diff --git a/authprox/apadmin/main.go b/authprox/apadmin/main.go index c4ef4a5dc0..9b1edc0679 100644 --- a/authprox/apadmin/main.go +++ b/authprox/apadmin/main.go @@ -28,7 +28,7 @@ var cmds = cli.Commands{ Flags: []cli.Flag{ cli.StringFlag{ Name: "roster, r", - Usage: "the roster of the cothority that hosts the distributed Authentication Proxy", + Usage: "the roster of the cothority that hosts the distributed Policy Proxy", }, cli.StringFlag{ Name: "type", @@ -48,7 +48,7 @@ var cmds = cli.Commands{ Flags: []cli.Flag{ cli.StringFlag{ Name: "roster, r", - Usage: "the roster of the cothority that hosts the distributed Authentication Proxy", + Usage: "the roster of the cothority that hosts the distributed Policy Proxy", }, }, Action: show, diff --git a/authprox/proto.go b/authprox/proto.go index 2e15b39d40..ce1309e9aa 100644 --- a/authprox/proto.go +++ b/authprox/proto.go @@ -24,7 +24,7 @@ type EnrollResponse struct { } // SignatureRequest is the request sent to this service to request that -// the Authentication Proxy check the authentication information and +// the Policy Proxy check the authentication information and // generate a signature connecting some information identifying the // holder of the AuthInfo to the message. type SignatureRequest struct { diff --git a/authprox/service.go b/authprox/service.go index 8bf5e0d2b2..335379339e 100644 --- a/authprox/service.go +++ b/authprox/service.go @@ -21,7 +21,7 @@ import ( bbolt "go.etcd.io/bbolt" ) -// ServiceName is the name of the Authentication Proxy service. +// ServiceName is the name of the Policy Proxy service. const ServiceName = "AuthProx" var authProxID onet.ServiceID diff --git a/blscosi/protocol/protocol.go b/blscosi/protocol/protocol.go index 83b792b388..80905f56e9 100644 --- a/blscosi/protocol/protocol.go +++ b/blscosi/protocol/protocol.go @@ -28,7 +28,10 @@ type VerificationFn func(msg, data []byte) bool // init is done at startup. It defines every messages that is handled by the network // and registers the protocols. func init() { - GlobalRegisterDefaultProtocols() + _, err := onet.GlobalProtocolRegister(DefaultProtocolName, NewDefaultProtocol) + log.ErrFatal(err) + _, err = onet.GlobalProtocolRegister(DefaultSubProtocolName, NewDefaultSubProtocol) + log.ErrFatal(err) } // BlsCosi holds the parameters of the protocol. @@ -67,13 +70,6 @@ func NewDefaultProtocol(n *onet.TreeNodeInstance) (onet.ProtocolInstance, error) return NewBlsCosi(n, vf, DefaultSubProtocolName, pairing.NewSuiteBn256()) } -// GlobalRegisterDefaultProtocols is used to register the protocols before use, -// most likely in an init function. -func GlobalRegisterDefaultProtocols() { - onet.GlobalProtocolRegister(DefaultProtocolName, NewDefaultProtocol) - onet.GlobalProtocolRegister(DefaultSubProtocolName, NewDefaultSubProtocol) -} - // DefaultThreshold computes the minimal threshold authorized using // the formula 3f+1 func DefaultThreshold(n int) int { @@ -98,16 +94,15 @@ func NewBlsCosi(n *onet.TreeNodeInstance, vf VerificationFn, subProtocolName str // the default number of subtree is the square root to // distribute the nodes evenly - c.SetNbrSubTree(int(math.Sqrt(float64(nNodes - 1)))) - - return c, nil + err := c.SetNbrSubTree(int(math.Sqrt(float64(nNodes - 1)))) + return c, err } // SetNbrSubTree generates N new subtrees that will be used // for the protocol func (p *BlsCosi) SetNbrSubTree(nbr int) error { if nbr > len(p.Roster().List)-1 { - return errors.New("Cannot have more subtrees than nodes") + return errors.New("cannot have more subtrees than nodes") } if p.Threshold == 1 || nbr <= 0 { p.subTrees = []*onet.Tree{} @@ -129,7 +124,10 @@ func (p *BlsCosi) Shutdown() error { for _, subCosi := range p.subProtocols { // we're stopping the root thus it will stop the children // by itself using a broadcasted message - subCosi.Shutdown() + err := subCosi.Shutdown() + if err != nil { + log.Error("Error while shutting down", subCosi, err) + } } close(p.startChan) close(p.FinalSignature) @@ -321,7 +319,10 @@ func (p *BlsCosi) collectSignatures() (ResponseMap, error) { // restart subprotocol // send stop signal to old protocol - subProtocol.HandleStop(StructStop{subProtocol.TreeNode(), Stop{}}) + err = subProtocol.HandleStop(StructStop{subProtocol.TreeNode(), Stop{}}) + if err != nil { + log.Error("Error while stopping sub-protocol", subProtocol, err) + } subProtocol, err = p.startSubProtocol(p.subTrees[i]) if err != nil { errChan <- fmt.Errorf("(subprotocol %v) error in restarting of subprotocol: %s", i, err) diff --git a/blscosi/protocol/sub_protocol.go b/blscosi/protocol/sub_protocol.go index 3f50375093..989a6972ea 100644 --- a/blscosi/protocol/sub_protocol.go +++ b/blscosi/protocol/sub_protocol.go @@ -15,10 +15,6 @@ import ( "go.dedis.ch/onet/v3/log" ) -func init() { - GlobalRegisterDefaultProtocols() -} - // sub_protocol is run by each sub-leader and each node once, and n times by // the root leader, where n is the number of sub-leader. diff --git a/calypso/api.go b/calypso/api.go index 9cad053612..f2b230accd 100644 --- a/calypso/api.go +++ b/calypso/api.go @@ -40,7 +40,7 @@ func NewClient(byzcoin *byzcoin.Client) *Client { cothority.Suite, ServiceName)} } -// CreateLTS creates a random LTSID that can be used to reference the LTS group +// CreateOCS creates a random LTSID that can be used to reference the LTS group // created. It first sends a transaction to ByzCoin to spawn a LTS instance, // then it asks the Calypso cothority to start the DKG. func (c *Client) CreateLTS(ltsRoster *onet.Roster, darcID darc.ID, signers []darc.Signer, counters []uint64) (reply *CreateLTSReply, err error) { @@ -103,7 +103,7 @@ func (c *Client) Authorise(who *network.ServerIdentity, what skipchain.SkipBlock return nil } -// DecryptKey takes as input Read- and Write- Proofs. It verifies that +// Reencrypt takes as input Read- and Write- Proofs. It verifies that // the read/write requests match and then re-encrypts the secret // given the public key information of the reader. func (c *Client) DecryptKey(dkr *DecryptKey) (reply *DecryptKeyReply, err error) { @@ -261,7 +261,7 @@ func (c *Client) SpawnDarc(signer darc.Signer, signerCtr uint64, } // RecoverKey is used to recover the secret key once it has been -// re-encrypted to a given public key by the DecryptKey method +// re-encrypted to a given public key by the Reencrypt method // in the Calypso service. The resulting secret key can be used // with a symmetric decryption algorithm to decrypt the data // stored in the Data field of the WriteInstance. diff --git a/calypso/api_test.go b/calypso/api_test.go index 106e7b2d17..494b78b528 100644 --- a/calypso/api_test.go +++ b/calypso/api_test.go @@ -12,7 +12,7 @@ import ( "go.dedis.ch/onet/v3" ) -// Tests the client function CreateLTS +// Tests the client function CreateOCS func TestClient_CreateLTS(t *testing.T) { l := onet.NewTCPTest(cothority.Suite) _, roster, _ := l.GenTree(3, true) @@ -37,7 +37,7 @@ func TestClient_CreateLTS(t *testing.T) { require.NoError(t, err) } - // Invoke CreateLTS + // Invoke CreateOCS ltsReply, err := calypsoClient.CreateLTS(roster, d.GetBaseID(), []darc.Signer{signer}, []uint64{1}) require.Nil(t, err) require.NotNil(t, ltsReply.ByzCoinID) @@ -47,7 +47,7 @@ func TestClient_CreateLTS(t *testing.T) { // TODO(jallen): Write TestClient_Reshare (and add api.go part too, I guess) -// Tests the client api's AddRead, AddWrite, DecryptKey +// Tests the client api's AddRead, AddWrite, Reencrypt func TestClient_Calypso(t *testing.T) { l := onet.NewTCPTest(cothority.Suite) _, roster, _ := l.GenTree(3, true) diff --git a/calypso/proto.go b/calypso/proto.go index fa0ed6701c..ff87a09a4e 100644 --- a/calypso/proto.go +++ b/calypso/proto.go @@ -9,6 +9,7 @@ import ( // PROTOSTART // type :skipchain.SkipBlockID:bytes +// type :time.Time:uint64 // package calypso; // import "byzcoin.proto"; // import "onet.proto"; @@ -38,8 +39,9 @@ type Write struct { // f is the proof - written in uppercase here so it is an exported // field, but in the OCS-paper it's lowercase. F kyber.Scalar - // C is the ElGamal parts for the symmetric key material (might also - // contain an IV) + // C is the ElGamal part for the symmetric key material, at maximum length + // of ed25519.Point.EmbedLen * 8 = 240 bits. An eventual IV must be published + // in ExtraData, as it is not necessary to be encrypted. C kyber.Point // ExtraData is clear text and application-specific ExtraData []byte `protobuf:"opt"` @@ -68,7 +70,7 @@ type Authorise struct { type AuthoriseReply struct { } -// CreateLTS is used to start a DKG and store the private keys in each node. +// CreateOCS is used to start a DKG and store the private keys in each node. // Prior to using this request, the Calypso roster must be recorded on the // ByzCoin blockchain in the instance specified by InstanceID. type CreateLTS struct { @@ -96,7 +98,7 @@ type ReshareLTS struct { type ReshareLTSReply struct { } -// DecryptKey is sent by a reader after he successfully stored a 'Read' request +// Reencrypt is sent by a reader after he successfully stored a 'Read' request // in byzcoin Client. type DecryptKey struct { // Read is the proof that he has been accepted to read the secret. diff --git a/calypso/protocol/ocs_struct.go b/calypso/protocol/ocs_struct.go index 56da88621b..035812a5db 100644 --- a/calypso/protocol/ocs_struct.go +++ b/calypso/protocol/ocs_struct.go @@ -12,7 +12,7 @@ import ( ) // NameOCS can be used from other packages to refer to this protocol. -const NameOCS = "OCS" +const NameOCS = "OCSOld" func init() { network.RegisterMessages(&Reencrypt{}, &ReencryptReply{}) @@ -40,7 +40,7 @@ type structReencrypt struct { Reencrypt } -// ReencryptReply returns the share to re-encrypt from one node +// MessageReencryptReply returns the share to re-encrypt from one node type ReencryptReply struct { Ui *share.PubShare Ei kyber.Scalar diff --git a/calypso/service.go b/calypso/service.go index 3b7963f1ae..9849131e78 100644 --- a/calypso/service.go +++ b/calypso/service.go @@ -140,7 +140,7 @@ func (s *Service) Authorise(req *Authorise) (*AuthoriseReply, error) { return &AuthoriseReply{}, nil } -// CreateLTS takes as input a roster with a list of all nodes that should +// CreateOCS takes as input a roster with a list of all nodes that should // participate in the DKG. Every node will store its private key and wait for // decryption requests. The LTSID should be the InstanceID. func (s *Service) CreateLTS(req *CreateLTS) (reply *CreateLTSReply, err error) { @@ -340,7 +340,7 @@ func (s *Service) getLtsRoster(proof *byzcoin.Proof) (*onet.Roster, byzcoin.Inst return &info.Roster, byzcoin.NewInstanceID(instanceID), nil } -// DecryptKey takes as an input a Read- and a Write-proof. Proofs contain +// Reencrypt takes as an input a Read- and a Write-proof. Proofs contain // everything necessary to verify that a given instance is correct and // stored in ByzCoin. // Using the Read and the Write-instance, this method verifies that the diff --git a/conode/Dockerfile-dev b/conode/Dockerfile-dev index fbcb4b603d..16c8434e72 100644 --- a/conode/Dockerfile-dev +++ b/conode/Dockerfile-dev @@ -10,4 +10,4 @@ COPY exe/conode.Linux.x86_64 ./conode EXPOSE 7770 7771 -CMD "./run_nodes.sh -n 1" +CMD ["./run_nodes.sh", "-n 1", "-v 2", "-d /conode_data"] diff --git a/conode/Makefile b/conode/Makefile index 4c3c22c56d..cc503ed3cf 100644 --- a/conode/Makefile +++ b/conode/Makefile @@ -1,5 +1,5 @@ -CONTAINER = conode -IMAGE_NAME = dedis/$(CONTAINER) +CONTAINER = ocs +IMAGE_NAME = c4dt/$(CONTAINER) DATA_DIR = $(shell pwd)/conode_data GITUNTRACKEDCHANGES := $(shell git status --porcelain --untracked-files=no) TAG = dev-$(shell date +%y%m%d) @@ -56,8 +56,8 @@ clean: verify: GO111MODULE=on go mod verify - @echo "Checking for replace in go.mod..." - @if GO111MODULE=on go list -m all | grep --quiet '=>'; then exit 1; fi + #@echo "Checking for replace in go.mod..." + #@if GO111MODULE=on go list -m all | grep --quiet '=>'; then exit 1; fi # The suffix on conode exe is the result from: echo `uname -s`.`uname -m` # so that we can find the right one in the wrapper script. diff --git a/conode/conode.go b/conode/conode.go index fb32a8826b..87989b2218 100644 --- a/conode/conode.go +++ b/conode/conode.go @@ -24,14 +24,7 @@ import ( "time" "go.dedis.ch/cothority/v3" - _ "go.dedis.ch/cothority/v3/authprox" - _ "go.dedis.ch/cothority/v3/byzcoin" - _ "go.dedis.ch/cothority/v3/byzcoin/contracts" - _ "go.dedis.ch/cothority/v3/calypso" - _ "go.dedis.ch/cothority/v3/eventlog" - _ "go.dedis.ch/cothority/v3/evoting/service" - _ "go.dedis.ch/cothority/v3/personhood" - _ "go.dedis.ch/cothority/v3/skipchain" + _ "go.dedis.ch/cothority/v3/ocs" status "go.dedis.ch/cothority/v3/status/service" "go.dedis.ch/kyber/v3/util/encoding" "go.dedis.ch/kyber/v3/util/key" diff --git a/darc/proto.go b/darc/proto.go index 282e7f29e6..ff36bf39ce 100644 --- a/darc/proto.go +++ b/darc/proto.go @@ -77,7 +77,7 @@ type IdentityX509EC struct { } // IdentityProxy holds the info necessary to verify a claim -// from an external authentication system via an Authentication Proxy. +// from an external authentication system via an Policy Proxy. type IdentityProxy struct { Data string Public kyber.Point @@ -120,7 +120,7 @@ type SignerX509EC struct { } // SignerProxy holds the information necessary to verify claims -// coming from external authentication systems via Authentication Proxies. +// coming from external authentication systems via Policy Proxies. type SignerProxy struct { Data string Public kyber.Point diff --git a/dkg/pedersen/dkg.go b/dkg/pedersen/dkg.go index bea932a9d8..3bc748ccde 100644 --- a/dkg/pedersen/dkg.go +++ b/dkg/pedersen/dkg.go @@ -91,6 +91,9 @@ func NewSharedSecret(gen *dkgpedersen.DistKeyGenerator) (*SharedSecret, *dkgpede // Start sends the Announce-message to all children func (o *Setup) Start() error { + if !o.ServerIdentity().ID.Equal(o.Roster().List[0].ID) { + return errors.New("cannot do a DKG where the root is not the first node in the roster") + } log.Lvl3("Starting Protocol") // 1a - root asks children to send their public key errs := o.Broadcast(&Init{Wait: o.Wait}) diff --git a/eventlog/el/main.go b/eventlog/el/main.go index b845031a58..eead47d534 100644 --- a/eventlog/el/main.go +++ b/eventlog/el/main.go @@ -643,7 +643,7 @@ func (o *openidCfg) getSigners(cl *eventlog.Client) ([]darc.Signer, error) { n := len(r.List) T := threshold(n) - // The callback from darc.Sign where we need to go contact the Authentication Proxies. + // The callback from darc.Sign where we need to go contact the Policy Proxies. cb := func(msg []byte) ([]byte, error) { tok, err := ts.Token() if err != nil { diff --git a/external/java/src/main/java/ch/epfl/dedis/lib/proto/AuthProxProto.java b/external/java/src/main/java/ch/epfl/dedis/lib/proto/AuthProxProto.java index 35d8740bf2..ece1791d9d 100644 --- a/external/java/src/main/java/ch/epfl/dedis/lib/proto/AuthProxProto.java +++ b/external/java/src/main/java/ch/epfl/dedis/lib/proto/AuthProxProto.java @@ -146,7 +146,7 @@ private EnrollRequest( break; } case 26: { - if (!((mutable_bitField0_ & 0x00000004) == 0x00000004)) { + if (!((mutable_bitField0_ & 0x00000004) != 0)) { participants_ = new java.util.ArrayList(); mutable_bitField0_ |= 0x00000004; } @@ -155,7 +155,7 @@ private EnrollRequest( } case 34: { ch.epfl.dedis.lib.proto.AuthProxProto.PriShare.Builder subBuilder = null; - if (((bitField0_ & 0x00000004) == 0x00000004)) { + if (((bitField0_ & 0x00000004) != 0)) { subBuilder = longpri_.toBuilder(); } longpri_ = input.readMessage(ch.epfl.dedis.lib.proto.AuthProxProto.PriShare.parser(), extensionRegistry); @@ -167,7 +167,7 @@ private EnrollRequest( break; } case 42: { - if (!((mutable_bitField0_ & 0x00000010) == 0x00000010)) { + if (!((mutable_bitField0_ & 0x00000010) != 0)) { longpubs_ = new java.util.ArrayList(); mutable_bitField0_ |= 0x00000010; } @@ -189,11 +189,11 @@ private EnrollRequest( throw new com.google.protobuf.InvalidProtocolBufferException( e).setUnfinishedMessage(this); } finally { - if (((mutable_bitField0_ & 0x00000004) == 0x00000004)) { - participants_ = java.util.Collections.unmodifiableList(participants_); + if (((mutable_bitField0_ & 0x00000004) != 0)) { + participants_ = java.util.Collections.unmodifiableList(participants_); // C } - if (((mutable_bitField0_ & 0x00000010) == 0x00000010)) { - longpubs_ = java.util.Collections.unmodifiableList(longpubs_); + if (((mutable_bitField0_ & 0x00000010) != 0)) { + longpubs_ = java.util.Collections.unmodifiableList(longpubs_); // C } this.unknownFields = unknownFields.build(); makeExtensionsImmutable(); @@ -219,7 +219,7 @@ private EnrollRequest( * required string type = 1; */ public boolean hasType() { - return ((bitField0_ & 0x00000001) == 0x00000001); + return ((bitField0_ & 0x00000001) != 0); } /** * required string type = 1; @@ -261,7 +261,7 @@ public java.lang.String getType() { * required string issuer = 2; */ public boolean hasIssuer() { - return ((bitField0_ & 0x00000002) == 0x00000002); + return ((bitField0_ & 0x00000002) != 0); } /** * required string issuer = 2; @@ -325,7 +325,7 @@ public com.google.protobuf.ByteString getParticipants(int index) { * required .authprox.PriShare longpri = 4; */ public boolean hasLongpri() { - return ((bitField0_ & 0x00000004) == 0x00000004); + return ((bitField0_ & 0x00000004) != 0); } /** * required .authprox.PriShare longpri = 4; @@ -388,16 +388,16 @@ public final boolean isInitialized() { @java.lang.Override public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io.IOException { - if (((bitField0_ & 0x00000001) == 0x00000001)) { + if (((bitField0_ & 0x00000001) != 0)) { com.google.protobuf.GeneratedMessageV3.writeString(output, 1, type_); } - if (((bitField0_ & 0x00000002) == 0x00000002)) { + if (((bitField0_ & 0x00000002) != 0)) { com.google.protobuf.GeneratedMessageV3.writeString(output, 2, issuer_); } for (int i = 0; i < participants_.size(); i++) { output.writeBytes(3, participants_.get(i)); } - if (((bitField0_ & 0x00000004) == 0x00000004)) { + if (((bitField0_ & 0x00000004) != 0)) { output.writeMessage(4, getLongpri()); } for (int i = 0; i < longpubs_.size(); i++) { @@ -412,10 +412,10 @@ public int getSerializedSize() { if (size != -1) return size; size = 0; - if (((bitField0_ & 0x00000001) == 0x00000001)) { + if (((bitField0_ & 0x00000001) != 0)) { size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, type_); } - if (((bitField0_ & 0x00000002) == 0x00000002)) { + if (((bitField0_ & 0x00000002) != 0)) { size += com.google.protobuf.GeneratedMessageV3.computeStringSize(2, issuer_); } { @@ -427,7 +427,7 @@ public int getSerializedSize() { size += dataSize; size += 1 * getParticipantsList().size(); } - if (((bitField0_ & 0x00000004) == 0x00000004)) { + if (((bitField0_ & 0x00000004) != 0)) { size += com.google.protobuf.CodedOutputStream .computeMessageSize(4, getLongpri()); } @@ -455,28 +455,27 @@ public boolean equals(final java.lang.Object obj) { } ch.epfl.dedis.lib.proto.AuthProxProto.EnrollRequest other = (ch.epfl.dedis.lib.proto.AuthProxProto.EnrollRequest) obj; - boolean result = true; - result = result && (hasType() == other.hasType()); + if (hasType() != other.hasType()) return false; if (hasType()) { - result = result && getType() - .equals(other.getType()); + if (!getType() + .equals(other.getType())) return false; } - result = result && (hasIssuer() == other.hasIssuer()); + if (hasIssuer() != other.hasIssuer()) return false; if (hasIssuer()) { - result = result && getIssuer() - .equals(other.getIssuer()); + if (!getIssuer() + .equals(other.getIssuer())) return false; } - result = result && getParticipantsList() - .equals(other.getParticipantsList()); - result = result && (hasLongpri() == other.hasLongpri()); + if (!getParticipantsList() + .equals(other.getParticipantsList())) return false; + if (hasLongpri() != other.hasLongpri()) return false; if (hasLongpri()) { - result = result && getLongpri() - .equals(other.getLongpri()); + if (!getLongpri() + .equals(other.getLongpri())) return false; } - result = result && getLongpubsList() - .equals(other.getLongpubsList()); - result = result && unknownFields.equals(other.unknownFields); - return result; + if (!getLongpubsList() + .equals(other.getLongpubsList())) return false; + if (!unknownFields.equals(other.unknownFields)) return false; + return true; } @java.lang.Override @@ -687,28 +686,28 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.EnrollRequest buildPartial() { ch.epfl.dedis.lib.proto.AuthProxProto.EnrollRequest result = new ch.epfl.dedis.lib.proto.AuthProxProto.EnrollRequest(this); int from_bitField0_ = bitField0_; int to_bitField0_ = 0; - if (((from_bitField0_ & 0x00000001) == 0x00000001)) { + if (((from_bitField0_ & 0x00000001) != 0)) { to_bitField0_ |= 0x00000001; } result.type_ = type_; - if (((from_bitField0_ & 0x00000002) == 0x00000002)) { + if (((from_bitField0_ & 0x00000002) != 0)) { to_bitField0_ |= 0x00000002; } result.issuer_ = issuer_; - if (((bitField0_ & 0x00000004) == 0x00000004)) { + if (((bitField0_ & 0x00000004) != 0)) { participants_ = java.util.Collections.unmodifiableList(participants_); bitField0_ = (bitField0_ & ~0x00000004); } result.participants_ = participants_; - if (((from_bitField0_ & 0x00000008) == 0x00000008)) { + if (((from_bitField0_ & 0x00000008) != 0)) { + if (longpriBuilder_ == null) { + result.longpri_ = longpri_; + } else { + result.longpri_ = longpriBuilder_.build(); + } to_bitField0_ |= 0x00000004; } - if (longpriBuilder_ == null) { - result.longpri_ = longpri_; - } else { - result.longpri_ = longpriBuilder_.build(); - } - if (((bitField0_ & 0x00000010) == 0x00000010)) { + if (((bitField0_ & 0x00000010) != 0)) { longpubs_ = java.util.Collections.unmodifiableList(longpubs_); bitField0_ = (bitField0_ & ~0x00000010); } @@ -720,35 +719,35 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.EnrollRequest buildPartial() { @java.lang.Override public Builder clone() { - return (Builder) super.clone(); + return super.clone(); } @java.lang.Override public Builder setField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.setField(field, value); + return super.setField(field, value); } @java.lang.Override public Builder clearField( com.google.protobuf.Descriptors.FieldDescriptor field) { - return (Builder) super.clearField(field); + return super.clearField(field); } @java.lang.Override public Builder clearOneof( com.google.protobuf.Descriptors.OneofDescriptor oneof) { - return (Builder) super.clearOneof(oneof); + return super.clearOneof(oneof); } @java.lang.Override public Builder setRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, int index, java.lang.Object value) { - return (Builder) super.setRepeatedField(field, index, value); + return super.setRepeatedField(field, index, value); } @java.lang.Override public Builder addRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.addRepeatedField(field, value); + return super.addRepeatedField(field, value); } @java.lang.Override public Builder mergeFrom(com.google.protobuf.Message other) { @@ -839,7 +838,7 @@ public Builder mergeFrom( * required string type = 1; */ public boolean hasType() { - return ((bitField0_ & 0x00000001) == 0x00000001); + return ((bitField0_ & 0x00000001) != 0); } /** * required string type = 1; @@ -915,7 +914,7 @@ public Builder setTypeBytes( * required string issuer = 2; */ public boolean hasIssuer() { - return ((bitField0_ & 0x00000002) == 0x00000002); + return ((bitField0_ & 0x00000002) != 0); } /** * required string issuer = 2; @@ -988,7 +987,7 @@ public Builder setIssuerBytes( private java.util.List participants_ = java.util.Collections.emptyList(); private void ensureParticipantsIsMutable() { - if (!((bitField0_ & 0x00000004) == 0x00000004)) { + if (!((bitField0_ & 0x00000004) != 0)) { participants_ = new java.util.ArrayList(participants_); bitField0_ |= 0x00000004; } @@ -998,7 +997,8 @@ private void ensureParticipantsIsMutable() { */ public java.util.List getParticipantsList() { - return java.util.Collections.unmodifiableList(participants_); + return ((bitField0_ & 0x00000004) != 0) ? + java.util.Collections.unmodifiableList(participants_) : participants_; } /** * repeated bytes participants = 3; @@ -1058,14 +1058,14 @@ public Builder clearParticipants() { return this; } - private ch.epfl.dedis.lib.proto.AuthProxProto.PriShare longpri_ = null; + private ch.epfl.dedis.lib.proto.AuthProxProto.PriShare longpri_; private com.google.protobuf.SingleFieldBuilderV3< ch.epfl.dedis.lib.proto.AuthProxProto.PriShare, ch.epfl.dedis.lib.proto.AuthProxProto.PriShare.Builder, ch.epfl.dedis.lib.proto.AuthProxProto.PriShareOrBuilder> longpriBuilder_; /** * required .authprox.PriShare longpri = 4; */ public boolean hasLongpri() { - return ((bitField0_ & 0x00000008) == 0x00000008); + return ((bitField0_ & 0x00000008) != 0); } /** * required .authprox.PriShare longpri = 4; @@ -1112,7 +1112,7 @@ public Builder setLongpri( */ public Builder mergeLongpri(ch.epfl.dedis.lib.proto.AuthProxProto.PriShare value) { if (longpriBuilder_ == null) { - if (((bitField0_ & 0x00000008) == 0x00000008) && + if (((bitField0_ & 0x00000008) != 0) && longpri_ != null && longpri_ != ch.epfl.dedis.lib.proto.AuthProxProto.PriShare.getDefaultInstance()) { longpri_ = @@ -1178,7 +1178,7 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.PriShareOrBuilder getLongpriOrBuild private java.util.List longpubs_ = java.util.Collections.emptyList(); private void ensureLongpubsIsMutable() { - if (!((bitField0_ & 0x00000010) == 0x00000010)) { + if (!((bitField0_ & 0x00000010) != 0)) { longpubs_ = new java.util.ArrayList(longpubs_); bitField0_ |= 0x00000010; } @@ -1188,7 +1188,8 @@ private void ensureLongpubsIsMutable() { */ public java.util.List getLongpubsList() { - return java.util.Collections.unmodifiableList(longpubs_); + return ((bitField0_ & 0x00000010) != 0) ? + java.util.Collections.unmodifiableList(longpubs_) : longpubs_; } /** * repeated bytes longpubs = 5; @@ -1416,9 +1417,8 @@ public boolean equals(final java.lang.Object obj) { } ch.epfl.dedis.lib.proto.AuthProxProto.EnrollResponse other = (ch.epfl.dedis.lib.proto.AuthProxProto.EnrollResponse) obj; - boolean result = true; - result = result && unknownFields.equals(other.unknownFields); - return result; + if (!unknownFields.equals(other.unknownFields)) return false; + return true; } @java.lang.Override @@ -1597,35 +1597,35 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.EnrollResponse buildPartial() { @java.lang.Override public Builder clone() { - return (Builder) super.clone(); + return super.clone(); } @java.lang.Override public Builder setField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.setField(field, value); + return super.setField(field, value); } @java.lang.Override public Builder clearField( com.google.protobuf.Descriptors.FieldDescriptor field) { - return (Builder) super.clearField(field); + return super.clearField(field); } @java.lang.Override public Builder clearOneof( com.google.protobuf.Descriptors.OneofDescriptor oneof) { - return (Builder) super.clearOneof(oneof); + return super.clearOneof(oneof); } @java.lang.Override public Builder setRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, int index, java.lang.Object value) { - return (Builder) super.setRepeatedField(field, index, value); + return super.setRepeatedField(field, index, value); } @java.lang.Override public Builder addRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.addRepeatedField(field, value); + return super.addRepeatedField(field, value); } @java.lang.Override public Builder mergeFrom(com.google.protobuf.Message other) { @@ -1799,7 +1799,7 @@ public interface SignatureRequestOrBuilder extends /** * 
    * SignatureRequest is the request sent to this service to request that
-   * the Authentication Proxy check the authentication information and
+   * the Policy Proxy check the authentication information and
    * generate a signature connecting some information identifying the
    * holder of the AuthInfo to the message.
    *
@@ -1866,7 +1866,7 @@ private SignatureRequest( } case 34: { ch.epfl.dedis.lib.proto.AuthProxProto.PriShare.Builder subBuilder = null; - if (((bitField0_ & 0x00000008) == 0x00000008)) { + if (((bitField0_ & 0x00000008) != 0)) { subBuilder = randpri_.toBuilder(); } randpri_ = input.readMessage(ch.epfl.dedis.lib.proto.AuthProxProto.PriShare.parser(), extensionRegistry); @@ -1878,7 +1878,7 @@ private SignatureRequest( break; } case 42: { - if (!((mutable_bitField0_ & 0x00000010) == 0x00000010)) { + if (!((mutable_bitField0_ & 0x00000010) != 0)) { randpubs_ = new java.util.ArrayList(); mutable_bitField0_ |= 0x00000010; } @@ -1905,8 +1905,8 @@ private SignatureRequest( throw new com.google.protobuf.InvalidProtocolBufferException( e).setUnfinishedMessage(this); } finally { - if (((mutable_bitField0_ & 0x00000010) == 0x00000010)) { - randpubs_ = java.util.Collections.unmodifiableList(randpubs_); + if (((mutable_bitField0_ & 0x00000010) != 0)) { + randpubs_ = java.util.Collections.unmodifiableList(randpubs_); // C } this.unknownFields = unknownFields.build(); makeExtensionsImmutable(); @@ -1932,7 +1932,7 @@ private SignatureRequest( * required string type = 1; */ public boolean hasType() { - return ((bitField0_ & 0x00000001) == 0x00000001); + return ((bitField0_ & 0x00000001) != 0); } /** * required string type = 1; @@ -1974,7 +1974,7 @@ public java.lang.String getType() { * required string issuer = 2; */ public boolean hasIssuer() { - return ((bitField0_ & 0x00000002) == 0x00000002); + return ((bitField0_ & 0x00000002) != 0); } /** * required string issuer = 2; @@ -2016,7 +2016,7 @@ public java.lang.String getIssuer() { * required bytes authinfo = 3; */ public boolean hasAuthinfo() { - return ((bitField0_ & 0x00000004) == 0x00000004); + return ((bitField0_ & 0x00000004) != 0); } /** * required bytes authinfo = 3; @@ -2031,7 +2031,7 @@ public com.google.protobuf.ByteString getAuthinfo() { * required .authprox.PriShare randpri = 4; */ public boolean hasRandpri() { - return ((bitField0_ & 0x00000008) == 0x00000008); + return ((bitField0_ & 0x00000008) != 0); } /** * required .authprox.PriShare randpri = 4; @@ -2074,7 +2074,7 @@ public com.google.protobuf.ByteString getRandpubs(int index) { * required bytes message = 6; */ public boolean hasMessage() { - return ((bitField0_ & 0x00000010) == 0x00000010); + return ((bitField0_ & 0x00000010) != 0); } /** * required bytes message = 6; @@ -2117,22 +2117,22 @@ public final boolean isInitialized() { @java.lang.Override public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io.IOException { - if (((bitField0_ & 0x00000001) == 0x00000001)) { + if (((bitField0_ & 0x00000001) != 0)) { com.google.protobuf.GeneratedMessageV3.writeString(output, 1, type_); } - if (((bitField0_ & 0x00000002) == 0x00000002)) { + if (((bitField0_ & 0x00000002) != 0)) { com.google.protobuf.GeneratedMessageV3.writeString(output, 2, issuer_); } - if (((bitField0_ & 0x00000004) == 0x00000004)) { + if (((bitField0_ & 0x00000004) != 0)) { output.writeBytes(3, authinfo_); } - if (((bitField0_ & 0x00000008) == 0x00000008)) { + if (((bitField0_ & 0x00000008) != 0)) { output.writeMessage(4, getRandpri()); } for (int i = 0; i < randpubs_.size(); i++) { output.writeBytes(5, randpubs_.get(i)); } - if (((bitField0_ & 0x00000010) == 0x00000010)) { + if (((bitField0_ & 0x00000010) != 0)) { output.writeBytes(6, message_); } unknownFields.writeTo(output); @@ -2144,17 +2144,17 @@ public int getSerializedSize() { if (size != -1) return size; size = 0; - if (((bitField0_ & 0x00000001) == 0x00000001)) { + if (((bitField0_ & 0x00000001) != 0)) { size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, type_); } - if (((bitField0_ & 0x00000002) == 0x00000002)) { + if (((bitField0_ & 0x00000002) != 0)) { size += com.google.protobuf.GeneratedMessageV3.computeStringSize(2, issuer_); } - if (((bitField0_ & 0x00000004) == 0x00000004)) { + if (((bitField0_ & 0x00000004) != 0)) { size += com.google.protobuf.CodedOutputStream .computeBytesSize(3, authinfo_); } - if (((bitField0_ & 0x00000008) == 0x00000008)) { + if (((bitField0_ & 0x00000008) != 0)) { size += com.google.protobuf.CodedOutputStream .computeMessageSize(4, getRandpri()); } @@ -2167,7 +2167,7 @@ public int getSerializedSize() { size += dataSize; size += 1 * getRandpubsList().size(); } - if (((bitField0_ & 0x00000010) == 0x00000010)) { + if (((bitField0_ & 0x00000010) != 0)) { size += com.google.protobuf.CodedOutputStream .computeBytesSize(6, message_); } @@ -2186,36 +2186,35 @@ public boolean equals(final java.lang.Object obj) { } ch.epfl.dedis.lib.proto.AuthProxProto.SignatureRequest other = (ch.epfl.dedis.lib.proto.AuthProxProto.SignatureRequest) obj; - boolean result = true; - result = result && (hasType() == other.hasType()); + if (hasType() != other.hasType()) return false; if (hasType()) { - result = result && getType() - .equals(other.getType()); + if (!getType() + .equals(other.getType())) return false; } - result = result && (hasIssuer() == other.hasIssuer()); + if (hasIssuer() != other.hasIssuer()) return false; if (hasIssuer()) { - result = result && getIssuer() - .equals(other.getIssuer()); + if (!getIssuer() + .equals(other.getIssuer())) return false; } - result = result && (hasAuthinfo() == other.hasAuthinfo()); + if (hasAuthinfo() != other.hasAuthinfo()) return false; if (hasAuthinfo()) { - result = result && getAuthinfo() - .equals(other.getAuthinfo()); + if (!getAuthinfo() + .equals(other.getAuthinfo())) return false; } - result = result && (hasRandpri() == other.hasRandpri()); + if (hasRandpri() != other.hasRandpri()) return false; if (hasRandpri()) { - result = result && getRandpri() - .equals(other.getRandpri()); + if (!getRandpri() + .equals(other.getRandpri())) return false; } - result = result && getRandpubsList() - .equals(other.getRandpubsList()); - result = result && (hasMessage() == other.hasMessage()); + if (!getRandpubsList() + .equals(other.getRandpubsList())) return false; + if (hasMessage() != other.hasMessage()) return false; if (hasMessage()) { - result = result && getMessage() - .equals(other.getMessage()); + if (!getMessage() + .equals(other.getMessage())) return false; } - result = result && unknownFields.equals(other.unknownFields); - return result; + if (!unknownFields.equals(other.unknownFields)) return false; + return true; } @java.lang.Override @@ -2347,7 +2346,7 @@ protected Builder newBuilderForType( /** * 
      * SignatureRequest is the request sent to this service to request that
-     * the Authentication Proxy check the authentication information and
+     * the Policy Proxy check the authentication information and
      * generate a signature connecting some information identifying the
      * holder of the AuthInfo to the message.
      *
@@ -2434,32 +2433,32 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.SignatureRequest buildPartial() { ch.epfl.dedis.lib.proto.AuthProxProto.SignatureRequest result = new ch.epfl.dedis.lib.proto.AuthProxProto.SignatureRequest(this); int from_bitField0_ = bitField0_; int to_bitField0_ = 0; - if (((from_bitField0_ & 0x00000001) == 0x00000001)) { + if (((from_bitField0_ & 0x00000001) != 0)) { to_bitField0_ |= 0x00000001; } result.type_ = type_; - if (((from_bitField0_ & 0x00000002) == 0x00000002)) { + if (((from_bitField0_ & 0x00000002) != 0)) { to_bitField0_ |= 0x00000002; } result.issuer_ = issuer_; - if (((from_bitField0_ & 0x00000004) == 0x00000004)) { + if (((from_bitField0_ & 0x00000004) != 0)) { to_bitField0_ |= 0x00000004; } result.authinfo_ = authinfo_; - if (((from_bitField0_ & 0x00000008) == 0x00000008)) { + if (((from_bitField0_ & 0x00000008) != 0)) { + if (randpriBuilder_ == null) { + result.randpri_ = randpri_; + } else { + result.randpri_ = randpriBuilder_.build(); + } to_bitField0_ |= 0x00000008; } - if (randpriBuilder_ == null) { - result.randpri_ = randpri_; - } else { - result.randpri_ = randpriBuilder_.build(); - } - if (((bitField0_ & 0x00000010) == 0x00000010)) { + if (((bitField0_ & 0x00000010) != 0)) { randpubs_ = java.util.Collections.unmodifiableList(randpubs_); bitField0_ = (bitField0_ & ~0x00000010); } result.randpubs_ = randpubs_; - if (((from_bitField0_ & 0x00000020) == 0x00000020)) { + if (((from_bitField0_ & 0x00000020) != 0)) { to_bitField0_ |= 0x00000010; } result.message_ = message_; @@ -2470,35 +2469,35 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.SignatureRequest buildPartial() { @java.lang.Override public Builder clone() { - return (Builder) super.clone(); + return super.clone(); } @java.lang.Override public Builder setField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.setField(field, value); + return super.setField(field, value); } @java.lang.Override public Builder clearField( com.google.protobuf.Descriptors.FieldDescriptor field) { - return (Builder) super.clearField(field); + return super.clearField(field); } @java.lang.Override public Builder clearOneof( com.google.protobuf.Descriptors.OneofDescriptor oneof) { - return (Builder) super.clearOneof(oneof); + return super.clearOneof(oneof); } @java.lang.Override public Builder setRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, int index, java.lang.Object value) { - return (Builder) super.setRepeatedField(field, index, value); + return super.setRepeatedField(field, index, value); } @java.lang.Override public Builder addRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.addRepeatedField(field, value); + return super.addRepeatedField(field, value); } @java.lang.Override public Builder mergeFrom(com.google.protobuf.Message other) { @@ -2591,7 +2590,7 @@ public Builder mergeFrom( * required string type = 1; */ public boolean hasType() { - return ((bitField0_ & 0x00000001) == 0x00000001); + return ((bitField0_ & 0x00000001) != 0); } /** * required string type = 1; @@ -2667,7 +2666,7 @@ public Builder setTypeBytes( * required string issuer = 2; */ public boolean hasIssuer() { - return ((bitField0_ & 0x00000002) == 0x00000002); + return ((bitField0_ & 0x00000002) != 0); } /** * required string issuer = 2; @@ -2743,7 +2742,7 @@ public Builder setIssuerBytes( * required bytes authinfo = 3; */ public boolean hasAuthinfo() { - return ((bitField0_ & 0x00000004) == 0x00000004); + return ((bitField0_ & 0x00000004) != 0); } /** * required bytes authinfo = 3; @@ -2773,14 +2772,14 @@ public Builder clearAuthinfo() { return this; } - private ch.epfl.dedis.lib.proto.AuthProxProto.PriShare randpri_ = null; + private ch.epfl.dedis.lib.proto.AuthProxProto.PriShare randpri_; private com.google.protobuf.SingleFieldBuilderV3< ch.epfl.dedis.lib.proto.AuthProxProto.PriShare, ch.epfl.dedis.lib.proto.AuthProxProto.PriShare.Builder, ch.epfl.dedis.lib.proto.AuthProxProto.PriShareOrBuilder> randpriBuilder_; /** * required .authprox.PriShare randpri = 4; */ public boolean hasRandpri() { - return ((bitField0_ & 0x00000008) == 0x00000008); + return ((bitField0_ & 0x00000008) != 0); } /** * required .authprox.PriShare randpri = 4; @@ -2827,7 +2826,7 @@ public Builder setRandpri( */ public Builder mergeRandpri(ch.epfl.dedis.lib.proto.AuthProxProto.PriShare value) { if (randpriBuilder_ == null) { - if (((bitField0_ & 0x00000008) == 0x00000008) && + if (((bitField0_ & 0x00000008) != 0) && randpri_ != null && randpri_ != ch.epfl.dedis.lib.proto.AuthProxProto.PriShare.getDefaultInstance()) { randpri_ = @@ -2893,7 +2892,7 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.PriShareOrBuilder getRandpriOrBuild private java.util.List randpubs_ = java.util.Collections.emptyList(); private void ensureRandpubsIsMutable() { - if (!((bitField0_ & 0x00000010) == 0x00000010)) { + if (!((bitField0_ & 0x00000010) != 0)) { randpubs_ = new java.util.ArrayList(randpubs_); bitField0_ |= 0x00000010; } @@ -2903,7 +2902,8 @@ private void ensureRandpubsIsMutable() { */ public java.util.List getRandpubsList() { - return java.util.Collections.unmodifiableList(randpubs_); + return ((bitField0_ & 0x00000010) != 0) ? + java.util.Collections.unmodifiableList(randpubs_) : randpubs_; } /** * repeated bytes randpubs = 5; @@ -2968,7 +2968,7 @@ public Builder clearRandpubs() { * required bytes message = 6; */ public boolean hasMessage() { - return ((bitField0_ & 0x00000020) == 0x00000020); + return ((bitField0_ & 0x00000020) != 0); } /** * required bytes message = 6; @@ -3167,9 +3167,8 @@ public boolean equals(final java.lang.Object obj) { } ch.epfl.dedis.lib.proto.AuthProxProto.PriShare other = (ch.epfl.dedis.lib.proto.AuthProxProto.PriShare) obj; - boolean result = true; - result = result && unknownFields.equals(other.unknownFields); - return result; + if (!unknownFields.equals(other.unknownFields)) return false; + return true; } @java.lang.Override @@ -3349,35 +3348,35 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.PriShare buildPartial() { @java.lang.Override public Builder clone() { - return (Builder) super.clone(); + return super.clone(); } @java.lang.Override public Builder setField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.setField(field, value); + return super.setField(field, value); } @java.lang.Override public Builder clearField( com.google.protobuf.Descriptors.FieldDescriptor field) { - return (Builder) super.clearField(field); + return super.clearField(field); } @java.lang.Override public Builder clearOneof( com.google.protobuf.Descriptors.OneofDescriptor oneof) { - return (Builder) super.clearOneof(oneof); + return super.clearOneof(oneof); } @java.lang.Override public Builder setRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, int index, java.lang.Object value) { - return (Builder) super.setRepeatedField(field, index, value); + return super.setRepeatedField(field, index, value); } @java.lang.Override public Builder addRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.addRepeatedField(field, value); + return super.addRepeatedField(field, value); } @java.lang.Override public Builder mergeFrom(com.google.protobuf.Message other) { @@ -3555,7 +3554,7 @@ private PartialSig( break; case 10: { ch.epfl.dedis.lib.proto.AuthProxProto.PriShare.Builder subBuilder = null; - if (((bitField0_ & 0x00000001) == 0x00000001)) { + if (((bitField0_ & 0x00000001) != 0)) { subBuilder = partial_.toBuilder(); } partial_ = input.readMessage(ch.epfl.dedis.lib.proto.AuthProxProto.PriShare.parser(), extensionRegistry); @@ -3615,7 +3614,7 @@ private PartialSig( * required .authprox.PriShare partial = 1; */ public boolean hasPartial() { - return ((bitField0_ & 0x00000001) == 0x00000001); + return ((bitField0_ & 0x00000001) != 0); } /** * required .authprox.PriShare partial = 1; @@ -3636,7 +3635,7 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.PriShareOrBuilder getPartialOrBuild * required bytes sessionid = 2; */ public boolean hasSessionid() { - return ((bitField0_ & 0x00000002) == 0x00000002); + return ((bitField0_ & 0x00000002) != 0); } /** * required bytes sessionid = 2; @@ -3651,7 +3650,7 @@ public com.google.protobuf.ByteString getSessionid() { * required bytes signature = 3; */ public boolean hasSignature() { - return ((bitField0_ & 0x00000004) == 0x00000004); + return ((bitField0_ & 0x00000004) != 0); } /** * required bytes signature = 3; @@ -3686,13 +3685,13 @@ public final boolean isInitialized() { @java.lang.Override public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io.IOException { - if (((bitField0_ & 0x00000001) == 0x00000001)) { + if (((bitField0_ & 0x00000001) != 0)) { output.writeMessage(1, getPartial()); } - if (((bitField0_ & 0x00000002) == 0x00000002)) { + if (((bitField0_ & 0x00000002) != 0)) { output.writeBytes(2, sessionid_); } - if (((bitField0_ & 0x00000004) == 0x00000004)) { + if (((bitField0_ & 0x00000004) != 0)) { output.writeBytes(3, signature_); } unknownFields.writeTo(output); @@ -3704,15 +3703,15 @@ public int getSerializedSize() { if (size != -1) return size; size = 0; - if (((bitField0_ & 0x00000001) == 0x00000001)) { + if (((bitField0_ & 0x00000001) != 0)) { size += com.google.protobuf.CodedOutputStream .computeMessageSize(1, getPartial()); } - if (((bitField0_ & 0x00000002) == 0x00000002)) { + if (((bitField0_ & 0x00000002) != 0)) { size += com.google.protobuf.CodedOutputStream .computeBytesSize(2, sessionid_); } - if (((bitField0_ & 0x00000004) == 0x00000004)) { + if (((bitField0_ & 0x00000004) != 0)) { size += com.google.protobuf.CodedOutputStream .computeBytesSize(3, signature_); } @@ -3731,24 +3730,23 @@ public boolean equals(final java.lang.Object obj) { } ch.epfl.dedis.lib.proto.AuthProxProto.PartialSig other = (ch.epfl.dedis.lib.proto.AuthProxProto.PartialSig) obj; - boolean result = true; - result = result && (hasPartial() == other.hasPartial()); + if (hasPartial() != other.hasPartial()) return false; if (hasPartial()) { - result = result && getPartial() - .equals(other.getPartial()); + if (!getPartial() + .equals(other.getPartial())) return false; } - result = result && (hasSessionid() == other.hasSessionid()); + if (hasSessionid() != other.hasSessionid()) return false; if (hasSessionid()) { - result = result && getSessionid() - .equals(other.getSessionid()); + if (!getSessionid() + .equals(other.getSessionid())) return false; } - result = result && (hasSignature() == other.hasSignature()); + if (hasSignature() != other.hasSignature()) return false; if (hasSignature()) { - result = result && getSignature() - .equals(other.getSignature()); + if (!getSignature() + .equals(other.getSignature())) return false; } - result = result && unknownFields.equals(other.unknownFields); - return result; + if (!unknownFields.equals(other.unknownFields)) return false; + return true; } @java.lang.Override @@ -3947,19 +3945,19 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.PartialSig buildPartial() { ch.epfl.dedis.lib.proto.AuthProxProto.PartialSig result = new ch.epfl.dedis.lib.proto.AuthProxProto.PartialSig(this); int from_bitField0_ = bitField0_; int to_bitField0_ = 0; - if (((from_bitField0_ & 0x00000001) == 0x00000001)) { + if (((from_bitField0_ & 0x00000001) != 0)) { + if (partialBuilder_ == null) { + result.partial_ = partial_; + } else { + result.partial_ = partialBuilder_.build(); + } to_bitField0_ |= 0x00000001; } - if (partialBuilder_ == null) { - result.partial_ = partial_; - } else { - result.partial_ = partialBuilder_.build(); - } - if (((from_bitField0_ & 0x00000002) == 0x00000002)) { + if (((from_bitField0_ & 0x00000002) != 0)) { to_bitField0_ |= 0x00000002; } result.sessionid_ = sessionid_; - if (((from_bitField0_ & 0x00000004) == 0x00000004)) { + if (((from_bitField0_ & 0x00000004) != 0)) { to_bitField0_ |= 0x00000004; } result.signature_ = signature_; @@ -3970,35 +3968,35 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.PartialSig buildPartial() { @java.lang.Override public Builder clone() { - return (Builder) super.clone(); + return super.clone(); } @java.lang.Override public Builder setField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.setField(field, value); + return super.setField(field, value); } @java.lang.Override public Builder clearField( com.google.protobuf.Descriptors.FieldDescriptor field) { - return (Builder) super.clearField(field); + return super.clearField(field); } @java.lang.Override public Builder clearOneof( com.google.protobuf.Descriptors.OneofDescriptor oneof) { - return (Builder) super.clearOneof(oneof); + return super.clearOneof(oneof); } @java.lang.Override public Builder setRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, int index, java.lang.Object value) { - return (Builder) super.setRepeatedField(field, index, value); + return super.setRepeatedField(field, index, value); } @java.lang.Override public Builder addRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.addRepeatedField(field, value); + return super.addRepeatedField(field, value); } @java.lang.Override public Builder mergeFrom(com.google.protobuf.Message other) { @@ -4060,14 +4058,14 @@ public Builder mergeFrom( } private int bitField0_; - private ch.epfl.dedis.lib.proto.AuthProxProto.PriShare partial_ = null; + private ch.epfl.dedis.lib.proto.AuthProxProto.PriShare partial_; private com.google.protobuf.SingleFieldBuilderV3< ch.epfl.dedis.lib.proto.AuthProxProto.PriShare, ch.epfl.dedis.lib.proto.AuthProxProto.PriShare.Builder, ch.epfl.dedis.lib.proto.AuthProxProto.PriShareOrBuilder> partialBuilder_; /** * required .authprox.PriShare partial = 1; */ public boolean hasPartial() { - return ((bitField0_ & 0x00000001) == 0x00000001); + return ((bitField0_ & 0x00000001) != 0); } /** * required .authprox.PriShare partial = 1; @@ -4114,7 +4112,7 @@ public Builder setPartial( */ public Builder mergePartial(ch.epfl.dedis.lib.proto.AuthProxProto.PriShare value) { if (partialBuilder_ == null) { - if (((bitField0_ & 0x00000001) == 0x00000001) && + if (((bitField0_ & 0x00000001) != 0) && partial_ != null && partial_ != ch.epfl.dedis.lib.proto.AuthProxProto.PriShare.getDefaultInstance()) { partial_ = @@ -4183,7 +4181,7 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.PriShareOrBuilder getPartialOrBuild * required bytes sessionid = 2; */ public boolean hasSessionid() { - return ((bitField0_ & 0x00000002) == 0x00000002); + return ((bitField0_ & 0x00000002) != 0); } /** * required bytes sessionid = 2; @@ -4218,7 +4216,7 @@ public Builder clearSessionid() { * required bytes signature = 3; */ public boolean hasSignature() { - return ((bitField0_ & 0x00000004) == 0x00000004); + return ((bitField0_ & 0x00000004) != 0); } /** * required bytes signature = 3; @@ -4362,7 +4360,7 @@ private SignatureResponse( break; case 10: { ch.epfl.dedis.lib.proto.AuthProxProto.PartialSig.Builder subBuilder = null; - if (((bitField0_ & 0x00000001) == 0x00000001)) { + if (((bitField0_ & 0x00000001) != 0)) { subBuilder = partialsignature_.toBuilder(); } partialsignature_ = input.readMessage(ch.epfl.dedis.lib.proto.AuthProxProto.PartialSig.parser(), extensionRegistry); @@ -4412,7 +4410,7 @@ private SignatureResponse( * required .authprox.PartialSig partialsignature = 1; */ public boolean hasPartialsignature() { - return ((bitField0_ & 0x00000001) == 0x00000001); + return ((bitField0_ & 0x00000001) != 0); } /** * required .authprox.PartialSig partialsignature = 1; @@ -4449,7 +4447,7 @@ public final boolean isInitialized() { @java.lang.Override public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io.IOException { - if (((bitField0_ & 0x00000001) == 0x00000001)) { + if (((bitField0_ & 0x00000001) != 0)) { output.writeMessage(1, getPartialsignature()); } unknownFields.writeTo(output); @@ -4461,7 +4459,7 @@ public int getSerializedSize() { if (size != -1) return size; size = 0; - if (((bitField0_ & 0x00000001) == 0x00000001)) { + if (((bitField0_ & 0x00000001) != 0)) { size += com.google.protobuf.CodedOutputStream .computeMessageSize(1, getPartialsignature()); } @@ -4480,14 +4478,13 @@ public boolean equals(final java.lang.Object obj) { } ch.epfl.dedis.lib.proto.AuthProxProto.SignatureResponse other = (ch.epfl.dedis.lib.proto.AuthProxProto.SignatureResponse) obj; - boolean result = true; - result = result && (hasPartialsignature() == other.hasPartialsignature()); + if (hasPartialsignature() != other.hasPartialsignature()) return false; if (hasPartialsignature()) { - result = result && getPartialsignature() - .equals(other.getPartialsignature()); + if (!getPartialsignature() + .equals(other.getPartialsignature())) return false; } - result = result && unknownFields.equals(other.unknownFields); - return result; + if (!unknownFields.equals(other.unknownFields)) return false; + return true; } @java.lang.Override @@ -4673,14 +4670,14 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.SignatureResponse buildPartial() { ch.epfl.dedis.lib.proto.AuthProxProto.SignatureResponse result = new ch.epfl.dedis.lib.proto.AuthProxProto.SignatureResponse(this); int from_bitField0_ = bitField0_; int to_bitField0_ = 0; - if (((from_bitField0_ & 0x00000001) == 0x00000001)) { + if (((from_bitField0_ & 0x00000001) != 0)) { + if (partialsignatureBuilder_ == null) { + result.partialsignature_ = partialsignature_; + } else { + result.partialsignature_ = partialsignatureBuilder_.build(); + } to_bitField0_ |= 0x00000001; } - if (partialsignatureBuilder_ == null) { - result.partialsignature_ = partialsignature_; - } else { - result.partialsignature_ = partialsignatureBuilder_.build(); - } result.bitField0_ = to_bitField0_; onBuilt(); return result; @@ -4688,35 +4685,35 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.SignatureResponse buildPartial() { @java.lang.Override public Builder clone() { - return (Builder) super.clone(); + return super.clone(); } @java.lang.Override public Builder setField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.setField(field, value); + return super.setField(field, value); } @java.lang.Override public Builder clearField( com.google.protobuf.Descriptors.FieldDescriptor field) { - return (Builder) super.clearField(field); + return super.clearField(field); } @java.lang.Override public Builder clearOneof( com.google.protobuf.Descriptors.OneofDescriptor oneof) { - return (Builder) super.clearOneof(oneof); + return super.clearOneof(oneof); } @java.lang.Override public Builder setRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, int index, java.lang.Object value) { - return (Builder) super.setRepeatedField(field, index, value); + return super.setRepeatedField(field, index, value); } @java.lang.Override public Builder addRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.addRepeatedField(field, value); + return super.addRepeatedField(field, value); } @java.lang.Override public Builder mergeFrom(com.google.protobuf.Message other) { @@ -4769,14 +4766,14 @@ public Builder mergeFrom( } private int bitField0_; - private ch.epfl.dedis.lib.proto.AuthProxProto.PartialSig partialsignature_ = null; + private ch.epfl.dedis.lib.proto.AuthProxProto.PartialSig partialsignature_; private com.google.protobuf.SingleFieldBuilderV3< ch.epfl.dedis.lib.proto.AuthProxProto.PartialSig, ch.epfl.dedis.lib.proto.AuthProxProto.PartialSig.Builder, ch.epfl.dedis.lib.proto.AuthProxProto.PartialSigOrBuilder> partialsignatureBuilder_; /** * required .authprox.PartialSig partialsignature = 1; */ public boolean hasPartialsignature() { - return ((bitField0_ & 0x00000001) == 0x00000001); + return ((bitField0_ & 0x00000001) != 0); } /** * required .authprox.PartialSig partialsignature = 1; @@ -4823,7 +4820,7 @@ public Builder setPartialsignature( */ public Builder mergePartialsignature(ch.epfl.dedis.lib.proto.AuthProxProto.PartialSig value) { if (partialsignatureBuilder_ == null) { - if (((bitField0_ & 0x00000001) == 0x00000001) && + if (((bitField0_ & 0x00000001) != 0) && partialsignature_ != null && partialsignature_ != ch.epfl.dedis.lib.proto.AuthProxProto.PartialSig.getDefaultInstance()) { partialsignature_ = @@ -5031,7 +5028,7 @@ private EnrollmentsRequest( break; case 10: { com.google.protobuf.ByteString bs = input.readBytes(); - if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) { + if (!((mutable_bitField0_ & 0x00000001) != 0)) { types_ = new com.google.protobuf.LazyStringArrayList(); mutable_bitField0_ |= 0x00000001; } @@ -5040,7 +5037,7 @@ private EnrollmentsRequest( } case 18: { com.google.protobuf.ByteString bs = input.readBytes(); - if (!((mutable_bitField0_ & 0x00000002) == 0x00000002)) { + if (!((mutable_bitField0_ & 0x00000002) != 0)) { issuers_ = new com.google.protobuf.LazyStringArrayList(); mutable_bitField0_ |= 0x00000002; } @@ -5062,10 +5059,10 @@ private EnrollmentsRequest( throw new com.google.protobuf.InvalidProtocolBufferException( e).setUnfinishedMessage(this); } finally { - if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) { + if (((mutable_bitField0_ & 0x00000001) != 0)) { types_ = types_.getUnmodifiableView(); } - if (((mutable_bitField0_ & 0x00000002) == 0x00000002)) { + if (((mutable_bitField0_ & 0x00000002) != 0)) { issuers_ = issuers_.getUnmodifiableView(); } this.unknownFields = unknownFields.build(); @@ -5203,13 +5200,12 @@ public boolean equals(final java.lang.Object obj) { } ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentsRequest other = (ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentsRequest) obj; - boolean result = true; - result = result && getTypesList() - .equals(other.getTypesList()); - result = result && getIssuersList() - .equals(other.getIssuersList()); - result = result && unknownFields.equals(other.unknownFields); - return result; + if (!getTypesList() + .equals(other.getTypesList())) return false; + if (!getIssuersList() + .equals(other.getIssuersList())) return false; + if (!unknownFields.equals(other.unknownFields)) return false; + return true; } @java.lang.Override @@ -5398,12 +5394,12 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentsRequest build() { public ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentsRequest buildPartial() { ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentsRequest result = new ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentsRequest(this); int from_bitField0_ = bitField0_; - if (((bitField0_ & 0x00000001) == 0x00000001)) { + if (((bitField0_ & 0x00000001) != 0)) { types_ = types_.getUnmodifiableView(); bitField0_ = (bitField0_ & ~0x00000001); } result.types_ = types_; - if (((bitField0_ & 0x00000002) == 0x00000002)) { + if (((bitField0_ & 0x00000002) != 0)) { issuers_ = issuers_.getUnmodifiableView(); bitField0_ = (bitField0_ & ~0x00000002); } @@ -5414,35 +5410,35 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentsRequest buildPartial() { @java.lang.Override public Builder clone() { - return (Builder) super.clone(); + return super.clone(); } @java.lang.Override public Builder setField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.setField(field, value); + return super.setField(field, value); } @java.lang.Override public Builder clearField( com.google.protobuf.Descriptors.FieldDescriptor field) { - return (Builder) super.clearField(field); + return super.clearField(field); } @java.lang.Override public Builder clearOneof( com.google.protobuf.Descriptors.OneofDescriptor oneof) { - return (Builder) super.clearOneof(oneof); + return super.clearOneof(oneof); } @java.lang.Override public Builder setRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, int index, java.lang.Object value) { - return (Builder) super.setRepeatedField(field, index, value); + return super.setRepeatedField(field, index, value); } @java.lang.Override public Builder addRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.addRepeatedField(field, value); + return super.addRepeatedField(field, value); } @java.lang.Override public Builder mergeFrom(com.google.protobuf.Message other) { @@ -5508,7 +5504,7 @@ public Builder mergeFrom( private com.google.protobuf.LazyStringList types_ = com.google.protobuf.LazyStringArrayList.EMPTY; private void ensureTypesIsMutable() { - if (!((bitField0_ & 0x00000001) == 0x00000001)) { + if (!((bitField0_ & 0x00000001) != 0)) { types_ = new com.google.protobuf.LazyStringArrayList(types_); bitField0_ |= 0x00000001; } @@ -5601,7 +5597,7 @@ public Builder addTypesBytes( private com.google.protobuf.LazyStringList issuers_ = com.google.protobuf.LazyStringArrayList.EMPTY; private void ensureIssuersIsMutable() { - if (!((bitField0_ & 0x00000002) == 0x00000002)) { + if (!((bitField0_ & 0x00000002) != 0)) { issuers_ = new com.google.protobuf.LazyStringArrayList(issuers_); bitField0_ |= 0x00000002; } @@ -5817,7 +5813,7 @@ private EnrollmentsResponse( done = true; break; case 10: { - if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) { + if (!((mutable_bitField0_ & 0x00000001) != 0)) { enrollments_ = new java.util.ArrayList(); mutable_bitField0_ |= 0x00000001; } @@ -5840,7 +5836,7 @@ private EnrollmentsResponse( throw new com.google.protobuf.InvalidProtocolBufferException( e).setUnfinishedMessage(this); } finally { - if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) { + if (((mutable_bitField0_ & 0x00000001) != 0)) { enrollments_ = java.util.Collections.unmodifiableList(enrollments_); } this.unknownFields = unknownFields.build(); @@ -5946,11 +5942,10 @@ public boolean equals(final java.lang.Object obj) { } ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentsResponse other = (ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentsResponse) obj; - boolean result = true; - result = result && getEnrollmentsList() - .equals(other.getEnrollmentsList()); - result = result && unknownFields.equals(other.unknownFields); - return result; + if (!getEnrollmentsList() + .equals(other.getEnrollmentsList())) return false; + if (!unknownFields.equals(other.unknownFields)) return false; + return true; } @java.lang.Override @@ -6136,7 +6131,7 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentsResponse buildPartial() ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentsResponse result = new ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentsResponse(this); int from_bitField0_ = bitField0_; if (enrollmentsBuilder_ == null) { - if (((bitField0_ & 0x00000001) == 0x00000001)) { + if (((bitField0_ & 0x00000001) != 0)) { enrollments_ = java.util.Collections.unmodifiableList(enrollments_); bitField0_ = (bitField0_ & ~0x00000001); } @@ -6150,35 +6145,35 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentsResponse buildPartial() @java.lang.Override public Builder clone() { - return (Builder) super.clone(); + return super.clone(); } @java.lang.Override public Builder setField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.setField(field, value); + return super.setField(field, value); } @java.lang.Override public Builder clearField( com.google.protobuf.Descriptors.FieldDescriptor field) { - return (Builder) super.clearField(field); + return super.clearField(field); } @java.lang.Override public Builder clearOneof( com.google.protobuf.Descriptors.OneofDescriptor oneof) { - return (Builder) super.clearOneof(oneof); + return super.clearOneof(oneof); } @java.lang.Override public Builder setRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, int index, java.lang.Object value) { - return (Builder) super.setRepeatedField(field, index, value); + return super.setRepeatedField(field, index, value); } @java.lang.Override public Builder addRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.addRepeatedField(field, value); + return super.addRepeatedField(field, value); } @java.lang.Override public Builder mergeFrom(com.google.protobuf.Message other) { @@ -6256,7 +6251,7 @@ public Builder mergeFrom( private java.util.List enrollments_ = java.util.Collections.emptyList(); private void ensureEnrollmentsIsMutable() { - if (!((bitField0_ & 0x00000001) == 0x00000001)) { + if (!((bitField0_ & 0x00000001) != 0)) { enrollments_ = new java.util.ArrayList(enrollments_); bitField0_ |= 0x00000001; } @@ -6485,7 +6480,7 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentInfo.Builder addEnrollmen enrollmentsBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3< ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentInfo, ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentInfo.Builder, ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentInfoOrBuilder>( enrollments_, - ((bitField0_ & 0x00000001) == 0x00000001), + ((bitField0_ & 0x00000001) != 0), getParentForChildren(), isClean()); enrollments_ = null; @@ -6688,7 +6683,7 @@ private EnrollmentInfo( * required string type = 1; */ public boolean hasType() { - return ((bitField0_ & 0x00000001) == 0x00000001); + return ((bitField0_ & 0x00000001) != 0); } /** * required string type = 1; @@ -6730,7 +6725,7 @@ public java.lang.String getType() { * required string issuer = 2; */ public boolean hasIssuer() { - return ((bitField0_ & 0x00000002) == 0x00000002); + return ((bitField0_ & 0x00000002) != 0); } /** * required string issuer = 2; @@ -6772,7 +6767,7 @@ public java.lang.String getIssuer() { * required bytes public = 3; */ public boolean hasPublic() { - return ((bitField0_ & 0x00000004) == 0x00000004); + return ((bitField0_ & 0x00000004) != 0); } /** * required bytes public = 3; @@ -6807,13 +6802,13 @@ public final boolean isInitialized() { @java.lang.Override public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io.IOException { - if (((bitField0_ & 0x00000001) == 0x00000001)) { + if (((bitField0_ & 0x00000001) != 0)) { com.google.protobuf.GeneratedMessageV3.writeString(output, 1, type_); } - if (((bitField0_ & 0x00000002) == 0x00000002)) { + if (((bitField0_ & 0x00000002) != 0)) { com.google.protobuf.GeneratedMessageV3.writeString(output, 2, issuer_); } - if (((bitField0_ & 0x00000004) == 0x00000004)) { + if (((bitField0_ & 0x00000004) != 0)) { output.writeBytes(3, public_); } unknownFields.writeTo(output); @@ -6825,13 +6820,13 @@ public int getSerializedSize() { if (size != -1) return size; size = 0; - if (((bitField0_ & 0x00000001) == 0x00000001)) { + if (((bitField0_ & 0x00000001) != 0)) { size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, type_); } - if (((bitField0_ & 0x00000002) == 0x00000002)) { + if (((bitField0_ & 0x00000002) != 0)) { size += com.google.protobuf.GeneratedMessageV3.computeStringSize(2, issuer_); } - if (((bitField0_ & 0x00000004) == 0x00000004)) { + if (((bitField0_ & 0x00000004) != 0)) { size += com.google.protobuf.CodedOutputStream .computeBytesSize(3, public_); } @@ -6850,24 +6845,23 @@ public boolean equals(final java.lang.Object obj) { } ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentInfo other = (ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentInfo) obj; - boolean result = true; - result = result && (hasType() == other.hasType()); + if (hasType() != other.hasType()) return false; if (hasType()) { - result = result && getType() - .equals(other.getType()); + if (!getType() + .equals(other.getType())) return false; } - result = result && (hasIssuer() == other.hasIssuer()); + if (hasIssuer() != other.hasIssuer()) return false; if (hasIssuer()) { - result = result && getIssuer() - .equals(other.getIssuer()); + if (!getIssuer() + .equals(other.getIssuer())) return false; } - result = result && (hasPublic() == other.hasPublic()); + if (hasPublic() != other.hasPublic()) return false; if (hasPublic()) { - result = result && getPublic() - .equals(other.getPublic()); + if (!getPublic() + .equals(other.getPublic())) return false; } - result = result && unknownFields.equals(other.unknownFields); - return result; + if (!unknownFields.equals(other.unknownFields)) return false; + return true; } @java.lang.Override @@ -7060,15 +7054,15 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentInfo buildPartial() { ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentInfo result = new ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentInfo(this); int from_bitField0_ = bitField0_; int to_bitField0_ = 0; - if (((from_bitField0_ & 0x00000001) == 0x00000001)) { + if (((from_bitField0_ & 0x00000001) != 0)) { to_bitField0_ |= 0x00000001; } result.type_ = type_; - if (((from_bitField0_ & 0x00000002) == 0x00000002)) { + if (((from_bitField0_ & 0x00000002) != 0)) { to_bitField0_ |= 0x00000002; } result.issuer_ = issuer_; - if (((from_bitField0_ & 0x00000004) == 0x00000004)) { + if (((from_bitField0_ & 0x00000004) != 0)) { to_bitField0_ |= 0x00000004; } result.public_ = public_; @@ -7079,35 +7073,35 @@ public ch.epfl.dedis.lib.proto.AuthProxProto.EnrollmentInfo buildPartial() { @java.lang.Override public Builder clone() { - return (Builder) super.clone(); + return super.clone(); } @java.lang.Override public Builder setField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.setField(field, value); + return super.setField(field, value); } @java.lang.Override public Builder clearField( com.google.protobuf.Descriptors.FieldDescriptor field) { - return (Builder) super.clearField(field); + return super.clearField(field); } @java.lang.Override public Builder clearOneof( com.google.protobuf.Descriptors.OneofDescriptor oneof) { - return (Builder) super.clearOneof(oneof); + return super.clearOneof(oneof); } @java.lang.Override public Builder setRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, int index, java.lang.Object value) { - return (Builder) super.setRepeatedField(field, index, value); + return super.setRepeatedField(field, index, value); } @java.lang.Override public Builder addRepeatedField( com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) { - return (Builder) super.addRepeatedField(field, value); + return super.addRepeatedField(field, value); } @java.lang.Override public Builder mergeFrom(com.google.protobuf.Message other) { @@ -7178,7 +7172,7 @@ public Builder mergeFrom( * required string type = 1; */ public boolean hasType() { - return ((bitField0_ & 0x00000001) == 0x00000001); + return ((bitField0_ & 0x00000001) != 0); } /** * required string type = 1; @@ -7254,7 +7248,7 @@ public Builder setTypeBytes( * required string issuer = 2; */ public boolean hasIssuer() { - return ((bitField0_ & 0x00000002) == 0x00000002); + return ((bitField0_ & 0x00000002) != 0); } /** * required string issuer = 2; @@ -7330,7 +7324,7 @@ public Builder setIssuerBytes( * required bytes public = 3; */ public boolean hasPublic() { - return ((bitField0_ & 0x00000004) == 0x00000004); + return ((bitField0_ & 0x00000004) != 0); } /** * required bytes public = 3; diff --git a/external/java/src/main/java/ch/epfl/dedis/lib/proto/ByzCoinProto.java b/external/java/src/main/java/ch/epfl/dedis/lib/proto/ByzCoinProto.java index c73c1af38b..058d238cd8 100644 --- a/external/java/src/main/java/ch/epfl/dedis/lib/proto/ByzCoinProto.java +++ b/external/java/src/main/java/ch/epfl/dedis/lib/proto/ByzCoinProto.java @@ -110,7 +110,6 @@ private DataHeader() { trieroot_ = com.google.protobuf.ByteString.EMPTY; clienttransactionhash_ = com.google.protobuf.ByteString.EMPTY; statechangeshash_ = com.google.protobuf.ByteString.EMPTY; - timestamp_ = 0L; } @java.lang.Override @@ -201,7 +200,7 @@ private DataHeader( * required bytes trieroot = 1; */ public boolean hasTrieroot() { - return ((bitField0_ & 0x00000001) == 0x00000001); + return ((bitField0_ & 0x00000001) != 0); } /** * 
@@ -225,7 +224,7 @@ public com.google.protobuf.ByteString getTrieroot() {
      * required bytes clienttransactionhash = 2;
      */
     public boolean hasClienttransactionhash() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -249,7 +248,7 @@ public com.google.protobuf.ByteString getClienttransactionhash() {
      * required bytes statechangeshash = 3;
      */
     public boolean hasStatechangeshash() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -273,7 +272,7 @@ public com.google.protobuf.ByteString getStatechangeshash() {
      * required sint64 timestamp = 4;
      */
     public boolean hasTimestamp() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * 
@@ -316,16 +315,16 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, trieroot_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, clienttransactionhash_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeBytes(3, statechangeshash_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeSInt64(4, timestamp_);
       }
       unknownFields.writeTo(output);
@@ -337,19 +336,19 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, trieroot_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, clienttransactionhash_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, statechangeshash_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt64Size(4, timestamp_);
       }
@@ -368,29 +367,28 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.DataHeader other = (ch.epfl.dedis.lib.proto.ByzCoinProto.DataHeader) obj;
 
-      boolean result = true;
-      result = result && (hasTrieroot() == other.hasTrieroot());
+      if (hasTrieroot() != other.hasTrieroot()) return false;
       if (hasTrieroot()) {
-        result = result && getTrieroot()
-            .equals(other.getTrieroot());
+        if (!getTrieroot()
+            .equals(other.getTrieroot())) return false;
       }
-      result = result && (hasClienttransactionhash() == other.hasClienttransactionhash());
+      if (hasClienttransactionhash() != other.hasClienttransactionhash()) return false;
       if (hasClienttransactionhash()) {
-        result = result && getClienttransactionhash()
-            .equals(other.getClienttransactionhash());
+        if (!getClienttransactionhash()
+            .equals(other.getClienttransactionhash())) return false;
       }
-      result = result && (hasStatechangeshash() == other.hasStatechangeshash());
+      if (hasStatechangeshash() != other.hasStatechangeshash()) return false;
       if (hasStatechangeshash()) {
-        result = result && getStatechangeshash()
-            .equals(other.getStatechangeshash());
+        if (!getStatechangeshash()
+            .equals(other.getStatechangeshash())) return false;
       }
-      result = result && (hasTimestamp() == other.hasTimestamp());
+      if (hasTimestamp() != other.hasTimestamp()) return false;
       if (hasTimestamp()) {
-        result = result && (getTimestamp()
-            == other.getTimestamp());
+        if (getTimestamp()
+            != other.getTimestamp()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -590,22 +588,22 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DataHeader buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.DataHeader result = new ch.epfl.dedis.lib.proto.ByzCoinProto.DataHeader(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.trieroot_ = trieroot_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.clienttransactionhash_ = clienttransactionhash_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.statechangeshash_ = statechangeshash_;
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
+          result.timestamp_ = timestamp_;
           to_bitField0_ |= 0x00000008;
         }
-        result.timestamp_ = timestamp_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -613,35 +611,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DataHeader buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -719,7 +717,7 @@ public Builder mergeFrom(
        * required bytes trieroot = 1;
        */
       public boolean hasTrieroot() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -773,7 +771,7 @@ public Builder clearTrieroot() {
        * required bytes clienttransactionhash = 2;
        */
       public boolean hasClienttransactionhash() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -825,7 +823,7 @@ public Builder clearClienttransactionhash() {
        * required bytes statechangeshash = 3;
        */
       public boolean hasStatechangeshash() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -879,7 +877,7 @@ public Builder clearStatechangeshash() {
        * required sint64 timestamp = 4;
        */
       public boolean hasTimestamp() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * 
@@ -1044,7 +1042,7 @@ private DataBody(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 txresults_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -1067,7 +1065,7 @@ private DataBody(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           txresults_ = java.util.Collections.unmodifiableList(txresults_);
         }
         this.unknownFields = unknownFields.build();
@@ -1173,11 +1171,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.DataBody other = (ch.epfl.dedis.lib.proto.ByzCoinProto.DataBody) obj;
 
-      boolean result = true;
-      result = result && getTxresultsList()
-          .equals(other.getTxresultsList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getTxresultsList()
+          .equals(other.getTxresultsList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -1364,7 +1361,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DataBody buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.DataBody result = new ch.epfl.dedis.lib.proto.ByzCoinProto.DataBody(this);
         int from_bitField0_ = bitField0_;
         if (txresultsBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             txresults_ = java.util.Collections.unmodifiableList(txresults_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -1378,35 +1375,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DataBody buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -1484,7 +1481,7 @@ public Builder mergeFrom(
       private java.util.List txresults_ =
         java.util.Collections.emptyList();
       private void ensureTxresultsIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           txresults_ = new java.util.ArrayList(txresults_);
           bitField0_ |= 0x00000001;
          }
@@ -1713,7 +1710,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.TxResult.Builder addTxresultsBuilder
           txresultsBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.ByzCoinProto.TxResult, ch.epfl.dedis.lib.proto.ByzCoinProto.TxResult.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.TxResultOrBuilder>(
                   txresults_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           txresults_ = null;
@@ -1934,9 +1931,6 @@ private CreateGenesisBlock(com.google.protobuf.GeneratedMessageV3.Builder bui
       super(builder);
     }
     private CreateGenesisBlock() {
-      version_ = 0;
-      blockinterval_ = 0L;
-      maxblocksize_ = 0;
       darccontractids_ = com.google.protobuf.LazyStringArrayList.EMPTY;
     }
 
@@ -1971,7 +1965,7 @@ private CreateGenesisBlock(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = roster_.toBuilder();
               }
               roster_ = input.readMessage(ch.epfl.dedis.lib.proto.OnetProto.Roster.parser(), extensionRegistry);
@@ -1984,7 +1978,7 @@ private CreateGenesisBlock(
             }
             case 26: {
               ch.epfl.dedis.lib.proto.DarcProto.Darc.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000004) == 0x00000004)) {
+              if (((bitField0_ & 0x00000004) != 0)) {
                 subBuilder = genesisdarc_.toBuilder();
               }
               genesisdarc_ = input.readMessage(ch.epfl.dedis.lib.proto.DarcProto.Darc.parser(), extensionRegistry);
@@ -2007,7 +2001,7 @@ private CreateGenesisBlock(
             }
             case 50: {
               com.google.protobuf.ByteString bs = input.readBytes();
-              if (!((mutable_bitField0_ & 0x00000020) == 0x00000020)) {
+              if (!((mutable_bitField0_ & 0x00000020) != 0)) {
                 darccontractids_ = new com.google.protobuf.LazyStringArrayList();
                 mutable_bitField0_ |= 0x00000020;
               }
@@ -2029,7 +2023,7 @@ private CreateGenesisBlock(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000020) == 0x00000020)) {
+        if (((mutable_bitField0_ & 0x00000020) != 0)) {
           darccontractids_ = darccontractids_.getUnmodifiableView();
         }
         this.unknownFields = unknownFields.build();
@@ -2060,7 +2054,7 @@ private CreateGenesisBlock(
      * required sint32 version = 1;
      */
     public boolean hasVersion() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -2083,7 +2077,7 @@ public int getVersion() {
      * required .onet.Roster roster = 2;
      */
     public boolean hasRoster() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -2116,7 +2110,7 @@ public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getRosterOrBuilder() {
      * required .darc.Darc genesisdarc = 3;
      */
     public boolean hasGenesisdarc() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -2149,7 +2143,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.DarcOrBuilder getGenesisdarcOrBuilder()
      * required sint64 blockinterval = 4;
      */
     public boolean hasBlockinterval() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * 
@@ -2172,7 +2166,7 @@ public long getBlockinterval() {
      * optional sint32 maxblocksize = 5;
      */
     public boolean hasMaxblocksize() {
-      return ((bitField0_ & 0x00000010) == 0x00000010);
+      return ((bitField0_ & 0x00000010) != 0);
     }
     /**
      * 
@@ -2272,19 +2266,19 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeSInt32(1, version_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getRoster());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeMessage(3, getGenesisdarc());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeSInt64(4, blockinterval_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         output.writeSInt32(5, maxblocksize_);
       }
       for (int i = 0; i < darccontractids_.size(); i++) {
@@ -2299,23 +2293,23 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(1, version_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getRoster());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(3, getGenesisdarc());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt64Size(4, blockinterval_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(5, maxblocksize_);
       }
@@ -2342,36 +2336,35 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.CreateGenesisBlock other = (ch.epfl.dedis.lib.proto.ByzCoinProto.CreateGenesisBlock) obj;
 
-      boolean result = true;
-      result = result && (hasVersion() == other.hasVersion());
+      if (hasVersion() != other.hasVersion()) return false;
       if (hasVersion()) {
-        result = result && (getVersion()
-            == other.getVersion());
+        if (getVersion()
+            != other.getVersion()) return false;
       }
-      result = result && (hasRoster() == other.hasRoster());
+      if (hasRoster() != other.hasRoster()) return false;
       if (hasRoster()) {
-        result = result && getRoster()
-            .equals(other.getRoster());
+        if (!getRoster()
+            .equals(other.getRoster())) return false;
       }
-      result = result && (hasGenesisdarc() == other.hasGenesisdarc());
+      if (hasGenesisdarc() != other.hasGenesisdarc()) return false;
       if (hasGenesisdarc()) {
-        result = result && getGenesisdarc()
-            .equals(other.getGenesisdarc());
+        if (!getGenesisdarc()
+            .equals(other.getGenesisdarc())) return false;
       }
-      result = result && (hasBlockinterval() == other.hasBlockinterval());
+      if (hasBlockinterval() != other.hasBlockinterval()) return false;
       if (hasBlockinterval()) {
-        result = result && (getBlockinterval()
-            == other.getBlockinterval());
+        if (getBlockinterval()
+            != other.getBlockinterval()) return false;
       }
-      result = result && (hasMaxblocksize() == other.hasMaxblocksize());
+      if (hasMaxblocksize() != other.hasMaxblocksize()) return false;
       if (hasMaxblocksize()) {
-        result = result && (getMaxblocksize()
-            == other.getMaxblocksize());
+        if (getMaxblocksize()
+            != other.getMaxblocksize()) return false;
       }
-      result = result && getDarccontractidsList()
-          .equals(other.getDarccontractidsList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getDarccontractidsList()
+          .equals(other.getDarccontractidsList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -2593,35 +2586,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CreateGenesisBlock buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.CreateGenesisBlock result = new ch.epfl.dedis.lib.proto.ByzCoinProto.CreateGenesisBlock(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.version_ = version_;
           to_bitField0_ |= 0x00000001;
         }
-        result.version_ = version_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (rosterBuilder_ == null) {
+            result.roster_ = roster_;
+          } else {
+            result.roster_ = rosterBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (rosterBuilder_ == null) {
-          result.roster_ = roster_;
-        } else {
-          result.roster_ = rosterBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          if (genesisdarcBuilder_ == null) {
+            result.genesisdarc_ = genesisdarc_;
+          } else {
+            result.genesisdarc_ = genesisdarcBuilder_.build();
+          }
           to_bitField0_ |= 0x00000004;
         }
-        if (genesisdarcBuilder_ == null) {
-          result.genesisdarc_ = genesisdarc_;
-        } else {
-          result.genesisdarc_ = genesisdarcBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
+          result.blockinterval_ = blockinterval_;
           to_bitField0_ |= 0x00000008;
         }
-        result.blockinterval_ = blockinterval_;
-        if (((from_bitField0_ & 0x00000010) == 0x00000010)) {
+        if (((from_bitField0_ & 0x00000010) != 0)) {
+          result.maxblocksize_ = maxblocksize_;
           to_bitField0_ |= 0x00000010;
         }
-        result.maxblocksize_ = maxblocksize_;
-        if (((bitField0_ & 0x00000020) == 0x00000020)) {
+        if (((bitField0_ & 0x00000020) != 0)) {
           darccontractids_ = darccontractids_.getUnmodifiableView();
           bitField0_ = (bitField0_ & ~0x00000020);
         }
@@ -2633,35 +2626,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CreateGenesisBlock buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -2757,7 +2750,7 @@ public Builder mergeFrom(
        * required sint32 version = 1;
        */
       public boolean hasVersion() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -2796,7 +2789,7 @@ public Builder clearVersion() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.OnetProto.Roster roster_ = null;
+      private ch.epfl.dedis.lib.proto.OnetProto.Roster roster_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.OnetProto.Roster, ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder, ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder> rosterBuilder_;
       /**
@@ -2807,7 +2800,7 @@ public Builder clearVersion() {
        * required .onet.Roster roster = 2;
        */
       public boolean hasRoster() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -2870,7 +2863,7 @@ public Builder setRoster(
        */
       public Builder mergeRoster(ch.epfl.dedis.lib.proto.OnetProto.Roster value) {
         if (rosterBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               roster_ != null &&
               roster_ != ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance()) {
             roster_ =
@@ -2950,7 +2943,7 @@ public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getRosterOrBuilder() {
         return rosterBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.DarcProto.Darc genesisdarc_ = null;
+      private ch.epfl.dedis.lib.proto.DarcProto.Darc genesisdarc_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.DarcProto.Darc, ch.epfl.dedis.lib.proto.DarcProto.Darc.Builder, ch.epfl.dedis.lib.proto.DarcProto.DarcOrBuilder> genesisdarcBuilder_;
       /**
@@ -2961,7 +2954,7 @@ public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getRosterOrBuilder() {
        * required .darc.Darc genesisdarc = 3;
        */
       public boolean hasGenesisdarc() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -3024,7 +3017,7 @@ public Builder setGenesisdarc(
        */
       public Builder mergeGenesisdarc(ch.epfl.dedis.lib.proto.DarcProto.Darc value) {
         if (genesisdarcBuilder_ == null) {
-          if (((bitField0_ & 0x00000004) == 0x00000004) &&
+          if (((bitField0_ & 0x00000004) != 0) &&
               genesisdarc_ != null &&
               genesisdarc_ != ch.epfl.dedis.lib.proto.DarcProto.Darc.getDefaultInstance()) {
             genesisdarc_ =
@@ -3113,7 +3106,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.DarcOrBuilder getGenesisdarcOrBuilder()
        * required sint64 blockinterval = 4;
        */
       public boolean hasBlockinterval() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * 
@@ -3161,7 +3154,7 @@ public Builder clearBlockinterval() {
        * optional sint32 maxblocksize = 5;
        */
       public boolean hasMaxblocksize() {
-        return ((bitField0_ & 0x00000010) == 0x00000010);
+        return ((bitField0_ & 0x00000010) != 0);
       }
       /**
        * 
@@ -3202,7 +3195,7 @@ public Builder clearMaxblocksize() {
 
       private com.google.protobuf.LazyStringList darccontractids_ = com.google.protobuf.LazyStringArrayList.EMPTY;
       private void ensureDarccontractidsIsMutable() {
-        if (!((bitField0_ & 0x00000020) == 0x00000020)) {
+        if (!((bitField0_ & 0x00000020) != 0)) {
           darccontractids_ = new com.google.protobuf.LazyStringArrayList(darccontractids_);
           bitField0_ |= 0x00000020;
          }
@@ -3453,7 +3446,6 @@ private CreateGenesisBlockResponse(com.google.protobuf.GeneratedMessageV3.Builde
       super(builder);
     }
     private CreateGenesisBlockResponse() {
-      version_ = 0;
     }
 
     @java.lang.Override
@@ -3487,7 +3479,7 @@ private CreateGenesisBlockResponse(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = skipblock_.toBuilder();
               }
               skipblock_ = input.readMessage(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.parser(), extensionRegistry);
@@ -3541,7 +3533,7 @@ private CreateGenesisBlockResponse(
      * required sint32 version = 1;
      */
     public boolean hasVersion() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -3564,7 +3556,7 @@ public int getVersion() {
      * optional .skipchain.SkipBlock skipblock = 2;
      */
     public boolean hasSkipblock() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -3611,10 +3603,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeSInt32(1, version_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getSkipblock());
       }
       unknownFields.writeTo(output);
@@ -3626,11 +3618,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(1, version_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getSkipblock());
       }
@@ -3649,19 +3641,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.CreateGenesisBlockResponse other = (ch.epfl.dedis.lib.proto.ByzCoinProto.CreateGenesisBlockResponse) obj;
 
-      boolean result = true;
-      result = result && (hasVersion() == other.hasVersion());
+      if (hasVersion() != other.hasVersion()) return false;
       if (hasVersion()) {
-        result = result && (getVersion()
-            == other.getVersion());
+        if (getVersion()
+            != other.getVersion()) return false;
       }
-      result = result && (hasSkipblock() == other.hasSkipblock());
+      if (hasSkipblock() != other.hasSkipblock()) return false;
       if (hasSkipblock()) {
-        result = result && getSkipblock()
-            .equals(other.getSkipblock());
+        if (!getSkipblock()
+            .equals(other.getSkipblock())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -3853,18 +3844,18 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CreateGenesisBlockResponse buildPart
         ch.epfl.dedis.lib.proto.ByzCoinProto.CreateGenesisBlockResponse result = new ch.epfl.dedis.lib.proto.ByzCoinProto.CreateGenesisBlockResponse(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.version_ = version_;
           to_bitField0_ |= 0x00000001;
         }
-        result.version_ = version_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (skipblockBuilder_ == null) {
+            result.skipblock_ = skipblock_;
+          } else {
+            result.skipblock_ = skipblockBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (skipblockBuilder_ == null) {
-          result.skipblock_ = skipblock_;
-        } else {
-          result.skipblock_ = skipblockBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -3872,35 +3863,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CreateGenesisBlockResponse buildPart
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -3967,7 +3958,7 @@ public Builder mergeFrom(
        * required sint32 version = 1;
        */
       public boolean hasVersion() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -4006,7 +3997,7 @@ public Builder clearVersion() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock skipblock_ = null;
+      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock skipblock_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder> skipblockBuilder_;
       /**
@@ -4017,7 +4008,7 @@ public Builder clearVersion() {
        * optional .skipchain.SkipBlock skipblock = 2;
        */
       public boolean hasSkipblock() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -4080,7 +4071,7 @@ public Builder setSkipblock(
        */
       public Builder mergeSkipblock(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock value) {
         if (skipblockBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               skipblock_ != null &&
               skipblock_ != ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.getDefaultInstance()) {
             skipblock_ =
@@ -4311,9 +4302,7 @@ private AddTxRequest(com.google.protobuf.GeneratedMessageV3.Builder builder)
       super(builder);
     }
     private AddTxRequest() {
-      version_ = 0;
       skipchainid_ = com.google.protobuf.ByteString.EMPTY;
-      inclusionwait_ = 0;
     }
 
     @java.lang.Override
@@ -4352,7 +4341,7 @@ private AddTxRequest(
             }
             case 26: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000004) == 0x00000004)) {
+              if (((bitField0_ & 0x00000004) != 0)) {
                 subBuilder = transaction_.toBuilder();
               }
               transaction_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction.parser(), extensionRegistry);
@@ -4411,7 +4400,7 @@ private AddTxRequest(
      * required sint32 version = 1;
      */
     public boolean hasVersion() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -4434,7 +4423,7 @@ public int getVersion() {
      * required bytes skipchainid = 2;
      */
     public boolean hasSkipchainid() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -4457,7 +4446,7 @@ public com.google.protobuf.ByteString getSkipchainid() {
      * required .byzcoin.ClientTransaction transaction = 3;
      */
     public boolean hasTransaction() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -4491,7 +4480,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransactionOrBuilder getTransa
      * optional sint32 inclusionwait = 4;
      */
     public boolean hasInclusionwait() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * 
@@ -4535,16 +4524,16 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeSInt32(1, version_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, skipchainid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeMessage(3, getTransaction());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeSInt32(4, inclusionwait_);
       }
       unknownFields.writeTo(output);
@@ -4556,19 +4545,19 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(1, version_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, skipchainid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(3, getTransaction());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(4, inclusionwait_);
       }
@@ -4587,29 +4576,28 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.AddTxRequest other = (ch.epfl.dedis.lib.proto.ByzCoinProto.AddTxRequest) obj;
 
-      boolean result = true;
-      result = result && (hasVersion() == other.hasVersion());
+      if (hasVersion() != other.hasVersion()) return false;
       if (hasVersion()) {
-        result = result && (getVersion()
-            == other.getVersion());
+        if (getVersion()
+            != other.getVersion()) return false;
       }
-      result = result && (hasSkipchainid() == other.hasSkipchainid());
+      if (hasSkipchainid() != other.hasSkipchainid()) return false;
       if (hasSkipchainid()) {
-        result = result && getSkipchainid()
-            .equals(other.getSkipchainid());
+        if (!getSkipchainid()
+            .equals(other.getSkipchainid())) return false;
       }
-      result = result && (hasTransaction() == other.hasTransaction());
+      if (hasTransaction() != other.hasTransaction()) return false;
       if (hasTransaction()) {
-        result = result && getTransaction()
-            .equals(other.getTransaction());
+        if (!getTransaction()
+            .equals(other.getTransaction())) return false;
       }
-      result = result && (hasInclusionwait() == other.hasInclusionwait());
+      if (hasInclusionwait() != other.hasInclusionwait()) return false;
       if (hasInclusionwait()) {
-        result = result && (getInclusionwait()
-            == other.getInclusionwait());
+        if (getInclusionwait()
+            != other.getInclusionwait()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -4813,26 +4801,26 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.AddTxRequest buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.AddTxRequest result = new ch.epfl.dedis.lib.proto.ByzCoinProto.AddTxRequest(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.version_ = version_;
           to_bitField0_ |= 0x00000001;
         }
-        result.version_ = version_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.skipchainid_ = skipchainid_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          if (transactionBuilder_ == null) {
+            result.transaction_ = transaction_;
+          } else {
+            result.transaction_ = transactionBuilder_.build();
+          }
           to_bitField0_ |= 0x00000004;
         }
-        if (transactionBuilder_ == null) {
-          result.transaction_ = transaction_;
-        } else {
-          result.transaction_ = transactionBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
+          result.inclusionwait_ = inclusionwait_;
           to_bitField0_ |= 0x00000008;
         }
-        result.inclusionwait_ = inclusionwait_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -4840,35 +4828,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.AddTxRequest buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -4945,7 +4933,7 @@ public Builder mergeFrom(
        * required sint32 version = 1;
        */
       public boolean hasVersion() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -4993,7 +4981,7 @@ public Builder clearVersion() {
        * required bytes skipchainid = 2;
        */
       public boolean hasSkipchainid() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -5035,7 +5023,7 @@ public Builder clearSkipchainid() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction transaction_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction transaction_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction, ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransactionOrBuilder> transactionBuilder_;
       /**
@@ -5046,7 +5034,7 @@ public Builder clearSkipchainid() {
        * required .byzcoin.ClientTransaction transaction = 3;
        */
       public boolean hasTransaction() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -5109,7 +5097,7 @@ public Builder setTransaction(
        */
       public Builder mergeTransaction(ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction value) {
         if (transactionBuilder_ == null) {
-          if (((bitField0_ & 0x00000004) == 0x00000004) &&
+          if (((bitField0_ & 0x00000004) != 0) &&
               transaction_ != null &&
               transaction_ != ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction.getDefaultInstance()) {
             transaction_ =
@@ -5199,7 +5187,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransactionOrBuilder getTransa
        * optional sint32 inclusionwait = 4;
        */
       public boolean hasInclusionwait() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * 
@@ -5331,7 +5319,6 @@ private AddTxResponse(com.google.protobuf.GeneratedMessageV3.Builder builder)
       super(builder);
     }
     private AddTxResponse() {
-      version_ = 0;
     }
 
     @java.lang.Override
@@ -5406,7 +5393,7 @@ private AddTxResponse(
      * required sint32 version = 1;
      */
     public boolean hasVersion() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -5437,7 +5424,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeSInt32(1, version_);
       }
       unknownFields.writeTo(output);
@@ -5449,7 +5436,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(1, version_);
       }
@@ -5468,14 +5455,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.AddTxResponse other = (ch.epfl.dedis.lib.proto.ByzCoinProto.AddTxResponse) obj;
 
-      boolean result = true;
-      result = result && (hasVersion() == other.hasVersion());
+      if (hasVersion() != other.hasVersion()) return false;
       if (hasVersion()) {
-        result = result && (getVersion()
-            == other.getVersion());
+        if (getVersion()
+            != other.getVersion()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -5656,10 +5642,10 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.AddTxResponse buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.AddTxResponse result = new ch.epfl.dedis.lib.proto.ByzCoinProto.AddTxResponse(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.version_ = version_;
           to_bitField0_ |= 0x00000001;
         }
-        result.version_ = version_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -5667,35 +5653,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.AddTxResponse buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -5754,7 +5740,7 @@ public Builder mergeFrom(
        * required sint32 version = 1;
        */
       public boolean hasVersion() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -5919,7 +5905,6 @@ private GetProof(com.google.protobuf.GeneratedMessageV3.Builder builder) {
       super(builder);
     }
     private GetProof() {
-      version_ = 0;
       key_ = com.google.protobuf.ByteString.EMPTY;
       id_ = com.google.protobuf.ByteString.EMPTY;
     }
@@ -6006,7 +5991,7 @@ private GetProof(
      * required sint32 version = 1;
      */
     public boolean hasVersion() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -6029,7 +6014,7 @@ public int getVersion() {
      * required bytes key = 2;
      */
     public boolean hasKey() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -6053,7 +6038,7 @@ public com.google.protobuf.ByteString getKey() {
      * required bytes id = 3;
      */
     public boolean hasId() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -6093,13 +6078,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeSInt32(1, version_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, key_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeBytes(3, id_);
       }
       unknownFields.writeTo(output);
@@ -6111,15 +6096,15 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(1, version_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, key_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, id_);
       }
@@ -6138,24 +6123,23 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.GetProof other = (ch.epfl.dedis.lib.proto.ByzCoinProto.GetProof) obj;
 
-      boolean result = true;
-      result = result && (hasVersion() == other.hasVersion());
+      if (hasVersion() != other.hasVersion()) return false;
       if (hasVersion()) {
-        result = result && (getVersion()
-            == other.getVersion());
+        if (getVersion()
+            != other.getVersion()) return false;
       }
-      result = result && (hasKey() == other.hasKey());
+      if (hasKey() != other.hasKey()) return false;
       if (hasKey()) {
-        result = result && getKey()
-            .equals(other.getKey());
+        if (!getKey()
+            .equals(other.getKey())) return false;
       }
-      result = result && (hasId() == other.hasId());
+      if (hasId() != other.hasId()) return false;
       if (hasId()) {
-        result = result && getId()
-            .equals(other.getId());
+        if (!getId()
+            .equals(other.getId())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -6348,15 +6332,15 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetProof buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.GetProof result = new ch.epfl.dedis.lib.proto.ByzCoinProto.GetProof(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.version_ = version_;
           to_bitField0_ |= 0x00000001;
         }
-        result.version_ = version_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.key_ = key_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.id_ = id_;
@@ -6367,35 +6351,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetProof buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -6466,7 +6450,7 @@ public Builder mergeFrom(
        * required sint32 version = 1;
        */
       public boolean hasVersion() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -6514,7 +6498,7 @@ public Builder clearVersion() {
        * required bytes key = 2;
        */
       public boolean hasKey() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -6566,7 +6550,7 @@ public Builder clearKey() {
        * required bytes id = 3;
        */
       public boolean hasId() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -6730,7 +6714,6 @@ private GetProofResponse(com.google.protobuf.GeneratedMessageV3.Builder build
       super(builder);
     }
     private GetProofResponse() {
-      version_ = 0;
     }
 
     @java.lang.Override
@@ -6764,7 +6747,7 @@ private GetProofResponse(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = proof_.toBuilder();
               }
               proof_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.parser(), extensionRegistry);
@@ -6818,7 +6801,7 @@ private GetProofResponse(
      * required sint32 version = 1;
      */
     public boolean hasVersion() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -6842,7 +6825,7 @@ public int getVersion() {
      * required .byzcoin.Proof proof = 2;
      */
     public boolean hasProof() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -6893,10 +6876,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeSInt32(1, version_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getProof());
       }
       unknownFields.writeTo(output);
@@ -6908,11 +6891,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(1, version_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getProof());
       }
@@ -6931,19 +6914,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.GetProofResponse other = (ch.epfl.dedis.lib.proto.ByzCoinProto.GetProofResponse) obj;
 
-      boolean result = true;
-      result = result && (hasVersion() == other.hasVersion());
+      if (hasVersion() != other.hasVersion()) return false;
       if (hasVersion()) {
-        result = result && (getVersion()
-            == other.getVersion());
+        if (getVersion()
+            != other.getVersion()) return false;
       }
-      result = result && (hasProof() == other.hasProof());
+      if (hasProof() != other.hasProof()) return false;
       if (hasProof()) {
-        result = result && getProof()
-            .equals(other.getProof());
+        if (!getProof()
+            .equals(other.getProof())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -7136,18 +7118,18 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetProofResponse buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.GetProofResponse result = new ch.epfl.dedis.lib.proto.ByzCoinProto.GetProofResponse(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.version_ = version_;
           to_bitField0_ |= 0x00000001;
         }
-        result.version_ = version_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (proofBuilder_ == null) {
+            result.proof_ = proof_;
+          } else {
+            result.proof_ = proofBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (proofBuilder_ == null) {
-          result.proof_ = proof_;
-        } else {
-          result.proof_ = proofBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -7155,35 +7137,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetProofResponse buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -7251,7 +7233,7 @@ public Builder mergeFrom(
        * required sint32 version = 1;
        */
       public boolean hasVersion() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -7290,7 +7272,7 @@ public Builder clearVersion() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.Proof proof_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.Proof proof_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.Proof, ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.ProofOrBuilder> proofBuilder_;
       /**
@@ -7302,7 +7284,7 @@ public Builder clearVersion() {
        * required .byzcoin.Proof proof = 2;
        */
       public boolean hasProof() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -7369,7 +7351,7 @@ public Builder setProof(
        */
       public Builder mergeProof(ch.epfl.dedis.lib.proto.ByzCoinProto.Proof value) {
         if (proofBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               proof_ != null &&
               proof_ != ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.getDefaultInstance()) {
             proof_ =
@@ -7622,7 +7604,6 @@ private CheckAuthorization(com.google.protobuf.GeneratedMessageV3.Builder bui
       super(builder);
     }
     private CheckAuthorization() {
-      version_ = 0;
       byzcoinid_ = com.google.protobuf.ByteString.EMPTY;
       darcid_ = com.google.protobuf.ByteString.EMPTY;
       identities_ = java.util.Collections.emptyList();
@@ -7668,7 +7649,7 @@ private CheckAuthorization(
               break;
             }
             case 34: {
-              if (!((mutable_bitField0_ & 0x00000008) == 0x00000008)) {
+              if (!((mutable_bitField0_ & 0x00000008) != 0)) {
                 identities_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000008;
               }
@@ -7691,7 +7672,7 @@ private CheckAuthorization(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((mutable_bitField0_ & 0x00000008) != 0)) {
           identities_ = java.util.Collections.unmodifiableList(identities_);
         }
         this.unknownFields = unknownFields.build();
@@ -7722,7 +7703,7 @@ private CheckAuthorization(
      * required sint32 version = 1;
      */
     public boolean hasVersion() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -7745,7 +7726,7 @@ public int getVersion() {
      * required bytes byzcoinid = 2;
      */
     public boolean hasByzcoinid() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -7768,7 +7749,7 @@ public com.google.protobuf.ByteString getByzcoinid() {
      * required bytes darcid = 3;
      */
     public boolean hasDarcid() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -7868,13 +7849,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeSInt32(1, version_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeBytes(3, darcid_);
       }
       for (int i = 0; i < identities_.size(); i++) {
@@ -7889,15 +7870,15 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(1, version_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, darcid_);
       }
@@ -7920,26 +7901,25 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.CheckAuthorization other = (ch.epfl.dedis.lib.proto.ByzCoinProto.CheckAuthorization) obj;
 
-      boolean result = true;
-      result = result && (hasVersion() == other.hasVersion());
+      if (hasVersion() != other.hasVersion()) return false;
       if (hasVersion()) {
-        result = result && (getVersion()
-            == other.getVersion());
+        if (getVersion()
+            != other.getVersion()) return false;
       }
-      result = result && (hasByzcoinid() == other.hasByzcoinid());
+      if (hasByzcoinid() != other.hasByzcoinid()) return false;
       if (hasByzcoinid()) {
-        result = result && getByzcoinid()
-            .equals(other.getByzcoinid());
+        if (!getByzcoinid()
+            .equals(other.getByzcoinid())) return false;
       }
-      result = result && (hasDarcid() == other.hasDarcid());
+      if (hasDarcid() != other.hasDarcid()) return false;
       if (hasDarcid()) {
-        result = result && getDarcid()
-            .equals(other.getDarcid());
+        if (!getDarcid()
+            .equals(other.getDarcid())) return false;
       }
-      result = result && getIdentitiesList()
-          .equals(other.getIdentitiesList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getIdentitiesList()
+          .equals(other.getIdentitiesList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -8144,20 +8124,20 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CheckAuthorization buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.CheckAuthorization result = new ch.epfl.dedis.lib.proto.ByzCoinProto.CheckAuthorization(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.version_ = version_;
           to_bitField0_ |= 0x00000001;
         }
-        result.version_ = version_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.byzcoinid_ = byzcoinid_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.darcid_ = darcid_;
         if (identitiesBuilder_ == null) {
-          if (((bitField0_ & 0x00000008) == 0x00000008)) {
+          if (((bitField0_ & 0x00000008) != 0)) {
             identities_ = java.util.Collections.unmodifiableList(identities_);
             bitField0_ = (bitField0_ & ~0x00000008);
           }
@@ -8172,35 +8152,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CheckAuthorization buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -8302,7 +8282,7 @@ public Builder mergeFrom(
        * required sint32 version = 1;
        */
       public boolean hasVersion() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -8350,7 +8330,7 @@ public Builder clearVersion() {
        * required bytes byzcoinid = 2;
        */
       public boolean hasByzcoinid() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -8401,7 +8381,7 @@ public Builder clearByzcoinid() {
        * required bytes darcid = 3;
        */
       public boolean hasDarcid() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -8446,7 +8426,7 @@ public Builder clearDarcid() {
       private java.util.List identities_ =
         java.util.Collections.emptyList();
       private void ensureIdentitiesIsMutable() {
-        if (!((bitField0_ & 0x00000008) == 0x00000008)) {
+        if (!((bitField0_ & 0x00000008) != 0)) {
           identities_ = new java.util.ArrayList(identities_);
           bitField0_ |= 0x00000008;
          }
@@ -8747,7 +8727,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.Identity.Builder addIdentitiesBuilder(
           identitiesBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.DarcProto.Identity, ch.epfl.dedis.lib.proto.DarcProto.Identity.Builder, ch.epfl.dedis.lib.proto.DarcProto.IdentityOrBuilder>(
                   identities_,
-                  ((bitField0_ & 0x00000008) == 0x00000008),
+                  ((bitField0_ & 0x00000008) != 0),
                   getParentForChildren(),
                   isClean());
           identities_ = null;
@@ -8878,7 +8858,7 @@ private CheckAuthorizationResponse(
               break;
             case 10: {
               com.google.protobuf.ByteString bs = input.readBytes();
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 actions_ = new com.google.protobuf.LazyStringArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -8900,7 +8880,7 @@ private CheckAuthorizationResponse(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           actions_ = actions_.getUnmodifiableView();
         }
         this.unknownFields = unknownFields.build();
@@ -8998,11 +8978,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.CheckAuthorizationResponse other = (ch.epfl.dedis.lib.proto.ByzCoinProto.CheckAuthorizationResponse) obj;
 
-      boolean result = true;
-      result = result && getActionsList()
-          .equals(other.getActionsList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getActionsList()
+          .equals(other.getActionsList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -9184,7 +9163,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CheckAuthorizationResponse build() {
       public ch.epfl.dedis.lib.proto.ByzCoinProto.CheckAuthorizationResponse buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.CheckAuthorizationResponse result = new ch.epfl.dedis.lib.proto.ByzCoinProto.CheckAuthorizationResponse(this);
         int from_bitField0_ = bitField0_;
-        if (((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((bitField0_ & 0x00000001) != 0)) {
           actions_ = actions_.getUnmodifiableView();
           bitField0_ = (bitField0_ & ~0x00000001);
         }
@@ -9195,35 +9174,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CheckAuthorizationResponse buildPart
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -9279,7 +9258,7 @@ public Builder mergeFrom(
 
       private com.google.protobuf.LazyStringList actions_ = com.google.protobuf.LazyStringArrayList.EMPTY;
       private void ensureActionsIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           actions_ = new com.google.protobuf.LazyStringArrayList(actions_);
           bitField0_ |= 0x00000001;
          }
@@ -9494,8 +9473,6 @@ private ChainConfig(com.google.protobuf.GeneratedMessageV3.Builder builder) {
       super(builder);
     }
     private ChainConfig() {
-      blockinterval_ = 0L;
-      maxblocksize_ = 0;
       darccontractids_ = com.google.protobuf.LazyStringArrayList.EMPTY;
     }
 
@@ -9530,7 +9507,7 @@ private ChainConfig(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = roster_.toBuilder();
               }
               roster_ = input.readMessage(ch.epfl.dedis.lib.proto.OnetProto.Roster.parser(), extensionRegistry);
@@ -9548,7 +9525,7 @@ private ChainConfig(
             }
             case 34: {
               com.google.protobuf.ByteString bs = input.readBytes();
-              if (!((mutable_bitField0_ & 0x00000008) == 0x00000008)) {
+              if (!((mutable_bitField0_ & 0x00000008) != 0)) {
                 darccontractids_ = new com.google.protobuf.LazyStringArrayList();
                 mutable_bitField0_ |= 0x00000008;
               }
@@ -9570,7 +9547,7 @@ private ChainConfig(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((mutable_bitField0_ & 0x00000008) != 0)) {
           darccontractids_ = darccontractids_.getUnmodifiableView();
         }
         this.unknownFields = unknownFields.build();
@@ -9597,7 +9574,7 @@ private ChainConfig(
      * required sint64 blockinterval = 1;
      */
     public boolean hasBlockinterval() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required sint64 blockinterval = 1;
@@ -9612,7 +9589,7 @@ public long getBlockinterval() {
      * required .onet.Roster roster = 2;
      */
     public boolean hasRoster() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required .onet.Roster roster = 2;
@@ -9633,7 +9610,7 @@ public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getRosterOrBuilder() {
      * required sint32 maxblocksize = 3;
      */
     public boolean hasMaxblocksize() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * required sint32 maxblocksize = 3;
@@ -9701,13 +9678,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeSInt64(1, blockinterval_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getRoster());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeSInt32(3, maxblocksize_);
       }
       for (int i = 0; i < darccontractids_.size(); i++) {
@@ -9722,15 +9699,15 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt64Size(1, blockinterval_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getRoster());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(3, maxblocksize_);
       }
@@ -9757,26 +9734,25 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.ChainConfig other = (ch.epfl.dedis.lib.proto.ByzCoinProto.ChainConfig) obj;
 
-      boolean result = true;
-      result = result && (hasBlockinterval() == other.hasBlockinterval());
+      if (hasBlockinterval() != other.hasBlockinterval()) return false;
       if (hasBlockinterval()) {
-        result = result && (getBlockinterval()
-            == other.getBlockinterval());
+        if (getBlockinterval()
+            != other.getBlockinterval()) return false;
       }
-      result = result && (hasRoster() == other.hasRoster());
+      if (hasRoster() != other.hasRoster()) return false;
       if (hasRoster()) {
-        result = result && getRoster()
-            .equals(other.getRoster());
+        if (!getRoster()
+            .equals(other.getRoster())) return false;
       }
-      result = result && (hasMaxblocksize() == other.hasMaxblocksize());
+      if (hasMaxblocksize() != other.hasMaxblocksize()) return false;
       if (hasMaxblocksize()) {
-        result = result && (getMaxblocksize()
-            == other.getMaxblocksize());
+        if (getMaxblocksize()
+            != other.getMaxblocksize()) return false;
       }
-      result = result && getDarccontractidsList()
-          .equals(other.getDarccontractidsList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getDarccontractidsList()
+          .equals(other.getDarccontractidsList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -9982,23 +9958,23 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.ChainConfig buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.ChainConfig result = new ch.epfl.dedis.lib.proto.ByzCoinProto.ChainConfig(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.blockinterval_ = blockinterval_;
           to_bitField0_ |= 0x00000001;
         }
-        result.blockinterval_ = blockinterval_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (rosterBuilder_ == null) {
+            result.roster_ = roster_;
+          } else {
+            result.roster_ = rosterBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (rosterBuilder_ == null) {
-          result.roster_ = roster_;
-        } else {
-          result.roster_ = rosterBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          result.maxblocksize_ = maxblocksize_;
           to_bitField0_ |= 0x00000004;
         }
-        result.maxblocksize_ = maxblocksize_;
-        if (((bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((bitField0_ & 0x00000008) != 0)) {
           darccontractids_ = darccontractids_.getUnmodifiableView();
           bitField0_ = (bitField0_ & ~0x00000008);
         }
@@ -10010,35 +9986,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.ChainConfig buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -10118,7 +10094,7 @@ public Builder mergeFrom(
        * required sint64 blockinterval = 1;
        */
       public boolean hasBlockinterval() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required sint64 blockinterval = 1;
@@ -10145,14 +10121,14 @@ public Builder clearBlockinterval() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.OnetProto.Roster roster_ = null;
+      private ch.epfl.dedis.lib.proto.OnetProto.Roster roster_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.OnetProto.Roster, ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder, ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder> rosterBuilder_;
       /**
        * required .onet.Roster roster = 2;
        */
       public boolean hasRoster() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required .onet.Roster roster = 2;
@@ -10199,7 +10175,7 @@ public Builder setRoster(
        */
       public Builder mergeRoster(ch.epfl.dedis.lib.proto.OnetProto.Roster value) {
         if (rosterBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               roster_ != null &&
               roster_ != ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance()) {
             roster_ =
@@ -10268,7 +10244,7 @@ public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getRosterOrBuilder() {
        * required sint32 maxblocksize = 3;
        */
       public boolean hasMaxblocksize() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required sint32 maxblocksize = 3;
@@ -10297,7 +10273,7 @@ public Builder clearMaxblocksize() {
 
       private com.google.protobuf.LazyStringList darccontractids_ = com.google.protobuf.LazyStringArrayList.EMPTY;
       private void ensureDarccontractidsIsMutable() {
-        if (!((bitField0_ & 0x00000008) == 0x00000008)) {
+        if (!((bitField0_ & 0x00000008) != 0)) {
           darccontractids_ = new com.google.protobuf.LazyStringArrayList(darccontractids_);
           bitField0_ |= 0x00000008;
          }
@@ -10601,7 +10577,7 @@ private Proof(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.TrieProto.Proof.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = inclusionproof_.toBuilder();
               }
               inclusionproof_ = input.readMessage(ch.epfl.dedis.lib.proto.TrieProto.Proof.parser(), extensionRegistry);
@@ -10614,7 +10590,7 @@ private Proof(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = latest_.toBuilder();
               }
               latest_ = input.readMessage(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.parser(), extensionRegistry);
@@ -10626,7 +10602,7 @@ private Proof(
               break;
             }
             case 26: {
-              if (!((mutable_bitField0_ & 0x00000004) == 0x00000004)) {
+              if (!((mutable_bitField0_ & 0x00000004) != 0)) {
                 links_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000004;
               }
@@ -10649,7 +10625,7 @@ private Proof(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((mutable_bitField0_ & 0x00000004) != 0)) {
           links_ = java.util.Collections.unmodifiableList(links_);
         }
         this.unknownFields = unknownFields.build();
@@ -10680,7 +10656,7 @@ private Proof(
      * required .trie.Proof inclusionproof = 1;
      */
     public boolean hasInclusionproof() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -10713,7 +10689,7 @@ public ch.epfl.dedis.lib.proto.TrieProto.ProofOrBuilder getInclusionproofOrBuild
      * required .skipchain.SkipBlock latest = 2;
      */
     public boolean hasLatest() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -10837,10 +10813,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getInclusionproof());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getLatest());
       }
       for (int i = 0; i < links_.size(); i++) {
@@ -10855,11 +10831,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getInclusionproof());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getLatest());
       }
@@ -10882,21 +10858,20 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.Proof other = (ch.epfl.dedis.lib.proto.ByzCoinProto.Proof) obj;
 
-      boolean result = true;
-      result = result && (hasInclusionproof() == other.hasInclusionproof());
+      if (hasInclusionproof() != other.hasInclusionproof()) return false;
       if (hasInclusionproof()) {
-        result = result && getInclusionproof()
-            .equals(other.getInclusionproof());
+        if (!getInclusionproof()
+            .equals(other.getInclusionproof())) return false;
       }
-      result = result && (hasLatest() == other.hasLatest());
+      if (hasLatest() != other.hasLatest()) return false;
       if (hasLatest()) {
-        result = result && getLatest()
-            .equals(other.getLatest());
+        if (!getLatest()
+            .equals(other.getLatest())) return false;
       }
-      result = result && getLinksList()
-          .equals(other.getLinksList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getLinksList()
+          .equals(other.getLinksList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -11111,24 +11086,24 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Proof buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.Proof result = new ch.epfl.dedis.lib.proto.ByzCoinProto.Proof(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (inclusionproofBuilder_ == null) {
+            result.inclusionproof_ = inclusionproof_;
+          } else {
+            result.inclusionproof_ = inclusionproofBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (inclusionproofBuilder_ == null) {
-          result.inclusionproof_ = inclusionproof_;
-        } else {
-          result.inclusionproof_ = inclusionproofBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (latestBuilder_ == null) {
+            result.latest_ = latest_;
+          } else {
+            result.latest_ = latestBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (latestBuilder_ == null) {
-          result.latest_ = latest_;
-        } else {
-          result.latest_ = latestBuilder_.build();
-        }
         if (linksBuilder_ == null) {
-          if (((bitField0_ & 0x00000004) == 0x00000004)) {
+          if (((bitField0_ & 0x00000004) != 0)) {
             links_ = java.util.Collections.unmodifiableList(links_);
             bitField0_ = (bitField0_ & ~0x00000004);
           }
@@ -11143,35 +11118,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Proof buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -11264,7 +11239,7 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.TrieProto.Proof inclusionproof_ = null;
+      private ch.epfl.dedis.lib.proto.TrieProto.Proof inclusionproof_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.TrieProto.Proof, ch.epfl.dedis.lib.proto.TrieProto.Proof.Builder, ch.epfl.dedis.lib.proto.TrieProto.ProofOrBuilder> inclusionproofBuilder_;
       /**
@@ -11275,7 +11250,7 @@ public Builder mergeFrom(
        * required .trie.Proof inclusionproof = 1;
        */
       public boolean hasInclusionproof() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -11338,7 +11313,7 @@ public Builder setInclusionproof(
        */
       public Builder mergeInclusionproof(ch.epfl.dedis.lib.proto.TrieProto.Proof value) {
         if (inclusionproofBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               inclusionproof_ != null &&
               inclusionproof_ != ch.epfl.dedis.lib.proto.TrieProto.Proof.getDefaultInstance()) {
             inclusionproof_ =
@@ -11418,7 +11393,7 @@ public ch.epfl.dedis.lib.proto.TrieProto.ProofOrBuilder getInclusionproofOrBuild
         return inclusionproofBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock latest_ = null;
+      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock latest_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder> latestBuilder_;
       /**
@@ -11429,7 +11404,7 @@ public ch.epfl.dedis.lib.proto.TrieProto.ProofOrBuilder getInclusionproofOrBuild
        * required .skipchain.SkipBlock latest = 2;
        */
       public boolean hasLatest() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -11492,7 +11467,7 @@ public Builder setLatest(
        */
       public Builder mergeLatest(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock value) {
         if (latestBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               latest_ != null &&
               latest_ != ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.getDefaultInstance()) {
             latest_ =
@@ -11575,7 +11550,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder getLatestOrBuil
       private java.util.List links_ =
         java.util.Collections.emptyList();
       private void ensureLinksIsMutable() {
-        if (!((bitField0_ & 0x00000004) == 0x00000004)) {
+        if (!((bitField0_ & 0x00000004) != 0)) {
           links_ = new java.util.ArrayList(links_);
           bitField0_ |= 0x00000004;
          }
@@ -11912,7 +11887,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink.Builder addLinksBuilde
           linksBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink, ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink.Builder, ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLinkOrBuilder>(
                   links_,
-                  ((bitField0_ & 0x00000004) == 0x00000004),
+                  ((bitField0_ & 0x00000004) != 0),
                   getParentForChildren(),
                   isClean());
           links_ = null;
@@ -12194,7 +12169,7 @@ private Instruction(com.google.protobuf.GeneratedMessageV3.Builder builder) {
     }
     private Instruction() {
       instanceid_ = com.google.protobuf.ByteString.EMPTY;
-      signercounter_ = java.util.Collections.emptyList();
+      signercounter_ = emptyLongList();
       signeridentities_ = java.util.Collections.emptyList();
       signatures_ = java.util.Collections.emptyList();
     }
@@ -12230,7 +12205,7 @@ private Instruction(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.Spawn.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = spawn_.toBuilder();
               }
               spawn_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.Spawn.parser(), extensionRegistry);
@@ -12243,7 +12218,7 @@ private Instruction(
             }
             case 26: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.Invoke.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000004) == 0x00000004)) {
+              if (((bitField0_ & 0x00000004) != 0)) {
                 subBuilder = invoke_.toBuilder();
               }
               invoke_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.Invoke.parser(), extensionRegistry);
@@ -12256,7 +12231,7 @@ private Instruction(
             }
             case 34: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.Delete.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000008) == 0x00000008)) {
+              if (((bitField0_ & 0x00000008) != 0)) {
                 subBuilder = delete_.toBuilder();
               }
               delete_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.Delete.parser(), extensionRegistry);
@@ -12268,28 +12243,28 @@ private Instruction(
               break;
             }
             case 40: {
-              if (!((mutable_bitField0_ & 0x00000010) == 0x00000010)) {
-                signercounter_ = new java.util.ArrayList();
+              if (!((mutable_bitField0_ & 0x00000010) != 0)) {
+                signercounter_ = newLongList();
                 mutable_bitField0_ |= 0x00000010;
               }
-              signercounter_.add(input.readUInt64());
+              signercounter_.addLong(input.readUInt64());
               break;
             }
             case 42: {
               int length = input.readRawVarint32();
               int limit = input.pushLimit(length);
-              if (!((mutable_bitField0_ & 0x00000010) == 0x00000010) && input.getBytesUntilLimit() > 0) {
-                signercounter_ = new java.util.ArrayList();
+              if (!((mutable_bitField0_ & 0x00000010) != 0) && input.getBytesUntilLimit() > 0) {
+                signercounter_ = newLongList();
                 mutable_bitField0_ |= 0x00000010;
               }
               while (input.getBytesUntilLimit() > 0) {
-                signercounter_.add(input.readUInt64());
+                signercounter_.addLong(input.readUInt64());
               }
               input.popLimit(limit);
               break;
             }
             case 50: {
-              if (!((mutable_bitField0_ & 0x00000020) == 0x00000020)) {
+              if (!((mutable_bitField0_ & 0x00000020) != 0)) {
                 signeridentities_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000020;
               }
@@ -12298,7 +12273,7 @@ private Instruction(
               break;
             }
             case 58: {
-              if (!((mutable_bitField0_ & 0x00000040) == 0x00000040)) {
+              if (!((mutable_bitField0_ & 0x00000040) != 0)) {
                 signatures_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000040;
               }
@@ -12320,14 +12295,14 @@ private Instruction(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000010) == 0x00000010)) {
-          signercounter_ = java.util.Collections.unmodifiableList(signercounter_);
+        if (((mutable_bitField0_ & 0x00000010) != 0)) {
+          signercounter_.makeImmutable(); // C
         }
-        if (((mutable_bitField0_ & 0x00000020) == 0x00000020)) {
+        if (((mutable_bitField0_ & 0x00000020) != 0)) {
           signeridentities_ = java.util.Collections.unmodifiableList(signeridentities_);
         }
-        if (((mutable_bitField0_ & 0x00000040) == 0x00000040)) {
-          signatures_ = java.util.Collections.unmodifiableList(signatures_);
+        if (((mutable_bitField0_ & 0x00000040) != 0)) {
+          signatures_ = java.util.Collections.unmodifiableList(signatures_); // C
         }
         this.unknownFields = unknownFields.build();
         makeExtensionsImmutable();
@@ -12358,7 +12333,7 @@ private Instruction(
      * required bytes instanceid = 1;
      */
     public boolean hasInstanceid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -12382,7 +12357,7 @@ public com.google.protobuf.ByteString getInstanceid() {
      * optional .byzcoin.Spawn spawn = 2;
      */
     public boolean hasSpawn() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -12415,7 +12390,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.SpawnOrBuilder getSpawnOrBuilder() {
      * optional .byzcoin.Invoke invoke = 3;
      */
     public boolean hasInvoke() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -12448,7 +12423,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.InvokeOrBuilder getInvokeOrBuilder()
      * optional .byzcoin.Delete delete = 4;
      */
     public boolean hasDelete() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * 
@@ -12472,7 +12447,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DeleteOrBuilder getDeleteOrBuilder()
     }
 
     public static final int SIGNERCOUNTER_FIELD_NUMBER = 5;
-    private java.util.List signercounter_;
+    private com.google.protobuf.Internal.LongList signercounter_;
     /**
      * 
      * SignerCounter must be set to a value that is one greater than what
@@ -12511,7 +12486,7 @@ public int getSignercounterCount() {
      * repeated uint64 signercounter = 5 [packed = true];
      */
     public long getSignercounter(int index) {
-      return signercounter_.get(index);
+      return signercounter_.getLong(index);
     }
     private int signercounterMemoizedSerializedSize = -1;
 
@@ -12650,16 +12625,16 @@ public final boolean isInitialized() {
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
       getSerializedSize();
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, instanceid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getSpawn());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeMessage(3, getInvoke());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeMessage(4, getDelete());
       }
       if (getSignercounterList().size() > 0) {
@@ -12667,7 +12642,7 @@ public void writeTo(com.google.protobuf.CodedOutputStream output)
         output.writeUInt32NoTag(signercounterMemoizedSerializedSize);
       }
       for (int i = 0; i < signercounter_.size(); i++) {
-        output.writeUInt64NoTag(signercounter_.get(i));
+        output.writeUInt64NoTag(signercounter_.getLong(i));
       }
       for (int i = 0; i < signeridentities_.size(); i++) {
         output.writeMessage(6, signeridentities_.get(i));
@@ -12684,19 +12659,19 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, instanceid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getSpawn());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(3, getInvoke());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(4, getDelete());
       }
@@ -12704,7 +12679,7 @@ public int getSerializedSize() {
         int dataSize = 0;
         for (int i = 0; i < signercounter_.size(); i++) {
           dataSize += com.google.protobuf.CodedOutputStream
-            .computeUInt64SizeNoTag(signercounter_.get(i));
+            .computeUInt64SizeNoTag(signercounter_.getLong(i));
         }
         size += dataSize;
         if (!getSignercounterList().isEmpty()) {
@@ -12742,35 +12717,34 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.Instruction other = (ch.epfl.dedis.lib.proto.ByzCoinProto.Instruction) obj;
 
-      boolean result = true;
-      result = result && (hasInstanceid() == other.hasInstanceid());
+      if (hasInstanceid() != other.hasInstanceid()) return false;
       if (hasInstanceid()) {
-        result = result && getInstanceid()
-            .equals(other.getInstanceid());
+        if (!getInstanceid()
+            .equals(other.getInstanceid())) return false;
       }
-      result = result && (hasSpawn() == other.hasSpawn());
+      if (hasSpawn() != other.hasSpawn()) return false;
       if (hasSpawn()) {
-        result = result && getSpawn()
-            .equals(other.getSpawn());
+        if (!getSpawn()
+            .equals(other.getSpawn())) return false;
       }
-      result = result && (hasInvoke() == other.hasInvoke());
+      if (hasInvoke() != other.hasInvoke()) return false;
       if (hasInvoke()) {
-        result = result && getInvoke()
-            .equals(other.getInvoke());
+        if (!getInvoke()
+            .equals(other.getInvoke())) return false;
       }
-      result = result && (hasDelete() == other.hasDelete());
+      if (hasDelete() != other.hasDelete()) return false;
       if (hasDelete()) {
-        result = result && getDelete()
-            .equals(other.getDelete());
-      }
-      result = result && getSignercounterList()
-          .equals(other.getSignercounterList());
-      result = result && getSigneridentitiesList()
-          .equals(other.getSigneridentitiesList());
-      result = result && getSignaturesList()
-          .equals(other.getSignaturesList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+        if (!getDelete()
+            .equals(other.getDelete())) return false;
+      }
+      if (!getSignercounterList()
+          .equals(other.getSignercounterList())) return false;
+      if (!getSigneridentitiesList()
+          .equals(other.getSigneridentitiesList())) return false;
+      if (!getSignaturesList()
+          .equals(other.getSignaturesList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -12969,7 +12943,7 @@ public Builder clear() {
           deleteBuilder_.clear();
         }
         bitField0_ = (bitField0_ & ~0x00000008);
-        signercounter_ = java.util.Collections.emptyList();
+        signercounter_ = emptyLongList();
         bitField0_ = (bitField0_ & ~0x00000010);
         if (signeridentitiesBuilder_ == null) {
           signeridentities_ = java.util.Collections.emptyList();
@@ -13007,41 +12981,41 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Instruction buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.Instruction result = new ch.epfl.dedis.lib.proto.ByzCoinProto.Instruction(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.instanceid_ = instanceid_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (spawnBuilder_ == null) {
+            result.spawn_ = spawn_;
+          } else {
+            result.spawn_ = spawnBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (spawnBuilder_ == null) {
-          result.spawn_ = spawn_;
-        } else {
-          result.spawn_ = spawnBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          if (invokeBuilder_ == null) {
+            result.invoke_ = invoke_;
+          } else {
+            result.invoke_ = invokeBuilder_.build();
+          }
           to_bitField0_ |= 0x00000004;
         }
-        if (invokeBuilder_ == null) {
-          result.invoke_ = invoke_;
-        } else {
-          result.invoke_ = invokeBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
+          if (deleteBuilder_ == null) {
+            result.delete_ = delete_;
+          } else {
+            result.delete_ = deleteBuilder_.build();
+          }
           to_bitField0_ |= 0x00000008;
         }
-        if (deleteBuilder_ == null) {
-          result.delete_ = delete_;
-        } else {
-          result.delete_ = deleteBuilder_.build();
-        }
-        if (((bitField0_ & 0x00000010) == 0x00000010)) {
-          signercounter_ = java.util.Collections.unmodifiableList(signercounter_);
+        if (((bitField0_ & 0x00000010) != 0)) {
+          signercounter_.makeImmutable();
           bitField0_ = (bitField0_ & ~0x00000010);
         }
         result.signercounter_ = signercounter_;
         if (signeridentitiesBuilder_ == null) {
-          if (((bitField0_ & 0x00000020) == 0x00000020)) {
+          if (((bitField0_ & 0x00000020) != 0)) {
             signeridentities_ = java.util.Collections.unmodifiableList(signeridentities_);
             bitField0_ = (bitField0_ & ~0x00000020);
           }
@@ -13049,7 +13023,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Instruction buildPartial() {
         } else {
           result.signeridentities_ = signeridentitiesBuilder_.build();
         }
-        if (((bitField0_ & 0x00000040) == 0x00000040)) {
+        if (((bitField0_ & 0x00000040) != 0)) {
           signatures_ = java.util.Collections.unmodifiableList(signatures_);
           bitField0_ = (bitField0_ & ~0x00000040);
         }
@@ -13061,35 +13035,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Instruction buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -13224,7 +13198,7 @@ public Builder mergeFrom(
        * required bytes instanceid = 1;
        */
       public boolean hasInstanceid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -13269,7 +13243,7 @@ public Builder clearInstanceid() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.Spawn spawn_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.Spawn spawn_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.Spawn, ch.epfl.dedis.lib.proto.ByzCoinProto.Spawn.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.SpawnOrBuilder> spawnBuilder_;
       /**
@@ -13280,7 +13254,7 @@ public Builder clearInstanceid() {
        * optional .byzcoin.Spawn spawn = 2;
        */
       public boolean hasSpawn() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -13343,7 +13317,7 @@ public Builder setSpawn(
        */
       public Builder mergeSpawn(ch.epfl.dedis.lib.proto.ByzCoinProto.Spawn value) {
         if (spawnBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               spawn_ != null &&
               spawn_ != ch.epfl.dedis.lib.proto.ByzCoinProto.Spawn.getDefaultInstance()) {
             spawn_ =
@@ -13423,7 +13397,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.SpawnOrBuilder getSpawnOrBuilder() {
         return spawnBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.Invoke invoke_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.Invoke invoke_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.Invoke, ch.epfl.dedis.lib.proto.ByzCoinProto.Invoke.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.InvokeOrBuilder> invokeBuilder_;
       /**
@@ -13434,7 +13408,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.SpawnOrBuilder getSpawnOrBuilder() {
        * optional .byzcoin.Invoke invoke = 3;
        */
       public boolean hasInvoke() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -13497,7 +13471,7 @@ public Builder setInvoke(
        */
       public Builder mergeInvoke(ch.epfl.dedis.lib.proto.ByzCoinProto.Invoke value) {
         if (invokeBuilder_ == null) {
-          if (((bitField0_ & 0x00000004) == 0x00000004) &&
+          if (((bitField0_ & 0x00000004) != 0) &&
               invoke_ != null &&
               invoke_ != ch.epfl.dedis.lib.proto.ByzCoinProto.Invoke.getDefaultInstance()) {
             invoke_ =
@@ -13577,7 +13551,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.InvokeOrBuilder getInvokeOrBuilder()
         return invokeBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.Delete delete_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.Delete delete_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.Delete, ch.epfl.dedis.lib.proto.ByzCoinProto.Delete.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.DeleteOrBuilder> deleteBuilder_;
       /**
@@ -13588,7 +13562,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.InvokeOrBuilder getInvokeOrBuilder()
        * optional .byzcoin.Delete delete = 4;
        */
       public boolean hasDelete() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * 
@@ -13651,7 +13625,7 @@ public Builder setDelete(
        */
       public Builder mergeDelete(ch.epfl.dedis.lib.proto.ByzCoinProto.Delete value) {
         if (deleteBuilder_ == null) {
-          if (((bitField0_ & 0x00000008) == 0x00000008) &&
+          if (((bitField0_ & 0x00000008) != 0) &&
               delete_ != null &&
               delete_ != ch.epfl.dedis.lib.proto.ByzCoinProto.Delete.getDefaultInstance()) {
             delete_ =
@@ -13731,10 +13705,10 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DeleteOrBuilder getDeleteOrBuilder()
         return deleteBuilder_;
       }
 
-      private java.util.List signercounter_ = java.util.Collections.emptyList();
+      private com.google.protobuf.Internal.LongList signercounter_ = emptyLongList();
       private void ensureSignercounterIsMutable() {
-        if (!((bitField0_ & 0x00000010) == 0x00000010)) {
-          signercounter_ = new java.util.ArrayList(signercounter_);
+        if (!((bitField0_ & 0x00000010) != 0)) {
+          signercounter_ = mutableCopy(signercounter_);
           bitField0_ |= 0x00000010;
          }
       }
@@ -13750,7 +13724,8 @@ private void ensureSignercounterIsMutable() {
        */
       public java.util.List
           getSignercounterList() {
-        return java.util.Collections.unmodifiableList(signercounter_);
+        return ((bitField0_ & 0x00000010) != 0) ?
+                 java.util.Collections.unmodifiableList(signercounter_) : signercounter_;
       }
       /**
        * 
@@ -13776,7 +13751,7 @@ public int getSignercounterCount() {
        * repeated uint64 signercounter = 5 [packed = true];
        */
       public long getSignercounter(int index) {
-        return signercounter_.get(index);
+        return signercounter_.getLong(index);
       }
       /**
        * 
@@ -13791,7 +13766,7 @@ public long getSignercounter(int index) {
       public Builder setSignercounter(
           int index, long value) {
         ensureSignercounterIsMutable();
-        signercounter_.set(index, value);
+        signercounter_.setLong(index, value);
         onChanged();
         return this;
       }
@@ -13807,7 +13782,7 @@ public Builder setSignercounter(
        */
       public Builder addSignercounter(long value) {
         ensureSignercounterIsMutable();
-        signercounter_.add(value);
+        signercounter_.addLong(value);
         onChanged();
         return this;
       }
@@ -13840,7 +13815,7 @@ public Builder addAllSignercounter(
        * repeated uint64 signercounter = 5 [packed = true];
        */
       public Builder clearSignercounter() {
-        signercounter_ = java.util.Collections.emptyList();
+        signercounter_ = emptyLongList();
         bitField0_ = (bitField0_ & ~0x00000010);
         onChanged();
         return this;
@@ -13849,7 +13824,7 @@ public Builder clearSignercounter() {
       private java.util.List signeridentities_ =
         java.util.Collections.emptyList();
       private void ensureSigneridentitiesIsMutable() {
-        if (!((bitField0_ & 0x00000020) == 0x00000020)) {
+        if (!((bitField0_ & 0x00000020) != 0)) {
           signeridentities_ = new java.util.ArrayList(signeridentities_);
           bitField0_ |= 0x00000020;
          }
@@ -14150,7 +14125,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.Identity.Builder addSigneridentitiesBui
           signeridentitiesBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.DarcProto.Identity, ch.epfl.dedis.lib.proto.DarcProto.Identity.Builder, ch.epfl.dedis.lib.proto.DarcProto.IdentityOrBuilder>(
                   signeridentities_,
-                  ((bitField0_ & 0x00000020) == 0x00000020),
+                  ((bitField0_ & 0x00000020) != 0),
                   getParentForChildren(),
                   isClean());
           signeridentities_ = null;
@@ -14160,7 +14135,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.Identity.Builder addSigneridentitiesBui
 
       private java.util.List signatures_ = java.util.Collections.emptyList();
       private void ensureSignaturesIsMutable() {
-        if (!((bitField0_ & 0x00000040) == 0x00000040)) {
+        if (!((bitField0_ & 0x00000040) != 0)) {
           signatures_ = new java.util.ArrayList(signatures_);
           bitField0_ |= 0x00000040;
          }
@@ -14175,7 +14150,8 @@ private void ensureSignaturesIsMutable() {
        */
       public java.util.List
           getSignaturesList() {
-        return java.util.Collections.unmodifiableList(signatures_);
+        return ((bitField0_ & 0x00000040) != 0) ?
+                 java.util.Collections.unmodifiableList(signatures_) : signatures_;
       }
       /**
        * 
@@ -14443,7 +14419,7 @@ private Spawn(
               break;
             }
             case 18: {
-              if (!((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
+              if (!((mutable_bitField0_ & 0x00000002) != 0)) {
                 args_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000002;
               }
@@ -14466,7 +14442,7 @@ private Spawn(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((mutable_bitField0_ & 0x00000002) != 0)) {
           args_ = java.util.Collections.unmodifiableList(args_);
         }
         this.unknownFields = unknownFields.build();
@@ -14497,7 +14473,7 @@ private Spawn(
      * required string contractid = 1;
      */
     public boolean hasContractid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -14620,7 +14596,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 1, contractid_);
       }
       for (int i = 0; i < args_.size(); i++) {
@@ -14635,7 +14611,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, contractid_);
       }
       for (int i = 0; i < args_.size(); i++) {
@@ -14657,16 +14633,15 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.Spawn other = (ch.epfl.dedis.lib.proto.ByzCoinProto.Spawn) obj;
 
-      boolean result = true;
-      result = result && (hasContractid() == other.hasContractid());
+      if (hasContractid() != other.hasContractid()) return false;
       if (hasContractid()) {
-        result = result && getContractid()
-            .equals(other.getContractid());
+        if (!getContractid()
+            .equals(other.getContractid())) return false;
       }
-      result = result && getArgsList()
-          .equals(other.getArgsList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getArgsList()
+          .equals(other.getArgsList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -14858,12 +14833,12 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Spawn buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.Spawn result = new ch.epfl.dedis.lib.proto.ByzCoinProto.Spawn(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.contractid_ = contractid_;
         if (argsBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002)) {
+          if (((bitField0_ & 0x00000002) != 0)) {
             args_ = java.util.Collections.unmodifiableList(args_);
             bitField0_ = (bitField0_ & ~0x00000002);
           }
@@ -14878,35 +14853,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Spawn buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -14998,7 +14973,7 @@ public Builder mergeFrom(
        * required string contractid = 1;
        */
       public boolean hasContractid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -15092,7 +15067,7 @@ public Builder setContractidBytes(
       private java.util.List args_ =
         java.util.Collections.emptyList();
       private void ensureArgsIsMutable() {
-        if (!((bitField0_ & 0x00000002) == 0x00000002)) {
+        if (!((bitField0_ & 0x00000002) != 0)) {
           args_ = new java.util.ArrayList(args_);
           bitField0_ |= 0x00000002;
          }
@@ -15393,7 +15368,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Argument.Builder addArgsBuilder(
           argsBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.ByzCoinProto.Argument, ch.epfl.dedis.lib.proto.ByzCoinProto.Argument.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.ArgumentOrBuilder>(
                   args_,
-                  ((bitField0_ & 0x00000002) == 0x00000002),
+                  ((bitField0_ & 0x00000002) != 0),
                   getParentForChildren(),
                   isClean());
           args_ = null;
@@ -15613,7 +15588,7 @@ private Invoke(
               break;
             }
             case 26: {
-              if (!((mutable_bitField0_ & 0x00000004) == 0x00000004)) {
+              if (!((mutable_bitField0_ & 0x00000004) != 0)) {
                 args_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000004;
               }
@@ -15636,7 +15611,7 @@ private Invoke(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((mutable_bitField0_ & 0x00000004) != 0)) {
           args_ = java.util.Collections.unmodifiableList(args_);
         }
         this.unknownFields = unknownFields.build();
@@ -15667,7 +15642,7 @@ private Invoke(
      * required string contractid = 1;
      */
     public boolean hasContractid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -15721,7 +15696,7 @@ public java.lang.String getContractid() {
      * required string command = 2;
      */
     public boolean hasCommand() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -15848,10 +15823,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 1, contractid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 2, command_);
       }
       for (int i = 0; i < args_.size(); i++) {
@@ -15866,10 +15841,10 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, contractid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(2, command_);
       }
       for (int i = 0; i < args_.size(); i++) {
@@ -15891,21 +15866,20 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.Invoke other = (ch.epfl.dedis.lib.proto.ByzCoinProto.Invoke) obj;
 
-      boolean result = true;
-      result = result && (hasContractid() == other.hasContractid());
+      if (hasContractid() != other.hasContractid()) return false;
       if (hasContractid()) {
-        result = result && getContractid()
-            .equals(other.getContractid());
+        if (!getContractid()
+            .equals(other.getContractid())) return false;
       }
-      result = result && (hasCommand() == other.hasCommand());
+      if (hasCommand() != other.hasCommand()) return false;
       if (hasCommand()) {
-        result = result && getCommand()
-            .equals(other.getCommand());
+        if (!getCommand()
+            .equals(other.getCommand())) return false;
       }
-      result = result && getArgsList()
-          .equals(other.getArgsList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getArgsList()
+          .equals(other.getArgsList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -16104,16 +16078,16 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Invoke buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.Invoke result = new ch.epfl.dedis.lib.proto.ByzCoinProto.Invoke(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.contractid_ = contractid_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.command_ = command_;
         if (argsBuilder_ == null) {
-          if (((bitField0_ & 0x00000004) == 0x00000004)) {
+          if (((bitField0_ & 0x00000004) != 0)) {
             args_ = java.util.Collections.unmodifiableList(args_);
             bitField0_ = (bitField0_ & ~0x00000004);
           }
@@ -16128,35 +16102,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Invoke buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -16256,7 +16230,7 @@ public Builder mergeFrom(
        * required string contractid = 1;
        */
       public boolean hasContractid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -16356,7 +16330,7 @@ public Builder setContractidBytes(
        * required string command = 2;
        */
       public boolean hasCommand() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -16450,7 +16424,7 @@ public Builder setCommandBytes(
       private java.util.List args_ =
         java.util.Collections.emptyList();
       private void ensureArgsIsMutable() {
-        if (!((bitField0_ & 0x00000004) == 0x00000004)) {
+        if (!((bitField0_ & 0x00000004) != 0)) {
           args_ = new java.util.ArrayList(args_);
           bitField0_ |= 0x00000004;
          }
@@ -16751,7 +16725,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Argument.Builder addArgsBuilder(
           argsBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.ByzCoinProto.Argument, ch.epfl.dedis.lib.proto.ByzCoinProto.Argument.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.ArgumentOrBuilder>(
                   args_,
-                  ((bitField0_ & 0x00000004) == 0x00000004),
+                  ((bitField0_ & 0x00000004) != 0),
                   getParentForChildren(),
                   isClean());
           args_ = null;
@@ -16935,7 +16909,7 @@ private Delete(
      * required string contractid = 1;
      */
     public boolean hasContractid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -16997,7 +16971,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 1, contractid_);
       }
       unknownFields.writeTo(output);
@@ -17009,7 +16983,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, contractid_);
       }
       size += unknownFields.getSerializedSize();
@@ -17027,14 +17001,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.Delete other = (ch.epfl.dedis.lib.proto.ByzCoinProto.Delete) obj;
 
-      boolean result = true;
-      result = result && (hasContractid() == other.hasContractid());
+      if (hasContractid() != other.hasContractid()) return false;
       if (hasContractid()) {
-        result = result && getContractid()
-            .equals(other.getContractid());
+        if (!getContractid()
+            .equals(other.getContractid())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -17216,7 +17189,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Delete buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.Delete result = new ch.epfl.dedis.lib.proto.ByzCoinProto.Delete(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.contractid_ = contractid_;
@@ -17227,35 +17200,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Delete buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -17316,7 +17289,7 @@ public Builder mergeFrom(
        * required string contractid = 1;
        */
       public boolean hasContractid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -17605,7 +17578,7 @@ private Argument(
      * required string name = 1;
      */
     public boolean hasName() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -17659,7 +17632,7 @@ public java.lang.String getName() {
      * required bytes value = 2;
      */
     public boolean hasValue() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -17694,10 +17667,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 1, name_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, value_);
       }
       unknownFields.writeTo(output);
@@ -17709,10 +17682,10 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, name_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, value_);
       }
@@ -17731,19 +17704,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.Argument other = (ch.epfl.dedis.lib.proto.ByzCoinProto.Argument) obj;
 
-      boolean result = true;
-      result = result && (hasName() == other.hasName());
+      if (hasName() != other.hasName()) return false;
       if (hasName()) {
-        result = result && getName()
-            .equals(other.getName());
+        if (!getName()
+            .equals(other.getName())) return false;
       }
-      result = result && (hasValue() == other.hasValue());
+      if (hasValue() != other.hasValue()) return false;
       if (hasValue()) {
-        result = result && getValue()
-            .equals(other.getValue());
+        if (!getValue()
+            .equals(other.getValue())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -17930,11 +17902,11 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Argument buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.Argument result = new ch.epfl.dedis.lib.proto.ByzCoinProto.Argument(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.name_ = name_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.value_ = value_;
@@ -17945,35 +17917,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Argument buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -18040,7 +18012,7 @@ public Builder mergeFrom(
        * required string name = 1;
        */
       public boolean hasName() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -18140,7 +18112,7 @@ public Builder setNameBytes(
        * required bytes value = 2;
        */
       public boolean hasValue() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -18311,7 +18283,7 @@ private ClientTransaction(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 instructions_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -18334,7 +18306,7 @@ private ClientTransaction(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           instructions_ = java.util.Collections.unmodifiableList(instructions_);
         }
         this.unknownFields = unknownFields.build();
@@ -18440,11 +18412,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction other = (ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction) obj;
 
-      boolean result = true;
-      result = result && getInstructionsList()
-          .equals(other.getInstructionsList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getInstructionsList()
+          .equals(other.getInstructionsList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -18634,7 +18605,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction result = new ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction(this);
         int from_bitField0_ = bitField0_;
         if (instructionsBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             instructions_ = java.util.Collections.unmodifiableList(instructions_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -18648,35 +18619,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -18754,7 +18725,7 @@ public Builder mergeFrom(
       private java.util.List instructions_ =
         java.util.Collections.emptyList();
       private void ensureInstructionsIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           instructions_ = new java.util.ArrayList(instructions_);
           bitField0_ |= 0x00000001;
          }
@@ -18983,7 +18954,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Instruction.Builder addInstructionsB
           instructionsBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.ByzCoinProto.Instruction, ch.epfl.dedis.lib.proto.ByzCoinProto.Instruction.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.InstructionOrBuilder>(
                   instructions_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           instructions_ = null;
@@ -19086,7 +19057,6 @@ private TxResult(com.google.protobuf.GeneratedMessageV3.Builder builder) {
       super(builder);
     }
     private TxResult() {
-      accepted_ = false;
     }
 
     @java.lang.Override
@@ -19115,7 +19085,7 @@ private TxResult(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = clienttransaction_.toBuilder();
               }
               clienttransaction_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction.parser(), extensionRegistry);
@@ -19170,7 +19140,7 @@ private TxResult(
      * required .byzcoin.ClientTransaction clienttransaction = 1;
      */
     public boolean hasClienttransaction() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required .byzcoin.ClientTransaction clienttransaction = 1;
@@ -19191,7 +19161,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransactionOrBuilder getClient
      * required bool accepted = 2;
      */
     public boolean hasAccepted() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bool accepted = 2;
@@ -19226,10 +19196,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getClienttransaction());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBool(2, accepted_);
       }
       unknownFields.writeTo(output);
@@ -19241,11 +19211,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getClienttransaction());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBoolSize(2, accepted_);
       }
@@ -19264,19 +19234,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.TxResult other = (ch.epfl.dedis.lib.proto.ByzCoinProto.TxResult) obj;
 
-      boolean result = true;
-      result = result && (hasClienttransaction() == other.hasClienttransaction());
+      if (hasClienttransaction() != other.hasClienttransaction()) return false;
       if (hasClienttransaction()) {
-        result = result && getClienttransaction()
-            .equals(other.getClienttransaction());
+        if (!getClienttransaction()
+            .equals(other.getClienttransaction())) return false;
       }
-      result = result && (hasAccepted() == other.hasAccepted());
+      if (hasAccepted() != other.hasAccepted()) return false;
       if (hasAccepted()) {
-        result = result && (getAccepted()
-            == other.getAccepted());
+        if (getAccepted()
+            != other.getAccepted()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -19469,18 +19438,18 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.TxResult buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.TxResult result = new ch.epfl.dedis.lib.proto.ByzCoinProto.TxResult(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (clienttransactionBuilder_ == null) {
+            result.clienttransaction_ = clienttransaction_;
+          } else {
+            result.clienttransaction_ = clienttransactionBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (clienttransactionBuilder_ == null) {
-          result.clienttransaction_ = clienttransaction_;
-        } else {
-          result.clienttransaction_ = clienttransactionBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          result.accepted_ = accepted_;
           to_bitField0_ |= 0x00000002;
         }
-        result.accepted_ = accepted_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -19488,35 +19457,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.TxResult buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -19575,14 +19544,14 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction clienttransaction_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction clienttransaction_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction, ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransactionOrBuilder> clienttransactionBuilder_;
       /**
        * required .byzcoin.ClientTransaction clienttransaction = 1;
        */
       public boolean hasClienttransaction() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required .byzcoin.ClientTransaction clienttransaction = 1;
@@ -19629,7 +19598,7 @@ public Builder setClienttransaction(
        */
       public Builder mergeClienttransaction(ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction value) {
         if (clienttransactionBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               clienttransaction_ != null &&
               clienttransaction_ != ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransaction.getDefaultInstance()) {
             clienttransaction_ =
@@ -19698,7 +19667,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.ClientTransactionOrBuilder getClient
        * required bool accepted = 2;
        */
       public boolean hasAccepted() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bool accepted = 2;
@@ -19909,12 +19878,10 @@ private StateChange(com.google.protobuf.GeneratedMessageV3.Builder builder) {
       super(builder);
     }
     private StateChange() {
-      stateaction_ = 0;
       instanceid_ = com.google.protobuf.ByteString.EMPTY;
       contractid_ = "";
       value_ = com.google.protobuf.ByteString.EMPTY;
       darcid_ = com.google.protobuf.ByteString.EMPTY;
-      version_ = 0L;
     }
 
     @java.lang.Override
@@ -20015,7 +19982,7 @@ private StateChange(
      * required sint32 stateaction = 1;
      */
     public boolean hasStateaction() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -20038,7 +20005,7 @@ public int getStateaction() {
      * required bytes instanceid = 2;
      */
     public boolean hasInstanceid() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -20061,7 +20028,7 @@ public com.google.protobuf.ByteString getInstanceid() {
      * required string contractid = 3;
      */
     public boolean hasContractid() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -20115,7 +20082,7 @@ public java.lang.String getContractid() {
      * required bytes value = 4;
      */
     public boolean hasValue() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * 
@@ -20138,7 +20105,7 @@ public com.google.protobuf.ByteString getValue() {
      * required bytes darcid = 5;
      */
     public boolean hasDarcid() {
-      return ((bitField0_ & 0x00000010) == 0x00000010);
+      return ((bitField0_ & 0x00000010) != 0);
     }
     /**
      * 
@@ -20161,7 +20128,7 @@ public com.google.protobuf.ByteString getDarcid() {
      * required uint64 version = 6;
      */
     public boolean hasVersion() {
-      return ((bitField0_ & 0x00000020) == 0x00000020);
+      return ((bitField0_ & 0x00000020) != 0);
     }
     /**
      * 
@@ -20212,22 +20179,22 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeSInt32(1, stateaction_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, instanceid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 3, contractid_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeBytes(4, value_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         output.writeBytes(5, darcid_);
       }
-      if (((bitField0_ & 0x00000020) == 0x00000020)) {
+      if (((bitField0_ & 0x00000020) != 0)) {
         output.writeUInt64(6, version_);
       }
       unknownFields.writeTo(output);
@@ -20239,26 +20206,26 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(1, stateaction_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, instanceid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(3, contractid_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(4, value_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(5, darcid_);
       }
-      if (((bitField0_ & 0x00000020) == 0x00000020)) {
+      if (((bitField0_ & 0x00000020) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeUInt64Size(6, version_);
       }
@@ -20277,39 +20244,38 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange other = (ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange) obj;
 
-      boolean result = true;
-      result = result && (hasStateaction() == other.hasStateaction());
+      if (hasStateaction() != other.hasStateaction()) return false;
       if (hasStateaction()) {
-        result = result && (getStateaction()
-            == other.getStateaction());
+        if (getStateaction()
+            != other.getStateaction()) return false;
       }
-      result = result && (hasInstanceid() == other.hasInstanceid());
+      if (hasInstanceid() != other.hasInstanceid()) return false;
       if (hasInstanceid()) {
-        result = result && getInstanceid()
-            .equals(other.getInstanceid());
+        if (!getInstanceid()
+            .equals(other.getInstanceid())) return false;
       }
-      result = result && (hasContractid() == other.hasContractid());
+      if (hasContractid() != other.hasContractid()) return false;
       if (hasContractid()) {
-        result = result && getContractid()
-            .equals(other.getContractid());
+        if (!getContractid()
+            .equals(other.getContractid())) return false;
       }
-      result = result && (hasValue() == other.hasValue());
+      if (hasValue() != other.hasValue()) return false;
       if (hasValue()) {
-        result = result && getValue()
-            .equals(other.getValue());
+        if (!getValue()
+            .equals(other.getValue())) return false;
       }
-      result = result && (hasDarcid() == other.hasDarcid());
+      if (hasDarcid() != other.hasDarcid()) return false;
       if (hasDarcid()) {
-        result = result && getDarcid()
-            .equals(other.getDarcid());
+        if (!getDarcid()
+            .equals(other.getDarcid())) return false;
       }
-      result = result && (hasVersion() == other.hasVersion());
+      if (hasVersion() != other.hasVersion()) return false;
       if (hasVersion()) {
-        result = result && (getVersion()
-            == other.getVersion());
+        if (getVersion()
+            != other.getVersion()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -20521,30 +20487,30 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange result = new ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.stateaction_ = stateaction_;
           to_bitField0_ |= 0x00000001;
         }
-        result.stateaction_ = stateaction_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.instanceid_ = instanceid_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.contractid_ = contractid_;
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
           to_bitField0_ |= 0x00000008;
         }
         result.value_ = value_;
-        if (((from_bitField0_ & 0x00000010) == 0x00000010)) {
+        if (((from_bitField0_ & 0x00000010) != 0)) {
           to_bitField0_ |= 0x00000010;
         }
         result.darcid_ = darcid_;
-        if (((from_bitField0_ & 0x00000020) == 0x00000020)) {
+        if (((from_bitField0_ & 0x00000020) != 0)) {
+          result.version_ = version_;
           to_bitField0_ |= 0x00000020;
         }
-        result.version_ = version_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -20552,35 +20518,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -20671,7 +20637,7 @@ public Builder mergeFrom(
        * required sint32 stateaction = 1;
        */
       public boolean hasStateaction() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -20719,7 +20685,7 @@ public Builder clearStateaction() {
        * required bytes instanceid = 2;
        */
       public boolean hasInstanceid() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -20770,7 +20736,7 @@ public Builder clearInstanceid() {
        * required string contractid = 3;
        */
       public boolean hasContractid() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -20870,7 +20836,7 @@ public Builder setContractidBytes(
        * required bytes value = 4;
        */
       public boolean hasValue() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * 
@@ -20921,7 +20887,7 @@ public Builder clearValue() {
        * required bytes darcid = 5;
        */
       public boolean hasDarcid() {
-        return ((bitField0_ & 0x00000010) == 0x00000010);
+        return ((bitField0_ & 0x00000010) != 0);
       }
       /**
        * 
@@ -20972,7 +20938,7 @@ public Builder clearDarcid() {
        * required uint64 version = 6;
        */
       public boolean hasVersion() {
-        return ((bitField0_ & 0x00000020) == 0x00000020);
+        return ((bitField0_ & 0x00000020) != 0);
       }
       /**
        * 
@@ -21120,7 +21086,6 @@ private Coin(com.google.protobuf.GeneratedMessageV3.Builder builder) {
     }
     private Coin() {
       name_ = com.google.protobuf.ByteString.EMPTY;
-      value_ = 0L;
     }
 
     @java.lang.Override
@@ -21200,7 +21165,7 @@ private Coin(
      * required bytes name = 1;
      */
     public boolean hasName() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -21223,7 +21188,7 @@ public com.google.protobuf.ByteString getName() {
      * required uint64 value = 2;
      */
     public boolean hasValue() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -21258,10 +21223,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, name_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeUInt64(2, value_);
       }
       unknownFields.writeTo(output);
@@ -21273,11 +21238,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, name_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeUInt64Size(2, value_);
       }
@@ -21296,19 +21261,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.Coin other = (ch.epfl.dedis.lib.proto.ByzCoinProto.Coin) obj;
 
-      boolean result = true;
-      result = result && (hasName() == other.hasName());
+      if (hasName() != other.hasName()) return false;
       if (hasName()) {
-        result = result && getName()
-            .equals(other.getName());
+        if (!getName()
+            .equals(other.getName())) return false;
       }
-      result = result && (hasValue() == other.hasValue());
+      if (hasValue() != other.hasValue()) return false;
       if (hasValue()) {
-        result = result && (getValue()
-            == other.getValue());
+        if (getValue()
+            != other.getValue()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -21497,14 +21461,14 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Coin buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.Coin result = new ch.epfl.dedis.lib.proto.ByzCoinProto.Coin(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.name_ = name_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          result.value_ = value_;
           to_bitField0_ |= 0x00000002;
         }
-        result.value_ = value_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -21512,35 +21476,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.Coin buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -21605,7 +21569,7 @@ public Builder mergeFrom(
        * required bytes name = 1;
        */
       public boolean hasName() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -21656,7 +21620,7 @@ public Builder clearName() {
        * required uint64 value = 2;
        */
       public boolean hasValue() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -21849,7 +21813,7 @@ private StreamingRequest(
      * required bytes id = 1;
      */
     public boolean hasId() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes id = 1;
@@ -21876,7 +21840,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, id_);
       }
       unknownFields.writeTo(output);
@@ -21888,7 +21852,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, id_);
       }
@@ -21907,14 +21871,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.StreamingRequest other = (ch.epfl.dedis.lib.proto.ByzCoinProto.StreamingRequest) obj;
 
-      boolean result = true;
-      result = result && (hasId() == other.hasId());
+      if (hasId() != other.hasId()) return false;
       if (hasId()) {
-        result = result && getId()
-            .equals(other.getId());
+        if (!getId()
+            .equals(other.getId())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -22096,7 +22059,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.StreamingRequest buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.StreamingRequest result = new ch.epfl.dedis.lib.proto.ByzCoinProto.StreamingRequest(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.id_ = id_;
@@ -22107,35 +22070,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.StreamingRequest buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -22190,7 +22153,7 @@ public Builder mergeFrom(
        * required bytes id = 1;
        */
       public boolean hasId() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes id = 1;
@@ -22334,7 +22297,7 @@ private StreamingResponse(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = block_.toBuilder();
               }
               block_ = input.readMessage(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.parser(), extensionRegistry);
@@ -22384,7 +22347,7 @@ private StreamingResponse(
      * optional .skipchain.SkipBlock block = 1;
      */
     public boolean hasBlock() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * optional .skipchain.SkipBlock block = 1;
@@ -22419,7 +22382,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getBlock());
       }
       unknownFields.writeTo(output);
@@ -22431,7 +22394,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getBlock());
       }
@@ -22450,14 +22413,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.StreamingResponse other = (ch.epfl.dedis.lib.proto.ByzCoinProto.StreamingResponse) obj;
 
-      boolean result = true;
-      result = result && (hasBlock() == other.hasBlock());
+      if (hasBlock() != other.hasBlock()) return false;
       if (hasBlock()) {
-        result = result && getBlock()
-            .equals(other.getBlock());
+        if (!getBlock()
+            .equals(other.getBlock())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -22643,14 +22605,14 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.StreamingResponse buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.StreamingResponse result = new ch.epfl.dedis.lib.proto.ByzCoinProto.StreamingResponse(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (blockBuilder_ == null) {
+            result.block_ = block_;
+          } else {
+            result.block_ = blockBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (blockBuilder_ == null) {
-          result.block_ = block_;
-        } else {
-          result.block_ = blockBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -22658,35 +22620,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.StreamingResponse buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -22738,14 +22700,14 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock block_ = null;
+      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock block_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder> blockBuilder_;
       /**
        * optional .skipchain.SkipBlock block = 1;
        */
       public boolean hasBlock() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * optional .skipchain.SkipBlock block = 1;
@@ -22792,7 +22754,7 @@ public Builder setBlock(
        */
       public Builder mergeBlock(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock value) {
         if (blockBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               block_ != null &&
               block_ != ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.getDefaultInstance()) {
             block_ =
@@ -22994,8 +22956,6 @@ private DownloadState(com.google.protobuf.GeneratedMessageV3.Builder builder)
     }
     private DownloadState() {
       byzcoinid_ = com.google.protobuf.ByteString.EMPTY;
-      nonce_ = 0L;
-      length_ = 0;
     }
 
     @java.lang.Override
@@ -23080,7 +23040,7 @@ private DownloadState(
      * required bytes byzcoinid = 1;
      */
     public boolean hasByzcoinid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -23108,7 +23068,7 @@ public com.google.protobuf.ByteString getByzcoinid() {
      * required uint64 nonce = 2;
      */
     public boolean hasNonce() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -23136,7 +23096,7 @@ public long getNonce() {
      * required sint32 length = 3;
      */
     public boolean hasLength() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -23175,13 +23135,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeUInt64(2, nonce_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeSInt32(3, length_);
       }
       unknownFields.writeTo(output);
@@ -23193,15 +23153,15 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeUInt64Size(2, nonce_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(3, length_);
       }
@@ -23220,24 +23180,23 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.DownloadState other = (ch.epfl.dedis.lib.proto.ByzCoinProto.DownloadState) obj;
 
-      boolean result = true;
-      result = result && (hasByzcoinid() == other.hasByzcoinid());
+      if (hasByzcoinid() != other.hasByzcoinid()) return false;
       if (hasByzcoinid()) {
-        result = result && getByzcoinid()
-            .equals(other.getByzcoinid());
+        if (!getByzcoinid()
+            .equals(other.getByzcoinid())) return false;
       }
-      result = result && (hasNonce() == other.hasNonce());
+      if (hasNonce() != other.hasNonce()) return false;
       if (hasNonce()) {
-        result = result && (getNonce()
-            == other.getNonce());
+        if (getNonce()
+            != other.getNonce()) return false;
       }
-      result = result && (hasLength() == other.hasLength());
+      if (hasLength() != other.hasLength()) return false;
       if (hasLength()) {
-        result = result && (getLength()
-            == other.getLength());
+        if (getLength()
+            != other.getLength()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -23434,18 +23393,18 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DownloadState buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.DownloadState result = new ch.epfl.dedis.lib.proto.ByzCoinProto.DownloadState(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.byzcoinid_ = byzcoinid_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          result.nonce_ = nonce_;
           to_bitField0_ |= 0x00000002;
         }
-        result.nonce_ = nonce_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          result.length_ = length_;
           to_bitField0_ |= 0x00000004;
         }
-        result.length_ = length_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -23453,35 +23412,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DownloadState buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -23552,7 +23511,7 @@ public Builder mergeFrom(
        * required bytes byzcoinid = 1;
        */
       public boolean hasByzcoinid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -23608,7 +23567,7 @@ public Builder clearByzcoinid() {
        * required uint64 nonce = 2;
        */
       public boolean hasNonce() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -23671,7 +23630,7 @@ public Builder clearNonce() {
        * required sint32 length = 3;
        */
       public boolean hasLength() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -23855,7 +23814,6 @@ private DownloadStateResponse(com.google.protobuf.GeneratedMessageV3.Builder
     }
     private DownloadStateResponse() {
       keyvalues_ = java.util.Collections.emptyList();
-      nonce_ = 0L;
     }
 
     @java.lang.Override
@@ -23883,7 +23841,7 @@ private DownloadStateResponse(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 keyvalues_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -23911,7 +23869,7 @@ private DownloadStateResponse(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           keyvalues_ = java.util.Collections.unmodifiableList(keyvalues_);
         }
         this.unknownFields = unknownFields.build();
@@ -24004,7 +23962,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DBKeyValueOrBuilder getKeyvaluesOrBu
      * required uint64 nonce = 2;
      */
     public boolean hasNonce() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -24046,7 +24004,7 @@ public void writeTo(com.google.protobuf.CodedOutputStream output)
       for (int i = 0; i < keyvalues_.size(); i++) {
         output.writeMessage(1, keyvalues_.get(i));
       }
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeUInt64(2, nonce_);
       }
       unknownFields.writeTo(output);
@@ -24062,7 +24020,7 @@ public int getSerializedSize() {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, keyvalues_.get(i));
       }
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeUInt64Size(2, nonce_);
       }
@@ -24081,16 +24039,15 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.DownloadStateResponse other = (ch.epfl.dedis.lib.proto.ByzCoinProto.DownloadStateResponse) obj;
 
-      boolean result = true;
-      result = result && getKeyvaluesList()
-          .equals(other.getKeyvaluesList());
-      result = result && (hasNonce() == other.hasNonce());
+      if (!getKeyvaluesList()
+          .equals(other.getKeyvaluesList())) return false;
+      if (hasNonce() != other.hasNonce()) return false;
       if (hasNonce()) {
-        result = result && (getNonce()
-            == other.getNonce());
+        if (getNonce()
+            != other.getNonce()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -24285,7 +24242,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DownloadStateResponse buildPartial()
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
         if (keyvaluesBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             keyvalues_ = java.util.Collections.unmodifiableList(keyvalues_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -24293,10 +24250,10 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DownloadStateResponse buildPartial()
         } else {
           result.keyvalues_ = keyvaluesBuilder_.build();
         }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          result.nonce_ = nonce_;
           to_bitField0_ |= 0x00000001;
         }
-        result.nonce_ = nonce_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -24304,35 +24261,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DownloadStateResponse buildPartial()
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -24416,7 +24373,7 @@ public Builder mergeFrom(
       private java.util.List keyvalues_ =
         java.util.Collections.emptyList();
       private void ensureKeyvaluesIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           keyvalues_ = new java.util.ArrayList(keyvalues_);
           bitField0_ |= 0x00000001;
          }
@@ -24735,7 +24692,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DBKeyValue.Builder addKeyvaluesBuild
           keyvaluesBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.ByzCoinProto.DBKeyValue, ch.epfl.dedis.lib.proto.ByzCoinProto.DBKeyValue.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.DBKeyValueOrBuilder>(
                   keyvalues_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           keyvalues_ = null;
@@ -24754,7 +24711,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DBKeyValue.Builder addKeyvaluesBuild
        * required uint64 nonce = 2;
        */
       public boolean hasNonce() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -24967,7 +24924,7 @@ private DBKeyValue(
      * required bytes key = 1;
      */
     public boolean hasKey() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes key = 1;
@@ -24982,7 +24939,7 @@ public com.google.protobuf.ByteString getKey() {
      * required bytes value = 2;
      */
     public boolean hasValue() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes value = 2;
@@ -25013,10 +24970,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, key_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, value_);
       }
       unknownFields.writeTo(output);
@@ -25028,11 +24985,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, key_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, value_);
       }
@@ -25051,19 +25008,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.DBKeyValue other = (ch.epfl.dedis.lib.proto.ByzCoinProto.DBKeyValue) obj;
 
-      boolean result = true;
-      result = result && (hasKey() == other.hasKey());
+      if (hasKey() != other.hasKey()) return false;
       if (hasKey()) {
-        result = result && getKey()
-            .equals(other.getKey());
+        if (!getKey()
+            .equals(other.getKey())) return false;
       }
-      result = result && (hasValue() == other.hasValue());
+      if (hasValue() != other.hasValue()) return false;
       if (hasValue()) {
-        result = result && getValue()
-            .equals(other.getValue());
+        if (!getValue()
+            .equals(other.getValue())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -25250,11 +25206,11 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DBKeyValue buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.DBKeyValue result = new ch.epfl.dedis.lib.proto.ByzCoinProto.DBKeyValue(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.key_ = key_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.value_ = value_;
@@ -25265,35 +25221,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DBKeyValue buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -25354,7 +25310,7 @@ public Builder mergeFrom(
        * required bytes key = 1;
        */
       public boolean hasKey() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes key = 1;
@@ -25389,7 +25345,7 @@ public Builder clearKey() {
        * required bytes value = 2;
        */
       public boolean hasValue() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes value = 2;
@@ -25543,10 +25499,8 @@ private StateChangeBody(com.google.protobuf.GeneratedMessageV3.Builder builde
       super(builder);
     }
     private StateChangeBody() {
-      stateaction_ = 0;
       contractid_ = "";
       value_ = com.google.protobuf.ByteString.EMPTY;
-      version_ = 0L;
       darcid_ = com.google.protobuf.ByteString.EMPTY;
     }
 
@@ -25639,7 +25593,7 @@ private StateChangeBody(
      * required sint32 stateaction = 1;
      */
     public boolean hasStateaction() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required sint32 stateaction = 1;
@@ -25654,7 +25608,7 @@ public int getStateaction() {
      * required string contractid = 2;
      */
     public boolean hasContractid() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required string contractid = 2;
@@ -25696,7 +25650,7 @@ public java.lang.String getContractid() {
      * required bytes value = 3;
      */
     public boolean hasValue() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * required bytes value = 3;
@@ -25711,7 +25665,7 @@ public com.google.protobuf.ByteString getValue() {
      * required uint64 version = 4;
      */
     public boolean hasVersion() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * required uint64 version = 4;
@@ -25726,7 +25680,7 @@ public long getVersion() {
      * required bytes darcid = 5;
      */
     public boolean hasDarcid() {
-      return ((bitField0_ & 0x00000010) == 0x00000010);
+      return ((bitField0_ & 0x00000010) != 0);
     }
     /**
      * required bytes darcid = 5;
@@ -25769,19 +25723,19 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeSInt32(1, stateaction_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 2, contractid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeBytes(3, value_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeUInt64(4, version_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         output.writeBytes(5, darcid_);
       }
       unknownFields.writeTo(output);
@@ -25793,22 +25747,22 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(1, stateaction_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(2, contractid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, value_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeUInt64Size(4, version_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(5, darcid_);
       }
@@ -25827,34 +25781,33 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeBody other = (ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeBody) obj;
 
-      boolean result = true;
-      result = result && (hasStateaction() == other.hasStateaction());
+      if (hasStateaction() != other.hasStateaction()) return false;
       if (hasStateaction()) {
-        result = result && (getStateaction()
-            == other.getStateaction());
+        if (getStateaction()
+            != other.getStateaction()) return false;
       }
-      result = result && (hasContractid() == other.hasContractid());
+      if (hasContractid() != other.hasContractid()) return false;
       if (hasContractid()) {
-        result = result && getContractid()
-            .equals(other.getContractid());
+        if (!getContractid()
+            .equals(other.getContractid())) return false;
       }
-      result = result && (hasValue() == other.hasValue());
+      if (hasValue() != other.hasValue()) return false;
       if (hasValue()) {
-        result = result && getValue()
-            .equals(other.getValue());
+        if (!getValue()
+            .equals(other.getValue())) return false;
       }
-      result = result && (hasVersion() == other.hasVersion());
+      if (hasVersion() != other.hasVersion()) return false;
       if (hasVersion()) {
-        result = result && (getVersion()
-            == other.getVersion());
+        if (getVersion()
+            != other.getVersion()) return false;
       }
-      result = result && (hasDarcid() == other.hasDarcid());
+      if (hasDarcid() != other.hasDarcid()) return false;
       if (hasDarcid()) {
-        result = result && getDarcid()
-            .equals(other.getDarcid());
+        if (!getDarcid()
+            .equals(other.getDarcid())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -26061,23 +26014,23 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeBody buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeBody result = new ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeBody(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.stateaction_ = stateaction_;
           to_bitField0_ |= 0x00000001;
         }
-        result.stateaction_ = stateaction_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.contractid_ = contractid_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.value_ = value_;
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
+          result.version_ = version_;
           to_bitField0_ |= 0x00000008;
         }
-        result.version_ = version_;
-        if (((from_bitField0_ & 0x00000010) == 0x00000010)) {
+        if (((from_bitField0_ & 0x00000010) != 0)) {
           to_bitField0_ |= 0x00000010;
         }
         result.darcid_ = darcid_;
@@ -26088,35 +26041,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeBody buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -26197,7 +26150,7 @@ public Builder mergeFrom(
        * required sint32 stateaction = 1;
        */
       public boolean hasStateaction() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required sint32 stateaction = 1;
@@ -26229,7 +26182,7 @@ public Builder clearStateaction() {
        * required string contractid = 2;
        */
       public boolean hasContractid() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required string contractid = 2;
@@ -26305,7 +26258,7 @@ public Builder setContractidBytes(
        * required bytes value = 3;
        */
       public boolean hasValue() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required bytes value = 3;
@@ -26340,7 +26293,7 @@ public Builder clearValue() {
        * required uint64 version = 4;
        */
       public boolean hasVersion() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * required uint64 version = 4;
@@ -26372,7 +26325,7 @@ public Builder clearVersion() {
        * required bytes darcid = 5;
        */
       public boolean hasDarcid() {
-        return ((bitField0_ & 0x00000010) == 0x00000010);
+        return ((bitField0_ & 0x00000010) != 0);
       }
       /**
        * required bytes darcid = 5;
@@ -26534,7 +26487,7 @@ private GetSignerCounters(
               break;
             case 10: {
               com.google.protobuf.ByteString bs = input.readBytes();
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 signerids_ = new com.google.protobuf.LazyStringArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -26561,7 +26514,7 @@ private GetSignerCounters(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           signerids_ = signerids_.getUnmodifiableView();
         }
         this.unknownFields = unknownFields.build();
@@ -26617,7 +26570,7 @@ public java.lang.String getSignerids(int index) {
      * required bytes skipchainid = 2;
      */
     public boolean hasSkipchainid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes skipchainid = 2;
@@ -26647,7 +26600,7 @@ public void writeTo(com.google.protobuf.CodedOutputStream output)
       for (int i = 0; i < signerids_.size(); i++) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 1, signerids_.getRaw(i));
       }
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(2, skipchainid_);
       }
       unknownFields.writeTo(output);
@@ -26667,7 +26620,7 @@ public int getSerializedSize() {
         size += dataSize;
         size += 1 * getSigneridsList().size();
       }
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, skipchainid_);
       }
@@ -26686,16 +26639,15 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.GetSignerCounters other = (ch.epfl.dedis.lib.proto.ByzCoinProto.GetSignerCounters) obj;
 
-      boolean result = true;
-      result = result && getSigneridsList()
-          .equals(other.getSigneridsList());
-      result = result && (hasSkipchainid() == other.hasSkipchainid());
+      if (!getSigneridsList()
+          .equals(other.getSigneridsList())) return false;
+      if (hasSkipchainid() != other.hasSkipchainid()) return false;
       if (hasSkipchainid()) {
-        result = result && getSkipchainid()
-            .equals(other.getSkipchainid());
+        if (!getSkipchainid()
+            .equals(other.getSkipchainid())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -26883,12 +26835,12 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetSignerCounters buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.GetSignerCounters result = new ch.epfl.dedis.lib.proto.ByzCoinProto.GetSignerCounters(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((bitField0_ & 0x00000001) != 0)) {
           signerids_ = signerids_.getUnmodifiableView();
           bitField0_ = (bitField0_ & ~0x00000001);
         }
         result.signerids_ = signerids_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.skipchainid_ = skipchainid_;
@@ -26899,35 +26851,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetSignerCounters buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -26989,7 +26941,7 @@ public Builder mergeFrom(
 
       private com.google.protobuf.LazyStringList signerids_ = com.google.protobuf.LazyStringArrayList.EMPTY;
       private void ensureSigneridsIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           signerids_ = new com.google.protobuf.LazyStringArrayList(signerids_);
           bitField0_ |= 0x00000001;
          }
@@ -27085,7 +27037,7 @@ public Builder addSigneridsBytes(
        * required bytes skipchainid = 2;
        */
       public boolean hasSkipchainid() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes skipchainid = 2;
@@ -27202,7 +27154,7 @@ private GetSignerCountersResponse(com.google.protobuf.GeneratedMessageV3.Builder
       super(builder);
     }
     private GetSignerCountersResponse() {
-      counters_ = java.util.Collections.emptyList();
+      counters_ = emptyLongList();
     }
 
     @java.lang.Override
@@ -27230,22 +27182,22 @@ private GetSignerCountersResponse(
               done = true;
               break;
             case 8: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
-                counters_ = new java.util.ArrayList();
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
+                counters_ = newLongList();
                 mutable_bitField0_ |= 0x00000001;
               }
-              counters_.add(input.readUInt64());
+              counters_.addLong(input.readUInt64());
               break;
             }
             case 10: {
               int length = input.readRawVarint32();
               int limit = input.pushLimit(length);
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001) && input.getBytesUntilLimit() > 0) {
-                counters_ = new java.util.ArrayList();
+              if (!((mutable_bitField0_ & 0x00000001) != 0) && input.getBytesUntilLimit() > 0) {
+                counters_ = newLongList();
                 mutable_bitField0_ |= 0x00000001;
               }
               while (input.getBytesUntilLimit() > 0) {
-                counters_.add(input.readUInt64());
+                counters_.addLong(input.readUInt64());
               }
               input.popLimit(limit);
               break;
@@ -27265,8 +27217,8 @@ private GetSignerCountersResponse(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
-          counters_ = java.util.Collections.unmodifiableList(counters_);
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
+          counters_.makeImmutable(); // C
         }
         this.unknownFields = unknownFields.build();
         makeExtensionsImmutable();
@@ -27286,7 +27238,7 @@ private GetSignerCountersResponse(
     }
 
     public static final int COUNTERS_FIELD_NUMBER = 1;
-    private java.util.List counters_;
+    private com.google.protobuf.Internal.LongList counters_;
     /**
      * repeated uint64 counters = 1 [packed = true];
      */
@@ -27304,7 +27256,7 @@ public int getCountersCount() {
      * repeated uint64 counters = 1 [packed = true];
      */
     public long getCounters(int index) {
-      return counters_.get(index);
+      return counters_.getLong(index);
     }
     private int countersMemoizedSerializedSize = -1;
 
@@ -27328,7 +27280,7 @@ public void writeTo(com.google.protobuf.CodedOutputStream output)
         output.writeUInt32NoTag(countersMemoizedSerializedSize);
       }
       for (int i = 0; i < counters_.size(); i++) {
-        output.writeUInt64NoTag(counters_.get(i));
+        output.writeUInt64NoTag(counters_.getLong(i));
       }
       unknownFields.writeTo(output);
     }
@@ -27343,7 +27295,7 @@ public int getSerializedSize() {
         int dataSize = 0;
         for (int i = 0; i < counters_.size(); i++) {
           dataSize += com.google.protobuf.CodedOutputStream
-            .computeUInt64SizeNoTag(counters_.get(i));
+            .computeUInt64SizeNoTag(counters_.getLong(i));
         }
         size += dataSize;
         if (!getCountersList().isEmpty()) {
@@ -27368,11 +27320,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.GetSignerCountersResponse other = (ch.epfl.dedis.lib.proto.ByzCoinProto.GetSignerCountersResponse) obj;
 
-      boolean result = true;
-      result = result && getCountersList()
-          .equals(other.getCountersList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getCountersList()
+          .equals(other.getCountersList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -27524,7 +27475,7 @@ private void maybeForceBuilderInitialization() {
       @java.lang.Override
       public Builder clear() {
         super.clear();
-        counters_ = java.util.Collections.emptyList();
+        counters_ = emptyLongList();
         bitField0_ = (bitField0_ & ~0x00000001);
         return this;
       }
@@ -27553,8 +27504,8 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetSignerCountersResponse build() {
       public ch.epfl.dedis.lib.proto.ByzCoinProto.GetSignerCountersResponse buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.GetSignerCountersResponse result = new ch.epfl.dedis.lib.proto.ByzCoinProto.GetSignerCountersResponse(this);
         int from_bitField0_ = bitField0_;
-        if (((bitField0_ & 0x00000001) == 0x00000001)) {
-          counters_ = java.util.Collections.unmodifiableList(counters_);
+        if (((bitField0_ & 0x00000001) != 0)) {
+          counters_.makeImmutable();
           bitField0_ = (bitField0_ & ~0x00000001);
         }
         result.counters_ = counters_;
@@ -27564,35 +27515,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetSignerCountersResponse buildParti
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -27646,10 +27597,10 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private java.util.List counters_ = java.util.Collections.emptyList();
+      private com.google.protobuf.Internal.LongList counters_ = emptyLongList();
       private void ensureCountersIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
-          counters_ = new java.util.ArrayList(counters_);
+        if (!((bitField0_ & 0x00000001) != 0)) {
+          counters_ = mutableCopy(counters_);
           bitField0_ |= 0x00000001;
          }
       }
@@ -27658,7 +27609,8 @@ private void ensureCountersIsMutable() {
        */
       public java.util.List
           getCountersList() {
-        return java.util.Collections.unmodifiableList(counters_);
+        return ((bitField0_ & 0x00000001) != 0) ?
+                 java.util.Collections.unmodifiableList(counters_) : counters_;
       }
       /**
        * repeated uint64 counters = 1 [packed = true];
@@ -27670,7 +27622,7 @@ public int getCountersCount() {
        * repeated uint64 counters = 1 [packed = true];
        */
       public long getCounters(int index) {
-        return counters_.get(index);
+        return counters_.getLong(index);
       }
       /**
        * repeated uint64 counters = 1 [packed = true];
@@ -27678,7 +27630,7 @@ public long getCounters(int index) {
       public Builder setCounters(
           int index, long value) {
         ensureCountersIsMutable();
-        counters_.set(index, value);
+        counters_.setLong(index, value);
         onChanged();
         return this;
       }
@@ -27687,7 +27639,7 @@ public Builder setCounters(
        */
       public Builder addCounters(long value) {
         ensureCountersIsMutable();
-        counters_.add(value);
+        counters_.addLong(value);
         onChanged();
         return this;
       }
@@ -27706,7 +27658,7 @@ public Builder addAllCounters(
        * repeated uint64 counters = 1 [packed = true];
        */
       public Builder clearCounters() {
-        counters_ = java.util.Collections.emptyList();
+        counters_ = emptyLongList();
         bitField0_ = (bitField0_ & ~0x00000001);
         onChanged();
         return this;
@@ -27815,7 +27767,6 @@ private GetInstanceVersion(com.google.protobuf.GeneratedMessageV3.Builder bui
     private GetInstanceVersion() {
       skipchainid_ = com.google.protobuf.ByteString.EMPTY;
       instanceid_ = com.google.protobuf.ByteString.EMPTY;
-      version_ = 0L;
     }
 
     @java.lang.Override
@@ -27896,7 +27847,7 @@ private GetInstanceVersion(
      * required bytes skipchainid = 1;
      */
     public boolean hasSkipchainid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes skipchainid = 1;
@@ -27911,7 +27862,7 @@ public com.google.protobuf.ByteString getSkipchainid() {
      * required bytes instanceid = 2;
      */
     public boolean hasInstanceid() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes instanceid = 2;
@@ -27926,7 +27877,7 @@ public com.google.protobuf.ByteString getInstanceid() {
      * required uint64 version = 3;
      */
     public boolean hasVersion() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * required uint64 version = 3;
@@ -27961,13 +27912,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, skipchainid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, instanceid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeUInt64(3, version_);
       }
       unknownFields.writeTo(output);
@@ -27979,15 +27930,15 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, skipchainid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, instanceid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeUInt64Size(3, version_);
       }
@@ -28006,24 +27957,23 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersion other = (ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersion) obj;
 
-      boolean result = true;
-      result = result && (hasSkipchainid() == other.hasSkipchainid());
+      if (hasSkipchainid() != other.hasSkipchainid()) return false;
       if (hasSkipchainid()) {
-        result = result && getSkipchainid()
-            .equals(other.getSkipchainid());
+        if (!getSkipchainid()
+            .equals(other.getSkipchainid())) return false;
       }
-      result = result && (hasInstanceid() == other.hasInstanceid());
+      if (hasInstanceid() != other.hasInstanceid()) return false;
       if (hasInstanceid()) {
-        result = result && getInstanceid()
-            .equals(other.getInstanceid());
+        if (!getInstanceid()
+            .equals(other.getInstanceid())) return false;
       }
-      result = result && (hasVersion() == other.hasVersion());
+      if (hasVersion() != other.hasVersion()) return false;
       if (hasVersion()) {
-        result = result && (getVersion()
-            == other.getVersion());
+        if (getVersion()
+            != other.getVersion()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -28218,18 +28168,18 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersion buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersion result = new ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersion(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.skipchainid_ = skipchainid_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.instanceid_ = instanceid_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          result.version_ = version_;
           to_bitField0_ |= 0x00000004;
         }
-        result.version_ = version_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -28237,35 +28187,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersion buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -28332,7 +28282,7 @@ public Builder mergeFrom(
        * required bytes skipchainid = 1;
        */
       public boolean hasSkipchainid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes skipchainid = 1;
@@ -28367,7 +28317,7 @@ public Builder clearSkipchainid() {
        * required bytes instanceid = 2;
        */
       public boolean hasInstanceid() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes instanceid = 2;
@@ -28402,7 +28352,7 @@ public Builder clearInstanceid() {
        * required uint64 version = 3;
        */
       public boolean hasVersion() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required uint64 version = 3;
@@ -28598,7 +28548,7 @@ private GetLastInstanceVersion(
      * required bytes skipchainid = 1;
      */
     public boolean hasSkipchainid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes skipchainid = 1;
@@ -28613,7 +28563,7 @@ public com.google.protobuf.ByteString getSkipchainid() {
      * required bytes instanceid = 2;
      */
     public boolean hasInstanceid() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes instanceid = 2;
@@ -28644,10 +28594,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, skipchainid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, instanceid_);
       }
       unknownFields.writeTo(output);
@@ -28659,11 +28609,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, skipchainid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, instanceid_);
       }
@@ -28682,19 +28632,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.GetLastInstanceVersion other = (ch.epfl.dedis.lib.proto.ByzCoinProto.GetLastInstanceVersion) obj;
 
-      boolean result = true;
-      result = result && (hasSkipchainid() == other.hasSkipchainid());
+      if (hasSkipchainid() != other.hasSkipchainid()) return false;
       if (hasSkipchainid()) {
-        result = result && getSkipchainid()
-            .equals(other.getSkipchainid());
+        if (!getSkipchainid()
+            .equals(other.getSkipchainid())) return false;
       }
-      result = result && (hasInstanceid() == other.hasInstanceid());
+      if (hasInstanceid() != other.hasInstanceid()) return false;
       if (hasInstanceid()) {
-        result = result && getInstanceid()
-            .equals(other.getInstanceid());
+        if (!getInstanceid()
+            .equals(other.getInstanceid())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -28882,11 +28831,11 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetLastInstanceVersion buildPartial(
         ch.epfl.dedis.lib.proto.ByzCoinProto.GetLastInstanceVersion result = new ch.epfl.dedis.lib.proto.ByzCoinProto.GetLastInstanceVersion(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.skipchainid_ = skipchainid_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.instanceid_ = instanceid_;
@@ -28897,35 +28846,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetLastInstanceVersion buildPartial(
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -28986,7 +28935,7 @@ public Builder mergeFrom(
        * required bytes skipchainid = 1;
        */
       public boolean hasSkipchainid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes skipchainid = 1;
@@ -29021,7 +28970,7 @@ public Builder clearSkipchainid() {
        * required bytes instanceid = 2;
        */
       public boolean hasInstanceid() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes instanceid = 2;
@@ -29149,7 +29098,6 @@ private GetInstanceVersionResponse(com.google.protobuf.GeneratedMessageV3.Builde
       super(builder);
     }
     private GetInstanceVersionResponse() {
-      blockindex_ = 0;
     }
 
     @java.lang.Override
@@ -29178,7 +29126,7 @@ private GetInstanceVersionResponse(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = statechange_.toBuilder();
               }
               statechange_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange.parser(), extensionRegistry);
@@ -29233,7 +29181,7 @@ private GetInstanceVersionResponse(
      * required .byzcoin.StateChange statechange = 1;
      */
     public boolean hasStatechange() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required .byzcoin.StateChange statechange = 1;
@@ -29254,7 +29202,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeOrBuilder getStatechangeO
      * required sint32 blockindex = 2;
      */
     public boolean hasBlockindex() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required sint32 blockindex = 2;
@@ -29289,10 +29237,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getStatechange());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeSInt32(2, blockindex_);
       }
       unknownFields.writeTo(output);
@@ -29304,11 +29252,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getStatechange());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(2, blockindex_);
       }
@@ -29327,19 +29275,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersionResponse other = (ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersionResponse) obj;
 
-      boolean result = true;
-      result = result && (hasStatechange() == other.hasStatechange());
+      if (hasStatechange() != other.hasStatechange()) return false;
       if (hasStatechange()) {
-        result = result && getStatechange()
-            .equals(other.getStatechange());
+        if (!getStatechange()
+            .equals(other.getStatechange())) return false;
       }
-      result = result && (hasBlockindex() == other.hasBlockindex());
+      if (hasBlockindex() != other.hasBlockindex()) return false;
       if (hasBlockindex()) {
-        result = result && (getBlockindex()
-            == other.getBlockindex());
+        if (getBlockindex()
+            != other.getBlockindex()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -29534,18 +29481,18 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersionResponse buildPart
         ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersionResponse result = new ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersionResponse(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (statechangeBuilder_ == null) {
+            result.statechange_ = statechange_;
+          } else {
+            result.statechange_ = statechangeBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (statechangeBuilder_ == null) {
-          result.statechange_ = statechange_;
-        } else {
-          result.statechange_ = statechangeBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          result.blockindex_ = blockindex_;
           to_bitField0_ |= 0x00000002;
         }
-        result.blockindex_ = blockindex_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -29553,35 +29500,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersionResponse buildPart
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -29640,14 +29587,14 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange statechange_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange statechange_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange, ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeOrBuilder> statechangeBuilder_;
       /**
        * required .byzcoin.StateChange statechange = 1;
        */
       public boolean hasStatechange() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required .byzcoin.StateChange statechange = 1;
@@ -29694,7 +29641,7 @@ public Builder setStatechange(
        */
       public Builder mergeStatechange(ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange value) {
         if (statechangeBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               statechange_ != null &&
               statechange_ != ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange.getDefaultInstance()) {
             statechange_ =
@@ -29763,7 +29710,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeOrBuilder getStatechangeO
        * required sint32 blockindex = 2;
        */
       public boolean hasBlockindex() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required sint32 blockindex = 2;
@@ -29959,7 +29906,7 @@ private GetAllInstanceVersion(
      * required bytes skipchainid = 1;
      */
     public boolean hasSkipchainid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes skipchainid = 1;
@@ -29974,7 +29921,7 @@ public com.google.protobuf.ByteString getSkipchainid() {
      * required bytes instanceid = 2;
      */
     public boolean hasInstanceid() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes instanceid = 2;
@@ -30005,10 +29952,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, skipchainid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, instanceid_);
       }
       unknownFields.writeTo(output);
@@ -30020,11 +29967,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, skipchainid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, instanceid_);
       }
@@ -30043,19 +29990,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.GetAllInstanceVersion other = (ch.epfl.dedis.lib.proto.ByzCoinProto.GetAllInstanceVersion) obj;
 
-      boolean result = true;
-      result = result && (hasSkipchainid() == other.hasSkipchainid());
+      if (hasSkipchainid() != other.hasSkipchainid()) return false;
       if (hasSkipchainid()) {
-        result = result && getSkipchainid()
-            .equals(other.getSkipchainid());
+        if (!getSkipchainid()
+            .equals(other.getSkipchainid())) return false;
       }
-      result = result && (hasInstanceid() == other.hasInstanceid());
+      if (hasInstanceid() != other.hasInstanceid()) return false;
       if (hasInstanceid()) {
-        result = result && getInstanceid()
-            .equals(other.getInstanceid());
+        if (!getInstanceid()
+            .equals(other.getInstanceid())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -30243,11 +30189,11 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetAllInstanceVersion buildPartial()
         ch.epfl.dedis.lib.proto.ByzCoinProto.GetAllInstanceVersion result = new ch.epfl.dedis.lib.proto.ByzCoinProto.GetAllInstanceVersion(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.skipchainid_ = skipchainid_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.instanceid_ = instanceid_;
@@ -30258,35 +30204,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetAllInstanceVersion buildPartial()
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -30347,7 +30293,7 @@ public Builder mergeFrom(
        * required bytes skipchainid = 1;
        */
       public boolean hasSkipchainid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes skipchainid = 1;
@@ -30382,7 +30328,7 @@ public Builder clearSkipchainid() {
        * required bytes instanceid = 2;
        */
       public boolean hasInstanceid() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes instanceid = 2;
@@ -30538,7 +30484,7 @@ private GetAllInstanceVersionResponse(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 statechanges_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -30561,7 +30507,7 @@ private GetAllInstanceVersionResponse(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           statechanges_ = java.util.Collections.unmodifiableList(statechanges_);
         }
         this.unknownFields = unknownFields.build();
@@ -30667,11 +30613,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.GetAllInstanceVersionResponse other = (ch.epfl.dedis.lib.proto.ByzCoinProto.GetAllInstanceVersionResponse) obj;
 
-      boolean result = true;
-      result = result && getStatechangesList()
-          .equals(other.getStatechangesList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getStatechangesList()
+          .equals(other.getStatechangesList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -30858,7 +30803,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetAllInstanceVersionResponse buildP
         ch.epfl.dedis.lib.proto.ByzCoinProto.GetAllInstanceVersionResponse result = new ch.epfl.dedis.lib.proto.ByzCoinProto.GetAllInstanceVersionResponse(this);
         int from_bitField0_ = bitField0_;
         if (statechangesBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             statechanges_ = java.util.Collections.unmodifiableList(statechanges_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -30872,35 +30817,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetAllInstanceVersionResponse buildP
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -30978,7 +30923,7 @@ public Builder mergeFrom(
       private java.util.List statechanges_ =
         java.util.Collections.emptyList();
       private void ensureStatechangesIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           statechanges_ = new java.util.ArrayList(statechanges_);
           bitField0_ |= 0x00000001;
          }
@@ -31207,7 +31152,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersionResponse.Builder a
           statechangesBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersionResponse, ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersionResponse.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.GetInstanceVersionResponseOrBuilder>(
                   statechanges_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           statechanges_ = null;
@@ -31319,7 +31264,6 @@ private CheckStateChangeValidity(com.google.protobuf.GeneratedMessageV3.Builder<
     private CheckStateChangeValidity() {
       skipchainid_ = com.google.protobuf.ByteString.EMPTY;
       instanceid_ = com.google.protobuf.ByteString.EMPTY;
-      version_ = 0L;
     }
 
     @java.lang.Override
@@ -31400,7 +31344,7 @@ private CheckStateChangeValidity(
      * required bytes skipchainid = 1;
      */
     public boolean hasSkipchainid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes skipchainid = 1;
@@ -31415,7 +31359,7 @@ public com.google.protobuf.ByteString getSkipchainid() {
      * required bytes instanceid = 2;
      */
     public boolean hasInstanceid() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes instanceid = 2;
@@ -31430,7 +31374,7 @@ public com.google.protobuf.ByteString getInstanceid() {
      * required uint64 version = 3;
      */
     public boolean hasVersion() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * required uint64 version = 3;
@@ -31465,13 +31409,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, skipchainid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, instanceid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeUInt64(3, version_);
       }
       unknownFields.writeTo(output);
@@ -31483,15 +31427,15 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, skipchainid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, instanceid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeUInt64Size(3, version_);
       }
@@ -31510,24 +31454,23 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.CheckStateChangeValidity other = (ch.epfl.dedis.lib.proto.ByzCoinProto.CheckStateChangeValidity) obj;
 
-      boolean result = true;
-      result = result && (hasSkipchainid() == other.hasSkipchainid());
+      if (hasSkipchainid() != other.hasSkipchainid()) return false;
       if (hasSkipchainid()) {
-        result = result && getSkipchainid()
-            .equals(other.getSkipchainid());
+        if (!getSkipchainid()
+            .equals(other.getSkipchainid())) return false;
       }
-      result = result && (hasInstanceid() == other.hasInstanceid());
+      if (hasInstanceid() != other.hasInstanceid()) return false;
       if (hasInstanceid()) {
-        result = result && getInstanceid()
-            .equals(other.getInstanceid());
+        if (!getInstanceid()
+            .equals(other.getInstanceid())) return false;
       }
-      result = result && (hasVersion() == other.hasVersion());
+      if (hasVersion() != other.hasVersion()) return false;
       if (hasVersion()) {
-        result = result && (getVersion()
-            == other.getVersion());
+        if (getVersion()
+            != other.getVersion()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -31723,18 +31666,18 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CheckStateChangeValidity buildPartia
         ch.epfl.dedis.lib.proto.ByzCoinProto.CheckStateChangeValidity result = new ch.epfl.dedis.lib.proto.ByzCoinProto.CheckStateChangeValidity(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.skipchainid_ = skipchainid_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.instanceid_ = instanceid_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          result.version_ = version_;
           to_bitField0_ |= 0x00000004;
         }
-        result.version_ = version_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -31742,35 +31685,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CheckStateChangeValidity buildPartia
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -31837,7 +31780,7 @@ public Builder mergeFrom(
        * required bytes skipchainid = 1;
        */
       public boolean hasSkipchainid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes skipchainid = 1;
@@ -31872,7 +31815,7 @@ public Builder clearSkipchainid() {
        * required bytes instanceid = 2;
        */
       public boolean hasInstanceid() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes instanceid = 2;
@@ -31907,7 +31850,7 @@ public Builder clearInstanceid() {
        * required uint64 version = 3;
        */
       public boolean hasVersion() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required uint64 version = 3;
@@ -32071,7 +32014,7 @@ private CheckStateChangeValidityResponse(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 statechanges_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -32099,7 +32042,7 @@ private CheckStateChangeValidityResponse(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           statechanges_ = java.util.Collections.unmodifiableList(statechanges_);
         }
         this.unknownFields = unknownFields.build();
@@ -32161,7 +32104,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeOrBuilder getStatechanges
      * required bytes blockid = 2;
      */
     public boolean hasBlockid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes blockid = 2;
@@ -32197,7 +32140,7 @@ public void writeTo(com.google.protobuf.CodedOutputStream output)
       for (int i = 0; i < statechanges_.size(); i++) {
         output.writeMessage(1, statechanges_.get(i));
       }
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(2, blockid_);
       }
       unknownFields.writeTo(output);
@@ -32213,7 +32156,7 @@ public int getSerializedSize() {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, statechanges_.get(i));
       }
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, blockid_);
       }
@@ -32232,16 +32175,15 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.CheckStateChangeValidityResponse other = (ch.epfl.dedis.lib.proto.ByzCoinProto.CheckStateChangeValidityResponse) obj;
 
-      boolean result = true;
-      result = result && getStatechangesList()
-          .equals(other.getStatechangesList());
-      result = result && (hasBlockid() == other.hasBlockid());
+      if (!getStatechangesList()
+          .equals(other.getStatechangesList())) return false;
+      if (hasBlockid() != other.hasBlockid()) return false;
       if (hasBlockid()) {
-        result = result && getBlockid()
-            .equals(other.getBlockid());
+        if (!getBlockid()
+            .equals(other.getBlockid())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -32436,7 +32378,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CheckStateChangeValidityResponse bui
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
         if (statechangesBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             statechanges_ = java.util.Collections.unmodifiableList(statechanges_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -32444,7 +32386,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CheckStateChangeValidityResponse bui
         } else {
           result.statechanges_ = statechangesBuilder_.build();
         }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.blockid_ = blockid_;
@@ -32455,35 +32397,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CheckStateChangeValidityResponse bui
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -32567,7 +32509,7 @@ public Builder mergeFrom(
       private java.util.List statechanges_ =
         java.util.Collections.emptyList();
       private void ensureStatechangesIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           statechanges_ = new java.util.ArrayList(statechanges_);
           bitField0_ |= 0x00000001;
          }
@@ -32796,7 +32738,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange.Builder addStatechangesB
           statechangesBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange, ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeOrBuilder>(
                   statechanges_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           statechanges_ = null;
@@ -32809,7 +32751,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.StateChange.Builder addStatechangesB
        * required bytes blockid = 2;
        */
       public boolean hasBlockid() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes blockid = 2;
@@ -32993,7 +32935,7 @@ private DebugRequest(
      * optional bytes byzcoinid = 1;
      */
     public boolean hasByzcoinid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * optional bytes byzcoinid = 1;
@@ -33016,7 +32958,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, byzcoinid_);
       }
       unknownFields.writeTo(output);
@@ -33028,7 +32970,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, byzcoinid_);
       }
@@ -33047,14 +32989,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.DebugRequest other = (ch.epfl.dedis.lib.proto.ByzCoinProto.DebugRequest) obj;
 
-      boolean result = true;
-      result = result && (hasByzcoinid() == other.hasByzcoinid());
+      if (hasByzcoinid() != other.hasByzcoinid()) return false;
       if (hasByzcoinid()) {
-        result = result && getByzcoinid()
-            .equals(other.getByzcoinid());
+        if (!getByzcoinid()
+            .equals(other.getByzcoinid())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -33236,7 +33177,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DebugRequest buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.DebugRequest result = new ch.epfl.dedis.lib.proto.ByzCoinProto.DebugRequest(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.byzcoinid_ = byzcoinid_;
@@ -33247,35 +33188,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DebugRequest buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -33327,7 +33268,7 @@ public Builder mergeFrom(
        * optional bytes byzcoinid = 1;
        */
       public boolean hasByzcoinid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * optional bytes byzcoinid = 1;
@@ -33509,7 +33450,7 @@ private DebugResponse(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 byzcoins_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -33518,7 +33459,7 @@ private DebugResponse(
               break;
             }
             case 18: {
-              if (!((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
+              if (!((mutable_bitField0_ & 0x00000002) != 0)) {
                 dump_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000002;
               }
@@ -33541,10 +33482,10 @@ private DebugResponse(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           byzcoins_ = java.util.Collections.unmodifiableList(byzcoins_);
         }
-        if (((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((mutable_bitField0_ & 0x00000002) != 0)) {
           dump_ = java.util.Collections.unmodifiableList(dump_);
         }
         this.unknownFields = unknownFields.build();
@@ -33698,13 +33639,12 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponse other = (ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponse) obj;
 
-      boolean result = true;
-      result = result && getByzcoinsList()
-          .equals(other.getByzcoinsList());
-      result = result && getDumpList()
-          .equals(other.getDumpList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getByzcoinsList()
+          .equals(other.getByzcoinsList())) return false;
+      if (!getDumpList()
+          .equals(other.getDumpList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -33903,7 +33843,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponse buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponse result = new ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponse(this);
         int from_bitField0_ = bitField0_;
         if (byzcoinsBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             byzcoins_ = java.util.Collections.unmodifiableList(byzcoins_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -33912,7 +33852,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponse buildPartial() {
           result.byzcoins_ = byzcoinsBuilder_.build();
         }
         if (dumpBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002)) {
+          if (((bitField0_ & 0x00000002) != 0)) {
             dump_ = java.util.Collections.unmodifiableList(dump_);
             bitField0_ = (bitField0_ & ~0x00000002);
           }
@@ -33926,35 +33866,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponse buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -34063,7 +34003,7 @@ public Builder mergeFrom(
       private java.util.List byzcoins_ =
         java.util.Collections.emptyList();
       private void ensureByzcoinsIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           byzcoins_ = new java.util.ArrayList(byzcoins_);
           bitField0_ |= 0x00000001;
          }
@@ -34292,7 +34232,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseByzcoin.Builder addByzc
           byzcoinsBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseByzcoin, ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseByzcoin.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseByzcoinOrBuilder>(
                   byzcoins_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           byzcoins_ = null;
@@ -34303,7 +34243,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseByzcoin.Builder addByzc
       private java.util.List dump_ =
         java.util.Collections.emptyList();
       private void ensureDumpIsMutable() {
-        if (!((bitField0_ & 0x00000002) == 0x00000002)) {
+        if (!((bitField0_ & 0x00000002) != 0)) {
           dump_ = new java.util.ArrayList(dump_);
           bitField0_ |= 0x00000002;
          }
@@ -34532,7 +34472,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseState.Builder addDumpBu
           dumpBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseState, ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseState.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseStateOrBuilder>(
                   dump_,
-                  ((bitField0_ & 0x00000002) == 0x00000002),
+                  ((bitField0_ & 0x00000002) != 0),
                   getParentForChildren(),
                   isClean());
           dump_ = null;
@@ -34683,7 +34623,7 @@ private DebugResponseByzcoin(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = genesis_.toBuilder();
               }
               genesis_ = input.readMessage(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.parser(), extensionRegistry);
@@ -34696,7 +34636,7 @@ private DebugResponseByzcoin(
             }
             case 26: {
               ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000004) == 0x00000004)) {
+              if (((bitField0_ & 0x00000004) != 0)) {
                 subBuilder = latest_.toBuilder();
               }
               latest_ = input.readMessage(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.parser(), extensionRegistry);
@@ -34746,7 +34686,7 @@ private DebugResponseByzcoin(
      * required bytes byzcoinid = 1;
      */
     public boolean hasByzcoinid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes byzcoinid = 1;
@@ -34761,7 +34701,7 @@ public com.google.protobuf.ByteString getByzcoinid() {
      * optional .skipchain.SkipBlock genesis = 2;
      */
     public boolean hasGenesis() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * optional .skipchain.SkipBlock genesis = 2;
@@ -34782,7 +34722,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder getGenesisOrBui
      * optional .skipchain.SkipBlock latest = 3;
      */
     public boolean hasLatest() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * optional .skipchain.SkipBlock latest = 3;
@@ -34827,13 +34767,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getGenesis());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeMessage(3, getLatest());
       }
       unknownFields.writeTo(output);
@@ -34845,15 +34785,15 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getGenesis());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(3, getLatest());
       }
@@ -34872,24 +34812,23 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseByzcoin other = (ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseByzcoin) obj;
 
-      boolean result = true;
-      result = result && (hasByzcoinid() == other.hasByzcoinid());
+      if (hasByzcoinid() != other.hasByzcoinid()) return false;
       if (hasByzcoinid()) {
-        result = result && getByzcoinid()
-            .equals(other.getByzcoinid());
+        if (!getByzcoinid()
+            .equals(other.getByzcoinid())) return false;
       }
-      result = result && (hasGenesis() == other.hasGenesis());
+      if (hasGenesis() != other.hasGenesis()) return false;
       if (hasGenesis()) {
-        result = result && getGenesis()
-            .equals(other.getGenesis());
+        if (!getGenesis()
+            .equals(other.getGenesis())) return false;
       }
-      result = result && (hasLatest() == other.hasLatest());
+      if (hasLatest() != other.hasLatest()) return false;
       if (hasLatest()) {
-        result = result && getLatest()
-            .equals(other.getLatest());
+        if (!getLatest()
+            .equals(other.getLatest())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -35093,26 +35032,26 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseByzcoin buildPartial()
         ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseByzcoin result = new ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseByzcoin(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.byzcoinid_ = byzcoinid_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (genesisBuilder_ == null) {
+            result.genesis_ = genesis_;
+          } else {
+            result.genesis_ = genesisBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (genesisBuilder_ == null) {
-          result.genesis_ = genesis_;
-        } else {
-          result.genesis_ = genesisBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          if (latestBuilder_ == null) {
+            result.latest_ = latest_;
+          } else {
+            result.latest_ = latestBuilder_.build();
+          }
           to_bitField0_ |= 0x00000004;
         }
-        if (latestBuilder_ == null) {
-          result.latest_ = latest_;
-        } else {
-          result.latest_ = latestBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -35120,35 +35059,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseByzcoin buildPartial()
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -35219,7 +35158,7 @@ public Builder mergeFrom(
        * required bytes byzcoinid = 1;
        */
       public boolean hasByzcoinid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes byzcoinid = 1;
@@ -35249,14 +35188,14 @@ public Builder clearByzcoinid() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock genesis_ = null;
+      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock genesis_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder> genesisBuilder_;
       /**
        * optional .skipchain.SkipBlock genesis = 2;
        */
       public boolean hasGenesis() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * optional .skipchain.SkipBlock genesis = 2;
@@ -35303,7 +35242,7 @@ public Builder setGenesis(
        */
       public Builder mergeGenesis(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock value) {
         if (genesisBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               genesis_ != null &&
               genesis_ != ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.getDefaultInstance()) {
             genesis_ =
@@ -35367,14 +35306,14 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder getGenesisOrBui
         return genesisBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock latest_ = null;
+      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock latest_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder> latestBuilder_;
       /**
        * optional .skipchain.SkipBlock latest = 3;
        */
       public boolean hasLatest() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * optional .skipchain.SkipBlock latest = 3;
@@ -35421,7 +35360,7 @@ public Builder setLatest(
        */
       public Builder mergeLatest(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock value) {
         if (latestBuilder_ == null) {
-          if (((bitField0_ & 0x00000004) == 0x00000004) &&
+          if (((bitField0_ & 0x00000004) != 0) &&
               latest_ != null &&
               latest_ != ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.getDefaultInstance()) {
             latest_ =
@@ -35614,7 +35553,7 @@ private DebugResponseState(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeBody.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = state_.toBuilder();
               }
               state_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeBody.parser(), extensionRegistry);
@@ -35664,7 +35603,7 @@ private DebugResponseState(
      * required bytes key = 1;
      */
     public boolean hasKey() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes key = 1;
@@ -35679,7 +35618,7 @@ public com.google.protobuf.ByteString getKey() {
      * required .byzcoin.StateChangeBody state = 2;
      */
     public boolean hasState() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required .byzcoin.StateChangeBody state = 2;
@@ -35720,10 +35659,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, key_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getState());
       }
       unknownFields.writeTo(output);
@@ -35735,11 +35674,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, key_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getState());
       }
@@ -35758,19 +35697,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseState other = (ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseState) obj;
 
-      boolean result = true;
-      result = result && (hasKey() == other.hasKey());
+      if (hasKey() != other.hasKey()) return false;
       if (hasKey()) {
-        result = result && getKey()
-            .equals(other.getKey());
+        if (!getKey()
+            .equals(other.getKey())) return false;
       }
-      result = result && (hasState() == other.hasState());
+      if (hasState() != other.hasState()) return false;
       if (hasState()) {
-        result = result && getState()
-            .equals(other.getState());
+        if (!getState()
+            .equals(other.getState())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -35962,18 +35900,18 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseState buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseState result = new ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseState(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.key_ = key_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (stateBuilder_ == null) {
+            result.state_ = state_;
+          } else {
+            result.state_ = stateBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (stateBuilder_ == null) {
-          result.state_ = state_;
-        } else {
-          result.state_ = stateBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -35981,35 +35919,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DebugResponseState buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -36073,7 +36011,7 @@ public Builder mergeFrom(
        * required bytes key = 1;
        */
       public boolean hasKey() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes key = 1;
@@ -36103,14 +36041,14 @@ public Builder clearKey() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeBody state_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeBody state_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeBody, ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeBody.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeBodyOrBuilder> stateBuilder_;
       /**
        * required .byzcoin.StateChangeBody state = 2;
        */
       public boolean hasState() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required .byzcoin.StateChangeBody state = 2;
@@ -36157,7 +36095,7 @@ public Builder setState(
        */
       public Builder mergeState(ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeBody value) {
         if (stateBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               state_ != null &&
               state_ != ch.epfl.dedis.lib.proto.ByzCoinProto.StateChangeBody.getDefaultInstance()) {
             state_ =
@@ -36390,7 +36328,7 @@ private DebugRemoveRequest(
      * required bytes byzcoinid = 1;
      */
     public boolean hasByzcoinid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes byzcoinid = 1;
@@ -36405,7 +36343,7 @@ public com.google.protobuf.ByteString getByzcoinid() {
      * required bytes signature = 2;
      */
     public boolean hasSignature() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes signature = 2;
@@ -36436,10 +36374,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, signature_);
       }
       unknownFields.writeTo(output);
@@ -36451,11 +36389,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, signature_);
       }
@@ -36474,19 +36412,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.ByzCoinProto.DebugRemoveRequest other = (ch.epfl.dedis.lib.proto.ByzCoinProto.DebugRemoveRequest) obj;
 
-      boolean result = true;
-      result = result && (hasByzcoinid() == other.hasByzcoinid());
+      if (hasByzcoinid() != other.hasByzcoinid()) return false;
       if (hasByzcoinid()) {
-        result = result && getByzcoinid()
-            .equals(other.getByzcoinid());
+        if (!getByzcoinid()
+            .equals(other.getByzcoinid())) return false;
       }
-      result = result && (hasSignature() == other.hasSignature());
+      if (hasSignature() != other.hasSignature()) return false;
       if (hasSignature()) {
-        result = result && getSignature()
-            .equals(other.getSignature());
+        if (!getSignature()
+            .equals(other.getSignature())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -36674,11 +36611,11 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DebugRemoveRequest buildPartial() {
         ch.epfl.dedis.lib.proto.ByzCoinProto.DebugRemoveRequest result = new ch.epfl.dedis.lib.proto.ByzCoinProto.DebugRemoveRequest(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.byzcoinid_ = byzcoinid_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.signature_ = signature_;
@@ -36689,35 +36626,35 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.DebugRemoveRequest buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -36778,7 +36715,7 @@ public Builder mergeFrom(
        * required bytes byzcoinid = 1;
        */
       public boolean hasByzcoinid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes byzcoinid = 1;
@@ -36813,7 +36750,7 @@ public Builder clearByzcoinid() {
        * required bytes signature = 2;
        */
       public boolean hasSignature() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes signature = 2;
diff --git a/external/java/src/main/java/ch/epfl/dedis/lib/proto/Calypso.java b/external/java/src/main/java/ch/epfl/dedis/lib/proto/Calypso.java
index fa952c1c96..86215a6b56 100644
--- a/external/java/src/main/java/ch/epfl/dedis/lib/proto/Calypso.java
+++ b/external/java/src/main/java/ch/epfl/dedis/lib/proto/Calypso.java
@@ -115,8 +115,9 @@ public interface WriteOrBuilder extends
 
     /**
      * 
-     * C is the ElGamal parts for the symmetric key material (might also
-     * contain an IV)
+     * C is the ElGamal part for the symmetric key material, at maximum length
+     * of ed25519.Point.EmbedLen * 8 = 240 bits. An eventual IV must be published
+     * in ExtraData, as it is not necessary to be encrypted.
      * 

      *
      * required bytes c = 6;
@@ -124,8 +125,9 @@ public interface WriteOrBuilder extends
     boolean hasC();
     /**
      * 
-     * C is the ElGamal parts for the symmetric key material (might also
-     * contain an IV)
+     * C is the ElGamal part for the symmetric key material, at maximum length
+     * of ed25519.Point.EmbedLen * 8 = 240 bits. An eventual IV must be published
+     * in ExtraData, as it is not necessary to be encrypted.
      * 

      *
      * required bytes c = 6;
@@ -302,7 +304,7 @@ private Write(
      * required bytes data = 1;
      */
     public boolean hasData() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -326,7 +328,7 @@ public com.google.protobuf.ByteString getData() {
      * required bytes u = 2;
      */
     public boolean hasU() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -352,7 +354,7 @@ public com.google.protobuf.ByteString getU() {
      * required bytes ubar = 3;
      */
     public boolean hasUbar() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -378,7 +380,7 @@ public com.google.protobuf.ByteString getUbar() {
      * required bytes e = 4;
      */
     public boolean hasE() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * 
@@ -402,7 +404,7 @@ public com.google.protobuf.ByteString getE() {
      * required bytes f = 5;
      */
     public boolean hasF() {
-      return ((bitField0_ & 0x00000010) == 0x00000010);
+      return ((bitField0_ & 0x00000010) != 0);
     }
     /**
      * 
@@ -420,19 +422,21 @@ public com.google.protobuf.ByteString getF() {
     private com.google.protobuf.ByteString c_;
     /**
      * 
-     * C is the ElGamal parts for the symmetric key material (might also
-     * contain an IV)
+     * C is the ElGamal part for the symmetric key material, at maximum length
+     * of ed25519.Point.EmbedLen * 8 = 240 bits. An eventual IV must be published
+     * in ExtraData, as it is not necessary to be encrypted.
      * 

      *
      * required bytes c = 6;
      */
     public boolean hasC() {
-      return ((bitField0_ & 0x00000020) == 0x00000020);
+      return ((bitField0_ & 0x00000020) != 0);
     }
     /**
      * 
-     * C is the ElGamal parts for the symmetric key material (might also
-     * contain an IV)
+     * C is the ElGamal part for the symmetric key material, at maximum length
+     * of ed25519.Point.EmbedLen * 8 = 240 bits. An eventual IV must be published
+     * in ExtraData, as it is not necessary to be encrypted.
      * 

      *
      * required bytes c = 6;
@@ -451,7 +455,7 @@ public com.google.protobuf.ByteString getC() {
      * optional bytes extradata = 7;
      */
     public boolean hasExtradata() {
-      return ((bitField0_ & 0x00000040) == 0x00000040);
+      return ((bitField0_ & 0x00000040) != 0);
     }
     /**
      * 
@@ -474,7 +478,7 @@ public com.google.protobuf.ByteString getExtradata() {
      * required bytes ltsid = 8;
      */
     public boolean hasLtsid() {
-      return ((bitField0_ & 0x00000080) == 0x00000080);
+      return ((bitField0_ & 0x00000080) != 0);
     }
     /**
      * 
@@ -529,28 +533,28 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, data_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, u_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeBytes(3, ubar_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeBytes(4, e_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         output.writeBytes(5, f_);
       }
-      if (((bitField0_ & 0x00000020) == 0x00000020)) {
+      if (((bitField0_ & 0x00000020) != 0)) {
         output.writeBytes(6, c_);
       }
-      if (((bitField0_ & 0x00000040) == 0x00000040)) {
+      if (((bitField0_ & 0x00000040) != 0)) {
         output.writeBytes(7, extradata_);
       }
-      if (((bitField0_ & 0x00000080) == 0x00000080)) {
+      if (((bitField0_ & 0x00000080) != 0)) {
         output.writeBytes(8, ltsid_);
       }
       unknownFields.writeTo(output);
@@ -562,35 +566,35 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, data_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, u_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, ubar_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(4, e_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(5, f_);
       }
-      if (((bitField0_ & 0x00000020) == 0x00000020)) {
+      if (((bitField0_ & 0x00000020) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(6, c_);
       }
-      if (((bitField0_ & 0x00000040) == 0x00000040)) {
+      if (((bitField0_ & 0x00000040) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(7, extradata_);
       }
-      if (((bitField0_ & 0x00000080) == 0x00000080)) {
+      if (((bitField0_ & 0x00000080) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(8, ltsid_);
       }
@@ -609,49 +613,48 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Calypso.Write other = (ch.epfl.dedis.lib.proto.Calypso.Write) obj;
 
-      boolean result = true;
-      result = result && (hasData() == other.hasData());
+      if (hasData() != other.hasData()) return false;
       if (hasData()) {
-        result = result && getData()
-            .equals(other.getData());
+        if (!getData()
+            .equals(other.getData())) return false;
       }
-      result = result && (hasU() == other.hasU());
+      if (hasU() != other.hasU()) return false;
       if (hasU()) {
-        result = result && getU()
-            .equals(other.getU());
+        if (!getU()
+            .equals(other.getU())) return false;
       }
-      result = result && (hasUbar() == other.hasUbar());
+      if (hasUbar() != other.hasUbar()) return false;
       if (hasUbar()) {
-        result = result && getUbar()
-            .equals(other.getUbar());
+        if (!getUbar()
+            .equals(other.getUbar())) return false;
       }
-      result = result && (hasE() == other.hasE());
+      if (hasE() != other.hasE()) return false;
       if (hasE()) {
-        result = result && getE()
-            .equals(other.getE());
+        if (!getE()
+            .equals(other.getE())) return false;
       }
-      result = result && (hasF() == other.hasF());
+      if (hasF() != other.hasF()) return false;
       if (hasF()) {
-        result = result && getF()
-            .equals(other.getF());
+        if (!getF()
+            .equals(other.getF())) return false;
       }
-      result = result && (hasC() == other.hasC());
+      if (hasC() != other.hasC()) return false;
       if (hasC()) {
-        result = result && getC()
-            .equals(other.getC());
+        if (!getC()
+            .equals(other.getC())) return false;
       }
-      result = result && (hasExtradata() == other.hasExtradata());
+      if (hasExtradata() != other.hasExtradata()) return false;
       if (hasExtradata()) {
-        result = result && getExtradata()
-            .equals(other.getExtradata());
+        if (!getExtradata()
+            .equals(other.getExtradata())) return false;
       }
-      result = result && (hasLtsid() == other.hasLtsid());
+      if (hasLtsid() != other.hasLtsid()) return false;
       if (hasLtsid()) {
-        result = result && getLtsid()
-            .equals(other.getLtsid());
+        if (!getLtsid()
+            .equals(other.getLtsid())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -875,35 +878,35 @@ public ch.epfl.dedis.lib.proto.Calypso.Write buildPartial() {
         ch.epfl.dedis.lib.proto.Calypso.Write result = new ch.epfl.dedis.lib.proto.Calypso.Write(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.data_ = data_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.u_ = u_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.ubar_ = ubar_;
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
           to_bitField0_ |= 0x00000008;
         }
         result.e_ = e_;
-        if (((from_bitField0_ & 0x00000010) == 0x00000010)) {
+        if (((from_bitField0_ & 0x00000010) != 0)) {
           to_bitField0_ |= 0x00000010;
         }
         result.f_ = f_;
-        if (((from_bitField0_ & 0x00000020) == 0x00000020)) {
+        if (((from_bitField0_ & 0x00000020) != 0)) {
           to_bitField0_ |= 0x00000020;
         }
         result.c_ = c_;
-        if (((from_bitField0_ & 0x00000040) == 0x00000040)) {
+        if (((from_bitField0_ & 0x00000040) != 0)) {
           to_bitField0_ |= 0x00000040;
         }
         result.extradata_ = extradata_;
-        if (((from_bitField0_ & 0x00000080) == 0x00000080)) {
+        if (((from_bitField0_ & 0x00000080) != 0)) {
           to_bitField0_ |= 0x00000080;
         }
         result.ltsid_ = ltsid_;
@@ -914,35 +917,35 @@ public ch.epfl.dedis.lib.proto.Calypso.Write buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -1041,7 +1044,7 @@ public Builder mergeFrom(
        * required bytes data = 1;
        */
       public boolean hasData() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -1095,7 +1098,7 @@ public Builder clearData() {
        * required bytes u = 2;
        */
       public boolean hasU() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -1149,7 +1152,7 @@ public Builder clearU() {
        * required bytes ubar = 3;
        */
       public boolean hasUbar() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -1209,7 +1212,7 @@ public Builder clearUbar() {
        * required bytes e = 4;
        */
       public boolean hasE() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * 
@@ -1261,7 +1264,7 @@ public Builder clearE() {
        * required bytes f = 5;
        */
       public boolean hasF() {
-        return ((bitField0_ & 0x00000010) == 0x00000010);
+        return ((bitField0_ & 0x00000010) != 0);
       }
       /**
        * 
@@ -1309,19 +1312,21 @@ public Builder clearF() {
       private com.google.protobuf.ByteString c_ = com.google.protobuf.ByteString.EMPTY;
       /**
        * 
-       * C is the ElGamal parts for the symmetric key material (might also
-       * contain an IV)
+       * C is the ElGamal part for the symmetric key material, at maximum length
+       * of ed25519.Point.EmbedLen * 8 = 240 bits. An eventual IV must be published
+       * in ExtraData, as it is not necessary to be encrypted.
        * 

        *
        * required bytes c = 6;
        */
       public boolean hasC() {
-        return ((bitField0_ & 0x00000020) == 0x00000020);
+        return ((bitField0_ & 0x00000020) != 0);
       }
       /**
        * 
-       * C is the ElGamal parts for the symmetric key material (might also
-       * contain an IV)
+       * C is the ElGamal part for the symmetric key material, at maximum length
+       * of ed25519.Point.EmbedLen * 8 = 240 bits. An eventual IV must be published
+       * in ExtraData, as it is not necessary to be encrypted.
        * 

        *
        * required bytes c = 6;
@@ -1331,8 +1336,9 @@ public com.google.protobuf.ByteString getC() {
       }
       /**
        * 
-       * C is the ElGamal parts for the symmetric key material (might also
-       * contain an IV)
+       * C is the ElGamal part for the symmetric key material, at maximum length
+       * of ed25519.Point.EmbedLen * 8 = 240 bits. An eventual IV must be published
+       * in ExtraData, as it is not necessary to be encrypted.
        * 

        *
        * required bytes c = 6;
@@ -1348,8 +1354,9 @@ public Builder setC(com.google.protobuf.ByteString value) {
       }
       /**
        * 
-       * C is the ElGamal parts for the symmetric key material (might also
-       * contain an IV)
+       * C is the ElGamal part for the symmetric key material, at maximum length
+       * of ed25519.Point.EmbedLen * 8 = 240 bits. An eventual IV must be published
+       * in ExtraData, as it is not necessary to be encrypted.
        * 

        *
        * required bytes c = 6;
@@ -1370,7 +1377,7 @@ public Builder clearC() {
        * optional bytes extradata = 7;
        */
       public boolean hasExtradata() {
-        return ((bitField0_ & 0x00000040) == 0x00000040);
+        return ((bitField0_ & 0x00000040) != 0);
       }
       /**
        * 
@@ -1421,7 +1428,7 @@ public Builder clearExtradata() {
        * required bytes ltsid = 8;
        */
       public boolean hasLtsid() {
-        return ((bitField0_ & 0x00000080) == 0x00000080);
+        return ((bitField0_ & 0x00000080) != 0);
       }
       /**
        * 
@@ -1632,7 +1639,7 @@ private Read(
      * required bytes write = 1;
      */
     public boolean hasWrite() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes write = 1;
@@ -1647,7 +1654,7 @@ public com.google.protobuf.ByteString getWrite() {
      * required bytes xc = 2;
      */
     public boolean hasXc() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes xc = 2;
@@ -1678,10 +1685,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, write_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, xc_);
       }
       unknownFields.writeTo(output);
@@ -1693,11 +1700,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, write_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, xc_);
       }
@@ -1716,19 +1723,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Calypso.Read other = (ch.epfl.dedis.lib.proto.Calypso.Read) obj;
 
-      boolean result = true;
-      result = result && (hasWrite() == other.hasWrite());
+      if (hasWrite() != other.hasWrite()) return false;
       if (hasWrite()) {
-        result = result && getWrite()
-            .equals(other.getWrite());
+        if (!getWrite()
+            .equals(other.getWrite())) return false;
       }
-      result = result && (hasXc() == other.hasXc());
+      if (hasXc() != other.hasXc()) return false;
       if (hasXc()) {
-        result = result && getXc()
-            .equals(other.getXc());
+        if (!getXc()
+            .equals(other.getXc())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -1916,11 +1922,11 @@ public ch.epfl.dedis.lib.proto.Calypso.Read buildPartial() {
         ch.epfl.dedis.lib.proto.Calypso.Read result = new ch.epfl.dedis.lib.proto.Calypso.Read(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.write_ = write_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.xc_ = xc_;
@@ -1931,35 +1937,35 @@ public ch.epfl.dedis.lib.proto.Calypso.Read buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -2020,7 +2026,7 @@ public Builder mergeFrom(
        * required bytes write = 1;
        */
       public boolean hasWrite() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes write = 1;
@@ -2055,7 +2061,7 @@ public Builder clearWrite() {
        * required bytes xc = 2;
        */
       public boolean hasXc() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes xc = 2;
@@ -2239,7 +2245,7 @@ private Authorise(
      * required bytes byzcoinid = 1;
      */
     public boolean hasByzcoinid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes byzcoinid = 1;
@@ -2266,7 +2272,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, byzcoinid_);
       }
       unknownFields.writeTo(output);
@@ -2278,7 +2284,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, byzcoinid_);
       }
@@ -2297,14 +2303,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Calypso.Authorise other = (ch.epfl.dedis.lib.proto.Calypso.Authorise) obj;
 
-      boolean result = true;
-      result = result && (hasByzcoinid() == other.hasByzcoinid());
+      if (hasByzcoinid() != other.hasByzcoinid()) return false;
       if (hasByzcoinid()) {
-        result = result && getByzcoinid()
-            .equals(other.getByzcoinid());
+        if (!getByzcoinid()
+            .equals(other.getByzcoinid())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -2486,7 +2491,7 @@ public ch.epfl.dedis.lib.proto.Calypso.Authorise buildPartial() {
         ch.epfl.dedis.lib.proto.Calypso.Authorise result = new ch.epfl.dedis.lib.proto.Calypso.Authorise(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.byzcoinid_ = byzcoinid_;
@@ -2497,35 +2502,35 @@ public ch.epfl.dedis.lib.proto.Calypso.Authorise buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -2580,7 +2585,7 @@ public Builder mergeFrom(
        * required bytes byzcoinid = 1;
        */
       public boolean hasByzcoinid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes byzcoinid = 1;
@@ -2778,9 +2783,8 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Calypso.AuthoriseReply other = (ch.epfl.dedis.lib.proto.Calypso.AuthoriseReply) obj;
 
-      boolean result = true;
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -2959,35 +2963,35 @@ public ch.epfl.dedis.lib.proto.Calypso.AuthoriseReply buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -3101,7 +3105,7 @@ public interface CreateLTSOrBuilder extends
   }
   /**
    * 
-   * CreateLTS is used to start a DKG and store the private keys in each node.
+   * CreateOCS is used to start a DKG and store the private keys in each node.
    * Prior to using this request, the Calypso roster must be recorded on the
    * ByzCoin blockchain in the instance specified by InstanceID.
    * 

@@ -3146,7 +3150,7 @@ private CreateLTS(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = proof_.toBuilder();
               }
               proof_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.parser(), extensionRegistry);
@@ -3196,7 +3200,7 @@ private CreateLTS(
      * required .byzcoin.Proof proof = 1;
      */
     public boolean hasProof() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required .byzcoin.Proof proof = 1;
@@ -3233,7 +3237,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getProof());
       }
       unknownFields.writeTo(output);
@@ -3245,7 +3249,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getProof());
       }
@@ -3264,14 +3268,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Calypso.CreateLTS other = (ch.epfl.dedis.lib.proto.Calypso.CreateLTS) obj;
 
-      boolean result = true;
-      result = result && (hasProof() == other.hasProof());
+      if (hasProof() != other.hasProof()) return false;
       if (hasProof()) {
-        result = result && getProof()
-            .equals(other.getProof());
+        if (!getProof()
+            .equals(other.getProof())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -3382,7 +3385,7 @@ protected Builder newBuilderForType(
     }
     /**
      * 
-     * CreateLTS is used to start a DKG and store the private keys in each node.
+     * CreateOCS is used to start a DKG and store the private keys in each node.
      * Prior to using this request, the Calypso roster must be recorded on the
      * ByzCoin blockchain in the instance specified by InstanceID.
      * 

@@ -3459,14 +3462,14 @@ public ch.epfl.dedis.lib.proto.Calypso.CreateLTS buildPartial() {
         ch.epfl.dedis.lib.proto.Calypso.CreateLTS result = new ch.epfl.dedis.lib.proto.Calypso.CreateLTS(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (proofBuilder_ == null) {
+            result.proof_ = proof_;
+          } else {
+            result.proof_ = proofBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (proofBuilder_ == null) {
-          result.proof_ = proof_;
-        } else {
-          result.proof_ = proofBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -3474,35 +3477,35 @@ public ch.epfl.dedis.lib.proto.Calypso.CreateLTS buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -3555,14 +3558,14 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.Proof proof_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.Proof proof_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.Proof, ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.ProofOrBuilder> proofBuilder_;
       /**
        * required .byzcoin.Proof proof = 1;
        */
       public boolean hasProof() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required .byzcoin.Proof proof = 1;
@@ -3609,7 +3612,7 @@ public Builder setProof(
        */
       public Builder mergeProof(ch.epfl.dedis.lib.proto.ByzCoinProto.Proof value) {
         if (proofBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               proof_ != null &&
               proof_ != ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.getDefaultInstance()) {
             proof_ =
@@ -3865,7 +3868,7 @@ private CreateLTSReply(
      * required bytes byzcoinid = 1;
      */
     public boolean hasByzcoinid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes byzcoinid = 1;
@@ -3880,7 +3883,7 @@ public com.google.protobuf.ByteString getByzcoinid() {
      * required bytes instanceid = 2;
      */
     public boolean hasInstanceid() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes instanceid = 2;
@@ -3899,7 +3902,7 @@ public com.google.protobuf.ByteString getInstanceid() {
      * required bytes x = 3;
      */
     public boolean hasX() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -3938,13 +3941,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, instanceid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeBytes(3, x_);
       }
       unknownFields.writeTo(output);
@@ -3956,15 +3959,15 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, instanceid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, x_);
       }
@@ -3983,24 +3986,23 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Calypso.CreateLTSReply other = (ch.epfl.dedis.lib.proto.Calypso.CreateLTSReply) obj;
 
-      boolean result = true;
-      result = result && (hasByzcoinid() == other.hasByzcoinid());
+      if (hasByzcoinid() != other.hasByzcoinid()) return false;
       if (hasByzcoinid()) {
-        result = result && getByzcoinid()
-            .equals(other.getByzcoinid());
+        if (!getByzcoinid()
+            .equals(other.getByzcoinid())) return false;
       }
-      result = result && (hasInstanceid() == other.hasInstanceid());
+      if (hasInstanceid() != other.hasInstanceid()) return false;
       if (hasInstanceid()) {
-        result = result && getInstanceid()
-            .equals(other.getInstanceid());
+        if (!getInstanceid()
+            .equals(other.getInstanceid())) return false;
       }
-      result = result && (hasX() == other.hasX());
+      if (hasX() != other.hasX()) return false;
       if (hasX()) {
-        result = result && getX()
-            .equals(other.getX());
+        if (!getX()
+            .equals(other.getX())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -4194,15 +4196,15 @@ public ch.epfl.dedis.lib.proto.Calypso.CreateLTSReply buildPartial() {
         ch.epfl.dedis.lib.proto.Calypso.CreateLTSReply result = new ch.epfl.dedis.lib.proto.Calypso.CreateLTSReply(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.byzcoinid_ = byzcoinid_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.instanceid_ = instanceid_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.x_ = x_;
@@ -4213,35 +4215,35 @@ public ch.epfl.dedis.lib.proto.Calypso.CreateLTSReply buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -4308,7 +4310,7 @@ public Builder mergeFrom(
        * required bytes byzcoinid = 1;
        */
       public boolean hasByzcoinid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes byzcoinid = 1;
@@ -4343,7 +4345,7 @@ public Builder clearByzcoinid() {
        * required bytes instanceid = 2;
        */
       public boolean hasInstanceid() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes instanceid = 2;
@@ -4382,7 +4384,7 @@ public Builder clearInstanceid() {
        * required bytes x = 3;
        */
       public boolean hasX() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -4540,7 +4542,7 @@ private ReshareLTS(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = proof_.toBuilder();
               }
               proof_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.parser(), extensionRegistry);
@@ -4590,7 +4592,7 @@ private ReshareLTS(
      * required .byzcoin.Proof proof = 1;
      */
     public boolean hasProof() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required .byzcoin.Proof proof = 1;
@@ -4627,7 +4629,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getProof());
       }
       unknownFields.writeTo(output);
@@ -4639,7 +4641,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getProof());
       }
@@ -4658,14 +4660,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Calypso.ReshareLTS other = (ch.epfl.dedis.lib.proto.Calypso.ReshareLTS) obj;
 
-      boolean result = true;
-      result = result && (hasProof() == other.hasProof());
+      if (hasProof() != other.hasProof()) return false;
       if (hasProof()) {
-        result = result && getProof()
-            .equals(other.getProof());
+        if (!getProof()
+            .equals(other.getProof())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -4853,14 +4854,14 @@ public ch.epfl.dedis.lib.proto.Calypso.ReshareLTS buildPartial() {
         ch.epfl.dedis.lib.proto.Calypso.ReshareLTS result = new ch.epfl.dedis.lib.proto.Calypso.ReshareLTS(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (proofBuilder_ == null) {
+            result.proof_ = proof_;
+          } else {
+            result.proof_ = proofBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (proofBuilder_ == null) {
-          result.proof_ = proof_;
-        } else {
-          result.proof_ = proofBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -4868,35 +4869,35 @@ public ch.epfl.dedis.lib.proto.Calypso.ReshareLTS buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -4949,14 +4950,14 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.Proof proof_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.Proof proof_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.Proof, ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.ProofOrBuilder> proofBuilder_;
       /**
        * required .byzcoin.Proof proof = 1;
        */
       public boolean hasProof() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required .byzcoin.Proof proof = 1;
@@ -5003,7 +5004,7 @@ public Builder setProof(
        */
       public Builder mergeProof(ch.epfl.dedis.lib.proto.ByzCoinProto.Proof value) {
         if (proofBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               proof_ != null &&
               proof_ != ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.getDefaultInstance()) {
             proof_ =
@@ -5236,9 +5237,8 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Calypso.ReshareLTSReply other = (ch.epfl.dedis.lib.proto.Calypso.ReshareLTSReply) obj;
 
-      boolean result = true;
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -5418,35 +5418,35 @@ public ch.epfl.dedis.lib.proto.Calypso.ReshareLTSReply buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -5597,7 +5597,7 @@ public interface DecryptKeyOrBuilder extends
   }
   /**
    * 
-   * DecryptKey is sent by a reader after he successfully stored a 'Read' request
+   * Reencrypt is sent by a reader after he successfully stored a 'Read' request
    * in byzcoin Client.
    * 

    *
@@ -5641,7 +5641,7 @@ private DecryptKey(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = read_.toBuilder();
               }
               read_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.parser(), extensionRegistry);
@@ -5654,7 +5654,7 @@ private DecryptKey(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = write_.toBuilder();
               }
               write_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.parser(), extensionRegistry);
@@ -5708,7 +5708,7 @@ private DecryptKey(
      * required .byzcoin.Proof read = 1;
      */
     public boolean hasRead() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -5741,7 +5741,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.ProofOrBuilder getReadOrBuilder() {
      * required .byzcoin.Proof write = 2;
      */
     public boolean hasWrite() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -5794,10 +5794,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getRead());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getWrite());
       }
       unknownFields.writeTo(output);
@@ -5809,11 +5809,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getRead());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getWrite());
       }
@@ -5832,19 +5832,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Calypso.DecryptKey other = (ch.epfl.dedis.lib.proto.Calypso.DecryptKey) obj;
 
-      boolean result = true;
-      result = result && (hasRead() == other.hasRead());
+      if (hasRead() != other.hasRead()) return false;
       if (hasRead()) {
-        result = result && getRead()
-            .equals(other.getRead());
+        if (!getRead()
+            .equals(other.getRead())) return false;
       }
-      result = result && (hasWrite() == other.hasWrite());
+      if (hasWrite() != other.hasWrite()) return false;
       if (hasWrite()) {
-        result = result && getWrite()
-            .equals(other.getWrite());
+        if (!getWrite()
+            .equals(other.getWrite())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -5959,7 +5958,7 @@ protected Builder newBuilderForType(
     }
     /**
      * 
-     * DecryptKey is sent by a reader after he successfully stored a 'Read' request
+     * Reencrypt is sent by a reader after he successfully stored a 'Read' request
      * in byzcoin Client.
      * 

      *
@@ -6042,22 +6041,22 @@ public ch.epfl.dedis.lib.proto.Calypso.DecryptKey buildPartial() {
         ch.epfl.dedis.lib.proto.Calypso.DecryptKey result = new ch.epfl.dedis.lib.proto.Calypso.DecryptKey(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (readBuilder_ == null) {
+            result.read_ = read_;
+          } else {
+            result.read_ = readBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (readBuilder_ == null) {
-          result.read_ = read_;
-        } else {
-          result.read_ = readBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (writeBuilder_ == null) {
+            result.write_ = write_;
+          } else {
+            result.write_ = writeBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (writeBuilder_ == null) {
-          result.write_ = write_;
-        } else {
-          result.write_ = writeBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -6065,35 +6064,35 @@ public ch.epfl.dedis.lib.proto.Calypso.DecryptKey buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -6155,7 +6154,7 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.Proof read_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.Proof read_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.Proof, ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.ProofOrBuilder> readBuilder_;
       /**
@@ -6166,7 +6165,7 @@ public Builder mergeFrom(
        * required .byzcoin.Proof read = 1;
        */
       public boolean hasRead() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -6229,7 +6228,7 @@ public Builder setRead(
        */
       public Builder mergeRead(ch.epfl.dedis.lib.proto.ByzCoinProto.Proof value) {
         if (readBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               read_ != null &&
               read_ != ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.getDefaultInstance()) {
             read_ =
@@ -6309,7 +6308,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.ProofOrBuilder getReadOrBuilder() {
         return readBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.Proof write_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.Proof write_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.Proof, ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.ProofOrBuilder> writeBuilder_;
       /**
@@ -6320,7 +6319,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.ProofOrBuilder getReadOrBuilder() {
        * required .byzcoin.Proof write = 2;
        */
       public boolean hasWrite() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -6383,7 +6382,7 @@ public Builder setWrite(
        */
       public Builder mergeWrite(ch.epfl.dedis.lib.proto.ByzCoinProto.Proof value) {
         if (writeBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               write_ != null &&
               write_ != ch.epfl.dedis.lib.proto.ByzCoinProto.Proof.getDefaultInstance()) {
             write_ =
@@ -6675,7 +6674,7 @@ private DecryptKeyReply(
      * required bytes c = 1;
      */
     public boolean hasC() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -6698,7 +6697,7 @@ public com.google.protobuf.ByteString getC() {
      * required bytes xhatenc = 2;
      */
     public boolean hasXhatenc() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -6721,7 +6720,7 @@ public com.google.protobuf.ByteString getXhatenc() {
      * required bytes x = 3;
      */
     public boolean hasX() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -6760,13 +6759,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, c_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, xhatenc_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeBytes(3, x_);
       }
       unknownFields.writeTo(output);
@@ -6778,15 +6777,15 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, c_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, xhatenc_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, x_);
       }
@@ -6805,24 +6804,23 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Calypso.DecryptKeyReply other = (ch.epfl.dedis.lib.proto.Calypso.DecryptKeyReply) obj;
 
-      boolean result = true;
-      result = result && (hasC() == other.hasC());
+      if (hasC() != other.hasC()) return false;
       if (hasC()) {
-        result = result && getC()
-            .equals(other.getC());
+        if (!getC()
+            .equals(other.getC())) return false;
       }
-      result = result && (hasXhatenc() == other.hasXhatenc());
+      if (hasXhatenc() != other.hasXhatenc()) return false;
       if (hasXhatenc()) {
-        result = result && getXhatenc()
-            .equals(other.getXhatenc());
+        if (!getXhatenc()
+            .equals(other.getXhatenc())) return false;
       }
-      result = result && (hasX() == other.hasX());
+      if (hasX() != other.hasX()) return false;
       if (hasX()) {
-        result = result && getX()
-            .equals(other.getX());
+        if (!getX()
+            .equals(other.getX())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -7016,15 +7014,15 @@ public ch.epfl.dedis.lib.proto.Calypso.DecryptKeyReply buildPartial() {
         ch.epfl.dedis.lib.proto.Calypso.DecryptKeyReply result = new ch.epfl.dedis.lib.proto.Calypso.DecryptKeyReply(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.c_ = c_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.xhatenc_ = xhatenc_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.x_ = x_;
@@ -7035,35 +7033,35 @@ public ch.epfl.dedis.lib.proto.Calypso.DecryptKeyReply buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -7134,7 +7132,7 @@ public Builder mergeFrom(
        * required bytes c = 1;
        */
       public boolean hasC() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -7185,7 +7183,7 @@ public Builder clearC() {
        * required bytes xhatenc = 2;
        */
       public boolean hasXhatenc() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -7236,7 +7234,7 @@ public Builder clearXhatenc() {
        * required bytes x = 3;
        */
       public boolean hasX() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -7443,7 +7441,7 @@ private GetLTSReply(
      * required bytes ltsid = 1;
      */
     public boolean hasLtsid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -7474,7 +7472,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, ltsid_);
       }
       unknownFields.writeTo(output);
@@ -7486,7 +7484,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, ltsid_);
       }
@@ -7505,14 +7503,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Calypso.GetLTSReply other = (ch.epfl.dedis.lib.proto.Calypso.GetLTSReply) obj;
 
-      boolean result = true;
-      result = result && (hasLtsid() == other.hasLtsid());
+      if (hasLtsid() != other.hasLtsid()) return false;
       if (hasLtsid()) {
-        result = result && getLtsid()
-            .equals(other.getLtsid());
+        if (!getLtsid()
+            .equals(other.getLtsid())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -7693,7 +7690,7 @@ public ch.epfl.dedis.lib.proto.Calypso.GetLTSReply buildPartial() {
         ch.epfl.dedis.lib.proto.Calypso.GetLTSReply result = new ch.epfl.dedis.lib.proto.Calypso.GetLTSReply(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.ltsid_ = ltsid_;
@@ -7704,35 +7701,35 @@ public ch.epfl.dedis.lib.proto.Calypso.GetLTSReply buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -7791,7 +7788,7 @@ public Builder mergeFrom(
        * required bytes ltsid = 1;
        */
       public boolean hasLtsid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -7947,7 +7944,7 @@ private LtsInstanceInfo(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = roster_.toBuilder();
               }
               roster_ = input.readMessage(ch.epfl.dedis.lib.proto.OnetProto.Roster.parser(), extensionRegistry);
@@ -7997,7 +7994,7 @@ private LtsInstanceInfo(
      * required .onet.Roster roster = 1;
      */
     public boolean hasRoster() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required .onet.Roster roster = 1;
@@ -8034,7 +8031,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getRoster());
       }
       unknownFields.writeTo(output);
@@ -8046,7 +8043,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getRoster());
       }
@@ -8065,14 +8062,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Calypso.LtsInstanceInfo other = (ch.epfl.dedis.lib.proto.Calypso.LtsInstanceInfo) obj;
 
-      boolean result = true;
-      result = result && (hasRoster() == other.hasRoster());
+      if (hasRoster() != other.hasRoster()) return false;
       if (hasRoster()) {
-        result = result && getRoster()
-            .equals(other.getRoster());
+        if (!getRoster()
+            .equals(other.getRoster())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -8258,14 +8254,14 @@ public ch.epfl.dedis.lib.proto.Calypso.LtsInstanceInfo buildPartial() {
         ch.epfl.dedis.lib.proto.Calypso.LtsInstanceInfo result = new ch.epfl.dedis.lib.proto.Calypso.LtsInstanceInfo(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (rosterBuilder_ == null) {
+            result.roster_ = roster_;
+          } else {
+            result.roster_ = rosterBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (rosterBuilder_ == null) {
-          result.roster_ = roster_;
-        } else {
-          result.roster_ = rosterBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -8273,35 +8269,35 @@ public ch.epfl.dedis.lib.proto.Calypso.LtsInstanceInfo buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -8354,14 +8350,14 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.OnetProto.Roster roster_ = null;
+      private ch.epfl.dedis.lib.proto.OnetProto.Roster roster_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.OnetProto.Roster, ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder, ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder> rosterBuilder_;
       /**
        * required .onet.Roster roster = 1;
        */
       public boolean hasRoster() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required .onet.Roster roster = 1;
@@ -8408,7 +8404,7 @@ public Builder setRoster(
        */
       public Builder mergeRoster(ch.epfl.dedis.lib.proto.OnetProto.Roster value) {
         if (rosterBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               roster_ != null &&
               roster_ != ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance()) {
             roster_ =
diff --git a/external/java/src/main/java/ch/epfl/dedis/lib/proto/DarcProto.java b/external/java/src/main/java/ch/epfl/dedis/lib/proto/DarcProto.java
index f458f464cf..57187a366c 100644
--- a/external/java/src/main/java/ch/epfl/dedis/lib/proto/DarcProto.java
+++ b/external/java/src/main/java/ch/epfl/dedis/lib/proto/DarcProto.java
@@ -246,7 +246,6 @@ private Darc(com.google.protobuf.GeneratedMessageV3.Builder builder) {
       super(builder);
     }
     private Darc() {
-      version_ = 0L;
       description_ = com.google.protobuf.ByteString.EMPTY;
       baseid_ = com.google.protobuf.ByteString.EMPTY;
       previd_ = com.google.protobuf.ByteString.EMPTY;
@@ -300,7 +299,7 @@ private Darc(
             }
             case 42: {
               ch.epfl.dedis.lib.proto.DarcProto.Rules.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000010) == 0x00000010)) {
+              if (((bitField0_ & 0x00000010) != 0)) {
                 subBuilder = rules_.toBuilder();
               }
               rules_ = input.readMessage(ch.epfl.dedis.lib.proto.DarcProto.Rules.parser(), extensionRegistry);
@@ -312,7 +311,7 @@ private Darc(
               break;
             }
             case 50: {
-              if (!((mutable_bitField0_ & 0x00000020) == 0x00000020)) {
+              if (!((mutable_bitField0_ & 0x00000020) != 0)) {
                 signatures_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000020;
               }
@@ -321,7 +320,7 @@ private Darc(
               break;
             }
             case 58: {
-              if (!((mutable_bitField0_ & 0x00000040) == 0x00000040)) {
+              if (!((mutable_bitField0_ & 0x00000040) != 0)) {
                 verificationdarcs_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000040;
               }
@@ -344,10 +343,10 @@ private Darc(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000020) == 0x00000020)) {
+        if (((mutable_bitField0_ & 0x00000020) != 0)) {
           signatures_ = java.util.Collections.unmodifiableList(signatures_);
         }
-        if (((mutable_bitField0_ & 0x00000040) == 0x00000040)) {
+        if (((mutable_bitField0_ & 0x00000040) != 0)) {
           verificationdarcs_ = java.util.Collections.unmodifiableList(verificationdarcs_);
         }
         this.unknownFields = unknownFields.build();
@@ -379,7 +378,7 @@ private Darc(
      * required uint64 version = 1;
      */
     public boolean hasVersion() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -405,7 +404,7 @@ public long getVersion() {
      * required bytes description = 2;
      */
     public boolean hasDescription() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -431,7 +430,7 @@ public com.google.protobuf.ByteString getDescription() {
      * optional bytes baseid = 3;
      */
     public boolean hasBaseid() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -455,7 +454,7 @@ public com.google.protobuf.ByteString getBaseid() {
      * required bytes previd = 4;
      */
     public boolean hasPrevid() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * 
@@ -478,7 +477,7 @@ public com.google.protobuf.ByteString getPrevid() {
      * required .darc.Rules rules = 5;
      */
     public boolean hasRules() {
-      return ((bitField0_ & 0x00000010) == 0x00000010);
+      return ((bitField0_ & 0x00000010) != 0);
     }
     /**
      * 
@@ -677,19 +676,19 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeUInt64(1, version_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, description_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeBytes(3, baseid_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeBytes(4, previd_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         output.writeMessage(5, getRules());
       }
       for (int i = 0; i < signatures_.size(); i++) {
@@ -707,23 +706,23 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeUInt64Size(1, version_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, description_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, baseid_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(4, previd_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(5, getRules());
       }
@@ -750,38 +749,37 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.DarcProto.Darc other = (ch.epfl.dedis.lib.proto.DarcProto.Darc) obj;
 
-      boolean result = true;
-      result = result && (hasVersion() == other.hasVersion());
+      if (hasVersion() != other.hasVersion()) return false;
       if (hasVersion()) {
-        result = result && (getVersion()
-            == other.getVersion());
+        if (getVersion()
+            != other.getVersion()) return false;
       }
-      result = result && (hasDescription() == other.hasDescription());
+      if (hasDescription() != other.hasDescription()) return false;
       if (hasDescription()) {
-        result = result && getDescription()
-            .equals(other.getDescription());
+        if (!getDescription()
+            .equals(other.getDescription())) return false;
       }
-      result = result && (hasBaseid() == other.hasBaseid());
+      if (hasBaseid() != other.hasBaseid()) return false;
       if (hasBaseid()) {
-        result = result && getBaseid()
-            .equals(other.getBaseid());
+        if (!getBaseid()
+            .equals(other.getBaseid())) return false;
       }
-      result = result && (hasPrevid() == other.hasPrevid());
+      if (hasPrevid() != other.hasPrevid()) return false;
       if (hasPrevid()) {
-        result = result && getPrevid()
-            .equals(other.getPrevid());
+        if (!getPrevid()
+            .equals(other.getPrevid())) return false;
       }
-      result = result && (hasRules() == other.hasRules());
+      if (hasRules() != other.hasRules()) return false;
       if (hasRules()) {
-        result = result && getRules()
-            .equals(other.getRules());
-      }
-      result = result && getSignaturesList()
-          .equals(other.getSignaturesList());
-      result = result && getVerificationdarcsList()
-          .equals(other.getVerificationdarcsList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+        if (!getRules()
+            .equals(other.getRules())) return false;
+      }
+      if (!getSignaturesList()
+          .equals(other.getSignaturesList())) return false;
+      if (!getVerificationdarcsList()
+          .equals(other.getVerificationdarcsList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -1016,32 +1014,32 @@ public ch.epfl.dedis.lib.proto.DarcProto.Darc buildPartial() {
         ch.epfl.dedis.lib.proto.DarcProto.Darc result = new ch.epfl.dedis.lib.proto.DarcProto.Darc(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.version_ = version_;
           to_bitField0_ |= 0x00000001;
         }
-        result.version_ = version_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.description_ = description_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.baseid_ = baseid_;
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
           to_bitField0_ |= 0x00000008;
         }
         result.previd_ = previd_;
-        if (((from_bitField0_ & 0x00000010) == 0x00000010)) {
+        if (((from_bitField0_ & 0x00000010) != 0)) {
+          if (rulesBuilder_ == null) {
+            result.rules_ = rules_;
+          } else {
+            result.rules_ = rulesBuilder_.build();
+          }
           to_bitField0_ |= 0x00000010;
         }
-        if (rulesBuilder_ == null) {
-          result.rules_ = rules_;
-        } else {
-          result.rules_ = rulesBuilder_.build();
-        }
         if (signaturesBuilder_ == null) {
-          if (((bitField0_ & 0x00000020) == 0x00000020)) {
+          if (((bitField0_ & 0x00000020) != 0)) {
             signatures_ = java.util.Collections.unmodifiableList(signatures_);
             bitField0_ = (bitField0_ & ~0x00000020);
           }
@@ -1050,7 +1048,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.Darc buildPartial() {
           result.signatures_ = signaturesBuilder_.build();
         }
         if (verificationdarcsBuilder_ == null) {
-          if (((bitField0_ & 0x00000040) == 0x00000040)) {
+          if (((bitField0_ & 0x00000040) != 0)) {
             verificationdarcs_ = java.util.Collections.unmodifiableList(verificationdarcs_);
             bitField0_ = (bitField0_ & ~0x00000040);
           }
@@ -1065,35 +1063,35 @@ public ch.epfl.dedis.lib.proto.DarcProto.Darc buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -1239,7 +1237,7 @@ public Builder mergeFrom(
        * required uint64 version = 1;
        */
       public boolean hasVersion() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -1292,7 +1290,7 @@ public Builder clearVersion() {
        * required bytes description = 2;
        */
       public boolean hasDescription() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -1350,7 +1348,7 @@ public Builder clearDescription() {
        * optional bytes baseid = 3;
        */
       public boolean hasBaseid() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -1404,7 +1402,7 @@ public Builder clearBaseid() {
        * required bytes previd = 4;
        */
       public boolean hasPrevid() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * 
@@ -1446,7 +1444,7 @@ public Builder clearPrevid() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.DarcProto.Rules rules_ = null;
+      private ch.epfl.dedis.lib.proto.DarcProto.Rules rules_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.DarcProto.Rules, ch.epfl.dedis.lib.proto.DarcProto.Rules.Builder, ch.epfl.dedis.lib.proto.DarcProto.RulesOrBuilder> rulesBuilder_;
       /**
@@ -1457,7 +1455,7 @@ public Builder clearPrevid() {
        * required .darc.Rules rules = 5;
        */
       public boolean hasRules() {
-        return ((bitField0_ & 0x00000010) == 0x00000010);
+        return ((bitField0_ & 0x00000010) != 0);
       }
       /**
        * 
@@ -1520,7 +1518,7 @@ public Builder setRules(
        */
       public Builder mergeRules(ch.epfl.dedis.lib.proto.DarcProto.Rules value) {
         if (rulesBuilder_ == null) {
-          if (((bitField0_ & 0x00000010) == 0x00000010) &&
+          if (((bitField0_ & 0x00000010) != 0) &&
               rules_ != null &&
               rules_ != ch.epfl.dedis.lib.proto.DarcProto.Rules.getDefaultInstance()) {
             rules_ =
@@ -1603,7 +1601,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.RulesOrBuilder getRulesOrBuilder() {
       private java.util.List signatures_ =
         java.util.Collections.emptyList();
       private void ensureSignaturesIsMutable() {
-        if (!((bitField0_ & 0x00000020) == 0x00000020)) {
+        if (!((bitField0_ & 0x00000020) != 0)) {
           signatures_ = new java.util.ArrayList(signatures_);
           bitField0_ |= 0x00000020;
          }
@@ -1940,7 +1938,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.Signature.Builder addSignaturesBuilder(
           signaturesBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.DarcProto.Signature, ch.epfl.dedis.lib.proto.DarcProto.Signature.Builder, ch.epfl.dedis.lib.proto.DarcProto.SignatureOrBuilder>(
                   signatures_,
-                  ((bitField0_ & 0x00000020) == 0x00000020),
+                  ((bitField0_ & 0x00000020) != 0),
                   getParentForChildren(),
                   isClean());
           signatures_ = null;
@@ -1951,7 +1949,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.Signature.Builder addSignaturesBuilder(
       private java.util.List verificationdarcs_ =
         java.util.Collections.emptyList();
       private void ensureVerificationdarcsIsMutable() {
-        if (!((bitField0_ & 0x00000040) == 0x00000040)) {
+        if (!((bitField0_ & 0x00000040) != 0)) {
           verificationdarcs_ = new java.util.ArrayList(verificationdarcs_);
           bitField0_ |= 0x00000040;
          }
@@ -2288,7 +2286,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.Darc.Builder addVerificationdarcsBuilde
           verificationdarcsBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.DarcProto.Darc, ch.epfl.dedis.lib.proto.DarcProto.Darc.Builder, ch.epfl.dedis.lib.proto.DarcProto.DarcOrBuilder>(
                   verificationdarcs_,
-                  ((bitField0_ & 0x00000040) == 0x00000040),
+                  ((bitField0_ & 0x00000040) != 0),
                   getParentForChildren(),
                   isClean());
           verificationdarcs_ = null;
@@ -2498,7 +2496,7 @@ private Identity(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.DarcProto.IdentityDarc.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = darc_.toBuilder();
               }
               darc_ = input.readMessage(ch.epfl.dedis.lib.proto.DarcProto.IdentityDarc.parser(), extensionRegistry);
@@ -2511,7 +2509,7 @@ private Identity(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = ed25519_.toBuilder();
               }
               ed25519_ = input.readMessage(ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519.parser(), extensionRegistry);
@@ -2524,7 +2522,7 @@ private Identity(
             }
             case 26: {
               ch.epfl.dedis.lib.proto.DarcProto.IdentityX509EC.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000004) == 0x00000004)) {
+              if (((bitField0_ & 0x00000004) != 0)) {
                 subBuilder = x509Ec_.toBuilder();
               }
               x509Ec_ = input.readMessage(ch.epfl.dedis.lib.proto.DarcProto.IdentityX509EC.parser(), extensionRegistry);
@@ -2537,7 +2535,7 @@ private Identity(
             }
             case 34: {
               ch.epfl.dedis.lib.proto.DarcProto.IdentityProxy.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000008) == 0x00000008)) {
+              if (((bitField0_ & 0x00000008) != 0)) {
                 subBuilder = proxy_.toBuilder();
               }
               proxy_ = input.readMessage(ch.epfl.dedis.lib.proto.DarcProto.IdentityProxy.parser(), extensionRegistry);
@@ -2591,7 +2589,7 @@ private Identity(
      * optional .darc.IdentityDarc darc = 1;
      */
     public boolean hasDarc() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -2624,7 +2622,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityDarcOrBuilder getDarcOrBuilder(
      * optional .darc.IdentityEd25519 ed25519 = 2;
      */
     public boolean hasEd25519() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -2657,7 +2655,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519OrBuilder getEd25519OrBu
      * optional .darc.IdentityX509EC x509ec = 3;
      */
     public boolean hasX509Ec() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -2690,7 +2688,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityX509ECOrBuilder getX509EcOrBuil
      * optional .darc.IdentityProxy proxy = 4;
      */
     public boolean hasProxy() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * 
@@ -2751,16 +2749,16 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getDarc());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getEd25519());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeMessage(3, getX509Ec());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeMessage(4, getProxy());
       }
       unknownFields.writeTo(output);
@@ -2772,19 +2770,19 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getDarc());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getEd25519());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(3, getX509Ec());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(4, getProxy());
       }
@@ -2803,29 +2801,28 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.DarcProto.Identity other = (ch.epfl.dedis.lib.proto.DarcProto.Identity) obj;
 
-      boolean result = true;
-      result = result && (hasDarc() == other.hasDarc());
+      if (hasDarc() != other.hasDarc()) return false;
       if (hasDarc()) {
-        result = result && getDarc()
-            .equals(other.getDarc());
+        if (!getDarc()
+            .equals(other.getDarc())) return false;
       }
-      result = result && (hasEd25519() == other.hasEd25519());
+      if (hasEd25519() != other.hasEd25519()) return false;
       if (hasEd25519()) {
-        result = result && getEd25519()
-            .equals(other.getEd25519());
+        if (!getEd25519()
+            .equals(other.getEd25519())) return false;
       }
-      result = result && (hasX509Ec() == other.hasX509Ec());
+      if (hasX509Ec() != other.hasX509Ec()) return false;
       if (hasX509Ec()) {
-        result = result && getX509Ec()
-            .equals(other.getX509Ec());
+        if (!getX509Ec()
+            .equals(other.getX509Ec())) return false;
       }
-      result = result && (hasProxy() == other.hasProxy());
+      if (hasProxy() != other.hasProxy()) return false;
       if (hasProxy()) {
-        result = result && getProxy()
-            .equals(other.getProxy());
+        if (!getProxy()
+            .equals(other.getProxy())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -3045,38 +3042,38 @@ public ch.epfl.dedis.lib.proto.DarcProto.Identity buildPartial() {
         ch.epfl.dedis.lib.proto.DarcProto.Identity result = new ch.epfl.dedis.lib.proto.DarcProto.Identity(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (darcBuilder_ == null) {
+            result.darc_ = darc_;
+          } else {
+            result.darc_ = darcBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (darcBuilder_ == null) {
-          result.darc_ = darc_;
-        } else {
-          result.darc_ = darcBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (ed25519Builder_ == null) {
+            result.ed25519_ = ed25519_;
+          } else {
+            result.ed25519_ = ed25519Builder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (ed25519Builder_ == null) {
-          result.ed25519_ = ed25519_;
-        } else {
-          result.ed25519_ = ed25519Builder_.build();
-        }
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          if (x509EcBuilder_ == null) {
+            result.x509Ec_ = x509Ec_;
+          } else {
+            result.x509Ec_ = x509EcBuilder_.build();
+          }
           to_bitField0_ |= 0x00000004;
         }
-        if (x509EcBuilder_ == null) {
-          result.x509Ec_ = x509Ec_;
-        } else {
-          result.x509Ec_ = x509EcBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
+          if (proxyBuilder_ == null) {
+            result.proxy_ = proxy_;
+          } else {
+            result.proxy_ = proxyBuilder_.build();
+          }
           to_bitField0_ |= 0x00000008;
         }
-        if (proxyBuilder_ == null) {
-          result.proxy_ = proxy_;
-        } else {
-          result.proxy_ = proxyBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -3084,35 +3081,35 @@ public ch.epfl.dedis.lib.proto.DarcProto.Identity buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -3188,7 +3185,7 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.DarcProto.IdentityDarc darc_ = null;
+      private ch.epfl.dedis.lib.proto.DarcProto.IdentityDarc darc_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.DarcProto.IdentityDarc, ch.epfl.dedis.lib.proto.DarcProto.IdentityDarc.Builder, ch.epfl.dedis.lib.proto.DarcProto.IdentityDarcOrBuilder> darcBuilder_;
       /**
@@ -3199,7 +3196,7 @@ public Builder mergeFrom(
        * optional .darc.IdentityDarc darc = 1;
        */
       public boolean hasDarc() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -3262,7 +3259,7 @@ public Builder setDarc(
        */
       public Builder mergeDarc(ch.epfl.dedis.lib.proto.DarcProto.IdentityDarc value) {
         if (darcBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               darc_ != null &&
               darc_ != ch.epfl.dedis.lib.proto.DarcProto.IdentityDarc.getDefaultInstance()) {
             darc_ =
@@ -3342,7 +3339,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityDarcOrBuilder getDarcOrBuilder(
         return darcBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519 ed25519_ = null;
+      private ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519 ed25519_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519, ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519.Builder, ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519OrBuilder> ed25519Builder_;
       /**
@@ -3353,7 +3350,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityDarcOrBuilder getDarcOrBuilder(
        * optional .darc.IdentityEd25519 ed25519 = 2;
        */
       public boolean hasEd25519() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -3416,7 +3413,7 @@ public Builder setEd25519(
        */
       public Builder mergeEd25519(ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519 value) {
         if (ed25519Builder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               ed25519_ != null &&
               ed25519_ != ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519.getDefaultInstance()) {
             ed25519_ =
@@ -3496,7 +3493,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519OrBuilder getEd25519OrBu
         return ed25519Builder_;
       }
 
-      private ch.epfl.dedis.lib.proto.DarcProto.IdentityX509EC x509Ec_ = null;
+      private ch.epfl.dedis.lib.proto.DarcProto.IdentityX509EC x509Ec_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.DarcProto.IdentityX509EC, ch.epfl.dedis.lib.proto.DarcProto.IdentityX509EC.Builder, ch.epfl.dedis.lib.proto.DarcProto.IdentityX509ECOrBuilder> x509EcBuilder_;
       /**
@@ -3507,7 +3504,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519OrBuilder getEd25519OrBu
        * optional .darc.IdentityX509EC x509ec = 3;
        */
       public boolean hasX509Ec() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -3570,7 +3567,7 @@ public Builder setX509Ec(
        */
       public Builder mergeX509Ec(ch.epfl.dedis.lib.proto.DarcProto.IdentityX509EC value) {
         if (x509EcBuilder_ == null) {
-          if (((bitField0_ & 0x00000004) == 0x00000004) &&
+          if (((bitField0_ & 0x00000004) != 0) &&
               x509Ec_ != null &&
               x509Ec_ != ch.epfl.dedis.lib.proto.DarcProto.IdentityX509EC.getDefaultInstance()) {
             x509Ec_ =
@@ -3650,7 +3647,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityX509ECOrBuilder getX509EcOrBuil
         return x509EcBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.DarcProto.IdentityProxy proxy_ = null;
+      private ch.epfl.dedis.lib.proto.DarcProto.IdentityProxy proxy_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.DarcProto.IdentityProxy, ch.epfl.dedis.lib.proto.DarcProto.IdentityProxy.Builder, ch.epfl.dedis.lib.proto.DarcProto.IdentityProxyOrBuilder> proxyBuilder_;
       /**
@@ -3661,7 +3658,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityX509ECOrBuilder getX509EcOrBuil
        * optional .darc.IdentityProxy proxy = 4;
        */
       public boolean hasProxy() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * 
@@ -3724,7 +3721,7 @@ public Builder setProxy(
        */
       public Builder mergeProxy(ch.epfl.dedis.lib.proto.DarcProto.IdentityProxy value) {
         if (proxyBuilder_ == null) {
-          if (((bitField0_ & 0x00000008) == 0x00000008) &&
+          if (((bitField0_ & 0x00000008) != 0) &&
               proxy_ != null &&
               proxy_ != ch.epfl.dedis.lib.proto.DarcProto.IdentityProxy.getDefaultInstance()) {
             proxy_ =
@@ -3957,7 +3954,7 @@ private IdentityEd25519(
      * required bytes point = 1;
      */
     public boolean hasPoint() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes point = 1;
@@ -3984,7 +3981,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, point_);
       }
       unknownFields.writeTo(output);
@@ -3996,7 +3993,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, point_);
       }
@@ -4015,14 +4012,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519 other = (ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519) obj;
 
-      boolean result = true;
-      result = result && (hasPoint() == other.hasPoint());
+      if (hasPoint() != other.hasPoint()) return false;
       if (hasPoint()) {
-        result = result && getPoint()
-            .equals(other.getPoint());
+        if (!getPoint()
+            .equals(other.getPoint())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -4203,7 +4199,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519 buildPartial() {
         ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519 result = new ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.point_ = point_;
@@ -4214,35 +4210,35 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityEd25519 buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -4297,7 +4293,7 @@ public Builder mergeFrom(
        * required bytes point = 1;
        */
       public boolean hasPoint() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes point = 1;
@@ -4480,7 +4476,7 @@ private IdentityX509EC(
      * required bytes public = 1;
      */
     public boolean hasPublic() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes public = 1;
@@ -4507,7 +4503,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, public_);
       }
       unknownFields.writeTo(output);
@@ -4519,7 +4515,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, public_);
       }
@@ -4538,14 +4534,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.DarcProto.IdentityX509EC other = (ch.epfl.dedis.lib.proto.DarcProto.IdentityX509EC) obj;
 
-      boolean result = true;
-      result = result && (hasPublic() == other.hasPublic());
+      if (hasPublic() != other.hasPublic()) return false;
       if (hasPublic()) {
-        result = result && getPublic()
-            .equals(other.getPublic());
+        if (!getPublic()
+            .equals(other.getPublic())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -4726,7 +4721,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityX509EC buildPartial() {
         ch.epfl.dedis.lib.proto.DarcProto.IdentityX509EC result = new ch.epfl.dedis.lib.proto.DarcProto.IdentityX509EC(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.public_ = public_;
@@ -4737,35 +4732,35 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityX509EC buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -4820,7 +4815,7 @@ public Builder mergeFrom(
        * required bytes public = 1;
        */
       public boolean hasPublic() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes public = 1;
@@ -4932,7 +4927,7 @@ public interface IdentityProxyOrBuilder extends
   /**
    * 
    * IdentityProxy holds the info necessary to verify a claim
-   * from an external authentication system via an Authentication Proxy.
+   * from an external authentication system via an Policy Proxy.
    * 

    *
    * Protobuf type {@code darc.IdentityProxy}
@@ -5025,7 +5020,7 @@ private IdentityProxy(
      * required string data = 1;
      */
     public boolean hasData() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required string data = 1;
@@ -5067,7 +5062,7 @@ public java.lang.String getData() {
      * required bytes public = 2;
      */
     public boolean hasPublic() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes public = 2;
@@ -5098,10 +5093,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 1, data_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, public_);
       }
       unknownFields.writeTo(output);
@@ -5113,10 +5108,10 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, data_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, public_);
       }
@@ -5135,19 +5130,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.DarcProto.IdentityProxy other = (ch.epfl.dedis.lib.proto.DarcProto.IdentityProxy) obj;
 
-      boolean result = true;
-      result = result && (hasData() == other.hasData());
+      if (hasData() != other.hasData()) return false;
       if (hasData()) {
-        result = result && getData()
-            .equals(other.getData());
+        if (!getData()
+            .equals(other.getData())) return false;
       }
-      result = result && (hasPublic() == other.hasPublic());
+      if (hasPublic() != other.hasPublic()) return false;
       if (hasPublic()) {
-        result = result && getPublic()
-            .equals(other.getPublic());
+        if (!getPublic()
+            .equals(other.getPublic())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -5263,7 +5257,7 @@ protected Builder newBuilderForType(
     /**
      * 
      * IdentityProxy holds the info necessary to verify a claim
-     * from an external authentication system via an Authentication Proxy.
+     * from an external authentication system via an Policy Proxy.
      * 

      *
      * Protobuf type {@code darc.IdentityProxy}
@@ -5335,11 +5329,11 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityProxy buildPartial() {
         ch.epfl.dedis.lib.proto.DarcProto.IdentityProxy result = new ch.epfl.dedis.lib.proto.DarcProto.IdentityProxy(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.data_ = data_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.public_ = public_;
@@ -5350,35 +5344,35 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityProxy buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -5441,7 +5435,7 @@ public Builder mergeFrom(
        * required string data = 1;
        */
       public boolean hasData() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required string data = 1;
@@ -5517,7 +5511,7 @@ public Builder setDataBytes(
        * required bytes public = 2;
        */
       public boolean hasPublic() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes public = 2;
@@ -5713,7 +5707,7 @@ private IdentityDarc(
      * required bytes id = 1;
      */
     public boolean hasId() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -5744,7 +5738,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, id_);
       }
       unknownFields.writeTo(output);
@@ -5756,7 +5750,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, id_);
       }
@@ -5775,14 +5769,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.DarcProto.IdentityDarc other = (ch.epfl.dedis.lib.proto.DarcProto.IdentityDarc) obj;
 
-      boolean result = true;
-      result = result && (hasId() == other.hasId());
+      if (hasId() != other.hasId()) return false;
       if (hasId()) {
-        result = result && getId()
-            .equals(other.getId());
+        if (!getId()
+            .equals(other.getId())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -5964,7 +5957,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityDarc buildPartial() {
         ch.epfl.dedis.lib.proto.DarcProto.IdentityDarc result = new ch.epfl.dedis.lib.proto.DarcProto.IdentityDarc(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.id_ = id_;
@@ -5975,35 +5968,35 @@ public ch.epfl.dedis.lib.proto.DarcProto.IdentityDarc buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -6062,7 +6055,7 @@ public Builder mergeFrom(
        * required bytes id = 1;
        */
       public boolean hasId() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -6254,7 +6247,7 @@ private Signature(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.DarcProto.Identity.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = signer_.toBuilder();
               }
               signer_ = input.readMessage(ch.epfl.dedis.lib.proto.DarcProto.Identity.parser(), extensionRegistry);
@@ -6308,7 +6301,7 @@ private Signature(
      * required bytes signature = 1;
      */
     public boolean hasSignature() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -6331,7 +6324,7 @@ public com.google.protobuf.ByteString getSignature() {
      * required .darc.Identity signer = 2;
      */
     public boolean hasSigner() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -6380,10 +6373,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, signature_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getSigner());
       }
       unknownFields.writeTo(output);
@@ -6395,11 +6388,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, signature_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getSigner());
       }
@@ -6418,19 +6411,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.DarcProto.Signature other = (ch.epfl.dedis.lib.proto.DarcProto.Signature) obj;
 
-      boolean result = true;
-      result = result && (hasSignature() == other.hasSignature());
+      if (hasSignature() != other.hasSignature()) return false;
       if (hasSignature()) {
-        result = result && getSignature()
-            .equals(other.getSignature());
+        if (!getSignature()
+            .equals(other.getSignature())) return false;
       }
-      result = result && (hasSigner() == other.hasSigner());
+      if (hasSigner() != other.hasSigner()) return false;
       if (hasSigner()) {
-        result = result && getSigner()
-            .equals(other.getSigner());
+        if (!getSigner()
+            .equals(other.getSigner())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -6623,18 +6615,18 @@ public ch.epfl.dedis.lib.proto.DarcProto.Signature buildPartial() {
         ch.epfl.dedis.lib.proto.DarcProto.Signature result = new ch.epfl.dedis.lib.proto.DarcProto.Signature(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.signature_ = signature_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (signerBuilder_ == null) {
+            result.signer_ = signer_;
+          } else {
+            result.signer_ = signerBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (signerBuilder_ == null) {
-          result.signer_ = signer_;
-        } else {
-          result.signer_ = signerBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -6642,35 +6634,35 @@ public ch.epfl.dedis.lib.proto.DarcProto.Signature buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -6738,7 +6730,7 @@ public Builder mergeFrom(
        * required bytes signature = 1;
        */
       public boolean hasSignature() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -6780,7 +6772,7 @@ public Builder clearSignature() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.DarcProto.Identity signer_ = null;
+      private ch.epfl.dedis.lib.proto.DarcProto.Identity signer_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.DarcProto.Identity, ch.epfl.dedis.lib.proto.DarcProto.Identity.Builder, ch.epfl.dedis.lib.proto.DarcProto.IdentityOrBuilder> signerBuilder_;
       /**
@@ -6791,7 +6783,7 @@ public Builder clearSignature() {
        * required .darc.Identity signer = 2;
        */
       public boolean hasSigner() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -6854,7 +6846,7 @@ public Builder setSigner(
        */
       public Builder mergeSigner(ch.epfl.dedis.lib.proto.DarcProto.Identity value) {
         if (signerBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               signer_ != null &&
               signer_ != ch.epfl.dedis.lib.proto.DarcProto.Identity.getDefaultInstance()) {
             signer_ =
@@ -7074,7 +7066,7 @@ private Signer(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = ed25519_.toBuilder();
               }
               ed25519_ = input.readMessage(ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519.parser(), extensionRegistry);
@@ -7087,7 +7079,7 @@ private Signer(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.DarcProto.SignerX509EC.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = x509Ec_.toBuilder();
               }
               x509Ec_ = input.readMessage(ch.epfl.dedis.lib.proto.DarcProto.SignerX509EC.parser(), extensionRegistry);
@@ -7100,7 +7092,7 @@ private Signer(
             }
             case 26: {
               ch.epfl.dedis.lib.proto.DarcProto.SignerProxy.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000004) == 0x00000004)) {
+              if (((bitField0_ & 0x00000004) != 0)) {
                 subBuilder = proxy_.toBuilder();
               }
               proxy_ = input.readMessage(ch.epfl.dedis.lib.proto.DarcProto.SignerProxy.parser(), extensionRegistry);
@@ -7150,7 +7142,7 @@ private Signer(
      * optional .darc.SignerEd25519 ed25519 = 1;
      */
     public boolean hasEd25519() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * optional .darc.SignerEd25519 ed25519 = 1;
@@ -7171,7 +7163,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519OrBuilder getEd25519OrBuil
      * optional .darc.SignerX509EC x509ec = 2;
      */
     public boolean hasX509Ec() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * optional .darc.SignerX509EC x509ec = 2;
@@ -7192,7 +7184,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.SignerX509ECOrBuilder getX509EcOrBuilde
      * optional .darc.SignerProxy proxy = 3;
      */
     public boolean hasProxy() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * optional .darc.SignerProxy proxy = 3;
@@ -7239,13 +7231,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getEd25519());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getX509Ec());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeMessage(3, getProxy());
       }
       unknownFields.writeTo(output);
@@ -7257,15 +7249,15 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getEd25519());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getX509Ec());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(3, getProxy());
       }
@@ -7284,24 +7276,23 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.DarcProto.Signer other = (ch.epfl.dedis.lib.proto.DarcProto.Signer) obj;
 
-      boolean result = true;
-      result = result && (hasEd25519() == other.hasEd25519());
+      if (hasEd25519() != other.hasEd25519()) return false;
       if (hasEd25519()) {
-        result = result && getEd25519()
-            .equals(other.getEd25519());
+        if (!getEd25519()
+            .equals(other.getEd25519())) return false;
       }
-      result = result && (hasX509Ec() == other.hasX509Ec());
+      if (hasX509Ec() != other.hasX509Ec()) return false;
       if (hasX509Ec()) {
-        result = result && getX509Ec()
-            .equals(other.getX509Ec());
+        if (!getX509Ec()
+            .equals(other.getX509Ec())) return false;
       }
-      result = result && (hasProxy() == other.hasProxy());
+      if (hasProxy() != other.hasProxy()) return false;
       if (hasProxy()) {
-        result = result && getProxy()
-            .equals(other.getProxy());
+        if (!getProxy()
+            .equals(other.getProxy())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -7509,30 +7500,30 @@ public ch.epfl.dedis.lib.proto.DarcProto.Signer buildPartial() {
         ch.epfl.dedis.lib.proto.DarcProto.Signer result = new ch.epfl.dedis.lib.proto.DarcProto.Signer(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (ed25519Builder_ == null) {
+            result.ed25519_ = ed25519_;
+          } else {
+            result.ed25519_ = ed25519Builder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (ed25519Builder_ == null) {
-          result.ed25519_ = ed25519_;
-        } else {
-          result.ed25519_ = ed25519Builder_.build();
-        }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (x509EcBuilder_ == null) {
+            result.x509Ec_ = x509Ec_;
+          } else {
+            result.x509Ec_ = x509EcBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (x509EcBuilder_ == null) {
-          result.x509Ec_ = x509Ec_;
-        } else {
-          result.x509Ec_ = x509EcBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          if (proxyBuilder_ == null) {
+            result.proxy_ = proxy_;
+          } else {
+            result.proxy_ = proxyBuilder_.build();
+          }
           to_bitField0_ |= 0x00000004;
         }
-        if (proxyBuilder_ == null) {
-          result.proxy_ = proxy_;
-        } else {
-          result.proxy_ = proxyBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -7540,35 +7531,35 @@ public ch.epfl.dedis.lib.proto.DarcProto.Signer buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -7636,14 +7627,14 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519 ed25519_ = null;
+      private ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519 ed25519_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519, ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519.Builder, ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519OrBuilder> ed25519Builder_;
       /**
        * optional .darc.SignerEd25519 ed25519 = 1;
        */
       public boolean hasEd25519() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * optional .darc.SignerEd25519 ed25519 = 1;
@@ -7690,7 +7681,7 @@ public Builder setEd25519(
        */
       public Builder mergeEd25519(ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519 value) {
         if (ed25519Builder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               ed25519_ != null &&
               ed25519_ != ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519.getDefaultInstance()) {
             ed25519_ =
@@ -7754,14 +7745,14 @@ public ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519OrBuilder getEd25519OrBuil
         return ed25519Builder_;
       }
 
-      private ch.epfl.dedis.lib.proto.DarcProto.SignerX509EC x509Ec_ = null;
+      private ch.epfl.dedis.lib.proto.DarcProto.SignerX509EC x509Ec_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.DarcProto.SignerX509EC, ch.epfl.dedis.lib.proto.DarcProto.SignerX509EC.Builder, ch.epfl.dedis.lib.proto.DarcProto.SignerX509ECOrBuilder> x509EcBuilder_;
       /**
        * optional .darc.SignerX509EC x509ec = 2;
        */
       public boolean hasX509Ec() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * optional .darc.SignerX509EC x509ec = 2;
@@ -7808,7 +7799,7 @@ public Builder setX509Ec(
        */
       public Builder mergeX509Ec(ch.epfl.dedis.lib.proto.DarcProto.SignerX509EC value) {
         if (x509EcBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               x509Ec_ != null &&
               x509Ec_ != ch.epfl.dedis.lib.proto.DarcProto.SignerX509EC.getDefaultInstance()) {
             x509Ec_ =
@@ -7872,14 +7863,14 @@ public ch.epfl.dedis.lib.proto.DarcProto.SignerX509ECOrBuilder getX509EcOrBuilde
         return x509EcBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.DarcProto.SignerProxy proxy_ = null;
+      private ch.epfl.dedis.lib.proto.DarcProto.SignerProxy proxy_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.DarcProto.SignerProxy, ch.epfl.dedis.lib.proto.DarcProto.SignerProxy.Builder, ch.epfl.dedis.lib.proto.DarcProto.SignerProxyOrBuilder> proxyBuilder_;
       /**
        * optional .darc.SignerProxy proxy = 3;
        */
       public boolean hasProxy() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * optional .darc.SignerProxy proxy = 3;
@@ -7926,7 +7917,7 @@ public Builder setProxy(
        */
       public Builder mergeProxy(ch.epfl.dedis.lib.proto.DarcProto.SignerProxy value) {
         if (proxyBuilder_ == null) {
-          if (((bitField0_ & 0x00000004) == 0x00000004) &&
+          if (((bitField0_ & 0x00000004) != 0) &&
               proxy_ != null &&
               proxy_ != ch.epfl.dedis.lib.proto.DarcProto.SignerProxy.getDefaultInstance()) {
             proxy_ =
@@ -8158,7 +8149,7 @@ private SignerEd25519(
      * required bytes point = 1;
      */
     public boolean hasPoint() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes point = 1;
@@ -8173,7 +8164,7 @@ public com.google.protobuf.ByteString getPoint() {
      * required bytes secret = 2;
      */
     public boolean hasSecret() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes secret = 2;
@@ -8204,10 +8195,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, point_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, secret_);
       }
       unknownFields.writeTo(output);
@@ -8219,11 +8210,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, point_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, secret_);
       }
@@ -8242,19 +8233,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519 other = (ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519) obj;
 
-      boolean result = true;
-      result = result && (hasPoint() == other.hasPoint());
+      if (hasPoint() != other.hasPoint()) return false;
       if (hasPoint()) {
-        result = result && getPoint()
-            .equals(other.getPoint());
+        if (!getPoint()
+            .equals(other.getPoint())) return false;
       }
-      result = result && (hasSecret() == other.hasSecret());
+      if (hasSecret() != other.hasSecret()) return false;
       if (hasSecret()) {
-        result = result && getSecret()
-            .equals(other.getSecret());
+        if (!getSecret()
+            .equals(other.getSecret())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -8441,11 +8431,11 @@ public ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519 buildPartial() {
         ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519 result = new ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.point_ = point_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.secret_ = secret_;
@@ -8456,35 +8446,35 @@ public ch.epfl.dedis.lib.proto.DarcProto.SignerEd25519 buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -8545,7 +8535,7 @@ public Builder mergeFrom(
        * required bytes point = 1;
        */
       public boolean hasPoint() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes point = 1;
@@ -8580,7 +8570,7 @@ public Builder clearPoint() {
        * required bytes secret = 2;
        */
       public boolean hasSecret() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes secret = 2;
@@ -8764,7 +8754,7 @@ private SignerX509EC(
      * required bytes point = 1;
      */
     public boolean hasPoint() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes point = 1;
@@ -8791,7 +8781,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, point_);
       }
       unknownFields.writeTo(output);
@@ -8803,7 +8793,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, point_);
       }
@@ -8822,14 +8812,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.DarcProto.SignerX509EC other = (ch.epfl.dedis.lib.proto.DarcProto.SignerX509EC) obj;
 
-      boolean result = true;
-      result = result && (hasPoint() == other.hasPoint());
+      if (hasPoint() != other.hasPoint()) return false;
       if (hasPoint()) {
-        result = result && getPoint()
-            .equals(other.getPoint());
+        if (!getPoint()
+            .equals(other.getPoint())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -9011,7 +9000,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.SignerX509EC buildPartial() {
         ch.epfl.dedis.lib.proto.DarcProto.SignerX509EC result = new ch.epfl.dedis.lib.proto.DarcProto.SignerX509EC(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.point_ = point_;
@@ -9022,35 +9011,35 @@ public ch.epfl.dedis.lib.proto.DarcProto.SignerX509EC buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -9105,7 +9094,7 @@ public Builder mergeFrom(
        * required bytes point = 1;
        */
       public boolean hasPoint() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes point = 1;
@@ -9217,7 +9206,7 @@ public interface SignerProxyOrBuilder extends
   /**
    * 
    * SignerProxy holds the information necessary to verify claims
-   * coming from external authentication systems via Authentication Proxies.
+   * coming from external authentication systems via Policy Proxies.
    * 

    *
    * Protobuf type {@code darc.SignerProxy}
@@ -9310,7 +9299,7 @@ private SignerProxy(
      * required string data = 1;
      */
     public boolean hasData() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required string data = 1;
@@ -9352,7 +9341,7 @@ public java.lang.String getData() {
      * required bytes public = 2;
      */
     public boolean hasPublic() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes public = 2;
@@ -9383,10 +9372,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 1, data_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, public_);
       }
       unknownFields.writeTo(output);
@@ -9398,10 +9387,10 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, data_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, public_);
       }
@@ -9420,19 +9409,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.DarcProto.SignerProxy other = (ch.epfl.dedis.lib.proto.DarcProto.SignerProxy) obj;
 
-      boolean result = true;
-      result = result && (hasData() == other.hasData());
+      if (hasData() != other.hasData()) return false;
       if (hasData()) {
-        result = result && getData()
-            .equals(other.getData());
+        if (!getData()
+            .equals(other.getData())) return false;
       }
-      result = result && (hasPublic() == other.hasPublic());
+      if (hasPublic() != other.hasPublic()) return false;
       if (hasPublic()) {
-        result = result && getPublic()
-            .equals(other.getPublic());
+        if (!getPublic()
+            .equals(other.getPublic())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -9548,7 +9536,7 @@ protected Builder newBuilderForType(
     /**
      * 
      * SignerProxy holds the information necessary to verify claims
-     * coming from external authentication systems via Authentication Proxies.
+     * coming from external authentication systems via Policy Proxies.
      * 

      *
      * Protobuf type {@code darc.SignerProxy}
@@ -9620,11 +9608,11 @@ public ch.epfl.dedis.lib.proto.DarcProto.SignerProxy buildPartial() {
         ch.epfl.dedis.lib.proto.DarcProto.SignerProxy result = new ch.epfl.dedis.lib.proto.DarcProto.SignerProxy(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.data_ = data_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.public_ = public_;
@@ -9635,35 +9623,35 @@ public ch.epfl.dedis.lib.proto.DarcProto.SignerProxy buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -9726,7 +9714,7 @@ public Builder mergeFrom(
        * required string data = 1;
        */
       public boolean hasData() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required string data = 1;
@@ -9802,7 +9790,7 @@ public Builder setDataBytes(
        * required bytes public = 2;
        */
       public boolean hasPublic() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes public = 2;
@@ -10022,7 +10010,7 @@ private Request(
               break;
             }
             case 34: {
-              if (!((mutable_bitField0_ & 0x00000008) == 0x00000008)) {
+              if (!((mutable_bitField0_ & 0x00000008) != 0)) {
                 identities_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000008;
               }
@@ -10031,7 +10019,7 @@ private Request(
               break;
             }
             case 42: {
-              if (!((mutable_bitField0_ & 0x00000010) == 0x00000010)) {
+              if (!((mutable_bitField0_ & 0x00000010) != 0)) {
                 signatures_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000010;
               }
@@ -10053,11 +10041,11 @@ private Request(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((mutable_bitField0_ & 0x00000008) != 0)) {
           identities_ = java.util.Collections.unmodifiableList(identities_);
         }
-        if (((mutable_bitField0_ & 0x00000010) == 0x00000010)) {
-          signatures_ = java.util.Collections.unmodifiableList(signatures_);
+        if (((mutable_bitField0_ & 0x00000010) != 0)) {
+          signatures_ = java.util.Collections.unmodifiableList(signatures_); // C
         }
         this.unknownFields = unknownFields.build();
         makeExtensionsImmutable();
@@ -10083,7 +10071,7 @@ private Request(
      * required bytes baseid = 1;
      */
     public boolean hasBaseid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes baseid = 1;
@@ -10098,7 +10086,7 @@ public com.google.protobuf.ByteString getBaseid() {
      * required string action = 2;
      */
     public boolean hasAction() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required string action = 2;
@@ -10140,7 +10128,7 @@ public java.lang.String getAction() {
      * required bytes msg = 3;
      */
     public boolean hasMsg() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * required bytes msg = 3;
@@ -10238,13 +10226,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, baseid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 2, action_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeBytes(3, msg_);
       }
       for (int i = 0; i < identities_.size(); i++) {
@@ -10262,14 +10250,14 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, baseid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(2, action_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, msg_);
       }
@@ -10301,28 +10289,27 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.DarcProto.Request other = (ch.epfl.dedis.lib.proto.DarcProto.Request) obj;
 
-      boolean result = true;
-      result = result && (hasBaseid() == other.hasBaseid());
+      if (hasBaseid() != other.hasBaseid()) return false;
       if (hasBaseid()) {
-        result = result && getBaseid()
-            .equals(other.getBaseid());
+        if (!getBaseid()
+            .equals(other.getBaseid())) return false;
       }
-      result = result && (hasAction() == other.hasAction());
+      if (hasAction() != other.hasAction()) return false;
       if (hasAction()) {
-        result = result && getAction()
-            .equals(other.getAction());
+        if (!getAction()
+            .equals(other.getAction())) return false;
       }
-      result = result && (hasMsg() == other.hasMsg());
+      if (hasMsg() != other.hasMsg()) return false;
       if (hasMsg()) {
-        result = result && getMsg()
-            .equals(other.getMsg());
-      }
-      result = result && getIdentitiesList()
-          .equals(other.getIdentitiesList());
-      result = result && getSignaturesList()
-          .equals(other.getSignaturesList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+        if (!getMsg()
+            .equals(other.getMsg())) return false;
+      }
+      if (!getIdentitiesList()
+          .equals(other.getIdentitiesList())) return false;
+      if (!getSignaturesList()
+          .equals(other.getSignaturesList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -10532,20 +10519,20 @@ public ch.epfl.dedis.lib.proto.DarcProto.Request buildPartial() {
         ch.epfl.dedis.lib.proto.DarcProto.Request result = new ch.epfl.dedis.lib.proto.DarcProto.Request(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.baseid_ = baseid_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.action_ = action_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.msg_ = msg_;
         if (identitiesBuilder_ == null) {
-          if (((bitField0_ & 0x00000008) == 0x00000008)) {
+          if (((bitField0_ & 0x00000008) != 0)) {
             identities_ = java.util.Collections.unmodifiableList(identities_);
             bitField0_ = (bitField0_ & ~0x00000008);
           }
@@ -10553,7 +10540,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.Request buildPartial() {
         } else {
           result.identities_ = identitiesBuilder_.build();
         }
-        if (((bitField0_ & 0x00000010) == 0x00000010)) {
+        if (((bitField0_ & 0x00000010) != 0)) {
           signatures_ = java.util.Collections.unmodifiableList(signatures_);
           bitField0_ = (bitField0_ & ~0x00000010);
         }
@@ -10565,35 +10552,35 @@ public ch.epfl.dedis.lib.proto.DarcProto.Request buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -10703,7 +10690,7 @@ public Builder mergeFrom(
        * required bytes baseid = 1;
        */
       public boolean hasBaseid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes baseid = 1;
@@ -10738,7 +10725,7 @@ public Builder clearBaseid() {
        * required string action = 2;
        */
       public boolean hasAction() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required string action = 2;
@@ -10814,7 +10801,7 @@ public Builder setActionBytes(
        * required bytes msg = 3;
        */
       public boolean hasMsg() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required bytes msg = 3;
@@ -10847,7 +10834,7 @@ public Builder clearMsg() {
       private java.util.List identities_ =
         java.util.Collections.emptyList();
       private void ensureIdentitiesIsMutable() {
-        if (!((bitField0_ & 0x00000008) == 0x00000008)) {
+        if (!((bitField0_ & 0x00000008) != 0)) {
           identities_ = new java.util.ArrayList(identities_);
           bitField0_ |= 0x00000008;
          }
@@ -11076,7 +11063,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.Identity.Builder addIdentitiesBuilder(
           identitiesBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.DarcProto.Identity, ch.epfl.dedis.lib.proto.DarcProto.Identity.Builder, ch.epfl.dedis.lib.proto.DarcProto.IdentityOrBuilder>(
                   identities_,
-                  ((bitField0_ & 0x00000008) == 0x00000008),
+                  ((bitField0_ & 0x00000008) != 0),
                   getParentForChildren(),
                   isClean());
           identities_ = null;
@@ -11086,7 +11073,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.Identity.Builder addIdentitiesBuilder(
 
       private java.util.List signatures_ = java.util.Collections.emptyList();
       private void ensureSignaturesIsMutable() {
-        if (!((bitField0_ & 0x00000010) == 0x00000010)) {
+        if (!((bitField0_ & 0x00000010) != 0)) {
           signatures_ = new java.util.ArrayList(signatures_);
           bitField0_ |= 0x00000010;
          }
@@ -11096,7 +11083,8 @@ private void ensureSignaturesIsMutable() {
        */
       public java.util.List
           getSignaturesList() {
-        return java.util.Collections.unmodifiableList(signatures_);
+        return ((bitField0_ & 0x00000010) != 0) ?
+                 java.util.Collections.unmodifiableList(signatures_) : signatures_;
       }
       /**
        * repeated bytes signatures = 5;
@@ -11281,7 +11269,7 @@ private Rules(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 list_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -11304,7 +11292,7 @@ private Rules(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           list_ = java.util.Collections.unmodifiableList(list_);
         }
         this.unknownFields = unknownFields.build();
@@ -11410,11 +11398,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.DarcProto.Rules other = (ch.epfl.dedis.lib.proto.DarcProto.Rules) obj;
 
-      boolean result = true;
-      result = result && getListList()
-          .equals(other.getListList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getListList()
+          .equals(other.getListList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -11600,7 +11587,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.Rules buildPartial() {
         ch.epfl.dedis.lib.proto.DarcProto.Rules result = new ch.epfl.dedis.lib.proto.DarcProto.Rules(this);
         int from_bitField0_ = bitField0_;
         if (listBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             list_ = java.util.Collections.unmodifiableList(list_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -11614,35 +11601,35 @@ public ch.epfl.dedis.lib.proto.DarcProto.Rules buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -11720,7 +11707,7 @@ public Builder mergeFrom(
       private java.util.List list_ =
         java.util.Collections.emptyList();
       private void ensureListIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           list_ = new java.util.ArrayList(list_);
           bitField0_ |= 0x00000001;
          }
@@ -11949,7 +11936,7 @@ public ch.epfl.dedis.lib.proto.DarcProto.Rule.Builder addListBuilder(
           listBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.DarcProto.Rule, ch.epfl.dedis.lib.proto.DarcProto.Rule.Builder, ch.epfl.dedis.lib.proto.DarcProto.RuleOrBuilder>(
                   list_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           list_ = null;
@@ -12131,7 +12118,7 @@ private Rule(
      * required string action = 1;
      */
     public boolean hasAction() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required string action = 1;
@@ -12173,7 +12160,7 @@ public java.lang.String getAction() {
      * required bytes expr = 2;
      */
     public boolean hasExpr() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes expr = 2;
@@ -12204,10 +12191,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 1, action_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, expr_);
       }
       unknownFields.writeTo(output);
@@ -12219,10 +12206,10 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, action_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, expr_);
       }
@@ -12241,19 +12228,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.DarcProto.Rule other = (ch.epfl.dedis.lib.proto.DarcProto.Rule) obj;
 
-      boolean result = true;
-      result = result && (hasAction() == other.hasAction());
+      if (hasAction() != other.hasAction()) return false;
       if (hasAction()) {
-        result = result && getAction()
-            .equals(other.getAction());
+        if (!getAction()
+            .equals(other.getAction())) return false;
       }
-      result = result && (hasExpr() == other.hasExpr());
+      if (hasExpr() != other.hasExpr()) return false;
       if (hasExpr()) {
-        result = result && getExpr()
-            .equals(other.getExpr());
+        if (!getExpr()
+            .equals(other.getExpr())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -12440,11 +12426,11 @@ public ch.epfl.dedis.lib.proto.DarcProto.Rule buildPartial() {
         ch.epfl.dedis.lib.proto.DarcProto.Rule result = new ch.epfl.dedis.lib.proto.DarcProto.Rule(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.action_ = action_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.expr_ = expr_;
@@ -12455,35 +12441,35 @@ public ch.epfl.dedis.lib.proto.DarcProto.Rule buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -12546,7 +12532,7 @@ public Builder mergeFrom(
        * required string action = 1;
        */
       public boolean hasAction() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required string action = 1;
@@ -12622,7 +12608,7 @@ public Builder setActionBytes(
        * required bytes expr = 2;
        */
       public boolean hasExpr() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes expr = 2;
diff --git a/external/java/src/main/java/ch/epfl/dedis/lib/proto/EventLogProto.java b/external/java/src/main/java/ch/epfl/dedis/lib/proto/EventLogProto.java
index 8c64807f84..5070cab9c6 100644
--- a/external/java/src/main/java/ch/epfl/dedis/lib/proto/EventLogProto.java
+++ b/external/java/src/main/java/ch/epfl/dedis/lib/proto/EventLogProto.java
@@ -119,8 +119,6 @@ private SearchRequest() {
       instance_ = com.google.protobuf.ByteString.EMPTY;
       id_ = com.google.protobuf.ByteString.EMPTY;
       topic_ = "";
-      from_ = 0L;
-      to_ = 0L;
     }
 
     @java.lang.Override
@@ -212,7 +210,7 @@ private SearchRequest(
      * required bytes instance = 1;
      */
     public boolean hasInstance() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes instance = 1;
@@ -227,7 +225,7 @@ public com.google.protobuf.ByteString getInstance() {
      * required bytes id = 2;
      */
     public boolean hasId() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes id = 2;
@@ -246,7 +244,7 @@ public com.google.protobuf.ByteString getId() {
      * required string topic = 3;
      */
     public boolean hasTopic() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -300,7 +298,7 @@ public java.lang.String getTopic() {
      * required sint64 from = 4;
      */
     public boolean hasFrom() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * 
@@ -323,7 +321,7 @@ public long getFrom() {
      * required sint64 to = 5;
      */
     public boolean hasTo() {
-      return ((bitField0_ & 0x00000010) == 0x00000010);
+      return ((bitField0_ & 0x00000010) != 0);
     }
     /**
      * 
@@ -370,19 +368,19 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, instance_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, id_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 3, topic_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeSInt64(4, from_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         output.writeSInt64(5, to_);
       }
       unknownFields.writeTo(output);
@@ -394,22 +392,22 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, instance_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, id_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(3, topic_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt64Size(4, from_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt64Size(5, to_);
       }
@@ -428,34 +426,33 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.EventLogProto.SearchRequest other = (ch.epfl.dedis.lib.proto.EventLogProto.SearchRequest) obj;
 
-      boolean result = true;
-      result = result && (hasInstance() == other.hasInstance());
+      if (hasInstance() != other.hasInstance()) return false;
       if (hasInstance()) {
-        result = result && getInstance()
-            .equals(other.getInstance());
+        if (!getInstance()
+            .equals(other.getInstance())) return false;
       }
-      result = result && (hasId() == other.hasId());
+      if (hasId() != other.hasId()) return false;
       if (hasId()) {
-        result = result && getId()
-            .equals(other.getId());
+        if (!getId()
+            .equals(other.getId())) return false;
       }
-      result = result && (hasTopic() == other.hasTopic());
+      if (hasTopic() != other.hasTopic()) return false;
       if (hasTopic()) {
-        result = result && getTopic()
-            .equals(other.getTopic());
+        if (!getTopic()
+            .equals(other.getTopic())) return false;
       }
-      result = result && (hasFrom() == other.hasFrom());
+      if (hasFrom() != other.hasFrom()) return false;
       if (hasFrom()) {
-        result = result && (getFrom()
-            == other.getFrom());
+        if (getFrom()
+            != other.getFrom()) return false;
       }
-      result = result && (hasTo() == other.hasTo());
+      if (hasTo() != other.hasTo()) return false;
       if (hasTo()) {
-        result = result && (getTo()
-            == other.getTo());
+        if (getTo()
+            != other.getTo()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -665,26 +662,26 @@ public ch.epfl.dedis.lib.proto.EventLogProto.SearchRequest buildPartial() {
         ch.epfl.dedis.lib.proto.EventLogProto.SearchRequest result = new ch.epfl.dedis.lib.proto.EventLogProto.SearchRequest(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.instance_ = instance_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.id_ = id_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.topic_ = topic_;
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
+          result.from_ = from_;
           to_bitField0_ |= 0x00000008;
         }
-        result.from_ = from_;
-        if (((from_bitField0_ & 0x00000010) == 0x00000010)) {
+        if (((from_bitField0_ & 0x00000010) != 0)) {
+          result.to_ = to_;
           to_bitField0_ |= 0x00000010;
         }
-        result.to_ = to_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -692,35 +689,35 @@ public ch.epfl.dedis.lib.proto.EventLogProto.SearchRequest buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -801,7 +798,7 @@ public Builder mergeFrom(
        * required bytes instance = 1;
        */
       public boolean hasInstance() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes instance = 1;
@@ -836,7 +833,7 @@ public Builder clearInstance() {
        * required bytes id = 2;
        */
       public boolean hasId() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes id = 2;
@@ -875,7 +872,7 @@ public Builder clearId() {
        * required string topic = 3;
        */
       public boolean hasTopic() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -975,7 +972,7 @@ public Builder setTopicBytes(
        * required sint64 from = 4;
        */
       public boolean hasFrom() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * 
@@ -1023,7 +1020,7 @@ public Builder clearFrom() {
        * required sint64 to = 5;
        */
       public boolean hasTo() {
-        return ((bitField0_ & 0x00000010) == 0x00000010);
+        return ((bitField0_ & 0x00000010) != 0);
       }
       /**
        * 
@@ -1181,7 +1178,6 @@ private SearchResponse(com.google.protobuf.GeneratedMessageV3.Builder builder
     }
     private SearchResponse() {
       events_ = java.util.Collections.emptyList();
-      truncated_ = false;
     }
 
     @java.lang.Override
@@ -1209,7 +1205,7 @@ private SearchResponse(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 events_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -1237,7 +1233,7 @@ private SearchResponse(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           events_ = java.util.Collections.unmodifiableList(events_);
         }
         this.unknownFields = unknownFields.build();
@@ -1305,7 +1301,7 @@ public ch.epfl.dedis.lib.proto.EventLogProto.EventOrBuilder getEventsOrBuilder(
      * required bool truncated = 2;
      */
     public boolean hasTruncated() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -1347,7 +1343,7 @@ public void writeTo(com.google.protobuf.CodedOutputStream output)
       for (int i = 0; i < events_.size(); i++) {
         output.writeMessage(1, events_.get(i));
       }
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBool(2, truncated_);
       }
       unknownFields.writeTo(output);
@@ -1363,7 +1359,7 @@ public int getSerializedSize() {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, events_.get(i));
       }
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBoolSize(2, truncated_);
       }
@@ -1382,16 +1378,15 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.EventLogProto.SearchResponse other = (ch.epfl.dedis.lib.proto.EventLogProto.SearchResponse) obj;
 
-      boolean result = true;
-      result = result && getEventsList()
-          .equals(other.getEventsList());
-      result = result && (hasTruncated() == other.hasTruncated());
+      if (!getEventsList()
+          .equals(other.getEventsList())) return false;
+      if (hasTruncated() != other.hasTruncated()) return false;
       if (hasTruncated()) {
-        result = result && (getTruncated()
-            == other.getTruncated());
+        if (getTruncated()
+            != other.getTruncated()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -1585,7 +1580,7 @@ public ch.epfl.dedis.lib.proto.EventLogProto.SearchResponse buildPartial() {
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
         if (eventsBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             events_ = java.util.Collections.unmodifiableList(events_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -1593,10 +1588,10 @@ public ch.epfl.dedis.lib.proto.EventLogProto.SearchResponse buildPartial() {
         } else {
           result.events_ = eventsBuilder_.build();
         }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          result.truncated_ = truncated_;
           to_bitField0_ |= 0x00000001;
         }
-        result.truncated_ = truncated_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -1604,35 +1599,35 @@ public ch.epfl.dedis.lib.proto.EventLogProto.SearchResponse buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -1716,7 +1711,7 @@ public Builder mergeFrom(
       private java.util.List events_ =
         java.util.Collections.emptyList();
       private void ensureEventsIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           events_ = new java.util.ArrayList(events_);
           bitField0_ |= 0x00000001;
          }
@@ -1945,7 +1940,7 @@ public ch.epfl.dedis.lib.proto.EventLogProto.Event.Builder addEventsBuilder(
           eventsBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.EventLogProto.Event, ch.epfl.dedis.lib.proto.EventLogProto.Event.Builder, ch.epfl.dedis.lib.proto.EventLogProto.EventOrBuilder>(
                   events_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           events_ = null;
@@ -1964,7 +1959,7 @@ public ch.epfl.dedis.lib.proto.EventLogProto.Event.Builder addEventsBuilder(
        * required bool truncated = 2;
        */
       public boolean hasTruncated() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -2120,7 +2115,6 @@ private Event(com.google.protobuf.GeneratedMessageV3.Builder builder) {
       super(builder);
     }
     private Event() {
-      when_ = 0L;
       topic_ = "";
       content_ = "";
     }
@@ -2205,7 +2199,7 @@ private Event(
      * required sint64 when = 1;
      */
     public boolean hasWhen() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required sint64 when = 1;
@@ -2220,7 +2214,7 @@ public long getWhen() {
      * required string topic = 2;
      */
     public boolean hasTopic() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required string topic = 2;
@@ -2262,7 +2256,7 @@ public java.lang.String getTopic() {
      * required string content = 3;
      */
     public boolean hasContent() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * required string content = 3;
@@ -2324,13 +2318,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeSInt64(1, when_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 2, topic_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 3, content_);
       }
       unknownFields.writeTo(output);
@@ -2342,14 +2336,14 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt64Size(1, when_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(2, topic_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(3, content_);
       }
       size += unknownFields.getSerializedSize();
@@ -2367,24 +2361,23 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.EventLogProto.Event other = (ch.epfl.dedis.lib.proto.EventLogProto.Event) obj;
 
-      boolean result = true;
-      result = result && (hasWhen() == other.hasWhen());
+      if (hasWhen() != other.hasWhen()) return false;
       if (hasWhen()) {
-        result = result && (getWhen()
-            == other.getWhen());
+        if (getWhen()
+            != other.getWhen()) return false;
       }
-      result = result && (hasTopic() == other.hasTopic());
+      if (hasTopic() != other.hasTopic()) return false;
       if (hasTopic()) {
-        result = result && getTopic()
-            .equals(other.getTopic());
+        if (!getTopic()
+            .equals(other.getTopic())) return false;
       }
-      result = result && (hasContent() == other.hasContent());
+      if (hasContent() != other.hasContent()) return false;
       if (hasContent()) {
-        result = result && getContent()
-            .equals(other.getContent());
+        if (!getContent()
+            .equals(other.getContent())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -2579,15 +2572,15 @@ public ch.epfl.dedis.lib.proto.EventLogProto.Event buildPartial() {
         ch.epfl.dedis.lib.proto.EventLogProto.Event result = new ch.epfl.dedis.lib.proto.EventLogProto.Event(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.when_ = when_;
           to_bitField0_ |= 0x00000001;
         }
-        result.when_ = when_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.topic_ = topic_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.content_ = content_;
@@ -2598,35 +2591,35 @@ public ch.epfl.dedis.lib.proto.EventLogProto.Event buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -2697,7 +2690,7 @@ public Builder mergeFrom(
        * required sint64 when = 1;
        */
       public boolean hasWhen() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required sint64 when = 1;
@@ -2729,7 +2722,7 @@ public Builder clearWhen() {
        * required string topic = 2;
        */
       public boolean hasTopic() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required string topic = 2;
@@ -2805,7 +2798,7 @@ public Builder setTopicBytes(
        * required string content = 3;
        */
       public boolean hasContent() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required string content = 3;
diff --git a/external/java/src/main/java/ch/epfl/dedis/lib/proto/NetworkProto.java b/external/java/src/main/java/ch/epfl/dedis/lib/proto/NetworkProto.java
index 5861083b51..6141d7182d 100644
--- a/external/java/src/main/java/ch/epfl/dedis/lib/proto/NetworkProto.java
+++ b/external/java/src/main/java/ch/epfl/dedis/lib/proto/NetworkProto.java
@@ -153,7 +153,7 @@ private ServerIdentity(
               break;
             }
             case 18: {
-              if (!((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
+              if (!((mutable_bitField0_ & 0x00000002) != 0)) {
                 serviceIdentities_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000002;
               }
@@ -199,7 +199,7 @@ private ServerIdentity(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((mutable_bitField0_ & 0x00000002) != 0)) {
           serviceIdentities_ = java.util.Collections.unmodifiableList(serviceIdentities_);
         }
         this.unknownFields = unknownFields.build();
@@ -226,7 +226,7 @@ private ServerIdentity(
      * required bytes public = 1;
      */
     public boolean hasPublic() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes public = 1;
@@ -276,7 +276,7 @@ public ch.epfl.dedis.lib.proto.NetworkProto.ServiceIdentityOrBuilder getServiceI
      * required bytes id = 3;
      */
     public boolean hasId() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes id = 3;
@@ -291,7 +291,7 @@ public com.google.protobuf.ByteString getId() {
      * required string address = 4;
      */
     public boolean hasAddress() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * required string address = 4;
@@ -333,7 +333,7 @@ public java.lang.String getAddress() {
      * required string description = 5;
      */
     public boolean hasDescription() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * required string description = 5;
@@ -375,7 +375,7 @@ public java.lang.String getDescription() {
      * optional string url = 6;
      */
     public boolean hasUrl() {
-      return ((bitField0_ & 0x00000010) == 0x00000010);
+      return ((bitField0_ & 0x00000010) != 0);
     }
     /**
      * optional string url = 6;
@@ -447,22 +447,22 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, public_);
       }
       for (int i = 0; i < serviceIdentities_.size(); i++) {
         output.writeMessage(2, serviceIdentities_.get(i));
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(3, id_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 4, address_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 5, description_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 6, url_);
       }
       unknownFields.writeTo(output);
@@ -474,7 +474,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, public_);
       }
@@ -482,17 +482,17 @@ public int getSerializedSize() {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, serviceIdentities_.get(i));
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, id_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(4, address_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(5, description_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(6, url_);
       }
       size += unknownFields.getSerializedSize();
@@ -510,36 +510,35 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity other = (ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity) obj;
 
-      boolean result = true;
-      result = result && (hasPublic() == other.hasPublic());
+      if (hasPublic() != other.hasPublic()) return false;
       if (hasPublic()) {
-        result = result && getPublic()
-            .equals(other.getPublic());
+        if (!getPublic()
+            .equals(other.getPublic())) return false;
       }
-      result = result && getServiceIdentitiesList()
-          .equals(other.getServiceIdentitiesList());
-      result = result && (hasId() == other.hasId());
+      if (!getServiceIdentitiesList()
+          .equals(other.getServiceIdentitiesList())) return false;
+      if (hasId() != other.hasId()) return false;
       if (hasId()) {
-        result = result && getId()
-            .equals(other.getId());
+        if (!getId()
+            .equals(other.getId())) return false;
       }
-      result = result && (hasAddress() == other.hasAddress());
+      if (hasAddress() != other.hasAddress()) return false;
       if (hasAddress()) {
-        result = result && getAddress()
-            .equals(other.getAddress());
+        if (!getAddress()
+            .equals(other.getAddress())) return false;
       }
-      result = result && (hasDescription() == other.hasDescription());
+      if (hasDescription() != other.hasDescription()) return false;
       if (hasDescription()) {
-        result = result && getDescription()
-            .equals(other.getDescription());
+        if (!getDescription()
+            .equals(other.getDescription())) return false;
       }
-      result = result && (hasUrl() == other.hasUrl());
+      if (hasUrl() != other.hasUrl()) return false;
       if (hasUrl()) {
-        result = result && getUrl()
-            .equals(other.getUrl());
+        if (!getUrl()
+            .equals(other.getUrl())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -751,12 +750,12 @@ public ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity buildPartial() {
         ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity result = new ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.public_ = public_;
         if (serviceIdentitiesBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002)) {
+          if (((bitField0_ & 0x00000002) != 0)) {
             serviceIdentities_ = java.util.Collections.unmodifiableList(serviceIdentities_);
             bitField0_ = (bitField0_ & ~0x00000002);
           }
@@ -764,19 +763,19 @@ public ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity buildPartial() {
         } else {
           result.serviceIdentities_ = serviceIdentitiesBuilder_.build();
         }
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.id_ = id_;
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.address_ = address_;
-        if (((from_bitField0_ & 0x00000010) == 0x00000010)) {
+        if (((from_bitField0_ & 0x00000010) != 0)) {
           to_bitField0_ |= 0x00000008;
         }
         result.description_ = description_;
-        if (((from_bitField0_ & 0x00000020) == 0x00000020)) {
+        if (((from_bitField0_ & 0x00000020) != 0)) {
           to_bitField0_ |= 0x00000010;
         }
         result.url_ = url_;
@@ -787,35 +786,35 @@ public ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -928,7 +927,7 @@ public Builder mergeFrom(
        * required bytes public = 1;
        */
       public boolean hasPublic() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes public = 1;
@@ -961,7 +960,7 @@ public Builder clearPublic() {
       private java.util.List serviceIdentities_ =
         java.util.Collections.emptyList();
       private void ensureServiceIdentitiesIsMutable() {
-        if (!((bitField0_ & 0x00000002) == 0x00000002)) {
+        if (!((bitField0_ & 0x00000002) != 0)) {
           serviceIdentities_ = new java.util.ArrayList(serviceIdentities_);
           bitField0_ |= 0x00000002;
          }
@@ -1190,7 +1189,7 @@ public ch.epfl.dedis.lib.proto.NetworkProto.ServiceIdentity.Builder addServiceId
           serviceIdentitiesBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.NetworkProto.ServiceIdentity, ch.epfl.dedis.lib.proto.NetworkProto.ServiceIdentity.Builder, ch.epfl.dedis.lib.proto.NetworkProto.ServiceIdentityOrBuilder>(
                   serviceIdentities_,
-                  ((bitField0_ & 0x00000002) == 0x00000002),
+                  ((bitField0_ & 0x00000002) != 0),
                   getParentForChildren(),
                   isClean());
           serviceIdentities_ = null;
@@ -1203,7 +1202,7 @@ public ch.epfl.dedis.lib.proto.NetworkProto.ServiceIdentity.Builder addServiceId
        * required bytes id = 3;
        */
       public boolean hasId() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required bytes id = 3;
@@ -1238,7 +1237,7 @@ public Builder clearId() {
        * required string address = 4;
        */
       public boolean hasAddress() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * required string address = 4;
@@ -1314,7 +1313,7 @@ public Builder setAddressBytes(
        * required string description = 5;
        */
       public boolean hasDescription() {
-        return ((bitField0_ & 0x00000010) == 0x00000010);
+        return ((bitField0_ & 0x00000010) != 0);
       }
       /**
        * required string description = 5;
@@ -1390,7 +1389,7 @@ public Builder setDescriptionBytes(
        * optional string url = 6;
        */
       public boolean hasUrl() {
-        return ((bitField0_ & 0x00000020) == 0x00000020);
+        return ((bitField0_ & 0x00000020) != 0);
       }
       /**
        * optional string url = 6;
@@ -1652,7 +1651,7 @@ private ServiceIdentity(
      * required string name = 1;
      */
     public boolean hasName() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required string name = 1;
@@ -1694,7 +1693,7 @@ public java.lang.String getName() {
      * required string suite = 2;
      */
     public boolean hasSuite() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required string suite = 2;
@@ -1736,7 +1735,7 @@ public java.lang.String getSuite() {
      * required bytes public = 3;
      */
     public boolean hasPublic() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * required bytes public = 3;
@@ -1771,13 +1770,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 1, name_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 2, suite_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeBytes(3, public_);
       }
       unknownFields.writeTo(output);
@@ -1789,13 +1788,13 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, name_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(2, suite_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, public_);
       }
@@ -1814,24 +1813,23 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.NetworkProto.ServiceIdentity other = (ch.epfl.dedis.lib.proto.NetworkProto.ServiceIdentity) obj;
 
-      boolean result = true;
-      result = result && (hasName() == other.hasName());
+      if (hasName() != other.hasName()) return false;
       if (hasName()) {
-        result = result && getName()
-            .equals(other.getName());
+        if (!getName()
+            .equals(other.getName())) return false;
       }
-      result = result && (hasSuite() == other.hasSuite());
+      if (hasSuite() != other.hasSuite()) return false;
       if (hasSuite()) {
-        result = result && getSuite()
-            .equals(other.getSuite());
+        if (!getSuite()
+            .equals(other.getSuite())) return false;
       }
-      result = result && (hasPublic() == other.hasPublic());
+      if (hasPublic() != other.hasPublic()) return false;
       if (hasPublic()) {
-        result = result && getPublic()
-            .equals(other.getPublic());
+        if (!getPublic()
+            .equals(other.getPublic())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -2020,15 +2018,15 @@ public ch.epfl.dedis.lib.proto.NetworkProto.ServiceIdentity buildPartial() {
         ch.epfl.dedis.lib.proto.NetworkProto.ServiceIdentity result = new ch.epfl.dedis.lib.proto.NetworkProto.ServiceIdentity(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.name_ = name_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.suite_ = suite_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.public_ = public_;
@@ -2039,35 +2037,35 @@ public ch.epfl.dedis.lib.proto.NetworkProto.ServiceIdentity buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -2138,7 +2136,7 @@ public Builder mergeFrom(
        * required string name = 1;
        */
       public boolean hasName() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required string name = 1;
@@ -2214,7 +2212,7 @@ public Builder setNameBytes(
        * required string suite = 2;
        */
       public boolean hasSuite() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required string suite = 2;
@@ -2290,7 +2288,7 @@ public Builder setSuiteBytes(
        * required bytes public = 3;
        */
       public boolean hasPublic() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required bytes public = 3;
diff --git a/external/java/src/main/java/ch/epfl/dedis/lib/proto/OCS.java b/external/java/src/main/java/ch/epfl/dedis/lib/proto/OCS.java
new file mode 100644
index 0000000000..f8935de0a4
--- /dev/null
+++ b/external/java/src/main/java/ch/epfl/dedis/lib/proto/OCS.java
@@ -0,0 +1,17363 @@
+// Generated by the protocol buffer compiler.  DO NOT EDIT!
+// source: ocs.proto
+
+package ch.epfl.dedis.lib.proto;
+
+public final class OCS {
+  private OCS() {}
+  public static void registerAllExtensions(
+      com.google.protobuf.ExtensionRegistryLite registry) {
+  }
+
+  public static void registerAllExtensions(
+      com.google.protobuf.ExtensionRegistry registry) {
+    registerAllExtensions(
+        (com.google.protobuf.ExtensionRegistryLite) registry);
+  }
+  public interface AddPolicyCreateOCSOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.AddPolicyCreateOCS)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required .ocs.Policy create = 1;
+     */
+    boolean hasCreate();
+    /**
+     * required .ocs.Policy create = 1;
+     */
+    ch.epfl.dedis.lib.proto.OCS.Policy getCreate();
+    /**
+     * required .ocs.Policy create = 1;
+     */
+    ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder getCreateOrBuilder();
+  }
+  /**
+   * 
+   * AddPolicyCreateOCS is sent by a local admin to add a rule to define who is
+   * authorized to create a new OCS.
+   * 

+   *
+   * Protobuf type {@code ocs.AddPolicyCreateOCS}
+   */
+  public  static final class AddPolicyCreateOCS extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.AddPolicyCreateOCS)
+      AddPolicyCreateOCSOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use AddPolicyCreateOCS.newBuilder() to construct.
+    private AddPolicyCreateOCS(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private AddPolicyCreateOCS() {
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private AddPolicyCreateOCS(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              ch.epfl.dedis.lib.proto.OCS.Policy.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000001) != 0)) {
+                subBuilder = create_.toBuilder();
+              }
+              create_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.Policy.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(create_);
+                create_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000001;
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AddPolicyCreateOCS_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AddPolicyCreateOCS_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS.class, ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int CREATE_FIELD_NUMBER = 1;
+    private ch.epfl.dedis.lib.proto.OCS.Policy create_;
+    /**
+     * required .ocs.Policy create = 1;
+     */
+    public boolean hasCreate() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required .ocs.Policy create = 1;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.Policy getCreate() {
+      return create_ == null ? ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : create_;
+    }
+    /**
+     * required .ocs.Policy create = 1;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder getCreateOrBuilder() {
+      return create_ == null ? ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : create_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasCreate()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!getCreate().isInitialized()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeMessage(1, getCreate());
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(1, getCreate());
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS other = (ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS) obj;
+
+      if (hasCreate() != other.hasCreate()) return false;
+      if (hasCreate()) {
+        if (!getCreate()
+            .equals(other.getCreate())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasCreate()) {
+        hash = (37 * hash) + CREATE_FIELD_NUMBER;
+        hash = (53 * hash) + getCreate().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * AddPolicyCreateOCS is sent by a local admin to add a rule to define who is
+     * authorized to create a new OCS.
+     * 

+     *
+     * Protobuf type {@code ocs.AddPolicyCreateOCS}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.AddPolicyCreateOCS)
+        ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AddPolicyCreateOCS_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AddPolicyCreateOCS_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS.class, ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+          getCreateFieldBuilder();
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        if (createBuilder_ == null) {
+          create_ = null;
+        } else {
+          createBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000001);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AddPolicyCreateOCS_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS build() {
+        ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS result = new ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (createBuilder_ == null) {
+            result.create_ = create_;
+          } else {
+            result.create_ = createBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000001;
+        }
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS.getDefaultInstance()) return this;
+        if (other.hasCreate()) {
+          mergeCreate(other.getCreate());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasCreate()) {
+          return false;
+        }
+        if (!getCreate().isInitialized()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private ch.epfl.dedis.lib.proto.OCS.Policy create_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.Policy, ch.epfl.dedis.lib.proto.OCS.Policy.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder> createBuilder_;
+      /**
+       * required .ocs.Policy create = 1;
+       */
+      public boolean hasCreate() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required .ocs.Policy create = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.Policy getCreate() {
+        if (createBuilder_ == null) {
+          return create_ == null ? ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : create_;
+        } else {
+          return createBuilder_.getMessage();
+        }
+      }
+      /**
+       * required .ocs.Policy create = 1;
+       */
+      public Builder setCreate(ch.epfl.dedis.lib.proto.OCS.Policy value) {
+        if (createBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          create_ = value;
+          onChanged();
+        } else {
+          createBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * required .ocs.Policy create = 1;
+       */
+      public Builder setCreate(
+          ch.epfl.dedis.lib.proto.OCS.Policy.Builder builderForValue) {
+        if (createBuilder_ == null) {
+          create_ = builderForValue.build();
+          onChanged();
+        } else {
+          createBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * required .ocs.Policy create = 1;
+       */
+      public Builder mergeCreate(ch.epfl.dedis.lib.proto.OCS.Policy value) {
+        if (createBuilder_ == null) {
+          if (((bitField0_ & 0x00000001) != 0) &&
+              create_ != null &&
+              create_ != ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance()) {
+            create_ =
+              ch.epfl.dedis.lib.proto.OCS.Policy.newBuilder(create_).mergeFrom(value).buildPartial();
+          } else {
+            create_ = value;
+          }
+          onChanged();
+        } else {
+          createBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * required .ocs.Policy create = 1;
+       */
+      public Builder clearCreate() {
+        if (createBuilder_ == null) {
+          create_ = null;
+          onChanged();
+        } else {
+          createBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000001);
+        return this;
+      }
+      /**
+       * required .ocs.Policy create = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.Policy.Builder getCreateBuilder() {
+        bitField0_ |= 0x00000001;
+        onChanged();
+        return getCreateFieldBuilder().getBuilder();
+      }
+      /**
+       * required .ocs.Policy create = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder getCreateOrBuilder() {
+        if (createBuilder_ != null) {
+          return createBuilder_.getMessageOrBuilder();
+        } else {
+          return create_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : create_;
+        }
+      }
+      /**
+       * required .ocs.Policy create = 1;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.Policy, ch.epfl.dedis.lib.proto.OCS.Policy.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder> 
+          getCreateFieldBuilder() {
+        if (createBuilder_ == null) {
+          createBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.Policy, ch.epfl.dedis.lib.proto.OCS.Policy.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder>(
+                  getCreate(),
+                  getParentForChildren(),
+                  isClean());
+          create_ = null;
+        }
+        return createBuilder_;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.AddPolicyCreateOCS)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.AddPolicyCreateOCS)
+    private static final ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public AddPolicyCreateOCS parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new AddPolicyCreateOCS(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCS getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface AddPolicyCreateOCSReplyOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.AddPolicyCreateOCSReply)
+      com.google.protobuf.MessageOrBuilder {
+  }
+  /**
+   * 
+   * AddPolicyCreateOCSReply is an empty reply if the policy has been successfully
+   * created.
+   * 

+   *
+   * Protobuf type {@code ocs.AddPolicyCreateOCSReply}
+   */
+  public  static final class AddPolicyCreateOCSReply extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.AddPolicyCreateOCSReply)
+      AddPolicyCreateOCSReplyOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use AddPolicyCreateOCSReply.newBuilder() to construct.
+    private AddPolicyCreateOCSReply(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private AddPolicyCreateOCSReply() {
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private AddPolicyCreateOCSReply(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AddPolicyCreateOCSReply_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AddPolicyCreateOCSReply_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply.class, ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply.Builder.class);
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply other = (ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply) obj;
+
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * AddPolicyCreateOCSReply is an empty reply if the policy has been successfully
+     * created.
+     * 

+     *
+     * Protobuf type {@code ocs.AddPolicyCreateOCSReply}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.AddPolicyCreateOCSReply)
+        ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReplyOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AddPolicyCreateOCSReply_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AddPolicyCreateOCSReply_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply.class, ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AddPolicyCreateOCSReply_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply build() {
+        ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply result = new ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply(this);
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply.getDefaultInstance()) return this;
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.AddPolicyCreateOCSReply)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.AddPolicyCreateOCSReply)
+    private static final ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public AddPolicyCreateOCSReply parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new AddPolicyCreateOCSReply(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.AddPolicyCreateOCSReply getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface CreateOCSOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.CreateOCS)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required .onet.Roster roster = 1;
+     */
+    boolean hasRoster();
+    /**
+     * required .onet.Roster roster = 1;
+     */
+    ch.epfl.dedis.lib.proto.OnetProto.Roster getRoster();
+    /**
+     * required .onet.Roster roster = 1;
+     */
+    ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getRosterOrBuilder();
+
+    /**
+     * required .ocs.Policy policyreencrypt = 2;
+     */
+    boolean hasPolicyreencrypt();
+    /**
+     * required .ocs.Policy policyreencrypt = 2;
+     */
+    ch.epfl.dedis.lib.proto.OCS.Policy getPolicyreencrypt();
+    /**
+     * required .ocs.Policy policyreencrypt = 2;
+     */
+    ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder getPolicyreencryptOrBuilder();
+
+    /**
+     * required .ocs.Policy policyreshare = 3;
+     */
+    boolean hasPolicyreshare();
+    /**
+     * required .ocs.Policy policyreshare = 3;
+     */
+    ch.epfl.dedis.lib.proto.OCS.Policy getPolicyreshare();
+    /**
+     * required .ocs.Policy policyreshare = 3;
+     */
+    ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder getPolicyreshareOrBuilder();
+  }
+  /**
+   * 
+   * CreateOCS is sent to the service to request a new OCS cothority.
+   * It holds the two policies necessary to define an OCS: how to
+   * authenticate a reencryption request, and how to authenticate a
+   * resharing request.
+   * In the current form, both policies point to the same structure. If at
+   * a later moment a new access control backend is added, it might be that
+   * the policies will differ for this new backend.
+   * 

+   *
+   * Protobuf type {@code ocs.CreateOCS}
+   */
+  public  static final class CreateOCS extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.CreateOCS)
+      CreateOCSOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use CreateOCS.newBuilder() to construct.
+    private CreateOCS(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private CreateOCS() {
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private CreateOCS(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000001) != 0)) {
+                subBuilder = roster_.toBuilder();
+              }
+              roster_ = input.readMessage(ch.epfl.dedis.lib.proto.OnetProto.Roster.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(roster_);
+                roster_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000001;
+              break;
+            }
+            case 18: {
+              ch.epfl.dedis.lib.proto.OCS.Policy.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000002) != 0)) {
+                subBuilder = policyreencrypt_.toBuilder();
+              }
+              policyreencrypt_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.Policy.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(policyreencrypt_);
+                policyreencrypt_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000002;
+              break;
+            }
+            case 26: {
+              ch.epfl.dedis.lib.proto.OCS.Policy.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000004) != 0)) {
+                subBuilder = policyreshare_.toBuilder();
+              }
+              policyreshare_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.Policy.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(policyreshare_);
+                policyreshare_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000004;
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_CreateOCS_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_CreateOCS_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.CreateOCS.class, ch.epfl.dedis.lib.proto.OCS.CreateOCS.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int ROSTER_FIELD_NUMBER = 1;
+    private ch.epfl.dedis.lib.proto.OnetProto.Roster roster_;
+    /**
+     * required .onet.Roster roster = 1;
+     */
+    public boolean hasRoster() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required .onet.Roster roster = 1;
+     */
+    public ch.epfl.dedis.lib.proto.OnetProto.Roster getRoster() {
+      return roster_ == null ? ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance() : roster_;
+    }
+    /**
+     * required .onet.Roster roster = 1;
+     */
+    public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getRosterOrBuilder() {
+      return roster_ == null ? ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance() : roster_;
+    }
+
+    public static final int POLICYREENCRYPT_FIELD_NUMBER = 2;
+    private ch.epfl.dedis.lib.proto.OCS.Policy policyreencrypt_;
+    /**
+     * required .ocs.Policy policyreencrypt = 2;
+     */
+    public boolean hasPolicyreencrypt() {
+      return ((bitField0_ & 0x00000002) != 0);
+    }
+    /**
+     * required .ocs.Policy policyreencrypt = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.Policy getPolicyreencrypt() {
+      return policyreencrypt_ == null ? ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreencrypt_;
+    }
+    /**
+     * required .ocs.Policy policyreencrypt = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder getPolicyreencryptOrBuilder() {
+      return policyreencrypt_ == null ? ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreencrypt_;
+    }
+
+    public static final int POLICYRESHARE_FIELD_NUMBER = 3;
+    private ch.epfl.dedis.lib.proto.OCS.Policy policyreshare_;
+    /**
+     * required .ocs.Policy policyreshare = 3;
+     */
+    public boolean hasPolicyreshare() {
+      return ((bitField0_ & 0x00000004) != 0);
+    }
+    /**
+     * required .ocs.Policy policyreshare = 3;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.Policy getPolicyreshare() {
+      return policyreshare_ == null ? ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreshare_;
+    }
+    /**
+     * required .ocs.Policy policyreshare = 3;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder getPolicyreshareOrBuilder() {
+      return policyreshare_ == null ? ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreshare_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasRoster()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!hasPolicyreencrypt()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!hasPolicyreshare()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!getRoster().isInitialized()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!getPolicyreencrypt().isInitialized()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!getPolicyreshare().isInitialized()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeMessage(1, getRoster());
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        output.writeMessage(2, getPolicyreencrypt());
+      }
+      if (((bitField0_ & 0x00000004) != 0)) {
+        output.writeMessage(3, getPolicyreshare());
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(1, getRoster());
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(2, getPolicyreencrypt());
+      }
+      if (((bitField0_ & 0x00000004) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(3, getPolicyreshare());
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.CreateOCS)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.CreateOCS other = (ch.epfl.dedis.lib.proto.OCS.CreateOCS) obj;
+
+      if (hasRoster() != other.hasRoster()) return false;
+      if (hasRoster()) {
+        if (!getRoster()
+            .equals(other.getRoster())) return false;
+      }
+      if (hasPolicyreencrypt() != other.hasPolicyreencrypt()) return false;
+      if (hasPolicyreencrypt()) {
+        if (!getPolicyreencrypt()
+            .equals(other.getPolicyreencrypt())) return false;
+      }
+      if (hasPolicyreshare() != other.hasPolicyreshare()) return false;
+      if (hasPolicyreshare()) {
+        if (!getPolicyreshare()
+            .equals(other.getPolicyreshare())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasRoster()) {
+        hash = (37 * hash) + ROSTER_FIELD_NUMBER;
+        hash = (53 * hash) + getRoster().hashCode();
+      }
+      if (hasPolicyreencrypt()) {
+        hash = (37 * hash) + POLICYREENCRYPT_FIELD_NUMBER;
+        hash = (53 * hash) + getPolicyreencrypt().hashCode();
+      }
+      if (hasPolicyreshare()) {
+        hash = (37 * hash) + POLICYRESHARE_FIELD_NUMBER;
+        hash = (53 * hash) + getPolicyreshare().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCS parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCS parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCS parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCS parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCS parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCS parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCS parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCS parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCS parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCS parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCS parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCS parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.CreateOCS prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * CreateOCS is sent to the service to request a new OCS cothority.
+     * It holds the two policies necessary to define an OCS: how to
+     * authenticate a reencryption request, and how to authenticate a
+     * resharing request.
+     * In the current form, both policies point to the same structure. If at
+     * a later moment a new access control backend is added, it might be that
+     * the policies will differ for this new backend.
+     * 

+     *
+     * Protobuf type {@code ocs.CreateOCS}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.CreateOCS)
+        ch.epfl.dedis.lib.proto.OCS.CreateOCSOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_CreateOCS_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_CreateOCS_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.CreateOCS.class, ch.epfl.dedis.lib.proto.OCS.CreateOCS.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.CreateOCS.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+          getRosterFieldBuilder();
+          getPolicyreencryptFieldBuilder();
+          getPolicyreshareFieldBuilder();
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        if (rosterBuilder_ == null) {
+          roster_ = null;
+        } else {
+          rosterBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000001);
+        if (policyreencryptBuilder_ == null) {
+          policyreencrypt_ = null;
+        } else {
+          policyreencryptBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        if (policyreshareBuilder_ == null) {
+          policyreshare_ = null;
+        } else {
+          policyreshareBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000004);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_CreateOCS_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.CreateOCS getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.CreateOCS.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.CreateOCS build() {
+        ch.epfl.dedis.lib.proto.OCS.CreateOCS result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.CreateOCS buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.CreateOCS result = new ch.epfl.dedis.lib.proto.OCS.CreateOCS(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (rosterBuilder_ == null) {
+            result.roster_ = roster_;
+          } else {
+            result.roster_ = rosterBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000001;
+        }
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (policyreencryptBuilder_ == null) {
+            result.policyreencrypt_ = policyreencrypt_;
+          } else {
+            result.policyreencrypt_ = policyreencryptBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000002;
+        }
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          if (policyreshareBuilder_ == null) {
+            result.policyreshare_ = policyreshare_;
+          } else {
+            result.policyreshare_ = policyreshareBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000004;
+        }
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.CreateOCS) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.CreateOCS)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.CreateOCS other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.CreateOCS.getDefaultInstance()) return this;
+        if (other.hasRoster()) {
+          mergeRoster(other.getRoster());
+        }
+        if (other.hasPolicyreencrypt()) {
+          mergePolicyreencrypt(other.getPolicyreencrypt());
+        }
+        if (other.hasPolicyreshare()) {
+          mergePolicyreshare(other.getPolicyreshare());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasRoster()) {
+          return false;
+        }
+        if (!hasPolicyreencrypt()) {
+          return false;
+        }
+        if (!hasPolicyreshare()) {
+          return false;
+        }
+        if (!getRoster().isInitialized()) {
+          return false;
+        }
+        if (!getPolicyreencrypt().isInitialized()) {
+          return false;
+        }
+        if (!getPolicyreshare().isInitialized()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.CreateOCS parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.CreateOCS) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private ch.epfl.dedis.lib.proto.OnetProto.Roster roster_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OnetProto.Roster, ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder, ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder> rosterBuilder_;
+      /**
+       * required .onet.Roster roster = 1;
+       */
+      public boolean hasRoster() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required .onet.Roster roster = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OnetProto.Roster getRoster() {
+        if (rosterBuilder_ == null) {
+          return roster_ == null ? ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance() : roster_;
+        } else {
+          return rosterBuilder_.getMessage();
+        }
+      }
+      /**
+       * required .onet.Roster roster = 1;
+       */
+      public Builder setRoster(ch.epfl.dedis.lib.proto.OnetProto.Roster value) {
+        if (rosterBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          roster_ = value;
+          onChanged();
+        } else {
+          rosterBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * required .onet.Roster roster = 1;
+       */
+      public Builder setRoster(
+          ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder builderForValue) {
+        if (rosterBuilder_ == null) {
+          roster_ = builderForValue.build();
+          onChanged();
+        } else {
+          rosterBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * required .onet.Roster roster = 1;
+       */
+      public Builder mergeRoster(ch.epfl.dedis.lib.proto.OnetProto.Roster value) {
+        if (rosterBuilder_ == null) {
+          if (((bitField0_ & 0x00000001) != 0) &&
+              roster_ != null &&
+              roster_ != ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance()) {
+            roster_ =
+              ch.epfl.dedis.lib.proto.OnetProto.Roster.newBuilder(roster_).mergeFrom(value).buildPartial();
+          } else {
+            roster_ = value;
+          }
+          onChanged();
+        } else {
+          rosterBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * required .onet.Roster roster = 1;
+       */
+      public Builder clearRoster() {
+        if (rosterBuilder_ == null) {
+          roster_ = null;
+          onChanged();
+        } else {
+          rosterBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000001);
+        return this;
+      }
+      /**
+       * required .onet.Roster roster = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder getRosterBuilder() {
+        bitField0_ |= 0x00000001;
+        onChanged();
+        return getRosterFieldBuilder().getBuilder();
+      }
+      /**
+       * required .onet.Roster roster = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getRosterOrBuilder() {
+        if (rosterBuilder_ != null) {
+          return rosterBuilder_.getMessageOrBuilder();
+        } else {
+          return roster_ == null ?
+              ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance() : roster_;
+        }
+      }
+      /**
+       * required .onet.Roster roster = 1;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OnetProto.Roster, ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder, ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder> 
+          getRosterFieldBuilder() {
+        if (rosterBuilder_ == null) {
+          rosterBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OnetProto.Roster, ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder, ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder>(
+                  getRoster(),
+                  getParentForChildren(),
+                  isClean());
+          roster_ = null;
+        }
+        return rosterBuilder_;
+      }
+
+      private ch.epfl.dedis.lib.proto.OCS.Policy policyreencrypt_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.Policy, ch.epfl.dedis.lib.proto.OCS.Policy.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder> policyreencryptBuilder_;
+      /**
+       * required .ocs.Policy policyreencrypt = 2;
+       */
+      public boolean hasPolicyreencrypt() {
+        return ((bitField0_ & 0x00000002) != 0);
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.Policy getPolicyreencrypt() {
+        if (policyreencryptBuilder_ == null) {
+          return policyreencrypt_ == null ? ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreencrypt_;
+        } else {
+          return policyreencryptBuilder_.getMessage();
+        }
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 2;
+       */
+      public Builder setPolicyreencrypt(ch.epfl.dedis.lib.proto.OCS.Policy value) {
+        if (policyreencryptBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          policyreencrypt_ = value;
+          onChanged();
+        } else {
+          policyreencryptBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 2;
+       */
+      public Builder setPolicyreencrypt(
+          ch.epfl.dedis.lib.proto.OCS.Policy.Builder builderForValue) {
+        if (policyreencryptBuilder_ == null) {
+          policyreencrypt_ = builderForValue.build();
+          onChanged();
+        } else {
+          policyreencryptBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 2;
+       */
+      public Builder mergePolicyreencrypt(ch.epfl.dedis.lib.proto.OCS.Policy value) {
+        if (policyreencryptBuilder_ == null) {
+          if (((bitField0_ & 0x00000002) != 0) &&
+              policyreencrypt_ != null &&
+              policyreencrypt_ != ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance()) {
+            policyreencrypt_ =
+              ch.epfl.dedis.lib.proto.OCS.Policy.newBuilder(policyreencrypt_).mergeFrom(value).buildPartial();
+          } else {
+            policyreencrypt_ = value;
+          }
+          onChanged();
+        } else {
+          policyreencryptBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 2;
+       */
+      public Builder clearPolicyreencrypt() {
+        if (policyreencryptBuilder_ == null) {
+          policyreencrypt_ = null;
+          onChanged();
+        } else {
+          policyreencryptBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.Policy.Builder getPolicyreencryptBuilder() {
+        bitField0_ |= 0x00000002;
+        onChanged();
+        return getPolicyreencryptFieldBuilder().getBuilder();
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder getPolicyreencryptOrBuilder() {
+        if (policyreencryptBuilder_ != null) {
+          return policyreencryptBuilder_.getMessageOrBuilder();
+        } else {
+          return policyreencrypt_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreencrypt_;
+        }
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 2;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.Policy, ch.epfl.dedis.lib.proto.OCS.Policy.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder> 
+          getPolicyreencryptFieldBuilder() {
+        if (policyreencryptBuilder_ == null) {
+          policyreencryptBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.Policy, ch.epfl.dedis.lib.proto.OCS.Policy.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder>(
+                  getPolicyreencrypt(),
+                  getParentForChildren(),
+                  isClean());
+          policyreencrypt_ = null;
+        }
+        return policyreencryptBuilder_;
+      }
+
+      private ch.epfl.dedis.lib.proto.OCS.Policy policyreshare_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.Policy, ch.epfl.dedis.lib.proto.OCS.Policy.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder> policyreshareBuilder_;
+      /**
+       * required .ocs.Policy policyreshare = 3;
+       */
+      public boolean hasPolicyreshare() {
+        return ((bitField0_ & 0x00000004) != 0);
+      }
+      /**
+       * required .ocs.Policy policyreshare = 3;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.Policy getPolicyreshare() {
+        if (policyreshareBuilder_ == null) {
+          return policyreshare_ == null ? ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreshare_;
+        } else {
+          return policyreshareBuilder_.getMessage();
+        }
+      }
+      /**
+       * required .ocs.Policy policyreshare = 3;
+       */
+      public Builder setPolicyreshare(ch.epfl.dedis.lib.proto.OCS.Policy value) {
+        if (policyreshareBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          policyreshare_ = value;
+          onChanged();
+        } else {
+          policyreshareBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000004;
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreshare = 3;
+       */
+      public Builder setPolicyreshare(
+          ch.epfl.dedis.lib.proto.OCS.Policy.Builder builderForValue) {
+        if (policyreshareBuilder_ == null) {
+          policyreshare_ = builderForValue.build();
+          onChanged();
+        } else {
+          policyreshareBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000004;
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreshare = 3;
+       */
+      public Builder mergePolicyreshare(ch.epfl.dedis.lib.proto.OCS.Policy value) {
+        if (policyreshareBuilder_ == null) {
+          if (((bitField0_ & 0x00000004) != 0) &&
+              policyreshare_ != null &&
+              policyreshare_ != ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance()) {
+            policyreshare_ =
+              ch.epfl.dedis.lib.proto.OCS.Policy.newBuilder(policyreshare_).mergeFrom(value).buildPartial();
+          } else {
+            policyreshare_ = value;
+          }
+          onChanged();
+        } else {
+          policyreshareBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000004;
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreshare = 3;
+       */
+      public Builder clearPolicyreshare() {
+        if (policyreshareBuilder_ == null) {
+          policyreshare_ = null;
+          onChanged();
+        } else {
+          policyreshareBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000004);
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreshare = 3;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.Policy.Builder getPolicyreshareBuilder() {
+        bitField0_ |= 0x00000004;
+        onChanged();
+        return getPolicyreshareFieldBuilder().getBuilder();
+      }
+      /**
+       * required .ocs.Policy policyreshare = 3;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder getPolicyreshareOrBuilder() {
+        if (policyreshareBuilder_ != null) {
+          return policyreshareBuilder_.getMessageOrBuilder();
+        } else {
+          return policyreshare_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreshare_;
+        }
+      }
+      /**
+       * required .ocs.Policy policyreshare = 3;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.Policy, ch.epfl.dedis.lib.proto.OCS.Policy.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder> 
+          getPolicyreshareFieldBuilder() {
+        if (policyreshareBuilder_ == null) {
+          policyreshareBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.Policy, ch.epfl.dedis.lib.proto.OCS.Policy.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder>(
+                  getPolicyreshare(),
+                  getParentForChildren(),
+                  isClean());
+          policyreshare_ = null;
+        }
+        return policyreshareBuilder_;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.CreateOCS)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.CreateOCS)
+    private static final ch.epfl.dedis.lib.proto.OCS.CreateOCS DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.CreateOCS();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCS getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public CreateOCS parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new CreateOCS(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.CreateOCS getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface CreateOCSReplyOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.CreateOCSReply)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required bytes ocsid = 1;
+     */
+    boolean hasOcsid();
+    /**
+     * required bytes ocsid = 1;
+     */
+    com.google.protobuf.ByteString getOcsid();
+  }
+  /**
+   * 
+   * CreateOCSReply is the reply sent by the conode if the OCS has been
+   * setup correctly. It contains the ID of the OCS, which is the binary
+   * representation of the aggregate public key. It also has the Sig, which
+   * is the collective signature of all nodes on the aggregate public key
+   * and the authentication.
+   * 

+   *
+   * Protobuf type {@code ocs.CreateOCSReply}
+   */
+  public  static final class CreateOCSReply extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.CreateOCSReply)
+      CreateOCSReplyOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use CreateOCSReply.newBuilder() to construct.
+    private CreateOCSReply(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private CreateOCSReply() {
+      ocsid_ = com.google.protobuf.ByteString.EMPTY;
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private CreateOCSReply(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              bitField0_ |= 0x00000001;
+              ocsid_ = input.readBytes();
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_CreateOCSReply_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_CreateOCSReply_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.CreateOCSReply.class, ch.epfl.dedis.lib.proto.OCS.CreateOCSReply.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int OCSID_FIELD_NUMBER = 1;
+    private com.google.protobuf.ByteString ocsid_;
+    /**
+     * required bytes ocsid = 1;
+     */
+    public boolean hasOcsid() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required bytes ocsid = 1;
+     */
+    public com.google.protobuf.ByteString getOcsid() {
+      return ocsid_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasOcsid()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeBytes(1, ocsid_);
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(1, ocsid_);
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.CreateOCSReply)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.CreateOCSReply other = (ch.epfl.dedis.lib.proto.OCS.CreateOCSReply) obj;
+
+      if (hasOcsid() != other.hasOcsid()) return false;
+      if (hasOcsid()) {
+        if (!getOcsid()
+            .equals(other.getOcsid())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasOcsid()) {
+        hash = (37 * hash) + OCSID_FIELD_NUMBER;
+        hash = (53 * hash) + getOcsid().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCSReply parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCSReply parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCSReply parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCSReply parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCSReply parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCSReply parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCSReply parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCSReply parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCSReply parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCSReply parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCSReply parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCSReply parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.CreateOCSReply prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * CreateOCSReply is the reply sent by the conode if the OCS has been
+     * setup correctly. It contains the ID of the OCS, which is the binary
+     * representation of the aggregate public key. It also has the Sig, which
+     * is the collective signature of all nodes on the aggregate public key
+     * and the authentication.
+     * 

+     *
+     * Protobuf type {@code ocs.CreateOCSReply}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.CreateOCSReply)
+        ch.epfl.dedis.lib.proto.OCS.CreateOCSReplyOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_CreateOCSReply_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_CreateOCSReply_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.CreateOCSReply.class, ch.epfl.dedis.lib.proto.OCS.CreateOCSReply.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.CreateOCSReply.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        ocsid_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000001);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_CreateOCSReply_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.CreateOCSReply getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.CreateOCSReply.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.CreateOCSReply build() {
+        ch.epfl.dedis.lib.proto.OCS.CreateOCSReply result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.CreateOCSReply buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.CreateOCSReply result = new ch.epfl.dedis.lib.proto.OCS.CreateOCSReply(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          to_bitField0_ |= 0x00000001;
+        }
+        result.ocsid_ = ocsid_;
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.CreateOCSReply) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.CreateOCSReply)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.CreateOCSReply other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.CreateOCSReply.getDefaultInstance()) return this;
+        if (other.hasOcsid()) {
+          setOcsid(other.getOcsid());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasOcsid()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.CreateOCSReply parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.CreateOCSReply) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private com.google.protobuf.ByteString ocsid_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * required bytes ocsid = 1;
+       */
+      public boolean hasOcsid() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required bytes ocsid = 1;
+       */
+      public com.google.protobuf.ByteString getOcsid() {
+        return ocsid_;
+      }
+      /**
+       * required bytes ocsid = 1;
+       */
+      public Builder setOcsid(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000001;
+        ocsid_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required bytes ocsid = 1;
+       */
+      public Builder clearOcsid() {
+        bitField0_ = (bitField0_ & ~0x00000001);
+        ocsid_ = getDefaultInstance().getOcsid();
+        onChanged();
+        return this;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.CreateOCSReply)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.CreateOCSReply)
+    private static final ch.epfl.dedis.lib.proto.OCS.CreateOCSReply DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.CreateOCSReply();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.CreateOCSReply getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public CreateOCSReply parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new CreateOCSReply(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.CreateOCSReply getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface GetProofOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.GetProof)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required bytes ocsid = 1;
+     */
+    boolean hasOcsid();
+    /**
+     * required bytes ocsid = 1;
+     */
+    com.google.protobuf.ByteString getOcsid();
+  }
+  /**
+   * 
+   * GetProof is sent to a node to have him sign his definition of the
+   * given OCS.
+   * 

+   *
+   * Protobuf type {@code ocs.GetProof}
+   */
+  public  static final class GetProof extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.GetProof)
+      GetProofOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use GetProof.newBuilder() to construct.
+    private GetProof(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private GetProof() {
+      ocsid_ = com.google.protobuf.ByteString.EMPTY;
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private GetProof(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              bitField0_ |= 0x00000001;
+              ocsid_ = input.readBytes();
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_GetProof_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_GetProof_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.GetProof.class, ch.epfl.dedis.lib.proto.OCS.GetProof.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int OCSID_FIELD_NUMBER = 1;
+    private com.google.protobuf.ByteString ocsid_;
+    /**
+     * required bytes ocsid = 1;
+     */
+    public boolean hasOcsid() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required bytes ocsid = 1;
+     */
+    public com.google.protobuf.ByteString getOcsid() {
+      return ocsid_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasOcsid()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeBytes(1, ocsid_);
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(1, ocsid_);
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.GetProof)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.GetProof other = (ch.epfl.dedis.lib.proto.OCS.GetProof) obj;
+
+      if (hasOcsid() != other.hasOcsid()) return false;
+      if (hasOcsid()) {
+        if (!getOcsid()
+            .equals(other.getOcsid())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasOcsid()) {
+        hash = (37 * hash) + OCSID_FIELD_NUMBER;
+        hash = (53 * hash) + getOcsid().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.GetProof parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProof parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProof parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProof parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProof parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProof parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProof parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProof parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProof parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProof parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProof parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProof parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.GetProof prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * GetProof is sent to a node to have him sign his definition of the
+     * given OCS.
+     * 

+     *
+     * Protobuf type {@code ocs.GetProof}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.GetProof)
+        ch.epfl.dedis.lib.proto.OCS.GetProofOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_GetProof_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_GetProof_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.GetProof.class, ch.epfl.dedis.lib.proto.OCS.GetProof.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.GetProof.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        ocsid_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000001);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_GetProof_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.GetProof getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.GetProof.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.GetProof build() {
+        ch.epfl.dedis.lib.proto.OCS.GetProof result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.GetProof buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.GetProof result = new ch.epfl.dedis.lib.proto.OCS.GetProof(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          to_bitField0_ |= 0x00000001;
+        }
+        result.ocsid_ = ocsid_;
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.GetProof) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.GetProof)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.GetProof other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.GetProof.getDefaultInstance()) return this;
+        if (other.hasOcsid()) {
+          setOcsid(other.getOcsid());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasOcsid()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.GetProof parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.GetProof) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private com.google.protobuf.ByteString ocsid_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * required bytes ocsid = 1;
+       */
+      public boolean hasOcsid() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required bytes ocsid = 1;
+       */
+      public com.google.protobuf.ByteString getOcsid() {
+        return ocsid_;
+      }
+      /**
+       * required bytes ocsid = 1;
+       */
+      public Builder setOcsid(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000001;
+        ocsid_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required bytes ocsid = 1;
+       */
+      public Builder clearOcsid() {
+        bitField0_ = (bitField0_ & ~0x00000001);
+        ocsid_ = getDefaultInstance().getOcsid();
+        onChanged();
+        return this;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.GetProof)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.GetProof)
+    private static final ch.epfl.dedis.lib.proto.OCS.GetProof DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.GetProof();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.GetProof getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public GetProof parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new GetProof(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.GetProof getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface GetProofReplyOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.GetProofReply)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required .ocs.OCSProof proof = 1;
+     */
+    boolean hasProof();
+    /**
+     * required .ocs.OCSProof proof = 1;
+     */
+    ch.epfl.dedis.lib.proto.OCS.OCSProof getProof();
+    /**
+     * required .ocs.OCSProof proof = 1;
+     */
+    ch.epfl.dedis.lib.proto.OCS.OCSProofOrBuilder getProofOrBuilder();
+  }
+  /**
+   * 
+   * GetProofReply contains the additional info that node has on the given
+   * OCS, as well as a signature using the services private key.
+   * 

+   *
+   * Protobuf type {@code ocs.GetProofReply}
+   */
+  public  static final class GetProofReply extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.GetProofReply)
+      GetProofReplyOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use GetProofReply.newBuilder() to construct.
+    private GetProofReply(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private GetProofReply() {
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private GetProofReply(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              ch.epfl.dedis.lib.proto.OCS.OCSProof.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000001) != 0)) {
+                subBuilder = proof_.toBuilder();
+              }
+              proof_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.OCSProof.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(proof_);
+                proof_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000001;
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_GetProofReply_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_GetProofReply_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.GetProofReply.class, ch.epfl.dedis.lib.proto.OCS.GetProofReply.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int PROOF_FIELD_NUMBER = 1;
+    private ch.epfl.dedis.lib.proto.OCS.OCSProof proof_;
+    /**
+     * required .ocs.OCSProof proof = 1;
+     */
+    public boolean hasProof() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required .ocs.OCSProof proof = 1;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.OCSProof getProof() {
+      return proof_ == null ? ch.epfl.dedis.lib.proto.OCS.OCSProof.getDefaultInstance() : proof_;
+    }
+    /**
+     * required .ocs.OCSProof proof = 1;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.OCSProofOrBuilder getProofOrBuilder() {
+      return proof_ == null ? ch.epfl.dedis.lib.proto.OCS.OCSProof.getDefaultInstance() : proof_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasProof()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!getProof().isInitialized()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeMessage(1, getProof());
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(1, getProof());
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.GetProofReply)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.GetProofReply other = (ch.epfl.dedis.lib.proto.OCS.GetProofReply) obj;
+
+      if (hasProof() != other.hasProof()) return false;
+      if (hasProof()) {
+        if (!getProof()
+            .equals(other.getProof())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasProof()) {
+        hash = (37 * hash) + PROOF_FIELD_NUMBER;
+        hash = (53 * hash) + getProof().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.GetProofReply parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProofReply parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProofReply parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProofReply parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProofReply parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProofReply parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProofReply parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProofReply parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProofReply parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProofReply parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProofReply parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.GetProofReply parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.GetProofReply prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * GetProofReply contains the additional info that node has on the given
+     * OCS, as well as a signature using the services private key.
+     * 

+     *
+     * Protobuf type {@code ocs.GetProofReply}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.GetProofReply)
+        ch.epfl.dedis.lib.proto.OCS.GetProofReplyOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_GetProofReply_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_GetProofReply_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.GetProofReply.class, ch.epfl.dedis.lib.proto.OCS.GetProofReply.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.GetProofReply.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+          getProofFieldBuilder();
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        if (proofBuilder_ == null) {
+          proof_ = null;
+        } else {
+          proofBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000001);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_GetProofReply_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.GetProofReply getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.GetProofReply.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.GetProofReply build() {
+        ch.epfl.dedis.lib.proto.OCS.GetProofReply result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.GetProofReply buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.GetProofReply result = new ch.epfl.dedis.lib.proto.OCS.GetProofReply(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (proofBuilder_ == null) {
+            result.proof_ = proof_;
+          } else {
+            result.proof_ = proofBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000001;
+        }
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.GetProofReply) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.GetProofReply)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.GetProofReply other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.GetProofReply.getDefaultInstance()) return this;
+        if (other.hasProof()) {
+          mergeProof(other.getProof());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasProof()) {
+          return false;
+        }
+        if (!getProof().isInitialized()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.GetProofReply parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.GetProofReply) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private ch.epfl.dedis.lib.proto.OCS.OCSProof proof_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.OCSProof, ch.epfl.dedis.lib.proto.OCS.OCSProof.Builder, ch.epfl.dedis.lib.proto.OCS.OCSProofOrBuilder> proofBuilder_;
+      /**
+       * required .ocs.OCSProof proof = 1;
+       */
+      public boolean hasProof() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required .ocs.OCSProof proof = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.OCSProof getProof() {
+        if (proofBuilder_ == null) {
+          return proof_ == null ? ch.epfl.dedis.lib.proto.OCS.OCSProof.getDefaultInstance() : proof_;
+        } else {
+          return proofBuilder_.getMessage();
+        }
+      }
+      /**
+       * required .ocs.OCSProof proof = 1;
+       */
+      public Builder setProof(ch.epfl.dedis.lib.proto.OCS.OCSProof value) {
+        if (proofBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          proof_ = value;
+          onChanged();
+        } else {
+          proofBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * required .ocs.OCSProof proof = 1;
+       */
+      public Builder setProof(
+          ch.epfl.dedis.lib.proto.OCS.OCSProof.Builder builderForValue) {
+        if (proofBuilder_ == null) {
+          proof_ = builderForValue.build();
+          onChanged();
+        } else {
+          proofBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * required .ocs.OCSProof proof = 1;
+       */
+      public Builder mergeProof(ch.epfl.dedis.lib.proto.OCS.OCSProof value) {
+        if (proofBuilder_ == null) {
+          if (((bitField0_ & 0x00000001) != 0) &&
+              proof_ != null &&
+              proof_ != ch.epfl.dedis.lib.proto.OCS.OCSProof.getDefaultInstance()) {
+            proof_ =
+              ch.epfl.dedis.lib.proto.OCS.OCSProof.newBuilder(proof_).mergeFrom(value).buildPartial();
+          } else {
+            proof_ = value;
+          }
+          onChanged();
+        } else {
+          proofBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * required .ocs.OCSProof proof = 1;
+       */
+      public Builder clearProof() {
+        if (proofBuilder_ == null) {
+          proof_ = null;
+          onChanged();
+        } else {
+          proofBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000001);
+        return this;
+      }
+      /**
+       * required .ocs.OCSProof proof = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.OCSProof.Builder getProofBuilder() {
+        bitField0_ |= 0x00000001;
+        onChanged();
+        return getProofFieldBuilder().getBuilder();
+      }
+      /**
+       * required .ocs.OCSProof proof = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.OCSProofOrBuilder getProofOrBuilder() {
+        if (proofBuilder_ != null) {
+          return proofBuilder_.getMessageOrBuilder();
+        } else {
+          return proof_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.OCSProof.getDefaultInstance() : proof_;
+        }
+      }
+      /**
+       * required .ocs.OCSProof proof = 1;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.OCSProof, ch.epfl.dedis.lib.proto.OCS.OCSProof.Builder, ch.epfl.dedis.lib.proto.OCS.OCSProofOrBuilder> 
+          getProofFieldBuilder() {
+        if (proofBuilder_ == null) {
+          proofBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.OCSProof, ch.epfl.dedis.lib.proto.OCS.OCSProof.Builder, ch.epfl.dedis.lib.proto.OCS.OCSProofOrBuilder>(
+                  getProof(),
+                  getParentForChildren(),
+                  isClean());
+          proof_ = null;
+        }
+        return proofBuilder_;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.GetProofReply)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.GetProofReply)
+    private static final ch.epfl.dedis.lib.proto.OCS.GetProofReply DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.GetProofReply();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.GetProofReply getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public GetProofReply parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new GetProofReply(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.GetProofReply getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface ReencryptOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.Reencrypt)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required bytes ocsid = 1;
+     */
+    boolean hasOcsid();
+    /**
+     * required bytes ocsid = 1;
+     */
+    com.google.protobuf.ByteString getOcsid();
+
+    /**
+     * required .ocs.AuthReencrypt auth = 2;
+     */
+    boolean hasAuth();
+    /**
+     * required .ocs.AuthReencrypt auth = 2;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthReencrypt getAuth();
+    /**
+     * required .ocs.AuthReencrypt auth = 2;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthReencryptOrBuilder getAuthOrBuilder();
+  }
+  /**
+   * 
+   * Reencrypt is sent to the service to request a re-encryption of the
+   * secret given in AuthReencrypt. AuthReencrypt must also contain the proof that the
+   * request is valid, as well as the ephemeral key, to which the secret
+   * will be re-encrypted.
+   * 

+   *
+   * Protobuf type {@code ocs.Reencrypt}
+   */
+  public  static final class Reencrypt extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.Reencrypt)
+      ReencryptOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use Reencrypt.newBuilder() to construct.
+    private Reencrypt(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private Reencrypt() {
+      ocsid_ = com.google.protobuf.ByteString.EMPTY;
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private Reencrypt(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              bitField0_ |= 0x00000001;
+              ocsid_ = input.readBytes();
+              break;
+            }
+            case 18: {
+              ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000002) != 0)) {
+                subBuilder = auth_.toBuilder();
+              }
+              auth_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(auth_);
+                auth_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000002;
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_Reencrypt_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_Reencrypt_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.Reencrypt.class, ch.epfl.dedis.lib.proto.OCS.Reencrypt.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int OCSID_FIELD_NUMBER = 1;
+    private com.google.protobuf.ByteString ocsid_;
+    /**
+     * required bytes ocsid = 1;
+     */
+    public boolean hasOcsid() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required bytes ocsid = 1;
+     */
+    public com.google.protobuf.ByteString getOcsid() {
+      return ocsid_;
+    }
+
+    public static final int AUTH_FIELD_NUMBER = 2;
+    private ch.epfl.dedis.lib.proto.OCS.AuthReencrypt auth_;
+    /**
+     * required .ocs.AuthReencrypt auth = 2;
+     */
+    public boolean hasAuth() {
+      return ((bitField0_ & 0x00000002) != 0);
+    }
+    /**
+     * required .ocs.AuthReencrypt auth = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthReencrypt getAuth() {
+      return auth_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.getDefaultInstance() : auth_;
+    }
+    /**
+     * required .ocs.AuthReencrypt auth = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthReencryptOrBuilder getAuthOrBuilder() {
+      return auth_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.getDefaultInstance() : auth_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasOcsid()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!hasAuth()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!getAuth().isInitialized()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeBytes(1, ocsid_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        output.writeMessage(2, getAuth());
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(1, ocsid_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(2, getAuth());
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.Reencrypt)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.Reencrypt other = (ch.epfl.dedis.lib.proto.OCS.Reencrypt) obj;
+
+      if (hasOcsid() != other.hasOcsid()) return false;
+      if (hasOcsid()) {
+        if (!getOcsid()
+            .equals(other.getOcsid())) return false;
+      }
+      if (hasAuth() != other.hasAuth()) return false;
+      if (hasAuth()) {
+        if (!getAuth()
+            .equals(other.getAuth())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasOcsid()) {
+        hash = (37 * hash) + OCSID_FIELD_NUMBER;
+        hash = (53 * hash) + getOcsid().hashCode();
+      }
+      if (hasAuth()) {
+        hash = (37 * hash) + AUTH_FIELD_NUMBER;
+        hash = (53 * hash) + getAuth().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.Reencrypt parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reencrypt parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reencrypt parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reencrypt parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reencrypt parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reencrypt parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reencrypt parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reencrypt parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reencrypt parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reencrypt parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reencrypt parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reencrypt parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.Reencrypt prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * Reencrypt is sent to the service to request a re-encryption of the
+     * secret given in AuthReencrypt. AuthReencrypt must also contain the proof that the
+     * request is valid, as well as the ephemeral key, to which the secret
+     * will be re-encrypted.
+     * 

+     *
+     * Protobuf type {@code ocs.Reencrypt}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.Reencrypt)
+        ch.epfl.dedis.lib.proto.OCS.ReencryptOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_Reencrypt_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_Reencrypt_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.Reencrypt.class, ch.epfl.dedis.lib.proto.OCS.Reencrypt.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.Reencrypt.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+          getAuthFieldBuilder();
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        ocsid_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000001);
+        if (authBuilder_ == null) {
+          auth_ = null;
+        } else {
+          authBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_Reencrypt_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.Reencrypt getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.Reencrypt.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.Reencrypt build() {
+        ch.epfl.dedis.lib.proto.OCS.Reencrypt result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.Reencrypt buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.Reencrypt result = new ch.epfl.dedis.lib.proto.OCS.Reencrypt(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          to_bitField0_ |= 0x00000001;
+        }
+        result.ocsid_ = ocsid_;
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (authBuilder_ == null) {
+            result.auth_ = auth_;
+          } else {
+            result.auth_ = authBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000002;
+        }
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.Reencrypt) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.Reencrypt)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.Reencrypt other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.Reencrypt.getDefaultInstance()) return this;
+        if (other.hasOcsid()) {
+          setOcsid(other.getOcsid());
+        }
+        if (other.hasAuth()) {
+          mergeAuth(other.getAuth());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasOcsid()) {
+          return false;
+        }
+        if (!hasAuth()) {
+          return false;
+        }
+        if (!getAuth().isInitialized()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.Reencrypt parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.Reencrypt) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private com.google.protobuf.ByteString ocsid_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * required bytes ocsid = 1;
+       */
+      public boolean hasOcsid() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required bytes ocsid = 1;
+       */
+      public com.google.protobuf.ByteString getOcsid() {
+        return ocsid_;
+      }
+      /**
+       * required bytes ocsid = 1;
+       */
+      public Builder setOcsid(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000001;
+        ocsid_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required bytes ocsid = 1;
+       */
+      public Builder clearOcsid() {
+        bitField0_ = (bitField0_ & ~0x00000001);
+        ocsid_ = getDefaultInstance().getOcsid();
+        onChanged();
+        return this;
+      }
+
+      private ch.epfl.dedis.lib.proto.OCS.AuthReencrypt auth_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthReencrypt, ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReencryptOrBuilder> authBuilder_;
+      /**
+       * required .ocs.AuthReencrypt auth = 2;
+       */
+      public boolean hasAuth() {
+        return ((bitField0_ & 0x00000002) != 0);
+      }
+      /**
+       * required .ocs.AuthReencrypt auth = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencrypt getAuth() {
+        if (authBuilder_ == null) {
+          return auth_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.getDefaultInstance() : auth_;
+        } else {
+          return authBuilder_.getMessage();
+        }
+      }
+      /**
+       * required .ocs.AuthReencrypt auth = 2;
+       */
+      public Builder setAuth(ch.epfl.dedis.lib.proto.OCS.AuthReencrypt value) {
+        if (authBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          auth_ = value;
+          onChanged();
+        } else {
+          authBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * required .ocs.AuthReencrypt auth = 2;
+       */
+      public Builder setAuth(
+          ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.Builder builderForValue) {
+        if (authBuilder_ == null) {
+          auth_ = builderForValue.build();
+          onChanged();
+        } else {
+          authBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * required .ocs.AuthReencrypt auth = 2;
+       */
+      public Builder mergeAuth(ch.epfl.dedis.lib.proto.OCS.AuthReencrypt value) {
+        if (authBuilder_ == null) {
+          if (((bitField0_ & 0x00000002) != 0) &&
+              auth_ != null &&
+              auth_ != ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.getDefaultInstance()) {
+            auth_ =
+              ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.newBuilder(auth_).mergeFrom(value).buildPartial();
+          } else {
+            auth_ = value;
+          }
+          onChanged();
+        } else {
+          authBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * required .ocs.AuthReencrypt auth = 2;
+       */
+      public Builder clearAuth() {
+        if (authBuilder_ == null) {
+          auth_ = null;
+          onChanged();
+        } else {
+          authBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+      /**
+       * required .ocs.AuthReencrypt auth = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.Builder getAuthBuilder() {
+        bitField0_ |= 0x00000002;
+        onChanged();
+        return getAuthFieldBuilder().getBuilder();
+      }
+      /**
+       * required .ocs.AuthReencrypt auth = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencryptOrBuilder getAuthOrBuilder() {
+        if (authBuilder_ != null) {
+          return authBuilder_.getMessageOrBuilder();
+        } else {
+          return auth_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.getDefaultInstance() : auth_;
+        }
+      }
+      /**
+       * required .ocs.AuthReencrypt auth = 2;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthReencrypt, ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReencryptOrBuilder> 
+          getAuthFieldBuilder() {
+        if (authBuilder_ == null) {
+          authBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.AuthReencrypt, ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReencryptOrBuilder>(
+                  getAuth(),
+                  getParentForChildren(),
+                  isClean());
+          auth_ = null;
+        }
+        return authBuilder_;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.Reencrypt)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.Reencrypt)
+    private static final ch.epfl.dedis.lib.proto.OCS.Reencrypt DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.Reencrypt();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.Reencrypt getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public Reencrypt parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new Reencrypt(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.Reencrypt getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface ReencryptReplyOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.ReencryptReply)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required bytes x = 1;
+     */
+    boolean hasX();
+    /**
+     * required bytes x = 1;
+     */
+    com.google.protobuf.ByteString getX();
+
+    /**
+     * required bytes xhatenc = 2;
+     */
+    boolean hasXhatenc();
+    /**
+     * required bytes xhatenc = 2;
+     */
+    com.google.protobuf.ByteString getXhatenc();
+
+    /**
+     * required bytes c = 3;
+     */
+    boolean hasC();
+    /**
+     * required bytes c = 3;
+     */
+    com.google.protobuf.ByteString getC();
+  }
+  /**
+   * 
+   * MessageReencryptReply is the reply if the re-encryption is successful, and
+   * it contains XHat, which is the secret re-encrypted to the ephemeral
+   * key given in AuthReencrypt.
+   * 

+   *
+   * Protobuf type {@code ocs.ReencryptReply}
+   */
+  public  static final class ReencryptReply extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.ReencryptReply)
+      ReencryptReplyOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use ReencryptReply.newBuilder() to construct.
+    private ReencryptReply(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private ReencryptReply() {
+      x_ = com.google.protobuf.ByteString.EMPTY;
+      xhatenc_ = com.google.protobuf.ByteString.EMPTY;
+      c_ = com.google.protobuf.ByteString.EMPTY;
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private ReencryptReply(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              bitField0_ |= 0x00000001;
+              x_ = input.readBytes();
+              break;
+            }
+            case 18: {
+              bitField0_ |= 0x00000002;
+              xhatenc_ = input.readBytes();
+              break;
+            }
+            case 26: {
+              bitField0_ |= 0x00000004;
+              c_ = input.readBytes();
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_ReencryptReply_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_ReencryptReply_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.ReencryptReply.class, ch.epfl.dedis.lib.proto.OCS.ReencryptReply.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int X_FIELD_NUMBER = 1;
+    private com.google.protobuf.ByteString x_;
+    /**
+     * required bytes x = 1;
+     */
+    public boolean hasX() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required bytes x = 1;
+     */
+    public com.google.protobuf.ByteString getX() {
+      return x_;
+    }
+
+    public static final int XHATENC_FIELD_NUMBER = 2;
+    private com.google.protobuf.ByteString xhatenc_;
+    /**
+     * required bytes xhatenc = 2;
+     */
+    public boolean hasXhatenc() {
+      return ((bitField0_ & 0x00000002) != 0);
+    }
+    /**
+     * required bytes xhatenc = 2;
+     */
+    public com.google.protobuf.ByteString getXhatenc() {
+      return xhatenc_;
+    }
+
+    public static final int C_FIELD_NUMBER = 3;
+    private com.google.protobuf.ByteString c_;
+    /**
+     * required bytes c = 3;
+     */
+    public boolean hasC() {
+      return ((bitField0_ & 0x00000004) != 0);
+    }
+    /**
+     * required bytes c = 3;
+     */
+    public com.google.protobuf.ByteString getC() {
+      return c_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasX()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!hasXhatenc()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!hasC()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeBytes(1, x_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        output.writeBytes(2, xhatenc_);
+      }
+      if (((bitField0_ & 0x00000004) != 0)) {
+        output.writeBytes(3, c_);
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(1, x_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(2, xhatenc_);
+      }
+      if (((bitField0_ & 0x00000004) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(3, c_);
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.ReencryptReply)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.ReencryptReply other = (ch.epfl.dedis.lib.proto.OCS.ReencryptReply) obj;
+
+      if (hasX() != other.hasX()) return false;
+      if (hasX()) {
+        if (!getX()
+            .equals(other.getX())) return false;
+      }
+      if (hasXhatenc() != other.hasXhatenc()) return false;
+      if (hasXhatenc()) {
+        if (!getXhatenc()
+            .equals(other.getXhatenc())) return false;
+      }
+      if (hasC() != other.hasC()) return false;
+      if (hasC()) {
+        if (!getC()
+            .equals(other.getC())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasX()) {
+        hash = (37 * hash) + X_FIELD_NUMBER;
+        hash = (53 * hash) + getX().hashCode();
+      }
+      if (hasXhatenc()) {
+        hash = (37 * hash) + XHATENC_FIELD_NUMBER;
+        hash = (53 * hash) + getXhatenc().hashCode();
+      }
+      if (hasC()) {
+        hash = (37 * hash) + C_FIELD_NUMBER;
+        hash = (53 * hash) + getC().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.ReencryptReply parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReencryptReply parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReencryptReply parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReencryptReply parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReencryptReply parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReencryptReply parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReencryptReply parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReencryptReply parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReencryptReply parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReencryptReply parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReencryptReply parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReencryptReply parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.ReencryptReply prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * MessageReencryptReply is the reply if the re-encryption is successful, and
+     * it contains XHat, which is the secret re-encrypted to the ephemeral
+     * key given in AuthReencrypt.
+     * 

+     *
+     * Protobuf type {@code ocs.ReencryptReply}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.ReencryptReply)
+        ch.epfl.dedis.lib.proto.OCS.ReencryptReplyOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_ReencryptReply_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_ReencryptReply_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.ReencryptReply.class, ch.epfl.dedis.lib.proto.OCS.ReencryptReply.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.ReencryptReply.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        x_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000001);
+        xhatenc_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000002);
+        c_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000004);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_ReencryptReply_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.ReencryptReply getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.ReencryptReply.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.ReencryptReply build() {
+        ch.epfl.dedis.lib.proto.OCS.ReencryptReply result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.ReencryptReply buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.ReencryptReply result = new ch.epfl.dedis.lib.proto.OCS.ReencryptReply(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          to_bitField0_ |= 0x00000001;
+        }
+        result.x_ = x_;
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          to_bitField0_ |= 0x00000002;
+        }
+        result.xhatenc_ = xhatenc_;
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          to_bitField0_ |= 0x00000004;
+        }
+        result.c_ = c_;
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.ReencryptReply) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.ReencryptReply)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.ReencryptReply other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.ReencryptReply.getDefaultInstance()) return this;
+        if (other.hasX()) {
+          setX(other.getX());
+        }
+        if (other.hasXhatenc()) {
+          setXhatenc(other.getXhatenc());
+        }
+        if (other.hasC()) {
+          setC(other.getC());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasX()) {
+          return false;
+        }
+        if (!hasXhatenc()) {
+          return false;
+        }
+        if (!hasC()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.ReencryptReply parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.ReencryptReply) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private com.google.protobuf.ByteString x_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * required bytes x = 1;
+       */
+      public boolean hasX() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required bytes x = 1;
+       */
+      public com.google.protobuf.ByteString getX() {
+        return x_;
+      }
+      /**
+       * required bytes x = 1;
+       */
+      public Builder setX(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000001;
+        x_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required bytes x = 1;
+       */
+      public Builder clearX() {
+        bitField0_ = (bitField0_ & ~0x00000001);
+        x_ = getDefaultInstance().getX();
+        onChanged();
+        return this;
+      }
+
+      private com.google.protobuf.ByteString xhatenc_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * required bytes xhatenc = 2;
+       */
+      public boolean hasXhatenc() {
+        return ((bitField0_ & 0x00000002) != 0);
+      }
+      /**
+       * required bytes xhatenc = 2;
+       */
+      public com.google.protobuf.ByteString getXhatenc() {
+        return xhatenc_;
+      }
+      /**
+       * required bytes xhatenc = 2;
+       */
+      public Builder setXhatenc(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000002;
+        xhatenc_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required bytes xhatenc = 2;
+       */
+      public Builder clearXhatenc() {
+        bitField0_ = (bitField0_ & ~0x00000002);
+        xhatenc_ = getDefaultInstance().getXhatenc();
+        onChanged();
+        return this;
+      }
+
+      private com.google.protobuf.ByteString c_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * required bytes c = 3;
+       */
+      public boolean hasC() {
+        return ((bitField0_ & 0x00000004) != 0);
+      }
+      /**
+       * required bytes c = 3;
+       */
+      public com.google.protobuf.ByteString getC() {
+        return c_;
+      }
+      /**
+       * required bytes c = 3;
+       */
+      public Builder setC(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000004;
+        c_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required bytes c = 3;
+       */
+      public Builder clearC() {
+        bitField0_ = (bitField0_ & ~0x00000004);
+        c_ = getDefaultInstance().getC();
+        onChanged();
+        return this;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.ReencryptReply)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.ReencryptReply)
+    private static final ch.epfl.dedis.lib.proto.OCS.ReencryptReply DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.ReencryptReply();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.ReencryptReply getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public ReencryptReply parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new ReencryptReply(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.ReencryptReply getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface ReshareOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.Reshare)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required bytes ocsid = 1;
+     */
+    boolean hasOcsid();
+    /**
+     * required bytes ocsid = 1;
+     */
+    com.google.protobuf.ByteString getOcsid();
+
+    /**
+     * required .onet.Roster newroster = 2;
+     */
+    boolean hasNewroster();
+    /**
+     * required .onet.Roster newroster = 2;
+     */
+    ch.epfl.dedis.lib.proto.OnetProto.Roster getNewroster();
+    /**
+     * required .onet.Roster newroster = 2;
+     */
+    ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getNewrosterOrBuilder();
+
+    /**
+     * required .ocs.AuthReshare auth = 3;
+     */
+    boolean hasAuth();
+    /**
+     * required .ocs.AuthReshare auth = 3;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthReshare getAuth();
+    /**
+     * required .ocs.AuthReshare auth = 3;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthReshareOrBuilder getAuthOrBuilder();
+  }
+  /**
+   * 
+   * Reshare is called to ask OCS to change the roster. It needs a valid
+   * authentication before the private keys are re-distributed over the new
+   * roster.
+   * TODO: should NewRoster be always present in AuthReshare? It will be present
+   * TODO: at least in AuthReshareByzCoin, but might not in other AuthReshares
+   * 

+   *
+   * Protobuf type {@code ocs.Reshare}
+   */
+  public  static final class Reshare extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.Reshare)
+      ReshareOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use Reshare.newBuilder() to construct.
+    private Reshare(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private Reshare() {
+      ocsid_ = com.google.protobuf.ByteString.EMPTY;
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private Reshare(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              bitField0_ |= 0x00000001;
+              ocsid_ = input.readBytes();
+              break;
+            }
+            case 18: {
+              ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000002) != 0)) {
+                subBuilder = newroster_.toBuilder();
+              }
+              newroster_ = input.readMessage(ch.epfl.dedis.lib.proto.OnetProto.Roster.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(newroster_);
+                newroster_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000002;
+              break;
+            }
+            case 26: {
+              ch.epfl.dedis.lib.proto.OCS.AuthReshare.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000004) != 0)) {
+                subBuilder = auth_.toBuilder();
+              }
+              auth_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.AuthReshare.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(auth_);
+                auth_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000004;
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_Reshare_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_Reshare_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.Reshare.class, ch.epfl.dedis.lib.proto.OCS.Reshare.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int OCSID_FIELD_NUMBER = 1;
+    private com.google.protobuf.ByteString ocsid_;
+    /**
+     * required bytes ocsid = 1;
+     */
+    public boolean hasOcsid() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required bytes ocsid = 1;
+     */
+    public com.google.protobuf.ByteString getOcsid() {
+      return ocsid_;
+    }
+
+    public static final int NEWROSTER_FIELD_NUMBER = 2;
+    private ch.epfl.dedis.lib.proto.OnetProto.Roster newroster_;
+    /**
+     * required .onet.Roster newroster = 2;
+     */
+    public boolean hasNewroster() {
+      return ((bitField0_ & 0x00000002) != 0);
+    }
+    /**
+     * required .onet.Roster newroster = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OnetProto.Roster getNewroster() {
+      return newroster_ == null ? ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance() : newroster_;
+    }
+    /**
+     * required .onet.Roster newroster = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getNewrosterOrBuilder() {
+      return newroster_ == null ? ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance() : newroster_;
+    }
+
+    public static final int AUTH_FIELD_NUMBER = 3;
+    private ch.epfl.dedis.lib.proto.OCS.AuthReshare auth_;
+    /**
+     * required .ocs.AuthReshare auth = 3;
+     */
+    public boolean hasAuth() {
+      return ((bitField0_ & 0x00000004) != 0);
+    }
+    /**
+     * required .ocs.AuthReshare auth = 3;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthReshare getAuth() {
+      return auth_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReshare.getDefaultInstance() : auth_;
+    }
+    /**
+     * required .ocs.AuthReshare auth = 3;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthReshareOrBuilder getAuthOrBuilder() {
+      return auth_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReshare.getDefaultInstance() : auth_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasOcsid()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!hasNewroster()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!hasAuth()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!getNewroster().isInitialized()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!getAuth().isInitialized()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeBytes(1, ocsid_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        output.writeMessage(2, getNewroster());
+      }
+      if (((bitField0_ & 0x00000004) != 0)) {
+        output.writeMessage(3, getAuth());
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(1, ocsid_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(2, getNewroster());
+      }
+      if (((bitField0_ & 0x00000004) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(3, getAuth());
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.Reshare)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.Reshare other = (ch.epfl.dedis.lib.proto.OCS.Reshare) obj;
+
+      if (hasOcsid() != other.hasOcsid()) return false;
+      if (hasOcsid()) {
+        if (!getOcsid()
+            .equals(other.getOcsid())) return false;
+      }
+      if (hasNewroster() != other.hasNewroster()) return false;
+      if (hasNewroster()) {
+        if (!getNewroster()
+            .equals(other.getNewroster())) return false;
+      }
+      if (hasAuth() != other.hasAuth()) return false;
+      if (hasAuth()) {
+        if (!getAuth()
+            .equals(other.getAuth())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasOcsid()) {
+        hash = (37 * hash) + OCSID_FIELD_NUMBER;
+        hash = (53 * hash) + getOcsid().hashCode();
+      }
+      if (hasNewroster()) {
+        hash = (37 * hash) + NEWROSTER_FIELD_NUMBER;
+        hash = (53 * hash) + getNewroster().hashCode();
+      }
+      if (hasAuth()) {
+        hash = (37 * hash) + AUTH_FIELD_NUMBER;
+        hash = (53 * hash) + getAuth().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.Reshare parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reshare parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reshare parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reshare parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reshare parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reshare parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reshare parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reshare parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reshare parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reshare parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reshare parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Reshare parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.Reshare prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * Reshare is called to ask OCS to change the roster. It needs a valid
+     * authentication before the private keys are re-distributed over the new
+     * roster.
+     * TODO: should NewRoster be always present in AuthReshare? It will be present
+     * TODO: at least in AuthReshareByzCoin, but might not in other AuthReshares
+     * 

+     *
+     * Protobuf type {@code ocs.Reshare}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.Reshare)
+        ch.epfl.dedis.lib.proto.OCS.ReshareOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_Reshare_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_Reshare_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.Reshare.class, ch.epfl.dedis.lib.proto.OCS.Reshare.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.Reshare.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+          getNewrosterFieldBuilder();
+          getAuthFieldBuilder();
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        ocsid_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000001);
+        if (newrosterBuilder_ == null) {
+          newroster_ = null;
+        } else {
+          newrosterBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        if (authBuilder_ == null) {
+          auth_ = null;
+        } else {
+          authBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000004);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_Reshare_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.Reshare getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.Reshare.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.Reshare build() {
+        ch.epfl.dedis.lib.proto.OCS.Reshare result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.Reshare buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.Reshare result = new ch.epfl.dedis.lib.proto.OCS.Reshare(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          to_bitField0_ |= 0x00000001;
+        }
+        result.ocsid_ = ocsid_;
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (newrosterBuilder_ == null) {
+            result.newroster_ = newroster_;
+          } else {
+            result.newroster_ = newrosterBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000002;
+        }
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          if (authBuilder_ == null) {
+            result.auth_ = auth_;
+          } else {
+            result.auth_ = authBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000004;
+        }
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.Reshare) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.Reshare)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.Reshare other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.Reshare.getDefaultInstance()) return this;
+        if (other.hasOcsid()) {
+          setOcsid(other.getOcsid());
+        }
+        if (other.hasNewroster()) {
+          mergeNewroster(other.getNewroster());
+        }
+        if (other.hasAuth()) {
+          mergeAuth(other.getAuth());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasOcsid()) {
+          return false;
+        }
+        if (!hasNewroster()) {
+          return false;
+        }
+        if (!hasAuth()) {
+          return false;
+        }
+        if (!getNewroster().isInitialized()) {
+          return false;
+        }
+        if (!getAuth().isInitialized()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.Reshare parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.Reshare) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private com.google.protobuf.ByteString ocsid_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * required bytes ocsid = 1;
+       */
+      public boolean hasOcsid() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required bytes ocsid = 1;
+       */
+      public com.google.protobuf.ByteString getOcsid() {
+        return ocsid_;
+      }
+      /**
+       * required bytes ocsid = 1;
+       */
+      public Builder setOcsid(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000001;
+        ocsid_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required bytes ocsid = 1;
+       */
+      public Builder clearOcsid() {
+        bitField0_ = (bitField0_ & ~0x00000001);
+        ocsid_ = getDefaultInstance().getOcsid();
+        onChanged();
+        return this;
+      }
+
+      private ch.epfl.dedis.lib.proto.OnetProto.Roster newroster_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OnetProto.Roster, ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder, ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder> newrosterBuilder_;
+      /**
+       * required .onet.Roster newroster = 2;
+       */
+      public boolean hasNewroster() {
+        return ((bitField0_ & 0x00000002) != 0);
+      }
+      /**
+       * required .onet.Roster newroster = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OnetProto.Roster getNewroster() {
+        if (newrosterBuilder_ == null) {
+          return newroster_ == null ? ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance() : newroster_;
+        } else {
+          return newrosterBuilder_.getMessage();
+        }
+      }
+      /**
+       * required .onet.Roster newroster = 2;
+       */
+      public Builder setNewroster(ch.epfl.dedis.lib.proto.OnetProto.Roster value) {
+        if (newrosterBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          newroster_ = value;
+          onChanged();
+        } else {
+          newrosterBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * required .onet.Roster newroster = 2;
+       */
+      public Builder setNewroster(
+          ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder builderForValue) {
+        if (newrosterBuilder_ == null) {
+          newroster_ = builderForValue.build();
+          onChanged();
+        } else {
+          newrosterBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * required .onet.Roster newroster = 2;
+       */
+      public Builder mergeNewroster(ch.epfl.dedis.lib.proto.OnetProto.Roster value) {
+        if (newrosterBuilder_ == null) {
+          if (((bitField0_ & 0x00000002) != 0) &&
+              newroster_ != null &&
+              newroster_ != ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance()) {
+            newroster_ =
+              ch.epfl.dedis.lib.proto.OnetProto.Roster.newBuilder(newroster_).mergeFrom(value).buildPartial();
+          } else {
+            newroster_ = value;
+          }
+          onChanged();
+        } else {
+          newrosterBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * required .onet.Roster newroster = 2;
+       */
+      public Builder clearNewroster() {
+        if (newrosterBuilder_ == null) {
+          newroster_ = null;
+          onChanged();
+        } else {
+          newrosterBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+      /**
+       * required .onet.Roster newroster = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder getNewrosterBuilder() {
+        bitField0_ |= 0x00000002;
+        onChanged();
+        return getNewrosterFieldBuilder().getBuilder();
+      }
+      /**
+       * required .onet.Roster newroster = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getNewrosterOrBuilder() {
+        if (newrosterBuilder_ != null) {
+          return newrosterBuilder_.getMessageOrBuilder();
+        } else {
+          return newroster_ == null ?
+              ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance() : newroster_;
+        }
+      }
+      /**
+       * required .onet.Roster newroster = 2;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OnetProto.Roster, ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder, ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder> 
+          getNewrosterFieldBuilder() {
+        if (newrosterBuilder_ == null) {
+          newrosterBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OnetProto.Roster, ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder, ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder>(
+                  getNewroster(),
+                  getParentForChildren(),
+                  isClean());
+          newroster_ = null;
+        }
+        return newrosterBuilder_;
+      }
+
+      private ch.epfl.dedis.lib.proto.OCS.AuthReshare auth_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthReshare, ch.epfl.dedis.lib.proto.OCS.AuthReshare.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReshareOrBuilder> authBuilder_;
+      /**
+       * required .ocs.AuthReshare auth = 3;
+       */
+      public boolean hasAuth() {
+        return ((bitField0_ & 0x00000004) != 0);
+      }
+      /**
+       * required .ocs.AuthReshare auth = 3;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshare getAuth() {
+        if (authBuilder_ == null) {
+          return auth_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReshare.getDefaultInstance() : auth_;
+        } else {
+          return authBuilder_.getMessage();
+        }
+      }
+      /**
+       * required .ocs.AuthReshare auth = 3;
+       */
+      public Builder setAuth(ch.epfl.dedis.lib.proto.OCS.AuthReshare value) {
+        if (authBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          auth_ = value;
+          onChanged();
+        } else {
+          authBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000004;
+        return this;
+      }
+      /**
+       * required .ocs.AuthReshare auth = 3;
+       */
+      public Builder setAuth(
+          ch.epfl.dedis.lib.proto.OCS.AuthReshare.Builder builderForValue) {
+        if (authBuilder_ == null) {
+          auth_ = builderForValue.build();
+          onChanged();
+        } else {
+          authBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000004;
+        return this;
+      }
+      /**
+       * required .ocs.AuthReshare auth = 3;
+       */
+      public Builder mergeAuth(ch.epfl.dedis.lib.proto.OCS.AuthReshare value) {
+        if (authBuilder_ == null) {
+          if (((bitField0_ & 0x00000004) != 0) &&
+              auth_ != null &&
+              auth_ != ch.epfl.dedis.lib.proto.OCS.AuthReshare.getDefaultInstance()) {
+            auth_ =
+              ch.epfl.dedis.lib.proto.OCS.AuthReshare.newBuilder(auth_).mergeFrom(value).buildPartial();
+          } else {
+            auth_ = value;
+          }
+          onChanged();
+        } else {
+          authBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000004;
+        return this;
+      }
+      /**
+       * required .ocs.AuthReshare auth = 3;
+       */
+      public Builder clearAuth() {
+        if (authBuilder_ == null) {
+          auth_ = null;
+          onChanged();
+        } else {
+          authBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000004);
+        return this;
+      }
+      /**
+       * required .ocs.AuthReshare auth = 3;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshare.Builder getAuthBuilder() {
+        bitField0_ |= 0x00000004;
+        onChanged();
+        return getAuthFieldBuilder().getBuilder();
+      }
+      /**
+       * required .ocs.AuthReshare auth = 3;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshareOrBuilder getAuthOrBuilder() {
+        if (authBuilder_ != null) {
+          return authBuilder_.getMessageOrBuilder();
+        } else {
+          return auth_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.AuthReshare.getDefaultInstance() : auth_;
+        }
+      }
+      /**
+       * required .ocs.AuthReshare auth = 3;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthReshare, ch.epfl.dedis.lib.proto.OCS.AuthReshare.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReshareOrBuilder> 
+          getAuthFieldBuilder() {
+        if (authBuilder_ == null) {
+          authBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.AuthReshare, ch.epfl.dedis.lib.proto.OCS.AuthReshare.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReshareOrBuilder>(
+                  getAuth(),
+                  getParentForChildren(),
+                  isClean());
+          auth_ = null;
+        }
+        return authBuilder_;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.Reshare)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.Reshare)
+    private static final ch.epfl.dedis.lib.proto.OCS.Reshare DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.Reshare();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.Reshare getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public Reshare parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new Reshare(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.Reshare getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface ReshareReplyOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.ReshareReply)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required bytes sig = 1;
+     */
+    boolean hasSig();
+    /**
+     * required bytes sig = 1;
+     */
+    com.google.protobuf.ByteString getSig();
+  }
+  /**
+   * 
+   * ReshareReply is returned if the resharing has been completed successfully
+   * and contains the collective signature on the message
+   *   sha256( X | NewRoster )
+   * 

+   *
+   * Protobuf type {@code ocs.ReshareReply}
+   */
+  public  static final class ReshareReply extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.ReshareReply)
+      ReshareReplyOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use ReshareReply.newBuilder() to construct.
+    private ReshareReply(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private ReshareReply() {
+      sig_ = com.google.protobuf.ByteString.EMPTY;
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private ReshareReply(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              bitField0_ |= 0x00000001;
+              sig_ = input.readBytes();
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_ReshareReply_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_ReshareReply_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.ReshareReply.class, ch.epfl.dedis.lib.proto.OCS.ReshareReply.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int SIG_FIELD_NUMBER = 1;
+    private com.google.protobuf.ByteString sig_;
+    /**
+     * required bytes sig = 1;
+     */
+    public boolean hasSig() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required bytes sig = 1;
+     */
+    public com.google.protobuf.ByteString getSig() {
+      return sig_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasSig()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeBytes(1, sig_);
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(1, sig_);
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.ReshareReply)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.ReshareReply other = (ch.epfl.dedis.lib.proto.OCS.ReshareReply) obj;
+
+      if (hasSig() != other.hasSig()) return false;
+      if (hasSig()) {
+        if (!getSig()
+            .equals(other.getSig())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasSig()) {
+        hash = (37 * hash) + SIG_FIELD_NUMBER;
+        hash = (53 * hash) + getSig().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.ReshareReply parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReshareReply parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReshareReply parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReshareReply parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReshareReply parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReshareReply parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReshareReply parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReshareReply parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReshareReply parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReshareReply parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReshareReply parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.ReshareReply parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.ReshareReply prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * ReshareReply is returned if the resharing has been completed successfully
+     * and contains the collective signature on the message
+     *   sha256( X | NewRoster )
+     * 

+     *
+     * Protobuf type {@code ocs.ReshareReply}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.ReshareReply)
+        ch.epfl.dedis.lib.proto.OCS.ReshareReplyOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_ReshareReply_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_ReshareReply_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.ReshareReply.class, ch.epfl.dedis.lib.proto.OCS.ReshareReply.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.ReshareReply.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        sig_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000001);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_ReshareReply_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.ReshareReply getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.ReshareReply.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.ReshareReply build() {
+        ch.epfl.dedis.lib.proto.OCS.ReshareReply result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.ReshareReply buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.ReshareReply result = new ch.epfl.dedis.lib.proto.OCS.ReshareReply(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          to_bitField0_ |= 0x00000001;
+        }
+        result.sig_ = sig_;
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.ReshareReply) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.ReshareReply)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.ReshareReply other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.ReshareReply.getDefaultInstance()) return this;
+        if (other.hasSig()) {
+          setSig(other.getSig());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasSig()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.ReshareReply parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.ReshareReply) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private com.google.protobuf.ByteString sig_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * required bytes sig = 1;
+       */
+      public boolean hasSig() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required bytes sig = 1;
+       */
+      public com.google.protobuf.ByteString getSig() {
+        return sig_;
+      }
+      /**
+       * required bytes sig = 1;
+       */
+      public Builder setSig(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000001;
+        sig_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required bytes sig = 1;
+       */
+      public Builder clearSig() {
+        bitField0_ = (bitField0_ & ~0x00000001);
+        sig_ = getDefaultInstance().getSig();
+        onChanged();
+        return this;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.ReshareReply)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.ReshareReply)
+    private static final ch.epfl.dedis.lib.proto.OCS.ReshareReply DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.ReshareReply();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.ReshareReply getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public ReshareReply parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new ReshareReply(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.ReshareReply getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface PolicyOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.Policy)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * optional .ocs.PolicyByzCoin byzcoin = 1;
+     */
+    boolean hasByzcoin();
+    /**
+     * optional .ocs.PolicyByzCoin byzcoin = 1;
+     */
+    ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin getByzcoin();
+    /**
+     * optional .ocs.PolicyByzCoin byzcoin = 1;
+     */
+    ch.epfl.dedis.lib.proto.OCS.PolicyByzCoinOrBuilder getByzcoinOrBuilder();
+
+    /**
+     * optional .ocs.PolicyX509Cert x509cert = 2;
+     */
+    boolean hasX509Cert();
+    /**
+     * optional .ocs.PolicyX509Cert x509cert = 2;
+     */
+    ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert getX509Cert();
+    /**
+     * optional .ocs.PolicyX509Cert x509cert = 2;
+     */
+    ch.epfl.dedis.lib.proto.OCS.PolicyX509CertOrBuilder getX509CertOrBuilder();
+  }
+  /**
+   * 
+   * Policy holds all possible authentication structures. When using it to call
+   * Authorise, only one of the fields must be non-nil.
+   * 

+   *
+   * Protobuf type {@code ocs.Policy}
+   */
+  public  static final class Policy extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.Policy)
+      PolicyOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use Policy.newBuilder() to construct.
+    private Policy(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private Policy() {
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private Policy(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000001) != 0)) {
+                subBuilder = byzcoin_.toBuilder();
+              }
+              byzcoin_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(byzcoin_);
+                byzcoin_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000001;
+              break;
+            }
+            case 18: {
+              ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000002) != 0)) {
+                subBuilder = x509Cert_.toBuilder();
+              }
+              x509Cert_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(x509Cert_);
+                x509Cert_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000002;
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_Policy_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_Policy_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.Policy.class, ch.epfl.dedis.lib.proto.OCS.Policy.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int BYZCOIN_FIELD_NUMBER = 1;
+    private ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin byzcoin_;
+    /**
+     * optional .ocs.PolicyByzCoin byzcoin = 1;
+     */
+    public boolean hasByzcoin() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * optional .ocs.PolicyByzCoin byzcoin = 1;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin getByzcoin() {
+      return byzcoin_ == null ? ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.getDefaultInstance() : byzcoin_;
+    }
+    /**
+     * optional .ocs.PolicyByzCoin byzcoin = 1;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.PolicyByzCoinOrBuilder getByzcoinOrBuilder() {
+      return byzcoin_ == null ? ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.getDefaultInstance() : byzcoin_;
+    }
+
+    public static final int X509CERT_FIELD_NUMBER = 2;
+    private ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert x509Cert_;
+    /**
+     * optional .ocs.PolicyX509Cert x509cert = 2;
+     */
+    public boolean hasX509Cert() {
+      return ((bitField0_ & 0x00000002) != 0);
+    }
+    /**
+     * optional .ocs.PolicyX509Cert x509cert = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert getX509Cert() {
+      return x509Cert_ == null ? ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.getDefaultInstance() : x509Cert_;
+    }
+    /**
+     * optional .ocs.PolicyX509Cert x509cert = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.PolicyX509CertOrBuilder getX509CertOrBuilder() {
+      return x509Cert_ == null ? ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.getDefaultInstance() : x509Cert_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (hasByzcoin()) {
+        if (!getByzcoin().isInitialized()) {
+          memoizedIsInitialized = 0;
+          return false;
+        }
+      }
+      if (hasX509Cert()) {
+        if (!getX509Cert().isInitialized()) {
+          memoizedIsInitialized = 0;
+          return false;
+        }
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeMessage(1, getByzcoin());
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        output.writeMessage(2, getX509Cert());
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(1, getByzcoin());
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(2, getX509Cert());
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.Policy)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.Policy other = (ch.epfl.dedis.lib.proto.OCS.Policy) obj;
+
+      if (hasByzcoin() != other.hasByzcoin()) return false;
+      if (hasByzcoin()) {
+        if (!getByzcoin()
+            .equals(other.getByzcoin())) return false;
+      }
+      if (hasX509Cert() != other.hasX509Cert()) return false;
+      if (hasX509Cert()) {
+        if (!getX509Cert()
+            .equals(other.getX509Cert())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasByzcoin()) {
+        hash = (37 * hash) + BYZCOIN_FIELD_NUMBER;
+        hash = (53 * hash) + getByzcoin().hashCode();
+      }
+      if (hasX509Cert()) {
+        hash = (37 * hash) + X509CERT_FIELD_NUMBER;
+        hash = (53 * hash) + getX509Cert().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.Policy parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Policy parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Policy parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Policy parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Policy parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Policy parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Policy parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Policy parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Policy parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Policy parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Policy parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.Policy parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.Policy prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * Policy holds all possible authentication structures. When using it to call
+     * Authorise, only one of the fields must be non-nil.
+     * 

+     *
+     * Protobuf type {@code ocs.Policy}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.Policy)
+        ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_Policy_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_Policy_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.Policy.class, ch.epfl.dedis.lib.proto.OCS.Policy.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.Policy.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+          getByzcoinFieldBuilder();
+          getX509CertFieldBuilder();
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        if (byzcoinBuilder_ == null) {
+          byzcoin_ = null;
+        } else {
+          byzcoinBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000001);
+        if (x509CertBuilder_ == null) {
+          x509Cert_ = null;
+        } else {
+          x509CertBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_Policy_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.Policy getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.Policy build() {
+        ch.epfl.dedis.lib.proto.OCS.Policy result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.Policy buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.Policy result = new ch.epfl.dedis.lib.proto.OCS.Policy(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (byzcoinBuilder_ == null) {
+            result.byzcoin_ = byzcoin_;
+          } else {
+            result.byzcoin_ = byzcoinBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000001;
+        }
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (x509CertBuilder_ == null) {
+            result.x509Cert_ = x509Cert_;
+          } else {
+            result.x509Cert_ = x509CertBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000002;
+        }
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.Policy) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.Policy)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.Policy other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance()) return this;
+        if (other.hasByzcoin()) {
+          mergeByzcoin(other.getByzcoin());
+        }
+        if (other.hasX509Cert()) {
+          mergeX509Cert(other.getX509Cert());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (hasByzcoin()) {
+          if (!getByzcoin().isInitialized()) {
+            return false;
+          }
+        }
+        if (hasX509Cert()) {
+          if (!getX509Cert().isInitialized()) {
+            return false;
+          }
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.Policy parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.Policy) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin byzcoin_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin, ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyByzCoinOrBuilder> byzcoinBuilder_;
+      /**
+       * optional .ocs.PolicyByzCoin byzcoin = 1;
+       */
+      public boolean hasByzcoin() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * optional .ocs.PolicyByzCoin byzcoin = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin getByzcoin() {
+        if (byzcoinBuilder_ == null) {
+          return byzcoin_ == null ? ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.getDefaultInstance() : byzcoin_;
+        } else {
+          return byzcoinBuilder_.getMessage();
+        }
+      }
+      /**
+       * optional .ocs.PolicyByzCoin byzcoin = 1;
+       */
+      public Builder setByzcoin(ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin value) {
+        if (byzcoinBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          byzcoin_ = value;
+          onChanged();
+        } else {
+          byzcoinBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * optional .ocs.PolicyByzCoin byzcoin = 1;
+       */
+      public Builder setByzcoin(
+          ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.Builder builderForValue) {
+        if (byzcoinBuilder_ == null) {
+          byzcoin_ = builderForValue.build();
+          onChanged();
+        } else {
+          byzcoinBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * optional .ocs.PolicyByzCoin byzcoin = 1;
+       */
+      public Builder mergeByzcoin(ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin value) {
+        if (byzcoinBuilder_ == null) {
+          if (((bitField0_ & 0x00000001) != 0) &&
+              byzcoin_ != null &&
+              byzcoin_ != ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.getDefaultInstance()) {
+            byzcoin_ =
+              ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.newBuilder(byzcoin_).mergeFrom(value).buildPartial();
+          } else {
+            byzcoin_ = value;
+          }
+          onChanged();
+        } else {
+          byzcoinBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * optional .ocs.PolicyByzCoin byzcoin = 1;
+       */
+      public Builder clearByzcoin() {
+        if (byzcoinBuilder_ == null) {
+          byzcoin_ = null;
+          onChanged();
+        } else {
+          byzcoinBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000001);
+        return this;
+      }
+      /**
+       * optional .ocs.PolicyByzCoin byzcoin = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.Builder getByzcoinBuilder() {
+        bitField0_ |= 0x00000001;
+        onChanged();
+        return getByzcoinFieldBuilder().getBuilder();
+      }
+      /**
+       * optional .ocs.PolicyByzCoin byzcoin = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.PolicyByzCoinOrBuilder getByzcoinOrBuilder() {
+        if (byzcoinBuilder_ != null) {
+          return byzcoinBuilder_.getMessageOrBuilder();
+        } else {
+          return byzcoin_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.getDefaultInstance() : byzcoin_;
+        }
+      }
+      /**
+       * optional .ocs.PolicyByzCoin byzcoin = 1;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin, ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyByzCoinOrBuilder> 
+          getByzcoinFieldBuilder() {
+        if (byzcoinBuilder_ == null) {
+          byzcoinBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin, ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyByzCoinOrBuilder>(
+                  getByzcoin(),
+                  getParentForChildren(),
+                  isClean());
+          byzcoin_ = null;
+        }
+        return byzcoinBuilder_;
+      }
+
+      private ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert x509Cert_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert, ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyX509CertOrBuilder> x509CertBuilder_;
+      /**
+       * optional .ocs.PolicyX509Cert x509cert = 2;
+       */
+      public boolean hasX509Cert() {
+        return ((bitField0_ & 0x00000002) != 0);
+      }
+      /**
+       * optional .ocs.PolicyX509Cert x509cert = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert getX509Cert() {
+        if (x509CertBuilder_ == null) {
+          return x509Cert_ == null ? ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.getDefaultInstance() : x509Cert_;
+        } else {
+          return x509CertBuilder_.getMessage();
+        }
+      }
+      /**
+       * optional .ocs.PolicyX509Cert x509cert = 2;
+       */
+      public Builder setX509Cert(ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert value) {
+        if (x509CertBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          x509Cert_ = value;
+          onChanged();
+        } else {
+          x509CertBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * optional .ocs.PolicyX509Cert x509cert = 2;
+       */
+      public Builder setX509Cert(
+          ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.Builder builderForValue) {
+        if (x509CertBuilder_ == null) {
+          x509Cert_ = builderForValue.build();
+          onChanged();
+        } else {
+          x509CertBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * optional .ocs.PolicyX509Cert x509cert = 2;
+       */
+      public Builder mergeX509Cert(ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert value) {
+        if (x509CertBuilder_ == null) {
+          if (((bitField0_ & 0x00000002) != 0) &&
+              x509Cert_ != null &&
+              x509Cert_ != ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.getDefaultInstance()) {
+            x509Cert_ =
+              ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.newBuilder(x509Cert_).mergeFrom(value).buildPartial();
+          } else {
+            x509Cert_ = value;
+          }
+          onChanged();
+        } else {
+          x509CertBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * optional .ocs.PolicyX509Cert x509cert = 2;
+       */
+      public Builder clearX509Cert() {
+        if (x509CertBuilder_ == null) {
+          x509Cert_ = null;
+          onChanged();
+        } else {
+          x509CertBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+      /**
+       * optional .ocs.PolicyX509Cert x509cert = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.Builder getX509CertBuilder() {
+        bitField0_ |= 0x00000002;
+        onChanged();
+        return getX509CertFieldBuilder().getBuilder();
+      }
+      /**
+       * optional .ocs.PolicyX509Cert x509cert = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.PolicyX509CertOrBuilder getX509CertOrBuilder() {
+        if (x509CertBuilder_ != null) {
+          return x509CertBuilder_.getMessageOrBuilder();
+        } else {
+          return x509Cert_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.getDefaultInstance() : x509Cert_;
+        }
+      }
+      /**
+       * optional .ocs.PolicyX509Cert x509cert = 2;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert, ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyX509CertOrBuilder> 
+          getX509CertFieldBuilder() {
+        if (x509CertBuilder_ == null) {
+          x509CertBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert, ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyX509CertOrBuilder>(
+                  getX509Cert(),
+                  getParentForChildren(),
+                  isClean());
+          x509Cert_ = null;
+        }
+        return x509CertBuilder_;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.Policy)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.Policy)
+    private static final ch.epfl.dedis.lib.proto.OCS.Policy DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.Policy();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.Policy getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public Policy parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new Policy(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.Policy getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface PolicyByzCoinOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.PolicyByzCoin)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required bytes byzcoinid = 1;
+     */
+    boolean hasByzcoinid();
+    /**
+     * required bytes byzcoinid = 1;
+     */
+    com.google.protobuf.ByteString getByzcoinid();
+
+    /**
+     * required uint64 ttl = 2;
+     */
+    boolean hasTtl();
+    /**
+     * required uint64 ttl = 2;
+     */
+    long getTtl();
+  }
+  /**
+   * 
+   * PolicyByzCoin holds the information necessary to authenticate a byzcoin request.
+   * In the ByzCoin model, all requests are valid as long as they are stored in the
+   * blockchain with the given ID.
+   * The TTL is to avoid that too old requests are re-used. If it is 0, it is disabled.
+   * 

+   *
+   * Protobuf type {@code ocs.PolicyByzCoin}
+   */
+  public  static final class PolicyByzCoin extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.PolicyByzCoin)
+      PolicyByzCoinOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use PolicyByzCoin.newBuilder() to construct.
+    private PolicyByzCoin(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private PolicyByzCoin() {
+      byzcoinid_ = com.google.protobuf.ByteString.EMPTY;
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private PolicyByzCoin(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              bitField0_ |= 0x00000001;
+              byzcoinid_ = input.readBytes();
+              break;
+            }
+            case 16: {
+              bitField0_ |= 0x00000002;
+              ttl_ = input.readUInt64();
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_PolicyByzCoin_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_PolicyByzCoin_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.class, ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int BYZCOINID_FIELD_NUMBER = 1;
+    private com.google.protobuf.ByteString byzcoinid_;
+    /**
+     * required bytes byzcoinid = 1;
+     */
+    public boolean hasByzcoinid() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required bytes byzcoinid = 1;
+     */
+    public com.google.protobuf.ByteString getByzcoinid() {
+      return byzcoinid_;
+    }
+
+    public static final int TTL_FIELD_NUMBER = 2;
+    private long ttl_;
+    /**
+     * required uint64 ttl = 2;
+     */
+    public boolean hasTtl() {
+      return ((bitField0_ & 0x00000002) != 0);
+    }
+    /**
+     * required uint64 ttl = 2;
+     */
+    public long getTtl() {
+      return ttl_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasByzcoinid()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!hasTtl()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeBytes(1, byzcoinid_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        output.writeUInt64(2, ttl_);
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(1, byzcoinid_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeUInt64Size(2, ttl_);
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin other = (ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin) obj;
+
+      if (hasByzcoinid() != other.hasByzcoinid()) return false;
+      if (hasByzcoinid()) {
+        if (!getByzcoinid()
+            .equals(other.getByzcoinid())) return false;
+      }
+      if (hasTtl() != other.hasTtl()) return false;
+      if (hasTtl()) {
+        if (getTtl()
+            != other.getTtl()) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasByzcoinid()) {
+        hash = (37 * hash) + BYZCOINID_FIELD_NUMBER;
+        hash = (53 * hash) + getByzcoinid().hashCode();
+      }
+      if (hasTtl()) {
+        hash = (37 * hash) + TTL_FIELD_NUMBER;
+        hash = (53 * hash) + com.google.protobuf.Internal.hashLong(
+            getTtl());
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * PolicyByzCoin holds the information necessary to authenticate a byzcoin request.
+     * In the ByzCoin model, all requests are valid as long as they are stored in the
+     * blockchain with the given ID.
+     * The TTL is to avoid that too old requests are re-used. If it is 0, it is disabled.
+     * 

+     *
+     * Protobuf type {@code ocs.PolicyByzCoin}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.PolicyByzCoin)
+        ch.epfl.dedis.lib.proto.OCS.PolicyByzCoinOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_PolicyByzCoin_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_PolicyByzCoin_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.class, ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        byzcoinid_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000001);
+        ttl_ = 0L;
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_PolicyByzCoin_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin build() {
+        ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin result = new ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          to_bitField0_ |= 0x00000001;
+        }
+        result.byzcoinid_ = byzcoinid_;
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          result.ttl_ = ttl_;
+          to_bitField0_ |= 0x00000002;
+        }
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin.getDefaultInstance()) return this;
+        if (other.hasByzcoinid()) {
+          setByzcoinid(other.getByzcoinid());
+        }
+        if (other.hasTtl()) {
+          setTtl(other.getTtl());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasByzcoinid()) {
+          return false;
+        }
+        if (!hasTtl()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private com.google.protobuf.ByteString byzcoinid_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * required bytes byzcoinid = 1;
+       */
+      public boolean hasByzcoinid() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required bytes byzcoinid = 1;
+       */
+      public com.google.protobuf.ByteString getByzcoinid() {
+        return byzcoinid_;
+      }
+      /**
+       * required bytes byzcoinid = 1;
+       */
+      public Builder setByzcoinid(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000001;
+        byzcoinid_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required bytes byzcoinid = 1;
+       */
+      public Builder clearByzcoinid() {
+        bitField0_ = (bitField0_ & ~0x00000001);
+        byzcoinid_ = getDefaultInstance().getByzcoinid();
+        onChanged();
+        return this;
+      }
+
+      private long ttl_ ;
+      /**
+       * required uint64 ttl = 2;
+       */
+      public boolean hasTtl() {
+        return ((bitField0_ & 0x00000002) != 0);
+      }
+      /**
+       * required uint64 ttl = 2;
+       */
+      public long getTtl() {
+        return ttl_;
+      }
+      /**
+       * required uint64 ttl = 2;
+       */
+      public Builder setTtl(long value) {
+        bitField0_ |= 0x00000002;
+        ttl_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required uint64 ttl = 2;
+       */
+      public Builder clearTtl() {
+        bitField0_ = (bitField0_ & ~0x00000002);
+        ttl_ = 0L;
+        onChanged();
+        return this;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.PolicyByzCoin)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.PolicyByzCoin)
+    private static final ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public PolicyByzCoin parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new PolicyByzCoin(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.PolicyByzCoin getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface PolicyX509CertOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.PolicyX509Cert)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * 
+     * Slice of ASN.1 encoded X509 certificates.
+     * 

+     *
+     * repeated bytes ca = 1;
+     */
+    java.util.List getCaList();
+    /**
+     * 
+     * Slice of ASN.1 encoded X509 certificates.
+     * 

+     *
+     * repeated bytes ca = 1;
+     */
+    int getCaCount();
+    /**
+     * 
+     * Slice of ASN.1 encoded X509 certificates.
+     * 

+     *
+     * repeated bytes ca = 1;
+     */
+    com.google.protobuf.ByteString getCa(int index);
+
+    /**
+     * required sint32 threshold = 2;
+     */
+    boolean hasThreshold();
+    /**
+     * required sint32 threshold = 2;
+     */
+    int getThreshold();
+  }
+  /**
+   * 
+   * X509Cert holds the information necessary to authenticate a HyperLedger/Fabric
+   * request. In its simplest form, it is simply the CA that will have to sign the
+   * certificates of the requesters.
+   * The Threshold indicates how many clients must have signed the request before it
+   * is accepted.
+   * 

+   *
+   * Protobuf type {@code ocs.PolicyX509Cert}
+   */
+  public  static final class PolicyX509Cert extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.PolicyX509Cert)
+      PolicyX509CertOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use PolicyX509Cert.newBuilder() to construct.
+    private PolicyX509Cert(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private PolicyX509Cert() {
+      ca_ = java.util.Collections.emptyList();
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private PolicyX509Cert(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
+                ca_ = new java.util.ArrayList();
+                mutable_bitField0_ |= 0x00000001;
+              }
+              ca_.add(input.readBytes());
+              break;
+            }
+            case 16: {
+              bitField0_ |= 0x00000001;
+              threshold_ = input.readSInt32();
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
+          ca_ = java.util.Collections.unmodifiableList(ca_); // C
+        }
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_PolicyX509Cert_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_PolicyX509Cert_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.class, ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int CA_FIELD_NUMBER = 1;
+    private java.util.List ca_;
+    /**
+     * 
+     * Slice of ASN.1 encoded X509 certificates.
+     * 

+     *
+     * repeated bytes ca = 1;
+     */
+    public java.util.List
+        getCaList() {
+      return ca_;
+    }
+    /**
+     * 
+     * Slice of ASN.1 encoded X509 certificates.
+     * 

+     *
+     * repeated bytes ca = 1;
+     */
+    public int getCaCount() {
+      return ca_.size();
+    }
+    /**
+     * 
+     * Slice of ASN.1 encoded X509 certificates.
+     * 

+     *
+     * repeated bytes ca = 1;
+     */
+    public com.google.protobuf.ByteString getCa(int index) {
+      return ca_.get(index);
+    }
+
+    public static final int THRESHOLD_FIELD_NUMBER = 2;
+    private int threshold_;
+    /**
+     * required sint32 threshold = 2;
+     */
+    public boolean hasThreshold() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required sint32 threshold = 2;
+     */
+    public int getThreshold() {
+      return threshold_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasThreshold()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      for (int i = 0; i < ca_.size(); i++) {
+        output.writeBytes(1, ca_.get(i));
+      }
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeSInt32(2, threshold_);
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      {
+        int dataSize = 0;
+        for (int i = 0; i < ca_.size(); i++) {
+          dataSize += com.google.protobuf.CodedOutputStream
+            .computeBytesSizeNoTag(ca_.get(i));
+        }
+        size += dataSize;
+        size += 1 * getCaList().size();
+      }
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeSInt32Size(2, threshold_);
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert other = (ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert) obj;
+
+      if (!getCaList()
+          .equals(other.getCaList())) return false;
+      if (hasThreshold() != other.hasThreshold()) return false;
+      if (hasThreshold()) {
+        if (getThreshold()
+            != other.getThreshold()) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (getCaCount() > 0) {
+        hash = (37 * hash) + CA_FIELD_NUMBER;
+        hash = (53 * hash) + getCaList().hashCode();
+      }
+      if (hasThreshold()) {
+        hash = (37 * hash) + THRESHOLD_FIELD_NUMBER;
+        hash = (53 * hash) + getThreshold();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * X509Cert holds the information necessary to authenticate a HyperLedger/Fabric
+     * request. In its simplest form, it is simply the CA that will have to sign the
+     * certificates of the requesters.
+     * The Threshold indicates how many clients must have signed the request before it
+     * is accepted.
+     * 

+     *
+     * Protobuf type {@code ocs.PolicyX509Cert}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.PolicyX509Cert)
+        ch.epfl.dedis.lib.proto.OCS.PolicyX509CertOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_PolicyX509Cert_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_PolicyX509Cert_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.class, ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        ca_ = java.util.Collections.emptyList();
+        bitField0_ = (bitField0_ & ~0x00000001);
+        threshold_ = 0;
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_PolicyX509Cert_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert build() {
+        ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert result = new ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((bitField0_ & 0x00000001) != 0)) {
+          ca_ = java.util.Collections.unmodifiableList(ca_);
+          bitField0_ = (bitField0_ & ~0x00000001);
+        }
+        result.ca_ = ca_;
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          result.threshold_ = threshold_;
+          to_bitField0_ |= 0x00000001;
+        }
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert.getDefaultInstance()) return this;
+        if (!other.ca_.isEmpty()) {
+          if (ca_.isEmpty()) {
+            ca_ = other.ca_;
+            bitField0_ = (bitField0_ & ~0x00000001);
+          } else {
+            ensureCaIsMutable();
+            ca_.addAll(other.ca_);
+          }
+          onChanged();
+        }
+        if (other.hasThreshold()) {
+          setThreshold(other.getThreshold());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasThreshold()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private java.util.List ca_ = java.util.Collections.emptyList();
+      private void ensureCaIsMutable() {
+        if (!((bitField0_ & 0x00000001) != 0)) {
+          ca_ = new java.util.ArrayList(ca_);
+          bitField0_ |= 0x00000001;
+         }
+      }
+      /**
+       * 
+       * Slice of ASN.1 encoded X509 certificates.
+       * 

+       *
+       * repeated bytes ca = 1;
+       */
+      public java.util.List
+          getCaList() {
+        return ((bitField0_ & 0x00000001) != 0) ?
+                 java.util.Collections.unmodifiableList(ca_) : ca_;
+      }
+      /**
+       * 
+       * Slice of ASN.1 encoded X509 certificates.
+       * 

+       *
+       * repeated bytes ca = 1;
+       */
+      public int getCaCount() {
+        return ca_.size();
+      }
+      /**
+       * 
+       * Slice of ASN.1 encoded X509 certificates.
+       * 

+       *
+       * repeated bytes ca = 1;
+       */
+      public com.google.protobuf.ByteString getCa(int index) {
+        return ca_.get(index);
+      }
+      /**
+       * 
+       * Slice of ASN.1 encoded X509 certificates.
+       * 

+       *
+       * repeated bytes ca = 1;
+       */
+      public Builder setCa(
+          int index, com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  ensureCaIsMutable();
+        ca_.set(index, value);
+        onChanged();
+        return this;
+      }
+      /**
+       * 
+       * Slice of ASN.1 encoded X509 certificates.
+       * 

+       *
+       * repeated bytes ca = 1;
+       */
+      public Builder addCa(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  ensureCaIsMutable();
+        ca_.add(value);
+        onChanged();
+        return this;
+      }
+      /**
+       * 
+       * Slice of ASN.1 encoded X509 certificates.
+       * 

+       *
+       * repeated bytes ca = 1;
+       */
+      public Builder addAllCa(
+          java.lang.Iterable values) {
+        ensureCaIsMutable();
+        com.google.protobuf.AbstractMessageLite.Builder.addAll(
+            values, ca_);
+        onChanged();
+        return this;
+      }
+      /**
+       * 
+       * Slice of ASN.1 encoded X509 certificates.
+       * 

+       *
+       * repeated bytes ca = 1;
+       */
+      public Builder clearCa() {
+        ca_ = java.util.Collections.emptyList();
+        bitField0_ = (bitField0_ & ~0x00000001);
+        onChanged();
+        return this;
+      }
+
+      private int threshold_ ;
+      /**
+       * required sint32 threshold = 2;
+       */
+      public boolean hasThreshold() {
+        return ((bitField0_ & 0x00000002) != 0);
+      }
+      /**
+       * required sint32 threshold = 2;
+       */
+      public int getThreshold() {
+        return threshold_;
+      }
+      /**
+       * required sint32 threshold = 2;
+       */
+      public Builder setThreshold(int value) {
+        bitField0_ |= 0x00000002;
+        threshold_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required sint32 threshold = 2;
+       */
+      public Builder clearThreshold() {
+        bitField0_ = (bitField0_ & ~0x00000002);
+        threshold_ = 0;
+        onChanged();
+        return this;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.PolicyX509Cert)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.PolicyX509Cert)
+    private static final ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public PolicyX509Cert parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new PolicyX509Cert(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.PolicyX509Cert getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface AuthCreateOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.AuthCreate)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required .ocs.AuthCreateByzcoin byzcoin = 1;
+     */
+    boolean hasByzcoin();
+    /**
+     * required .ocs.AuthCreateByzcoin byzcoin = 1;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin getByzcoin();
+    /**
+     * required .ocs.AuthCreateByzcoin byzcoin = 1;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoinOrBuilder getByzcoinOrBuilder();
+
+    /**
+     * required .ocs.AuthCreateX509Cert x509cert = 2;
+     */
+    boolean hasX509Cert();
+    /**
+     * required .ocs.AuthCreateX509Cert x509cert = 2;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert getX509Cert();
+    /**
+     * required .ocs.AuthCreateX509Cert x509cert = 2;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthCreateX509CertOrBuilder getX509CertOrBuilder();
+  }
+  /**
+   * 
+   * AuthCreate prooves that the caller has the right to create a new OCS
+   * instance.
+   * 

+   *
+   * Protobuf type {@code ocs.AuthCreate}
+   */
+  public  static final class AuthCreate extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.AuthCreate)
+      AuthCreateOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use AuthCreate.newBuilder() to construct.
+    private AuthCreate(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private AuthCreate() {
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private AuthCreate(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000001) != 0)) {
+                subBuilder = byzcoin_.toBuilder();
+              }
+              byzcoin_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(byzcoin_);
+                byzcoin_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000001;
+              break;
+            }
+            case 18: {
+              ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000002) != 0)) {
+                subBuilder = x509Cert_.toBuilder();
+              }
+              x509Cert_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(x509Cert_);
+                x509Cert_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000002;
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthCreate_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthCreate_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.AuthCreate.class, ch.epfl.dedis.lib.proto.OCS.AuthCreate.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int BYZCOIN_FIELD_NUMBER = 1;
+    private ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin byzcoin_;
+    /**
+     * required .ocs.AuthCreateByzcoin byzcoin = 1;
+     */
+    public boolean hasByzcoin() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required .ocs.AuthCreateByzcoin byzcoin = 1;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin getByzcoin() {
+      return byzcoin_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.getDefaultInstance() : byzcoin_;
+    }
+    /**
+     * required .ocs.AuthCreateByzcoin byzcoin = 1;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoinOrBuilder getByzcoinOrBuilder() {
+      return byzcoin_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.getDefaultInstance() : byzcoin_;
+    }
+
+    public static final int X509CERT_FIELD_NUMBER = 2;
+    private ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert x509Cert_;
+    /**
+     * required .ocs.AuthCreateX509Cert x509cert = 2;
+     */
+    public boolean hasX509Cert() {
+      return ((bitField0_ & 0x00000002) != 0);
+    }
+    /**
+     * required .ocs.AuthCreateX509Cert x509cert = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert getX509Cert() {
+      return x509Cert_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.getDefaultInstance() : x509Cert_;
+    }
+    /**
+     * required .ocs.AuthCreateX509Cert x509cert = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthCreateX509CertOrBuilder getX509CertOrBuilder() {
+      return x509Cert_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.getDefaultInstance() : x509Cert_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasByzcoin()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!hasX509Cert()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!getByzcoin().isInitialized()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeMessage(1, getByzcoin());
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        output.writeMessage(2, getX509Cert());
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(1, getByzcoin());
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(2, getX509Cert());
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.AuthCreate)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.AuthCreate other = (ch.epfl.dedis.lib.proto.OCS.AuthCreate) obj;
+
+      if (hasByzcoin() != other.hasByzcoin()) return false;
+      if (hasByzcoin()) {
+        if (!getByzcoin()
+            .equals(other.getByzcoin())) return false;
+      }
+      if (hasX509Cert() != other.hasX509Cert()) return false;
+      if (hasX509Cert()) {
+        if (!getX509Cert()
+            .equals(other.getX509Cert())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasByzcoin()) {
+        hash = (37 * hash) + BYZCOIN_FIELD_NUMBER;
+        hash = (53 * hash) + getByzcoin().hashCode();
+      }
+      if (hasX509Cert()) {
+        hash = (37 * hash) + X509CERT_FIELD_NUMBER;
+        hash = (53 * hash) + getX509Cert().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreate parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreate parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreate parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreate parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreate parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreate parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreate parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreate parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreate parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreate parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreate parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreate parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.AuthCreate prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * AuthCreate prooves that the caller has the right to create a new OCS
+     * instance.
+     * 

+     *
+     * Protobuf type {@code ocs.AuthCreate}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.AuthCreate)
+        ch.epfl.dedis.lib.proto.OCS.AuthCreateOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthCreate_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthCreate_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.AuthCreate.class, ch.epfl.dedis.lib.proto.OCS.AuthCreate.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.AuthCreate.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+          getByzcoinFieldBuilder();
+          getX509CertFieldBuilder();
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        if (byzcoinBuilder_ == null) {
+          byzcoin_ = null;
+        } else {
+          byzcoinBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000001);
+        if (x509CertBuilder_ == null) {
+          x509Cert_ = null;
+        } else {
+          x509CertBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthCreate_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthCreate getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.AuthCreate.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthCreate build() {
+        ch.epfl.dedis.lib.proto.OCS.AuthCreate result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthCreate buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.AuthCreate result = new ch.epfl.dedis.lib.proto.OCS.AuthCreate(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (byzcoinBuilder_ == null) {
+            result.byzcoin_ = byzcoin_;
+          } else {
+            result.byzcoin_ = byzcoinBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000001;
+        }
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (x509CertBuilder_ == null) {
+            result.x509Cert_ = x509Cert_;
+          } else {
+            result.x509Cert_ = x509CertBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000002;
+        }
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.AuthCreate) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.AuthCreate)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.AuthCreate other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.AuthCreate.getDefaultInstance()) return this;
+        if (other.hasByzcoin()) {
+          mergeByzcoin(other.getByzcoin());
+        }
+        if (other.hasX509Cert()) {
+          mergeX509Cert(other.getX509Cert());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasByzcoin()) {
+          return false;
+        }
+        if (!hasX509Cert()) {
+          return false;
+        }
+        if (!getByzcoin().isInitialized()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.AuthCreate parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.AuthCreate) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin byzcoin_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin, ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.Builder, ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoinOrBuilder> byzcoinBuilder_;
+      /**
+       * required .ocs.AuthCreateByzcoin byzcoin = 1;
+       */
+      public boolean hasByzcoin() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required .ocs.AuthCreateByzcoin byzcoin = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin getByzcoin() {
+        if (byzcoinBuilder_ == null) {
+          return byzcoin_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.getDefaultInstance() : byzcoin_;
+        } else {
+          return byzcoinBuilder_.getMessage();
+        }
+      }
+      /**
+       * required .ocs.AuthCreateByzcoin byzcoin = 1;
+       */
+      public Builder setByzcoin(ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin value) {
+        if (byzcoinBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          byzcoin_ = value;
+          onChanged();
+        } else {
+          byzcoinBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * required .ocs.AuthCreateByzcoin byzcoin = 1;
+       */
+      public Builder setByzcoin(
+          ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.Builder builderForValue) {
+        if (byzcoinBuilder_ == null) {
+          byzcoin_ = builderForValue.build();
+          onChanged();
+        } else {
+          byzcoinBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * required .ocs.AuthCreateByzcoin byzcoin = 1;
+       */
+      public Builder mergeByzcoin(ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin value) {
+        if (byzcoinBuilder_ == null) {
+          if (((bitField0_ & 0x00000001) != 0) &&
+              byzcoin_ != null &&
+              byzcoin_ != ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.getDefaultInstance()) {
+            byzcoin_ =
+              ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.newBuilder(byzcoin_).mergeFrom(value).buildPartial();
+          } else {
+            byzcoin_ = value;
+          }
+          onChanged();
+        } else {
+          byzcoinBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * required .ocs.AuthCreateByzcoin byzcoin = 1;
+       */
+      public Builder clearByzcoin() {
+        if (byzcoinBuilder_ == null) {
+          byzcoin_ = null;
+          onChanged();
+        } else {
+          byzcoinBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000001);
+        return this;
+      }
+      /**
+       * required .ocs.AuthCreateByzcoin byzcoin = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.Builder getByzcoinBuilder() {
+        bitField0_ |= 0x00000001;
+        onChanged();
+        return getByzcoinFieldBuilder().getBuilder();
+      }
+      /**
+       * required .ocs.AuthCreateByzcoin byzcoin = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoinOrBuilder getByzcoinOrBuilder() {
+        if (byzcoinBuilder_ != null) {
+          return byzcoinBuilder_.getMessageOrBuilder();
+        } else {
+          return byzcoin_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.getDefaultInstance() : byzcoin_;
+        }
+      }
+      /**
+       * required .ocs.AuthCreateByzcoin byzcoin = 1;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin, ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.Builder, ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoinOrBuilder> 
+          getByzcoinFieldBuilder() {
+        if (byzcoinBuilder_ == null) {
+          byzcoinBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin, ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.Builder, ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoinOrBuilder>(
+                  getByzcoin(),
+                  getParentForChildren(),
+                  isClean());
+          byzcoin_ = null;
+        }
+        return byzcoinBuilder_;
+      }
+
+      private ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert x509Cert_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert, ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.Builder, ch.epfl.dedis.lib.proto.OCS.AuthCreateX509CertOrBuilder> x509CertBuilder_;
+      /**
+       * required .ocs.AuthCreateX509Cert x509cert = 2;
+       */
+      public boolean hasX509Cert() {
+        return ((bitField0_ & 0x00000002) != 0);
+      }
+      /**
+       * required .ocs.AuthCreateX509Cert x509cert = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert getX509Cert() {
+        if (x509CertBuilder_ == null) {
+          return x509Cert_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.getDefaultInstance() : x509Cert_;
+        } else {
+          return x509CertBuilder_.getMessage();
+        }
+      }
+      /**
+       * required .ocs.AuthCreateX509Cert x509cert = 2;
+       */
+      public Builder setX509Cert(ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert value) {
+        if (x509CertBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          x509Cert_ = value;
+          onChanged();
+        } else {
+          x509CertBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * required .ocs.AuthCreateX509Cert x509cert = 2;
+       */
+      public Builder setX509Cert(
+          ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.Builder builderForValue) {
+        if (x509CertBuilder_ == null) {
+          x509Cert_ = builderForValue.build();
+          onChanged();
+        } else {
+          x509CertBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * required .ocs.AuthCreateX509Cert x509cert = 2;
+       */
+      public Builder mergeX509Cert(ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert value) {
+        if (x509CertBuilder_ == null) {
+          if (((bitField0_ & 0x00000002) != 0) &&
+              x509Cert_ != null &&
+              x509Cert_ != ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.getDefaultInstance()) {
+            x509Cert_ =
+              ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.newBuilder(x509Cert_).mergeFrom(value).buildPartial();
+          } else {
+            x509Cert_ = value;
+          }
+          onChanged();
+        } else {
+          x509CertBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * required .ocs.AuthCreateX509Cert x509cert = 2;
+       */
+      public Builder clearX509Cert() {
+        if (x509CertBuilder_ == null) {
+          x509Cert_ = null;
+          onChanged();
+        } else {
+          x509CertBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+      /**
+       * required .ocs.AuthCreateX509Cert x509cert = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.Builder getX509CertBuilder() {
+        bitField0_ |= 0x00000002;
+        onChanged();
+        return getX509CertFieldBuilder().getBuilder();
+      }
+      /**
+       * required .ocs.AuthCreateX509Cert x509cert = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthCreateX509CertOrBuilder getX509CertOrBuilder() {
+        if (x509CertBuilder_ != null) {
+          return x509CertBuilder_.getMessageOrBuilder();
+        } else {
+          return x509Cert_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.getDefaultInstance() : x509Cert_;
+        }
+      }
+      /**
+       * required .ocs.AuthCreateX509Cert x509cert = 2;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert, ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.Builder, ch.epfl.dedis.lib.proto.OCS.AuthCreateX509CertOrBuilder> 
+          getX509CertFieldBuilder() {
+        if (x509CertBuilder_ == null) {
+          x509CertBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert, ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.Builder, ch.epfl.dedis.lib.proto.OCS.AuthCreateX509CertOrBuilder>(
+                  getX509Cert(),
+                  getParentForChildren(),
+                  isClean());
+          x509Cert_ = null;
+        }
+        return x509CertBuilder_;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.AuthCreate)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.AuthCreate)
+    private static final ch.epfl.dedis.lib.proto.OCS.AuthCreate DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.AuthCreate();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreate getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public AuthCreate parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new AuthCreate(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.AuthCreate getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface AuthCreateByzcoinOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.AuthCreateByzcoin)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required bytes byzcoinid = 1;
+     */
+    boolean hasByzcoinid();
+    /**
+     * required bytes byzcoinid = 1;
+     */
+    com.google.protobuf.ByteString getByzcoinid();
+
+    /**
+     * required bytes ltsinstance = 2;
+     */
+    boolean hasLtsinstance();
+    /**
+     * required bytes ltsinstance = 2;
+     */
+    com.google.protobuf.ByteString getLtsinstance();
+  }
+  /**
+   * 
+   * AuthCreateByzcoin must give the ByzcoinID and the proof to the LTSInstance
+   * for the creation of a new OCS.
+   * 

+   *
+   * Protobuf type {@code ocs.AuthCreateByzcoin}
+   */
+  public  static final class AuthCreateByzcoin extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.AuthCreateByzcoin)
+      AuthCreateByzcoinOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use AuthCreateByzcoin.newBuilder() to construct.
+    private AuthCreateByzcoin(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private AuthCreateByzcoin() {
+      byzcoinid_ = com.google.protobuf.ByteString.EMPTY;
+      ltsinstance_ = com.google.protobuf.ByteString.EMPTY;
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private AuthCreateByzcoin(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              bitField0_ |= 0x00000001;
+              byzcoinid_ = input.readBytes();
+              break;
+            }
+            case 18: {
+              bitField0_ |= 0x00000002;
+              ltsinstance_ = input.readBytes();
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthCreateByzcoin_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthCreateByzcoin_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.class, ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int BYZCOINID_FIELD_NUMBER = 1;
+    private com.google.protobuf.ByteString byzcoinid_;
+    /**
+     * required bytes byzcoinid = 1;
+     */
+    public boolean hasByzcoinid() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required bytes byzcoinid = 1;
+     */
+    public com.google.protobuf.ByteString getByzcoinid() {
+      return byzcoinid_;
+    }
+
+    public static final int LTSINSTANCE_FIELD_NUMBER = 2;
+    private com.google.protobuf.ByteString ltsinstance_;
+    /**
+     * required bytes ltsinstance = 2;
+     */
+    public boolean hasLtsinstance() {
+      return ((bitField0_ & 0x00000002) != 0);
+    }
+    /**
+     * required bytes ltsinstance = 2;
+     */
+    public com.google.protobuf.ByteString getLtsinstance() {
+      return ltsinstance_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasByzcoinid()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!hasLtsinstance()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeBytes(1, byzcoinid_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        output.writeBytes(2, ltsinstance_);
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(1, byzcoinid_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(2, ltsinstance_);
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin other = (ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin) obj;
+
+      if (hasByzcoinid() != other.hasByzcoinid()) return false;
+      if (hasByzcoinid()) {
+        if (!getByzcoinid()
+            .equals(other.getByzcoinid())) return false;
+      }
+      if (hasLtsinstance() != other.hasLtsinstance()) return false;
+      if (hasLtsinstance()) {
+        if (!getLtsinstance()
+            .equals(other.getLtsinstance())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasByzcoinid()) {
+        hash = (37 * hash) + BYZCOINID_FIELD_NUMBER;
+        hash = (53 * hash) + getByzcoinid().hashCode();
+      }
+      if (hasLtsinstance()) {
+        hash = (37 * hash) + LTSINSTANCE_FIELD_NUMBER;
+        hash = (53 * hash) + getLtsinstance().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * AuthCreateByzcoin must give the ByzcoinID and the proof to the LTSInstance
+     * for the creation of a new OCS.
+     * 

+     *
+     * Protobuf type {@code ocs.AuthCreateByzcoin}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.AuthCreateByzcoin)
+        ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoinOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthCreateByzcoin_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthCreateByzcoin_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.class, ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        byzcoinid_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000001);
+        ltsinstance_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthCreateByzcoin_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin build() {
+        ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin result = new ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          to_bitField0_ |= 0x00000001;
+        }
+        result.byzcoinid_ = byzcoinid_;
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          to_bitField0_ |= 0x00000002;
+        }
+        result.ltsinstance_ = ltsinstance_;
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin.getDefaultInstance()) return this;
+        if (other.hasByzcoinid()) {
+          setByzcoinid(other.getByzcoinid());
+        }
+        if (other.hasLtsinstance()) {
+          setLtsinstance(other.getLtsinstance());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasByzcoinid()) {
+          return false;
+        }
+        if (!hasLtsinstance()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private com.google.protobuf.ByteString byzcoinid_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * required bytes byzcoinid = 1;
+       */
+      public boolean hasByzcoinid() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required bytes byzcoinid = 1;
+       */
+      public com.google.protobuf.ByteString getByzcoinid() {
+        return byzcoinid_;
+      }
+      /**
+       * required bytes byzcoinid = 1;
+       */
+      public Builder setByzcoinid(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000001;
+        byzcoinid_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required bytes byzcoinid = 1;
+       */
+      public Builder clearByzcoinid() {
+        bitField0_ = (bitField0_ & ~0x00000001);
+        byzcoinid_ = getDefaultInstance().getByzcoinid();
+        onChanged();
+        return this;
+      }
+
+      private com.google.protobuf.ByteString ltsinstance_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * required bytes ltsinstance = 2;
+       */
+      public boolean hasLtsinstance() {
+        return ((bitField0_ & 0x00000002) != 0);
+      }
+      /**
+       * required bytes ltsinstance = 2;
+       */
+      public com.google.protobuf.ByteString getLtsinstance() {
+        return ltsinstance_;
+      }
+      /**
+       * required bytes ltsinstance = 2;
+       */
+      public Builder setLtsinstance(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000002;
+        ltsinstance_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required bytes ltsinstance = 2;
+       */
+      public Builder clearLtsinstance() {
+        bitField0_ = (bitField0_ & ~0x00000002);
+        ltsinstance_ = getDefaultInstance().getLtsinstance();
+        onChanged();
+        return this;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.AuthCreateByzcoin)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.AuthCreateByzcoin)
+    private static final ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public AuthCreateByzcoin parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new AuthCreateByzcoin(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.AuthCreateByzcoin getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface AuthCreateX509CertOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.AuthCreateX509Cert)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * repeated bytes certificates = 1;
+     */
+    java.util.List getCertificatesList();
+    /**
+     * repeated bytes certificates = 1;
+     */
+    int getCertificatesCount();
+    /**
+     * repeated bytes certificates = 1;
+     */
+    com.google.protobuf.ByteString getCertificates(int index);
+  }
+  /**
+   * 
+   * AuthCreateX509Cert must give a threshold number of certificates to proof that
+   * the caller has the right to create a new OCS.
+   * 

+   *
+   * Protobuf type {@code ocs.AuthCreateX509Cert}
+   */
+  public  static final class AuthCreateX509Cert extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.AuthCreateX509Cert)
+      AuthCreateX509CertOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use AuthCreateX509Cert.newBuilder() to construct.
+    private AuthCreateX509Cert(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private AuthCreateX509Cert() {
+      certificates_ = java.util.Collections.emptyList();
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private AuthCreateX509Cert(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
+                certificates_ = new java.util.ArrayList();
+                mutable_bitField0_ |= 0x00000001;
+              }
+              certificates_.add(input.readBytes());
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
+          certificates_ = java.util.Collections.unmodifiableList(certificates_); // C
+        }
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthCreateX509Cert_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthCreateX509Cert_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.class, ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.Builder.class);
+    }
+
+    public static final int CERTIFICATES_FIELD_NUMBER = 1;
+    private java.util.List certificates_;
+    /**
+     * repeated bytes certificates = 1;
+     */
+    public java.util.List
+        getCertificatesList() {
+      return certificates_;
+    }
+    /**
+     * repeated bytes certificates = 1;
+     */
+    public int getCertificatesCount() {
+      return certificates_.size();
+    }
+    /**
+     * repeated bytes certificates = 1;
+     */
+    public com.google.protobuf.ByteString getCertificates(int index) {
+      return certificates_.get(index);
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      for (int i = 0; i < certificates_.size(); i++) {
+        output.writeBytes(1, certificates_.get(i));
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      {
+        int dataSize = 0;
+        for (int i = 0; i < certificates_.size(); i++) {
+          dataSize += com.google.protobuf.CodedOutputStream
+            .computeBytesSizeNoTag(certificates_.get(i));
+        }
+        size += dataSize;
+        size += 1 * getCertificatesList().size();
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert other = (ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert) obj;
+
+      if (!getCertificatesList()
+          .equals(other.getCertificatesList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (getCertificatesCount() > 0) {
+        hash = (37 * hash) + CERTIFICATES_FIELD_NUMBER;
+        hash = (53 * hash) + getCertificatesList().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * AuthCreateX509Cert must give a threshold number of certificates to proof that
+     * the caller has the right to create a new OCS.
+     * 

+     *
+     * Protobuf type {@code ocs.AuthCreateX509Cert}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.AuthCreateX509Cert)
+        ch.epfl.dedis.lib.proto.OCS.AuthCreateX509CertOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthCreateX509Cert_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthCreateX509Cert_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.class, ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        certificates_ = java.util.Collections.emptyList();
+        bitField0_ = (bitField0_ & ~0x00000001);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthCreateX509Cert_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert build() {
+        ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert result = new ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert(this);
+        int from_bitField0_ = bitField0_;
+        if (((bitField0_ & 0x00000001) != 0)) {
+          certificates_ = java.util.Collections.unmodifiableList(certificates_);
+          bitField0_ = (bitField0_ & ~0x00000001);
+        }
+        result.certificates_ = certificates_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert.getDefaultInstance()) return this;
+        if (!other.certificates_.isEmpty()) {
+          if (certificates_.isEmpty()) {
+            certificates_ = other.certificates_;
+            bitField0_ = (bitField0_ & ~0x00000001);
+          } else {
+            ensureCertificatesIsMutable();
+            certificates_.addAll(other.certificates_);
+          }
+          onChanged();
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private java.util.List certificates_ = java.util.Collections.emptyList();
+      private void ensureCertificatesIsMutable() {
+        if (!((bitField0_ & 0x00000001) != 0)) {
+          certificates_ = new java.util.ArrayList(certificates_);
+          bitField0_ |= 0x00000001;
+         }
+      }
+      /**
+       * repeated bytes certificates = 1;
+       */
+      public java.util.List
+          getCertificatesList() {
+        return ((bitField0_ & 0x00000001) != 0) ?
+                 java.util.Collections.unmodifiableList(certificates_) : certificates_;
+      }
+      /**
+       * repeated bytes certificates = 1;
+       */
+      public int getCertificatesCount() {
+        return certificates_.size();
+      }
+      /**
+       * repeated bytes certificates = 1;
+       */
+      public com.google.protobuf.ByteString getCertificates(int index) {
+        return certificates_.get(index);
+      }
+      /**
+       * repeated bytes certificates = 1;
+       */
+      public Builder setCertificates(
+          int index, com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  ensureCertificatesIsMutable();
+        certificates_.set(index, value);
+        onChanged();
+        return this;
+      }
+      /**
+       * repeated bytes certificates = 1;
+       */
+      public Builder addCertificates(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  ensureCertificatesIsMutable();
+        certificates_.add(value);
+        onChanged();
+        return this;
+      }
+      /**
+       * repeated bytes certificates = 1;
+       */
+      public Builder addAllCertificates(
+          java.lang.Iterable values) {
+        ensureCertificatesIsMutable();
+        com.google.protobuf.AbstractMessageLite.Builder.addAll(
+            values, certificates_);
+        onChanged();
+        return this;
+      }
+      /**
+       * repeated bytes certificates = 1;
+       */
+      public Builder clearCertificates() {
+        certificates_ = java.util.Collections.emptyList();
+        bitField0_ = (bitField0_ & ~0x00000001);
+        onChanged();
+        return this;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.AuthCreateX509Cert)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.AuthCreateX509Cert)
+    private static final ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public AuthCreateX509Cert parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new AuthCreateX509Cert(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.AuthCreateX509Cert getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface AuthReencryptOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.AuthReencrypt)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required bytes ephemeral = 1;
+     */
+    boolean hasEphemeral();
+    /**
+     * required bytes ephemeral = 1;
+     */
+    com.google.protobuf.ByteString getEphemeral();
+
+    /**
+     * optional .ocs.AuthReencryptByzCoin byzcoin = 2;
+     */
+    boolean hasByzcoin();
+    /**
+     * optional .ocs.AuthReencryptByzCoin byzcoin = 2;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin getByzcoin();
+    /**
+     * optional .ocs.AuthReencryptByzCoin byzcoin = 2;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoinOrBuilder getByzcoinOrBuilder();
+
+    /**
+     * optional .ocs.AuthReencryptX509Cert x509cert = 3;
+     */
+    boolean hasX509Cert();
+    /**
+     * optional .ocs.AuthReencryptX509Cert x509cert = 3;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert getX509Cert();
+    /**
+     * optional .ocs.AuthReencryptX509Cert x509cert = 3;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509CertOrBuilder getX509CertOrBuilder();
+  }
+  /**
+   * 
+   * AuthReencrypt holds one of the possible authentication proofs for a reencryption request. Each
+   * authentication proof must hold the secret to be reencrypted, the ephemeral key, as well
+   * as the proof itself that the request is valid. For each of the authentication
+   * schemes, this proof will be different.
+   * 

+   *
+   * Protobuf type {@code ocs.AuthReencrypt}
+   */
+  public  static final class AuthReencrypt extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.AuthReencrypt)
+      AuthReencryptOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use AuthReencrypt.newBuilder() to construct.
+    private AuthReencrypt(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private AuthReencrypt() {
+      ephemeral_ = com.google.protobuf.ByteString.EMPTY;
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private AuthReencrypt(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              bitField0_ |= 0x00000001;
+              ephemeral_ = input.readBytes();
+              break;
+            }
+            case 18: {
+              ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000002) != 0)) {
+                subBuilder = byzcoin_.toBuilder();
+              }
+              byzcoin_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(byzcoin_);
+                byzcoin_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000002;
+              break;
+            }
+            case 26: {
+              ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000004) != 0)) {
+                subBuilder = x509Cert_.toBuilder();
+              }
+              x509Cert_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(x509Cert_);
+                x509Cert_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000004;
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReencrypt_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReencrypt_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.class, ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int EPHEMERAL_FIELD_NUMBER = 1;
+    private com.google.protobuf.ByteString ephemeral_;
+    /**
+     * required bytes ephemeral = 1;
+     */
+    public boolean hasEphemeral() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required bytes ephemeral = 1;
+     */
+    public com.google.protobuf.ByteString getEphemeral() {
+      return ephemeral_;
+    }
+
+    public static final int BYZCOIN_FIELD_NUMBER = 2;
+    private ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin byzcoin_;
+    /**
+     * optional .ocs.AuthReencryptByzCoin byzcoin = 2;
+     */
+    public boolean hasByzcoin() {
+      return ((bitField0_ & 0x00000002) != 0);
+    }
+    /**
+     * optional .ocs.AuthReencryptByzCoin byzcoin = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin getByzcoin() {
+      return byzcoin_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.getDefaultInstance() : byzcoin_;
+    }
+    /**
+     * optional .ocs.AuthReencryptByzCoin byzcoin = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoinOrBuilder getByzcoinOrBuilder() {
+      return byzcoin_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.getDefaultInstance() : byzcoin_;
+    }
+
+    public static final int X509CERT_FIELD_NUMBER = 3;
+    private ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert x509Cert_;
+    /**
+     * optional .ocs.AuthReencryptX509Cert x509cert = 3;
+     */
+    public boolean hasX509Cert() {
+      return ((bitField0_ & 0x00000004) != 0);
+    }
+    /**
+     * optional .ocs.AuthReencryptX509Cert x509cert = 3;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert getX509Cert() {
+      return x509Cert_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.getDefaultInstance() : x509Cert_;
+    }
+    /**
+     * optional .ocs.AuthReencryptX509Cert x509cert = 3;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509CertOrBuilder getX509CertOrBuilder() {
+      return x509Cert_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.getDefaultInstance() : x509Cert_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasEphemeral()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (hasByzcoin()) {
+        if (!getByzcoin().isInitialized()) {
+          memoizedIsInitialized = 0;
+          return false;
+        }
+      }
+      if (hasX509Cert()) {
+        if (!getX509Cert().isInitialized()) {
+          memoizedIsInitialized = 0;
+          return false;
+        }
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeBytes(1, ephemeral_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        output.writeMessage(2, getByzcoin());
+      }
+      if (((bitField0_ & 0x00000004) != 0)) {
+        output.writeMessage(3, getX509Cert());
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(1, ephemeral_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(2, getByzcoin());
+      }
+      if (((bitField0_ & 0x00000004) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(3, getX509Cert());
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.AuthReencrypt)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.AuthReencrypt other = (ch.epfl.dedis.lib.proto.OCS.AuthReencrypt) obj;
+
+      if (hasEphemeral() != other.hasEphemeral()) return false;
+      if (hasEphemeral()) {
+        if (!getEphemeral()
+            .equals(other.getEphemeral())) return false;
+      }
+      if (hasByzcoin() != other.hasByzcoin()) return false;
+      if (hasByzcoin()) {
+        if (!getByzcoin()
+            .equals(other.getByzcoin())) return false;
+      }
+      if (hasX509Cert() != other.hasX509Cert()) return false;
+      if (hasX509Cert()) {
+        if (!getX509Cert()
+            .equals(other.getX509Cert())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasEphemeral()) {
+        hash = (37 * hash) + EPHEMERAL_FIELD_NUMBER;
+        hash = (53 * hash) + getEphemeral().hashCode();
+      }
+      if (hasByzcoin()) {
+        hash = (37 * hash) + BYZCOIN_FIELD_NUMBER;
+        hash = (53 * hash) + getByzcoin().hashCode();
+      }
+      if (hasX509Cert()) {
+        hash = (37 * hash) + X509CERT_FIELD_NUMBER;
+        hash = (53 * hash) + getX509Cert().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencrypt parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencrypt parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencrypt parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencrypt parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencrypt parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencrypt parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencrypt parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencrypt parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencrypt parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencrypt parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencrypt parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencrypt parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.AuthReencrypt prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * AuthReencrypt holds one of the possible authentication proofs for a reencryption request. Each
+     * authentication proof must hold the secret to be reencrypted, the ephemeral key, as well
+     * as the proof itself that the request is valid. For each of the authentication
+     * schemes, this proof will be different.
+     * 

+     *
+     * Protobuf type {@code ocs.AuthReencrypt}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.AuthReencrypt)
+        ch.epfl.dedis.lib.proto.OCS.AuthReencryptOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReencrypt_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReencrypt_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.class, ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+          getByzcoinFieldBuilder();
+          getX509CertFieldBuilder();
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        ephemeral_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000001);
+        if (byzcoinBuilder_ == null) {
+          byzcoin_ = null;
+        } else {
+          byzcoinBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        if (x509CertBuilder_ == null) {
+          x509Cert_ = null;
+        } else {
+          x509CertBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000004);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReencrypt_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencrypt getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencrypt build() {
+        ch.epfl.dedis.lib.proto.OCS.AuthReencrypt result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencrypt buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.AuthReencrypt result = new ch.epfl.dedis.lib.proto.OCS.AuthReencrypt(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          to_bitField0_ |= 0x00000001;
+        }
+        result.ephemeral_ = ephemeral_;
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (byzcoinBuilder_ == null) {
+            result.byzcoin_ = byzcoin_;
+          } else {
+            result.byzcoin_ = byzcoinBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000002;
+        }
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          if (x509CertBuilder_ == null) {
+            result.x509Cert_ = x509Cert_;
+          } else {
+            result.x509Cert_ = x509CertBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000004;
+        }
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.AuthReencrypt) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.AuthReencrypt)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.AuthReencrypt other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.AuthReencrypt.getDefaultInstance()) return this;
+        if (other.hasEphemeral()) {
+          setEphemeral(other.getEphemeral());
+        }
+        if (other.hasByzcoin()) {
+          mergeByzcoin(other.getByzcoin());
+        }
+        if (other.hasX509Cert()) {
+          mergeX509Cert(other.getX509Cert());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasEphemeral()) {
+          return false;
+        }
+        if (hasByzcoin()) {
+          if (!getByzcoin().isInitialized()) {
+            return false;
+          }
+        }
+        if (hasX509Cert()) {
+          if (!getX509Cert().isInitialized()) {
+            return false;
+          }
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.AuthReencrypt parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.AuthReencrypt) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private com.google.protobuf.ByteString ephemeral_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * required bytes ephemeral = 1;
+       */
+      public boolean hasEphemeral() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required bytes ephemeral = 1;
+       */
+      public com.google.protobuf.ByteString getEphemeral() {
+        return ephemeral_;
+      }
+      /**
+       * required bytes ephemeral = 1;
+       */
+      public Builder setEphemeral(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000001;
+        ephemeral_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required bytes ephemeral = 1;
+       */
+      public Builder clearEphemeral() {
+        bitField0_ = (bitField0_ & ~0x00000001);
+        ephemeral_ = getDefaultInstance().getEphemeral();
+        onChanged();
+        return this;
+      }
+
+      private ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin byzcoin_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin, ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoinOrBuilder> byzcoinBuilder_;
+      /**
+       * optional .ocs.AuthReencryptByzCoin byzcoin = 2;
+       */
+      public boolean hasByzcoin() {
+        return ((bitField0_ & 0x00000002) != 0);
+      }
+      /**
+       * optional .ocs.AuthReencryptByzCoin byzcoin = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin getByzcoin() {
+        if (byzcoinBuilder_ == null) {
+          return byzcoin_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.getDefaultInstance() : byzcoin_;
+        } else {
+          return byzcoinBuilder_.getMessage();
+        }
+      }
+      /**
+       * optional .ocs.AuthReencryptByzCoin byzcoin = 2;
+       */
+      public Builder setByzcoin(ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin value) {
+        if (byzcoinBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          byzcoin_ = value;
+          onChanged();
+        } else {
+          byzcoinBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReencryptByzCoin byzcoin = 2;
+       */
+      public Builder setByzcoin(
+          ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.Builder builderForValue) {
+        if (byzcoinBuilder_ == null) {
+          byzcoin_ = builderForValue.build();
+          onChanged();
+        } else {
+          byzcoinBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReencryptByzCoin byzcoin = 2;
+       */
+      public Builder mergeByzcoin(ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin value) {
+        if (byzcoinBuilder_ == null) {
+          if (((bitField0_ & 0x00000002) != 0) &&
+              byzcoin_ != null &&
+              byzcoin_ != ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.getDefaultInstance()) {
+            byzcoin_ =
+              ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.newBuilder(byzcoin_).mergeFrom(value).buildPartial();
+          } else {
+            byzcoin_ = value;
+          }
+          onChanged();
+        } else {
+          byzcoinBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReencryptByzCoin byzcoin = 2;
+       */
+      public Builder clearByzcoin() {
+        if (byzcoinBuilder_ == null) {
+          byzcoin_ = null;
+          onChanged();
+        } else {
+          byzcoinBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReencryptByzCoin byzcoin = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.Builder getByzcoinBuilder() {
+        bitField0_ |= 0x00000002;
+        onChanged();
+        return getByzcoinFieldBuilder().getBuilder();
+      }
+      /**
+       * optional .ocs.AuthReencryptByzCoin byzcoin = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoinOrBuilder getByzcoinOrBuilder() {
+        if (byzcoinBuilder_ != null) {
+          return byzcoinBuilder_.getMessageOrBuilder();
+        } else {
+          return byzcoin_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.getDefaultInstance() : byzcoin_;
+        }
+      }
+      /**
+       * optional .ocs.AuthReencryptByzCoin byzcoin = 2;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin, ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoinOrBuilder> 
+          getByzcoinFieldBuilder() {
+        if (byzcoinBuilder_ == null) {
+          byzcoinBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin, ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoinOrBuilder>(
+                  getByzcoin(),
+                  getParentForChildren(),
+                  isClean());
+          byzcoin_ = null;
+        }
+        return byzcoinBuilder_;
+      }
+
+      private ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert x509Cert_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert, ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509CertOrBuilder> x509CertBuilder_;
+      /**
+       * optional .ocs.AuthReencryptX509Cert x509cert = 3;
+       */
+      public boolean hasX509Cert() {
+        return ((bitField0_ & 0x00000004) != 0);
+      }
+      /**
+       * optional .ocs.AuthReencryptX509Cert x509cert = 3;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert getX509Cert() {
+        if (x509CertBuilder_ == null) {
+          return x509Cert_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.getDefaultInstance() : x509Cert_;
+        } else {
+          return x509CertBuilder_.getMessage();
+        }
+      }
+      /**
+       * optional .ocs.AuthReencryptX509Cert x509cert = 3;
+       */
+      public Builder setX509Cert(ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert value) {
+        if (x509CertBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          x509Cert_ = value;
+          onChanged();
+        } else {
+          x509CertBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000004;
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReencryptX509Cert x509cert = 3;
+       */
+      public Builder setX509Cert(
+          ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.Builder builderForValue) {
+        if (x509CertBuilder_ == null) {
+          x509Cert_ = builderForValue.build();
+          onChanged();
+        } else {
+          x509CertBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000004;
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReencryptX509Cert x509cert = 3;
+       */
+      public Builder mergeX509Cert(ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert value) {
+        if (x509CertBuilder_ == null) {
+          if (((bitField0_ & 0x00000004) != 0) &&
+              x509Cert_ != null &&
+              x509Cert_ != ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.getDefaultInstance()) {
+            x509Cert_ =
+              ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.newBuilder(x509Cert_).mergeFrom(value).buildPartial();
+          } else {
+            x509Cert_ = value;
+          }
+          onChanged();
+        } else {
+          x509CertBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000004;
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReencryptX509Cert x509cert = 3;
+       */
+      public Builder clearX509Cert() {
+        if (x509CertBuilder_ == null) {
+          x509Cert_ = null;
+          onChanged();
+        } else {
+          x509CertBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000004);
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReencryptX509Cert x509cert = 3;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.Builder getX509CertBuilder() {
+        bitField0_ |= 0x00000004;
+        onChanged();
+        return getX509CertFieldBuilder().getBuilder();
+      }
+      /**
+       * optional .ocs.AuthReencryptX509Cert x509cert = 3;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509CertOrBuilder getX509CertOrBuilder() {
+        if (x509CertBuilder_ != null) {
+          return x509CertBuilder_.getMessageOrBuilder();
+        } else {
+          return x509Cert_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.getDefaultInstance() : x509Cert_;
+        }
+      }
+      /**
+       * optional .ocs.AuthReencryptX509Cert x509cert = 3;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert, ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509CertOrBuilder> 
+          getX509CertFieldBuilder() {
+        if (x509CertBuilder_ == null) {
+          x509CertBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert, ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509CertOrBuilder>(
+                  getX509Cert(),
+                  getParentForChildren(),
+                  isClean());
+          x509Cert_ = null;
+        }
+        return x509CertBuilder_;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.AuthReencrypt)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.AuthReencrypt)
+    private static final ch.epfl.dedis.lib.proto.OCS.AuthReencrypt DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.AuthReencrypt();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencrypt getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public AuthReencrypt parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new AuthReencrypt(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.AuthReencrypt getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface AuthReencryptByzCoinOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.AuthReencryptByzCoin)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * 
+     * Write is the proof containing the write request.
+     * 

+     *
+     * required bytes write = 1;
+     */
+    boolean hasWrite();
+    /**
+     * 
+     * Write is the proof containing the write request.
+     * 

+     *
+     * required bytes write = 1;
+     */
+    com.google.protobuf.ByteString getWrite();
+
+    /**
+     * 
+     * Read is the proof that he has been accepted to read the secret.
+     * 

+     *
+     * required bytes read = 2;
+     */
+    boolean hasRead();
+    /**
+     * 
+     * Read is the proof that he has been accepted to read the secret.
+     * 

+     *
+     * required bytes read = 2;
+     */
+    com.google.protobuf.ByteString getRead();
+
+    /**
+     * 
+     * Ephemeral can be non-nil to point to a key to which the data needs to be
+     * re-encrypted to, but then Signature also needs to be non-nil.
+     * 

+     *
+     * required bytes ephemeral = 3;
+     */
+    boolean hasEphemeral();
+    /**
+     * 
+     * Ephemeral can be non-nil to point to a key to which the data needs to be
+     * re-encrypted to, but then Signature also needs to be non-nil.
+     * 

+     *
+     * required bytes ephemeral = 3;
+     */
+    com.google.protobuf.ByteString getEphemeral();
+
+    /**
+     * 
+     * If Ephemeral si non-nil, it must be signed by the darc responsible for the
+     * Read instance to make sure it's a valid reencryption-request.
+     * 

+     *
+     * optional .darc.Signature signature = 4;
+     */
+    boolean hasSignature();
+    /**
+     * 
+     * If Ephemeral si non-nil, it must be signed by the darc responsible for the
+     * Read instance to make sure it's a valid reencryption-request.
+     * 

+     *
+     * optional .darc.Signature signature = 4;
+     */
+    ch.epfl.dedis.lib.proto.DarcProto.Signature getSignature();
+    /**
+     * 
+     * If Ephemeral si non-nil, it must be signed by the darc responsible for the
+     * Read instance to make sure it's a valid reencryption-request.
+     * 

+     *
+     * optional .darc.Signature signature = 4;
+     */
+    ch.epfl.dedis.lib.proto.DarcProto.SignatureOrBuilder getSignatureOrBuilder();
+  }
+  /**
+   * 
+   * AuthReencryptByzCoin holds the proof of the write instance, holding the secret itself.
+   * The proof of the read instance holds the ephemeral key. Both proofs can be
+   * verified using one of the stored ByzCoinIDs.
+   * 

+   *
+   * Protobuf type {@code ocs.AuthReencryptByzCoin}
+   */
+  public  static final class AuthReencryptByzCoin extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.AuthReencryptByzCoin)
+      AuthReencryptByzCoinOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use AuthReencryptByzCoin.newBuilder() to construct.
+    private AuthReencryptByzCoin(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private AuthReencryptByzCoin() {
+      write_ = com.google.protobuf.ByteString.EMPTY;
+      read_ = com.google.protobuf.ByteString.EMPTY;
+      ephemeral_ = com.google.protobuf.ByteString.EMPTY;
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private AuthReencryptByzCoin(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              bitField0_ |= 0x00000001;
+              write_ = input.readBytes();
+              break;
+            }
+            case 18: {
+              bitField0_ |= 0x00000002;
+              read_ = input.readBytes();
+              break;
+            }
+            case 26: {
+              bitField0_ |= 0x00000004;
+              ephemeral_ = input.readBytes();
+              break;
+            }
+            case 34: {
+              ch.epfl.dedis.lib.proto.DarcProto.Signature.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000008) != 0)) {
+                subBuilder = signature_.toBuilder();
+              }
+              signature_ = input.readMessage(ch.epfl.dedis.lib.proto.DarcProto.Signature.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(signature_);
+                signature_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000008;
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReencryptByzCoin_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReencryptByzCoin_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.class, ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int WRITE_FIELD_NUMBER = 1;
+    private com.google.protobuf.ByteString write_;
+    /**
+     * 
+     * Write is the proof containing the write request.
+     * 

+     *
+     * required bytes write = 1;
+     */
+    public boolean hasWrite() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * 
+     * Write is the proof containing the write request.
+     * 

+     *
+     * required bytes write = 1;
+     */
+    public com.google.protobuf.ByteString getWrite() {
+      return write_;
+    }
+
+    public static final int READ_FIELD_NUMBER = 2;
+    private com.google.protobuf.ByteString read_;
+    /**
+     * 
+     * Read is the proof that he has been accepted to read the secret.
+     * 

+     *
+     * required bytes read = 2;
+     */
+    public boolean hasRead() {
+      return ((bitField0_ & 0x00000002) != 0);
+    }
+    /**
+     * 
+     * Read is the proof that he has been accepted to read the secret.
+     * 

+     *
+     * required bytes read = 2;
+     */
+    public com.google.protobuf.ByteString getRead() {
+      return read_;
+    }
+
+    public static final int EPHEMERAL_FIELD_NUMBER = 3;
+    private com.google.protobuf.ByteString ephemeral_;
+    /**
+     * 
+     * Ephemeral can be non-nil to point to a key to which the data needs to be
+     * re-encrypted to, but then Signature also needs to be non-nil.
+     * 

+     *
+     * required bytes ephemeral = 3;
+     */
+    public boolean hasEphemeral() {
+      return ((bitField0_ & 0x00000004) != 0);
+    }
+    /**
+     * 
+     * Ephemeral can be non-nil to point to a key to which the data needs to be
+     * re-encrypted to, but then Signature also needs to be non-nil.
+     * 

+     *
+     * required bytes ephemeral = 3;
+     */
+    public com.google.protobuf.ByteString getEphemeral() {
+      return ephemeral_;
+    }
+
+    public static final int SIGNATURE_FIELD_NUMBER = 4;
+    private ch.epfl.dedis.lib.proto.DarcProto.Signature signature_;
+    /**
+     * 
+     * If Ephemeral si non-nil, it must be signed by the darc responsible for the
+     * Read instance to make sure it's a valid reencryption-request.
+     * 

+     *
+     * optional .darc.Signature signature = 4;
+     */
+    public boolean hasSignature() {
+      return ((bitField0_ & 0x00000008) != 0);
+    }
+    /**
+     * 
+     * If Ephemeral si non-nil, it must be signed by the darc responsible for the
+     * Read instance to make sure it's a valid reencryption-request.
+     * 

+     *
+     * optional .darc.Signature signature = 4;
+     */
+    public ch.epfl.dedis.lib.proto.DarcProto.Signature getSignature() {
+      return signature_ == null ? ch.epfl.dedis.lib.proto.DarcProto.Signature.getDefaultInstance() : signature_;
+    }
+    /**
+     * 
+     * If Ephemeral si non-nil, it must be signed by the darc responsible for the
+     * Read instance to make sure it's a valid reencryption-request.
+     * 

+     *
+     * optional .darc.Signature signature = 4;
+     */
+    public ch.epfl.dedis.lib.proto.DarcProto.SignatureOrBuilder getSignatureOrBuilder() {
+      return signature_ == null ? ch.epfl.dedis.lib.proto.DarcProto.Signature.getDefaultInstance() : signature_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasWrite()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!hasRead()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!hasEphemeral()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (hasSignature()) {
+        if (!getSignature().isInitialized()) {
+          memoizedIsInitialized = 0;
+          return false;
+        }
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeBytes(1, write_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        output.writeBytes(2, read_);
+      }
+      if (((bitField0_ & 0x00000004) != 0)) {
+        output.writeBytes(3, ephemeral_);
+      }
+      if (((bitField0_ & 0x00000008) != 0)) {
+        output.writeMessage(4, getSignature());
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(1, write_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(2, read_);
+      }
+      if (((bitField0_ & 0x00000004) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(3, ephemeral_);
+      }
+      if (((bitField0_ & 0x00000008) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(4, getSignature());
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin other = (ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin) obj;
+
+      if (hasWrite() != other.hasWrite()) return false;
+      if (hasWrite()) {
+        if (!getWrite()
+            .equals(other.getWrite())) return false;
+      }
+      if (hasRead() != other.hasRead()) return false;
+      if (hasRead()) {
+        if (!getRead()
+            .equals(other.getRead())) return false;
+      }
+      if (hasEphemeral() != other.hasEphemeral()) return false;
+      if (hasEphemeral()) {
+        if (!getEphemeral()
+            .equals(other.getEphemeral())) return false;
+      }
+      if (hasSignature() != other.hasSignature()) return false;
+      if (hasSignature()) {
+        if (!getSignature()
+            .equals(other.getSignature())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasWrite()) {
+        hash = (37 * hash) + WRITE_FIELD_NUMBER;
+        hash = (53 * hash) + getWrite().hashCode();
+      }
+      if (hasRead()) {
+        hash = (37 * hash) + READ_FIELD_NUMBER;
+        hash = (53 * hash) + getRead().hashCode();
+      }
+      if (hasEphemeral()) {
+        hash = (37 * hash) + EPHEMERAL_FIELD_NUMBER;
+        hash = (53 * hash) + getEphemeral().hashCode();
+      }
+      if (hasSignature()) {
+        hash = (37 * hash) + SIGNATURE_FIELD_NUMBER;
+        hash = (53 * hash) + getSignature().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * AuthReencryptByzCoin holds the proof of the write instance, holding the secret itself.
+     * The proof of the read instance holds the ephemeral key. Both proofs can be
+     * verified using one of the stored ByzCoinIDs.
+     * 

+     *
+     * Protobuf type {@code ocs.AuthReencryptByzCoin}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.AuthReencryptByzCoin)
+        ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoinOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReencryptByzCoin_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReencryptByzCoin_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.class, ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+          getSignatureFieldBuilder();
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        write_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000001);
+        read_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000002);
+        ephemeral_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000004);
+        if (signatureBuilder_ == null) {
+          signature_ = null;
+        } else {
+          signatureBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000008);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReencryptByzCoin_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin build() {
+        ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin result = new ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          to_bitField0_ |= 0x00000001;
+        }
+        result.write_ = write_;
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          to_bitField0_ |= 0x00000002;
+        }
+        result.read_ = read_;
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          to_bitField0_ |= 0x00000004;
+        }
+        result.ephemeral_ = ephemeral_;
+        if (((from_bitField0_ & 0x00000008) != 0)) {
+          if (signatureBuilder_ == null) {
+            result.signature_ = signature_;
+          } else {
+            result.signature_ = signatureBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000008;
+        }
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin.getDefaultInstance()) return this;
+        if (other.hasWrite()) {
+          setWrite(other.getWrite());
+        }
+        if (other.hasRead()) {
+          setRead(other.getRead());
+        }
+        if (other.hasEphemeral()) {
+          setEphemeral(other.getEphemeral());
+        }
+        if (other.hasSignature()) {
+          mergeSignature(other.getSignature());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasWrite()) {
+          return false;
+        }
+        if (!hasRead()) {
+          return false;
+        }
+        if (!hasEphemeral()) {
+          return false;
+        }
+        if (hasSignature()) {
+          if (!getSignature().isInitialized()) {
+            return false;
+          }
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private com.google.protobuf.ByteString write_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * 
+       * Write is the proof containing the write request.
+       * 

+       *
+       * required bytes write = 1;
+       */
+      public boolean hasWrite() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * 
+       * Write is the proof containing the write request.
+       * 

+       *
+       * required bytes write = 1;
+       */
+      public com.google.protobuf.ByteString getWrite() {
+        return write_;
+      }
+      /**
+       * 
+       * Write is the proof containing the write request.
+       * 

+       *
+       * required bytes write = 1;
+       */
+      public Builder setWrite(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000001;
+        write_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * 
+       * Write is the proof containing the write request.
+       * 

+       *
+       * required bytes write = 1;
+       */
+      public Builder clearWrite() {
+        bitField0_ = (bitField0_ & ~0x00000001);
+        write_ = getDefaultInstance().getWrite();
+        onChanged();
+        return this;
+      }
+
+      private com.google.protobuf.ByteString read_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * 
+       * Read is the proof that he has been accepted to read the secret.
+       * 

+       *
+       * required bytes read = 2;
+       */
+      public boolean hasRead() {
+        return ((bitField0_ & 0x00000002) != 0);
+      }
+      /**
+       * 
+       * Read is the proof that he has been accepted to read the secret.
+       * 

+       *
+       * required bytes read = 2;
+       */
+      public com.google.protobuf.ByteString getRead() {
+        return read_;
+      }
+      /**
+       * 
+       * Read is the proof that he has been accepted to read the secret.
+       * 

+       *
+       * required bytes read = 2;
+       */
+      public Builder setRead(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000002;
+        read_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * 
+       * Read is the proof that he has been accepted to read the secret.
+       * 

+       *
+       * required bytes read = 2;
+       */
+      public Builder clearRead() {
+        bitField0_ = (bitField0_ & ~0x00000002);
+        read_ = getDefaultInstance().getRead();
+        onChanged();
+        return this;
+      }
+
+      private com.google.protobuf.ByteString ephemeral_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * 
+       * Ephemeral can be non-nil to point to a key to which the data needs to be
+       * re-encrypted to, but then Signature also needs to be non-nil.
+       * 

+       *
+       * required bytes ephemeral = 3;
+       */
+      public boolean hasEphemeral() {
+        return ((bitField0_ & 0x00000004) != 0);
+      }
+      /**
+       * 
+       * Ephemeral can be non-nil to point to a key to which the data needs to be
+       * re-encrypted to, but then Signature also needs to be non-nil.
+       * 

+       *
+       * required bytes ephemeral = 3;
+       */
+      public com.google.protobuf.ByteString getEphemeral() {
+        return ephemeral_;
+      }
+      /**
+       * 
+       * Ephemeral can be non-nil to point to a key to which the data needs to be
+       * re-encrypted to, but then Signature also needs to be non-nil.
+       * 

+       *
+       * required bytes ephemeral = 3;
+       */
+      public Builder setEphemeral(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000004;
+        ephemeral_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * 
+       * Ephemeral can be non-nil to point to a key to which the data needs to be
+       * re-encrypted to, but then Signature also needs to be non-nil.
+       * 

+       *
+       * required bytes ephemeral = 3;
+       */
+      public Builder clearEphemeral() {
+        bitField0_ = (bitField0_ & ~0x00000004);
+        ephemeral_ = getDefaultInstance().getEphemeral();
+        onChanged();
+        return this;
+      }
+
+      private ch.epfl.dedis.lib.proto.DarcProto.Signature signature_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.DarcProto.Signature, ch.epfl.dedis.lib.proto.DarcProto.Signature.Builder, ch.epfl.dedis.lib.proto.DarcProto.SignatureOrBuilder> signatureBuilder_;
+      /**
+       * 
+       * If Ephemeral si non-nil, it must be signed by the darc responsible for the
+       * Read instance to make sure it's a valid reencryption-request.
+       * 

+       *
+       * optional .darc.Signature signature = 4;
+       */
+      public boolean hasSignature() {
+        return ((bitField0_ & 0x00000008) != 0);
+      }
+      /**
+       * 
+       * If Ephemeral si non-nil, it must be signed by the darc responsible for the
+       * Read instance to make sure it's a valid reencryption-request.
+       * 

+       *
+       * optional .darc.Signature signature = 4;
+       */
+      public ch.epfl.dedis.lib.proto.DarcProto.Signature getSignature() {
+        if (signatureBuilder_ == null) {
+          return signature_ == null ? ch.epfl.dedis.lib.proto.DarcProto.Signature.getDefaultInstance() : signature_;
+        } else {
+          return signatureBuilder_.getMessage();
+        }
+      }
+      /**
+       * 
+       * If Ephemeral si non-nil, it must be signed by the darc responsible for the
+       * Read instance to make sure it's a valid reencryption-request.
+       * 

+       *
+       * optional .darc.Signature signature = 4;
+       */
+      public Builder setSignature(ch.epfl.dedis.lib.proto.DarcProto.Signature value) {
+        if (signatureBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          signature_ = value;
+          onChanged();
+        } else {
+          signatureBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000008;
+        return this;
+      }
+      /**
+       * 
+       * If Ephemeral si non-nil, it must be signed by the darc responsible for the
+       * Read instance to make sure it's a valid reencryption-request.
+       * 

+       *
+       * optional .darc.Signature signature = 4;
+       */
+      public Builder setSignature(
+          ch.epfl.dedis.lib.proto.DarcProto.Signature.Builder builderForValue) {
+        if (signatureBuilder_ == null) {
+          signature_ = builderForValue.build();
+          onChanged();
+        } else {
+          signatureBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000008;
+        return this;
+      }
+      /**
+       * 
+       * If Ephemeral si non-nil, it must be signed by the darc responsible for the
+       * Read instance to make sure it's a valid reencryption-request.
+       * 

+       *
+       * optional .darc.Signature signature = 4;
+       */
+      public Builder mergeSignature(ch.epfl.dedis.lib.proto.DarcProto.Signature value) {
+        if (signatureBuilder_ == null) {
+          if (((bitField0_ & 0x00000008) != 0) &&
+              signature_ != null &&
+              signature_ != ch.epfl.dedis.lib.proto.DarcProto.Signature.getDefaultInstance()) {
+            signature_ =
+              ch.epfl.dedis.lib.proto.DarcProto.Signature.newBuilder(signature_).mergeFrom(value).buildPartial();
+          } else {
+            signature_ = value;
+          }
+          onChanged();
+        } else {
+          signatureBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000008;
+        return this;
+      }
+      /**
+       * 
+       * If Ephemeral si non-nil, it must be signed by the darc responsible for the
+       * Read instance to make sure it's a valid reencryption-request.
+       * 

+       *
+       * optional .darc.Signature signature = 4;
+       */
+      public Builder clearSignature() {
+        if (signatureBuilder_ == null) {
+          signature_ = null;
+          onChanged();
+        } else {
+          signatureBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000008);
+        return this;
+      }
+      /**
+       * 
+       * If Ephemeral si non-nil, it must be signed by the darc responsible for the
+       * Read instance to make sure it's a valid reencryption-request.
+       * 

+       *
+       * optional .darc.Signature signature = 4;
+       */
+      public ch.epfl.dedis.lib.proto.DarcProto.Signature.Builder getSignatureBuilder() {
+        bitField0_ |= 0x00000008;
+        onChanged();
+        return getSignatureFieldBuilder().getBuilder();
+      }
+      /**
+       * 
+       * If Ephemeral si non-nil, it must be signed by the darc responsible for the
+       * Read instance to make sure it's a valid reencryption-request.
+       * 

+       *
+       * optional .darc.Signature signature = 4;
+       */
+      public ch.epfl.dedis.lib.proto.DarcProto.SignatureOrBuilder getSignatureOrBuilder() {
+        if (signatureBuilder_ != null) {
+          return signatureBuilder_.getMessageOrBuilder();
+        } else {
+          return signature_ == null ?
+              ch.epfl.dedis.lib.proto.DarcProto.Signature.getDefaultInstance() : signature_;
+        }
+      }
+      /**
+       * 
+       * If Ephemeral si non-nil, it must be signed by the darc responsible for the
+       * Read instance to make sure it's a valid reencryption-request.
+       * 

+       *
+       * optional .darc.Signature signature = 4;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.DarcProto.Signature, ch.epfl.dedis.lib.proto.DarcProto.Signature.Builder, ch.epfl.dedis.lib.proto.DarcProto.SignatureOrBuilder> 
+          getSignatureFieldBuilder() {
+        if (signatureBuilder_ == null) {
+          signatureBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.DarcProto.Signature, ch.epfl.dedis.lib.proto.DarcProto.Signature.Builder, ch.epfl.dedis.lib.proto.DarcProto.SignatureOrBuilder>(
+                  getSignature(),
+                  getParentForChildren(),
+                  isClean());
+          signature_ = null;
+        }
+        return signatureBuilder_;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.AuthReencryptByzCoin)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.AuthReencryptByzCoin)
+    private static final ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public AuthReencryptByzCoin parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new AuthReencryptByzCoin(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.AuthReencryptByzCoin getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface AuthReencryptX509CertOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.AuthReencryptX509Cert)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required bytes u = 1;
+     */
+    boolean hasU();
+    /**
+     * required bytes u = 1;
+     */
+    com.google.protobuf.ByteString getU();
+
+    /**
+     * repeated bytes certificates = 2;
+     */
+    java.util.List getCertificatesList();
+    /**
+     * repeated bytes certificates = 2;
+     */
+    int getCertificatesCount();
+    /**
+     * repeated bytes certificates = 2;
+     */
+    com.google.protobuf.ByteString getCertificates(int index);
+  }
+  /**
+   * 
+   * AuthReencryptX509Cert holds the proof that at least a threshold number of clients
+   * accepted the reencryption.
+   * For each client, there must exist a certificate that can be verified by the
+   * CA certificate from X509Cert. Additionally, each client must sign the
+   * following message:
+   *   sha256( Secret | Ephemeral | Time )
+   * 

+   *
+   * Protobuf type {@code ocs.AuthReencryptX509Cert}
+   */
+  public  static final class AuthReencryptX509Cert extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.AuthReencryptX509Cert)
+      AuthReencryptX509CertOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use AuthReencryptX509Cert.newBuilder() to construct.
+    private AuthReencryptX509Cert(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private AuthReencryptX509Cert() {
+      u_ = com.google.protobuf.ByteString.EMPTY;
+      certificates_ = java.util.Collections.emptyList();
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private AuthReencryptX509Cert(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              bitField0_ |= 0x00000001;
+              u_ = input.readBytes();
+              break;
+            }
+            case 18: {
+              if (!((mutable_bitField0_ & 0x00000002) != 0)) {
+                certificates_ = new java.util.ArrayList();
+                mutable_bitField0_ |= 0x00000002;
+              }
+              certificates_.add(input.readBytes());
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        if (((mutable_bitField0_ & 0x00000002) != 0)) {
+          certificates_ = java.util.Collections.unmodifiableList(certificates_); // C
+        }
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReencryptX509Cert_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReencryptX509Cert_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.class, ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int U_FIELD_NUMBER = 1;
+    private com.google.protobuf.ByteString u_;
+    /**
+     * required bytes u = 1;
+     */
+    public boolean hasU() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required bytes u = 1;
+     */
+    public com.google.protobuf.ByteString getU() {
+      return u_;
+    }
+
+    public static final int CERTIFICATES_FIELD_NUMBER = 2;
+    private java.util.List certificates_;
+    /**
+     * repeated bytes certificates = 2;
+     */
+    public java.util.List
+        getCertificatesList() {
+      return certificates_;
+    }
+    /**
+     * repeated bytes certificates = 2;
+     */
+    public int getCertificatesCount() {
+      return certificates_.size();
+    }
+    /**
+     * repeated bytes certificates = 2;
+     */
+    public com.google.protobuf.ByteString getCertificates(int index) {
+      return certificates_.get(index);
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasU()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeBytes(1, u_);
+      }
+      for (int i = 0; i < certificates_.size(); i++) {
+        output.writeBytes(2, certificates_.get(i));
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(1, u_);
+      }
+      {
+        int dataSize = 0;
+        for (int i = 0; i < certificates_.size(); i++) {
+          dataSize += com.google.protobuf.CodedOutputStream
+            .computeBytesSizeNoTag(certificates_.get(i));
+        }
+        size += dataSize;
+        size += 1 * getCertificatesList().size();
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert other = (ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert) obj;
+
+      if (hasU() != other.hasU()) return false;
+      if (hasU()) {
+        if (!getU()
+            .equals(other.getU())) return false;
+      }
+      if (!getCertificatesList()
+          .equals(other.getCertificatesList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasU()) {
+        hash = (37 * hash) + U_FIELD_NUMBER;
+        hash = (53 * hash) + getU().hashCode();
+      }
+      if (getCertificatesCount() > 0) {
+        hash = (37 * hash) + CERTIFICATES_FIELD_NUMBER;
+        hash = (53 * hash) + getCertificatesList().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * AuthReencryptX509Cert holds the proof that at least a threshold number of clients
+     * accepted the reencryption.
+     * For each client, there must exist a certificate that can be verified by the
+     * CA certificate from X509Cert. Additionally, each client must sign the
+     * following message:
+     *   sha256( Secret | Ephemeral | Time )
+     * 

+     *
+     * Protobuf type {@code ocs.AuthReencryptX509Cert}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.AuthReencryptX509Cert)
+        ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509CertOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReencryptX509Cert_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReencryptX509Cert_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.class, ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        u_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000001);
+        certificates_ = java.util.Collections.emptyList();
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReencryptX509Cert_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert build() {
+        ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert result = new ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          to_bitField0_ |= 0x00000001;
+        }
+        result.u_ = u_;
+        if (((bitField0_ & 0x00000002) != 0)) {
+          certificates_ = java.util.Collections.unmodifiableList(certificates_);
+          bitField0_ = (bitField0_ & ~0x00000002);
+        }
+        result.certificates_ = certificates_;
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert.getDefaultInstance()) return this;
+        if (other.hasU()) {
+          setU(other.getU());
+        }
+        if (!other.certificates_.isEmpty()) {
+          if (certificates_.isEmpty()) {
+            certificates_ = other.certificates_;
+            bitField0_ = (bitField0_ & ~0x00000002);
+          } else {
+            ensureCertificatesIsMutable();
+            certificates_.addAll(other.certificates_);
+          }
+          onChanged();
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasU()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private com.google.protobuf.ByteString u_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * required bytes u = 1;
+       */
+      public boolean hasU() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required bytes u = 1;
+       */
+      public com.google.protobuf.ByteString getU() {
+        return u_;
+      }
+      /**
+       * required bytes u = 1;
+       */
+      public Builder setU(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000001;
+        u_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required bytes u = 1;
+       */
+      public Builder clearU() {
+        bitField0_ = (bitField0_ & ~0x00000001);
+        u_ = getDefaultInstance().getU();
+        onChanged();
+        return this;
+      }
+
+      private java.util.List certificates_ = java.util.Collections.emptyList();
+      private void ensureCertificatesIsMutable() {
+        if (!((bitField0_ & 0x00000002) != 0)) {
+          certificates_ = new java.util.ArrayList(certificates_);
+          bitField0_ |= 0x00000002;
+         }
+      }
+      /**
+       * repeated bytes certificates = 2;
+       */
+      public java.util.List
+          getCertificatesList() {
+        return ((bitField0_ & 0x00000002) != 0) ?
+                 java.util.Collections.unmodifiableList(certificates_) : certificates_;
+      }
+      /**
+       * repeated bytes certificates = 2;
+       */
+      public int getCertificatesCount() {
+        return certificates_.size();
+      }
+      /**
+       * repeated bytes certificates = 2;
+       */
+      public com.google.protobuf.ByteString getCertificates(int index) {
+        return certificates_.get(index);
+      }
+      /**
+       * repeated bytes certificates = 2;
+       */
+      public Builder setCertificates(
+          int index, com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  ensureCertificatesIsMutable();
+        certificates_.set(index, value);
+        onChanged();
+        return this;
+      }
+      /**
+       * repeated bytes certificates = 2;
+       */
+      public Builder addCertificates(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  ensureCertificatesIsMutable();
+        certificates_.add(value);
+        onChanged();
+        return this;
+      }
+      /**
+       * repeated bytes certificates = 2;
+       */
+      public Builder addAllCertificates(
+          java.lang.Iterable values) {
+        ensureCertificatesIsMutable();
+        com.google.protobuf.AbstractMessageLite.Builder.addAll(
+            values, certificates_);
+        onChanged();
+        return this;
+      }
+      /**
+       * repeated bytes certificates = 2;
+       */
+      public Builder clearCertificates() {
+        certificates_ = java.util.Collections.emptyList();
+        bitField0_ = (bitField0_ & ~0x00000002);
+        onChanged();
+        return this;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.AuthReencryptX509Cert)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.AuthReencryptX509Cert)
+    private static final ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public AuthReencryptX509Cert parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new AuthReencryptX509Cert(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.AuthReencryptX509Cert getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface AuthReshareOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.AuthReshare)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * optional .ocs.AuthReshareByzCoin byzcoin = 1;
+     */
+    boolean hasByzcoin();
+    /**
+     * optional .ocs.AuthReshareByzCoin byzcoin = 1;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin getByzcoin();
+    /**
+     * optional .ocs.AuthReshareByzCoin byzcoin = 1;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoinOrBuilder getByzcoinOrBuilder();
+
+    /**
+     * optional .ocs.AuthReshareX509Cert x509cert = 2;
+     */
+    boolean hasX509Cert();
+    /**
+     * optional .ocs.AuthReshareX509Cert x509cert = 2;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert getX509Cert();
+    /**
+     * optional .ocs.AuthReshareX509Cert x509cert = 2;
+     */
+    ch.epfl.dedis.lib.proto.OCS.AuthReshareX509CertOrBuilder getX509CertOrBuilder();
+  }
+  /**
+   * 
+   * AuthReshare holds the proof that at least a threshold number of clients accepted the
+   * request to reshare the secret key. The authentication must hold the new roster, as
+   * well as the proof that the new roster should be applied to a given OCS.
+   * 

+   *
+   * Protobuf type {@code ocs.AuthReshare}
+   */
+  public  static final class AuthReshare extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.AuthReshare)
+      AuthReshareOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use AuthReshare.newBuilder() to construct.
+    private AuthReshare(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private AuthReshare() {
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private AuthReshare(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000001) != 0)) {
+                subBuilder = byzcoin_.toBuilder();
+              }
+              byzcoin_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(byzcoin_);
+                byzcoin_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000001;
+              break;
+            }
+            case 18: {
+              ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000002) != 0)) {
+                subBuilder = x509Cert_.toBuilder();
+              }
+              x509Cert_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(x509Cert_);
+                x509Cert_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000002;
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReshare_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReshare_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.AuthReshare.class, ch.epfl.dedis.lib.proto.OCS.AuthReshare.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int BYZCOIN_FIELD_NUMBER = 1;
+    private ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin byzcoin_;
+    /**
+     * optional .ocs.AuthReshareByzCoin byzcoin = 1;
+     */
+    public boolean hasByzcoin() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * optional .ocs.AuthReshareByzCoin byzcoin = 1;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin getByzcoin() {
+      return byzcoin_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.getDefaultInstance() : byzcoin_;
+    }
+    /**
+     * optional .ocs.AuthReshareByzCoin byzcoin = 1;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoinOrBuilder getByzcoinOrBuilder() {
+      return byzcoin_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.getDefaultInstance() : byzcoin_;
+    }
+
+    public static final int X509CERT_FIELD_NUMBER = 2;
+    private ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert x509Cert_;
+    /**
+     * optional .ocs.AuthReshareX509Cert x509cert = 2;
+     */
+    public boolean hasX509Cert() {
+      return ((bitField0_ & 0x00000002) != 0);
+    }
+    /**
+     * optional .ocs.AuthReshareX509Cert x509cert = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert getX509Cert() {
+      return x509Cert_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.getDefaultInstance() : x509Cert_;
+    }
+    /**
+     * optional .ocs.AuthReshareX509Cert x509cert = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.AuthReshareX509CertOrBuilder getX509CertOrBuilder() {
+      return x509Cert_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.getDefaultInstance() : x509Cert_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (hasByzcoin()) {
+        if (!getByzcoin().isInitialized()) {
+          memoizedIsInitialized = 0;
+          return false;
+        }
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeMessage(1, getByzcoin());
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        output.writeMessage(2, getX509Cert());
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(1, getByzcoin());
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(2, getX509Cert());
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.AuthReshare)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.AuthReshare other = (ch.epfl.dedis.lib.proto.OCS.AuthReshare) obj;
+
+      if (hasByzcoin() != other.hasByzcoin()) return false;
+      if (hasByzcoin()) {
+        if (!getByzcoin()
+            .equals(other.getByzcoin())) return false;
+      }
+      if (hasX509Cert() != other.hasX509Cert()) return false;
+      if (hasX509Cert()) {
+        if (!getX509Cert()
+            .equals(other.getX509Cert())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasByzcoin()) {
+        hash = (37 * hash) + BYZCOIN_FIELD_NUMBER;
+        hash = (53 * hash) + getByzcoin().hashCode();
+      }
+      if (hasX509Cert()) {
+        hash = (37 * hash) + X509CERT_FIELD_NUMBER;
+        hash = (53 * hash) + getX509Cert().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshare parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshare parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshare parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshare parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshare parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshare parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshare parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshare parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshare parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshare parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshare parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshare parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.AuthReshare prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * AuthReshare holds the proof that at least a threshold number of clients accepted the
+     * request to reshare the secret key. The authentication must hold the new roster, as
+     * well as the proof that the new roster should be applied to a given OCS.
+     * 

+     *
+     * Protobuf type {@code ocs.AuthReshare}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.AuthReshare)
+        ch.epfl.dedis.lib.proto.OCS.AuthReshareOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReshare_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReshare_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.AuthReshare.class, ch.epfl.dedis.lib.proto.OCS.AuthReshare.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.AuthReshare.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+          getByzcoinFieldBuilder();
+          getX509CertFieldBuilder();
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        if (byzcoinBuilder_ == null) {
+          byzcoin_ = null;
+        } else {
+          byzcoinBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000001);
+        if (x509CertBuilder_ == null) {
+          x509Cert_ = null;
+        } else {
+          x509CertBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReshare_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshare getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.AuthReshare.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshare build() {
+        ch.epfl.dedis.lib.proto.OCS.AuthReshare result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshare buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.AuthReshare result = new ch.epfl.dedis.lib.proto.OCS.AuthReshare(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (byzcoinBuilder_ == null) {
+            result.byzcoin_ = byzcoin_;
+          } else {
+            result.byzcoin_ = byzcoinBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000001;
+        }
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (x509CertBuilder_ == null) {
+            result.x509Cert_ = x509Cert_;
+          } else {
+            result.x509Cert_ = x509CertBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000002;
+        }
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.AuthReshare) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.AuthReshare)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.AuthReshare other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.AuthReshare.getDefaultInstance()) return this;
+        if (other.hasByzcoin()) {
+          mergeByzcoin(other.getByzcoin());
+        }
+        if (other.hasX509Cert()) {
+          mergeX509Cert(other.getX509Cert());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (hasByzcoin()) {
+          if (!getByzcoin().isInitialized()) {
+            return false;
+          }
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.AuthReshare parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.AuthReshare) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin byzcoin_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin, ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoinOrBuilder> byzcoinBuilder_;
+      /**
+       * optional .ocs.AuthReshareByzCoin byzcoin = 1;
+       */
+      public boolean hasByzcoin() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * optional .ocs.AuthReshareByzCoin byzcoin = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin getByzcoin() {
+        if (byzcoinBuilder_ == null) {
+          return byzcoin_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.getDefaultInstance() : byzcoin_;
+        } else {
+          return byzcoinBuilder_.getMessage();
+        }
+      }
+      /**
+       * optional .ocs.AuthReshareByzCoin byzcoin = 1;
+       */
+      public Builder setByzcoin(ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin value) {
+        if (byzcoinBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          byzcoin_ = value;
+          onChanged();
+        } else {
+          byzcoinBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReshareByzCoin byzcoin = 1;
+       */
+      public Builder setByzcoin(
+          ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.Builder builderForValue) {
+        if (byzcoinBuilder_ == null) {
+          byzcoin_ = builderForValue.build();
+          onChanged();
+        } else {
+          byzcoinBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReshareByzCoin byzcoin = 1;
+       */
+      public Builder mergeByzcoin(ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin value) {
+        if (byzcoinBuilder_ == null) {
+          if (((bitField0_ & 0x00000001) != 0) &&
+              byzcoin_ != null &&
+              byzcoin_ != ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.getDefaultInstance()) {
+            byzcoin_ =
+              ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.newBuilder(byzcoin_).mergeFrom(value).buildPartial();
+          } else {
+            byzcoin_ = value;
+          }
+          onChanged();
+        } else {
+          byzcoinBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000001;
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReshareByzCoin byzcoin = 1;
+       */
+      public Builder clearByzcoin() {
+        if (byzcoinBuilder_ == null) {
+          byzcoin_ = null;
+          onChanged();
+        } else {
+          byzcoinBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000001);
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReshareByzCoin byzcoin = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.Builder getByzcoinBuilder() {
+        bitField0_ |= 0x00000001;
+        onChanged();
+        return getByzcoinFieldBuilder().getBuilder();
+      }
+      /**
+       * optional .ocs.AuthReshareByzCoin byzcoin = 1;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoinOrBuilder getByzcoinOrBuilder() {
+        if (byzcoinBuilder_ != null) {
+          return byzcoinBuilder_.getMessageOrBuilder();
+        } else {
+          return byzcoin_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.getDefaultInstance() : byzcoin_;
+        }
+      }
+      /**
+       * optional .ocs.AuthReshareByzCoin byzcoin = 1;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin, ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoinOrBuilder> 
+          getByzcoinFieldBuilder() {
+        if (byzcoinBuilder_ == null) {
+          byzcoinBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin, ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoinOrBuilder>(
+                  getByzcoin(),
+                  getParentForChildren(),
+                  isClean());
+          byzcoin_ = null;
+        }
+        return byzcoinBuilder_;
+      }
+
+      private ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert x509Cert_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert, ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReshareX509CertOrBuilder> x509CertBuilder_;
+      /**
+       * optional .ocs.AuthReshareX509Cert x509cert = 2;
+       */
+      public boolean hasX509Cert() {
+        return ((bitField0_ & 0x00000002) != 0);
+      }
+      /**
+       * optional .ocs.AuthReshareX509Cert x509cert = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert getX509Cert() {
+        if (x509CertBuilder_ == null) {
+          return x509Cert_ == null ? ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.getDefaultInstance() : x509Cert_;
+        } else {
+          return x509CertBuilder_.getMessage();
+        }
+      }
+      /**
+       * optional .ocs.AuthReshareX509Cert x509cert = 2;
+       */
+      public Builder setX509Cert(ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert value) {
+        if (x509CertBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          x509Cert_ = value;
+          onChanged();
+        } else {
+          x509CertBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReshareX509Cert x509cert = 2;
+       */
+      public Builder setX509Cert(
+          ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.Builder builderForValue) {
+        if (x509CertBuilder_ == null) {
+          x509Cert_ = builderForValue.build();
+          onChanged();
+        } else {
+          x509CertBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReshareX509Cert x509cert = 2;
+       */
+      public Builder mergeX509Cert(ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert value) {
+        if (x509CertBuilder_ == null) {
+          if (((bitField0_ & 0x00000002) != 0) &&
+              x509Cert_ != null &&
+              x509Cert_ != ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.getDefaultInstance()) {
+            x509Cert_ =
+              ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.newBuilder(x509Cert_).mergeFrom(value).buildPartial();
+          } else {
+            x509Cert_ = value;
+          }
+          onChanged();
+        } else {
+          x509CertBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReshareX509Cert x509cert = 2;
+       */
+      public Builder clearX509Cert() {
+        if (x509CertBuilder_ == null) {
+          x509Cert_ = null;
+          onChanged();
+        } else {
+          x509CertBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+      /**
+       * optional .ocs.AuthReshareX509Cert x509cert = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.Builder getX509CertBuilder() {
+        bitField0_ |= 0x00000002;
+        onChanged();
+        return getX509CertFieldBuilder().getBuilder();
+      }
+      /**
+       * optional .ocs.AuthReshareX509Cert x509cert = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshareX509CertOrBuilder getX509CertOrBuilder() {
+        if (x509CertBuilder_ != null) {
+          return x509CertBuilder_.getMessageOrBuilder();
+        } else {
+          return x509Cert_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.getDefaultInstance() : x509Cert_;
+        }
+      }
+      /**
+       * optional .ocs.AuthReshareX509Cert x509cert = 2;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert, ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReshareX509CertOrBuilder> 
+          getX509CertFieldBuilder() {
+        if (x509CertBuilder_ == null) {
+          x509CertBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert, ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.Builder, ch.epfl.dedis.lib.proto.OCS.AuthReshareX509CertOrBuilder>(
+                  getX509Cert(),
+                  getParentForChildren(),
+                  isClean());
+          x509Cert_ = null;
+        }
+        return x509CertBuilder_;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.AuthReshare)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.AuthReshare)
+    private static final ch.epfl.dedis.lib.proto.OCS.AuthReshare DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.AuthReshare();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshare getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public AuthReshare parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new AuthReshare(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.AuthReshare getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface AuthReshareByzCoinOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.AuthReshareByzCoin)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required bytes reshare = 1;
+     */
+    boolean hasReshare();
+    /**
+     * required bytes reshare = 1;
+     */
+    com.google.protobuf.ByteString getReshare();
+  }
+  /**
+   * 
+   * AuthReshareByzCoin holds the byzcoin-proof that contains the latest OCS-instance
+   * which includes the roster. The OCS-nodes will make sure that the version of the
+   * OCS-instance is bigger than the current version.
+   * 

+   *
+   * Protobuf type {@code ocs.AuthReshareByzCoin}
+   */
+  public  static final class AuthReshareByzCoin extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.AuthReshareByzCoin)
+      AuthReshareByzCoinOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use AuthReshareByzCoin.newBuilder() to construct.
+    private AuthReshareByzCoin(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private AuthReshareByzCoin() {
+      reshare_ = com.google.protobuf.ByteString.EMPTY;
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private AuthReshareByzCoin(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              bitField0_ |= 0x00000001;
+              reshare_ = input.readBytes();
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReshareByzCoin_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReshareByzCoin_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.class, ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int RESHARE_FIELD_NUMBER = 1;
+    private com.google.protobuf.ByteString reshare_;
+    /**
+     * required bytes reshare = 1;
+     */
+    public boolean hasReshare() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required bytes reshare = 1;
+     */
+    public com.google.protobuf.ByteString getReshare() {
+      return reshare_;
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasReshare()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeBytes(1, reshare_);
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(1, reshare_);
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin other = (ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin) obj;
+
+      if (hasReshare() != other.hasReshare()) return false;
+      if (hasReshare()) {
+        if (!getReshare()
+            .equals(other.getReshare())) return false;
+      }
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasReshare()) {
+        hash = (37 * hash) + RESHARE_FIELD_NUMBER;
+        hash = (53 * hash) + getReshare().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * AuthReshareByzCoin holds the byzcoin-proof that contains the latest OCS-instance
+     * which includes the roster. The OCS-nodes will make sure that the version of the
+     * OCS-instance is bigger than the current version.
+     * 

+     *
+     * Protobuf type {@code ocs.AuthReshareByzCoin}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.AuthReshareByzCoin)
+        ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoinOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReshareByzCoin_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReshareByzCoin_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.class, ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        reshare_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000001);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReshareByzCoin_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin build() {
+        ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin result = new ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          to_bitField0_ |= 0x00000001;
+        }
+        result.reshare_ = reshare_;
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin.getDefaultInstance()) return this;
+        if (other.hasReshare()) {
+          setReshare(other.getReshare());
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasReshare()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private com.google.protobuf.ByteString reshare_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * required bytes reshare = 1;
+       */
+      public boolean hasReshare() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required bytes reshare = 1;
+       */
+      public com.google.protobuf.ByteString getReshare() {
+        return reshare_;
+      }
+      /**
+       * required bytes reshare = 1;
+       */
+      public Builder setReshare(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000001;
+        reshare_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required bytes reshare = 1;
+       */
+      public Builder clearReshare() {
+        bitField0_ = (bitField0_ & ~0x00000001);
+        reshare_ = getDefaultInstance().getReshare();
+        onChanged();
+        return this;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.AuthReshareByzCoin)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.AuthReshareByzCoin)
+    private static final ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public AuthReshareByzCoin parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new AuthReshareByzCoin(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.AuthReshareByzCoin getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface AuthReshareX509CertOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.AuthReshareX509Cert)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * repeated bytes certificates = 1;
+     */
+    java.util.List getCertificatesList();
+    /**
+     * repeated bytes certificates = 1;
+     */
+    int getCertificatesCount();
+    /**
+     * repeated bytes certificates = 1;
+     */
+    com.google.protobuf.ByteString getCertificates(int index);
+  }
+  /**
+   * 
+   * AuthReshareX509Cert holds the X509 proof that the new roster is valid.
+   * 

+   *
+   * Protobuf type {@code ocs.AuthReshareX509Cert}
+   */
+  public  static final class AuthReshareX509Cert extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.AuthReshareX509Cert)
+      AuthReshareX509CertOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use AuthReshareX509Cert.newBuilder() to construct.
+    private AuthReshareX509Cert(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private AuthReshareX509Cert() {
+      certificates_ = java.util.Collections.emptyList();
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private AuthReshareX509Cert(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
+                certificates_ = new java.util.ArrayList();
+                mutable_bitField0_ |= 0x00000001;
+              }
+              certificates_.add(input.readBytes());
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
+          certificates_ = java.util.Collections.unmodifiableList(certificates_); // C
+        }
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReshareX509Cert_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReshareX509Cert_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.class, ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.Builder.class);
+    }
+
+    public static final int CERTIFICATES_FIELD_NUMBER = 1;
+    private java.util.List certificates_;
+    /**
+     * repeated bytes certificates = 1;
+     */
+    public java.util.List
+        getCertificatesList() {
+      return certificates_;
+    }
+    /**
+     * repeated bytes certificates = 1;
+     */
+    public int getCertificatesCount() {
+      return certificates_.size();
+    }
+    /**
+     * repeated bytes certificates = 1;
+     */
+    public com.google.protobuf.ByteString getCertificates(int index) {
+      return certificates_.get(index);
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      for (int i = 0; i < certificates_.size(); i++) {
+        output.writeBytes(1, certificates_.get(i));
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      {
+        int dataSize = 0;
+        for (int i = 0; i < certificates_.size(); i++) {
+          dataSize += com.google.protobuf.CodedOutputStream
+            .computeBytesSizeNoTag(certificates_.get(i));
+        }
+        size += dataSize;
+        size += 1 * getCertificatesList().size();
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert other = (ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert) obj;
+
+      if (!getCertificatesList()
+          .equals(other.getCertificatesList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (getCertificatesCount() > 0) {
+        hash = (37 * hash) + CERTIFICATES_FIELD_NUMBER;
+        hash = (53 * hash) + getCertificatesList().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * AuthReshareX509Cert holds the X509 proof that the new roster is valid.
+     * 

+     *
+     * Protobuf type {@code ocs.AuthReshareX509Cert}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.AuthReshareX509Cert)
+        ch.epfl.dedis.lib.proto.OCS.AuthReshareX509CertOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReshareX509Cert_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReshareX509Cert_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.class, ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        certificates_ = java.util.Collections.emptyList();
+        bitField0_ = (bitField0_ & ~0x00000001);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_AuthReshareX509Cert_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert build() {
+        ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert result = new ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert(this);
+        int from_bitField0_ = bitField0_;
+        if (((bitField0_ & 0x00000001) != 0)) {
+          certificates_ = java.util.Collections.unmodifiableList(certificates_);
+          bitField0_ = (bitField0_ & ~0x00000001);
+        }
+        result.certificates_ = certificates_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert.getDefaultInstance()) return this;
+        if (!other.certificates_.isEmpty()) {
+          if (certificates_.isEmpty()) {
+            certificates_ = other.certificates_;
+            bitField0_ = (bitField0_ & ~0x00000001);
+          } else {
+            ensureCertificatesIsMutable();
+            certificates_.addAll(other.certificates_);
+          }
+          onChanged();
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private java.util.List certificates_ = java.util.Collections.emptyList();
+      private void ensureCertificatesIsMutable() {
+        if (!((bitField0_ & 0x00000001) != 0)) {
+          certificates_ = new java.util.ArrayList(certificates_);
+          bitField0_ |= 0x00000001;
+         }
+      }
+      /**
+       * repeated bytes certificates = 1;
+       */
+      public java.util.List
+          getCertificatesList() {
+        return ((bitField0_ & 0x00000001) != 0) ?
+                 java.util.Collections.unmodifiableList(certificates_) : certificates_;
+      }
+      /**
+       * repeated bytes certificates = 1;
+       */
+      public int getCertificatesCount() {
+        return certificates_.size();
+      }
+      /**
+       * repeated bytes certificates = 1;
+       */
+      public com.google.protobuf.ByteString getCertificates(int index) {
+        return certificates_.get(index);
+      }
+      /**
+       * repeated bytes certificates = 1;
+       */
+      public Builder setCertificates(
+          int index, com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  ensureCertificatesIsMutable();
+        certificates_.set(index, value);
+        onChanged();
+        return this;
+      }
+      /**
+       * repeated bytes certificates = 1;
+       */
+      public Builder addCertificates(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  ensureCertificatesIsMutable();
+        certificates_.add(value);
+        onChanged();
+        return this;
+      }
+      /**
+       * repeated bytes certificates = 1;
+       */
+      public Builder addAllCertificates(
+          java.lang.Iterable values) {
+        ensureCertificatesIsMutable();
+        com.google.protobuf.AbstractMessageLite.Builder.addAll(
+            values, certificates_);
+        onChanged();
+        return this;
+      }
+      /**
+       * repeated bytes certificates = 1;
+       */
+      public Builder clearCertificates() {
+        certificates_ = java.util.Collections.emptyList();
+        bitField0_ = (bitField0_ & ~0x00000001);
+        onChanged();
+        return this;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.AuthReshareX509Cert)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.AuthReshareX509Cert)
+    private static final ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public AuthReshareX509Cert parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new AuthReshareX509Cert(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.AuthReshareX509Cert getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  public interface OCSProofOrBuilder extends
+      // @@protoc_insertion_point(interface_extends:ocs.OCSProof)
+      com.google.protobuf.MessageOrBuilder {
+
+    /**
+     * required bytes ocsid = 1;
+     */
+    boolean hasOcsid();
+    /**
+     * required bytes ocsid = 1;
+     */
+    com.google.protobuf.ByteString getOcsid();
+
+    /**
+     * required .onet.Roster roster = 2;
+     */
+    boolean hasRoster();
+    /**
+     * required .onet.Roster roster = 2;
+     */
+    ch.epfl.dedis.lib.proto.OnetProto.Roster getRoster();
+    /**
+     * required .onet.Roster roster = 2;
+     */
+    ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getRosterOrBuilder();
+
+    /**
+     * required .ocs.Policy policyreencrypt = 3;
+     */
+    boolean hasPolicyreencrypt();
+    /**
+     * required .ocs.Policy policyreencrypt = 3;
+     */
+    ch.epfl.dedis.lib.proto.OCS.Policy getPolicyreencrypt();
+    /**
+     * required .ocs.Policy policyreencrypt = 3;
+     */
+    ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder getPolicyreencryptOrBuilder();
+
+    /**
+     * required .ocs.Policy policyreshare = 4;
+     */
+    boolean hasPolicyreshare();
+    /**
+     * required .ocs.Policy policyreshare = 4;
+     */
+    ch.epfl.dedis.lib.proto.OCS.Policy getPolicyreshare();
+    /**
+     * required .ocs.Policy policyreshare = 4;
+     */
+    ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder getPolicyreshareOrBuilder();
+
+    /**
+     * repeated bytes signatures = 5;
+     */
+    java.util.List getSignaturesList();
+    /**
+     * repeated bytes signatures = 5;
+     */
+    int getSignaturesCount();
+    /**
+     * repeated bytes signatures = 5;
+     */
+    com.google.protobuf.ByteString getSignatures(int index);
+  }
+  /**
+   * 
+   * OCSProof can be used to proof
+   * 

+   *
+   * Protobuf type {@code ocs.OCSProof}
+   */
+  public  static final class OCSProof extends
+      com.google.protobuf.GeneratedMessageV3 implements
+      // @@protoc_insertion_point(message_implements:ocs.OCSProof)
+      OCSProofOrBuilder {
+  private static final long serialVersionUID = 0L;
+    // Use OCSProof.newBuilder() to construct.
+    private OCSProof(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+      super(builder);
+    }
+    private OCSProof() {
+      ocsid_ = com.google.protobuf.ByteString.EMPTY;
+      signatures_ = java.util.Collections.emptyList();
+    }
+
+    @java.lang.Override
+    public final com.google.protobuf.UnknownFieldSet
+    getUnknownFields() {
+      return this.unknownFields;
+    }
+    private OCSProof(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      this();
+      if (extensionRegistry == null) {
+        throw new java.lang.NullPointerException();
+      }
+      int mutable_bitField0_ = 0;
+      com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+          com.google.protobuf.UnknownFieldSet.newBuilder();
+      try {
+        boolean done = false;
+        while (!done) {
+          int tag = input.readTag();
+          switch (tag) {
+            case 0:
+              done = true;
+              break;
+            case 10: {
+              bitField0_ |= 0x00000001;
+              ocsid_ = input.readBytes();
+              break;
+            }
+            case 18: {
+              ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000002) != 0)) {
+                subBuilder = roster_.toBuilder();
+              }
+              roster_ = input.readMessage(ch.epfl.dedis.lib.proto.OnetProto.Roster.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(roster_);
+                roster_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000002;
+              break;
+            }
+            case 26: {
+              ch.epfl.dedis.lib.proto.OCS.Policy.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000004) != 0)) {
+                subBuilder = policyreencrypt_.toBuilder();
+              }
+              policyreencrypt_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.Policy.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(policyreencrypt_);
+                policyreencrypt_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000004;
+              break;
+            }
+            case 34: {
+              ch.epfl.dedis.lib.proto.OCS.Policy.Builder subBuilder = null;
+              if (((bitField0_ & 0x00000008) != 0)) {
+                subBuilder = policyreshare_.toBuilder();
+              }
+              policyreshare_ = input.readMessage(ch.epfl.dedis.lib.proto.OCS.Policy.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(policyreshare_);
+                policyreshare_ = subBuilder.buildPartial();
+              }
+              bitField0_ |= 0x00000008;
+              break;
+            }
+            case 42: {
+              if (!((mutable_bitField0_ & 0x00000010) != 0)) {
+                signatures_ = new java.util.ArrayList();
+                mutable_bitField0_ |= 0x00000010;
+              }
+              signatures_.add(input.readBytes());
+              break;
+            }
+            default: {
+              if (!parseUnknownField(
+                  input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+          }
+        }
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        throw e.setUnfinishedMessage(this);
+      } catch (java.io.IOException e) {
+        throw new com.google.protobuf.InvalidProtocolBufferException(
+            e).setUnfinishedMessage(this);
+      } finally {
+        if (((mutable_bitField0_ & 0x00000010) != 0)) {
+          signatures_ = java.util.Collections.unmodifiableList(signatures_); // C
+        }
+        this.unknownFields = unknownFields.build();
+        makeExtensionsImmutable();
+      }
+    }
+    public static final com.google.protobuf.Descriptors.Descriptor
+        getDescriptor() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_OCSProof_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_OCSProof_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              ch.epfl.dedis.lib.proto.OCS.OCSProof.class, ch.epfl.dedis.lib.proto.OCS.OCSProof.Builder.class);
+    }
+
+    private int bitField0_;
+    public static final int OCSID_FIELD_NUMBER = 1;
+    private com.google.protobuf.ByteString ocsid_;
+    /**
+     * required bytes ocsid = 1;
+     */
+    public boolean hasOcsid() {
+      return ((bitField0_ & 0x00000001) != 0);
+    }
+    /**
+     * required bytes ocsid = 1;
+     */
+    public com.google.protobuf.ByteString getOcsid() {
+      return ocsid_;
+    }
+
+    public static final int ROSTER_FIELD_NUMBER = 2;
+    private ch.epfl.dedis.lib.proto.OnetProto.Roster roster_;
+    /**
+     * required .onet.Roster roster = 2;
+     */
+    public boolean hasRoster() {
+      return ((bitField0_ & 0x00000002) != 0);
+    }
+    /**
+     * required .onet.Roster roster = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OnetProto.Roster getRoster() {
+      return roster_ == null ? ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance() : roster_;
+    }
+    /**
+     * required .onet.Roster roster = 2;
+     */
+    public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getRosterOrBuilder() {
+      return roster_ == null ? ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance() : roster_;
+    }
+
+    public static final int POLICYREENCRYPT_FIELD_NUMBER = 3;
+    private ch.epfl.dedis.lib.proto.OCS.Policy policyreencrypt_;
+    /**
+     * required .ocs.Policy policyreencrypt = 3;
+     */
+    public boolean hasPolicyreencrypt() {
+      return ((bitField0_ & 0x00000004) != 0);
+    }
+    /**
+     * required .ocs.Policy policyreencrypt = 3;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.Policy getPolicyreencrypt() {
+      return policyreencrypt_ == null ? ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreencrypt_;
+    }
+    /**
+     * required .ocs.Policy policyreencrypt = 3;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder getPolicyreencryptOrBuilder() {
+      return policyreencrypt_ == null ? ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreencrypt_;
+    }
+
+    public static final int POLICYRESHARE_FIELD_NUMBER = 4;
+    private ch.epfl.dedis.lib.proto.OCS.Policy policyreshare_;
+    /**
+     * required .ocs.Policy policyreshare = 4;
+     */
+    public boolean hasPolicyreshare() {
+      return ((bitField0_ & 0x00000008) != 0);
+    }
+    /**
+     * required .ocs.Policy policyreshare = 4;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.Policy getPolicyreshare() {
+      return policyreshare_ == null ? ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreshare_;
+    }
+    /**
+     * required .ocs.Policy policyreshare = 4;
+     */
+    public ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder getPolicyreshareOrBuilder() {
+      return policyreshare_ == null ? ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreshare_;
+    }
+
+    public static final int SIGNATURES_FIELD_NUMBER = 5;
+    private java.util.List signatures_;
+    /**
+     * repeated bytes signatures = 5;
+     */
+    public java.util.List
+        getSignaturesList() {
+      return signatures_;
+    }
+    /**
+     * repeated bytes signatures = 5;
+     */
+    public int getSignaturesCount() {
+      return signatures_.size();
+    }
+    /**
+     * repeated bytes signatures = 5;
+     */
+    public com.google.protobuf.ByteString getSignatures(int index) {
+      return signatures_.get(index);
+    }
+
+    private byte memoizedIsInitialized = -1;
+    @java.lang.Override
+    public final boolean isInitialized() {
+      byte isInitialized = memoizedIsInitialized;
+      if (isInitialized == 1) return true;
+      if (isInitialized == 0) return false;
+
+      if (!hasOcsid()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!hasRoster()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!hasPolicyreencrypt()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!hasPolicyreshare()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!getRoster().isInitialized()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!getPolicyreencrypt().isInitialized()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      if (!getPolicyreshare().isInitialized()) {
+        memoizedIsInitialized = 0;
+        return false;
+      }
+      memoizedIsInitialized = 1;
+      return true;
+    }
+
+    @java.lang.Override
+    public void writeTo(com.google.protobuf.CodedOutputStream output)
+                        throws java.io.IOException {
+      if (((bitField0_ & 0x00000001) != 0)) {
+        output.writeBytes(1, ocsid_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        output.writeMessage(2, getRoster());
+      }
+      if (((bitField0_ & 0x00000004) != 0)) {
+        output.writeMessage(3, getPolicyreencrypt());
+      }
+      if (((bitField0_ & 0x00000008) != 0)) {
+        output.writeMessage(4, getPolicyreshare());
+      }
+      for (int i = 0; i < signatures_.size(); i++) {
+        output.writeBytes(5, signatures_.get(i));
+      }
+      unknownFields.writeTo(output);
+    }
+
+    @java.lang.Override
+    public int getSerializedSize() {
+      int size = memoizedSize;
+      if (size != -1) return size;
+
+      size = 0;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeBytesSize(1, ocsid_);
+      }
+      if (((bitField0_ & 0x00000002) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(2, getRoster());
+      }
+      if (((bitField0_ & 0x00000004) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(3, getPolicyreencrypt());
+      }
+      if (((bitField0_ & 0x00000008) != 0)) {
+        size += com.google.protobuf.CodedOutputStream
+          .computeMessageSize(4, getPolicyreshare());
+      }
+      {
+        int dataSize = 0;
+        for (int i = 0; i < signatures_.size(); i++) {
+          dataSize += com.google.protobuf.CodedOutputStream
+            .computeBytesSizeNoTag(signatures_.get(i));
+        }
+        size += dataSize;
+        size += 1 * getSignaturesList().size();
+      }
+      size += unknownFields.getSerializedSize();
+      memoizedSize = size;
+      return size;
+    }
+
+    @java.lang.Override
+    public boolean equals(final java.lang.Object obj) {
+      if (obj == this) {
+       return true;
+      }
+      if (!(obj instanceof ch.epfl.dedis.lib.proto.OCS.OCSProof)) {
+        return super.equals(obj);
+      }
+      ch.epfl.dedis.lib.proto.OCS.OCSProof other = (ch.epfl.dedis.lib.proto.OCS.OCSProof) obj;
+
+      if (hasOcsid() != other.hasOcsid()) return false;
+      if (hasOcsid()) {
+        if (!getOcsid()
+            .equals(other.getOcsid())) return false;
+      }
+      if (hasRoster() != other.hasRoster()) return false;
+      if (hasRoster()) {
+        if (!getRoster()
+            .equals(other.getRoster())) return false;
+      }
+      if (hasPolicyreencrypt() != other.hasPolicyreencrypt()) return false;
+      if (hasPolicyreencrypt()) {
+        if (!getPolicyreencrypt()
+            .equals(other.getPolicyreencrypt())) return false;
+      }
+      if (hasPolicyreshare() != other.hasPolicyreshare()) return false;
+      if (hasPolicyreshare()) {
+        if (!getPolicyreshare()
+            .equals(other.getPolicyreshare())) return false;
+      }
+      if (!getSignaturesList()
+          .equals(other.getSignaturesList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
+    }
+
+    @java.lang.Override
+    public int hashCode() {
+      if (memoizedHashCode != 0) {
+        return memoizedHashCode;
+      }
+      int hash = 41;
+      hash = (19 * hash) + getDescriptor().hashCode();
+      if (hasOcsid()) {
+        hash = (37 * hash) + OCSID_FIELD_NUMBER;
+        hash = (53 * hash) + getOcsid().hashCode();
+      }
+      if (hasRoster()) {
+        hash = (37 * hash) + ROSTER_FIELD_NUMBER;
+        hash = (53 * hash) + getRoster().hashCode();
+      }
+      if (hasPolicyreencrypt()) {
+        hash = (37 * hash) + POLICYREENCRYPT_FIELD_NUMBER;
+        hash = (53 * hash) + getPolicyreencrypt().hashCode();
+      }
+      if (hasPolicyreshare()) {
+        hash = (37 * hash) + POLICYRESHARE_FIELD_NUMBER;
+        hash = (53 * hash) + getPolicyreshare().hashCode();
+      }
+      if (getSignaturesCount() > 0) {
+        hash = (37 * hash) + SIGNATURES_FIELD_NUMBER;
+        hash = (53 * hash) + getSignaturesList().hashCode();
+      }
+      hash = (29 * hash) + unknownFields.hashCode();
+      memoizedHashCode = hash;
+      return hash;
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.OCSProof parseFrom(
+        java.nio.ByteBuffer data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.OCSProof parseFrom(
+        java.nio.ByteBuffer data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.OCSProof parseFrom(
+        com.google.protobuf.ByteString data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.OCSProof parseFrom(
+        com.google.protobuf.ByteString data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.OCSProof parseFrom(byte[] data)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.OCSProof parseFrom(
+        byte[] data,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws com.google.protobuf.InvalidProtocolBufferException {
+      return PARSER.parseFrom(data, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.OCSProof parseFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.OCSProof parseFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.OCSProof parseDelimitedFrom(java.io.InputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.OCSProof parseDelimitedFrom(
+        java.io.InputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseDelimitedWithIOException(PARSER, input, extensionRegistry);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.OCSProof parseFrom(
+        com.google.protobuf.CodedInputStream input)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input);
+    }
+    public static ch.epfl.dedis.lib.proto.OCS.OCSProof parseFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      return com.google.protobuf.GeneratedMessageV3
+          .parseWithIOException(PARSER, input, extensionRegistry);
+    }
+
+    @java.lang.Override
+    public Builder newBuilderForType() { return newBuilder(); }
+    public static Builder newBuilder() {
+      return DEFAULT_INSTANCE.toBuilder();
+    }
+    public static Builder newBuilder(ch.epfl.dedis.lib.proto.OCS.OCSProof prototype) {
+      return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+    }
+    @java.lang.Override
+    public Builder toBuilder() {
+      return this == DEFAULT_INSTANCE
+          ? new Builder() : new Builder().mergeFrom(this);
+    }
+
+    @java.lang.Override
+    protected Builder newBuilderForType(
+        com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      Builder builder = new Builder(parent);
+      return builder;
+    }
+    /**
+     * 
+     * OCSProof can be used to proof
+     * 

+     *
+     * Protobuf type {@code ocs.OCSProof}
+     */
+    public static final class Builder extends
+        com.google.protobuf.GeneratedMessageV3.Builder implements
+        // @@protoc_insertion_point(builder_implements:ocs.OCSProof)
+        ch.epfl.dedis.lib.proto.OCS.OCSProofOrBuilder {
+      public static final com.google.protobuf.Descriptors.Descriptor
+          getDescriptor() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_OCSProof_descriptor;
+      }
+
+      @java.lang.Override
+      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+          internalGetFieldAccessorTable() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_OCSProof_fieldAccessorTable
+            .ensureFieldAccessorsInitialized(
+                ch.epfl.dedis.lib.proto.OCS.OCSProof.class, ch.epfl.dedis.lib.proto.OCS.OCSProof.Builder.class);
+      }
+
+      // Construct using ch.epfl.dedis.lib.proto.OCS.OCSProof.newBuilder()
+      private Builder() {
+        maybeForceBuilderInitialization();
+      }
+
+      private Builder(
+          com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+        super(parent);
+        maybeForceBuilderInitialization();
+      }
+      private void maybeForceBuilderInitialization() {
+        if (com.google.protobuf.GeneratedMessageV3
+                .alwaysUseFieldBuilders) {
+          getRosterFieldBuilder();
+          getPolicyreencryptFieldBuilder();
+          getPolicyreshareFieldBuilder();
+        }
+      }
+      @java.lang.Override
+      public Builder clear() {
+        super.clear();
+        ocsid_ = com.google.protobuf.ByteString.EMPTY;
+        bitField0_ = (bitField0_ & ~0x00000001);
+        if (rosterBuilder_ == null) {
+          roster_ = null;
+        } else {
+          rosterBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        if (policyreencryptBuilder_ == null) {
+          policyreencrypt_ = null;
+        } else {
+          policyreencryptBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000004);
+        if (policyreshareBuilder_ == null) {
+          policyreshare_ = null;
+        } else {
+          policyreshareBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000008);
+        signatures_ = java.util.Collections.emptyList();
+        bitField0_ = (bitField0_ & ~0x00000010);
+        return this;
+      }
+
+      @java.lang.Override
+      public com.google.protobuf.Descriptors.Descriptor
+          getDescriptorForType() {
+        return ch.epfl.dedis.lib.proto.OCS.internal_static_ocs_OCSProof_descriptor;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.OCSProof getDefaultInstanceForType() {
+        return ch.epfl.dedis.lib.proto.OCS.OCSProof.getDefaultInstance();
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.OCSProof build() {
+        ch.epfl.dedis.lib.proto.OCS.OCSProof result = buildPartial();
+        if (!result.isInitialized()) {
+          throw newUninitializedMessageException(result);
+        }
+        return result;
+      }
+
+      @java.lang.Override
+      public ch.epfl.dedis.lib.proto.OCS.OCSProof buildPartial() {
+        ch.epfl.dedis.lib.proto.OCS.OCSProof result = new ch.epfl.dedis.lib.proto.OCS.OCSProof(this);
+        int from_bitField0_ = bitField0_;
+        int to_bitField0_ = 0;
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          to_bitField0_ |= 0x00000001;
+        }
+        result.ocsid_ = ocsid_;
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (rosterBuilder_ == null) {
+            result.roster_ = roster_;
+          } else {
+            result.roster_ = rosterBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000002;
+        }
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          if (policyreencryptBuilder_ == null) {
+            result.policyreencrypt_ = policyreencrypt_;
+          } else {
+            result.policyreencrypt_ = policyreencryptBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000004;
+        }
+        if (((from_bitField0_ & 0x00000008) != 0)) {
+          if (policyreshareBuilder_ == null) {
+            result.policyreshare_ = policyreshare_;
+          } else {
+            result.policyreshare_ = policyreshareBuilder_.build();
+          }
+          to_bitField0_ |= 0x00000008;
+        }
+        if (((bitField0_ & 0x00000010) != 0)) {
+          signatures_ = java.util.Collections.unmodifiableList(signatures_);
+          bitField0_ = (bitField0_ & ~0x00000010);
+        }
+        result.signatures_ = signatures_;
+        result.bitField0_ = to_bitField0_;
+        onBuilt();
+        return result;
+      }
+
+      @java.lang.Override
+      public Builder clone() {
+        return super.clone();
+      }
+      @java.lang.Override
+      public Builder setField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.setField(field, value);
+      }
+      @java.lang.Override
+      public Builder clearField(
+          com.google.protobuf.Descriptors.FieldDescriptor field) {
+        return super.clearField(field);
+      }
+      @java.lang.Override
+      public Builder clearOneof(
+          com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+        return super.clearOneof(oneof);
+      }
+      @java.lang.Override
+      public Builder setRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          int index, java.lang.Object value) {
+        return super.setRepeatedField(field, index, value);
+      }
+      @java.lang.Override
+      public Builder addRepeatedField(
+          com.google.protobuf.Descriptors.FieldDescriptor field,
+          java.lang.Object value) {
+        return super.addRepeatedField(field, value);
+      }
+      @java.lang.Override
+      public Builder mergeFrom(com.google.protobuf.Message other) {
+        if (other instanceof ch.epfl.dedis.lib.proto.OCS.OCSProof) {
+          return mergeFrom((ch.epfl.dedis.lib.proto.OCS.OCSProof)other);
+        } else {
+          super.mergeFrom(other);
+          return this;
+        }
+      }
+
+      public Builder mergeFrom(ch.epfl.dedis.lib.proto.OCS.OCSProof other) {
+        if (other == ch.epfl.dedis.lib.proto.OCS.OCSProof.getDefaultInstance()) return this;
+        if (other.hasOcsid()) {
+          setOcsid(other.getOcsid());
+        }
+        if (other.hasRoster()) {
+          mergeRoster(other.getRoster());
+        }
+        if (other.hasPolicyreencrypt()) {
+          mergePolicyreencrypt(other.getPolicyreencrypt());
+        }
+        if (other.hasPolicyreshare()) {
+          mergePolicyreshare(other.getPolicyreshare());
+        }
+        if (!other.signatures_.isEmpty()) {
+          if (signatures_.isEmpty()) {
+            signatures_ = other.signatures_;
+            bitField0_ = (bitField0_ & ~0x00000010);
+          } else {
+            ensureSignaturesIsMutable();
+            signatures_.addAll(other.signatures_);
+          }
+          onChanged();
+        }
+        this.mergeUnknownFields(other.unknownFields);
+        onChanged();
+        return this;
+      }
+
+      @java.lang.Override
+      public final boolean isInitialized() {
+        if (!hasOcsid()) {
+          return false;
+        }
+        if (!hasRoster()) {
+          return false;
+        }
+        if (!hasPolicyreencrypt()) {
+          return false;
+        }
+        if (!hasPolicyreshare()) {
+          return false;
+        }
+        if (!getRoster().isInitialized()) {
+          return false;
+        }
+        if (!getPolicyreencrypt().isInitialized()) {
+          return false;
+        }
+        if (!getPolicyreshare().isInitialized()) {
+          return false;
+        }
+        return true;
+      }
+
+      @java.lang.Override
+      public Builder mergeFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+        ch.epfl.dedis.lib.proto.OCS.OCSProof parsedMessage = null;
+        try {
+          parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+        } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+          parsedMessage = (ch.epfl.dedis.lib.proto.OCS.OCSProof) e.getUnfinishedMessage();
+          throw e.unwrapIOException();
+        } finally {
+          if (parsedMessage != null) {
+            mergeFrom(parsedMessage);
+          }
+        }
+        return this;
+      }
+      private int bitField0_;
+
+      private com.google.protobuf.ByteString ocsid_ = com.google.protobuf.ByteString.EMPTY;
+      /**
+       * required bytes ocsid = 1;
+       */
+      public boolean hasOcsid() {
+        return ((bitField0_ & 0x00000001) != 0);
+      }
+      /**
+       * required bytes ocsid = 1;
+       */
+      public com.google.protobuf.ByteString getOcsid() {
+        return ocsid_;
+      }
+      /**
+       * required bytes ocsid = 1;
+       */
+      public Builder setOcsid(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  bitField0_ |= 0x00000001;
+        ocsid_ = value;
+        onChanged();
+        return this;
+      }
+      /**
+       * required bytes ocsid = 1;
+       */
+      public Builder clearOcsid() {
+        bitField0_ = (bitField0_ & ~0x00000001);
+        ocsid_ = getDefaultInstance().getOcsid();
+        onChanged();
+        return this;
+      }
+
+      private ch.epfl.dedis.lib.proto.OnetProto.Roster roster_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OnetProto.Roster, ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder, ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder> rosterBuilder_;
+      /**
+       * required .onet.Roster roster = 2;
+       */
+      public boolean hasRoster() {
+        return ((bitField0_ & 0x00000002) != 0);
+      }
+      /**
+       * required .onet.Roster roster = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OnetProto.Roster getRoster() {
+        if (rosterBuilder_ == null) {
+          return roster_ == null ? ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance() : roster_;
+        } else {
+          return rosterBuilder_.getMessage();
+        }
+      }
+      /**
+       * required .onet.Roster roster = 2;
+       */
+      public Builder setRoster(ch.epfl.dedis.lib.proto.OnetProto.Roster value) {
+        if (rosterBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          roster_ = value;
+          onChanged();
+        } else {
+          rosterBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * required .onet.Roster roster = 2;
+       */
+      public Builder setRoster(
+          ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder builderForValue) {
+        if (rosterBuilder_ == null) {
+          roster_ = builderForValue.build();
+          onChanged();
+        } else {
+          rosterBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * required .onet.Roster roster = 2;
+       */
+      public Builder mergeRoster(ch.epfl.dedis.lib.proto.OnetProto.Roster value) {
+        if (rosterBuilder_ == null) {
+          if (((bitField0_ & 0x00000002) != 0) &&
+              roster_ != null &&
+              roster_ != ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance()) {
+            roster_ =
+              ch.epfl.dedis.lib.proto.OnetProto.Roster.newBuilder(roster_).mergeFrom(value).buildPartial();
+          } else {
+            roster_ = value;
+          }
+          onChanged();
+        } else {
+          rosterBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000002;
+        return this;
+      }
+      /**
+       * required .onet.Roster roster = 2;
+       */
+      public Builder clearRoster() {
+        if (rosterBuilder_ == null) {
+          roster_ = null;
+          onChanged();
+        } else {
+          rosterBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000002);
+        return this;
+      }
+      /**
+       * required .onet.Roster roster = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder getRosterBuilder() {
+        bitField0_ |= 0x00000002;
+        onChanged();
+        return getRosterFieldBuilder().getBuilder();
+      }
+      /**
+       * required .onet.Roster roster = 2;
+       */
+      public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getRosterOrBuilder() {
+        if (rosterBuilder_ != null) {
+          return rosterBuilder_.getMessageOrBuilder();
+        } else {
+          return roster_ == null ?
+              ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance() : roster_;
+        }
+      }
+      /**
+       * required .onet.Roster roster = 2;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OnetProto.Roster, ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder, ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder> 
+          getRosterFieldBuilder() {
+        if (rosterBuilder_ == null) {
+          rosterBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OnetProto.Roster, ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder, ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder>(
+                  getRoster(),
+                  getParentForChildren(),
+                  isClean());
+          roster_ = null;
+        }
+        return rosterBuilder_;
+      }
+
+      private ch.epfl.dedis.lib.proto.OCS.Policy policyreencrypt_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.Policy, ch.epfl.dedis.lib.proto.OCS.Policy.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder> policyreencryptBuilder_;
+      /**
+       * required .ocs.Policy policyreencrypt = 3;
+       */
+      public boolean hasPolicyreencrypt() {
+        return ((bitField0_ & 0x00000004) != 0);
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 3;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.Policy getPolicyreencrypt() {
+        if (policyreencryptBuilder_ == null) {
+          return policyreencrypt_ == null ? ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreencrypt_;
+        } else {
+          return policyreencryptBuilder_.getMessage();
+        }
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 3;
+       */
+      public Builder setPolicyreencrypt(ch.epfl.dedis.lib.proto.OCS.Policy value) {
+        if (policyreencryptBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          policyreencrypt_ = value;
+          onChanged();
+        } else {
+          policyreencryptBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000004;
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 3;
+       */
+      public Builder setPolicyreencrypt(
+          ch.epfl.dedis.lib.proto.OCS.Policy.Builder builderForValue) {
+        if (policyreencryptBuilder_ == null) {
+          policyreencrypt_ = builderForValue.build();
+          onChanged();
+        } else {
+          policyreencryptBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000004;
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 3;
+       */
+      public Builder mergePolicyreencrypt(ch.epfl.dedis.lib.proto.OCS.Policy value) {
+        if (policyreencryptBuilder_ == null) {
+          if (((bitField0_ & 0x00000004) != 0) &&
+              policyreencrypt_ != null &&
+              policyreencrypt_ != ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance()) {
+            policyreencrypt_ =
+              ch.epfl.dedis.lib.proto.OCS.Policy.newBuilder(policyreencrypt_).mergeFrom(value).buildPartial();
+          } else {
+            policyreencrypt_ = value;
+          }
+          onChanged();
+        } else {
+          policyreencryptBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000004;
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 3;
+       */
+      public Builder clearPolicyreencrypt() {
+        if (policyreencryptBuilder_ == null) {
+          policyreencrypt_ = null;
+          onChanged();
+        } else {
+          policyreencryptBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000004);
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 3;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.Policy.Builder getPolicyreencryptBuilder() {
+        bitField0_ |= 0x00000004;
+        onChanged();
+        return getPolicyreencryptFieldBuilder().getBuilder();
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 3;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder getPolicyreencryptOrBuilder() {
+        if (policyreencryptBuilder_ != null) {
+          return policyreencryptBuilder_.getMessageOrBuilder();
+        } else {
+          return policyreencrypt_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreencrypt_;
+        }
+      }
+      /**
+       * required .ocs.Policy policyreencrypt = 3;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.Policy, ch.epfl.dedis.lib.proto.OCS.Policy.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder> 
+          getPolicyreencryptFieldBuilder() {
+        if (policyreencryptBuilder_ == null) {
+          policyreencryptBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.Policy, ch.epfl.dedis.lib.proto.OCS.Policy.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder>(
+                  getPolicyreencrypt(),
+                  getParentForChildren(),
+                  isClean());
+          policyreencrypt_ = null;
+        }
+        return policyreencryptBuilder_;
+      }
+
+      private ch.epfl.dedis.lib.proto.OCS.Policy policyreshare_;
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.Policy, ch.epfl.dedis.lib.proto.OCS.Policy.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder> policyreshareBuilder_;
+      /**
+       * required .ocs.Policy policyreshare = 4;
+       */
+      public boolean hasPolicyreshare() {
+        return ((bitField0_ & 0x00000008) != 0);
+      }
+      /**
+       * required .ocs.Policy policyreshare = 4;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.Policy getPolicyreshare() {
+        if (policyreshareBuilder_ == null) {
+          return policyreshare_ == null ? ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreshare_;
+        } else {
+          return policyreshareBuilder_.getMessage();
+        }
+      }
+      /**
+       * required .ocs.Policy policyreshare = 4;
+       */
+      public Builder setPolicyreshare(ch.epfl.dedis.lib.proto.OCS.Policy value) {
+        if (policyreshareBuilder_ == null) {
+          if (value == null) {
+            throw new NullPointerException();
+          }
+          policyreshare_ = value;
+          onChanged();
+        } else {
+          policyreshareBuilder_.setMessage(value);
+        }
+        bitField0_ |= 0x00000008;
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreshare = 4;
+       */
+      public Builder setPolicyreshare(
+          ch.epfl.dedis.lib.proto.OCS.Policy.Builder builderForValue) {
+        if (policyreshareBuilder_ == null) {
+          policyreshare_ = builderForValue.build();
+          onChanged();
+        } else {
+          policyreshareBuilder_.setMessage(builderForValue.build());
+        }
+        bitField0_ |= 0x00000008;
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreshare = 4;
+       */
+      public Builder mergePolicyreshare(ch.epfl.dedis.lib.proto.OCS.Policy value) {
+        if (policyreshareBuilder_ == null) {
+          if (((bitField0_ & 0x00000008) != 0) &&
+              policyreshare_ != null &&
+              policyreshare_ != ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance()) {
+            policyreshare_ =
+              ch.epfl.dedis.lib.proto.OCS.Policy.newBuilder(policyreshare_).mergeFrom(value).buildPartial();
+          } else {
+            policyreshare_ = value;
+          }
+          onChanged();
+        } else {
+          policyreshareBuilder_.mergeFrom(value);
+        }
+        bitField0_ |= 0x00000008;
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreshare = 4;
+       */
+      public Builder clearPolicyreshare() {
+        if (policyreshareBuilder_ == null) {
+          policyreshare_ = null;
+          onChanged();
+        } else {
+          policyreshareBuilder_.clear();
+        }
+        bitField0_ = (bitField0_ & ~0x00000008);
+        return this;
+      }
+      /**
+       * required .ocs.Policy policyreshare = 4;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.Policy.Builder getPolicyreshareBuilder() {
+        bitField0_ |= 0x00000008;
+        onChanged();
+        return getPolicyreshareFieldBuilder().getBuilder();
+      }
+      /**
+       * required .ocs.Policy policyreshare = 4;
+       */
+      public ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder getPolicyreshareOrBuilder() {
+        if (policyreshareBuilder_ != null) {
+          return policyreshareBuilder_.getMessageOrBuilder();
+        } else {
+          return policyreshare_ == null ?
+              ch.epfl.dedis.lib.proto.OCS.Policy.getDefaultInstance() : policyreshare_;
+        }
+      }
+      /**
+       * required .ocs.Policy policyreshare = 4;
+       */
+      private com.google.protobuf.SingleFieldBuilderV3<
+          ch.epfl.dedis.lib.proto.OCS.Policy, ch.epfl.dedis.lib.proto.OCS.Policy.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder> 
+          getPolicyreshareFieldBuilder() {
+        if (policyreshareBuilder_ == null) {
+          policyreshareBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
+              ch.epfl.dedis.lib.proto.OCS.Policy, ch.epfl.dedis.lib.proto.OCS.Policy.Builder, ch.epfl.dedis.lib.proto.OCS.PolicyOrBuilder>(
+                  getPolicyreshare(),
+                  getParentForChildren(),
+                  isClean());
+          policyreshare_ = null;
+        }
+        return policyreshareBuilder_;
+      }
+
+      private java.util.List signatures_ = java.util.Collections.emptyList();
+      private void ensureSignaturesIsMutable() {
+        if (!((bitField0_ & 0x00000010) != 0)) {
+          signatures_ = new java.util.ArrayList(signatures_);
+          bitField0_ |= 0x00000010;
+         }
+      }
+      /**
+       * repeated bytes signatures = 5;
+       */
+      public java.util.List
+          getSignaturesList() {
+        return ((bitField0_ & 0x00000010) != 0) ?
+                 java.util.Collections.unmodifiableList(signatures_) : signatures_;
+      }
+      /**
+       * repeated bytes signatures = 5;
+       */
+      public int getSignaturesCount() {
+        return signatures_.size();
+      }
+      /**
+       * repeated bytes signatures = 5;
+       */
+      public com.google.protobuf.ByteString getSignatures(int index) {
+        return signatures_.get(index);
+      }
+      /**
+       * repeated bytes signatures = 5;
+       */
+      public Builder setSignatures(
+          int index, com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  ensureSignaturesIsMutable();
+        signatures_.set(index, value);
+        onChanged();
+        return this;
+      }
+      /**
+       * repeated bytes signatures = 5;
+       */
+      public Builder addSignatures(com.google.protobuf.ByteString value) {
+        if (value == null) {
+    throw new NullPointerException();
+  }
+  ensureSignaturesIsMutable();
+        signatures_.add(value);
+        onChanged();
+        return this;
+      }
+      /**
+       * repeated bytes signatures = 5;
+       */
+      public Builder addAllSignatures(
+          java.lang.Iterable values) {
+        ensureSignaturesIsMutable();
+        com.google.protobuf.AbstractMessageLite.Builder.addAll(
+            values, signatures_);
+        onChanged();
+        return this;
+      }
+      /**
+       * repeated bytes signatures = 5;
+       */
+      public Builder clearSignatures() {
+        signatures_ = java.util.Collections.emptyList();
+        bitField0_ = (bitField0_ & ~0x00000010);
+        onChanged();
+        return this;
+      }
+      @java.lang.Override
+      public final Builder setUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.setUnknownFields(unknownFields);
+      }
+
+      @java.lang.Override
+      public final Builder mergeUnknownFields(
+          final com.google.protobuf.UnknownFieldSet unknownFields) {
+        return super.mergeUnknownFields(unknownFields);
+      }
+
+
+      // @@protoc_insertion_point(builder_scope:ocs.OCSProof)
+    }
+
+    // @@protoc_insertion_point(class_scope:ocs.OCSProof)
+    private static final ch.epfl.dedis.lib.proto.OCS.OCSProof DEFAULT_INSTANCE;
+    static {
+      DEFAULT_INSTANCE = new ch.epfl.dedis.lib.proto.OCS.OCSProof();
+    }
+
+    public static ch.epfl.dedis.lib.proto.OCS.OCSProof getDefaultInstance() {
+      return DEFAULT_INSTANCE;
+    }
+
+    @java.lang.Deprecated public static final com.google.protobuf.Parser
+        PARSER = new com.google.protobuf.AbstractParser() {
+      @java.lang.Override
+      public OCSProof parsePartialFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+        return new OCSProof(input, extensionRegistry);
+      }
+    };
+
+    public static com.google.protobuf.Parser parser() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Parser getParserForType() {
+      return PARSER;
+    }
+
+    @java.lang.Override
+    public ch.epfl.dedis.lib.proto.OCS.OCSProof getDefaultInstanceForType() {
+      return DEFAULT_INSTANCE;
+    }
+
+  }
+
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_AddPolicyCreateOCS_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_AddPolicyCreateOCS_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_AddPolicyCreateOCSReply_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_AddPolicyCreateOCSReply_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_CreateOCS_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_CreateOCS_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_CreateOCSReply_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_CreateOCSReply_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_GetProof_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_GetProof_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_GetProofReply_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_GetProofReply_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_Reencrypt_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_Reencrypt_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_ReencryptReply_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_ReencryptReply_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_Reshare_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_Reshare_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_ReshareReply_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_ReshareReply_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_Policy_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_Policy_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_PolicyByzCoin_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_PolicyByzCoin_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_PolicyX509Cert_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_PolicyX509Cert_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_AuthCreate_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_AuthCreate_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_AuthCreateByzcoin_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_AuthCreateByzcoin_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_AuthCreateX509Cert_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_AuthCreateX509Cert_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_AuthReencrypt_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_AuthReencrypt_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_AuthReencryptByzCoin_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_AuthReencryptByzCoin_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_AuthReencryptX509Cert_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_AuthReencryptX509Cert_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_AuthReshare_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_AuthReshare_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_AuthReshareByzCoin_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_AuthReshareByzCoin_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_AuthReshareX509Cert_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_AuthReshareX509Cert_fieldAccessorTable;
+  private static final com.google.protobuf.Descriptors.Descriptor
+    internal_static_ocs_OCSProof_descriptor;
+  private static final 
+    com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_ocs_OCSProof_fieldAccessorTable;
+
+  public static com.google.protobuf.Descriptors.FileDescriptor
+      getDescriptor() {
+    return descriptor;
+  }
+  private static  com.google.protobuf.Descriptors.FileDescriptor
+      descriptor;
+  static {
+    java.lang.String[] descriptorData = {
+      "\n\tocs.proto\022\003ocs\032\nonet.proto\032\ndarc.proto" +
+      "\"1\n\022AddPolicyCreateOCS\022\033\n\006create\030\001 \002(\0132\013" +
+      ".ocs.Policy\"\031\n\027AddPolicyCreateOCSReply\"s" +
+      "\n\tCreateOCS\022\034\n\006roster\030\001 \002(\0132\014.onet.Roste" +
+      "r\022$\n\017policyreencrypt\030\002 \002(\0132\013.ocs.Policy\022" +
+      "\"\n\rpolicyreshare\030\003 \002(\0132\013.ocs.Policy\"\037\n\016C" +
+      "reateOCSReply\022\r\n\005ocsid\030\001 \002(\014\"\031\n\010GetProof" +
+      "\022\r\n\005ocsid\030\001 \002(\014\"-\n\rGetProofReply\022\034\n\005proo" +
+      "f\030\001 \002(\0132\r.ocs.OCSProof\"<\n\tReencrypt\022\r\n\005o" +
+      "csid\030\001 \002(\014\022 \n\004auth\030\002 \002(\0132\022.ocs.AuthReenc" +
+      "rypt\"7\n\016ReencryptReply\022\t\n\001x\030\001 \002(\014\022\017\n\007xha" +
+      "tenc\030\002 \002(\014\022\t\n\001c\030\003 \002(\014\"Y\n\007Reshare\022\r\n\005ocsi" +
+      "d\030\001 \002(\014\022\037\n\tnewroster\030\002 \002(\0132\014.onet.Roster" +
+      "\022\036\n\004auth\030\003 \002(\0132\020.ocs.AuthReshare\"\033\n\014Resh" +
+      "areReply\022\013\n\003sig\030\001 \002(\014\"T\n\006Policy\022#\n\007byzco" +
+      "in\030\001 \001(\0132\022.ocs.PolicyByzCoin\022%\n\010x509cert" +
+      "\030\002 \001(\0132\023.ocs.PolicyX509Cert\"/\n\rPolicyByz" +
+      "Coin\022\021\n\tbyzcoinid\030\001 \002(\014\022\013\n\003ttl\030\002 \002(\004\"/\n\016" +
+      "PolicyX509Cert\022\n\n\002ca\030\001 \003(\014\022\021\n\tthreshold\030" +
+      "\002 \002(\021\"`\n\nAuthCreate\022\'\n\007byzcoin\030\001 \002(\0132\026.o" +
+      "cs.AuthCreateByzcoin\022)\n\010x509cert\030\002 \002(\0132\027" +
+      ".ocs.AuthCreateX509Cert\";\n\021AuthCreateByz" +
+      "coin\022\021\n\tbyzcoinid\030\001 \002(\014\022\023\n\013ltsinstance\030\002" +
+      " \002(\014\"*\n\022AuthCreateX509Cert\022\024\n\014certificat" +
+      "es\030\001 \003(\014\"|\n\rAuthReencrypt\022\021\n\tephemeral\030\001" +
+      " \002(\014\022*\n\007byzcoin\030\002 \001(\0132\031.ocs.AuthReencryp" +
+      "tByzCoin\022,\n\010x509cert\030\003 \001(\0132\032.ocs.AuthRee" +
+      "ncryptX509Cert\"j\n\024AuthReencryptByzCoin\022\r" +
+      "\n\005write\030\001 \002(\014\022\014\n\004read\030\002 \002(\014\022\021\n\tephemeral" +
+      "\030\003 \002(\014\022\"\n\tsignature\030\004 \001(\0132\017.darc.Signatu" +
+      "re\"8\n\025AuthReencryptX509Cert\022\t\n\001u\030\001 \002(\014\022\024" +
+      "\n\014certificates\030\002 \003(\014\"c\n\013AuthReshare\022(\n\007b" +
+      "yzcoin\030\001 \001(\0132\027.ocs.AuthReshareByzCoin\022*\n" +
+      "\010x509cert\030\002 \001(\0132\030.ocs.AuthReshareX509Cer" +
+      "t\"%\n\022AuthReshareByzCoin\022\017\n\007reshare\030\001 \002(\014" +
+      "\"+\n\023AuthReshareX509Cert\022\024\n\014certificates\030" +
+      "\001 \003(\014\"\225\001\n\010OCSProof\022\r\n\005ocsid\030\001 \002(\014\022\034\n\006ros" +
+      "ter\030\002 \002(\0132\014.onet.Roster\022$\n\017policyreencry" +
+      "pt\030\003 \002(\0132\013.ocs.Policy\022\"\n\rpolicyreshare\030\004" +
+      " \002(\0132\013.ocs.Policy\022\022\n\nsignatures\030\005 \003(\014B\036\n" +
+      "\027ch.epfl.dedis.lib.protoB\003OCS"
+    };
+    com.google.protobuf.Descriptors.FileDescriptor.InternalDescriptorAssigner assigner =
+        new com.google.protobuf.Descriptors.FileDescriptor.    InternalDescriptorAssigner() {
+          public com.google.protobuf.ExtensionRegistry assignDescriptors(
+              com.google.protobuf.Descriptors.FileDescriptor root) {
+            descriptor = root;
+            return null;
+          }
+        };
+    com.google.protobuf.Descriptors.FileDescriptor
+      .internalBuildGeneratedFileFrom(descriptorData,
+        new com.google.protobuf.Descriptors.FileDescriptor[] {
+          ch.epfl.dedis.lib.proto.OnetProto.getDescriptor(),
+          ch.epfl.dedis.lib.proto.DarcProto.getDescriptor(),
+        }, assigner);
+    internal_static_ocs_AddPolicyCreateOCS_descriptor =
+      getDescriptor().getMessageTypes().get(0);
+    internal_static_ocs_AddPolicyCreateOCS_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_AddPolicyCreateOCS_descriptor,
+        new java.lang.String[] { "Create", });
+    internal_static_ocs_AddPolicyCreateOCSReply_descriptor =
+      getDescriptor().getMessageTypes().get(1);
+    internal_static_ocs_AddPolicyCreateOCSReply_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_AddPolicyCreateOCSReply_descriptor,
+        new java.lang.String[] { });
+    internal_static_ocs_CreateOCS_descriptor =
+      getDescriptor().getMessageTypes().get(2);
+    internal_static_ocs_CreateOCS_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_CreateOCS_descriptor,
+        new java.lang.String[] { "Roster", "Policyreencrypt", "Policyreshare", });
+    internal_static_ocs_CreateOCSReply_descriptor =
+      getDescriptor().getMessageTypes().get(3);
+    internal_static_ocs_CreateOCSReply_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_CreateOCSReply_descriptor,
+        new java.lang.String[] { "Ocsid", });
+    internal_static_ocs_GetProof_descriptor =
+      getDescriptor().getMessageTypes().get(4);
+    internal_static_ocs_GetProof_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_GetProof_descriptor,
+        new java.lang.String[] { "Ocsid", });
+    internal_static_ocs_GetProofReply_descriptor =
+      getDescriptor().getMessageTypes().get(5);
+    internal_static_ocs_GetProofReply_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_GetProofReply_descriptor,
+        new java.lang.String[] { "Proof", });
+    internal_static_ocs_Reencrypt_descriptor =
+      getDescriptor().getMessageTypes().get(6);
+    internal_static_ocs_Reencrypt_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_Reencrypt_descriptor,
+        new java.lang.String[] { "Ocsid", "Auth", });
+    internal_static_ocs_ReencryptReply_descriptor =
+      getDescriptor().getMessageTypes().get(7);
+    internal_static_ocs_ReencryptReply_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_ReencryptReply_descriptor,
+        new java.lang.String[] { "X", "Xhatenc", "C", });
+    internal_static_ocs_Reshare_descriptor =
+      getDescriptor().getMessageTypes().get(8);
+    internal_static_ocs_Reshare_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_Reshare_descriptor,
+        new java.lang.String[] { "Ocsid", "Newroster", "Auth", });
+    internal_static_ocs_ReshareReply_descriptor =
+      getDescriptor().getMessageTypes().get(9);
+    internal_static_ocs_ReshareReply_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_ReshareReply_descriptor,
+        new java.lang.String[] { "Sig", });
+    internal_static_ocs_Policy_descriptor =
+      getDescriptor().getMessageTypes().get(10);
+    internal_static_ocs_Policy_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_Policy_descriptor,
+        new java.lang.String[] { "Byzcoin", "X509Cert", });
+    internal_static_ocs_PolicyByzCoin_descriptor =
+      getDescriptor().getMessageTypes().get(11);
+    internal_static_ocs_PolicyByzCoin_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_PolicyByzCoin_descriptor,
+        new java.lang.String[] { "Byzcoinid", "Ttl", });
+    internal_static_ocs_PolicyX509Cert_descriptor =
+      getDescriptor().getMessageTypes().get(12);
+    internal_static_ocs_PolicyX509Cert_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_PolicyX509Cert_descriptor,
+        new java.lang.String[] { "Ca", "Threshold", });
+    internal_static_ocs_AuthCreate_descriptor =
+      getDescriptor().getMessageTypes().get(13);
+    internal_static_ocs_AuthCreate_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_AuthCreate_descriptor,
+        new java.lang.String[] { "Byzcoin", "X509Cert", });
+    internal_static_ocs_AuthCreateByzcoin_descriptor =
+      getDescriptor().getMessageTypes().get(14);
+    internal_static_ocs_AuthCreateByzcoin_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_AuthCreateByzcoin_descriptor,
+        new java.lang.String[] { "Byzcoinid", "Ltsinstance", });
+    internal_static_ocs_AuthCreateX509Cert_descriptor =
+      getDescriptor().getMessageTypes().get(15);
+    internal_static_ocs_AuthCreateX509Cert_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_AuthCreateX509Cert_descriptor,
+        new java.lang.String[] { "Certificates", });
+    internal_static_ocs_AuthReencrypt_descriptor =
+      getDescriptor().getMessageTypes().get(16);
+    internal_static_ocs_AuthReencrypt_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_AuthReencrypt_descriptor,
+        new java.lang.String[] { "Ephemeral", "Byzcoin", "X509Cert", });
+    internal_static_ocs_AuthReencryptByzCoin_descriptor =
+      getDescriptor().getMessageTypes().get(17);
+    internal_static_ocs_AuthReencryptByzCoin_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_AuthReencryptByzCoin_descriptor,
+        new java.lang.String[] { "Write", "Read", "Ephemeral", "Signature", });
+    internal_static_ocs_AuthReencryptX509Cert_descriptor =
+      getDescriptor().getMessageTypes().get(18);
+    internal_static_ocs_AuthReencryptX509Cert_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_AuthReencryptX509Cert_descriptor,
+        new java.lang.String[] { "U", "Certificates", });
+    internal_static_ocs_AuthReshare_descriptor =
+      getDescriptor().getMessageTypes().get(19);
+    internal_static_ocs_AuthReshare_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_AuthReshare_descriptor,
+        new java.lang.String[] { "Byzcoin", "X509Cert", });
+    internal_static_ocs_AuthReshareByzCoin_descriptor =
+      getDescriptor().getMessageTypes().get(20);
+    internal_static_ocs_AuthReshareByzCoin_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_AuthReshareByzCoin_descriptor,
+        new java.lang.String[] { "Reshare", });
+    internal_static_ocs_AuthReshareX509Cert_descriptor =
+      getDescriptor().getMessageTypes().get(21);
+    internal_static_ocs_AuthReshareX509Cert_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_AuthReshareX509Cert_descriptor,
+        new java.lang.String[] { "Certificates", });
+    internal_static_ocs_OCSProof_descriptor =
+      getDescriptor().getMessageTypes().get(22);
+    internal_static_ocs_OCSProof_fieldAccessorTable = new
+      com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+        internal_static_ocs_OCSProof_descriptor,
+        new java.lang.String[] { "Ocsid", "Roster", "Policyreencrypt", "Policyreshare", "Signatures", });
+    ch.epfl.dedis.lib.proto.OnetProto.getDescriptor();
+    ch.epfl.dedis.lib.proto.DarcProto.getDescriptor();
+  }
+
+  // @@protoc_insertion_point(outer_class_scope)
+}
diff --git a/external/java/src/main/java/ch/epfl/dedis/lib/proto/OnetProto.java b/external/java/src/main/java/ch/epfl/dedis/lib/proto/OnetProto.java
index 8d3ce10613..8d4638f74e 100644
--- a/external/java/src/main/java/ch/epfl/dedis/lib/proto/OnetProto.java
+++ b/external/java/src/main/java/ch/epfl/dedis/lib/proto/OnetProto.java
@@ -108,7 +108,7 @@ private Roster(
               break;
             }
             case 18: {
-              if (!((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
+              if (!((mutable_bitField0_ & 0x00000002) != 0)) {
                 list_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000002;
               }
@@ -136,7 +136,7 @@ private Roster(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((mutable_bitField0_ & 0x00000002) != 0)) {
           list_ = java.util.Collections.unmodifiableList(list_);
         }
         this.unknownFields = unknownFields.build();
@@ -163,7 +163,7 @@ private Roster(
      * optional bytes id = 1;
      */
     public boolean hasId() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * optional bytes id = 1;
@@ -213,7 +213,7 @@ public ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentityOrBuilder getListOrBui
      * required bytes aggregate = 3;
      */
     public boolean hasAggregate() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes aggregate = 3;
@@ -246,13 +246,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, id_);
       }
       for (int i = 0; i < list_.size(); i++) {
         output.writeMessage(2, list_.get(i));
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(3, aggregate_);
       }
       unknownFields.writeTo(output);
@@ -264,7 +264,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, id_);
       }
@@ -272,7 +272,7 @@ public int getSerializedSize() {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, list_.get(i));
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, aggregate_);
       }
@@ -291,21 +291,20 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.OnetProto.Roster other = (ch.epfl.dedis.lib.proto.OnetProto.Roster) obj;
 
-      boolean result = true;
-      result = result && (hasId() == other.hasId());
+      if (hasId() != other.hasId()) return false;
       if (hasId()) {
-        result = result && getId()
-            .equals(other.getId());
+        if (!getId()
+            .equals(other.getId())) return false;
       }
-      result = result && getListList()
-          .equals(other.getListList());
-      result = result && (hasAggregate() == other.hasAggregate());
+      if (!getListList()
+          .equals(other.getListList())) return false;
+      if (hasAggregate() != other.hasAggregate()) return false;
       if (hasAggregate()) {
-        result = result && getAggregate()
-            .equals(other.getAggregate());
+        if (!getAggregate()
+            .equals(other.getAggregate())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -499,12 +498,12 @@ public ch.epfl.dedis.lib.proto.OnetProto.Roster buildPartial() {
         ch.epfl.dedis.lib.proto.OnetProto.Roster result = new ch.epfl.dedis.lib.proto.OnetProto.Roster(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.id_ = id_;
         if (listBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002)) {
+          if (((bitField0_ & 0x00000002) != 0)) {
             list_ = java.util.Collections.unmodifiableList(list_);
             bitField0_ = (bitField0_ & ~0x00000002);
           }
@@ -512,7 +511,7 @@ public ch.epfl.dedis.lib.proto.OnetProto.Roster buildPartial() {
         } else {
           result.list_ = listBuilder_.build();
         }
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.aggregate_ = aggregate_;
@@ -523,35 +522,35 @@ public ch.epfl.dedis.lib.proto.OnetProto.Roster buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -640,7 +639,7 @@ public Builder mergeFrom(
        * optional bytes id = 1;
        */
       public boolean hasId() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * optional bytes id = 1;
@@ -673,7 +672,7 @@ public Builder clearId() {
       private java.util.List list_ =
         java.util.Collections.emptyList();
       private void ensureListIsMutable() {
-        if (!((bitField0_ & 0x00000002) == 0x00000002)) {
+        if (!((bitField0_ & 0x00000002) != 0)) {
           list_ = new java.util.ArrayList(list_);
           bitField0_ |= 0x00000002;
          }
@@ -902,7 +901,7 @@ public ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity.Builder addListBuilde
           listBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity, ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity.Builder, ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentityOrBuilder>(
                   list_,
-                  ((bitField0_ & 0x00000002) == 0x00000002),
+                  ((bitField0_ & 0x00000002) != 0),
                   getParentForChildren(),
                   isClean());
           list_ = null;
@@ -915,7 +914,7 @@ public ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity.Builder addListBuilde
        * required bytes aggregate = 3;
        */
       public boolean hasAggregate() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required bytes aggregate = 3;
@@ -1075,7 +1074,7 @@ private Status(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 field_ = com.google.protobuf.MapField.newMapField(
                     FieldDefaultEntryHolder.defaultEntry);
                 mutable_bitField0_ |= 0x00000001;
@@ -1261,11 +1260,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.OnetProto.Status other = (ch.epfl.dedis.lib.proto.OnetProto.Status) obj;
 
-      boolean result = true;
-      result = result && internalGetField().equals(
-          other.internalGetField());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!internalGetField().equals(
+          other.internalGetField())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -1470,35 +1468,35 @@ public ch.epfl.dedis.lib.proto.OnetProto.Status buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
diff --git a/external/java/src/main/java/ch/epfl/dedis/lib/proto/Personhood.java b/external/java/src/main/java/ch/epfl/dedis/lib/proto/Personhood.java
index 550cc26a83..df60ca4d07 100644
--- a/external/java/src/main/java/ch/epfl/dedis/lib/proto/Personhood.java
+++ b/external/java/src/main/java/ch/epfl/dedis/lib/proto/Personhood.java
@@ -58,7 +58,6 @@ private PartyList(com.google.protobuf.GeneratedMessageV3.Builder builder) {
       super(builder);
     }
     private PartyList() {
-      wipeparties_ = false;
     }
 
     @java.lang.Override
@@ -87,7 +86,7 @@ private PartyList(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.Personhood.Party.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = newparty_.toBuilder();
               }
               newparty_ = input.readMessage(ch.epfl.dedis.lib.proto.Personhood.Party.parser(), extensionRegistry);
@@ -142,7 +141,7 @@ private PartyList(
      * optional .personhood.Party newparty = 1;
      */
     public boolean hasNewparty() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * optional .personhood.Party newparty = 1;
@@ -163,7 +162,7 @@ public ch.epfl.dedis.lib.proto.Personhood.PartyOrBuilder getNewpartyOrBuilder()
      * optional bool wipeparties = 2;
      */
     public boolean hasWipeparties() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * optional bool wipeparties = 2;
@@ -192,10 +191,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getNewparty());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBool(2, wipeparties_);
       }
       unknownFields.writeTo(output);
@@ -207,11 +206,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getNewparty());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBoolSize(2, wipeparties_);
       }
@@ -230,19 +229,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.PartyList other = (ch.epfl.dedis.lib.proto.Personhood.PartyList) obj;
 
-      boolean result = true;
-      result = result && (hasNewparty() == other.hasNewparty());
+      if (hasNewparty() != other.hasNewparty()) return false;
       if (hasNewparty()) {
-        result = result && getNewparty()
-            .equals(other.getNewparty());
+        if (!getNewparty()
+            .equals(other.getNewparty())) return false;
       }
-      result = result && (hasWipeparties() == other.hasWipeparties());
+      if (hasWipeparties() != other.hasWipeparties()) return false;
       if (hasWipeparties()) {
-        result = result && (getWipeparties()
-            == other.getWipeparties());
+        if (getWipeparties()
+            != other.getWipeparties()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -436,18 +434,18 @@ public ch.epfl.dedis.lib.proto.Personhood.PartyList buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.PartyList result = new ch.epfl.dedis.lib.proto.Personhood.PartyList(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (newpartyBuilder_ == null) {
+            result.newparty_ = newparty_;
+          } else {
+            result.newparty_ = newpartyBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (newpartyBuilder_ == null) {
-          result.newparty_ = newparty_;
-        } else {
-          result.newparty_ = newpartyBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          result.wipeparties_ = wipeparties_;
           to_bitField0_ |= 0x00000002;
         }
-        result.wipeparties_ = wipeparties_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -455,35 +453,35 @@ public ch.epfl.dedis.lib.proto.Personhood.PartyList buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -538,14 +536,14 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.Personhood.Party newparty_ = null;
+      private ch.epfl.dedis.lib.proto.Personhood.Party newparty_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.Personhood.Party, ch.epfl.dedis.lib.proto.Personhood.Party.Builder, ch.epfl.dedis.lib.proto.Personhood.PartyOrBuilder> newpartyBuilder_;
       /**
        * optional .personhood.Party newparty = 1;
        */
       public boolean hasNewparty() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * optional .personhood.Party newparty = 1;
@@ -592,7 +590,7 @@ public Builder setNewparty(
        */
       public Builder mergeNewparty(ch.epfl.dedis.lib.proto.Personhood.Party value) {
         if (newpartyBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               newparty_ != null &&
               newparty_ != ch.epfl.dedis.lib.proto.Personhood.Party.getDefaultInstance()) {
             newparty_ =
@@ -661,7 +659,7 @@ public ch.epfl.dedis.lib.proto.Personhood.PartyOrBuilder getNewpartyOrBuilder()
        * optional bool wipeparties = 2;
        */
       public boolean hasWipeparties() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * optional bool wipeparties = 2;
@@ -814,7 +812,7 @@ private PartyListResponse(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 parties_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -837,7 +835,7 @@ private PartyListResponse(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           parties_ = java.util.Collections.unmodifiableList(parties_);
         }
         this.unknownFields = unknownFields.build();
@@ -943,11 +941,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.PartyListResponse other = (ch.epfl.dedis.lib.proto.Personhood.PartyListResponse) obj;
 
-      boolean result = true;
-      result = result && getPartiesList()
-          .equals(other.getPartiesList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getPartiesList()
+          .equals(other.getPartiesList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -1134,7 +1131,7 @@ public ch.epfl.dedis.lib.proto.Personhood.PartyListResponse buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.PartyListResponse result = new ch.epfl.dedis.lib.proto.Personhood.PartyListResponse(this);
         int from_bitField0_ = bitField0_;
         if (partiesBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             parties_ = java.util.Collections.unmodifiableList(parties_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -1148,35 +1145,35 @@ public ch.epfl.dedis.lib.proto.Personhood.PartyListResponse buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -1254,7 +1251,7 @@ public Builder mergeFrom(
       private java.util.List parties_ =
         java.util.Collections.emptyList();
       private void ensurePartiesIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           parties_ = new java.util.ArrayList(parties_);
           bitField0_ |= 0x00000001;
          }
@@ -1483,7 +1480,7 @@ public ch.epfl.dedis.lib.proto.Personhood.Party.Builder addPartiesBuilder(
           partiesBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.Personhood.Party, ch.epfl.dedis.lib.proto.Personhood.Party.Builder, ch.epfl.dedis.lib.proto.Personhood.PartyOrBuilder>(
                   parties_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           parties_ = null;
@@ -1653,7 +1650,7 @@ private Party(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = roster_.toBuilder();
               }
               roster_ = input.readMessage(ch.epfl.dedis.lib.proto.OnetProto.Roster.parser(), extensionRegistry);
@@ -1717,7 +1714,7 @@ private Party(
      * required .onet.Roster roster = 1;
      */
     public boolean hasRoster() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -1750,7 +1747,7 @@ public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getRosterOrBuilder() {
      * required bytes byzcoinid = 2;
      */
     public boolean hasByzcoinid() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -1773,7 +1770,7 @@ public com.google.protobuf.ByteString getByzcoinid() {
      * required bytes instanceid = 3;
      */
     public boolean hasInstanceid() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -1816,13 +1813,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getRoster());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeBytes(3, instanceid_);
       }
       unknownFields.writeTo(output);
@@ -1834,15 +1831,15 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getRoster());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, instanceid_);
       }
@@ -1861,24 +1858,23 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.Party other = (ch.epfl.dedis.lib.proto.Personhood.Party) obj;
 
-      boolean result = true;
-      result = result && (hasRoster() == other.hasRoster());
+      if (hasRoster() != other.hasRoster()) return false;
       if (hasRoster()) {
-        result = result && getRoster()
-            .equals(other.getRoster());
+        if (!getRoster()
+            .equals(other.getRoster())) return false;
       }
-      result = result && (hasByzcoinid() == other.hasByzcoinid());
+      if (hasByzcoinid() != other.hasByzcoinid()) return false;
       if (hasByzcoinid()) {
-        result = result && getByzcoinid()
-            .equals(other.getByzcoinid());
+        if (!getByzcoinid()
+            .equals(other.getByzcoinid())) return false;
       }
-      result = result && (hasInstanceid() == other.hasInstanceid());
+      if (hasInstanceid() != other.hasInstanceid()) return false;
       if (hasInstanceid()) {
-        result = result && getInstanceid()
-            .equals(other.getInstanceid());
+        if (!getInstanceid()
+            .equals(other.getInstanceid())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -2076,19 +2072,19 @@ public ch.epfl.dedis.lib.proto.Personhood.Party buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.Party result = new ch.epfl.dedis.lib.proto.Personhood.Party(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (rosterBuilder_ == null) {
+            result.roster_ = roster_;
+          } else {
+            result.roster_ = rosterBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (rosterBuilder_ == null) {
-          result.roster_ = roster_;
-        } else {
-          result.roster_ = rosterBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.byzcoinid_ = byzcoinid_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.instanceid_ = instanceid_;
@@ -2099,35 +2095,35 @@ public ch.epfl.dedis.lib.proto.Personhood.Party buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -2192,7 +2188,7 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.OnetProto.Roster roster_ = null;
+      private ch.epfl.dedis.lib.proto.OnetProto.Roster roster_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.OnetProto.Roster, ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder, ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder> rosterBuilder_;
       /**
@@ -2203,7 +2199,7 @@ public Builder mergeFrom(
        * required .onet.Roster roster = 1;
        */
       public boolean hasRoster() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -2266,7 +2262,7 @@ public Builder setRoster(
        */
       public Builder mergeRoster(ch.epfl.dedis.lib.proto.OnetProto.Roster value) {
         if (rosterBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               roster_ != null &&
               roster_ != ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance()) {
             roster_ =
@@ -2355,7 +2351,7 @@ public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getRosterOrBuilder() {
        * required bytes byzcoinid = 2;
        */
       public boolean hasByzcoinid() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -2406,7 +2402,7 @@ public Builder clearByzcoinid() {
        * required bytes instanceid = 3;
        */
       public boolean hasInstanceid() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -2544,7 +2540,6 @@ private RoPaSciList(com.google.protobuf.GeneratedMessageV3.Builder builder) {
       super(builder);
     }
     private RoPaSciList() {
-      wipe_ = false;
     }
 
     @java.lang.Override
@@ -2573,7 +2568,7 @@ private RoPaSciList(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.Personhood.RoPaSci.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = newropasci_.toBuilder();
               }
               newropasci_ = input.readMessage(ch.epfl.dedis.lib.proto.Personhood.RoPaSci.parser(), extensionRegistry);
@@ -2628,7 +2623,7 @@ private RoPaSciList(
      * optional .personhood.RoPaSci newropasci = 1;
      */
     public boolean hasNewropasci() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * optional .personhood.RoPaSci newropasci = 1;
@@ -2649,7 +2644,7 @@ public ch.epfl.dedis.lib.proto.Personhood.RoPaSciOrBuilder getNewropasciOrBuilde
      * optional bool wipe = 2;
      */
     public boolean hasWipe() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * optional bool wipe = 2;
@@ -2678,10 +2673,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getNewropasci());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBool(2, wipe_);
       }
       unknownFields.writeTo(output);
@@ -2693,11 +2688,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getNewropasci());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBoolSize(2, wipe_);
       }
@@ -2716,19 +2711,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.RoPaSciList other = (ch.epfl.dedis.lib.proto.Personhood.RoPaSciList) obj;
 
-      boolean result = true;
-      result = result && (hasNewropasci() == other.hasNewropasci());
+      if (hasNewropasci() != other.hasNewropasci()) return false;
       if (hasNewropasci()) {
-        result = result && getNewropasci()
-            .equals(other.getNewropasci());
+        if (!getNewropasci()
+            .equals(other.getNewropasci())) return false;
       }
-      result = result && (hasWipe() == other.hasWipe());
+      if (hasWipe() != other.hasWipe()) return false;
       if (hasWipe()) {
-        result = result && (getWipe()
-            == other.getWipe());
+        if (getWipe()
+            != other.getWipe()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -2922,18 +2916,18 @@ public ch.epfl.dedis.lib.proto.Personhood.RoPaSciList buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.RoPaSciList result = new ch.epfl.dedis.lib.proto.Personhood.RoPaSciList(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (newropasciBuilder_ == null) {
+            result.newropasci_ = newropasci_;
+          } else {
+            result.newropasci_ = newropasciBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (newropasciBuilder_ == null) {
-          result.newropasci_ = newropasci_;
-        } else {
-          result.newropasci_ = newropasciBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          result.wipe_ = wipe_;
           to_bitField0_ |= 0x00000002;
         }
-        result.wipe_ = wipe_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -2941,35 +2935,35 @@ public ch.epfl.dedis.lib.proto.Personhood.RoPaSciList buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -3024,14 +3018,14 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.Personhood.RoPaSci newropasci_ = null;
+      private ch.epfl.dedis.lib.proto.Personhood.RoPaSci newropasci_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.Personhood.RoPaSci, ch.epfl.dedis.lib.proto.Personhood.RoPaSci.Builder, ch.epfl.dedis.lib.proto.Personhood.RoPaSciOrBuilder> newropasciBuilder_;
       /**
        * optional .personhood.RoPaSci newropasci = 1;
        */
       public boolean hasNewropasci() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * optional .personhood.RoPaSci newropasci = 1;
@@ -3078,7 +3072,7 @@ public Builder setNewropasci(
        */
       public Builder mergeNewropasci(ch.epfl.dedis.lib.proto.Personhood.RoPaSci value) {
         if (newropasciBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               newropasci_ != null &&
               newropasci_ != ch.epfl.dedis.lib.proto.Personhood.RoPaSci.getDefaultInstance()) {
             newropasci_ =
@@ -3147,7 +3141,7 @@ public ch.epfl.dedis.lib.proto.Personhood.RoPaSciOrBuilder getNewropasciOrBuilde
        * optional bool wipe = 2;
        */
       public boolean hasWipe() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * optional bool wipe = 2;
@@ -3300,7 +3294,7 @@ private RoPaSciListResponse(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 ropascis_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -3323,7 +3317,7 @@ private RoPaSciListResponse(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           ropascis_ = java.util.Collections.unmodifiableList(ropascis_);
         }
         this.unknownFields = unknownFields.build();
@@ -3429,11 +3423,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.RoPaSciListResponse other = (ch.epfl.dedis.lib.proto.Personhood.RoPaSciListResponse) obj;
 
-      boolean result = true;
-      result = result && getRopascisList()
-          .equals(other.getRopascisList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getRopascisList()
+          .equals(other.getRopascisList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -3620,7 +3613,7 @@ public ch.epfl.dedis.lib.proto.Personhood.RoPaSciListResponse buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.RoPaSciListResponse result = new ch.epfl.dedis.lib.proto.Personhood.RoPaSciListResponse(this);
         int from_bitField0_ = bitField0_;
         if (ropascisBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             ropascis_ = java.util.Collections.unmodifiableList(ropascis_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -3634,35 +3627,35 @@ public ch.epfl.dedis.lib.proto.Personhood.RoPaSciListResponse buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -3740,7 +3733,7 @@ public Builder mergeFrom(
       private java.util.List ropascis_ =
         java.util.Collections.emptyList();
       private void ensureRopascisIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           ropascis_ = new java.util.ArrayList(ropascis_);
           bitField0_ |= 0x00000001;
          }
@@ -3969,7 +3962,7 @@ public ch.epfl.dedis.lib.proto.Personhood.RoPaSci.Builder addRopascisBuilder(
           ropascisBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.Personhood.RoPaSci, ch.epfl.dedis.lib.proto.Personhood.RoPaSci.Builder, ch.epfl.dedis.lib.proto.Personhood.RoPaSciOrBuilder>(
                   ropascis_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           ropascis_ = null;
@@ -4145,7 +4138,7 @@ private RoPaSci(
      * required bytes byzcoinid = 1;
      */
     public boolean hasByzcoinid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes byzcoinid = 1;
@@ -4160,7 +4153,7 @@ public com.google.protobuf.ByteString getByzcoinid() {
      * required bytes ropasciid = 2;
      */
     public boolean hasRopasciid() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes ropasciid = 2;
@@ -4191,10 +4184,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, ropasciid_);
       }
       unknownFields.writeTo(output);
@@ -4206,11 +4199,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, ropasciid_);
       }
@@ -4229,19 +4222,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.RoPaSci other = (ch.epfl.dedis.lib.proto.Personhood.RoPaSci) obj;
 
-      boolean result = true;
-      result = result && (hasByzcoinid() == other.hasByzcoinid());
+      if (hasByzcoinid() != other.hasByzcoinid()) return false;
       if (hasByzcoinid()) {
-        result = result && getByzcoinid()
-            .equals(other.getByzcoinid());
+        if (!getByzcoinid()
+            .equals(other.getByzcoinid())) return false;
       }
-      result = result && (hasRopasciid() == other.hasRopasciid());
+      if (hasRopasciid() != other.hasRopasciid()) return false;
       if (hasRopasciid()) {
-        result = result && getRopasciid()
-            .equals(other.getRopasciid());
+        if (!getRopasciid()
+            .equals(other.getRopasciid())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -4428,11 +4420,11 @@ public ch.epfl.dedis.lib.proto.Personhood.RoPaSci buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.RoPaSci result = new ch.epfl.dedis.lib.proto.Personhood.RoPaSci(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.byzcoinid_ = byzcoinid_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.ropasciid_ = ropasciid_;
@@ -4443,35 +4435,35 @@ public ch.epfl.dedis.lib.proto.Personhood.RoPaSci buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -4532,7 +4524,7 @@ public Builder mergeFrom(
        * required bytes byzcoinid = 1;
        */
       public boolean hasByzcoinid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes byzcoinid = 1;
@@ -4567,7 +4559,7 @@ public Builder clearByzcoinid() {
        * required bytes ropasciid = 2;
        */
       public boolean hasRopasciid() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes ropasciid = 2;
@@ -4757,7 +4749,7 @@ private StringReply(
      * required string reply = 1;
      */
     public boolean hasReply() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required string reply = 1;
@@ -4811,7 +4803,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 1, reply_);
       }
       unknownFields.writeTo(output);
@@ -4823,7 +4815,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, reply_);
       }
       size += unknownFields.getSerializedSize();
@@ -4841,14 +4833,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.StringReply other = (ch.epfl.dedis.lib.proto.Personhood.StringReply) obj;
 
-      boolean result = true;
-      result = result && (hasReply() == other.hasReply());
+      if (hasReply() != other.hasReply()) return false;
       if (hasReply()) {
-        result = result && getReply()
-            .equals(other.getReply());
+        if (!getReply()
+            .equals(other.getReply())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -5030,7 +5021,7 @@ public ch.epfl.dedis.lib.proto.Personhood.StringReply buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.StringReply result = new ch.epfl.dedis.lib.proto.Personhood.StringReply(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.reply_ = reply_;
@@ -5041,35 +5032,35 @@ public ch.epfl.dedis.lib.proto.Personhood.StringReply buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -5126,7 +5117,7 @@ public Builder mergeFrom(
        * required string reply = 1;
        */
       public boolean hasReply() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required string reply = 1;
@@ -5335,8 +5326,6 @@ private RoPaSciStruct(com.google.protobuf.GeneratedMessageV3.Builder builder)
     private RoPaSciStruct() {
       description_ = "";
       firstplayerhash_ = com.google.protobuf.ByteString.EMPTY;
-      firstplayer_ = 0;
-      secondplayer_ = 0;
       secondplayeraccount_ = com.google.protobuf.ByteString.EMPTY;
     }
 
@@ -5372,7 +5361,7 @@ private RoPaSciStruct(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = stake_.toBuilder();
               }
               stake_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.parser(), extensionRegistry);
@@ -5442,7 +5431,7 @@ private RoPaSciStruct(
      * required string description = 1;
      */
     public boolean hasDescription() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required string description = 1;
@@ -5484,7 +5473,7 @@ public java.lang.String getDescription() {
      * required .byzcoin.Coin stake = 2;
      */
     public boolean hasStake() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required .byzcoin.Coin stake = 2;
@@ -5505,7 +5494,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder getStakeOrBuilder() {
      * required bytes firstplayerhash = 3;
      */
     public boolean hasFirstplayerhash() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * required bytes firstplayerhash = 3;
@@ -5520,7 +5509,7 @@ public com.google.protobuf.ByteString getFirstplayerhash() {
      * optional sint32 firstplayer = 4;
      */
     public boolean hasFirstplayer() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * optional sint32 firstplayer = 4;
@@ -5535,7 +5524,7 @@ public int getFirstplayer() {
      * optional sint32 secondplayer = 5;
      */
     public boolean hasSecondplayer() {
-      return ((bitField0_ & 0x00000010) == 0x00000010);
+      return ((bitField0_ & 0x00000010) != 0);
     }
     /**
      * optional sint32 secondplayer = 5;
@@ -5550,7 +5539,7 @@ public int getSecondplayer() {
      * optional bytes secondplayeraccount = 6;
      */
     public boolean hasSecondplayeraccount() {
-      return ((bitField0_ & 0x00000020) == 0x00000020);
+      return ((bitField0_ & 0x00000020) != 0);
     }
     /**
      * optional bytes secondplayeraccount = 6;
@@ -5589,22 +5578,22 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 1, description_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getStake());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeBytes(3, firstplayerhash_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeSInt32(4, firstplayer_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         output.writeSInt32(5, secondplayer_);
       }
-      if (((bitField0_ & 0x00000020) == 0x00000020)) {
+      if (((bitField0_ & 0x00000020) != 0)) {
         output.writeBytes(6, secondplayeraccount_);
       }
       unknownFields.writeTo(output);
@@ -5616,26 +5605,26 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, description_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getStake());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, firstplayerhash_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(4, firstplayer_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(5, secondplayer_);
       }
-      if (((bitField0_ & 0x00000020) == 0x00000020)) {
+      if (((bitField0_ & 0x00000020) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(6, secondplayeraccount_);
       }
@@ -5654,39 +5643,38 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.RoPaSciStruct other = (ch.epfl.dedis.lib.proto.Personhood.RoPaSciStruct) obj;
 
-      boolean result = true;
-      result = result && (hasDescription() == other.hasDescription());
+      if (hasDescription() != other.hasDescription()) return false;
       if (hasDescription()) {
-        result = result && getDescription()
-            .equals(other.getDescription());
+        if (!getDescription()
+            .equals(other.getDescription())) return false;
       }
-      result = result && (hasStake() == other.hasStake());
+      if (hasStake() != other.hasStake()) return false;
       if (hasStake()) {
-        result = result && getStake()
-            .equals(other.getStake());
+        if (!getStake()
+            .equals(other.getStake())) return false;
       }
-      result = result && (hasFirstplayerhash() == other.hasFirstplayerhash());
+      if (hasFirstplayerhash() != other.hasFirstplayerhash()) return false;
       if (hasFirstplayerhash()) {
-        result = result && getFirstplayerhash()
-            .equals(other.getFirstplayerhash());
+        if (!getFirstplayerhash()
+            .equals(other.getFirstplayerhash())) return false;
       }
-      result = result && (hasFirstplayer() == other.hasFirstplayer());
+      if (hasFirstplayer() != other.hasFirstplayer()) return false;
       if (hasFirstplayer()) {
-        result = result && (getFirstplayer()
-            == other.getFirstplayer());
+        if (getFirstplayer()
+            != other.getFirstplayer()) return false;
       }
-      result = result && (hasSecondplayer() == other.hasSecondplayer());
+      if (hasSecondplayer() != other.hasSecondplayer()) return false;
       if (hasSecondplayer()) {
-        result = result && (getSecondplayer()
-            == other.getSecondplayer());
+        if (getSecondplayer()
+            != other.getSecondplayer()) return false;
       }
-      result = result && (hasSecondplayeraccount() == other.hasSecondplayeraccount());
+      if (hasSecondplayeraccount() != other.hasSecondplayeraccount()) return false;
       if (hasSecondplayeraccount()) {
-        result = result && getSecondplayeraccount()
-            .equals(other.getSecondplayeraccount());
+        if (!getSecondplayeraccount()
+            .equals(other.getSecondplayeraccount())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -5902,31 +5890,31 @@ public ch.epfl.dedis.lib.proto.Personhood.RoPaSciStruct buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.RoPaSciStruct result = new ch.epfl.dedis.lib.proto.Personhood.RoPaSciStruct(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.description_ = description_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (stakeBuilder_ == null) {
+            result.stake_ = stake_;
+          } else {
+            result.stake_ = stakeBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (stakeBuilder_ == null) {
-          result.stake_ = stake_;
-        } else {
-          result.stake_ = stakeBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.firstplayerhash_ = firstplayerhash_;
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
+          result.firstplayer_ = firstplayer_;
           to_bitField0_ |= 0x00000008;
         }
-        result.firstplayer_ = firstplayer_;
-        if (((from_bitField0_ & 0x00000010) == 0x00000010)) {
+        if (((from_bitField0_ & 0x00000010) != 0)) {
+          result.secondplayer_ = secondplayer_;
           to_bitField0_ |= 0x00000010;
         }
-        result.secondplayer_ = secondplayer_;
-        if (((from_bitField0_ & 0x00000020) == 0x00000020)) {
+        if (((from_bitField0_ & 0x00000020) != 0)) {
           to_bitField0_ |= 0x00000020;
         }
         result.secondplayeraccount_ = secondplayeraccount_;
@@ -5937,35 +5925,35 @@ public ch.epfl.dedis.lib.proto.Personhood.RoPaSciStruct buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -6046,7 +6034,7 @@ public Builder mergeFrom(
        * required string description = 1;
        */
       public boolean hasDescription() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required string description = 1;
@@ -6117,14 +6105,14 @@ public Builder setDescriptionBytes(
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.Coin stake_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.Coin stake_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.Coin, ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder> stakeBuilder_;
       /**
        * required .byzcoin.Coin stake = 2;
        */
       public boolean hasStake() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required .byzcoin.Coin stake = 2;
@@ -6171,7 +6159,7 @@ public Builder setStake(
        */
       public Builder mergeStake(ch.epfl.dedis.lib.proto.ByzCoinProto.Coin value) {
         if (stakeBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               stake_ != null &&
               stake_ != ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.getDefaultInstance()) {
             stake_ =
@@ -6240,7 +6228,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder getStakeOrBuilder() {
        * required bytes firstplayerhash = 3;
        */
       public boolean hasFirstplayerhash() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required bytes firstplayerhash = 3;
@@ -6275,7 +6263,7 @@ public Builder clearFirstplayerhash() {
        * optional sint32 firstplayer = 4;
        */
       public boolean hasFirstplayer() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * optional sint32 firstplayer = 4;
@@ -6307,7 +6295,7 @@ public Builder clearFirstplayer() {
        * optional sint32 secondplayer = 5;
        */
       public boolean hasSecondplayer() {
-        return ((bitField0_ & 0x00000010) == 0x00000010);
+        return ((bitField0_ & 0x00000010) != 0);
       }
       /**
        * optional sint32 secondplayer = 5;
@@ -6339,7 +6327,7 @@ public Builder clearSecondplayer() {
        * optional bytes secondplayeraccount = 6;
        */
       public boolean hasSecondplayeraccount() {
-        return ((bitField0_ & 0x00000020) == 0x00000020);
+        return ((bitField0_ & 0x00000020) != 0);
       }
       /**
        * optional bytes secondplayeraccount = 6;
@@ -6494,7 +6482,7 @@ private CredentialStruct(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 credentials_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -6517,7 +6505,7 @@ private CredentialStruct(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           credentials_ = java.util.Collections.unmodifiableList(credentials_);
         }
         this.unknownFields = unknownFields.build();
@@ -6623,11 +6611,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.CredentialStruct other = (ch.epfl.dedis.lib.proto.Personhood.CredentialStruct) obj;
 
-      boolean result = true;
-      result = result && getCredentialsList()
-          .equals(other.getCredentialsList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getCredentialsList()
+          .equals(other.getCredentialsList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -6813,7 +6800,7 @@ public ch.epfl.dedis.lib.proto.Personhood.CredentialStruct buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.CredentialStruct result = new ch.epfl.dedis.lib.proto.Personhood.CredentialStruct(this);
         int from_bitField0_ = bitField0_;
         if (credentialsBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             credentials_ = java.util.Collections.unmodifiableList(credentials_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -6827,35 +6814,35 @@ public ch.epfl.dedis.lib.proto.Personhood.CredentialStruct buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -6933,7 +6920,7 @@ public Builder mergeFrom(
       private java.util.List credentials_ =
         java.util.Collections.emptyList();
       private void ensureCredentialsIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           credentials_ = new java.util.ArrayList(credentials_);
           bitField0_ |= 0x00000001;
          }
@@ -7162,7 +7149,7 @@ public ch.epfl.dedis.lib.proto.Personhood.Credential.Builder addCredentialsBuild
           credentialsBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.Personhood.Credential, ch.epfl.dedis.lib.proto.Personhood.Credential.Builder, ch.epfl.dedis.lib.proto.Personhood.CredentialOrBuilder>(
                   credentials_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           credentials_ = null;
@@ -7316,7 +7303,7 @@ private Credential(
               break;
             }
             case 18: {
-              if (!((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
+              if (!((mutable_bitField0_ & 0x00000002) != 0)) {
                 attributes_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000002;
               }
@@ -7339,7 +7326,7 @@ private Credential(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((mutable_bitField0_ & 0x00000002) != 0)) {
           attributes_ = java.util.Collections.unmodifiableList(attributes_);
         }
         this.unknownFields = unknownFields.build();
@@ -7366,7 +7353,7 @@ private Credential(
      * required string name = 1;
      */
     public boolean hasName() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required string name = 1;
@@ -7461,7 +7448,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 1, name_);
       }
       for (int i = 0; i < attributes_.size(); i++) {
@@ -7476,7 +7463,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, name_);
       }
       for (int i = 0; i < attributes_.size(); i++) {
@@ -7498,16 +7485,15 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.Credential other = (ch.epfl.dedis.lib.proto.Personhood.Credential) obj;
 
-      boolean result = true;
-      result = result && (hasName() == other.hasName());
+      if (hasName() != other.hasName()) return false;
       if (hasName()) {
-        result = result && getName()
-            .equals(other.getName());
+        if (!getName()
+            .equals(other.getName())) return false;
       }
-      result = result && getAttributesList()
-          .equals(other.getAttributesList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getAttributesList()
+          .equals(other.getAttributesList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -7699,12 +7685,12 @@ public ch.epfl.dedis.lib.proto.Personhood.Credential buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.Credential result = new ch.epfl.dedis.lib.proto.Personhood.Credential(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.name_ = name_;
         if (attributesBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002)) {
+          if (((bitField0_ & 0x00000002) != 0)) {
             attributes_ = java.util.Collections.unmodifiableList(attributes_);
             bitField0_ = (bitField0_ & ~0x00000002);
           }
@@ -7719,35 +7705,35 @@ public ch.epfl.dedis.lib.proto.Personhood.Credential buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -7835,7 +7821,7 @@ public Builder mergeFrom(
        * required string name = 1;
        */
       public boolean hasName() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required string name = 1;
@@ -7909,7 +7895,7 @@ public Builder setNameBytes(
       private java.util.List attributes_ =
         java.util.Collections.emptyList();
       private void ensureAttributesIsMutable() {
-        if (!((bitField0_ & 0x00000002) == 0x00000002)) {
+        if (!((bitField0_ & 0x00000002) != 0)) {
           attributes_ = new java.util.ArrayList(attributes_);
           bitField0_ |= 0x00000002;
          }
@@ -8138,7 +8124,7 @@ public ch.epfl.dedis.lib.proto.Personhood.Attribute.Builder addAttributesBuilder
           attributesBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.Personhood.Attribute, ch.epfl.dedis.lib.proto.Personhood.Attribute.Builder, ch.epfl.dedis.lib.proto.Personhood.AttributeOrBuilder>(
                   attributes_,
-                  ((bitField0_ & 0x00000002) == 0x00000002),
+                  ((bitField0_ & 0x00000002) != 0),
                   getParentForChildren(),
                   isClean());
           attributes_ = null;
@@ -8320,7 +8306,7 @@ private Attribute(
      * required string name = 1;
      */
     public boolean hasName() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required string name = 1;
@@ -8362,7 +8348,7 @@ public java.lang.String getName() {
      * required bytes value = 2;
      */
     public boolean hasValue() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes value = 2;
@@ -8393,10 +8379,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 1, name_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, value_);
       }
       unknownFields.writeTo(output);
@@ -8408,10 +8394,10 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, name_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, value_);
       }
@@ -8430,19 +8416,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.Attribute other = (ch.epfl.dedis.lib.proto.Personhood.Attribute) obj;
 
-      boolean result = true;
-      result = result && (hasName() == other.hasName());
+      if (hasName() != other.hasName()) return false;
       if (hasName()) {
-        result = result && getName()
-            .equals(other.getName());
+        if (!getName()
+            .equals(other.getName())) return false;
       }
-      result = result && (hasValue() == other.hasValue());
+      if (hasValue() != other.hasValue()) return false;
       if (hasValue()) {
-        result = result && getValue()
-            .equals(other.getValue());
+        if (!getValue()
+            .equals(other.getValue())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -8629,11 +8614,11 @@ public ch.epfl.dedis.lib.proto.Personhood.Attribute buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.Attribute result = new ch.epfl.dedis.lib.proto.Personhood.Attribute(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.name_ = name_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.value_ = value_;
@@ -8644,35 +8629,35 @@ public ch.epfl.dedis.lib.proto.Personhood.Attribute buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -8735,7 +8720,7 @@ public Builder mergeFrom(
        * required string name = 1;
        */
       public boolean hasName() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required string name = 1;
@@ -8811,7 +8796,7 @@ public Builder setNameBytes(
        * required bytes value = 2;
        */
       public boolean hasValue() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes value = 2;
@@ -9018,7 +9003,7 @@ private SpawnerStruct(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = costdarc_.toBuilder();
               }
               costdarc_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.parser(), extensionRegistry);
@@ -9031,7 +9016,7 @@ private SpawnerStruct(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = costcoin_.toBuilder();
               }
               costcoin_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.parser(), extensionRegistry);
@@ -9044,7 +9029,7 @@ private SpawnerStruct(
             }
             case 26: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000004) == 0x00000004)) {
+              if (((bitField0_ & 0x00000004) != 0)) {
                 subBuilder = costcredential_.toBuilder();
               }
               costcredential_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.parser(), extensionRegistry);
@@ -9057,7 +9042,7 @@ private SpawnerStruct(
             }
             case 34: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000008) == 0x00000008)) {
+              if (((bitField0_ & 0x00000008) != 0)) {
                 subBuilder = costparty_.toBuilder();
               }
               costparty_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.parser(), extensionRegistry);
@@ -9075,7 +9060,7 @@ private SpawnerStruct(
             }
             case 50: {
               ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000020) == 0x00000020)) {
+              if (((bitField0_ & 0x00000020) != 0)) {
                 subBuilder = costropasci_.toBuilder();
               }
               costropasci_ = input.readMessage(ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.parser(), extensionRegistry);
@@ -9125,7 +9110,7 @@ private SpawnerStruct(
      * required .byzcoin.Coin costdarc = 1;
      */
     public boolean hasCostdarc() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required .byzcoin.Coin costdarc = 1;
@@ -9146,7 +9131,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder getCostdarcOrBuilder()
      * required .byzcoin.Coin costcoin = 2;
      */
     public boolean hasCostcoin() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required .byzcoin.Coin costcoin = 2;
@@ -9167,7 +9152,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder getCostcoinOrBuilder()
      * required .byzcoin.Coin costcredential = 3;
      */
     public boolean hasCostcredential() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * required .byzcoin.Coin costcredential = 3;
@@ -9188,7 +9173,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder getCostcredentialOrBui
      * required .byzcoin.Coin costparty = 4;
      */
     public boolean hasCostparty() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * required .byzcoin.Coin costparty = 4;
@@ -9209,7 +9194,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder getCostpartyOrBuilder(
      * required bytes beneficiary = 5;
      */
     public boolean hasBeneficiary() {
-      return ((bitField0_ & 0x00000010) == 0x00000010);
+      return ((bitField0_ & 0x00000010) != 0);
     }
     /**
      * required bytes beneficiary = 5;
@@ -9224,7 +9209,7 @@ public com.google.protobuf.ByteString getBeneficiary() {
      * optional .byzcoin.Coin costropasci = 6;
      */
     public boolean hasCostropasci() {
-      return ((bitField0_ & 0x00000020) == 0x00000020);
+      return ((bitField0_ & 0x00000020) != 0);
     }
     /**
      * optional .byzcoin.Coin costropasci = 6;
@@ -9295,22 +9280,22 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getCostdarc());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getCostcoin());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeMessage(3, getCostcredential());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeMessage(4, getCostparty());
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         output.writeBytes(5, beneficiary_);
       }
-      if (((bitField0_ & 0x00000020) == 0x00000020)) {
+      if (((bitField0_ & 0x00000020) != 0)) {
         output.writeMessage(6, getCostropasci());
       }
       unknownFields.writeTo(output);
@@ -9322,27 +9307,27 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getCostdarc());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getCostcoin());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(3, getCostcredential());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(4, getCostparty());
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(5, beneficiary_);
       }
-      if (((bitField0_ & 0x00000020) == 0x00000020)) {
+      if (((bitField0_ & 0x00000020) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(6, getCostropasci());
       }
@@ -9361,39 +9346,38 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.SpawnerStruct other = (ch.epfl.dedis.lib.proto.Personhood.SpawnerStruct) obj;
 
-      boolean result = true;
-      result = result && (hasCostdarc() == other.hasCostdarc());
+      if (hasCostdarc() != other.hasCostdarc()) return false;
       if (hasCostdarc()) {
-        result = result && getCostdarc()
-            .equals(other.getCostdarc());
+        if (!getCostdarc()
+            .equals(other.getCostdarc())) return false;
       }
-      result = result && (hasCostcoin() == other.hasCostcoin());
+      if (hasCostcoin() != other.hasCostcoin()) return false;
       if (hasCostcoin()) {
-        result = result && getCostcoin()
-            .equals(other.getCostcoin());
+        if (!getCostcoin()
+            .equals(other.getCostcoin())) return false;
       }
-      result = result && (hasCostcredential() == other.hasCostcredential());
+      if (hasCostcredential() != other.hasCostcredential()) return false;
       if (hasCostcredential()) {
-        result = result && getCostcredential()
-            .equals(other.getCostcredential());
+        if (!getCostcredential()
+            .equals(other.getCostcredential())) return false;
       }
-      result = result && (hasCostparty() == other.hasCostparty());
+      if (hasCostparty() != other.hasCostparty()) return false;
       if (hasCostparty()) {
-        result = result && getCostparty()
-            .equals(other.getCostparty());
+        if (!getCostparty()
+            .equals(other.getCostparty())) return false;
       }
-      result = result && (hasBeneficiary() == other.hasBeneficiary());
+      if (hasBeneficiary() != other.hasBeneficiary()) return false;
       if (hasBeneficiary()) {
-        result = result && getBeneficiary()
-            .equals(other.getBeneficiary());
+        if (!getBeneficiary()
+            .equals(other.getBeneficiary())) return false;
       }
-      result = result && (hasCostropasci() == other.hasCostropasci());
+      if (hasCostropasci() != other.hasCostropasci()) return false;
       if (hasCostropasci()) {
-        result = result && getCostropasci()
-            .equals(other.getCostropasci());
+        if (!getCostropasci()
+            .equals(other.getCostropasci())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -9630,50 +9614,50 @@ public ch.epfl.dedis.lib.proto.Personhood.SpawnerStruct buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.SpawnerStruct result = new ch.epfl.dedis.lib.proto.Personhood.SpawnerStruct(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (costdarcBuilder_ == null) {
+            result.costdarc_ = costdarc_;
+          } else {
+            result.costdarc_ = costdarcBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (costdarcBuilder_ == null) {
-          result.costdarc_ = costdarc_;
-        } else {
-          result.costdarc_ = costdarcBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (costcoinBuilder_ == null) {
+            result.costcoin_ = costcoin_;
+          } else {
+            result.costcoin_ = costcoinBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (costcoinBuilder_ == null) {
-          result.costcoin_ = costcoin_;
-        } else {
-          result.costcoin_ = costcoinBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          if (costcredentialBuilder_ == null) {
+            result.costcredential_ = costcredential_;
+          } else {
+            result.costcredential_ = costcredentialBuilder_.build();
+          }
           to_bitField0_ |= 0x00000004;
         }
-        if (costcredentialBuilder_ == null) {
-          result.costcredential_ = costcredential_;
-        } else {
-          result.costcredential_ = costcredentialBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
+          if (costpartyBuilder_ == null) {
+            result.costparty_ = costparty_;
+          } else {
+            result.costparty_ = costpartyBuilder_.build();
+          }
           to_bitField0_ |= 0x00000008;
         }
-        if (costpartyBuilder_ == null) {
-          result.costparty_ = costparty_;
-        } else {
-          result.costparty_ = costpartyBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000010) == 0x00000010)) {
+        if (((from_bitField0_ & 0x00000010) != 0)) {
           to_bitField0_ |= 0x00000010;
         }
         result.beneficiary_ = beneficiary_;
-        if (((from_bitField0_ & 0x00000020) == 0x00000020)) {
+        if (((from_bitField0_ & 0x00000020) != 0)) {
+          if (costropasciBuilder_ == null) {
+            result.costropasci_ = costropasci_;
+          } else {
+            result.costropasci_ = costropasciBuilder_.build();
+          }
           to_bitField0_ |= 0x00000020;
         }
-        if (costropasciBuilder_ == null) {
-          result.costropasci_ = costropasci_;
-        } else {
-          result.costropasci_ = costropasciBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -9681,35 +9665,35 @@ public ch.epfl.dedis.lib.proto.Personhood.SpawnerStruct buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -9803,14 +9787,14 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.Coin costdarc_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.Coin costdarc_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.Coin, ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder> costdarcBuilder_;
       /**
        * required .byzcoin.Coin costdarc = 1;
        */
       public boolean hasCostdarc() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required .byzcoin.Coin costdarc = 1;
@@ -9857,7 +9841,7 @@ public Builder setCostdarc(
        */
       public Builder mergeCostdarc(ch.epfl.dedis.lib.proto.ByzCoinProto.Coin value) {
         if (costdarcBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               costdarc_ != null &&
               costdarc_ != ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.getDefaultInstance()) {
             costdarc_ =
@@ -9921,14 +9905,14 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder getCostdarcOrBuilder()
         return costdarcBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.Coin costcoin_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.Coin costcoin_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.Coin, ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder> costcoinBuilder_;
       /**
        * required .byzcoin.Coin costcoin = 2;
        */
       public boolean hasCostcoin() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required .byzcoin.Coin costcoin = 2;
@@ -9975,7 +9959,7 @@ public Builder setCostcoin(
        */
       public Builder mergeCostcoin(ch.epfl.dedis.lib.proto.ByzCoinProto.Coin value) {
         if (costcoinBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               costcoin_ != null &&
               costcoin_ != ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.getDefaultInstance()) {
             costcoin_ =
@@ -10039,14 +10023,14 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder getCostcoinOrBuilder()
         return costcoinBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.Coin costcredential_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.Coin costcredential_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.Coin, ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder> costcredentialBuilder_;
       /**
        * required .byzcoin.Coin costcredential = 3;
        */
       public boolean hasCostcredential() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required .byzcoin.Coin costcredential = 3;
@@ -10093,7 +10077,7 @@ public Builder setCostcredential(
        */
       public Builder mergeCostcredential(ch.epfl.dedis.lib.proto.ByzCoinProto.Coin value) {
         if (costcredentialBuilder_ == null) {
-          if (((bitField0_ & 0x00000004) == 0x00000004) &&
+          if (((bitField0_ & 0x00000004) != 0) &&
               costcredential_ != null &&
               costcredential_ != ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.getDefaultInstance()) {
             costcredential_ =
@@ -10157,14 +10141,14 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder getCostcredentialOrBui
         return costcredentialBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.Coin costparty_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.Coin costparty_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.Coin, ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder> costpartyBuilder_;
       /**
        * required .byzcoin.Coin costparty = 4;
        */
       public boolean hasCostparty() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * required .byzcoin.Coin costparty = 4;
@@ -10211,7 +10195,7 @@ public Builder setCostparty(
        */
       public Builder mergeCostparty(ch.epfl.dedis.lib.proto.ByzCoinProto.Coin value) {
         if (costpartyBuilder_ == null) {
-          if (((bitField0_ & 0x00000008) == 0x00000008) &&
+          if (((bitField0_ & 0x00000008) != 0) &&
               costparty_ != null &&
               costparty_ != ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.getDefaultInstance()) {
             costparty_ =
@@ -10280,7 +10264,7 @@ public ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder getCostpartyOrBuilder(
        * required bytes beneficiary = 5;
        */
       public boolean hasBeneficiary() {
-        return ((bitField0_ & 0x00000010) == 0x00000010);
+        return ((bitField0_ & 0x00000010) != 0);
       }
       /**
        * required bytes beneficiary = 5;
@@ -10310,14 +10294,14 @@ public Builder clearBeneficiary() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.ByzCoinProto.Coin costropasci_ = null;
+      private ch.epfl.dedis.lib.proto.ByzCoinProto.Coin costropasci_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.ByzCoinProto.Coin, ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.Builder, ch.epfl.dedis.lib.proto.ByzCoinProto.CoinOrBuilder> costropasciBuilder_;
       /**
        * optional .byzcoin.Coin costropasci = 6;
        */
       public boolean hasCostropasci() {
-        return ((bitField0_ & 0x00000020) == 0x00000020);
+        return ((bitField0_ & 0x00000020) != 0);
       }
       /**
        * optional .byzcoin.Coin costropasci = 6;
@@ -10364,7 +10348,7 @@ public Builder setCostropasci(
        */
       public Builder mergeCostropasci(ch.epfl.dedis.lib.proto.ByzCoinProto.Coin value) {
         if (costropasciBuilder_ == null) {
-          if (((bitField0_ & 0x00000020) == 0x00000020) &&
+          if (((bitField0_ & 0x00000020) != 0) &&
               costropasci_ != null &&
               costropasci_ != ch.epfl.dedis.lib.proto.ByzCoinProto.Coin.getDefaultInstance()) {
             costropasci_ =
@@ -10737,11 +10721,8 @@ private PopPartyStruct(com.google.protobuf.GeneratedMessageV3.Builder builder
       super(builder);
     }
     private PopPartyStruct() {
-      state_ = 0;
-      organizers_ = 0;
       finalizations_ = com.google.protobuf.LazyStringArrayList.EMPTY;
       miners_ = java.util.Collections.emptyList();
-      miningreward_ = 0L;
       previous_ = com.google.protobuf.ByteString.EMPTY;
       next_ = com.google.protobuf.ByteString.EMPTY;
     }
@@ -10782,7 +10763,7 @@ private PopPartyStruct(
             }
             case 26: {
               com.google.protobuf.ByteString bs = input.readBytes();
-              if (!((mutable_bitField0_ & 0x00000004) == 0x00000004)) {
+              if (!((mutable_bitField0_ & 0x00000004) != 0)) {
                 finalizations_ = new com.google.protobuf.LazyStringArrayList();
                 mutable_bitField0_ |= 0x00000004;
               }
@@ -10791,7 +10772,7 @@ private PopPartyStruct(
             }
             case 34: {
               ch.epfl.dedis.lib.proto.Personhood.PopDesc.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000004) == 0x00000004)) {
+              if (((bitField0_ & 0x00000004) != 0)) {
                 subBuilder = description_.toBuilder();
               }
               description_ = input.readMessage(ch.epfl.dedis.lib.proto.Personhood.PopDesc.parser(), extensionRegistry);
@@ -10804,7 +10785,7 @@ private PopPartyStruct(
             }
             case 42: {
               ch.epfl.dedis.lib.proto.Personhood.Attendees.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000008) == 0x00000008)) {
+              if (((bitField0_ & 0x00000008) != 0)) {
                 subBuilder = attendees_.toBuilder();
               }
               attendees_ = input.readMessage(ch.epfl.dedis.lib.proto.Personhood.Attendees.parser(), extensionRegistry);
@@ -10816,7 +10797,7 @@ private PopPartyStruct(
               break;
             }
             case 50: {
-              if (!((mutable_bitField0_ & 0x00000020) == 0x00000020)) {
+              if (!((mutable_bitField0_ & 0x00000020) != 0)) {
                 miners_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000020;
               }
@@ -10854,10 +10835,10 @@ private PopPartyStruct(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((mutable_bitField0_ & 0x00000004) != 0)) {
           finalizations_ = finalizations_.getUnmodifiableView();
         }
-        if (((mutable_bitField0_ & 0x00000020) == 0x00000020)) {
+        if (((mutable_bitField0_ & 0x00000020) != 0)) {
           miners_ = java.util.Collections.unmodifiableList(miners_);
         }
         this.unknownFields = unknownFields.build();
@@ -10891,7 +10872,7 @@ private PopPartyStruct(
      * required sint32 state = 1;
      */
     public boolean hasState() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -10917,7 +10898,7 @@ public int getState() {
      * required sint32 organizers = 2;
      */
     public boolean hasOrganizers() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -10990,7 +10971,7 @@ public java.lang.String getFinalizations(int index) {
      * required .personhood.PopDesc description = 4;
      */
     public boolean hasDescription() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -11025,7 +11006,7 @@ public ch.epfl.dedis.lib.proto.Personhood.PopDescOrBuilder getDescriptionOrBuild
      * required .personhood.Attendees attendees = 5;
      */
     public boolean hasAttendees() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * 
@@ -11118,7 +11099,7 @@ public ch.epfl.dedis.lib.proto.Personhood.LRSTagOrBuilder getMinersOrBuilder(
      * required uint64 miningreward = 7;
      */
     public boolean hasMiningreward() {
-      return ((bitField0_ & 0x00000010) == 0x00000010);
+      return ((bitField0_ & 0x00000010) != 0);
     }
     /**
      * 
@@ -11142,7 +11123,7 @@ public long getMiningreward() {
      * optional bytes previous = 8;
      */
     public boolean hasPrevious() {
-      return ((bitField0_ & 0x00000020) == 0x00000020);
+      return ((bitField0_ & 0x00000020) != 0);
     }
     /**
      * 
@@ -11167,7 +11148,7 @@ public com.google.protobuf.ByteString getPrevious() {
      * optional bytes next = 9;
      */
     public boolean hasNext() {
-      return ((bitField0_ & 0x00000040) == 0x00000040);
+      return ((bitField0_ & 0x00000040) != 0);
     }
     /**
      * 
@@ -11225,31 +11206,31 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeSInt32(1, state_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeSInt32(2, organizers_);
       }
       for (int i = 0; i < finalizations_.size(); i++) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 3, finalizations_.getRaw(i));
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeMessage(4, getDescription());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeMessage(5, getAttendees());
       }
       for (int i = 0; i < miners_.size(); i++) {
         output.writeMessage(6, miners_.get(i));
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         output.writeUInt64(7, miningreward_);
       }
-      if (((bitField0_ & 0x00000020) == 0x00000020)) {
+      if (((bitField0_ & 0x00000020) != 0)) {
         output.writeBytes(8, previous_);
       }
-      if (((bitField0_ & 0x00000040) == 0x00000040)) {
+      if (((bitField0_ & 0x00000040) != 0)) {
         output.writeBytes(9, next_);
       }
       unknownFields.writeTo(output);
@@ -11261,11 +11242,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(1, state_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(2, organizers_);
       }
@@ -11277,11 +11258,11 @@ public int getSerializedSize() {
         size += dataSize;
         size += 1 * getFinalizationsList().size();
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(4, getDescription());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(5, getAttendees());
       }
@@ -11289,15 +11270,15 @@ public int getSerializedSize() {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(6, miners_.get(i));
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeUInt64Size(7, miningreward_);
       }
-      if (((bitField0_ & 0x00000020) == 0x00000020)) {
+      if (((bitField0_ & 0x00000020) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(8, previous_);
       }
-      if (((bitField0_ & 0x00000040) == 0x00000040)) {
+      if (((bitField0_ & 0x00000040) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(9, next_);
       }
@@ -11316,48 +11297,47 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.PopPartyStruct other = (ch.epfl.dedis.lib.proto.Personhood.PopPartyStruct) obj;
 
-      boolean result = true;
-      result = result && (hasState() == other.hasState());
+      if (hasState() != other.hasState()) return false;
       if (hasState()) {
-        result = result && (getState()
-            == other.getState());
+        if (getState()
+            != other.getState()) return false;
       }
-      result = result && (hasOrganizers() == other.hasOrganizers());
+      if (hasOrganizers() != other.hasOrganizers()) return false;
       if (hasOrganizers()) {
-        result = result && (getOrganizers()
-            == other.getOrganizers());
+        if (getOrganizers()
+            != other.getOrganizers()) return false;
       }
-      result = result && getFinalizationsList()
-          .equals(other.getFinalizationsList());
-      result = result && (hasDescription() == other.hasDescription());
+      if (!getFinalizationsList()
+          .equals(other.getFinalizationsList())) return false;
+      if (hasDescription() != other.hasDescription()) return false;
       if (hasDescription()) {
-        result = result && getDescription()
-            .equals(other.getDescription());
+        if (!getDescription()
+            .equals(other.getDescription())) return false;
       }
-      result = result && (hasAttendees() == other.hasAttendees());
+      if (hasAttendees() != other.hasAttendees()) return false;
       if (hasAttendees()) {
-        result = result && getAttendees()
-            .equals(other.getAttendees());
+        if (!getAttendees()
+            .equals(other.getAttendees())) return false;
       }
-      result = result && getMinersList()
-          .equals(other.getMinersList());
-      result = result && (hasMiningreward() == other.hasMiningreward());
+      if (!getMinersList()
+          .equals(other.getMinersList())) return false;
+      if (hasMiningreward() != other.hasMiningreward()) return false;
       if (hasMiningreward()) {
-        result = result && (getMiningreward()
-            == other.getMiningreward());
+        if (getMiningreward()
+            != other.getMiningreward()) return false;
       }
-      result = result && (hasPrevious() == other.hasPrevious());
+      if (hasPrevious() != other.hasPrevious()) return false;
       if (hasPrevious()) {
-        result = result && getPrevious()
-            .equals(other.getPrevious());
+        if (!getPrevious()
+            .equals(other.getPrevious())) return false;
       }
-      result = result && (hasNext() == other.hasNext());
+      if (hasNext() != other.hasNext()) return false;
       if (hasNext()) {
-        result = result && getNext()
-            .equals(other.getNext());
+        if (!getNext()
+            .equals(other.getNext())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -11602,37 +11582,37 @@ public ch.epfl.dedis.lib.proto.Personhood.PopPartyStruct buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.PopPartyStruct result = new ch.epfl.dedis.lib.proto.Personhood.PopPartyStruct(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.state_ = state_;
           to_bitField0_ |= 0x00000001;
         }
-        result.state_ = state_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          result.organizers_ = organizers_;
           to_bitField0_ |= 0x00000002;
         }
-        result.organizers_ = organizers_;
-        if (((bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((bitField0_ & 0x00000004) != 0)) {
           finalizations_ = finalizations_.getUnmodifiableView();
           bitField0_ = (bitField0_ & ~0x00000004);
         }
         result.finalizations_ = finalizations_;
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
+          if (descriptionBuilder_ == null) {
+            result.description_ = description_;
+          } else {
+            result.description_ = descriptionBuilder_.build();
+          }
           to_bitField0_ |= 0x00000004;
         }
-        if (descriptionBuilder_ == null) {
-          result.description_ = description_;
-        } else {
-          result.description_ = descriptionBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000010) == 0x00000010)) {
+        if (((from_bitField0_ & 0x00000010) != 0)) {
+          if (attendeesBuilder_ == null) {
+            result.attendees_ = attendees_;
+          } else {
+            result.attendees_ = attendeesBuilder_.build();
+          }
           to_bitField0_ |= 0x00000008;
         }
-        if (attendeesBuilder_ == null) {
-          result.attendees_ = attendees_;
-        } else {
-          result.attendees_ = attendeesBuilder_.build();
-        }
         if (minersBuilder_ == null) {
-          if (((bitField0_ & 0x00000020) == 0x00000020)) {
+          if (((bitField0_ & 0x00000020) != 0)) {
             miners_ = java.util.Collections.unmodifiableList(miners_);
             bitField0_ = (bitField0_ & ~0x00000020);
           }
@@ -11640,15 +11620,15 @@ public ch.epfl.dedis.lib.proto.Personhood.PopPartyStruct buildPartial() {
         } else {
           result.miners_ = minersBuilder_.build();
         }
-        if (((from_bitField0_ & 0x00000040) == 0x00000040)) {
+        if (((from_bitField0_ & 0x00000040) != 0)) {
+          result.miningreward_ = miningreward_;
           to_bitField0_ |= 0x00000010;
         }
-        result.miningreward_ = miningreward_;
-        if (((from_bitField0_ & 0x00000080) == 0x00000080)) {
+        if (((from_bitField0_ & 0x00000080) != 0)) {
           to_bitField0_ |= 0x00000020;
         }
         result.previous_ = previous_;
-        if (((from_bitField0_ & 0x00000100) == 0x00000100)) {
+        if (((from_bitField0_ & 0x00000100) != 0)) {
           to_bitField0_ |= 0x00000040;
         }
         result.next_ = next_;
@@ -11659,35 +11639,35 @@ public ch.epfl.dedis.lib.proto.Personhood.PopPartyStruct buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -11823,7 +11803,7 @@ public Builder mergeFrom(
        * required sint32 state = 1;
        */
       public boolean hasState() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -11880,7 +11860,7 @@ public Builder clearState() {
        * required sint32 organizers = 2;
        */
       public boolean hasOrganizers() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -11921,7 +11901,7 @@ public Builder clearOrganizers() {
 
       private com.google.protobuf.LazyStringList finalizations_ = com.google.protobuf.LazyStringArrayList.EMPTY;
       private void ensureFinalizationsIsMutable() {
-        if (!((bitField0_ & 0x00000004) == 0x00000004)) {
+        if (!((bitField0_ & 0x00000004) != 0)) {
           finalizations_ = new com.google.protobuf.LazyStringArrayList(finalizations_);
           bitField0_ |= 0x00000004;
          }
@@ -12057,7 +12037,7 @@ public Builder addFinalizationsBytes(
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.Personhood.PopDesc description_ = null;
+      private ch.epfl.dedis.lib.proto.Personhood.PopDesc description_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.Personhood.PopDesc, ch.epfl.dedis.lib.proto.Personhood.PopDesc.Builder, ch.epfl.dedis.lib.proto.Personhood.PopDescOrBuilder> descriptionBuilder_;
       /**
@@ -12069,7 +12049,7 @@ public Builder addFinalizationsBytes(
        * required .personhood.PopDesc description = 4;
        */
       public boolean hasDescription() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * 
@@ -12136,7 +12116,7 @@ public Builder setDescription(
        */
       public Builder mergeDescription(ch.epfl.dedis.lib.proto.Personhood.PopDesc value) {
         if (descriptionBuilder_ == null) {
-          if (((bitField0_ & 0x00000008) == 0x00000008) &&
+          if (((bitField0_ & 0x00000008) != 0) &&
               description_ != null &&
               description_ != ch.epfl.dedis.lib.proto.Personhood.PopDesc.getDefaultInstance()) {
             description_ =
@@ -12220,7 +12200,7 @@ public ch.epfl.dedis.lib.proto.Personhood.PopDescOrBuilder getDescriptionOrBuild
         return descriptionBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.Personhood.Attendees attendees_ = null;
+      private ch.epfl.dedis.lib.proto.Personhood.Attendees attendees_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.Personhood.Attendees, ch.epfl.dedis.lib.proto.Personhood.Attendees.Builder, ch.epfl.dedis.lib.proto.Personhood.AttendeesOrBuilder> attendeesBuilder_;
       /**
@@ -12231,7 +12211,7 @@ public ch.epfl.dedis.lib.proto.Personhood.PopDescOrBuilder getDescriptionOrBuild
        * required .personhood.Attendees attendees = 5;
        */
       public boolean hasAttendees() {
-        return ((bitField0_ & 0x00000010) == 0x00000010);
+        return ((bitField0_ & 0x00000010) != 0);
       }
       /**
        * 
@@ -12294,7 +12274,7 @@ public Builder setAttendees(
        */
       public Builder mergeAttendees(ch.epfl.dedis.lib.proto.Personhood.Attendees value) {
         if (attendeesBuilder_ == null) {
-          if (((bitField0_ & 0x00000010) == 0x00000010) &&
+          if (((bitField0_ & 0x00000010) != 0) &&
               attendees_ != null &&
               attendees_ != ch.epfl.dedis.lib.proto.Personhood.Attendees.getDefaultInstance()) {
             attendees_ =
@@ -12377,7 +12357,7 @@ public ch.epfl.dedis.lib.proto.Personhood.AttendeesOrBuilder getAttendeesOrBuild
       private java.util.List miners_ =
         java.util.Collections.emptyList();
       private void ensureMinersIsMutable() {
-        if (!((bitField0_ & 0x00000020) == 0x00000020)) {
+        if (!((bitField0_ & 0x00000020) != 0)) {
           miners_ = new java.util.ArrayList(miners_);
           bitField0_ |= 0x00000020;
          }
@@ -12696,7 +12676,7 @@ public ch.epfl.dedis.lib.proto.Personhood.LRSTag.Builder addMinersBuilder(
           minersBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.Personhood.LRSTag, ch.epfl.dedis.lib.proto.Personhood.LRSTag.Builder, ch.epfl.dedis.lib.proto.Personhood.LRSTagOrBuilder>(
                   miners_,
-                  ((bitField0_ & 0x00000020) == 0x00000020),
+                  ((bitField0_ & 0x00000020) != 0),
                   getParentForChildren(),
                   isClean());
           miners_ = null;
@@ -12713,7 +12693,7 @@ public ch.epfl.dedis.lib.proto.Personhood.LRSTag.Builder addMinersBuilder(
        * required uint64 miningreward = 7;
        */
       public boolean hasMiningreward() {
-        return ((bitField0_ & 0x00000040) == 0x00000040);
+        return ((bitField0_ & 0x00000040) != 0);
       }
       /**
        * 
@@ -12762,7 +12742,7 @@ public Builder clearMiningreward() {
        * optional bytes previous = 8;
        */
       public boolean hasPrevious() {
-        return ((bitField0_ & 0x00000080) == 0x00000080);
+        return ((bitField0_ & 0x00000080) != 0);
       }
       /**
        * 
@@ -12817,7 +12797,7 @@ public Builder clearPrevious() {
        * optional bytes next = 9;
        */
       public boolean hasNext() {
-        return ((bitField0_ & 0x00000100) == 0x00000100);
+        return ((bitField0_ & 0x00000100) != 0);
       }
       /**
        * 
@@ -13032,7 +13012,6 @@ private PopDesc(com.google.protobuf.GeneratedMessageV3.Builder builder) {
     private PopDesc() {
       name_ = "";
       purpose_ = "";
-      datetime_ = 0L;
       location_ = "";
     }
 
@@ -13126,7 +13105,7 @@ private PopDesc(
      * required string name = 1;
      */
     public boolean hasName() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -13180,7 +13159,7 @@ public java.lang.String getName() {
      * required string purpose = 2;
      */
     public boolean hasPurpose() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -13234,7 +13213,7 @@ public java.lang.String getPurpose() {
      * required uint64 datetime = 3;
      */
     public boolean hasDatetime() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * 
@@ -13257,7 +13236,7 @@ public long getDatetime() {
      * required string location = 4;
      */
     public boolean hasLocation() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * 
@@ -13331,16 +13310,16 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 1, name_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 2, purpose_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeUInt64(3, datetime_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 4, location_);
       }
       unknownFields.writeTo(output);
@@ -13352,17 +13331,17 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, name_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(2, purpose_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeUInt64Size(3, datetime_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(4, location_);
       }
       size += unknownFields.getSerializedSize();
@@ -13380,29 +13359,28 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.PopDesc other = (ch.epfl.dedis.lib.proto.Personhood.PopDesc) obj;
 
-      boolean result = true;
-      result = result && (hasName() == other.hasName());
+      if (hasName() != other.hasName()) return false;
       if (hasName()) {
-        result = result && getName()
-            .equals(other.getName());
+        if (!getName()
+            .equals(other.getName())) return false;
       }
-      result = result && (hasPurpose() == other.hasPurpose());
+      if (hasPurpose() != other.hasPurpose()) return false;
       if (hasPurpose()) {
-        result = result && getPurpose()
-            .equals(other.getPurpose());
+        if (!getPurpose()
+            .equals(other.getPurpose())) return false;
       }
-      result = result && (hasDatetime() == other.hasDatetime());
+      if (hasDatetime() != other.hasDatetime()) return false;
       if (hasDatetime()) {
-        result = result && (getDatetime()
-            == other.getDatetime());
+        if (getDatetime()
+            != other.getDatetime()) return false;
       }
-      result = result && (hasLocation() == other.hasLocation());
+      if (hasLocation() != other.hasLocation()) return false;
       if (hasLocation()) {
-        result = result && getLocation()
-            .equals(other.getLocation());
+        if (!getLocation()
+            .equals(other.getLocation())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -13602,19 +13580,19 @@ public ch.epfl.dedis.lib.proto.Personhood.PopDesc buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.PopDesc result = new ch.epfl.dedis.lib.proto.Personhood.PopDesc(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.name_ = name_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.purpose_ = purpose_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          result.datetime_ = datetime_;
           to_bitField0_ |= 0x00000004;
         }
-        result.datetime_ = datetime_;
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
           to_bitField0_ |= 0x00000008;
         }
         result.location_ = location_;
@@ -13625,35 +13603,35 @@ public ch.epfl.dedis.lib.proto.Personhood.PopDesc buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -13736,7 +13714,7 @@ public Builder mergeFrom(
        * required string name = 1;
        */
       public boolean hasName() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -13836,7 +13814,7 @@ public Builder setNameBytes(
        * required string purpose = 2;
        */
       public boolean hasPurpose() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -13936,7 +13914,7 @@ public Builder setPurposeBytes(
        * required uint64 datetime = 3;
        */
       public boolean hasDatetime() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * 
@@ -13984,7 +13962,7 @@ public Builder clearDatetime() {
        * required string location = 4;
        */
       public boolean hasLocation() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * 
@@ -14227,7 +14205,7 @@ private FinalStatement(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.Personhood.PopDesc.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = desc_.toBuilder();
               }
               desc_ = input.readMessage(ch.epfl.dedis.lib.proto.Personhood.PopDesc.parser(), extensionRegistry);
@@ -14240,7 +14218,7 @@ private FinalStatement(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.Personhood.Attendees.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = attendees_.toBuilder();
               }
               attendees_ = input.readMessage(ch.epfl.dedis.lib.proto.Personhood.Attendees.parser(), extensionRegistry);
@@ -14294,7 +14272,7 @@ private FinalStatement(
      * optional .personhood.PopDesc desc = 1;
      */
     public boolean hasDesc() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -14327,7 +14305,7 @@ public ch.epfl.dedis.lib.proto.Personhood.PopDescOrBuilder getDescOrBuilder() {
      * required .personhood.Attendees attendees = 2;
      */
     public boolean hasAttendees() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * 
@@ -14374,10 +14352,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getDesc());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getAttendees());
       }
       unknownFields.writeTo(output);
@@ -14389,11 +14367,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getDesc());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getAttendees());
       }
@@ -14412,19 +14390,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.FinalStatement other = (ch.epfl.dedis.lib.proto.Personhood.FinalStatement) obj;
 
-      boolean result = true;
-      result = result && (hasDesc() == other.hasDesc());
+      if (hasDesc() != other.hasDesc()) return false;
       if (hasDesc()) {
-        result = result && getDesc()
-            .equals(other.getDesc());
+        if (!getDesc()
+            .equals(other.getDesc())) return false;
       }
-      result = result && (hasAttendees() == other.hasAttendees());
+      if (hasAttendees() != other.hasAttendees()) return false;
       if (hasAttendees()) {
-        result = result && getAttendees()
-            .equals(other.getAttendees());
+        if (!getAttendees()
+            .equals(other.getAttendees())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -14622,22 +14599,22 @@ public ch.epfl.dedis.lib.proto.Personhood.FinalStatement buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.FinalStatement result = new ch.epfl.dedis.lib.proto.Personhood.FinalStatement(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (descBuilder_ == null) {
+            result.desc_ = desc_;
+          } else {
+            result.desc_ = descBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (descBuilder_ == null) {
-          result.desc_ = desc_;
-        } else {
-          result.desc_ = descBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (attendeesBuilder_ == null) {
+            result.attendees_ = attendees_;
+          } else {
+            result.attendees_ = attendeesBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (attendeesBuilder_ == null) {
-          result.attendees_ = attendees_;
-        } else {
-          result.attendees_ = attendeesBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -14645,35 +14622,35 @@ public ch.epfl.dedis.lib.proto.Personhood.FinalStatement buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -14731,7 +14708,7 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.Personhood.PopDesc desc_ = null;
+      private ch.epfl.dedis.lib.proto.Personhood.PopDesc desc_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.Personhood.PopDesc, ch.epfl.dedis.lib.proto.Personhood.PopDesc.Builder, ch.epfl.dedis.lib.proto.Personhood.PopDescOrBuilder> descBuilder_;
       /**
@@ -14742,7 +14719,7 @@ public Builder mergeFrom(
        * optional .personhood.PopDesc desc = 1;
        */
       public boolean hasDesc() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -14805,7 +14782,7 @@ public Builder setDesc(
        */
       public Builder mergeDesc(ch.epfl.dedis.lib.proto.Personhood.PopDesc value) {
         if (descBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               desc_ != null &&
               desc_ != ch.epfl.dedis.lib.proto.Personhood.PopDesc.getDefaultInstance()) {
             desc_ =
@@ -14885,7 +14862,7 @@ public ch.epfl.dedis.lib.proto.Personhood.PopDescOrBuilder getDescOrBuilder() {
         return descBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.Personhood.Attendees attendees_ = null;
+      private ch.epfl.dedis.lib.proto.Personhood.Attendees attendees_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.Personhood.Attendees, ch.epfl.dedis.lib.proto.Personhood.Attendees.Builder, ch.epfl.dedis.lib.proto.Personhood.AttendeesOrBuilder> attendeesBuilder_;
       /**
@@ -14896,7 +14873,7 @@ public ch.epfl.dedis.lib.proto.Personhood.PopDescOrBuilder getDescOrBuilder() {
        * required .personhood.Attendees attendees = 2;
        */
       public boolean hasAttendees() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * 
@@ -14959,7 +14936,7 @@ public Builder setAttendees(
        */
       public Builder mergeAttendees(ch.epfl.dedis.lib.proto.Personhood.Attendees value) {
         if (attendeesBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               attendees_ != null &&
               attendees_ != ch.epfl.dedis.lib.proto.Personhood.Attendees.getDefaultInstance()) {
             attendees_ =
@@ -15153,7 +15130,7 @@ private Attendees(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 keys_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -15175,8 +15152,8 @@ private Attendees(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
-          keys_ = java.util.Collections.unmodifiableList(keys_);
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
+          keys_ = java.util.Collections.unmodifiableList(keys_); // C
         }
         this.unknownFields = unknownFields.build();
         makeExtensionsImmutable();
@@ -15267,11 +15244,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.Attendees other = (ch.epfl.dedis.lib.proto.Personhood.Attendees) obj;
 
-      boolean result = true;
-      result = result && getKeysList()
-          .equals(other.getKeysList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getKeysList()
+          .equals(other.getKeysList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -15451,7 +15427,7 @@ public ch.epfl.dedis.lib.proto.Personhood.Attendees build() {
       public ch.epfl.dedis.lib.proto.Personhood.Attendees buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.Attendees result = new ch.epfl.dedis.lib.proto.Personhood.Attendees(this);
         int from_bitField0_ = bitField0_;
-        if (((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((bitField0_ & 0x00000001) != 0)) {
           keys_ = java.util.Collections.unmodifiableList(keys_);
           bitField0_ = (bitField0_ & ~0x00000001);
         }
@@ -15462,35 +15438,35 @@ public ch.epfl.dedis.lib.proto.Personhood.Attendees buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -15546,7 +15522,7 @@ public Builder mergeFrom(
 
       private java.util.List keys_ = java.util.Collections.emptyList();
       private void ensureKeysIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           keys_ = new java.util.ArrayList(keys_);
           bitField0_ |= 0x00000001;
          }
@@ -15556,7 +15532,8 @@ private void ensureKeysIsMutable() {
        */
       public java.util.List
           getKeysList() {
-        return java.util.Collections.unmodifiableList(keys_);
+        return ((bitField0_ & 0x00000001) != 0) ?
+                 java.util.Collections.unmodifiableList(keys_) : keys_;
       }
       /**
        * repeated bytes keys = 1;
@@ -15769,7 +15746,7 @@ private LRSTag(
      * required bytes tag = 1;
      */
     public boolean hasTag() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes tag = 1;
@@ -15796,7 +15773,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, tag_);
       }
       unknownFields.writeTo(output);
@@ -15808,7 +15785,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, tag_);
       }
@@ -15827,14 +15804,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.LRSTag other = (ch.epfl.dedis.lib.proto.Personhood.LRSTag) obj;
 
-      boolean result = true;
-      result = result && (hasTag() == other.hasTag());
+      if (hasTag() != other.hasTag()) return false;
       if (hasTag()) {
-        result = result && getTag()
-            .equals(other.getTag());
+        if (!getTag()
+            .equals(other.getTag())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -16015,7 +15991,7 @@ public ch.epfl.dedis.lib.proto.Personhood.LRSTag buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.LRSTag result = new ch.epfl.dedis.lib.proto.Personhood.LRSTag(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.tag_ = tag_;
@@ -16026,35 +16002,35 @@ public ch.epfl.dedis.lib.proto.Personhood.LRSTag buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -16109,7 +16085,7 @@ public Builder mergeFrom(
        * required bytes tag = 1;
        */
       public boolean hasTag() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes tag = 1;
@@ -16294,7 +16270,7 @@ private Poll(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.Personhood.PollStruct.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = newpoll_.toBuilder();
               }
               newpoll_ = input.readMessage(ch.epfl.dedis.lib.proto.Personhood.PollStruct.parser(), extensionRegistry);
@@ -16307,7 +16283,7 @@ private Poll(
             }
             case 26: {
               ch.epfl.dedis.lib.proto.Personhood.PollList.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000004) == 0x00000004)) {
+              if (((bitField0_ & 0x00000004) != 0)) {
                 subBuilder = list_.toBuilder();
               }
               list_ = input.readMessage(ch.epfl.dedis.lib.proto.Personhood.PollList.parser(), extensionRegistry);
@@ -16320,7 +16296,7 @@ private Poll(
             }
             case 34: {
               ch.epfl.dedis.lib.proto.Personhood.PollAnswer.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000008) == 0x00000008)) {
+              if (((bitField0_ & 0x00000008) != 0)) {
                 subBuilder = answer_.toBuilder();
               }
               answer_ = input.readMessage(ch.epfl.dedis.lib.proto.Personhood.PollAnswer.parser(), extensionRegistry);
@@ -16370,7 +16346,7 @@ private Poll(
      * required bytes byzcoinid = 1;
      */
     public boolean hasByzcoinid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes byzcoinid = 1;
@@ -16385,7 +16361,7 @@ public com.google.protobuf.ByteString getByzcoinid() {
      * optional .personhood.PollStruct newpoll = 2;
      */
     public boolean hasNewpoll() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * optional .personhood.PollStruct newpoll = 2;
@@ -16406,7 +16382,7 @@ public ch.epfl.dedis.lib.proto.Personhood.PollStructOrBuilder getNewpollOrBuilde
      * optional .personhood.PollList list = 3;
      */
     public boolean hasList() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * optional .personhood.PollList list = 3;
@@ -16427,7 +16403,7 @@ public ch.epfl.dedis.lib.proto.Personhood.PollListOrBuilder getListOrBuilder() {
      * optional .personhood.PollAnswer answer = 4;
      */
     public boolean hasAnswer() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * optional .personhood.PollAnswer answer = 4;
@@ -16472,16 +16448,16 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getNewpoll());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeMessage(3, getList());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeMessage(4, getAnswer());
       }
       unknownFields.writeTo(output);
@@ -16493,19 +16469,19 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, byzcoinid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getNewpoll());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(3, getList());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(4, getAnswer());
       }
@@ -16524,29 +16500,28 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.Poll other = (ch.epfl.dedis.lib.proto.Personhood.Poll) obj;
 
-      boolean result = true;
-      result = result && (hasByzcoinid() == other.hasByzcoinid());
+      if (hasByzcoinid() != other.hasByzcoinid()) return false;
       if (hasByzcoinid()) {
-        result = result && getByzcoinid()
-            .equals(other.getByzcoinid());
+        if (!getByzcoinid()
+            .equals(other.getByzcoinid())) return false;
       }
-      result = result && (hasNewpoll() == other.hasNewpoll());
+      if (hasNewpoll() != other.hasNewpoll()) return false;
       if (hasNewpoll()) {
-        result = result && getNewpoll()
-            .equals(other.getNewpoll());
+        if (!getNewpoll()
+            .equals(other.getNewpoll())) return false;
       }
-      result = result && (hasList() == other.hasList());
+      if (hasList() != other.hasList()) return false;
       if (hasList()) {
-        result = result && getList()
-            .equals(other.getList());
+        if (!getList()
+            .equals(other.getList())) return false;
       }
-      result = result && (hasAnswer() == other.hasAnswer());
+      if (hasAnswer() != other.hasAnswer()) return false;
       if (hasAnswer()) {
-        result = result && getAnswer()
-            .equals(other.getAnswer());
+        if (!getAnswer()
+            .equals(other.getAnswer())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -16760,34 +16735,34 @@ public ch.epfl.dedis.lib.proto.Personhood.Poll buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.Poll result = new ch.epfl.dedis.lib.proto.Personhood.Poll(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.byzcoinid_ = byzcoinid_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (newpollBuilder_ == null) {
+            result.newpoll_ = newpoll_;
+          } else {
+            result.newpoll_ = newpollBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (newpollBuilder_ == null) {
-          result.newpoll_ = newpoll_;
-        } else {
-          result.newpoll_ = newpollBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          if (listBuilder_ == null) {
+            result.list_ = list_;
+          } else {
+            result.list_ = listBuilder_.build();
+          }
           to_bitField0_ |= 0x00000004;
         }
-        if (listBuilder_ == null) {
-          result.list_ = list_;
-        } else {
-          result.list_ = listBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
+          if (answerBuilder_ == null) {
+            result.answer_ = answer_;
+          } else {
+            result.answer_ = answerBuilder_.build();
+          }
           to_bitField0_ |= 0x00000008;
         }
-        if (answerBuilder_ == null) {
-          result.answer_ = answer_;
-        } else {
-          result.answer_ = answerBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -16795,35 +16770,35 @@ public ch.epfl.dedis.lib.proto.Personhood.Poll buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -16897,7 +16872,7 @@ public Builder mergeFrom(
        * required bytes byzcoinid = 1;
        */
       public boolean hasByzcoinid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes byzcoinid = 1;
@@ -16927,14 +16902,14 @@ public Builder clearByzcoinid() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.Personhood.PollStruct newpoll_ = null;
+      private ch.epfl.dedis.lib.proto.Personhood.PollStruct newpoll_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.Personhood.PollStruct, ch.epfl.dedis.lib.proto.Personhood.PollStruct.Builder, ch.epfl.dedis.lib.proto.Personhood.PollStructOrBuilder> newpollBuilder_;
       /**
        * optional .personhood.PollStruct newpoll = 2;
        */
       public boolean hasNewpoll() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * optional .personhood.PollStruct newpoll = 2;
@@ -16981,7 +16956,7 @@ public Builder setNewpoll(
        */
       public Builder mergeNewpoll(ch.epfl.dedis.lib.proto.Personhood.PollStruct value) {
         if (newpollBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               newpoll_ != null &&
               newpoll_ != ch.epfl.dedis.lib.proto.Personhood.PollStruct.getDefaultInstance()) {
             newpoll_ =
@@ -17045,14 +17020,14 @@ public ch.epfl.dedis.lib.proto.Personhood.PollStructOrBuilder getNewpollOrBuilde
         return newpollBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.Personhood.PollList list_ = null;
+      private ch.epfl.dedis.lib.proto.Personhood.PollList list_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.Personhood.PollList, ch.epfl.dedis.lib.proto.Personhood.PollList.Builder, ch.epfl.dedis.lib.proto.Personhood.PollListOrBuilder> listBuilder_;
       /**
        * optional .personhood.PollList list = 3;
        */
       public boolean hasList() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * optional .personhood.PollList list = 3;
@@ -17099,7 +17074,7 @@ public Builder setList(
        */
       public Builder mergeList(ch.epfl.dedis.lib.proto.Personhood.PollList value) {
         if (listBuilder_ == null) {
-          if (((bitField0_ & 0x00000004) == 0x00000004) &&
+          if (((bitField0_ & 0x00000004) != 0) &&
               list_ != null &&
               list_ != ch.epfl.dedis.lib.proto.Personhood.PollList.getDefaultInstance()) {
             list_ =
@@ -17163,14 +17138,14 @@ public ch.epfl.dedis.lib.proto.Personhood.PollListOrBuilder getListOrBuilder() {
         return listBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.Personhood.PollAnswer answer_ = null;
+      private ch.epfl.dedis.lib.proto.Personhood.PollAnswer answer_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.Personhood.PollAnswer, ch.epfl.dedis.lib.proto.Personhood.PollAnswer.Builder, ch.epfl.dedis.lib.proto.Personhood.PollAnswerOrBuilder> answerBuilder_;
       /**
        * optional .personhood.PollAnswer answer = 4;
        */
       public boolean hasAnswer() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * optional .personhood.PollAnswer answer = 4;
@@ -17217,7 +17192,7 @@ public Builder setAnswer(
        */
       public Builder mergeAnswer(ch.epfl.dedis.lib.proto.Personhood.PollAnswer value) {
         if (answerBuilder_ == null) {
-          if (((bitField0_ & 0x00000008) == 0x00000008) &&
+          if (((bitField0_ & 0x00000008) != 0) &&
               answer_ != null &&
               answer_ != ch.epfl.dedis.lib.proto.Personhood.PollAnswer.getDefaultInstance()) {
             answer_ =
@@ -17395,7 +17370,7 @@ private PollList(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 partyids_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -17417,8 +17392,8 @@ private PollList(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
-          partyids_ = java.util.Collections.unmodifiableList(partyids_);
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
+          partyids_ = java.util.Collections.unmodifiableList(partyids_); // C
         }
         this.unknownFields = unknownFields.build();
         makeExtensionsImmutable();
@@ -17509,11 +17484,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.PollList other = (ch.epfl.dedis.lib.proto.Personhood.PollList) obj;
 
-      boolean result = true;
-      result = result && getPartyidsList()
-          .equals(other.getPartyidsList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getPartyidsList()
+          .equals(other.getPartyidsList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -17693,7 +17667,7 @@ public ch.epfl.dedis.lib.proto.Personhood.PollList build() {
       public ch.epfl.dedis.lib.proto.Personhood.PollList buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.PollList result = new ch.epfl.dedis.lib.proto.Personhood.PollList(this);
         int from_bitField0_ = bitField0_;
-        if (((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((bitField0_ & 0x00000001) != 0)) {
           partyids_ = java.util.Collections.unmodifiableList(partyids_);
           bitField0_ = (bitField0_ & ~0x00000001);
         }
@@ -17704,35 +17678,35 @@ public ch.epfl.dedis.lib.proto.Personhood.PollList buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -17788,7 +17762,7 @@ public Builder mergeFrom(
 
       private java.util.List partyids_ = java.util.Collections.emptyList();
       private void ensurePartyidsIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           partyids_ = new java.util.ArrayList(partyids_);
           bitField0_ |= 0x00000001;
          }
@@ -17798,7 +17772,8 @@ private void ensurePartyidsIsMutable() {
        */
       public java.util.List
           getPartyidsList() {
-        return java.util.Collections.unmodifiableList(partyids_);
+        return ((bitField0_ & 0x00000001) != 0) ?
+                 java.util.Collections.unmodifiableList(partyids_) : partyids_;
       }
       /**
        * repeated bytes partyids = 1;
@@ -17963,7 +17938,6 @@ private PollAnswer(com.google.protobuf.GeneratedMessageV3.Builder builder) {
     }
     private PollAnswer() {
       pollid_ = com.google.protobuf.ByteString.EMPTY;
-      choice_ = 0;
       lrs_ = com.google.protobuf.ByteString.EMPTY;
     }
 
@@ -18045,7 +18019,7 @@ private PollAnswer(
      * required bytes pollid = 1;
      */
     public boolean hasPollid() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes pollid = 1;
@@ -18060,7 +18034,7 @@ public com.google.protobuf.ByteString getPollid() {
      * required sint32 choice = 2;
      */
     public boolean hasChoice() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required sint32 choice = 2;
@@ -18075,7 +18049,7 @@ public int getChoice() {
      * required bytes lrs = 3;
      */
     public boolean hasLrs() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * required bytes lrs = 3;
@@ -18110,13 +18084,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, pollid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeSInt32(2, choice_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeBytes(3, lrs_);
       }
       unknownFields.writeTo(output);
@@ -18128,15 +18102,15 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, pollid_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(2, choice_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, lrs_);
       }
@@ -18155,24 +18129,23 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.PollAnswer other = (ch.epfl.dedis.lib.proto.Personhood.PollAnswer) obj;
 
-      boolean result = true;
-      result = result && (hasPollid() == other.hasPollid());
+      if (hasPollid() != other.hasPollid()) return false;
       if (hasPollid()) {
-        result = result && getPollid()
-            .equals(other.getPollid());
+        if (!getPollid()
+            .equals(other.getPollid())) return false;
       }
-      result = result && (hasChoice() == other.hasChoice());
+      if (hasChoice() != other.hasChoice()) return false;
       if (hasChoice()) {
-        result = result && (getChoice()
-            == other.getChoice());
+        if (getChoice()
+            != other.getChoice()) return false;
       }
-      result = result && (hasLrs() == other.hasLrs());
+      if (hasLrs() != other.hasLrs()) return false;
       if (hasLrs()) {
-        result = result && getLrs()
-            .equals(other.getLrs());
+        if (!getLrs()
+            .equals(other.getLrs())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -18369,15 +18342,15 @@ public ch.epfl.dedis.lib.proto.Personhood.PollAnswer buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.PollAnswer result = new ch.epfl.dedis.lib.proto.Personhood.PollAnswer(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.pollid_ = pollid_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          result.choice_ = choice_;
           to_bitField0_ |= 0x00000002;
         }
-        result.choice_ = choice_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.lrs_ = lrs_;
@@ -18388,35 +18361,35 @@ public ch.epfl.dedis.lib.proto.Personhood.PollAnswer buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -18483,7 +18456,7 @@ public Builder mergeFrom(
        * required bytes pollid = 1;
        */
       public boolean hasPollid() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes pollid = 1;
@@ -18518,7 +18491,7 @@ public Builder clearPollid() {
        * required sint32 choice = 2;
        */
       public boolean hasChoice() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required sint32 choice = 2;
@@ -18550,7 +18523,7 @@ public Builder clearChoice() {
        * required bytes lrs = 3;
        */
       public boolean hasLrs() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required bytes lrs = 3;
@@ -18798,7 +18771,7 @@ private PollStruct(
             }
             case 42: {
               com.google.protobuf.ByteString bs = input.readBytes();
-              if (!((mutable_bitField0_ & 0x00000010) == 0x00000010)) {
+              if (!((mutable_bitField0_ & 0x00000010) != 0)) {
                 choices_ = new com.google.protobuf.LazyStringArrayList();
                 mutable_bitField0_ |= 0x00000010;
               }
@@ -18806,7 +18779,7 @@ private PollStruct(
               break;
             }
             case 50: {
-              if (!((mutable_bitField0_ & 0x00000020) == 0x00000020)) {
+              if (!((mutable_bitField0_ & 0x00000020) != 0)) {
                 chosen_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000020;
               }
@@ -18829,10 +18802,10 @@ private PollStruct(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000010) == 0x00000010)) {
+        if (((mutable_bitField0_ & 0x00000010) != 0)) {
           choices_ = choices_.getUnmodifiableView();
         }
-        if (((mutable_bitField0_ & 0x00000020) == 0x00000020)) {
+        if (((mutable_bitField0_ & 0x00000020) != 0)) {
           chosen_ = java.util.Collections.unmodifiableList(chosen_);
         }
         this.unknownFields = unknownFields.build();
@@ -18859,7 +18832,7 @@ private PollStruct(
      * required bytes personhood = 1;
      */
     public boolean hasPersonhood() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes personhood = 1;
@@ -18874,7 +18847,7 @@ public com.google.protobuf.ByteString getPersonhood() {
      * optional bytes pollid = 2;
      */
     public boolean hasPollid() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * optional bytes pollid = 2;
@@ -18889,7 +18862,7 @@ public com.google.protobuf.ByteString getPollid() {
      * required string title = 3;
      */
     public boolean hasTitle() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * required string title = 3;
@@ -18931,7 +18904,7 @@ public java.lang.String getTitle() {
      * required string description = 4;
      */
     public boolean hasDescription() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * required string description = 4;
@@ -19063,16 +19036,16 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, personhood_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, pollid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 3, title_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 4, description_);
       }
       for (int i = 0; i < choices_.size(); i++) {
@@ -19090,18 +19063,18 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, personhood_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, pollid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(3, title_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(4, description_);
       }
       {
@@ -19131,33 +19104,32 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.PollStruct other = (ch.epfl.dedis.lib.proto.Personhood.PollStruct) obj;
 
-      boolean result = true;
-      result = result && (hasPersonhood() == other.hasPersonhood());
+      if (hasPersonhood() != other.hasPersonhood()) return false;
       if (hasPersonhood()) {
-        result = result && getPersonhood()
-            .equals(other.getPersonhood());
+        if (!getPersonhood()
+            .equals(other.getPersonhood())) return false;
       }
-      result = result && (hasPollid() == other.hasPollid());
+      if (hasPollid() != other.hasPollid()) return false;
       if (hasPollid()) {
-        result = result && getPollid()
-            .equals(other.getPollid());
+        if (!getPollid()
+            .equals(other.getPollid())) return false;
       }
-      result = result && (hasTitle() == other.hasTitle());
+      if (hasTitle() != other.hasTitle()) return false;
       if (hasTitle()) {
-        result = result && getTitle()
-            .equals(other.getTitle());
+        if (!getTitle()
+            .equals(other.getTitle())) return false;
       }
-      result = result && (hasDescription() == other.hasDescription());
+      if (hasDescription() != other.hasDescription()) return false;
       if (hasDescription()) {
-        result = result && getDescription()
-            .equals(other.getDescription());
-      }
-      result = result && getChoicesList()
-          .equals(other.getChoicesList());
-      result = result && getChosenList()
-          .equals(other.getChosenList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+        if (!getDescription()
+            .equals(other.getDescription())) return false;
+      }
+      if (!getChoicesList()
+          .equals(other.getChoicesList())) return false;
+      if (!getChosenList()
+          .equals(other.getChosenList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -19373,29 +19345,29 @@ public ch.epfl.dedis.lib.proto.Personhood.PollStruct buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.PollStruct result = new ch.epfl.dedis.lib.proto.Personhood.PollStruct(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.personhood_ = personhood_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.pollid_ = pollid_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.title_ = title_;
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
           to_bitField0_ |= 0x00000008;
         }
         result.description_ = description_;
-        if (((bitField0_ & 0x00000010) == 0x00000010)) {
+        if (((bitField0_ & 0x00000010) != 0)) {
           choices_ = choices_.getUnmodifiableView();
           bitField0_ = (bitField0_ & ~0x00000010);
         }
         result.choices_ = choices_;
         if (chosenBuilder_ == null) {
-          if (((bitField0_ & 0x00000020) == 0x00000020)) {
+          if (((bitField0_ & 0x00000020) != 0)) {
             chosen_ = java.util.Collections.unmodifiableList(chosen_);
             bitField0_ = (bitField0_ & ~0x00000020);
           }
@@ -19410,35 +19382,35 @@ public ch.epfl.dedis.lib.proto.Personhood.PollStruct buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -19553,7 +19525,7 @@ public Builder mergeFrom(
        * required bytes personhood = 1;
        */
       public boolean hasPersonhood() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes personhood = 1;
@@ -19588,7 +19560,7 @@ public Builder clearPersonhood() {
        * optional bytes pollid = 2;
        */
       public boolean hasPollid() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * optional bytes pollid = 2;
@@ -19623,7 +19595,7 @@ public Builder clearPollid() {
        * required string title = 3;
        */
       public boolean hasTitle() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required string title = 3;
@@ -19699,7 +19671,7 @@ public Builder setTitleBytes(
        * required string description = 4;
        */
       public boolean hasDescription() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * required string description = 4;
@@ -19772,7 +19744,7 @@ public Builder setDescriptionBytes(
 
       private com.google.protobuf.LazyStringList choices_ = com.google.protobuf.LazyStringArrayList.EMPTY;
       private void ensureChoicesIsMutable() {
-        if (!((bitField0_ & 0x00000010) == 0x00000010)) {
+        if (!((bitField0_ & 0x00000010) != 0)) {
           choices_ = new com.google.protobuf.LazyStringArrayList(choices_);
           bitField0_ |= 0x00000010;
          }
@@ -19866,7 +19838,7 @@ public Builder addChoicesBytes(
       private java.util.List chosen_ =
         java.util.Collections.emptyList();
       private void ensureChosenIsMutable() {
-        if (!((bitField0_ & 0x00000020) == 0x00000020)) {
+        if (!((bitField0_ & 0x00000020) != 0)) {
           chosen_ = new java.util.ArrayList(chosen_);
           bitField0_ |= 0x00000020;
          }
@@ -20095,7 +20067,7 @@ public ch.epfl.dedis.lib.proto.Personhood.PollChoice.Builder addChosenBuilder(
           chosenBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.Personhood.PollChoice, ch.epfl.dedis.lib.proto.Personhood.PollChoice.Builder, ch.epfl.dedis.lib.proto.Personhood.PollChoiceOrBuilder>(
                   chosen_,
-                  ((bitField0_ & 0x00000020) == 0x00000020),
+                  ((bitField0_ & 0x00000020) != 0),
                   getParentForChildren(),
                   isClean());
           chosen_ = null;
@@ -20194,7 +20166,6 @@ private PollChoice(com.google.protobuf.GeneratedMessageV3.Builder builder) {
       super(builder);
     }
     private PollChoice() {
-      choice_ = 0;
       lrstag_ = com.google.protobuf.ByteString.EMPTY;
     }
 
@@ -20271,7 +20242,7 @@ private PollChoice(
      * required sint32 choice = 1;
      */
     public boolean hasChoice() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required sint32 choice = 1;
@@ -20286,7 +20257,7 @@ public int getChoice() {
      * required bytes lrstag = 2;
      */
     public boolean hasLrstag() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes lrstag = 2;
@@ -20317,10 +20288,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeSInt32(1, choice_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, lrstag_);
       }
       unknownFields.writeTo(output);
@@ -20332,11 +20303,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(1, choice_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, lrstag_);
       }
@@ -20355,19 +20326,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.PollChoice other = (ch.epfl.dedis.lib.proto.Personhood.PollChoice) obj;
 
-      boolean result = true;
-      result = result && (hasChoice() == other.hasChoice());
+      if (hasChoice() != other.hasChoice()) return false;
       if (hasChoice()) {
-        result = result && (getChoice()
-            == other.getChoice());
+        if (getChoice()
+            != other.getChoice()) return false;
       }
-      result = result && (hasLrstag() == other.hasLrstag());
+      if (hasLrstag() != other.hasLrstag()) return false;
       if (hasLrstag()) {
-        result = result && getLrstag()
-            .equals(other.getLrstag());
+        if (!getLrstag()
+            .equals(other.getLrstag())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -20554,11 +20524,11 @@ public ch.epfl.dedis.lib.proto.Personhood.PollChoice buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.PollChoice result = new ch.epfl.dedis.lib.proto.Personhood.PollChoice(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.choice_ = choice_;
           to_bitField0_ |= 0x00000001;
         }
-        result.choice_ = choice_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.lrstag_ = lrstag_;
@@ -20569,35 +20539,35 @@ public ch.epfl.dedis.lib.proto.Personhood.PollChoice buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -20658,7 +20628,7 @@ public Builder mergeFrom(
        * required sint32 choice = 1;
        */
       public boolean hasChoice() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required sint32 choice = 1;
@@ -20690,7 +20660,7 @@ public Builder clearChoice() {
        * required bytes lrstag = 2;
        */
       public boolean hasLrstag() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes lrstag = 2;
@@ -20847,7 +20817,7 @@ private PollResponse(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 polls_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -20870,7 +20840,7 @@ private PollResponse(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           polls_ = java.util.Collections.unmodifiableList(polls_);
         }
         this.unknownFields = unknownFields.build();
@@ -20976,11 +20946,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.PollResponse other = (ch.epfl.dedis.lib.proto.Personhood.PollResponse) obj;
 
-      boolean result = true;
-      result = result && getPollsList()
-          .equals(other.getPollsList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getPollsList()
+          .equals(other.getPollsList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -21168,7 +21137,7 @@ public ch.epfl.dedis.lib.proto.Personhood.PollResponse buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.PollResponse result = new ch.epfl.dedis.lib.proto.Personhood.PollResponse(this);
         int from_bitField0_ = bitField0_;
         if (pollsBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             polls_ = java.util.Collections.unmodifiableList(polls_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -21182,35 +21151,35 @@ public ch.epfl.dedis.lib.proto.Personhood.PollResponse buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -21288,7 +21257,7 @@ public Builder mergeFrom(
       private java.util.List polls_ =
         java.util.Collections.emptyList();
       private void ensurePollsIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           polls_ = new java.util.ArrayList(polls_);
           bitField0_ |= 0x00000001;
          }
@@ -21517,7 +21486,7 @@ public ch.epfl.dedis.lib.proto.Personhood.PollStruct.Builder addPollsBuilder(
           pollsBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.Personhood.PollStruct, ch.epfl.dedis.lib.proto.Personhood.PollStruct.Builder, ch.epfl.dedis.lib.proto.Personhood.PollStructOrBuilder>(
                   polls_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           polls_ = null;
@@ -21693,9 +21662,8 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.Capabilities other = (ch.epfl.dedis.lib.proto.Personhood.Capabilities) obj;
 
-      boolean result = true;
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -21874,35 +21842,35 @@ public ch.epfl.dedis.lib.proto.Personhood.Capabilities buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -22077,7 +22045,7 @@ private CapabilitiesResponse(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 capabilities_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -22100,7 +22068,7 @@ private CapabilitiesResponse(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           capabilities_ = java.util.Collections.unmodifiableList(capabilities_);
         }
         this.unknownFields = unknownFields.build();
@@ -22206,11 +22174,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.CapabilitiesResponse other = (ch.epfl.dedis.lib.proto.Personhood.CapabilitiesResponse) obj;
 
-      boolean result = true;
-      result = result && getCapabilitiesList()
-          .equals(other.getCapabilitiesList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getCapabilitiesList()
+          .equals(other.getCapabilitiesList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -22403,7 +22370,7 @@ public ch.epfl.dedis.lib.proto.Personhood.CapabilitiesResponse buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.CapabilitiesResponse result = new ch.epfl.dedis.lib.proto.Personhood.CapabilitiesResponse(this);
         int from_bitField0_ = bitField0_;
         if (capabilitiesBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             capabilities_ = java.util.Collections.unmodifiableList(capabilities_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -22417,35 +22384,35 @@ public ch.epfl.dedis.lib.proto.Personhood.CapabilitiesResponse buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -22523,7 +22490,7 @@ public Builder mergeFrom(
       private java.util.List capabilities_ =
         java.util.Collections.emptyList();
       private void ensureCapabilitiesIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           capabilities_ = new java.util.ArrayList(capabilities_);
           bitField0_ |= 0x00000001;
          }
@@ -22752,7 +22719,7 @@ public ch.epfl.dedis.lib.proto.Personhood.Capability.Builder addCapabilitiesBuil
           capabilitiesBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.Personhood.Capability, ch.epfl.dedis.lib.proto.Personhood.Capability.Builder, ch.epfl.dedis.lib.proto.Personhood.CapabilityOrBuilder>(
                   capabilities_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           capabilities_ = null;
@@ -22934,7 +22901,7 @@ private Capability(
      * required string endpoint = 1;
      */
     public boolean hasEndpoint() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required string endpoint = 1;
@@ -22976,7 +22943,7 @@ public java.lang.String getEndpoint() {
      * required bytes version = 2;
      */
     public boolean hasVersion() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes version = 2;
@@ -23007,10 +22974,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 1, endpoint_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, version_);
       }
       unknownFields.writeTo(output);
@@ -23022,10 +22989,10 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, endpoint_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, version_);
       }
@@ -23044,19 +23011,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.Capability other = (ch.epfl.dedis.lib.proto.Personhood.Capability) obj;
 
-      boolean result = true;
-      result = result && (hasEndpoint() == other.hasEndpoint());
+      if (hasEndpoint() != other.hasEndpoint()) return false;
       if (hasEndpoint()) {
-        result = result && getEndpoint()
-            .equals(other.getEndpoint());
+        if (!getEndpoint()
+            .equals(other.getEndpoint())) return false;
       }
-      result = result && (hasVersion() == other.hasVersion());
+      if (hasVersion() != other.hasVersion()) return false;
       if (hasVersion()) {
-        result = result && getVersion()
-            .equals(other.getVersion());
+        if (!getVersion()
+            .equals(other.getVersion())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -23243,11 +23209,11 @@ public ch.epfl.dedis.lib.proto.Personhood.Capability buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.Capability result = new ch.epfl.dedis.lib.proto.Personhood.Capability(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.endpoint_ = endpoint_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.version_ = version_;
@@ -23258,35 +23224,35 @@ public ch.epfl.dedis.lib.proto.Personhood.Capability buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -23349,7 +23315,7 @@ public Builder mergeFrom(
        * required string endpoint = 1;
        */
       public boolean hasEndpoint() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required string endpoint = 1;
@@ -23425,7 +23391,7 @@ public Builder setEndpointBytes(
        * required bytes version = 2;
        */
       public boolean hasVersion() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes version = 2;
@@ -23585,7 +23551,6 @@ private UserLocation() {
       publickey_ = com.google.protobuf.ByteString.EMPTY;
       credentialiid_ = com.google.protobuf.ByteString.EMPTY;
       location_ = "";
-      time_ = 0L;
     }
 
     @java.lang.Override
@@ -23624,7 +23589,7 @@ private UserLocation(
             }
             case 26: {
               ch.epfl.dedis.lib.proto.Personhood.CredentialStruct.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000004) == 0x00000004)) {
+              if (((bitField0_ & 0x00000004) != 0)) {
                 subBuilder = credential_.toBuilder();
               }
               credential_ = input.readMessage(ch.epfl.dedis.lib.proto.Personhood.CredentialStruct.parser(), extensionRegistry);
@@ -23685,7 +23650,7 @@ private UserLocation(
      * required bytes publickey = 1;
      */
     public boolean hasPublickey() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes publickey = 1;
@@ -23700,7 +23665,7 @@ public com.google.protobuf.ByteString getPublickey() {
      * optional bytes credentialiid = 2;
      */
     public boolean hasCredentialiid() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * optional bytes credentialiid = 2;
@@ -23715,7 +23680,7 @@ public com.google.protobuf.ByteString getCredentialiid() {
      * optional .personhood.CredentialStruct credential = 3;
      */
     public boolean hasCredential() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * optional .personhood.CredentialStruct credential = 3;
@@ -23736,7 +23701,7 @@ public ch.epfl.dedis.lib.proto.Personhood.CredentialStructOrBuilder getCredentia
      * optional string location = 4;
      */
     public boolean hasLocation() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * optional string location = 4;
@@ -23778,7 +23743,7 @@ public java.lang.String getLocation() {
      * required sint64 time = 5;
      */
     public boolean hasTime() {
-      return ((bitField0_ & 0x00000010) == 0x00000010);
+      return ((bitField0_ & 0x00000010) != 0);
     }
     /**
      * required sint64 time = 5;
@@ -23815,19 +23780,19 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, publickey_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, credentialiid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeMessage(3, getCredential());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         com.google.protobuf.GeneratedMessageV3.writeString(output, 4, location_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         output.writeSInt64(5, time_);
       }
       unknownFields.writeTo(output);
@@ -23839,22 +23804,22 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, publickey_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, credentialiid_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(3, getCredential());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.GeneratedMessageV3.computeStringSize(4, location_);
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt64Size(5, time_);
       }
@@ -23873,34 +23838,33 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.UserLocation other = (ch.epfl.dedis.lib.proto.Personhood.UserLocation) obj;
 
-      boolean result = true;
-      result = result && (hasPublickey() == other.hasPublickey());
+      if (hasPublickey() != other.hasPublickey()) return false;
       if (hasPublickey()) {
-        result = result && getPublickey()
-            .equals(other.getPublickey());
+        if (!getPublickey()
+            .equals(other.getPublickey())) return false;
       }
-      result = result && (hasCredentialiid() == other.hasCredentialiid());
+      if (hasCredentialiid() != other.hasCredentialiid()) return false;
       if (hasCredentialiid()) {
-        result = result && getCredentialiid()
-            .equals(other.getCredentialiid());
+        if (!getCredentialiid()
+            .equals(other.getCredentialiid())) return false;
       }
-      result = result && (hasCredential() == other.hasCredential());
+      if (hasCredential() != other.hasCredential()) return false;
       if (hasCredential()) {
-        result = result && getCredential()
-            .equals(other.getCredential());
+        if (!getCredential()
+            .equals(other.getCredential())) return false;
       }
-      result = result && (hasLocation() == other.hasLocation());
+      if (hasLocation() != other.hasLocation()) return false;
       if (hasLocation()) {
-        result = result && getLocation()
-            .equals(other.getLocation());
+        if (!getLocation()
+            .equals(other.getLocation())) return false;
       }
-      result = result && (hasTime() == other.hasTime());
+      if (hasTime() != other.hasTime()) return false;
       if (hasTime()) {
-        result = result && (getTime()
-            == other.getTime());
+        if (getTime()
+            != other.getTime()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -24111,30 +24075,30 @@ public ch.epfl.dedis.lib.proto.Personhood.UserLocation buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.UserLocation result = new ch.epfl.dedis.lib.proto.Personhood.UserLocation(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.publickey_ = publickey_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.credentialiid_ = credentialiid_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          if (credentialBuilder_ == null) {
+            result.credential_ = credential_;
+          } else {
+            result.credential_ = credentialBuilder_.build();
+          }
           to_bitField0_ |= 0x00000004;
         }
-        if (credentialBuilder_ == null) {
-          result.credential_ = credential_;
-        } else {
-          result.credential_ = credentialBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
           to_bitField0_ |= 0x00000008;
         }
         result.location_ = location_;
-        if (((from_bitField0_ & 0x00000010) == 0x00000010)) {
+        if (((from_bitField0_ & 0x00000010) != 0)) {
+          result.time_ = time_;
           to_bitField0_ |= 0x00000010;
         }
-        result.time_ = time_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -24142,35 +24106,35 @@ public ch.epfl.dedis.lib.proto.Personhood.UserLocation buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -24247,7 +24211,7 @@ public Builder mergeFrom(
        * required bytes publickey = 1;
        */
       public boolean hasPublickey() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes publickey = 1;
@@ -24282,7 +24246,7 @@ public Builder clearPublickey() {
        * optional bytes credentialiid = 2;
        */
       public boolean hasCredentialiid() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * optional bytes credentialiid = 2;
@@ -24312,14 +24276,14 @@ public Builder clearCredentialiid() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.Personhood.CredentialStruct credential_ = null;
+      private ch.epfl.dedis.lib.proto.Personhood.CredentialStruct credential_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.Personhood.CredentialStruct, ch.epfl.dedis.lib.proto.Personhood.CredentialStruct.Builder, ch.epfl.dedis.lib.proto.Personhood.CredentialStructOrBuilder> credentialBuilder_;
       /**
        * optional .personhood.CredentialStruct credential = 3;
        */
       public boolean hasCredential() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * optional .personhood.CredentialStruct credential = 3;
@@ -24366,7 +24330,7 @@ public Builder setCredential(
        */
       public Builder mergeCredential(ch.epfl.dedis.lib.proto.Personhood.CredentialStruct value) {
         if (credentialBuilder_ == null) {
-          if (((bitField0_ & 0x00000004) == 0x00000004) &&
+          if (((bitField0_ & 0x00000004) != 0) &&
               credential_ != null &&
               credential_ != ch.epfl.dedis.lib.proto.Personhood.CredentialStruct.getDefaultInstance()) {
             credential_ =
@@ -24435,7 +24399,7 @@ public ch.epfl.dedis.lib.proto.Personhood.CredentialStructOrBuilder getCredentia
        * optional string location = 4;
        */
       public boolean hasLocation() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * optional string location = 4;
@@ -24511,7 +24475,7 @@ public Builder setLocationBytes(
        * required sint64 time = 5;
        */
       public boolean hasTime() {
-        return ((bitField0_ & 0x00000010) == 0x00000010);
+        return ((bitField0_ & 0x00000010) != 0);
       }
       /**
        * required sint64 time = 5;
@@ -24633,7 +24597,6 @@ private Meetup(com.google.protobuf.GeneratedMessageV3.Builder builder) {
       super(builder);
     }
     private Meetup() {
-      wipe_ = false;
     }
 
     @java.lang.Override
@@ -24662,7 +24625,7 @@ private Meetup(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.Personhood.UserLocation.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = userlocation_.toBuilder();
               }
               userlocation_ = input.readMessage(ch.epfl.dedis.lib.proto.Personhood.UserLocation.parser(), extensionRegistry);
@@ -24717,7 +24680,7 @@ private Meetup(
      * optional .personhood.UserLocation userlocation = 1;
      */
     public boolean hasUserlocation() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * optional .personhood.UserLocation userlocation = 1;
@@ -24738,7 +24701,7 @@ public ch.epfl.dedis.lib.proto.Personhood.UserLocationOrBuilder getUserlocationO
      * optional bool wipe = 2;
      */
     public boolean hasWipe() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * optional bool wipe = 2;
@@ -24767,10 +24730,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getUserlocation());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBool(2, wipe_);
       }
       unknownFields.writeTo(output);
@@ -24782,11 +24745,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getUserlocation());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBoolSize(2, wipe_);
       }
@@ -24805,19 +24768,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.Meetup other = (ch.epfl.dedis.lib.proto.Personhood.Meetup) obj;
 
-      boolean result = true;
-      result = result && (hasUserlocation() == other.hasUserlocation());
+      if (hasUserlocation() != other.hasUserlocation()) return false;
       if (hasUserlocation()) {
-        result = result && getUserlocation()
-            .equals(other.getUserlocation());
+        if (!getUserlocation()
+            .equals(other.getUserlocation())) return false;
       }
-      result = result && (hasWipe() == other.hasWipe());
+      if (hasWipe() != other.hasWipe()) return false;
       if (hasWipe()) {
-        result = result && (getWipe()
-            == other.getWipe());
+        if (getWipe()
+            != other.getWipe()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -25010,18 +24972,18 @@ public ch.epfl.dedis.lib.proto.Personhood.Meetup buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.Meetup result = new ch.epfl.dedis.lib.proto.Personhood.Meetup(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (userlocationBuilder_ == null) {
+            result.userlocation_ = userlocation_;
+          } else {
+            result.userlocation_ = userlocationBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (userlocationBuilder_ == null) {
-          result.userlocation_ = userlocation_;
-        } else {
-          result.userlocation_ = userlocationBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          result.wipe_ = wipe_;
           to_bitField0_ |= 0x00000002;
         }
-        result.wipe_ = wipe_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -25029,35 +24991,35 @@ public ch.epfl.dedis.lib.proto.Personhood.Meetup buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -25112,14 +25074,14 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.Personhood.UserLocation userlocation_ = null;
+      private ch.epfl.dedis.lib.proto.Personhood.UserLocation userlocation_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.Personhood.UserLocation, ch.epfl.dedis.lib.proto.Personhood.UserLocation.Builder, ch.epfl.dedis.lib.proto.Personhood.UserLocationOrBuilder> userlocationBuilder_;
       /**
        * optional .personhood.UserLocation userlocation = 1;
        */
       public boolean hasUserlocation() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * optional .personhood.UserLocation userlocation = 1;
@@ -25166,7 +25128,7 @@ public Builder setUserlocation(
        */
       public Builder mergeUserlocation(ch.epfl.dedis.lib.proto.Personhood.UserLocation value) {
         if (userlocationBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               userlocation_ != null &&
               userlocation_ != ch.epfl.dedis.lib.proto.Personhood.UserLocation.getDefaultInstance()) {
             userlocation_ =
@@ -25235,7 +25197,7 @@ public ch.epfl.dedis.lib.proto.Personhood.UserLocationOrBuilder getUserlocationO
        * optional bool wipe = 2;
        */
       public boolean hasWipe() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * optional bool wipe = 2;
@@ -25387,7 +25349,7 @@ private MeetupResponse(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 users_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -25410,7 +25372,7 @@ private MeetupResponse(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           users_ = java.util.Collections.unmodifiableList(users_);
         }
         this.unknownFields = unknownFields.build();
@@ -25516,11 +25478,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.Personhood.MeetupResponse other = (ch.epfl.dedis.lib.proto.Personhood.MeetupResponse) obj;
 
-      boolean result = true;
-      result = result && getUsersList()
-          .equals(other.getUsersList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getUsersList()
+          .equals(other.getUsersList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -25706,7 +25667,7 @@ public ch.epfl.dedis.lib.proto.Personhood.MeetupResponse buildPartial() {
         ch.epfl.dedis.lib.proto.Personhood.MeetupResponse result = new ch.epfl.dedis.lib.proto.Personhood.MeetupResponse(this);
         int from_bitField0_ = bitField0_;
         if (usersBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             users_ = java.util.Collections.unmodifiableList(users_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -25720,35 +25681,35 @@ public ch.epfl.dedis.lib.proto.Personhood.MeetupResponse buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -25826,7 +25787,7 @@ public Builder mergeFrom(
       private java.util.List users_ =
         java.util.Collections.emptyList();
       private void ensureUsersIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           users_ = new java.util.ArrayList(users_);
           bitField0_ |= 0x00000001;
          }
@@ -26055,7 +26016,7 @@ public ch.epfl.dedis.lib.proto.Personhood.UserLocation.Builder addUsersBuilder(
           usersBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.Personhood.UserLocation, ch.epfl.dedis.lib.proto.Personhood.UserLocation.Builder, ch.epfl.dedis.lib.proto.Personhood.UserLocationOrBuilder>(
                   users_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           users_ = null;
diff --git a/external/java/src/main/java/ch/epfl/dedis/lib/proto/SkipchainProto.java b/external/java/src/main/java/ch/epfl/dedis/lib/proto/SkipchainProto.java
index c32d33035b..f1717227bc 100644
--- a/external/java/src/main/java/ch/epfl/dedis/lib/proto/SkipchainProto.java
+++ b/external/java/src/main/java/ch/epfl/dedis/lib/proto/SkipchainProto.java
@@ -104,7 +104,7 @@ private StoreSkipBlock(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = newBlock_.toBuilder();
               }
               newBlock_ = input.readMessage(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.parser(), extensionRegistry);
@@ -159,7 +159,7 @@ private StoreSkipBlock(
      * required bytes targetSkipChainID = 1;
      */
     public boolean hasTargetSkipChainID() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes targetSkipChainID = 1;
@@ -174,7 +174,7 @@ public com.google.protobuf.ByteString getTargetSkipChainID() {
      * required .skipchain.SkipBlock newBlock = 2;
      */
     public boolean hasNewBlock() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required .skipchain.SkipBlock newBlock = 2;
@@ -195,7 +195,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder getNewBlockOrBu
      * optional bytes signature = 3;
      */
     public boolean hasSignature() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * optional bytes signature = 3;
@@ -230,13 +230,13 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, targetSkipChainID_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getNewBlock());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeBytes(3, signature_);
       }
       unknownFields.writeTo(output);
@@ -248,15 +248,15 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, targetSkipChainID_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getNewBlock());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, signature_);
       }
@@ -275,24 +275,23 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.SkipchainProto.StoreSkipBlock other = (ch.epfl.dedis.lib.proto.SkipchainProto.StoreSkipBlock) obj;
 
-      boolean result = true;
-      result = result && (hasTargetSkipChainID() == other.hasTargetSkipChainID());
+      if (hasTargetSkipChainID() != other.hasTargetSkipChainID()) return false;
       if (hasTargetSkipChainID()) {
-        result = result && getTargetSkipChainID()
-            .equals(other.getTargetSkipChainID());
+        if (!getTargetSkipChainID()
+            .equals(other.getTargetSkipChainID())) return false;
       }
-      result = result && (hasNewBlock() == other.hasNewBlock());
+      if (hasNewBlock() != other.hasNewBlock()) return false;
       if (hasNewBlock()) {
-        result = result && getNewBlock()
-            .equals(other.getNewBlock());
+        if (!getNewBlock()
+            .equals(other.getNewBlock())) return false;
       }
-      result = result && (hasSignature() == other.hasSignature());
+      if (hasSignature() != other.hasSignature()) return false;
       if (hasSignature()) {
-        result = result && getSignature()
-            .equals(other.getSignature());
+        if (!getSignature()
+            .equals(other.getSignature())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -493,19 +492,19 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.StoreSkipBlock buildPartial() {
         ch.epfl.dedis.lib.proto.SkipchainProto.StoreSkipBlock result = new ch.epfl.dedis.lib.proto.SkipchainProto.StoreSkipBlock(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.targetSkipChainID_ = targetSkipChainID_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (newBlockBuilder_ == null) {
+            result.newBlock_ = newBlock_;
+          } else {
+            result.newBlock_ = newBlockBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (newBlockBuilder_ == null) {
-          result.newBlock_ = newBlock_;
-        } else {
-          result.newBlock_ = newBlockBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.signature_ = signature_;
@@ -516,35 +515,35 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.StoreSkipBlock buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -611,7 +610,7 @@ public Builder mergeFrom(
        * required bytes targetSkipChainID = 1;
        */
       public boolean hasTargetSkipChainID() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes targetSkipChainID = 1;
@@ -641,14 +640,14 @@ public Builder clearTargetSkipChainID() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock newBlock_ = null;
+      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock newBlock_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder> newBlockBuilder_;
       /**
        * required .skipchain.SkipBlock newBlock = 2;
        */
       public boolean hasNewBlock() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required .skipchain.SkipBlock newBlock = 2;
@@ -695,7 +694,7 @@ public Builder setNewBlock(
        */
       public Builder mergeNewBlock(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock value) {
         if (newBlockBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               newBlock_ != null &&
               newBlock_ != ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.getDefaultInstance()) {
             newBlock_ =
@@ -764,7 +763,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder getNewBlockOrBu
        * optional bytes signature = 3;
        */
       public boolean hasSignature() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * optional bytes signature = 3;
@@ -922,7 +921,7 @@ private StoreSkipBlockReply(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = previous_.toBuilder();
               }
               previous_ = input.readMessage(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.parser(), extensionRegistry);
@@ -935,7 +934,7 @@ private StoreSkipBlockReply(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = latest_.toBuilder();
               }
               latest_ = input.readMessage(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.parser(), extensionRegistry);
@@ -985,7 +984,7 @@ private StoreSkipBlockReply(
      * optional .skipchain.SkipBlock previous = 1;
      */
     public boolean hasPrevious() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * optional .skipchain.SkipBlock previous = 1;
@@ -1006,7 +1005,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder getPreviousOrBu
      * required .skipchain.SkipBlock latest = 2;
      */
     public boolean hasLatest() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required .skipchain.SkipBlock latest = 2;
@@ -1049,10 +1048,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getPrevious());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(2, getLatest());
       }
       unknownFields.writeTo(output);
@@ -1064,11 +1063,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getPrevious());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getLatest());
       }
@@ -1087,19 +1086,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.SkipchainProto.StoreSkipBlockReply other = (ch.epfl.dedis.lib.proto.SkipchainProto.StoreSkipBlockReply) obj;
 
-      boolean result = true;
-      result = result && (hasPrevious() == other.hasPrevious());
+      if (hasPrevious() != other.hasPrevious()) return false;
       if (hasPrevious()) {
-        result = result && getPrevious()
-            .equals(other.getPrevious());
+        if (!getPrevious()
+            .equals(other.getPrevious())) return false;
       }
-      result = result && (hasLatest() == other.hasLatest());
+      if (hasLatest() != other.hasLatest()) return false;
       if (hasLatest()) {
-        result = result && getLatest()
-            .equals(other.getLatest());
+        if (!getLatest()
+            .equals(other.getLatest())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -1297,22 +1295,22 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.StoreSkipBlockReply buildPartial()
         ch.epfl.dedis.lib.proto.SkipchainProto.StoreSkipBlockReply result = new ch.epfl.dedis.lib.proto.SkipchainProto.StoreSkipBlockReply(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (previousBuilder_ == null) {
+            result.previous_ = previous_;
+          } else {
+            result.previous_ = previousBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (previousBuilder_ == null) {
-          result.previous_ = previous_;
-        } else {
-          result.previous_ = previousBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (latestBuilder_ == null) {
+            result.latest_ = latest_;
+          } else {
+            result.latest_ = latestBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (latestBuilder_ == null) {
-          result.latest_ = latest_;
-        } else {
-          result.latest_ = latestBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -1320,35 +1318,35 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.StoreSkipBlockReply buildPartial()
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -1409,14 +1407,14 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock previous_ = null;
+      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock previous_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder> previousBuilder_;
       /**
        * optional .skipchain.SkipBlock previous = 1;
        */
       public boolean hasPrevious() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * optional .skipchain.SkipBlock previous = 1;
@@ -1463,7 +1461,7 @@ public Builder setPrevious(
        */
       public Builder mergePrevious(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock value) {
         if (previousBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               previous_ != null &&
               previous_ != ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.getDefaultInstance()) {
             previous_ =
@@ -1527,14 +1525,14 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder getPreviousOrBu
         return previousBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock latest_ = null;
+      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock latest_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder> latestBuilder_;
       /**
        * required .skipchain.SkipBlock latest = 2;
        */
       public boolean hasLatest() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required .skipchain.SkipBlock latest = 2;
@@ -1581,7 +1579,7 @@ public Builder setLatest(
        */
       public Builder mergeLatest(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock value) {
         if (latestBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               latest_ != null &&
               latest_ != ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.getDefaultInstance()) {
             latest_ =
@@ -1814,9 +1812,8 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.SkipchainProto.GetAllSkipChainIDs other = (ch.epfl.dedis.lib.proto.SkipchainProto.GetAllSkipChainIDs) obj;
 
-      boolean result = true;
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -1996,35 +1993,35 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.GetAllSkipChainIDs buildPartial()
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -2181,7 +2178,7 @@ private GetAllSkipChainIDsReply(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 skipChainIDs_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -2203,8 +2200,8 @@ private GetAllSkipChainIDsReply(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
-          skipChainIDs_ = java.util.Collections.unmodifiableList(skipChainIDs_);
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
+          skipChainIDs_ = java.util.Collections.unmodifiableList(skipChainIDs_); // C
         }
         this.unknownFields = unknownFields.build();
         makeExtensionsImmutable();
@@ -2295,11 +2292,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.SkipchainProto.GetAllSkipChainIDsReply other = (ch.epfl.dedis.lib.proto.SkipchainProto.GetAllSkipChainIDsReply) obj;
 
-      boolean result = true;
-      result = result && getSkipChainIDsList()
-          .equals(other.getSkipChainIDsList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getSkipChainIDsList()
+          .equals(other.getSkipChainIDsList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -2479,7 +2475,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.GetAllSkipChainIDsReply build() {
       public ch.epfl.dedis.lib.proto.SkipchainProto.GetAllSkipChainIDsReply buildPartial() {
         ch.epfl.dedis.lib.proto.SkipchainProto.GetAllSkipChainIDsReply result = new ch.epfl.dedis.lib.proto.SkipchainProto.GetAllSkipChainIDsReply(this);
         int from_bitField0_ = bitField0_;
-        if (((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((bitField0_ & 0x00000001) != 0)) {
           skipChainIDs_ = java.util.Collections.unmodifiableList(skipChainIDs_);
           bitField0_ = (bitField0_ & ~0x00000001);
         }
@@ -2490,35 +2486,35 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.GetAllSkipChainIDsReply buildParti
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -2574,7 +2570,7 @@ public Builder mergeFrom(
 
       private java.util.List skipChainIDs_ = java.util.Collections.emptyList();
       private void ensureSkipChainIDsIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           skipChainIDs_ = new java.util.ArrayList(skipChainIDs_);
           bitField0_ |= 0x00000001;
          }
@@ -2584,7 +2580,8 @@ private void ensureSkipChainIDsIsMutable() {
        */
       public java.util.List
           getSkipChainIDsList() {
-        return java.util.Collections.unmodifiableList(skipChainIDs_);
+        return ((bitField0_ & 0x00000001) != 0) ?
+                 java.util.Collections.unmodifiableList(skipChainIDs_) : skipChainIDs_;
       }
       /**
        * repeated bytes skipChainIDs = 1;
@@ -2797,7 +2794,7 @@ private GetSingleBlock(
      * required bytes id = 1;
      */
     public boolean hasId() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes id = 1;
@@ -2824,7 +2821,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, id_);
       }
       unknownFields.writeTo(output);
@@ -2836,7 +2833,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, id_);
       }
@@ -2855,14 +2852,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlock other = (ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlock) obj;
 
-      boolean result = true;
-      result = result && (hasId() == other.hasId());
+      if (hasId() != other.hasId()) return false;
       if (hasId()) {
-        result = result && getId()
-            .equals(other.getId());
+        if (!getId()
+            .equals(other.getId())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -3043,7 +3039,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlock buildPartial() {
         ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlock result = new ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlock(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.id_ = id_;
@@ -3054,35 +3050,35 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlock buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -3137,7 +3133,7 @@ public Builder mergeFrom(
        * required bytes id = 1;
        */
       public boolean hasId() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes id = 1;
@@ -3260,7 +3256,6 @@ private GetSingleBlockByIndex(com.google.protobuf.GeneratedMessageV3.Builder
     }
     private GetSingleBlockByIndex() {
       genesis_ = com.google.protobuf.ByteString.EMPTY;
-      index_ = 0;
     }
 
     @java.lang.Override
@@ -3336,7 +3331,7 @@ private GetSingleBlockByIndex(
      * required bytes genesis = 1;
      */
     public boolean hasGenesis() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes genesis = 1;
@@ -3351,7 +3346,7 @@ public com.google.protobuf.ByteString getGenesis() {
      * required sint32 index = 2;
      */
     public boolean hasIndex() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required sint32 index = 2;
@@ -3382,10 +3377,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, genesis_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeSInt32(2, index_);
       }
       unknownFields.writeTo(output);
@@ -3397,11 +3392,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, genesis_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(2, index_);
       }
@@ -3420,19 +3415,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlockByIndex other = (ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlockByIndex) obj;
 
-      boolean result = true;
-      result = result && (hasGenesis() == other.hasGenesis());
+      if (hasGenesis() != other.hasGenesis()) return false;
       if (hasGenesis()) {
-        result = result && getGenesis()
-            .equals(other.getGenesis());
+        if (!getGenesis()
+            .equals(other.getGenesis())) return false;
       }
-      result = result && (hasIndex() == other.hasIndex());
+      if (hasIndex() != other.hasIndex()) return false;
       if (hasIndex()) {
-        result = result && (getIndex()
-            == other.getIndex());
+        if (getIndex()
+            != other.getIndex()) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -3620,14 +3614,14 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlockByIndex buildPartial
         ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlockByIndex result = new ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlockByIndex(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.genesis_ = genesis_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          result.index_ = index_;
           to_bitField0_ |= 0x00000002;
         }
-        result.index_ = index_;
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -3635,35 +3629,35 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlockByIndex buildPartial
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -3724,7 +3718,7 @@ public Builder mergeFrom(
        * required bytes genesis = 1;
        */
       public boolean hasGenesis() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes genesis = 1;
@@ -3759,7 +3753,7 @@ public Builder clearGenesis() {
        * required sint32 index = 2;
        */
       public boolean hasIndex() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required sint32 index = 2;
@@ -3926,7 +3920,7 @@ private GetSingleBlockByIndexReply(
               break;
             case 10: {
               ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = skipblock_.toBuilder();
               }
               skipblock_ = input.readMessage(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.parser(), extensionRegistry);
@@ -3938,7 +3932,7 @@ private GetSingleBlockByIndexReply(
               break;
             }
             case 18: {
-              if (!((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
+              if (!((mutable_bitField0_ & 0x00000002) != 0)) {
                 links_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000002;
               }
@@ -3961,7 +3955,7 @@ private GetSingleBlockByIndexReply(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((mutable_bitField0_ & 0x00000002) != 0)) {
           links_ = java.util.Collections.unmodifiableList(links_);
         }
         this.unknownFields = unknownFields.build();
@@ -3988,7 +3982,7 @@ private GetSingleBlockByIndexReply(
      * required .skipchain.SkipBlock skipblock = 1;
      */
     public boolean hasSkipblock() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required .skipchain.SkipBlock skipblock = 1;
@@ -4066,7 +4060,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(1, getSkipblock());
       }
       for (int i = 0; i < links_.size(); i++) {
@@ -4081,7 +4075,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, getSkipblock());
       }
@@ -4104,16 +4098,15 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlockByIndexReply other = (ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlockByIndexReply) obj;
 
-      boolean result = true;
-      result = result && (hasSkipblock() == other.hasSkipblock());
+      if (hasSkipblock() != other.hasSkipblock()) return false;
       if (hasSkipblock()) {
-        result = result && getSkipblock()
-            .equals(other.getSkipblock());
+        if (!getSkipblock()
+            .equals(other.getSkipblock())) return false;
       }
-      result = result && getLinksList()
-          .equals(other.getLinksList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getLinksList()
+          .equals(other.getLinksList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -4311,16 +4304,16 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlockByIndexReply buildPa
         ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlockByIndexReply result = new ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlockByIndexReply(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          if (skipblockBuilder_ == null) {
+            result.skipblock_ = skipblock_;
+          } else {
+            result.skipblock_ = skipblockBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (skipblockBuilder_ == null) {
-          result.skipblock_ = skipblock_;
-        } else {
-          result.skipblock_ = skipblockBuilder_.build();
-        }
         if (linksBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002)) {
+          if (((bitField0_ & 0x00000002) != 0)) {
             links_ = java.util.Collections.unmodifiableList(links_);
             bitField0_ = (bitField0_ & ~0x00000002);
           }
@@ -4335,35 +4328,35 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.GetSingleBlockByIndexReply buildPa
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -4447,14 +4440,14 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock skipblock_ = null;
+      private ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock skipblock_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder> skipblockBuilder_;
       /**
        * required .skipchain.SkipBlock skipblock = 1;
        */
       public boolean hasSkipblock() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required .skipchain.SkipBlock skipblock = 1;
@@ -4501,7 +4494,7 @@ public Builder setSkipblock(
        */
       public Builder mergeSkipblock(ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock value) {
         if (skipblockBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001) &&
+          if (((bitField0_ & 0x00000001) != 0) &&
               skipblock_ != null &&
               skipblock_ != ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.getDefaultInstance()) {
             skipblock_ =
@@ -4568,7 +4561,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder getSkipblockOrB
       private java.util.List links_ =
         java.util.Collections.emptyList();
       private void ensureLinksIsMutable() {
-        if (!((bitField0_ & 0x00000002) == 0x00000002)) {
+        if (!((bitField0_ & 0x00000002) != 0)) {
           links_ = new java.util.ArrayList(links_);
           bitField0_ |= 0x00000002;
          }
@@ -4797,7 +4790,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink.Builder addLinksBuilde
           linksBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink, ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink.Builder, ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLinkOrBuilder>(
                   links_,
-                  ((bitField0_ & 0x00000002) == 0x00000002),
+                  ((bitField0_ & 0x00000002) != 0),
                   getParentForChildren(),
                   isClean());
           links_ = null;
@@ -4972,7 +4965,7 @@ private GetUpdateChain(
      * required bytes latestID = 1;
      */
     public boolean hasLatestID() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * 
@@ -5003,7 +4996,7 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, latestID_);
       }
       unknownFields.writeTo(output);
@@ -5015,7 +5008,7 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, latestID_);
       }
@@ -5034,14 +5027,13 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.SkipchainProto.GetUpdateChain other = (ch.epfl.dedis.lib.proto.SkipchainProto.GetUpdateChain) obj;
 
-      boolean result = true;
-      result = result && (hasLatestID() == other.hasLatestID());
+      if (hasLatestID() != other.hasLatestID()) return false;
       if (hasLatestID()) {
-        result = result && getLatestID()
-            .equals(other.getLatestID());
+        if (!getLatestID()
+            .equals(other.getLatestID())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -5224,7 +5216,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.GetUpdateChain buildPartial() {
         ch.epfl.dedis.lib.proto.SkipchainProto.GetUpdateChain result = new ch.epfl.dedis.lib.proto.SkipchainProto.GetUpdateChain(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.latestID_ = latestID_;
@@ -5235,35 +5227,35 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.GetUpdateChain buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -5322,7 +5314,7 @@ public Builder mergeFrom(
        * required bytes latestID = 1;
        */
       public boolean hasLatestID() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * 
@@ -5515,7 +5507,7 @@ private GetUpdateChainReply(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 update_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -5538,7 +5530,7 @@ private GetUpdateChainReply(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           update_ = java.util.Collections.unmodifiableList(update_);
         }
         this.unknownFields = unknownFields.build();
@@ -5669,11 +5661,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.SkipchainProto.GetUpdateChainReply other = (ch.epfl.dedis.lib.proto.SkipchainProto.GetUpdateChainReply) obj;
 
-      boolean result = true;
-      result = result && getUpdateList()
-          .equals(other.getUpdateList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getUpdateList()
+          .equals(other.getUpdateList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -5860,7 +5851,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.GetUpdateChainReply buildPartial()
         ch.epfl.dedis.lib.proto.SkipchainProto.GetUpdateChainReply result = new ch.epfl.dedis.lib.proto.SkipchainProto.GetUpdateChainReply(this);
         int from_bitField0_ = bitField0_;
         if (updateBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             update_ = java.util.Collections.unmodifiableList(update_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -5874,35 +5865,35 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.GetUpdateChainReply buildPartial()
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -5980,7 +5971,7 @@ public Builder mergeFrom(
       private java.util.List update_ =
         java.util.Collections.emptyList();
       private void ensureUpdateIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           update_ = new java.util.ArrayList(update_);
           bitField0_ |= 0x00000001;
          }
@@ -6299,7 +6290,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder addUpdateBuilder
           updateBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock.Builder, ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlockOrBuilder>(
                   update_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           update_ = null;
@@ -6511,10 +6502,6 @@ private SkipBlock(com.google.protobuf.GeneratedMessageV3.Builder builder) {
       super(builder);
     }
     private SkipBlock() {
-      index_ = 0;
-      height_ = 0;
-      maxHeight_ = 0;
-      baseHeight_ = 0;
       backlinks_ = java.util.Collections.emptyList();
       verifiers_ = java.util.Collections.emptyList();
       genesis_ = com.google.protobuf.ByteString.EMPTY;
@@ -6569,7 +6556,7 @@ private SkipBlock(
               break;
             }
             case 42: {
-              if (!((mutable_bitField0_ & 0x00000010) == 0x00000010)) {
+              if (!((mutable_bitField0_ & 0x00000010) != 0)) {
                 backlinks_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000010;
               }
@@ -6577,7 +6564,7 @@ private SkipBlock(
               break;
             }
             case 50: {
-              if (!((mutable_bitField0_ & 0x00000020) == 0x00000020)) {
+              if (!((mutable_bitField0_ & 0x00000020) != 0)) {
                 verifiers_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000020;
               }
@@ -6596,7 +6583,7 @@ private SkipBlock(
             }
             case 74: {
               ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000040) == 0x00000040)) {
+              if (((bitField0_ & 0x00000040) != 0)) {
                 subBuilder = roster_.toBuilder();
               }
               roster_ = input.readMessage(ch.epfl.dedis.lib.proto.OnetProto.Roster.parser(), extensionRegistry);
@@ -6613,7 +6600,7 @@ private SkipBlock(
               break;
             }
             case 90: {
-              if (!((mutable_bitField0_ & 0x00000400) == 0x00000400)) {
+              if (!((mutable_bitField0_ & 0x00000400) != 0)) {
                 forward_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000400;
               }
@@ -6641,13 +6628,13 @@ private SkipBlock(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000010) == 0x00000010)) {
-          backlinks_ = java.util.Collections.unmodifiableList(backlinks_);
+        if (((mutable_bitField0_ & 0x00000010) != 0)) {
+          backlinks_ = java.util.Collections.unmodifiableList(backlinks_); // C
         }
-        if (((mutable_bitField0_ & 0x00000020) == 0x00000020)) {
-          verifiers_ = java.util.Collections.unmodifiableList(verifiers_);
+        if (((mutable_bitField0_ & 0x00000020) != 0)) {
+          verifiers_ = java.util.Collections.unmodifiableList(verifiers_); // C
         }
-        if (((mutable_bitField0_ & 0x00000400) == 0x00000400)) {
+        if (((mutable_bitField0_ & 0x00000400) != 0)) {
           forward_ = java.util.Collections.unmodifiableList(forward_);
         }
         this.unknownFields = unknownFields.build();
@@ -6674,7 +6661,7 @@ private SkipBlock(
      * required sint32 index = 1;
      */
     public boolean hasIndex() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required sint32 index = 1;
@@ -6689,7 +6676,7 @@ public int getIndex() {
      * required sint32 height = 2;
      */
     public boolean hasHeight() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required sint32 height = 2;
@@ -6704,7 +6691,7 @@ public int getHeight() {
      * required sint32 max_height = 3;
      */
     public boolean hasMaxHeight() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * required sint32 max_height = 3;
@@ -6719,7 +6706,7 @@ public int getMaxHeight() {
      * required sint32 base_height = 4;
      */
     public boolean hasBaseHeight() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * required sint32 base_height = 4;
@@ -6778,7 +6765,7 @@ public com.google.protobuf.ByteString getVerifiers(int index) {
      * required bytes genesis = 7;
      */
     public boolean hasGenesis() {
-      return ((bitField0_ & 0x00000010) == 0x00000010);
+      return ((bitField0_ & 0x00000010) != 0);
     }
     /**
      * required bytes genesis = 7;
@@ -6793,7 +6780,7 @@ public com.google.protobuf.ByteString getGenesis() {
      * required bytes data = 8;
      */
     public boolean hasData() {
-      return ((bitField0_ & 0x00000020) == 0x00000020);
+      return ((bitField0_ & 0x00000020) != 0);
     }
     /**
      * required bytes data = 8;
@@ -6808,7 +6795,7 @@ public com.google.protobuf.ByteString getData() {
      * required .onet.Roster roster = 9;
      */
     public boolean hasRoster() {
-      return ((bitField0_ & 0x00000040) == 0x00000040);
+      return ((bitField0_ & 0x00000040) != 0);
     }
     /**
      * required .onet.Roster roster = 9;
@@ -6829,7 +6816,7 @@ public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getRosterOrBuilder() {
      * required bytes hash = 10;
      */
     public boolean hasHash() {
-      return ((bitField0_ & 0x00000080) == 0x00000080);
+      return ((bitField0_ & 0x00000080) != 0);
     }
     /**
      * required bytes hash = 10;
@@ -6879,7 +6866,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLinkOrBuilder getForwardOrB
      * optional bytes payload = 12;
      */
     public boolean hasPayload() {
-      return ((bitField0_ & 0x00000100) == 0x00000100);
+      return ((bitField0_ & 0x00000100) != 0);
     }
     /**
      * optional bytes payload = 12;
@@ -6944,16 +6931,16 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeSInt32(1, index_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeSInt32(2, height_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeSInt32(3, maxHeight_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeSInt32(4, baseHeight_);
       }
       for (int i = 0; i < backlinks_.size(); i++) {
@@ -6962,22 +6949,22 @@ public void writeTo(com.google.protobuf.CodedOutputStream output)
       for (int i = 0; i < verifiers_.size(); i++) {
         output.writeBytes(6, verifiers_.get(i));
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         output.writeBytes(7, genesis_);
       }
-      if (((bitField0_ & 0x00000020) == 0x00000020)) {
+      if (((bitField0_ & 0x00000020) != 0)) {
         output.writeBytes(8, data_);
       }
-      if (((bitField0_ & 0x00000040) == 0x00000040)) {
+      if (((bitField0_ & 0x00000040) != 0)) {
         output.writeMessage(9, getRoster());
       }
-      if (((bitField0_ & 0x00000080) == 0x00000080)) {
+      if (((bitField0_ & 0x00000080) != 0)) {
         output.writeBytes(10, hash_);
       }
       for (int i = 0; i < forward_.size(); i++) {
         output.writeMessage(11, forward_.get(i));
       }
-      if (((bitField0_ & 0x00000100) == 0x00000100)) {
+      if (((bitField0_ & 0x00000100) != 0)) {
         output.writeBytes(12, payload_);
       }
       unknownFields.writeTo(output);
@@ -6989,19 +6976,19 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(1, index_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(2, height_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(3, maxHeight_);
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(4, baseHeight_);
       }
@@ -7023,19 +7010,19 @@ public int getSerializedSize() {
         size += dataSize;
         size += 1 * getVerifiersList().size();
       }
-      if (((bitField0_ & 0x00000010) == 0x00000010)) {
+      if (((bitField0_ & 0x00000010) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(7, genesis_);
       }
-      if (((bitField0_ & 0x00000020) == 0x00000020)) {
+      if (((bitField0_ & 0x00000020) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(8, data_);
       }
-      if (((bitField0_ & 0x00000040) == 0x00000040)) {
+      if (((bitField0_ & 0x00000040) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(9, getRoster());
       }
-      if (((bitField0_ & 0x00000080) == 0x00000080)) {
+      if (((bitField0_ & 0x00000080) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(10, hash_);
       }
@@ -7043,7 +7030,7 @@ public int getSerializedSize() {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(11, forward_.get(i));
       }
-      if (((bitField0_ & 0x00000100) == 0x00000100)) {
+      if (((bitField0_ & 0x00000100) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(12, payload_);
       }
@@ -7062,60 +7049,59 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock other = (ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock) obj;
 
-      boolean result = true;
-      result = result && (hasIndex() == other.hasIndex());
+      if (hasIndex() != other.hasIndex()) return false;
       if (hasIndex()) {
-        result = result && (getIndex()
-            == other.getIndex());
+        if (getIndex()
+            != other.getIndex()) return false;
       }
-      result = result && (hasHeight() == other.hasHeight());
+      if (hasHeight() != other.hasHeight()) return false;
       if (hasHeight()) {
-        result = result && (getHeight()
-            == other.getHeight());
+        if (getHeight()
+            != other.getHeight()) return false;
       }
-      result = result && (hasMaxHeight() == other.hasMaxHeight());
+      if (hasMaxHeight() != other.hasMaxHeight()) return false;
       if (hasMaxHeight()) {
-        result = result && (getMaxHeight()
-            == other.getMaxHeight());
+        if (getMaxHeight()
+            != other.getMaxHeight()) return false;
       }
-      result = result && (hasBaseHeight() == other.hasBaseHeight());
+      if (hasBaseHeight() != other.hasBaseHeight()) return false;
       if (hasBaseHeight()) {
-        result = result && (getBaseHeight()
-            == other.getBaseHeight());
-      }
-      result = result && getBacklinksList()
-          .equals(other.getBacklinksList());
-      result = result && getVerifiersList()
-          .equals(other.getVerifiersList());
-      result = result && (hasGenesis() == other.hasGenesis());
+        if (getBaseHeight()
+            != other.getBaseHeight()) return false;
+      }
+      if (!getBacklinksList()
+          .equals(other.getBacklinksList())) return false;
+      if (!getVerifiersList()
+          .equals(other.getVerifiersList())) return false;
+      if (hasGenesis() != other.hasGenesis()) return false;
       if (hasGenesis()) {
-        result = result && getGenesis()
-            .equals(other.getGenesis());
+        if (!getGenesis()
+            .equals(other.getGenesis())) return false;
       }
-      result = result && (hasData() == other.hasData());
+      if (hasData() != other.hasData()) return false;
       if (hasData()) {
-        result = result && getData()
-            .equals(other.getData());
+        if (!getData()
+            .equals(other.getData())) return false;
       }
-      result = result && (hasRoster() == other.hasRoster());
+      if (hasRoster() != other.hasRoster()) return false;
       if (hasRoster()) {
-        result = result && getRoster()
-            .equals(other.getRoster());
+        if (!getRoster()
+            .equals(other.getRoster())) return false;
       }
-      result = result && (hasHash() == other.hasHash());
+      if (hasHash() != other.hasHash()) return false;
       if (hasHash()) {
-        result = result && getHash()
-            .equals(other.getHash());
+        if (!getHash()
+            .equals(other.getHash())) return false;
       }
-      result = result && getForwardList()
-          .equals(other.getForwardList());
-      result = result && (hasPayload() == other.hasPayload());
+      if (!getForwardList()
+          .equals(other.getForwardList())) return false;
+      if (hasPayload() != other.hasPayload()) return false;
       if (hasPayload()) {
-        result = result && getPayload()
-            .equals(other.getPayload());
+        if (!getPayload()
+            .equals(other.getPayload())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -7368,54 +7354,54 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock buildPartial() {
         ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock result = new ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.index_ = index_;
           to_bitField0_ |= 0x00000001;
         }
-        result.index_ = index_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          result.height_ = height_;
           to_bitField0_ |= 0x00000002;
         }
-        result.height_ = height_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          result.maxHeight_ = maxHeight_;
           to_bitField0_ |= 0x00000004;
         }
-        result.maxHeight_ = maxHeight_;
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
+          result.baseHeight_ = baseHeight_;
           to_bitField0_ |= 0x00000008;
         }
-        result.baseHeight_ = baseHeight_;
-        if (((bitField0_ & 0x00000010) == 0x00000010)) {
+        if (((bitField0_ & 0x00000010) != 0)) {
           backlinks_ = java.util.Collections.unmodifiableList(backlinks_);
           bitField0_ = (bitField0_ & ~0x00000010);
         }
         result.backlinks_ = backlinks_;
-        if (((bitField0_ & 0x00000020) == 0x00000020)) {
+        if (((bitField0_ & 0x00000020) != 0)) {
           verifiers_ = java.util.Collections.unmodifiableList(verifiers_);
           bitField0_ = (bitField0_ & ~0x00000020);
         }
         result.verifiers_ = verifiers_;
-        if (((from_bitField0_ & 0x00000040) == 0x00000040)) {
+        if (((from_bitField0_ & 0x00000040) != 0)) {
           to_bitField0_ |= 0x00000010;
         }
         result.genesis_ = genesis_;
-        if (((from_bitField0_ & 0x00000080) == 0x00000080)) {
+        if (((from_bitField0_ & 0x00000080) != 0)) {
           to_bitField0_ |= 0x00000020;
         }
         result.data_ = data_;
-        if (((from_bitField0_ & 0x00000100) == 0x00000100)) {
+        if (((from_bitField0_ & 0x00000100) != 0)) {
+          if (rosterBuilder_ == null) {
+            result.roster_ = roster_;
+          } else {
+            result.roster_ = rosterBuilder_.build();
+          }
           to_bitField0_ |= 0x00000040;
         }
-        if (rosterBuilder_ == null) {
-          result.roster_ = roster_;
-        } else {
-          result.roster_ = rosterBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000200) == 0x00000200)) {
+        if (((from_bitField0_ & 0x00000200) != 0)) {
           to_bitField0_ |= 0x00000080;
         }
         result.hash_ = hash_;
         if (forwardBuilder_ == null) {
-          if (((bitField0_ & 0x00000400) == 0x00000400)) {
+          if (((bitField0_ & 0x00000400) != 0)) {
             forward_ = java.util.Collections.unmodifiableList(forward_);
             bitField0_ = (bitField0_ & ~0x00000400);
           }
@@ -7423,7 +7409,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock buildPartial() {
         } else {
           result.forward_ = forwardBuilder_.build();
         }
-        if (((from_bitField0_ & 0x00000800) == 0x00000800)) {
+        if (((from_bitField0_ & 0x00000800) != 0)) {
           to_bitField0_ |= 0x00000100;
         }
         result.payload_ = payload_;
@@ -7434,35 +7420,35 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.SkipBlock buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -7616,7 +7602,7 @@ public Builder mergeFrom(
        * required sint32 index = 1;
        */
       public boolean hasIndex() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required sint32 index = 1;
@@ -7648,7 +7634,7 @@ public Builder clearIndex() {
        * required sint32 height = 2;
        */
       public boolean hasHeight() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required sint32 height = 2;
@@ -7680,7 +7666,7 @@ public Builder clearHeight() {
        * required sint32 max_height = 3;
        */
       public boolean hasMaxHeight() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required sint32 max_height = 3;
@@ -7712,7 +7698,7 @@ public Builder clearMaxHeight() {
        * required sint32 base_height = 4;
        */
       public boolean hasBaseHeight() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * required sint32 base_height = 4;
@@ -7741,7 +7727,7 @@ public Builder clearBaseHeight() {
 
       private java.util.List backlinks_ = java.util.Collections.emptyList();
       private void ensureBacklinksIsMutable() {
-        if (!((bitField0_ & 0x00000010) == 0x00000010)) {
+        if (!((bitField0_ & 0x00000010) != 0)) {
           backlinks_ = new java.util.ArrayList(backlinks_);
           bitField0_ |= 0x00000010;
          }
@@ -7751,7 +7737,8 @@ private void ensureBacklinksIsMutable() {
        */
       public java.util.List
           getBacklinksList() {
-        return java.util.Collections.unmodifiableList(backlinks_);
+        return ((bitField0_ & 0x00000010) != 0) ?
+                 java.util.Collections.unmodifiableList(backlinks_) : backlinks_;
       }
       /**
        * repeated bytes backlinks = 5;
@@ -7813,7 +7800,7 @@ public Builder clearBacklinks() {
 
       private java.util.List verifiers_ = java.util.Collections.emptyList();
       private void ensureVerifiersIsMutable() {
-        if (!((bitField0_ & 0x00000020) == 0x00000020)) {
+        if (!((bitField0_ & 0x00000020) != 0)) {
           verifiers_ = new java.util.ArrayList(verifiers_);
           bitField0_ |= 0x00000020;
          }
@@ -7823,7 +7810,8 @@ private void ensureVerifiersIsMutable() {
        */
       public java.util.List
           getVerifiersList() {
-        return java.util.Collections.unmodifiableList(verifiers_);
+        return ((bitField0_ & 0x00000020) != 0) ?
+                 java.util.Collections.unmodifiableList(verifiers_) : verifiers_;
       }
       /**
        * repeated bytes verifiers = 6;
@@ -7888,7 +7876,7 @@ public Builder clearVerifiers() {
        * required bytes genesis = 7;
        */
       public boolean hasGenesis() {
-        return ((bitField0_ & 0x00000040) == 0x00000040);
+        return ((bitField0_ & 0x00000040) != 0);
       }
       /**
        * required bytes genesis = 7;
@@ -7923,7 +7911,7 @@ public Builder clearGenesis() {
        * required bytes data = 8;
        */
       public boolean hasData() {
-        return ((bitField0_ & 0x00000080) == 0x00000080);
+        return ((bitField0_ & 0x00000080) != 0);
       }
       /**
        * required bytes data = 8;
@@ -7953,14 +7941,14 @@ public Builder clearData() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.OnetProto.Roster roster_ = null;
+      private ch.epfl.dedis.lib.proto.OnetProto.Roster roster_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.OnetProto.Roster, ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder, ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder> rosterBuilder_;
       /**
        * required .onet.Roster roster = 9;
        */
       public boolean hasRoster() {
-        return ((bitField0_ & 0x00000100) == 0x00000100);
+        return ((bitField0_ & 0x00000100) != 0);
       }
       /**
        * required .onet.Roster roster = 9;
@@ -8007,7 +7995,7 @@ public Builder setRoster(
        */
       public Builder mergeRoster(ch.epfl.dedis.lib.proto.OnetProto.Roster value) {
         if (rosterBuilder_ == null) {
-          if (((bitField0_ & 0x00000100) == 0x00000100) &&
+          if (((bitField0_ & 0x00000100) != 0) &&
               roster_ != null &&
               roster_ != ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance()) {
             roster_ =
@@ -8076,7 +8064,7 @@ public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getRosterOrBuilder() {
        * required bytes hash = 10;
        */
       public boolean hasHash() {
-        return ((bitField0_ & 0x00000200) == 0x00000200);
+        return ((bitField0_ & 0x00000200) != 0);
       }
       /**
        * required bytes hash = 10;
@@ -8109,7 +8097,7 @@ public Builder clearHash() {
       private java.util.List forward_ =
         java.util.Collections.emptyList();
       private void ensureForwardIsMutable() {
-        if (!((bitField0_ & 0x00000400) == 0x00000400)) {
+        if (!((bitField0_ & 0x00000400) != 0)) {
           forward_ = new java.util.ArrayList(forward_);
           bitField0_ |= 0x00000400;
          }
@@ -8338,7 +8326,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink.Builder addForwardBuil
           forwardBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink, ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink.Builder, ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLinkOrBuilder>(
                   forward_,
-                  ((bitField0_ & 0x00000400) == 0x00000400),
+                  ((bitField0_ & 0x00000400) != 0),
                   getParentForChildren(),
                   isClean());
           forward_ = null;
@@ -8351,7 +8339,7 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink.Builder addForwardBuil
        * optional bytes payload = 12;
        */
       public boolean hasPayload() {
-        return ((bitField0_ & 0x00000800) == 0x00000800);
+        return ((bitField0_ & 0x00000800) != 0);
       }
       /**
        * optional bytes payload = 12;
@@ -8534,7 +8522,7 @@ private ForwardLink(
             }
             case 26: {
               ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000004) == 0x00000004)) {
+              if (((bitField0_ & 0x00000004) != 0)) {
                 subBuilder = newRoster_.toBuilder();
               }
               newRoster_ = input.readMessage(ch.epfl.dedis.lib.proto.OnetProto.Roster.parser(), extensionRegistry);
@@ -8547,7 +8535,7 @@ private ForwardLink(
             }
             case 34: {
               ch.epfl.dedis.lib.proto.SkipchainProto.ByzcoinSig.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000008) == 0x00000008)) {
+              if (((bitField0_ & 0x00000008) != 0)) {
                 subBuilder = signature_.toBuilder();
               }
               signature_ = input.readMessage(ch.epfl.dedis.lib.proto.SkipchainProto.ByzcoinSig.parser(), extensionRegistry);
@@ -8597,7 +8585,7 @@ private ForwardLink(
      * required bytes from = 1;
      */
     public boolean hasFrom() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes from = 1;
@@ -8612,7 +8600,7 @@ public com.google.protobuf.ByteString getFrom() {
      * required bytes to = 2;
      */
     public boolean hasTo() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes to = 2;
@@ -8627,7 +8615,7 @@ public com.google.protobuf.ByteString getTo() {
      * optional .onet.Roster newRoster = 3;
      */
     public boolean hasNewRoster() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * optional .onet.Roster newRoster = 3;
@@ -8648,7 +8636,7 @@ public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getNewRosterOrBuilder()
      * required .skipchain.ByzcoinSig signature = 4;
      */
     public boolean hasSignature() {
-      return ((bitField0_ & 0x00000008) == 0x00000008);
+      return ((bitField0_ & 0x00000008) != 0);
     }
     /**
      * required .skipchain.ByzcoinSig signature = 4;
@@ -8699,16 +8687,16 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, from_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, to_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeMessage(3, getNewRoster());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         output.writeMessage(4, getSignature());
       }
       unknownFields.writeTo(output);
@@ -8720,19 +8708,19 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, from_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, to_);
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(3, getNewRoster());
       }
-      if (((bitField0_ & 0x00000008) == 0x00000008)) {
+      if (((bitField0_ & 0x00000008) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(4, getSignature());
       }
@@ -8751,29 +8739,28 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink other = (ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink) obj;
 
-      boolean result = true;
-      result = result && (hasFrom() == other.hasFrom());
+      if (hasFrom() != other.hasFrom()) return false;
       if (hasFrom()) {
-        result = result && getFrom()
-            .equals(other.getFrom());
+        if (!getFrom()
+            .equals(other.getFrom())) return false;
       }
-      result = result && (hasTo() == other.hasTo());
+      if (hasTo() != other.hasTo()) return false;
       if (hasTo()) {
-        result = result && getTo()
-            .equals(other.getTo());
+        if (!getTo()
+            .equals(other.getTo())) return false;
       }
-      result = result && (hasNewRoster() == other.hasNewRoster());
+      if (hasNewRoster() != other.hasNewRoster()) return false;
       if (hasNewRoster()) {
-        result = result && getNewRoster()
-            .equals(other.getNewRoster());
+        if (!getNewRoster()
+            .equals(other.getNewRoster())) return false;
       }
-      result = result && (hasSignature() == other.hasSignature());
+      if (hasSignature() != other.hasSignature()) return false;
       if (hasSignature()) {
-        result = result && getSignature()
-            .equals(other.getSignature());
+        if (!getSignature()
+            .equals(other.getSignature())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -8978,30 +8965,30 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink buildPartial() {
         ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink result = new ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.from_ = from_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.to_ = to_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          if (newRosterBuilder_ == null) {
+            result.newRoster_ = newRoster_;
+          } else {
+            result.newRoster_ = newRosterBuilder_.build();
+          }
           to_bitField0_ |= 0x00000004;
         }
-        if (newRosterBuilder_ == null) {
-          result.newRoster_ = newRoster_;
-        } else {
-          result.newRoster_ = newRosterBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
+          if (signatureBuilder_ == null) {
+            result.signature_ = signature_;
+          } else {
+            result.signature_ = signatureBuilder_.build();
+          }
           to_bitField0_ |= 0x00000008;
         }
-        if (signatureBuilder_ == null) {
-          result.signature_ = signature_;
-        } else {
-          result.signature_ = signatureBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -9009,35 +8996,35 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.ForwardLink buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -9115,7 +9102,7 @@ public Builder mergeFrom(
        * required bytes from = 1;
        */
       public boolean hasFrom() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes from = 1;
@@ -9150,7 +9137,7 @@ public Builder clearFrom() {
        * required bytes to = 2;
        */
       public boolean hasTo() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes to = 2;
@@ -9180,14 +9167,14 @@ public Builder clearTo() {
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.OnetProto.Roster newRoster_ = null;
+      private ch.epfl.dedis.lib.proto.OnetProto.Roster newRoster_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.OnetProto.Roster, ch.epfl.dedis.lib.proto.OnetProto.Roster.Builder, ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder> newRosterBuilder_;
       /**
        * optional .onet.Roster newRoster = 3;
        */
       public boolean hasNewRoster() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * optional .onet.Roster newRoster = 3;
@@ -9234,7 +9221,7 @@ public Builder setNewRoster(
        */
       public Builder mergeNewRoster(ch.epfl.dedis.lib.proto.OnetProto.Roster value) {
         if (newRosterBuilder_ == null) {
-          if (((bitField0_ & 0x00000004) == 0x00000004) &&
+          if (((bitField0_ & 0x00000004) != 0) &&
               newRoster_ != null &&
               newRoster_ != ch.epfl.dedis.lib.proto.OnetProto.Roster.getDefaultInstance()) {
             newRoster_ =
@@ -9298,14 +9285,14 @@ public ch.epfl.dedis.lib.proto.OnetProto.RosterOrBuilder getNewRosterOrBuilder()
         return newRosterBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.SkipchainProto.ByzcoinSig signature_ = null;
+      private ch.epfl.dedis.lib.proto.SkipchainProto.ByzcoinSig signature_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.SkipchainProto.ByzcoinSig, ch.epfl.dedis.lib.proto.SkipchainProto.ByzcoinSig.Builder, ch.epfl.dedis.lib.proto.SkipchainProto.ByzcoinSigOrBuilder> signatureBuilder_;
       /**
        * required .skipchain.ByzcoinSig signature = 4;
        */
       public boolean hasSignature() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * required .skipchain.ByzcoinSig signature = 4;
@@ -9352,7 +9339,7 @@ public Builder setSignature(
        */
       public Builder mergeSignature(ch.epfl.dedis.lib.proto.SkipchainProto.ByzcoinSig value) {
         if (signatureBuilder_ == null) {
-          if (((bitField0_ & 0x00000008) == 0x00000008) &&
+          if (((bitField0_ & 0x00000008) != 0) &&
               signature_ != null &&
               signature_ != ch.epfl.dedis.lib.proto.SkipchainProto.ByzcoinSig.getDefaultInstance()) {
             signature_ =
@@ -9580,7 +9567,7 @@ private ByzcoinSig(
      * required bytes msg = 1;
      */
     public boolean hasMsg() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes msg = 1;
@@ -9595,7 +9582,7 @@ public com.google.protobuf.ByteString getMsg() {
      * required bytes sig = 2;
      */
     public boolean hasSig() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes sig = 2;
@@ -9626,10 +9613,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, msg_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, sig_);
       }
       unknownFields.writeTo(output);
@@ -9641,11 +9628,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, msg_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, sig_);
       }
@@ -9664,19 +9651,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.SkipchainProto.ByzcoinSig other = (ch.epfl.dedis.lib.proto.SkipchainProto.ByzcoinSig) obj;
 
-      boolean result = true;
-      result = result && (hasMsg() == other.hasMsg());
+      if (hasMsg() != other.hasMsg()) return false;
       if (hasMsg()) {
-        result = result && getMsg()
-            .equals(other.getMsg());
+        if (!getMsg()
+            .equals(other.getMsg())) return false;
       }
-      result = result && (hasSig() == other.hasSig());
+      if (hasSig() != other.hasSig()) return false;
       if (hasSig()) {
-        result = result && getSig()
-            .equals(other.getSig());
+        if (!getSig()
+            .equals(other.getSig())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -9859,11 +9845,11 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.ByzcoinSig buildPartial() {
         ch.epfl.dedis.lib.proto.SkipchainProto.ByzcoinSig result = new ch.epfl.dedis.lib.proto.SkipchainProto.ByzcoinSig(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.msg_ = msg_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.sig_ = sig_;
@@ -9874,35 +9860,35 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.ByzcoinSig buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -9963,7 +9949,7 @@ public Builder mergeFrom(
        * required bytes msg = 1;
        */
       public boolean hasMsg() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes msg = 1;
@@ -9998,7 +9984,7 @@ public Builder clearMsg() {
        * required bytes sig = 2;
        */
       public boolean hasSig() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes sig = 2;
@@ -10192,7 +10178,7 @@ private SchnorrSig(
      * required bytes challenge = 1;
      */
     public boolean hasChallenge() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes challenge = 1;
@@ -10207,7 +10193,7 @@ public com.google.protobuf.ByteString getChallenge() {
      * required bytes response = 2;
      */
     public boolean hasResponse() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes response = 2;
@@ -10238,10 +10224,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, challenge_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, response_);
       }
       unknownFields.writeTo(output);
@@ -10253,11 +10239,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, challenge_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, response_);
       }
@@ -10276,19 +10262,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.SkipchainProto.SchnorrSig other = (ch.epfl.dedis.lib.proto.SkipchainProto.SchnorrSig) obj;
 
-      boolean result = true;
-      result = result && (hasChallenge() == other.hasChallenge());
+      if (hasChallenge() != other.hasChallenge()) return false;
       if (hasChallenge()) {
-        result = result && getChallenge()
-            .equals(other.getChallenge());
+        if (!getChallenge()
+            .equals(other.getChallenge())) return false;
       }
-      result = result && (hasResponse() == other.hasResponse());
+      if (hasResponse() != other.hasResponse()) return false;
       if (hasResponse()) {
-        result = result && getResponse()
-            .equals(other.getResponse());
+        if (!getResponse()
+            .equals(other.getResponse())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -10471,11 +10456,11 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.SchnorrSig buildPartial() {
         ch.epfl.dedis.lib.proto.SkipchainProto.SchnorrSig result = new ch.epfl.dedis.lib.proto.SkipchainProto.SchnorrSig(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.challenge_ = challenge_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.response_ = response_;
@@ -10486,35 +10471,35 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.SchnorrSig buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -10575,7 +10560,7 @@ public Builder mergeFrom(
        * required bytes challenge = 1;
        */
       public boolean hasChallenge() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes challenge = 1;
@@ -10610,7 +10595,7 @@ public Builder clearChallenge() {
        * required bytes response = 2;
        */
       public boolean hasResponse() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes response = 2;
@@ -10727,7 +10712,6 @@ private Exception(com.google.protobuf.GeneratedMessageV3.Builder builder) {
       super(builder);
     }
     private Exception() {
-      index_ = 0;
       commitment_ = com.google.protobuf.ByteString.EMPTY;
     }
 
@@ -10804,7 +10788,7 @@ private Exception(
      * required sint32 index = 1;
      */
     public boolean hasIndex() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required sint32 index = 1;
@@ -10819,7 +10803,7 @@ public int getIndex() {
      * required bytes commitment = 2;
      */
     public boolean hasCommitment() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes commitment = 2;
@@ -10850,10 +10834,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeSInt32(1, index_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, commitment_);
       }
       unknownFields.writeTo(output);
@@ -10865,11 +10849,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeSInt32Size(1, index_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, commitment_);
       }
@@ -10888,19 +10872,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.SkipchainProto.Exception other = (ch.epfl.dedis.lib.proto.SkipchainProto.Exception) obj;
 
-      boolean result = true;
-      result = result && (hasIndex() == other.hasIndex());
+      if (hasIndex() != other.hasIndex()) return false;
       if (hasIndex()) {
-        result = result && (getIndex()
-            == other.getIndex());
+        if (getIndex()
+            != other.getIndex()) return false;
       }
-      result = result && (hasCommitment() == other.hasCommitment());
+      if (hasCommitment() != other.hasCommitment()) return false;
       if (hasCommitment()) {
-        result = result && getCommitment()
-            .equals(other.getCommitment());
+        if (!getCommitment()
+            .equals(other.getCommitment())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -11083,11 +11066,11 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.Exception buildPartial() {
         ch.epfl.dedis.lib.proto.SkipchainProto.Exception result = new ch.epfl.dedis.lib.proto.SkipchainProto.Exception(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
+          result.index_ = index_;
           to_bitField0_ |= 0x00000001;
         }
-        result.index_ = index_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.commitment_ = commitment_;
@@ -11098,35 +11081,35 @@ public ch.epfl.dedis.lib.proto.SkipchainProto.Exception buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -11187,7 +11170,7 @@ public Builder mergeFrom(
        * required sint32 index = 1;
        */
       public boolean hasIndex() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required sint32 index = 1;
@@ -11219,7 +11202,7 @@ public Builder clearIndex() {
        * required bytes commitment = 2;
        */
       public boolean hasCommitment() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes commitment = 2;
diff --git a/external/java/src/main/java/ch/epfl/dedis/lib/proto/StatusProto.java b/external/java/src/main/java/ch/epfl/dedis/lib/proto/StatusProto.java
index 15fd7f4fdf..f2ce7b0c36 100644
--- a/external/java/src/main/java/ch/epfl/dedis/lib/proto/StatusProto.java
+++ b/external/java/src/main/java/ch/epfl/dedis/lib/proto/StatusProto.java
@@ -130,9 +130,8 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.StatusProto.Request other = (ch.epfl.dedis.lib.proto.StatusProto.Request) obj;
 
-      boolean result = true;
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -311,35 +310,35 @@ public ch.epfl.dedis.lib.proto.StatusProto.Request buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -529,7 +528,7 @@ private Response(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 status_ = com.google.protobuf.MapField.newMapField(
                     StatusDefaultEntryHolder.defaultEntry);
                 mutable_bitField0_ |= 0x00000001;
@@ -543,7 +542,7 @@ private Response(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = serveridentity_.toBuilder();
               }
               serveridentity_ = input.readMessage(ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity.parser(), extensionRegistry);
@@ -681,7 +680,7 @@ public ch.epfl.dedis.lib.proto.OnetProto.Status getStatusOrThrow(
      * optional .network.ServerIdentity serveridentity = 2;
      */
     public boolean hasServeridentity() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * optional .network.ServerIdentity serveridentity = 2;
@@ -722,7 +721,7 @@ public void writeTo(com.google.protobuf.CodedOutputStream output)
           internalGetStatus(),
           StatusDefaultEntryHolder.defaultEntry,
           1);
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(2, getServeridentity());
       }
       unknownFields.writeTo(output);
@@ -744,7 +743,7 @@ public int getSerializedSize() {
         size += com.google.protobuf.CodedOutputStream
             .computeMessageSize(1, status__);
       }
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getServeridentity());
       }
@@ -763,16 +762,15 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.StatusProto.Response other = (ch.epfl.dedis.lib.proto.StatusProto.Response) obj;
 
-      boolean result = true;
-      result = result && internalGetStatus().equals(
-          other.internalGetStatus());
-      result = result && (hasServeridentity() == other.hasServeridentity());
+      if (!internalGetStatus().equals(
+          other.internalGetStatus())) return false;
+      if (hasServeridentity() != other.hasServeridentity()) return false;
       if (hasServeridentity()) {
-        result = result && getServeridentity()
-            .equals(other.getServeridentity());
+        if (!getServeridentity()
+            .equals(other.getServeridentity())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -987,14 +985,14 @@ public ch.epfl.dedis.lib.proto.StatusProto.Response buildPartial() {
         int to_bitField0_ = 0;
         result.status_ = internalGetStatus();
         result.status_.makeImmutable();
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (serveridentityBuilder_ == null) {
+            result.serveridentity_ = serveridentity_;
+          } else {
+            result.serveridentity_ = serveridentityBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (serveridentityBuilder_ == null) {
-          result.serveridentity_ = serveridentity_;
-        } else {
-          result.serveridentity_ = serveridentityBuilder_.build();
-        }
         result.bitField0_ = to_bitField0_;
         onBuilt();
         return result;
@@ -1002,35 +1000,35 @@ public ch.epfl.dedis.lib.proto.StatusProto.Response buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -1207,14 +1205,14 @@ public Builder putAllStatus(
         return this;
       }
 
-      private ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity serveridentity_ = null;
+      private ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity serveridentity_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity, ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity.Builder, ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentityOrBuilder> serveridentityBuilder_;
       /**
        * optional .network.ServerIdentity serveridentity = 2;
        */
       public boolean hasServeridentity() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * optional .network.ServerIdentity serveridentity = 2;
@@ -1261,7 +1259,7 @@ public Builder setServeridentity(
        */
       public Builder mergeServeridentity(ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity value) {
         if (serveridentityBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               serveridentity_ != null &&
               serveridentity_ != ch.epfl.dedis.lib.proto.NetworkProto.ServerIdentity.getDefaultInstance()) {
             serveridentity_ =
diff --git a/external/java/src/main/java/ch/epfl/dedis/lib/proto/TrieProto.java b/external/java/src/main/java/ch/epfl/dedis/lib/proto/TrieProto.java
index 1bc9b9b4e2..f81f398f4a 100644
--- a/external/java/src/main/java/ch/epfl/dedis/lib/proto/TrieProto.java
+++ b/external/java/src/main/java/ch/epfl/dedis/lib/proto/TrieProto.java
@@ -126,7 +126,7 @@ private InteriorNode(
      * required bytes left = 1;
      */
     public boolean hasLeft() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes left = 1;
@@ -141,7 +141,7 @@ public com.google.protobuf.ByteString getLeft() {
      * required bytes right = 2;
      */
     public boolean hasRight() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes right = 2;
@@ -172,10 +172,10 @@ public final boolean isInitialized() {
     @java.lang.Override
     public void writeTo(com.google.protobuf.CodedOutputStream output)
                         throws java.io.IOException {
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(1, left_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(2, right_);
       }
       unknownFields.writeTo(output);
@@ -187,11 +187,11 @@ public int getSerializedSize() {
       if (size != -1) return size;
 
       size = 0;
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(1, left_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, right_);
       }
@@ -210,19 +210,18 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.TrieProto.InteriorNode other = (ch.epfl.dedis.lib.proto.TrieProto.InteriorNode) obj;
 
-      boolean result = true;
-      result = result && (hasLeft() == other.hasLeft());
+      if (hasLeft() != other.hasLeft()) return false;
       if (hasLeft()) {
-        result = result && getLeft()
-            .equals(other.getLeft());
+        if (!getLeft()
+            .equals(other.getLeft())) return false;
       }
-      result = result && (hasRight() == other.hasRight());
+      if (hasRight() != other.hasRight()) return false;
       if (hasRight()) {
-        result = result && getRight()
-            .equals(other.getRight());
+        if (!getRight()
+            .equals(other.getRight())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -405,11 +404,11 @@ public ch.epfl.dedis.lib.proto.TrieProto.InteriorNode buildPartial() {
         ch.epfl.dedis.lib.proto.TrieProto.InteriorNode result = new ch.epfl.dedis.lib.proto.TrieProto.InteriorNode(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((from_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((from_bitField0_ & 0x00000001) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.left_ = left_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.right_ = right_;
@@ -420,35 +419,35 @@ public ch.epfl.dedis.lib.proto.TrieProto.InteriorNode buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -509,7 +508,7 @@ public Builder mergeFrom(
        * required bytes left = 1;
        */
       public boolean hasLeft() {
-        return ((bitField0_ & 0x00000001) == 0x00000001);
+        return ((bitField0_ & 0x00000001) != 0);
       }
       /**
        * required bytes left = 1;
@@ -544,7 +543,7 @@ public Builder clearLeft() {
        * required bytes right = 2;
        */
       public boolean hasRight() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes right = 2;
@@ -656,7 +655,7 @@ private EmptyNode(com.google.protobuf.GeneratedMessageV3.Builder builder) {
       super(builder);
     }
     private EmptyNode() {
-      prefix_ = java.util.Collections.emptyList();
+      prefix_ = emptyBooleanList();
     }
 
     @java.lang.Override
@@ -684,22 +683,22 @@ private EmptyNode(
               done = true;
               break;
             case 8: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
-                prefix_ = new java.util.ArrayList();
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
+                prefix_ = newBooleanList();
                 mutable_bitField0_ |= 0x00000001;
               }
-              prefix_.add(input.readBool());
+              prefix_.addBoolean(input.readBool());
               break;
             }
             case 10: {
               int length = input.readRawVarint32();
               int limit = input.pushLimit(length);
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001) && input.getBytesUntilLimit() > 0) {
-                prefix_ = new java.util.ArrayList();
+              if (!((mutable_bitField0_ & 0x00000001) != 0) && input.getBytesUntilLimit() > 0) {
+                prefix_ = newBooleanList();
                 mutable_bitField0_ |= 0x00000001;
               }
               while (input.getBytesUntilLimit() > 0) {
-                prefix_.add(input.readBool());
+                prefix_.addBoolean(input.readBool());
               }
               input.popLimit(limit);
               break;
@@ -719,8 +718,8 @@ private EmptyNode(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
-          prefix_ = java.util.Collections.unmodifiableList(prefix_);
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
+          prefix_.makeImmutable(); // C
         }
         this.unknownFields = unknownFields.build();
         makeExtensionsImmutable();
@@ -740,7 +739,7 @@ private EmptyNode(
     }
 
     public static final int PREFIX_FIELD_NUMBER = 1;
-    private java.util.List prefix_;
+    private com.google.protobuf.Internal.BooleanList prefix_;
     /**
      * repeated bool prefix = 1 [packed = true];
      */
@@ -758,7 +757,7 @@ public int getPrefixCount() {
      * repeated bool prefix = 1 [packed = true];
      */
     public boolean getPrefix(int index) {
-      return prefix_.get(index);
+      return prefix_.getBoolean(index);
     }
     private int prefixMemoizedSerializedSize = -1;
 
@@ -782,7 +781,7 @@ public void writeTo(com.google.protobuf.CodedOutputStream output)
         output.writeUInt32NoTag(prefixMemoizedSerializedSize);
       }
       for (int i = 0; i < prefix_.size(); i++) {
-        output.writeBoolNoTag(prefix_.get(i));
+        output.writeBoolNoTag(prefix_.getBoolean(i));
       }
       unknownFields.writeTo(output);
     }
@@ -819,11 +818,10 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.TrieProto.EmptyNode other = (ch.epfl.dedis.lib.proto.TrieProto.EmptyNode) obj;
 
-      boolean result = true;
-      result = result && getPrefixList()
-          .equals(other.getPrefixList());
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!getPrefixList()
+          .equals(other.getPrefixList())) return false;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -970,7 +968,7 @@ private void maybeForceBuilderInitialization() {
       @java.lang.Override
       public Builder clear() {
         super.clear();
-        prefix_ = java.util.Collections.emptyList();
+        prefix_ = emptyBooleanList();
         bitField0_ = (bitField0_ & ~0x00000001);
         return this;
       }
@@ -999,8 +997,8 @@ public ch.epfl.dedis.lib.proto.TrieProto.EmptyNode build() {
       public ch.epfl.dedis.lib.proto.TrieProto.EmptyNode buildPartial() {
         ch.epfl.dedis.lib.proto.TrieProto.EmptyNode result = new ch.epfl.dedis.lib.proto.TrieProto.EmptyNode(this);
         int from_bitField0_ = bitField0_;
-        if (((bitField0_ & 0x00000001) == 0x00000001)) {
-          prefix_ = java.util.Collections.unmodifiableList(prefix_);
+        if (((bitField0_ & 0x00000001) != 0)) {
+          prefix_.makeImmutable();
           bitField0_ = (bitField0_ & ~0x00000001);
         }
         result.prefix_ = prefix_;
@@ -1010,35 +1008,35 @@ public ch.epfl.dedis.lib.proto.TrieProto.EmptyNode buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -1092,10 +1090,10 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private java.util.List prefix_ = java.util.Collections.emptyList();
+      private com.google.protobuf.Internal.BooleanList prefix_ = emptyBooleanList();
       private void ensurePrefixIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
-          prefix_ = new java.util.ArrayList(prefix_);
+        if (!((bitField0_ & 0x00000001) != 0)) {
+          prefix_ = mutableCopy(prefix_);
           bitField0_ |= 0x00000001;
          }
       }
@@ -1104,7 +1102,8 @@ private void ensurePrefixIsMutable() {
        */
       public java.util.List
           getPrefixList() {
-        return java.util.Collections.unmodifiableList(prefix_);
+        return ((bitField0_ & 0x00000001) != 0) ?
+                 java.util.Collections.unmodifiableList(prefix_) : prefix_;
       }
       /**
        * repeated bool prefix = 1 [packed = true];
@@ -1116,7 +1115,7 @@ public int getPrefixCount() {
        * repeated bool prefix = 1 [packed = true];
        */
       public boolean getPrefix(int index) {
-        return prefix_.get(index);
+        return prefix_.getBoolean(index);
       }
       /**
        * repeated bool prefix = 1 [packed = true];
@@ -1124,7 +1123,7 @@ public boolean getPrefix(int index) {
       public Builder setPrefix(
           int index, boolean value) {
         ensurePrefixIsMutable();
-        prefix_.set(index, value);
+        prefix_.setBoolean(index, value);
         onChanged();
         return this;
       }
@@ -1133,7 +1132,7 @@ public Builder setPrefix(
        */
       public Builder addPrefix(boolean value) {
         ensurePrefixIsMutable();
-        prefix_.add(value);
+        prefix_.addBoolean(value);
         onChanged();
         return this;
       }
@@ -1152,7 +1151,7 @@ public Builder addAllPrefix(
        * repeated bool prefix = 1 [packed = true];
        */
       public Builder clearPrefix() {
-        prefix_ = java.util.Collections.emptyList();
+        prefix_ = emptyBooleanList();
         bitField0_ = (bitField0_ & ~0x00000001);
         onChanged();
         return this;
@@ -1258,7 +1257,7 @@ private LeafNode(com.google.protobuf.GeneratedMessageV3.Builder builder) {
       super(builder);
     }
     private LeafNode() {
-      prefix_ = java.util.Collections.emptyList();
+      prefix_ = emptyBooleanList();
       key_ = com.google.protobuf.ByteString.EMPTY;
       value_ = com.google.protobuf.ByteString.EMPTY;
     }
@@ -1288,22 +1287,22 @@ private LeafNode(
               done = true;
               break;
             case 8: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
-                prefix_ = new java.util.ArrayList();
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
+                prefix_ = newBooleanList();
                 mutable_bitField0_ |= 0x00000001;
               }
-              prefix_.add(input.readBool());
+              prefix_.addBoolean(input.readBool());
               break;
             }
             case 10: {
               int length = input.readRawVarint32();
               int limit = input.pushLimit(length);
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001) && input.getBytesUntilLimit() > 0) {
-                prefix_ = new java.util.ArrayList();
+              if (!((mutable_bitField0_ & 0x00000001) != 0) && input.getBytesUntilLimit() > 0) {
+                prefix_ = newBooleanList();
                 mutable_bitField0_ |= 0x00000001;
               }
               while (input.getBytesUntilLimit() > 0) {
-                prefix_.add(input.readBool());
+                prefix_.addBoolean(input.readBool());
               }
               input.popLimit(limit);
               break;
@@ -1333,8 +1332,8 @@ private LeafNode(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
-          prefix_ = java.util.Collections.unmodifiableList(prefix_);
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
+          prefix_.makeImmutable(); // C
         }
         this.unknownFields = unknownFields.build();
         makeExtensionsImmutable();
@@ -1355,7 +1354,7 @@ private LeafNode(
 
     private int bitField0_;
     public static final int PREFIX_FIELD_NUMBER = 1;
-    private java.util.List prefix_;
+    private com.google.protobuf.Internal.BooleanList prefix_;
     /**
      * repeated bool prefix = 1 [packed = true];
      */
@@ -1373,7 +1372,7 @@ public int getPrefixCount() {
      * repeated bool prefix = 1 [packed = true];
      */
     public boolean getPrefix(int index) {
-      return prefix_.get(index);
+      return prefix_.getBoolean(index);
     }
     private int prefixMemoizedSerializedSize = -1;
 
@@ -1383,7 +1382,7 @@ public boolean getPrefix(int index) {
      * required bytes key = 2;
      */
     public boolean hasKey() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required bytes key = 2;
@@ -1398,7 +1397,7 @@ public com.google.protobuf.ByteString getKey() {
      * required bytes value = 3;
      */
     public boolean hasValue() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required bytes value = 3;
@@ -1435,12 +1434,12 @@ public void writeTo(com.google.protobuf.CodedOutputStream output)
         output.writeUInt32NoTag(prefixMemoizedSerializedSize);
       }
       for (int i = 0; i < prefix_.size(); i++) {
-        output.writeBoolNoTag(prefix_.get(i));
+        output.writeBoolNoTag(prefix_.getBoolean(i));
       }
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeBytes(2, key_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeBytes(3, value_);
       }
       unknownFields.writeTo(output);
@@ -1463,11 +1462,11 @@ public int getSerializedSize() {
         }
         prefixMemoizedSerializedSize = dataSize;
       }
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(2, key_);
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(3, value_);
       }
@@ -1486,21 +1485,20 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.TrieProto.LeafNode other = (ch.epfl.dedis.lib.proto.TrieProto.LeafNode) obj;
 
-      boolean result = true;
-      result = result && getPrefixList()
-          .equals(other.getPrefixList());
-      result = result && (hasKey() == other.hasKey());
+      if (!getPrefixList()
+          .equals(other.getPrefixList())) return false;
+      if (hasKey() != other.hasKey()) return false;
       if (hasKey()) {
-        result = result && getKey()
-            .equals(other.getKey());
+        if (!getKey()
+            .equals(other.getKey())) return false;
       }
-      result = result && (hasValue() == other.hasValue());
+      if (hasValue() != other.hasValue()) return false;
       if (hasValue()) {
-        result = result && getValue()
-            .equals(other.getValue());
+        if (!getValue()
+            .equals(other.getValue())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -1655,7 +1653,7 @@ private void maybeForceBuilderInitialization() {
       @java.lang.Override
       public Builder clear() {
         super.clear();
-        prefix_ = java.util.Collections.emptyList();
+        prefix_ = emptyBooleanList();
         bitField0_ = (bitField0_ & ~0x00000001);
         key_ = com.google.protobuf.ByteString.EMPTY;
         bitField0_ = (bitField0_ & ~0x00000002);
@@ -1689,16 +1687,16 @@ public ch.epfl.dedis.lib.proto.TrieProto.LeafNode buildPartial() {
         ch.epfl.dedis.lib.proto.TrieProto.LeafNode result = new ch.epfl.dedis.lib.proto.TrieProto.LeafNode(this);
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
-        if (((bitField0_ & 0x00000001) == 0x00000001)) {
-          prefix_ = java.util.Collections.unmodifiableList(prefix_);
+        if (((bitField0_ & 0x00000001) != 0)) {
+          prefix_.makeImmutable();
           bitField0_ = (bitField0_ & ~0x00000001);
         }
         result.prefix_ = prefix_;
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
           to_bitField0_ |= 0x00000001;
         }
         result.key_ = key_;
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
           to_bitField0_ |= 0x00000002;
         }
         result.value_ = value_;
@@ -1709,35 +1707,35 @@ public ch.epfl.dedis.lib.proto.TrieProto.LeafNode buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -1803,10 +1801,10 @@ public Builder mergeFrom(
       }
       private int bitField0_;
 
-      private java.util.List prefix_ = java.util.Collections.emptyList();
+      private com.google.protobuf.Internal.BooleanList prefix_ = emptyBooleanList();
       private void ensurePrefixIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
-          prefix_ = new java.util.ArrayList(prefix_);
+        if (!((bitField0_ & 0x00000001) != 0)) {
+          prefix_ = mutableCopy(prefix_);
           bitField0_ |= 0x00000001;
          }
       }
@@ -1815,7 +1813,8 @@ private void ensurePrefixIsMutable() {
        */
       public java.util.List
           getPrefixList() {
-        return java.util.Collections.unmodifiableList(prefix_);
+        return ((bitField0_ & 0x00000001) != 0) ?
+                 java.util.Collections.unmodifiableList(prefix_) : prefix_;
       }
       /**
        * repeated bool prefix = 1 [packed = true];
@@ -1827,7 +1826,7 @@ public int getPrefixCount() {
        * repeated bool prefix = 1 [packed = true];
        */
       public boolean getPrefix(int index) {
-        return prefix_.get(index);
+        return prefix_.getBoolean(index);
       }
       /**
        * repeated bool prefix = 1 [packed = true];
@@ -1835,7 +1834,7 @@ public boolean getPrefix(int index) {
       public Builder setPrefix(
           int index, boolean value) {
         ensurePrefixIsMutable();
-        prefix_.set(index, value);
+        prefix_.setBoolean(index, value);
         onChanged();
         return this;
       }
@@ -1844,7 +1843,7 @@ public Builder setPrefix(
        */
       public Builder addPrefix(boolean value) {
         ensurePrefixIsMutable();
-        prefix_.add(value);
+        prefix_.addBoolean(value);
         onChanged();
         return this;
       }
@@ -1863,7 +1862,7 @@ public Builder addAllPrefix(
        * repeated bool prefix = 1 [packed = true];
        */
       public Builder clearPrefix() {
-        prefix_ = java.util.Collections.emptyList();
+        prefix_ = emptyBooleanList();
         bitField0_ = (bitField0_ & ~0x00000001);
         onChanged();
         return this;
@@ -1874,7 +1873,7 @@ public Builder clearPrefix() {
        * required bytes key = 2;
        */
       public boolean hasKey() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required bytes key = 2;
@@ -1909,7 +1908,7 @@ public Builder clearKey() {
        * required bytes value = 3;
        */
       public boolean hasValue() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required bytes value = 3;
@@ -2100,7 +2099,7 @@ private Proof(
               done = true;
               break;
             case 10: {
-              if (!((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
                 interiors_ = new java.util.ArrayList();
                 mutable_bitField0_ |= 0x00000001;
               }
@@ -2110,7 +2109,7 @@ private Proof(
             }
             case 18: {
               ch.epfl.dedis.lib.proto.TrieProto.LeafNode.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000001) == 0x00000001)) {
+              if (((bitField0_ & 0x00000001) != 0)) {
                 subBuilder = leaf_.toBuilder();
               }
               leaf_ = input.readMessage(ch.epfl.dedis.lib.proto.TrieProto.LeafNode.parser(), extensionRegistry);
@@ -2123,7 +2122,7 @@ private Proof(
             }
             case 26: {
               ch.epfl.dedis.lib.proto.TrieProto.EmptyNode.Builder subBuilder = null;
-              if (((bitField0_ & 0x00000002) == 0x00000002)) {
+              if (((bitField0_ & 0x00000002) != 0)) {
                 subBuilder = empty_.toBuilder();
               }
               empty_ = input.readMessage(ch.epfl.dedis.lib.proto.TrieProto.EmptyNode.parser(), extensionRegistry);
@@ -2154,7 +2153,7 @@ private Proof(
         throw new com.google.protobuf.InvalidProtocolBufferException(
             e).setUnfinishedMessage(this);
       } finally {
-        if (((mutable_bitField0_ & 0x00000001) == 0x00000001)) {
+        if (((mutable_bitField0_ & 0x00000001) != 0)) {
           interiors_ = java.util.Collections.unmodifiableList(interiors_);
         }
         this.unknownFields = unknownFields.build();
@@ -2216,7 +2215,7 @@ public ch.epfl.dedis.lib.proto.TrieProto.InteriorNodeOrBuilder getInteriorsOrBui
      * required .trie.LeafNode leaf = 2;
      */
     public boolean hasLeaf() {
-      return ((bitField0_ & 0x00000001) == 0x00000001);
+      return ((bitField0_ & 0x00000001) != 0);
     }
     /**
      * required .trie.LeafNode leaf = 2;
@@ -2237,7 +2236,7 @@ public ch.epfl.dedis.lib.proto.TrieProto.LeafNodeOrBuilder getLeafOrBuilder() {
      * required .trie.EmptyNode empty = 3;
      */
     public boolean hasEmpty() {
-      return ((bitField0_ & 0x00000002) == 0x00000002);
+      return ((bitField0_ & 0x00000002) != 0);
     }
     /**
      * required .trie.EmptyNode empty = 3;
@@ -2258,7 +2257,7 @@ public ch.epfl.dedis.lib.proto.TrieProto.EmptyNodeOrBuilder getEmptyOrBuilder()
      * required bytes nonce = 4;
      */
     public boolean hasNonce() {
-      return ((bitField0_ & 0x00000004) == 0x00000004);
+      return ((bitField0_ & 0x00000004) != 0);
     }
     /**
      * required bytes nonce = 4;
@@ -2306,13 +2305,13 @@ public void writeTo(com.google.protobuf.CodedOutputStream output)
       for (int i = 0; i < interiors_.size(); i++) {
         output.writeMessage(1, interiors_.get(i));
       }
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         output.writeMessage(2, getLeaf());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         output.writeMessage(3, getEmpty());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         output.writeBytes(4, nonce_);
       }
       unknownFields.writeTo(output);
@@ -2328,15 +2327,15 @@ public int getSerializedSize() {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(1, interiors_.get(i));
       }
-      if (((bitField0_ & 0x00000001) == 0x00000001)) {
+      if (((bitField0_ & 0x00000001) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(2, getLeaf());
       }
-      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+      if (((bitField0_ & 0x00000002) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeMessageSize(3, getEmpty());
       }
-      if (((bitField0_ & 0x00000004) == 0x00000004)) {
+      if (((bitField0_ & 0x00000004) != 0)) {
         size += com.google.protobuf.CodedOutputStream
           .computeBytesSize(4, nonce_);
       }
@@ -2355,26 +2354,25 @@ public boolean equals(final java.lang.Object obj) {
       }
       ch.epfl.dedis.lib.proto.TrieProto.Proof other = (ch.epfl.dedis.lib.proto.TrieProto.Proof) obj;
 
-      boolean result = true;
-      result = result && getInteriorsList()
-          .equals(other.getInteriorsList());
-      result = result && (hasLeaf() == other.hasLeaf());
+      if (!getInteriorsList()
+          .equals(other.getInteriorsList())) return false;
+      if (hasLeaf() != other.hasLeaf()) return false;
       if (hasLeaf()) {
-        result = result && getLeaf()
-            .equals(other.getLeaf());
+        if (!getLeaf()
+            .equals(other.getLeaf())) return false;
       }
-      result = result && (hasEmpty() == other.hasEmpty());
+      if (hasEmpty() != other.hasEmpty()) return false;
       if (hasEmpty()) {
-        result = result && getEmpty()
-            .equals(other.getEmpty());
+        if (!getEmpty()
+            .equals(other.getEmpty())) return false;
       }
-      result = result && (hasNonce() == other.hasNonce());
+      if (hasNonce() != other.hasNonce()) return false;
       if (hasNonce()) {
-        result = result && getNonce()
-            .equals(other.getNonce());
+        if (!getNonce()
+            .equals(other.getNonce())) return false;
       }
-      result = result && unknownFields.equals(other.unknownFields);
-      return result;
+      if (!unknownFields.equals(other.unknownFields)) return false;
+      return true;
     }
 
     @java.lang.Override
@@ -2589,7 +2587,7 @@ public ch.epfl.dedis.lib.proto.TrieProto.Proof buildPartial() {
         int from_bitField0_ = bitField0_;
         int to_bitField0_ = 0;
         if (interiorsBuilder_ == null) {
-          if (((bitField0_ & 0x00000001) == 0x00000001)) {
+          if (((bitField0_ & 0x00000001) != 0)) {
             interiors_ = java.util.Collections.unmodifiableList(interiors_);
             bitField0_ = (bitField0_ & ~0x00000001);
           }
@@ -2597,23 +2595,23 @@ public ch.epfl.dedis.lib.proto.TrieProto.Proof buildPartial() {
         } else {
           result.interiors_ = interiorsBuilder_.build();
         }
-        if (((from_bitField0_ & 0x00000002) == 0x00000002)) {
+        if (((from_bitField0_ & 0x00000002) != 0)) {
+          if (leafBuilder_ == null) {
+            result.leaf_ = leaf_;
+          } else {
+            result.leaf_ = leafBuilder_.build();
+          }
           to_bitField0_ |= 0x00000001;
         }
-        if (leafBuilder_ == null) {
-          result.leaf_ = leaf_;
-        } else {
-          result.leaf_ = leafBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000004) == 0x00000004)) {
+        if (((from_bitField0_ & 0x00000004) != 0)) {
+          if (emptyBuilder_ == null) {
+            result.empty_ = empty_;
+          } else {
+            result.empty_ = emptyBuilder_.build();
+          }
           to_bitField0_ |= 0x00000002;
         }
-        if (emptyBuilder_ == null) {
-          result.empty_ = empty_;
-        } else {
-          result.empty_ = emptyBuilder_.build();
-        }
-        if (((from_bitField0_ & 0x00000008) == 0x00000008)) {
+        if (((from_bitField0_ & 0x00000008) != 0)) {
           to_bitField0_ |= 0x00000004;
         }
         result.nonce_ = nonce_;
@@ -2624,35 +2622,35 @@ public ch.epfl.dedis.lib.proto.TrieProto.Proof buildPartial() {
 
       @java.lang.Override
       public Builder clone() {
-        return (Builder) super.clone();
+        return super.clone();
       }
       @java.lang.Override
       public Builder setField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.setField(field, value);
+        return super.setField(field, value);
       }
       @java.lang.Override
       public Builder clearField(
           com.google.protobuf.Descriptors.FieldDescriptor field) {
-        return (Builder) super.clearField(field);
+        return super.clearField(field);
       }
       @java.lang.Override
       public Builder clearOneof(
           com.google.protobuf.Descriptors.OneofDescriptor oneof) {
-        return (Builder) super.clearOneof(oneof);
+        return super.clearOneof(oneof);
       }
       @java.lang.Override
       public Builder setRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           int index, java.lang.Object value) {
-        return (Builder) super.setRepeatedField(field, index, value);
+        return super.setRepeatedField(field, index, value);
       }
       @java.lang.Override
       public Builder addRepeatedField(
           com.google.protobuf.Descriptors.FieldDescriptor field,
           java.lang.Object value) {
-        return (Builder) super.addRepeatedField(field, value);
+        return super.addRepeatedField(field, value);
       }
       @java.lang.Override
       public Builder mergeFrom(com.google.protobuf.Message other) {
@@ -2751,7 +2749,7 @@ public Builder mergeFrom(
       private java.util.List interiors_ =
         java.util.Collections.emptyList();
       private void ensureInteriorsIsMutable() {
-        if (!((bitField0_ & 0x00000001) == 0x00000001)) {
+        if (!((bitField0_ & 0x00000001) != 0)) {
           interiors_ = new java.util.ArrayList(interiors_);
           bitField0_ |= 0x00000001;
          }
@@ -2980,7 +2978,7 @@ public ch.epfl.dedis.lib.proto.TrieProto.InteriorNode.Builder addInteriorsBuilde
           interiorsBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3<
               ch.epfl.dedis.lib.proto.TrieProto.InteriorNode, ch.epfl.dedis.lib.proto.TrieProto.InteriorNode.Builder, ch.epfl.dedis.lib.proto.TrieProto.InteriorNodeOrBuilder>(
                   interiors_,
-                  ((bitField0_ & 0x00000001) == 0x00000001),
+                  ((bitField0_ & 0x00000001) != 0),
                   getParentForChildren(),
                   isClean());
           interiors_ = null;
@@ -2988,14 +2986,14 @@ public ch.epfl.dedis.lib.proto.TrieProto.InteriorNode.Builder addInteriorsBuilde
         return interiorsBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.TrieProto.LeafNode leaf_ = null;
+      private ch.epfl.dedis.lib.proto.TrieProto.LeafNode leaf_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.TrieProto.LeafNode, ch.epfl.dedis.lib.proto.TrieProto.LeafNode.Builder, ch.epfl.dedis.lib.proto.TrieProto.LeafNodeOrBuilder> leafBuilder_;
       /**
        * required .trie.LeafNode leaf = 2;
        */
       public boolean hasLeaf() {
-        return ((bitField0_ & 0x00000002) == 0x00000002);
+        return ((bitField0_ & 0x00000002) != 0);
       }
       /**
        * required .trie.LeafNode leaf = 2;
@@ -3042,7 +3040,7 @@ public Builder setLeaf(
        */
       public Builder mergeLeaf(ch.epfl.dedis.lib.proto.TrieProto.LeafNode value) {
         if (leafBuilder_ == null) {
-          if (((bitField0_ & 0x00000002) == 0x00000002) &&
+          if (((bitField0_ & 0x00000002) != 0) &&
               leaf_ != null &&
               leaf_ != ch.epfl.dedis.lib.proto.TrieProto.LeafNode.getDefaultInstance()) {
             leaf_ =
@@ -3106,14 +3104,14 @@ public ch.epfl.dedis.lib.proto.TrieProto.LeafNodeOrBuilder getLeafOrBuilder() {
         return leafBuilder_;
       }
 
-      private ch.epfl.dedis.lib.proto.TrieProto.EmptyNode empty_ = null;
+      private ch.epfl.dedis.lib.proto.TrieProto.EmptyNode empty_;
       private com.google.protobuf.SingleFieldBuilderV3<
           ch.epfl.dedis.lib.proto.TrieProto.EmptyNode, ch.epfl.dedis.lib.proto.TrieProto.EmptyNode.Builder, ch.epfl.dedis.lib.proto.TrieProto.EmptyNodeOrBuilder> emptyBuilder_;
       /**
        * required .trie.EmptyNode empty = 3;
        */
       public boolean hasEmpty() {
-        return ((bitField0_ & 0x00000004) == 0x00000004);
+        return ((bitField0_ & 0x00000004) != 0);
       }
       /**
        * required .trie.EmptyNode empty = 3;
@@ -3160,7 +3158,7 @@ public Builder setEmpty(
        */
       public Builder mergeEmpty(ch.epfl.dedis.lib.proto.TrieProto.EmptyNode value) {
         if (emptyBuilder_ == null) {
-          if (((bitField0_ & 0x00000004) == 0x00000004) &&
+          if (((bitField0_ & 0x00000004) != 0) &&
               empty_ != null &&
               empty_ != ch.epfl.dedis.lib.proto.TrieProto.EmptyNode.getDefaultInstance()) {
             empty_ =
@@ -3229,7 +3227,7 @@ public ch.epfl.dedis.lib.proto.TrieProto.EmptyNodeOrBuilder getEmptyOrBuilder()
        * required bytes nonce = 4;
        */
       public boolean hasNonce() {
-        return ((bitField0_ & 0x00000008) == 0x00000008);
+        return ((bitField0_ & 0x00000008) != 0);
       }
       /**
        * required bytes nonce = 4;
diff --git a/external/js/cothority/package-lock.json b/external/js/cothority/package-lock.json
index d00758b590..937fe271d8 100644
--- a/external/js/cothority/package-lock.json
+++ b/external/js/cothority/package-lock.json
@@ -3083,7 +3083,8 @@
         "ansi-regex": {
           "version": "2.1.1",
           "bundled": true,
-          "dev": true
+          "dev": true,
+          "optional": true
         },
         "aproba": {
           "version": "1.2.0",
@@ -3104,12 +3105,14 @@
         "balanced-match": {
           "version": "1.0.0",
           "bundled": true,
-          "dev": true
+          "dev": true,
+          "optional": true
         },
         "brace-expansion": {
           "version": "1.1.11",
           "bundled": true,
           "dev": true,
+          "optional": true,
           "requires": {
             "balanced-match": "^1.0.0",
             "concat-map": "0.0.1"
@@ -3124,17 +3127,20 @@
         "code-point-at": {
           "version": "1.1.0",
           "bundled": true,
-          "dev": true
+          "dev": true,
+          "optional": true
         },
         "concat-map": {
           "version": "0.0.1",
           "bundled": true,
-          "dev": true
+          "dev": true,
+          "optional": true
         },
         "console-control-strings": {
           "version": "1.1.0",
           "bundled": true,
-          "dev": true
+          "dev": true,
+          "optional": true
         },
         "core-util-is": {
           "version": "1.0.2",
@@ -3251,7 +3257,8 @@
         "inherits": {
           "version": "2.0.3",
           "bundled": true,
-          "dev": true
+          "dev": true,
+          "optional": true
         },
         "ini": {
           "version": "1.3.5",
@@ -3263,6 +3270,7 @@
           "version": "1.0.0",
           "bundled": true,
           "dev": true,
+          "optional": true,
           "requires": {
             "number-is-nan": "^1.0.0"
           }
@@ -3277,6 +3285,7 @@
           "version": "3.0.4",
           "bundled": true,
           "dev": true,
+          "optional": true,
           "requires": {
             "brace-expansion": "^1.1.7"
           }
@@ -3284,12 +3293,14 @@
         "minimist": {
           "version": "0.0.8",
           "bundled": true,
-          "dev": true
+          "dev": true,
+          "optional": true
         },
         "minipass": {
           "version": "2.3.5",
           "bundled": true,
           "dev": true,
+          "optional": true,
           "requires": {
             "safe-buffer": "^5.1.2",
             "yallist": "^3.0.0"
@@ -3308,6 +3319,7 @@
           "version": "0.5.1",
           "bundled": true,
           "dev": true,
+          "optional": true,
           "requires": {
             "minimist": "0.0.8"
           }
@@ -3388,7 +3400,8 @@
         "number-is-nan": {
           "version": "1.0.1",
           "bundled": true,
-          "dev": true
+          "dev": true,
+          "optional": true
         },
         "object-assign": {
           "version": "4.1.1",
@@ -3400,6 +3413,7 @@
           "version": "1.4.0",
           "bundled": true,
           "dev": true,
+          "optional": true,
           "requires": {
             "wrappy": "1"
           }
@@ -3485,7 +3499,8 @@
         "safe-buffer": {
           "version": "5.1.2",
           "bundled": true,
-          "dev": true
+          "dev": true,
+          "optional": true
         },
         "safer-buffer": {
           "version": "2.1.2",
@@ -3521,6 +3536,7 @@
           "version": "1.0.2",
           "bundled": true,
           "dev": true,
+          "optional": true,
           "requires": {
             "code-point-at": "^1.0.0",
             "is-fullwidth-code-point": "^1.0.0",
@@ -3540,6 +3556,7 @@
           "version": "3.0.1",
           "bundled": true,
           "dev": true,
+          "optional": true,
           "requires": {
             "ansi-regex": "^2.0.0"
           }
@@ -3583,12 +3600,14 @@
         "wrappy": {
           "version": "1.0.2",
           "bundled": true,
-          "dev": true
+          "dev": true,
+          "optional": true
         },
         "yallist": {
           "version": "3.0.3",
           "bundled": true,
-          "dev": true
+          "dev": true,
+          "optional": true
         }
       }
     },
diff --git a/external/js/cothority/src/protobuf/models.json b/external/js/cothority/src/protobuf/models.json
index a44d4b27a5..59a8ef3812 100644
--- a/external/js/cothority/src/protobuf/models.json
+++ b/external/js/cothority/src/protobuf/models.json
@@ -1 +1 @@
-{"nested":{"cothority":{},"authprox":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"AuthProxProto"},"nested":{"EnrollRequest":{"fields":{"type":{"rule":"required","type":"string","id":1},"issuer":{"rule":"required","type":"string","id":2},"participants":{"rule":"repeated","type":"bytes","id":3},"longpri":{"rule":"required","type":"PriShare","id":4},"longpubs":{"rule":"repeated","type":"bytes","id":5}}},"EnrollResponse":{"fields":{}},"SignatureRequest":{"fields":{"type":{"rule":"required","type":"string","id":1},"issuer":{"rule":"required","type":"string","id":2},"authinfo":{"rule":"required","type":"bytes","id":3},"randpri":{"rule":"required","type":"PriShare","id":4},"randpubs":{"rule":"repeated","type":"bytes","id":5},"message":{"rule":"required","type":"bytes","id":6}}},"PriShare":{"fields":{}},"PartialSig":{"fields":{"partial":{"rule":"required","type":"PriShare","id":1},"sessionid":{"rule":"required","type":"bytes","id":2},"signature":{"rule":"required","type":"bytes","id":3}}},"SignatureResponse":{"fields":{"partialsignature":{"rule":"required","type":"PartialSig","id":1}}},"EnrollmentsRequest":{"fields":{"types":{"rule":"repeated","type":"string","id":1},"issuers":{"rule":"repeated","type":"string","id":2}}},"EnrollmentsResponse":{"fields":{"enrollments":{"rule":"repeated","type":"EnrollmentInfo","id":1,"options":{"packed":false}}}},"EnrollmentInfo":{"fields":{"type":{"rule":"required","type":"string","id":1},"issuer":{"rule":"required","type":"string","id":2},"public":{"rule":"required","type":"bytes","id":3}}}}},"byzcoin":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"ByzCoinProto"},"nested":{"DataHeader":{"fields":{"trieroot":{"rule":"required","type":"bytes","id":1},"clienttransactionhash":{"rule":"required","type":"bytes","id":2},"statechangeshash":{"rule":"required","type":"bytes","id":3},"timestamp":{"rule":"required","type":"sint64","id":4}}},"DataBody":{"fields":{"txresults":{"rule":"repeated","type":"TxResult","id":1,"options":{"packed":false}}}},"CreateGenesisBlock":{"fields":{"version":{"rule":"required","type":"sint32","id":1},"roster":{"rule":"required","type":"onet.Roster","id":2},"genesisdarc":{"rule":"required","type":"darc.Darc","id":3},"blockinterval":{"rule":"required","type":"sint64","id":4},"maxblocksize":{"type":"sint32","id":5},"darccontractids":{"rule":"repeated","type":"string","id":6}}},"CreateGenesisBlockResponse":{"fields":{"version":{"rule":"required","type":"sint32","id":1},"skipblock":{"type":"skipchain.SkipBlock","id":2}}},"AddTxRequest":{"fields":{"version":{"rule":"required","type":"sint32","id":1},"skipchainid":{"rule":"required","type":"bytes","id":2},"transaction":{"rule":"required","type":"ClientTransaction","id":3},"inclusionwait":{"type":"sint32","id":4}}},"AddTxResponse":{"fields":{"version":{"rule":"required","type":"sint32","id":1}}},"GetProof":{"fields":{"version":{"rule":"required","type":"sint32","id":1},"key":{"rule":"required","type":"bytes","id":2},"id":{"rule":"required","type":"bytes","id":3}}},"GetProofResponse":{"fields":{"version":{"rule":"required","type":"sint32","id":1},"proof":{"rule":"required","type":"Proof","id":2}}},"CheckAuthorization":{"fields":{"version":{"rule":"required","type":"sint32","id":1},"byzcoinid":{"rule":"required","type":"bytes","id":2},"darcid":{"rule":"required","type":"bytes","id":3},"identities":{"rule":"repeated","type":"darc.Identity","id":4,"options":{"packed":false}}}},"CheckAuthorizationResponse":{"fields":{"actions":{"rule":"repeated","type":"string","id":1}}},"ChainConfig":{"fields":{"blockinterval":{"rule":"required","type":"sint64","id":1},"roster":{"rule":"required","type":"onet.Roster","id":2},"maxblocksize":{"rule":"required","type":"sint32","id":3},"darccontractids":{"rule":"repeated","type":"string","id":4}}},"Proof":{"fields":{"inclusionproof":{"rule":"required","type":"trie.Proof","id":1},"latest":{"rule":"required","type":"skipchain.SkipBlock","id":2},"links":{"rule":"repeated","type":"skipchain.ForwardLink","id":3,"options":{"packed":false}}}},"Instruction":{"fields":{"instanceid":{"rule":"required","type":"bytes","id":1},"spawn":{"type":"Spawn","id":2},"invoke":{"type":"Invoke","id":3},"delete":{"type":"Delete","id":4},"signercounter":{"rule":"repeated","type":"uint64","id":5,"options":{"packed":true}},"signeridentities":{"rule":"repeated","type":"darc.Identity","id":6,"options":{"packed":false}},"signatures":{"rule":"repeated","type":"bytes","id":7}}},"Spawn":{"fields":{"contractid":{"rule":"required","type":"string","id":1},"args":{"rule":"repeated","type":"Argument","id":2,"options":{"packed":false}}}},"Invoke":{"fields":{"contractid":{"rule":"required","type":"string","id":1},"command":{"rule":"required","type":"string","id":2},"args":{"rule":"repeated","type":"Argument","id":3,"options":{"packed":false}}}},"Delete":{"fields":{"contractid":{"rule":"required","type":"string","id":1}}},"Argument":{"fields":{"name":{"rule":"required","type":"string","id":1},"value":{"rule":"required","type":"bytes","id":2}}},"ClientTransaction":{"fields":{"instructions":{"rule":"repeated","type":"Instruction","id":1,"options":{"packed":false}}}},"TxResult":{"fields":{"clienttransaction":{"rule":"required","type":"ClientTransaction","id":1},"accepted":{"rule":"required","type":"bool","id":2}}},"StateChange":{"fields":{"stateaction":{"rule":"required","type":"sint32","id":1},"instanceid":{"rule":"required","type":"bytes","id":2},"contractid":{"rule":"required","type":"string","id":3},"value":{"rule":"required","type":"bytes","id":4},"darcid":{"rule":"required","type":"bytes","id":5},"version":{"rule":"required","type":"uint64","id":6}}},"Coin":{"fields":{"name":{"rule":"required","type":"bytes","id":1},"value":{"rule":"required","type":"uint64","id":2}}},"StreamingRequest":{"fields":{"id":{"rule":"required","type":"bytes","id":1}}},"StreamingResponse":{"fields":{"block":{"type":"skipchain.SkipBlock","id":1}}},"DownloadState":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1},"nonce":{"rule":"required","type":"uint64","id":2},"length":{"rule":"required","type":"sint32","id":3}}},"DownloadStateResponse":{"fields":{"keyvalues":{"rule":"repeated","type":"DBKeyValue","id":1,"options":{"packed":false}},"nonce":{"rule":"required","type":"uint64","id":2}}},"DBKeyValue":{"fields":{"key":{"rule":"required","type":"bytes","id":1},"value":{"rule":"required","type":"bytes","id":2}}},"StateChangeBody":{"fields":{"stateaction":{"rule":"required","type":"sint32","id":1},"contractid":{"rule":"required","type":"string","id":2},"value":{"rule":"required","type":"bytes","id":3},"version":{"rule":"required","type":"uint64","id":4},"darcid":{"rule":"required","type":"bytes","id":5}}},"GetSignerCounters":{"fields":{"signerids":{"rule":"repeated","type":"string","id":1},"skipchainid":{"rule":"required","type":"bytes","id":2}}},"GetSignerCountersResponse":{"fields":{"counters":{"rule":"repeated","type":"uint64","id":1,"options":{"packed":true}}}},"GetInstanceVersion":{"fields":{"skipchainid":{"rule":"required","type":"bytes","id":1},"instanceid":{"rule":"required","type":"bytes","id":2},"version":{"rule":"required","type":"uint64","id":3}}},"GetLastInstanceVersion":{"fields":{"skipchainid":{"rule":"required","type":"bytes","id":1},"instanceid":{"rule":"required","type":"bytes","id":2}}},"GetInstanceVersionResponse":{"fields":{"statechange":{"rule":"required","type":"StateChange","id":1},"blockindex":{"rule":"required","type":"sint32","id":2}}},"GetAllInstanceVersion":{"fields":{"skipchainid":{"rule":"required","type":"bytes","id":1},"instanceid":{"rule":"required","type":"bytes","id":2}}},"GetAllInstanceVersionResponse":{"fields":{"statechanges":{"rule":"repeated","type":"GetInstanceVersionResponse","id":1,"options":{"packed":false}}}},"CheckStateChangeValidity":{"fields":{"skipchainid":{"rule":"required","type":"bytes","id":1},"instanceid":{"rule":"required","type":"bytes","id":2},"version":{"rule":"required","type":"uint64","id":3}}},"CheckStateChangeValidityResponse":{"fields":{"statechanges":{"rule":"repeated","type":"StateChange","id":1,"options":{"packed":false}},"blockid":{"rule":"required","type":"bytes","id":2}}},"DebugRequest":{"fields":{"byzcoinid":{"type":"bytes","id":1}}},"DebugResponse":{"fields":{"byzcoins":{"rule":"repeated","type":"DebugResponseByzcoin","id":1,"options":{"packed":false}},"dump":{"rule":"repeated","type":"DebugResponseState","id":2,"options":{"packed":false}}}},"DebugResponseByzcoin":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1},"genesis":{"type":"skipchain.SkipBlock","id":2},"latest":{"type":"skipchain.SkipBlock","id":3}}},"DebugResponseState":{"fields":{"key":{"rule":"required","type":"bytes","id":1},"state":{"rule":"required","type":"StateChangeBody","id":2}}},"DebugRemoveRequest":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1},"signature":{"rule":"required","type":"bytes","id":2}}}}},"skipchain":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"SkipchainProto"},"nested":{"StoreSkipBlock":{"fields":{"targetSkipChainID":{"rule":"required","type":"bytes","id":1},"newBlock":{"rule":"required","type":"SkipBlock","id":2},"signature":{"type":"bytes","id":3}}},"StoreSkipBlockReply":{"fields":{"previous":{"type":"SkipBlock","id":1},"latest":{"rule":"required","type":"SkipBlock","id":2}}},"GetAllSkipChainIDs":{"fields":{}},"GetAllSkipChainIDsReply":{"fields":{"skipChainIDs":{"rule":"repeated","type":"bytes","id":1}}},"GetSingleBlock":{"fields":{"id":{"rule":"required","type":"bytes","id":1}}},"GetSingleBlockByIndex":{"fields":{"genesis":{"rule":"required","type":"bytes","id":1},"index":{"rule":"required","type":"sint32","id":2}}},"GetSingleBlockByIndexReply":{"fields":{"skipblock":{"rule":"required","type":"SkipBlock","id":1},"links":{"rule":"repeated","type":"ForwardLink","id":2,"options":{"packed":false}}}},"GetUpdateChain":{"fields":{"latestID":{"rule":"required","type":"bytes","id":1}}},"GetUpdateChainReply":{"fields":{"update":{"rule":"repeated","type":"SkipBlock","id":1,"options":{"packed":false}}}},"SkipBlock":{"fields":{"index":{"rule":"required","type":"sint32","id":1},"height":{"rule":"required","type":"sint32","id":2},"maxHeight":{"rule":"required","type":"sint32","id":3},"baseHeight":{"rule":"required","type":"sint32","id":4},"backlinks":{"rule":"repeated","type":"bytes","id":5},"verifiers":{"rule":"repeated","type":"bytes","id":6},"genesis":{"rule":"required","type":"bytes","id":7},"data":{"rule":"required","type":"bytes","id":8},"roster":{"rule":"required","type":"onet.Roster","id":9},"hash":{"rule":"required","type":"bytes","id":10},"forward":{"rule":"repeated","type":"ForwardLink","id":11,"options":{"packed":false}},"payload":{"type":"bytes","id":12}}},"ForwardLink":{"fields":{"from":{"rule":"required","type":"bytes","id":1},"to":{"rule":"required","type":"bytes","id":2},"newRoster":{"type":"onet.Roster","id":3},"signature":{"rule":"required","type":"ByzcoinSig","id":4}}},"ByzcoinSig":{"fields":{"msg":{"rule":"required","type":"bytes","id":1},"sig":{"rule":"required","type":"bytes","id":2}}},"SchnorrSig":{"fields":{"challenge":{"rule":"required","type":"bytes","id":1},"response":{"rule":"required","type":"bytes","id":2}}},"Exception":{"fields":{"index":{"rule":"required","type":"sint32","id":1},"commitment":{"rule":"required","type":"bytes","id":2}}}}},"onet":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"OnetProto"},"nested":{"Roster":{"fields":{"id":{"type":"bytes","id":1},"list":{"rule":"repeated","type":"network.ServerIdentity","id":2,"options":{"packed":false}},"aggregate":{"rule":"required","type":"bytes","id":3}}},"Status":{"fields":{"field":{"keyType":"string","type":"string","id":1}}}}},"network":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"NetworkProto"},"nested":{"ServerIdentity":{"fields":{"public":{"rule":"required","type":"bytes","id":1},"serviceIdentities":{"rule":"repeated","type":"ServiceIdentity","id":2,"options":{"packed":false}},"id":{"rule":"required","type":"bytes","id":3},"address":{"rule":"required","type":"string","id":4},"description":{"rule":"required","type":"string","id":5},"url":{"type":"string","id":6}}},"ServiceIdentity":{"fields":{"name":{"rule":"required","type":"string","id":1},"suite":{"rule":"required","type":"string","id":2},"public":{"rule":"required","type":"bytes","id":3}}}}},"darc":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"DarcProto"},"nested":{"Darc":{"fields":{"version":{"rule":"required","type":"uint64","id":1},"description":{"rule":"required","type":"bytes","id":2},"baseid":{"type":"bytes","id":3},"previd":{"rule":"required","type":"bytes","id":4},"rules":{"rule":"required","type":"Rules","id":5},"signatures":{"rule":"repeated","type":"Signature","id":6,"options":{"packed":false}},"verificationdarcs":{"rule":"repeated","type":"Darc","id":7,"options":{"packed":false}}}},"Identity":{"fields":{"darc":{"type":"IdentityDarc","id":1},"ed25519":{"type":"IdentityEd25519","id":2},"x509ec":{"type":"IdentityX509EC","id":3},"proxy":{"type":"IdentityProxy","id":4}}},"IdentityEd25519":{"fields":{"point":{"rule":"required","type":"bytes","id":1}}},"IdentityX509EC":{"fields":{"public":{"rule":"required","type":"bytes","id":1}}},"IdentityProxy":{"fields":{"data":{"rule":"required","type":"string","id":1},"public":{"rule":"required","type":"bytes","id":2}}},"IdentityDarc":{"fields":{"id":{"rule":"required","type":"bytes","id":1}}},"Signature":{"fields":{"signature":{"rule":"required","type":"bytes","id":1},"signer":{"rule":"required","type":"Identity","id":2}}},"Signer":{"fields":{"ed25519":{"type":"SignerEd25519","id":1},"x509ec":{"type":"SignerX509EC","id":2},"proxy":{"type":"SignerProxy","id":3}}},"SignerEd25519":{"fields":{"point":{"rule":"required","type":"bytes","id":1},"secret":{"rule":"required","type":"bytes","id":2}}},"SignerX509EC":{"fields":{"point":{"rule":"required","type":"bytes","id":1}}},"SignerProxy":{"fields":{"data":{"rule":"required","type":"string","id":1},"public":{"rule":"required","type":"bytes","id":2}}},"Request":{"fields":{"baseid":{"rule":"required","type":"bytes","id":1},"action":{"rule":"required","type":"string","id":2},"msg":{"rule":"required","type":"bytes","id":3},"identities":{"rule":"repeated","type":"Identity","id":4,"options":{"packed":false}},"signatures":{"rule":"repeated","type":"bytes","id":5}}},"Rules":{"fields":{"list":{"rule":"repeated","type":"Rule","id":1,"options":{"packed":false}}}},"Rule":{"fields":{"action":{"rule":"required","type":"string","id":1},"expr":{"rule":"required","type":"bytes","id":2}}}}},"trie":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"TrieProto"},"nested":{"InteriorNode":{"fields":{"left":{"rule":"required","type":"bytes","id":1},"right":{"rule":"required","type":"bytes","id":2}}},"EmptyNode":{"fields":{"prefix":{"rule":"repeated","type":"bool","id":1,"options":{"packed":true}}}},"LeafNode":{"fields":{"prefix":{"rule":"repeated","type":"bool","id":1,"options":{"packed":true}},"key":{"rule":"required","type":"bytes","id":2},"value":{"rule":"required","type":"bytes","id":3}}},"Proof":{"fields":{"interiors":{"rule":"repeated","type":"InteriorNode","id":1,"options":{"packed":false}},"leaf":{"rule":"required","type":"LeafNode","id":2},"empty":{"rule":"required","type":"EmptyNode","id":3},"nonce":{"rule":"required","type":"bytes","id":4}}}}},"calypso":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"Calypso"},"nested":{"Write":{"fields":{"data":{"rule":"required","type":"bytes","id":1},"u":{"rule":"required","type":"bytes","id":2},"ubar":{"rule":"required","type":"bytes","id":3},"e":{"rule":"required","type":"bytes","id":4},"f":{"rule":"required","type":"bytes","id":5},"c":{"rule":"required","type":"bytes","id":6},"extradata":{"type":"bytes","id":7},"ltsid":{"rule":"required","type":"bytes","id":8}}},"Read":{"fields":{"write":{"rule":"required","type":"bytes","id":1},"xc":{"rule":"required","type":"bytes","id":2}}},"Authorise":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1}}},"AuthoriseReply":{"fields":{}},"CreateLTS":{"fields":{"proof":{"rule":"required","type":"byzcoin.Proof","id":1}}},"CreateLTSReply":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1},"instanceid":{"rule":"required","type":"bytes","id":2},"x":{"rule":"required","type":"bytes","id":3}}},"ReshareLTS":{"fields":{"proof":{"rule":"required","type":"byzcoin.Proof","id":1}}},"ReshareLTSReply":{"fields":{}},"DecryptKey":{"fields":{"read":{"rule":"required","type":"byzcoin.Proof","id":1},"write":{"rule":"required","type":"byzcoin.Proof","id":2}}},"DecryptKeyReply":{"fields":{"c":{"rule":"required","type":"bytes","id":1},"xhatenc":{"rule":"required","type":"bytes","id":2},"x":{"rule":"required","type":"bytes","id":3}}},"GetLTSReply":{"fields":{"ltsid":{"rule":"required","type":"bytes","id":1}}},"LtsInstanceInfo":{"fields":{"roster":{"rule":"required","type":"onet.Roster","id":1}}}}},"eventlog":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"EventLogProto"},"nested":{"SearchRequest":{"fields":{"instance":{"rule":"required","type":"bytes","id":1},"id":{"rule":"required","type":"bytes","id":2},"topic":{"rule":"required","type":"string","id":3},"from":{"rule":"required","type":"sint64","id":4},"to":{"rule":"required","type":"sint64","id":5}}},"SearchResponse":{"fields":{"events":{"rule":"repeated","type":"Event","id":1,"options":{"packed":false}},"truncated":{"rule":"required","type":"bool","id":2}}},"Event":{"fields":{"when":{"rule":"required","type":"sint64","id":1},"topic":{"rule":"required","type":"string","id":2},"content":{"rule":"required","type":"string","id":3}}}}},"personhood":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"Personhood"},"nested":{"PartyList":{"fields":{"newparty":{"type":"Party","id":1},"wipeparties":{"type":"bool","id":2}}},"PartyListResponse":{"fields":{"parties":{"rule":"repeated","type":"Party","id":1,"options":{"packed":false}}}},"Party":{"fields":{"roster":{"rule":"required","type":"onet.Roster","id":1},"byzcoinid":{"rule":"required","type":"bytes","id":2},"instanceid":{"rule":"required","type":"bytes","id":3}}},"RoPaSciList":{"fields":{"newropasci":{"type":"RoPaSci","id":1},"wipe":{"type":"bool","id":2}}},"RoPaSciListResponse":{"fields":{"ropascis":{"rule":"repeated","type":"RoPaSci","id":1,"options":{"packed":false}}}},"RoPaSci":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1},"ropasciid":{"rule":"required","type":"bytes","id":2}}},"StringReply":{"fields":{"reply":{"rule":"required","type":"string","id":1}}},"RoPaSciStruct":{"fields":{"description":{"rule":"required","type":"string","id":1},"stake":{"rule":"required","type":"byzcoin.Coin","id":2},"firstplayerhash":{"rule":"required","type":"bytes","id":3},"firstplayer":{"type":"sint32","id":4},"secondplayer":{"type":"sint32","id":5},"secondplayeraccount":{"type":"bytes","id":6}}},"CredentialStruct":{"fields":{"credentials":{"rule":"repeated","type":"Credential","id":1,"options":{"packed":false}}}},"Credential":{"fields":{"name":{"rule":"required","type":"string","id":1},"attributes":{"rule":"repeated","type":"Attribute","id":2,"options":{"packed":false}}}},"Attribute":{"fields":{"name":{"rule":"required","type":"string","id":1},"value":{"rule":"required","type":"bytes","id":2}}},"SpawnerStruct":{"fields":{"costdarc":{"rule":"required","type":"byzcoin.Coin","id":1},"costcoin":{"rule":"required","type":"byzcoin.Coin","id":2},"costcredential":{"rule":"required","type":"byzcoin.Coin","id":3},"costparty":{"rule":"required","type":"byzcoin.Coin","id":4},"beneficiary":{"rule":"required","type":"bytes","id":5},"costropasci":{"type":"byzcoin.Coin","id":6}}},"PopPartyStruct":{"fields":{"state":{"rule":"required","type":"sint32","id":1},"organizers":{"rule":"required","type":"sint32","id":2},"finalizations":{"rule":"repeated","type":"string","id":3},"description":{"rule":"required","type":"PopDesc","id":4},"attendees":{"rule":"required","type":"Attendees","id":5},"miners":{"rule":"repeated","type":"LRSTag","id":6,"options":{"packed":false}},"miningreward":{"rule":"required","type":"uint64","id":7},"previous":{"type":"bytes","id":8},"next":{"type":"bytes","id":9}}},"PopDesc":{"fields":{"name":{"rule":"required","type":"string","id":1},"purpose":{"rule":"required","type":"string","id":2},"datetime":{"rule":"required","type":"uint64","id":3},"location":{"rule":"required","type":"string","id":4}}},"FinalStatement":{"fields":{"desc":{"type":"PopDesc","id":1},"attendees":{"rule":"required","type":"Attendees","id":2}}},"Attendees":{"fields":{"keys":{"rule":"repeated","type":"bytes","id":1}}},"LRSTag":{"fields":{"tag":{"rule":"required","type":"bytes","id":1}}},"Poll":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1},"newpoll":{"type":"PollStruct","id":2},"list":{"type":"PollList","id":3},"answer":{"type":"PollAnswer","id":4}}},"PollList":{"fields":{"partyids":{"rule":"repeated","type":"bytes","id":1}}},"PollAnswer":{"fields":{"pollid":{"rule":"required","type":"bytes","id":1},"choice":{"rule":"required","type":"sint32","id":2},"lrs":{"rule":"required","type":"bytes","id":3}}},"PollStruct":{"fields":{"personhood":{"rule":"required","type":"bytes","id":1},"pollid":{"type":"bytes","id":2},"title":{"rule":"required","type":"string","id":3},"description":{"rule":"required","type":"string","id":4},"choices":{"rule":"repeated","type":"string","id":5},"chosen":{"rule":"repeated","type":"PollChoice","id":6,"options":{"packed":false}}}},"PollChoice":{"fields":{"choice":{"rule":"required","type":"sint32","id":1},"lrstag":{"rule":"required","type":"bytes","id":2}}},"PollResponse":{"fields":{"polls":{"rule":"repeated","type":"PollStruct","id":1,"options":{"packed":false}}}},"Capabilities":{"fields":{}},"CapabilitiesResponse":{"fields":{"capabilities":{"rule":"repeated","type":"Capability","id":1,"options":{"packed":false}}}},"Capability":{"fields":{"endpoint":{"rule":"required","type":"string","id":1},"version":{"rule":"required","type":"bytes","id":2}}},"UserLocation":{"fields":{"publickey":{"rule":"required","type":"bytes","id":1},"credentialiid":{"type":"bytes","id":2},"credential":{"type":"CredentialStruct","id":3},"location":{"type":"string","id":4},"time":{"rule":"required","type":"sint64","id":5}}},"Meetup":{"fields":{"userlocation":{"type":"UserLocation","id":1},"wipe":{"type":"bool","id":2}}},"MeetupResponse":{"fields":{"users":{"rule":"repeated","type":"UserLocation","id":1,"options":{"packed":false}}}}}},"status":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"StatusProto"},"nested":{"Request":{"fields":{}},"Response":{"fields":{"status":{"keyType":"string","type":"onet.Status","id":1},"serveridentity":{"type":"network.ServerIdentity","id":2}}}}}}}
\ No newline at end of file
+{"nested":{"cothority":{},"authprox":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"AuthProxProto"},"nested":{"EnrollRequest":{"fields":{"type":{"rule":"required","type":"string","id":1},"issuer":{"rule":"required","type":"string","id":2},"participants":{"rule":"repeated","type":"bytes","id":3},"longpri":{"rule":"required","type":"PriShare","id":4},"longpubs":{"rule":"repeated","type":"bytes","id":5}}},"EnrollResponse":{"fields":{}},"SignatureRequest":{"fields":{"type":{"rule":"required","type":"string","id":1},"issuer":{"rule":"required","type":"string","id":2},"authinfo":{"rule":"required","type":"bytes","id":3},"randpri":{"rule":"required","type":"PriShare","id":4},"randpubs":{"rule":"repeated","type":"bytes","id":5},"message":{"rule":"required","type":"bytes","id":6}}},"PriShare":{"fields":{}},"PartialSig":{"fields":{"partial":{"rule":"required","type":"PriShare","id":1},"sessionid":{"rule":"required","type":"bytes","id":2},"signature":{"rule":"required","type":"bytes","id":3}}},"SignatureResponse":{"fields":{"partialsignature":{"rule":"required","type":"PartialSig","id":1}}},"EnrollmentsRequest":{"fields":{"types":{"rule":"repeated","type":"string","id":1},"issuers":{"rule":"repeated","type":"string","id":2}}},"EnrollmentsResponse":{"fields":{"enrollments":{"rule":"repeated","type":"EnrollmentInfo","id":1,"options":{"packed":false}}}},"EnrollmentInfo":{"fields":{"type":{"rule":"required","type":"string","id":1},"issuer":{"rule":"required","type":"string","id":2},"public":{"rule":"required","type":"bytes","id":3}}}}},"byzcoin":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"ByzCoinProto"},"nested":{"DataHeader":{"fields":{"trieroot":{"rule":"required","type":"bytes","id":1},"clienttransactionhash":{"rule":"required","type":"bytes","id":2},"statechangeshash":{"rule":"required","type":"bytes","id":3},"timestamp":{"rule":"required","type":"sint64","id":4}}},"DataBody":{"fields":{"txresults":{"rule":"repeated","type":"TxResult","id":1,"options":{"packed":false}}}},"CreateGenesisBlock":{"fields":{"version":{"rule":"required","type":"sint32","id":1},"roster":{"rule":"required","type":"onet.Roster","id":2},"genesisdarc":{"rule":"required","type":"darc.Darc","id":3},"blockinterval":{"rule":"required","type":"sint64","id":4},"maxblocksize":{"type":"sint32","id":5},"darccontractids":{"rule":"repeated","type":"string","id":6}}},"CreateGenesisBlockResponse":{"fields":{"version":{"rule":"required","type":"sint32","id":1},"skipblock":{"type":"skipchain.SkipBlock","id":2}}},"AddTxRequest":{"fields":{"version":{"rule":"required","type":"sint32","id":1},"skipchainid":{"rule":"required","type":"bytes","id":2},"transaction":{"rule":"required","type":"ClientTransaction","id":3},"inclusionwait":{"type":"sint32","id":4}}},"AddTxResponse":{"fields":{"version":{"rule":"required","type":"sint32","id":1}}},"GetProof":{"fields":{"version":{"rule":"required","type":"sint32","id":1},"key":{"rule":"required","type":"bytes","id":2},"id":{"rule":"required","type":"bytes","id":3}}},"GetProofResponse":{"fields":{"version":{"rule":"required","type":"sint32","id":1},"proof":{"rule":"required","type":"Proof","id":2}}},"CheckAuthorization":{"fields":{"version":{"rule":"required","type":"sint32","id":1},"byzcoinid":{"rule":"required","type":"bytes","id":2},"darcid":{"rule":"required","type":"bytes","id":3},"identities":{"rule":"repeated","type":"darc.Identity","id":4,"options":{"packed":false}}}},"CheckAuthorizationResponse":{"fields":{"actions":{"rule":"repeated","type":"string","id":1}}},"ChainConfig":{"fields":{"blockinterval":{"rule":"required","type":"sint64","id":1},"roster":{"rule":"required","type":"onet.Roster","id":2},"maxblocksize":{"rule":"required","type":"sint32","id":3},"darccontractids":{"rule":"repeated","type":"string","id":4}}},"Proof":{"fields":{"inclusionproof":{"rule":"required","type":"trie.Proof","id":1},"latest":{"rule":"required","type":"skipchain.SkipBlock","id":2},"links":{"rule":"repeated","type":"skipchain.ForwardLink","id":3,"options":{"packed":false}}}},"Instruction":{"fields":{"instanceid":{"rule":"required","type":"bytes","id":1},"spawn":{"type":"Spawn","id":2},"invoke":{"type":"Invoke","id":3},"delete":{"type":"Delete","id":4},"signercounter":{"rule":"repeated","type":"uint64","id":5,"options":{"packed":true}},"signeridentities":{"rule":"repeated","type":"darc.Identity","id":6,"options":{"packed":false}},"signatures":{"rule":"repeated","type":"bytes","id":7}}},"Spawn":{"fields":{"contractid":{"rule":"required","type":"string","id":1},"args":{"rule":"repeated","type":"Argument","id":2,"options":{"packed":false}}}},"Invoke":{"fields":{"contractid":{"rule":"required","type":"string","id":1},"command":{"rule":"required","type":"string","id":2},"args":{"rule":"repeated","type":"Argument","id":3,"options":{"packed":false}}}},"Delete":{"fields":{"contractid":{"rule":"required","type":"string","id":1}}},"Argument":{"fields":{"name":{"rule":"required","type":"string","id":1},"value":{"rule":"required","type":"bytes","id":2}}},"ClientTransaction":{"fields":{"instructions":{"rule":"repeated","type":"Instruction","id":1,"options":{"packed":false}}}},"TxResult":{"fields":{"clienttransaction":{"rule":"required","type":"ClientTransaction","id":1},"accepted":{"rule":"required","type":"bool","id":2}}},"StateChange":{"fields":{"stateaction":{"rule":"required","type":"sint32","id":1},"instanceid":{"rule":"required","type":"bytes","id":2},"contractid":{"rule":"required","type":"string","id":3},"value":{"rule":"required","type":"bytes","id":4},"darcid":{"rule":"required","type":"bytes","id":5},"version":{"rule":"required","type":"uint64","id":6}}},"Coin":{"fields":{"name":{"rule":"required","type":"bytes","id":1},"value":{"rule":"required","type":"uint64","id":2}}},"StreamingRequest":{"fields":{"id":{"rule":"required","type":"bytes","id":1}}},"StreamingResponse":{"fields":{"block":{"type":"skipchain.SkipBlock","id":1}}},"DownloadState":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1},"nonce":{"rule":"required","type":"uint64","id":2},"length":{"rule":"required","type":"sint32","id":3}}},"DownloadStateResponse":{"fields":{"keyvalues":{"rule":"repeated","type":"DBKeyValue","id":1,"options":{"packed":false}},"nonce":{"rule":"required","type":"uint64","id":2}}},"DBKeyValue":{"fields":{"key":{"rule":"required","type":"bytes","id":1},"value":{"rule":"required","type":"bytes","id":2}}},"StateChangeBody":{"fields":{"stateaction":{"rule":"required","type":"sint32","id":1},"contractid":{"rule":"required","type":"string","id":2},"value":{"rule":"required","type":"bytes","id":3},"version":{"rule":"required","type":"uint64","id":4},"darcid":{"rule":"required","type":"bytes","id":5}}},"GetSignerCounters":{"fields":{"signerids":{"rule":"repeated","type":"string","id":1},"skipchainid":{"rule":"required","type":"bytes","id":2}}},"GetSignerCountersResponse":{"fields":{"counters":{"rule":"repeated","type":"uint64","id":1,"options":{"packed":true}}}},"GetInstanceVersion":{"fields":{"skipchainid":{"rule":"required","type":"bytes","id":1},"instanceid":{"rule":"required","type":"bytes","id":2},"version":{"rule":"required","type":"uint64","id":3}}},"GetLastInstanceVersion":{"fields":{"skipchainid":{"rule":"required","type":"bytes","id":1},"instanceid":{"rule":"required","type":"bytes","id":2}}},"GetInstanceVersionResponse":{"fields":{"statechange":{"rule":"required","type":"StateChange","id":1},"blockindex":{"rule":"required","type":"sint32","id":2}}},"GetAllInstanceVersion":{"fields":{"skipchainid":{"rule":"required","type":"bytes","id":1},"instanceid":{"rule":"required","type":"bytes","id":2}}},"GetAllInstanceVersionResponse":{"fields":{"statechanges":{"rule":"repeated","type":"GetInstanceVersionResponse","id":1,"options":{"packed":false}}}},"CheckStateChangeValidity":{"fields":{"skipchainid":{"rule":"required","type":"bytes","id":1},"instanceid":{"rule":"required","type":"bytes","id":2},"version":{"rule":"required","type":"uint64","id":3}}},"CheckStateChangeValidityResponse":{"fields":{"statechanges":{"rule":"repeated","type":"StateChange","id":1,"options":{"packed":false}},"blockid":{"rule":"required","type":"bytes","id":2}}},"DebugRequest":{"fields":{"byzcoinid":{"type":"bytes","id":1}}},"DebugResponse":{"fields":{"byzcoins":{"rule":"repeated","type":"DebugResponseByzcoin","id":1,"options":{"packed":false}},"dump":{"rule":"repeated","type":"DebugResponseState","id":2,"options":{"packed":false}}}},"DebugResponseByzcoin":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1},"genesis":{"type":"skipchain.SkipBlock","id":2},"latest":{"type":"skipchain.SkipBlock","id":3}}},"DebugResponseState":{"fields":{"key":{"rule":"required","type":"bytes","id":1},"state":{"rule":"required","type":"StateChangeBody","id":2}}},"DebugRemoveRequest":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1},"signature":{"rule":"required","type":"bytes","id":2}}}}},"skipchain":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"SkipchainProto"},"nested":{"StoreSkipBlock":{"fields":{"targetSkipChainID":{"rule":"required","type":"bytes","id":1},"newBlock":{"rule":"required","type":"SkipBlock","id":2},"signature":{"type":"bytes","id":3}}},"StoreSkipBlockReply":{"fields":{"previous":{"type":"SkipBlock","id":1},"latest":{"rule":"required","type":"SkipBlock","id":2}}},"GetAllSkipChainIDs":{"fields":{}},"GetAllSkipChainIDsReply":{"fields":{"skipChainIDs":{"rule":"repeated","type":"bytes","id":1}}},"GetSingleBlock":{"fields":{"id":{"rule":"required","type":"bytes","id":1}}},"GetSingleBlockByIndex":{"fields":{"genesis":{"rule":"required","type":"bytes","id":1},"index":{"rule":"required","type":"sint32","id":2}}},"GetSingleBlockByIndexReply":{"fields":{"skipblock":{"rule":"required","type":"SkipBlock","id":1},"links":{"rule":"repeated","type":"ForwardLink","id":2,"options":{"packed":false}}}},"GetUpdateChain":{"fields":{"latestID":{"rule":"required","type":"bytes","id":1}}},"GetUpdateChainReply":{"fields":{"update":{"rule":"repeated","type":"SkipBlock","id":1,"options":{"packed":false}}}},"SkipBlock":{"fields":{"index":{"rule":"required","type":"sint32","id":1},"height":{"rule":"required","type":"sint32","id":2},"maxHeight":{"rule":"required","type":"sint32","id":3},"baseHeight":{"rule":"required","type":"sint32","id":4},"backlinks":{"rule":"repeated","type":"bytes","id":5},"verifiers":{"rule":"repeated","type":"bytes","id":6},"genesis":{"rule":"required","type":"bytes","id":7},"data":{"rule":"required","type":"bytes","id":8},"roster":{"rule":"required","type":"onet.Roster","id":9},"hash":{"rule":"required","type":"bytes","id":10},"forward":{"rule":"repeated","type":"ForwardLink","id":11,"options":{"packed":false}},"payload":{"type":"bytes","id":12}}},"ForwardLink":{"fields":{"from":{"rule":"required","type":"bytes","id":1},"to":{"rule":"required","type":"bytes","id":2},"newRoster":{"type":"onet.Roster","id":3},"signature":{"rule":"required","type":"ByzcoinSig","id":4}}},"ByzcoinSig":{"fields":{"msg":{"rule":"required","type":"bytes","id":1},"sig":{"rule":"required","type":"bytes","id":2}}},"SchnorrSig":{"fields":{"challenge":{"rule":"required","type":"bytes","id":1},"response":{"rule":"required","type":"bytes","id":2}}},"Exception":{"fields":{"index":{"rule":"required","type":"sint32","id":1},"commitment":{"rule":"required","type":"bytes","id":2}}}}},"onet":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"OnetProto"},"nested":{"Roster":{"fields":{"id":{"type":"bytes","id":1},"list":{"rule":"repeated","type":"network.ServerIdentity","id":2,"options":{"packed":false}},"aggregate":{"rule":"required","type":"bytes","id":3}}},"Status":{"fields":{"field":{"keyType":"string","type":"string","id":1}}}}},"network":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"NetworkProto"},"nested":{"ServerIdentity":{"fields":{"public":{"rule":"required","type":"bytes","id":1},"serviceIdentities":{"rule":"repeated","type":"ServiceIdentity","id":2,"options":{"packed":false}},"id":{"rule":"required","type":"bytes","id":3},"address":{"rule":"required","type":"string","id":4},"description":{"rule":"required","type":"string","id":5},"url":{"type":"string","id":6}}},"ServiceIdentity":{"fields":{"name":{"rule":"required","type":"string","id":1},"suite":{"rule":"required","type":"string","id":2},"public":{"rule":"required","type":"bytes","id":3}}}}},"darc":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"DarcProto"},"nested":{"Darc":{"fields":{"version":{"rule":"required","type":"uint64","id":1},"description":{"rule":"required","type":"bytes","id":2},"baseid":{"type":"bytes","id":3},"previd":{"rule":"required","type":"bytes","id":4},"rules":{"rule":"required","type":"Rules","id":5},"signatures":{"rule":"repeated","type":"Signature","id":6,"options":{"packed":false}},"verificationdarcs":{"rule":"repeated","type":"Darc","id":7,"options":{"packed":false}}}},"Identity":{"fields":{"darc":{"type":"IdentityDarc","id":1},"ed25519":{"type":"IdentityEd25519","id":2},"x509ec":{"type":"IdentityX509EC","id":3},"proxy":{"type":"IdentityProxy","id":4}}},"IdentityEd25519":{"fields":{"point":{"rule":"required","type":"bytes","id":1}}},"IdentityX509EC":{"fields":{"public":{"rule":"required","type":"bytes","id":1}}},"IdentityProxy":{"fields":{"data":{"rule":"required","type":"string","id":1},"public":{"rule":"required","type":"bytes","id":2}}},"IdentityDarc":{"fields":{"id":{"rule":"required","type":"bytes","id":1}}},"Signature":{"fields":{"signature":{"rule":"required","type":"bytes","id":1},"signer":{"rule":"required","type":"Identity","id":2}}},"Signer":{"fields":{"ed25519":{"type":"SignerEd25519","id":1},"x509ec":{"type":"SignerX509EC","id":2},"proxy":{"type":"SignerProxy","id":3}}},"SignerEd25519":{"fields":{"point":{"rule":"required","type":"bytes","id":1},"secret":{"rule":"required","type":"bytes","id":2}}},"SignerX509EC":{"fields":{"point":{"rule":"required","type":"bytes","id":1}}},"SignerProxy":{"fields":{"data":{"rule":"required","type":"string","id":1},"public":{"rule":"required","type":"bytes","id":2}}},"Request":{"fields":{"baseid":{"rule":"required","type":"bytes","id":1},"action":{"rule":"required","type":"string","id":2},"msg":{"rule":"required","type":"bytes","id":3},"identities":{"rule":"repeated","type":"Identity","id":4,"options":{"packed":false}},"signatures":{"rule":"repeated","type":"bytes","id":5}}},"Rules":{"fields":{"list":{"rule":"repeated","type":"Rule","id":1,"options":{"packed":false}}}},"Rule":{"fields":{"action":{"rule":"required","type":"string","id":1},"expr":{"rule":"required","type":"bytes","id":2}}}}},"trie":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"TrieProto"},"nested":{"InteriorNode":{"fields":{"left":{"rule":"required","type":"bytes","id":1},"right":{"rule":"required","type":"bytes","id":2}}},"EmptyNode":{"fields":{"prefix":{"rule":"repeated","type":"bool","id":1,"options":{"packed":true}}}},"LeafNode":{"fields":{"prefix":{"rule":"repeated","type":"bool","id":1,"options":{"packed":true}},"key":{"rule":"required","type":"bytes","id":2},"value":{"rule":"required","type":"bytes","id":3}}},"Proof":{"fields":{"interiors":{"rule":"repeated","type":"InteriorNode","id":1,"options":{"packed":false}},"leaf":{"rule":"required","type":"LeafNode","id":2},"empty":{"rule":"required","type":"EmptyNode","id":3},"nonce":{"rule":"required","type":"bytes","id":4}}}}},"calypso":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"Calypso"},"nested":{"Write":{"fields":{"data":{"rule":"required","type":"bytes","id":1},"u":{"rule":"required","type":"bytes","id":2},"ubar":{"rule":"required","type":"bytes","id":3},"e":{"rule":"required","type":"bytes","id":4},"f":{"rule":"required","type":"bytes","id":5},"c":{"rule":"required","type":"bytes","id":6},"extradata":{"type":"bytes","id":7},"ltsid":{"rule":"required","type":"bytes","id":8}}},"Read":{"fields":{"write":{"rule":"required","type":"bytes","id":1},"xc":{"rule":"required","type":"bytes","id":2}}},"Authorise":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1}}},"AuthoriseReply":{"fields":{}},"CreateLTS":{"fields":{"proof":{"rule":"required","type":"byzcoin.Proof","id":1}}},"CreateLTSReply":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1},"instanceid":{"rule":"required","type":"bytes","id":2},"x":{"rule":"required","type":"bytes","id":3}}},"ReshareLTS":{"fields":{"proof":{"rule":"required","type":"byzcoin.Proof","id":1}}},"ReshareLTSReply":{"fields":{}},"DecryptKey":{"fields":{"read":{"rule":"required","type":"byzcoin.Proof","id":1},"write":{"rule":"required","type":"byzcoin.Proof","id":2}}},"DecryptKeyReply":{"fields":{"c":{"rule":"required","type":"bytes","id":1},"xhatenc":{"rule":"required","type":"bytes","id":2},"x":{"rule":"required","type":"bytes","id":3}}},"GetLTSReply":{"fields":{"ltsid":{"rule":"required","type":"bytes","id":1}}},"LtsInstanceInfo":{"fields":{"roster":{"rule":"required","type":"onet.Roster","id":1}}}}},"eventlog":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"EventLogProto"},"nested":{"SearchRequest":{"fields":{"instance":{"rule":"required","type":"bytes","id":1},"id":{"rule":"required","type":"bytes","id":2},"topic":{"rule":"required","type":"string","id":3},"from":{"rule":"required","type":"sint64","id":4},"to":{"rule":"required","type":"sint64","id":5}}},"SearchResponse":{"fields":{"events":{"rule":"repeated","type":"Event","id":1,"options":{"packed":false}},"truncated":{"rule":"required","type":"bool","id":2}}},"Event":{"fields":{"when":{"rule":"required","type":"sint64","id":1},"topic":{"rule":"required","type":"string","id":2},"content":{"rule":"required","type":"string","id":3}}}}},"ocs":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"OCS"},"nested":{"AddPolicyCreateOCS":{"fields":{"create":{"rule":"required","type":"Policy","id":1}}},"AddPolicyCreateOCSReply":{"fields":{}},"CreateOCS":{"fields":{"roster":{"rule":"required","type":"onet.Roster","id":1},"policyreencrypt":{"rule":"required","type":"Policy","id":2},"policyreshare":{"rule":"required","type":"Policy","id":3}}},"CreateOCSReply":{"fields":{"ocsid":{"rule":"required","type":"bytes","id":1}}},"GetProof":{"fields":{"ocsid":{"rule":"required","type":"bytes","id":1}}},"GetProofReply":{"fields":{"proof":{"rule":"required","type":"OCSProof","id":1}}},"Reencrypt":{"fields":{"ocsid":{"rule":"required","type":"bytes","id":1},"auth":{"rule":"required","type":"AuthReencrypt","id":2}}},"ReencryptReply":{"fields":{"x":{"rule":"required","type":"bytes","id":1},"xhatenc":{"rule":"required","type":"bytes","id":2},"c":{"rule":"required","type":"bytes","id":3}}},"Reshare":{"fields":{"ocsid":{"rule":"required","type":"bytes","id":1},"newroster":{"rule":"required","type":"onet.Roster","id":2},"auth":{"rule":"required","type":"AuthReshare","id":3}}},"ReshareReply":{"fields":{"sig":{"rule":"required","type":"bytes","id":1}}},"Policy":{"fields":{"byzcoin":{"type":"PolicyByzCoin","id":1},"x509cert":{"type":"PolicyX509Cert","id":2}}},"PolicyByzCoin":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1},"ttl":{"rule":"required","type":"uint64","id":2}}},"PolicyX509Cert":{"fields":{"ca":{"rule":"repeated","type":"bytes","id":1},"threshold":{"rule":"required","type":"sint32","id":2}}},"AuthCreate":{"fields":{"byzcoin":{"rule":"required","type":"AuthCreateByzcoin","id":1},"x509cert":{"rule":"required","type":"AuthCreateX509Cert","id":2}}},"AuthCreateByzcoin":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1},"ltsinstance":{"rule":"required","type":"bytes","id":2}}},"AuthCreateX509Cert":{"fields":{"certificates":{"rule":"repeated","type":"bytes","id":1}}},"AuthReencrypt":{"fields":{"ephemeral":{"rule":"required","type":"bytes","id":1},"byzcoin":{"type":"AuthReencryptByzCoin","id":2},"x509cert":{"type":"AuthReencryptX509Cert","id":3}}},"AuthReencryptByzCoin":{"fields":{"write":{"rule":"required","type":"bytes","id":1},"read":{"rule":"required","type":"bytes","id":2},"ephemeral":{"rule":"required","type":"bytes","id":3},"signature":{"type":"darc.Signature","id":4}}},"AuthReencryptX509Cert":{"fields":{"u":{"rule":"required","type":"bytes","id":1},"certificates":{"rule":"repeated","type":"bytes","id":2}}},"AuthReshare":{"fields":{"byzcoin":{"type":"AuthReshareByzCoin","id":1},"x509cert":{"type":"AuthReshareX509Cert","id":2}}},"AuthReshareByzCoin":{"fields":{"reshare":{"rule":"required","type":"bytes","id":1}}},"AuthReshareX509Cert":{"fields":{"certificates":{"rule":"repeated","type":"bytes","id":1}}},"OCSProof":{"fields":{"ocsid":{"rule":"required","type":"bytes","id":1},"roster":{"rule":"required","type":"onet.Roster","id":2},"policyreencrypt":{"rule":"required","type":"Policy","id":3},"policyreshare":{"rule":"required","type":"Policy","id":4},"signatures":{"rule":"repeated","type":"bytes","id":5}}}}},"personhood":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"Personhood"},"nested":{"PartyList":{"fields":{"newparty":{"type":"Party","id":1},"wipeparties":{"type":"bool","id":2}}},"PartyListResponse":{"fields":{"parties":{"rule":"repeated","type":"Party","id":1,"options":{"packed":false}}}},"Party":{"fields":{"roster":{"rule":"required","type":"onet.Roster","id":1},"byzcoinid":{"rule":"required","type":"bytes","id":2},"instanceid":{"rule":"required","type":"bytes","id":3}}},"RoPaSciList":{"fields":{"newropasci":{"type":"RoPaSci","id":1},"wipe":{"type":"bool","id":2}}},"RoPaSciListResponse":{"fields":{"ropascis":{"rule":"repeated","type":"RoPaSci","id":1,"options":{"packed":false}}}},"RoPaSci":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1},"ropasciid":{"rule":"required","type":"bytes","id":2}}},"StringReply":{"fields":{"reply":{"rule":"required","type":"string","id":1}}},"RoPaSciStruct":{"fields":{"description":{"rule":"required","type":"string","id":1},"stake":{"rule":"required","type":"byzcoin.Coin","id":2},"firstplayerhash":{"rule":"required","type":"bytes","id":3},"firstplayer":{"type":"sint32","id":4},"secondplayer":{"type":"sint32","id":5},"secondplayeraccount":{"type":"bytes","id":6}}},"CredentialStruct":{"fields":{"credentials":{"rule":"repeated","type":"Credential","id":1,"options":{"packed":false}}}},"Credential":{"fields":{"name":{"rule":"required","type":"string","id":1},"attributes":{"rule":"repeated","type":"Attribute","id":2,"options":{"packed":false}}}},"Attribute":{"fields":{"name":{"rule":"required","type":"string","id":1},"value":{"rule":"required","type":"bytes","id":2}}},"SpawnerStruct":{"fields":{"costdarc":{"rule":"required","type":"byzcoin.Coin","id":1},"costcoin":{"rule":"required","type":"byzcoin.Coin","id":2},"costcredential":{"rule":"required","type":"byzcoin.Coin","id":3},"costparty":{"rule":"required","type":"byzcoin.Coin","id":4},"beneficiary":{"rule":"required","type":"bytes","id":5},"costropasci":{"type":"byzcoin.Coin","id":6}}},"PopPartyStruct":{"fields":{"state":{"rule":"required","type":"sint32","id":1},"organizers":{"rule":"required","type":"sint32","id":2},"finalizations":{"rule":"repeated","type":"string","id":3},"description":{"rule":"required","type":"PopDesc","id":4},"attendees":{"rule":"required","type":"Attendees","id":5},"miners":{"rule":"repeated","type":"LRSTag","id":6,"options":{"packed":false}},"miningreward":{"rule":"required","type":"uint64","id":7},"previous":{"type":"bytes","id":8},"next":{"type":"bytes","id":9}}},"PopDesc":{"fields":{"name":{"rule":"required","type":"string","id":1},"purpose":{"rule":"required","type":"string","id":2},"datetime":{"rule":"required","type":"uint64","id":3},"location":{"rule":"required","type":"string","id":4}}},"FinalStatement":{"fields":{"desc":{"type":"PopDesc","id":1},"attendees":{"rule":"required","type":"Attendees","id":2}}},"Attendees":{"fields":{"keys":{"rule":"repeated","type":"bytes","id":1}}},"LRSTag":{"fields":{"tag":{"rule":"required","type":"bytes","id":1}}},"Poll":{"fields":{"byzcoinid":{"rule":"required","type":"bytes","id":1},"newpoll":{"type":"PollStruct","id":2},"list":{"type":"PollList","id":3},"answer":{"type":"PollAnswer","id":4}}},"PollList":{"fields":{"partyids":{"rule":"repeated","type":"bytes","id":1}}},"PollAnswer":{"fields":{"pollid":{"rule":"required","type":"bytes","id":1},"choice":{"rule":"required","type":"sint32","id":2},"lrs":{"rule":"required","type":"bytes","id":3}}},"PollStruct":{"fields":{"personhood":{"rule":"required","type":"bytes","id":1},"pollid":{"type":"bytes","id":2},"title":{"rule":"required","type":"string","id":3},"description":{"rule":"required","type":"string","id":4},"choices":{"rule":"repeated","type":"string","id":5},"chosen":{"rule":"repeated","type":"PollChoice","id":6,"options":{"packed":false}}}},"PollChoice":{"fields":{"choice":{"rule":"required","type":"sint32","id":1},"lrstag":{"rule":"required","type":"bytes","id":2}}},"PollResponse":{"fields":{"polls":{"rule":"repeated","type":"PollStruct","id":1,"options":{"packed":false}}}},"Capabilities":{"fields":{}},"CapabilitiesResponse":{"fields":{"capabilities":{"rule":"repeated","type":"Capability","id":1,"options":{"packed":false}}}},"Capability":{"fields":{"endpoint":{"rule":"required","type":"string","id":1},"version":{"rule":"required","type":"bytes","id":2}}},"UserLocation":{"fields":{"publickey":{"rule":"required","type":"bytes","id":1},"credentialiid":{"type":"bytes","id":2},"credential":{"type":"CredentialStruct","id":3},"location":{"type":"string","id":4},"time":{"rule":"required","type":"sint64","id":5}}},"Meetup":{"fields":{"userlocation":{"type":"UserLocation","id":1},"wipe":{"type":"bool","id":2}}},"MeetupResponse":{"fields":{"users":{"rule":"repeated","type":"UserLocation","id":1,"options":{"packed":false}}}}}},"status":{"options":{"java_package":"ch.epfl.dedis.lib.proto","java_outer_classname":"StatusProto"},"nested":{"Request":{"fields":{}},"Response":{"fields":{"status":{"keyType":"string","type":"onet.Status","id":1},"serveridentity":{"type":"network.ServerIdentity","id":2}}}}}}}
\ No newline at end of file
diff --git a/external/proto/authprox.proto b/external/proto/authprox.proto
index f8f779c0c6..e92dd11171 100644
--- a/external/proto/authprox.proto
+++ b/external/proto/authprox.proto
@@ -18,7 +18,7 @@ message EnrollResponse {
 }
 
 // SignatureRequest is the request sent to this service to request that
-// the Authentication Proxy check the authentication information and
+// the Policy Proxy check the authentication information and
 // generate a signature connecting some information identifying the
 // holder of the AuthInfo to the message.
 message SignatureRequest {
diff --git a/external/proto/calypso.proto b/external/proto/calypso.proto
index bfe987dcbb..af6b2c8d52 100644
--- a/external/proto/calypso.proto
+++ b/external/proto/calypso.proto
@@ -28,8 +28,9 @@ message Write {
   // f is the proof - written in uppercase here so it is an exported
   // field, but in the OCS-paper it's lowercase.
   required bytes f = 5;
-  // C is the ElGamal parts for the symmetric key material (might also
-  // contain an IV)
+  // C is the ElGamal part for the symmetric key material, at maximum length
+  // of ed25519.Point.EmbedLen * 8 = 240 bits. An eventual IV must be published
+  // in ExtraData, as it is not necessary to be encrypted.
   required bytes c = 6;
   // ExtraData is clear text and application-specific
   optional bytes extradata = 7;
@@ -58,7 +59,7 @@ message Authorise {
 message AuthoriseReply {
 }
 
-// CreateLTS is used to start a DKG and store the private keys in each node.
+// CreateOCS is used to start a DKG and store the private keys in each node.
 // Prior to using this request, the Calypso roster must be recorded on the
 // ByzCoin blockchain in the instance specified by InstanceID.
 message CreateLTS {
@@ -86,7 +87,7 @@ message ReshareLTS {
 message ReshareLTSReply {
 }
 
-// DecryptKey is sent by a reader after he successfully stored a 'Read' request
+// Reencrypt is sent by a reader after he successfully stored a 'Read' request
 // in byzcoin Client.
 message DecryptKey {
   // Read is the proof that he has been accepted to read the secret.
diff --git a/external/proto/darc.proto b/external/proto/darc.proto
index 8d5a778b69..cdb0a624d2 100644
--- a/external/proto/darc.proto
+++ b/external/proto/darc.proto
@@ -59,7 +59,7 @@ message IdentityX509EC {
 }
 
 // IdentityProxy holds the info necessary to verify a claim
-// from an external authentication system via an Authentication Proxy.
+// from an external authentication system via an Policy Proxy.
 message IdentityProxy {
   required string data = 1;
   required bytes public = 2;
@@ -101,7 +101,7 @@ message SignerX509EC {
 }
 
 // SignerProxy holds the information necessary to verify claims
-// coming from external authentication systems via Authentication Proxies.
+// coming from external authentication systems via Policy Proxies.
 message SignerProxy {
   required string data = 1;
   required bytes public = 2;
diff --git a/external/proto/ocs.proto b/external/proto/ocs.proto
new file mode 100644
index 0000000000..f208a174d4
--- /dev/null
+++ b/external/proto/ocs.proto
@@ -0,0 +1,209 @@
+syntax = "proto2";
+package ocs;
+import "onet.proto";
+import "darc.proto";
+
+option java_package = "ch.epfl.dedis.lib.proto";
+option java_outer_classname = "OCS";
+
+// ***
+// API calls
+// ***
+
+// AddPolicyCreateOCS is sent by a local admin to add a rule to define who is
+// authorized to create a new OCS.
+message AddPolicyCreateOCS {
+  required Policy create = 1;
+}
+
+// AddPolicyCreateOCSReply is an empty reply if the policy has been successfully
+// created.
+message AddPolicyCreateOCSReply {
+}
+
+// CreateOCS is sent to the service to request a new OCS cothority.
+// It holds the two policies necessary to define an OCS: how to
+// authenticate a reencryption request, and how to authenticate a
+// resharing request.
+// In the current form, both policies point to the same structure. If at
+// a later moment a new access control backend is added, it might be that
+// the policies will differ for this new backend.
+message CreateOCS {
+  required onet.Roster roster = 1;
+  required Policy policyreencrypt = 2;
+  required Policy policyreshare = 3;
+}
+
+// CreateOCSReply is the reply sent by the conode if the OCS has been
+// setup correctly. It contains the ID of the OCS, which is the binary
+// representation of the aggregate public key. It also has the Sig, which
+// is the collective signature of all nodes on the aggregate public key
+// and the authentication.
+message CreateOCSReply {
+  required bytes ocsid = 1;
+}
+
+// GetProof is sent to a node to have him sign his definition of the
+// given OCS.
+message GetProof {
+  required bytes ocsid = 1;
+}
+
+// GetProofReply contains the additional info that node has on the given
+// OCS, as well as a signature using the services private key.
+message GetProofReply {
+  required OCSProof proof = 1;
+}
+
+// Reencrypt is sent to the service to request a re-encryption of the
+// secret given in AuthReencrypt. AuthReencrypt must also contain the proof that the
+// request is valid, as well as the ephemeral key, to which the secret
+// will be re-encrypted.
+message Reencrypt {
+  required bytes ocsid = 1;
+  required AuthReencrypt auth = 2;
+}
+
+// MessageReencryptReply is the reply if the re-encryption is successful, and
+// it contains XHat, which is the secret re-encrypted to the ephemeral
+// key given in AuthReencrypt.
+message ReencryptReply {
+  required bytes x = 1;
+  required bytes xhatenc = 2;
+  required bytes c = 3;
+}
+
+// Reshare is called to ask OCS to change the roster. It needs a valid
+// authentication before the private keys are re-distributed over the new
+// roster.
+// TODO: should NewRoster be always present in AuthReshare? It will be present
+// TODO: at least in AuthReshareByzCoin, but might not in other AuthReshares
+message Reshare {
+  required bytes ocsid = 1;
+  required onet.Roster newroster = 2;
+  required AuthReshare auth = 3;
+}
+
+// ReshareReply is returned if the resharing has been completed successfully
+// and contains the collective signature on the message
+//   sha256( X | NewRoster )
+message ReshareReply {
+  required bytes sig = 1;
+}
+
+// ***
+// Common structures
+// ***
+
+// Policy holds all possible authentication structures. When using it to call
+// Authorise, only one of the fields must be non-nil.
+message Policy {
+  optional PolicyByzCoin byzcoin = 1;
+  optional PolicyX509Cert x509cert = 2;
+}
+
+// PolicyByzCoin holds the information necessary to authenticate a byzcoin request.
+// In the ByzCoin model, all requests are valid as long as they are stored in the
+// blockchain with the given ID.
+// The TTL is to avoid that too old requests are re-used. If it is 0, it is disabled.
+message PolicyByzCoin {
+  required bytes byzcoinid = 1;
+  required uint64 ttl = 2;
+}
+
+// X509Cert holds the information necessary to authenticate a HyperLedger/Fabric
+// request. In its simplest form, it is simply the CA that will have to sign the
+// certificates of the requesters.
+// The Threshold indicates how many clients must have signed the request before it
+// is accepted.
+message PolicyX509Cert {
+  // Slice of ASN.1 encoded X509 certificates.
+  repeated bytes ca = 1;
+  required sint32 threshold = 2;
+}
+
+// AuthCreate prooves that the caller has the right to create a new OCS
+// instance.
+message AuthCreate {
+  required AuthCreateByzcoin byzcoin = 1;
+  required AuthCreateX509Cert x509cert = 2;
+}
+
+// AuthCreateByzcoin must give the ByzcoinID and the proof to the LTSInstance
+// for the creation of a new OCS.
+message AuthCreateByzcoin {
+  required bytes byzcoinid = 1;
+  required bytes ltsinstance = 2;
+}
+
+// AuthCreateX509Cert must give a threshold number of certificates to proof that
+// the caller has the right to create a new OCS.
+message AuthCreateX509Cert {
+  repeated bytes certificates = 1;
+}
+
+// AuthReencrypt holds one of the possible authentication proofs for a reencryption request. Each
+// authentication proof must hold the secret to be reencrypted, the ephemeral key, as well
+// as the proof itself that the request is valid. For each of the authentication
+// schemes, this proof will be different.
+message AuthReencrypt {
+  required bytes ephemeral = 1;
+  optional AuthReencryptByzCoin byzcoin = 2;
+  optional AuthReencryptX509Cert x509cert = 3;
+}
+
+// AuthReencryptByzCoin holds the proof of the write instance, holding the secret itself.
+// The proof of the read instance holds the ephemeral key. Both proofs can be
+// verified using one of the stored ByzCoinIDs.
+message AuthReencryptByzCoin {
+  // Write is the proof containing the write request.
+  required bytes write = 1;
+  // Read is the proof that he has been accepted to read the secret.
+  required bytes read = 2;
+  // Ephemeral can be non-nil to point to a key to which the data needs to be
+  // re-encrypted to, but then Signature also needs to be non-nil.
+  required bytes ephemeral = 3;
+  // If Ephemeral si non-nil, it must be signed by the darc responsible for the
+  // Read instance to make sure it's a valid reencryption-request.
+  optional darc.Signature signature = 4;
+}
+
+// AuthReencryptX509Cert holds the proof that at least a threshold number of clients
+// accepted the reencryption.
+// For each client, there must exist a certificate that can be verified by the
+// CA certificate from X509Cert. Additionally, each client must sign the
+// following message:
+//   sha256( Secret | Ephemeral | Time )
+message AuthReencryptX509Cert {
+  required bytes u = 1;
+  repeated bytes certificates = 2;
+}
+
+// AuthReshare holds the proof that at least a threshold number of clients accepted the
+// request to reshare the secret key. The authentication must hold the new roster, as
+// well as the proof that the new roster should be applied to a given OCS.
+message AuthReshare {
+  optional AuthReshareByzCoin byzcoin = 1;
+  optional AuthReshareX509Cert x509cert = 2;
+}
+
+// AuthReshareByzCoin holds the byzcoin-proof that contains the latest OCS-instance
+// which includes the roster. The OCS-nodes will make sure that the version of the
+// OCS-instance is bigger than the current version.
+message AuthReshareByzCoin {
+  required bytes reshare = 1;
+}
+
+// AuthReshareX509Cert holds the X509 proof that the new roster is valid.
+message AuthReshareX509Cert {
+  repeated bytes certificates = 1;
+}
+
+// OCSProof can be used to proof
+message OCSProof {
+  required bytes ocsid = 1;
+  required onet.Roster roster = 2;
+  required Policy policyreencrypt = 3;
+  required Policy policyreshare = 4;
+  repeated bytes signatures = 5;
+}
diff --git a/go.mod b/go.mod
index e63f065896..afb1ee0021 100644
--- a/go.mod
+++ b/go.mod
@@ -4,21 +4,24 @@ require (
 	github.com/BurntSushi/toml v0.3.1
 	github.com/bford/golang-x-crypto v0.0.0-20160518072526-27db609c9d03
 	github.com/coreos/go-oidc v2.0.0+incompatible
-	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 	github.com/prataprc/goparsec v0.0.0-20180806094145-2600a2a4a410
 	github.com/qantik/qrgo v0.0.0-20160917134849-0c6b902c59f6
 	github.com/satori/go.uuid v1.2.0
 	github.com/stretchr/testify v1.3.0
-	go.dedis.ch/kyber/v3 v3.0.0
-	go.dedis.ch/onet/v3 v3.0.2
+	go.dedis.ch/fixbuf v1.0.3
+	go.dedis.ch/kyber/v3 v3.0.2
+	go.dedis.ch/onet/v3 v3.0.5
 	go.dedis.ch/protobuf v1.0.6
-	go.etcd.io/bbolt v1.3.0
+	go.etcd.io/bbolt v1.3.2
+	golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576
 	golang.org/x/oauth2 v0.0.0-20190115181402-5dab4167f31c
-	golang.org/x/sys v0.0.0-20190124100055-b90733256f2e
+	golang.org/x/sys v0.0.0-20190322080309-f49334f85ddc
 	golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2 // indirect
 	gopkg.in/satori/go.uuid.v1 v1.2.0
 	gopkg.in/square/go-jose.v2 v2.2.2 // indirect
 	gopkg.in/urfave/cli.v1 v1.20.0
 )
+
+replace go.dedis.ch/kyber/v3 => ./kyber
diff --git a/go.sum b/go.sum
index f49c71aa56..21489750ec 100644
--- a/go.sum
+++ b/go.sum
@@ -43,6 +43,7 @@ github.com/qantik/qrgo v0.0.0-20160917134849-0c6b902c59f6/go.mod h1:if1RdEJ8j9Pb
 github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 go.dedis.ch/fixbuf v1.0.3 h1:hGcV9Cd/znUxlusJ64eAlExS+5cJDIyTyEG+otu5wQs=
@@ -51,15 +52,23 @@ go.dedis.ch/kyber/v3 v3.0.0-pre2 h1:ezviD36AEOytXJn91tsvQeR+rEzo3UOh75P/PzSisRo=
 go.dedis.ch/kyber/v3 v3.0.0-pre2/go.mod h1:OzvaEnPvKlyrWyp3kGXlFdp7ap1VC6RkZDTaPikqhsQ=
 go.dedis.ch/kyber/v3 v3.0.0 h1:XuefPFGJKPyfPBD6kXctbLb4smT9Il5HmUn303JRr08=
 go.dedis.ch/kyber/v3 v3.0.0/go.mod h1:OzvaEnPvKlyrWyp3kGXlFdp7ap1VC6RkZDTaPikqhsQ=
+go.dedis.ch/kyber/v3 v3.0.2 h1:dhYLJksmOau7TYf1JS0iTpW6Bus+mtqxJBbM0Q/E9HU=
+go.dedis.ch/kyber/v3 v3.0.2/go.mod h1:OzvaEnPvKlyrWyp3kGXlFdp7ap1VC6RkZDTaPikqhsQ=
 go.dedis.ch/onet/v3 v3.0.2 h1:+jBLnoQBHMDJ1lVgkcbmkKNWqXma8n9R/5/7VZ1wZls=
 go.dedis.ch/onet/v3 v3.0.2/go.mod h1:xqmP2+NvxeNzgmNj/4hf56EZm3KT0Qksz98miZw5G3A=
+go.dedis.ch/onet/v3 v3.0.5 h1:Ysm96KuRt1OavrRpa1Vi09DqljXBCDwaiur34DTvra8=
+go.dedis.ch/onet/v3 v3.0.5/go.mod h1:0wrof0zfyD+Qfw9Pfhu9jW+bTbwwWBzC1hMuV/c8v2w=
 go.dedis.ch/protobuf v1.0.5/go.mod h1:eIV4wicvi6JK0q/QnfIEGeSFNG0ZeB24kzut5+HaRLo=
 go.dedis.ch/protobuf v1.0.6 h1:E61p2XjYbYrTf3WeXE8M8Ui5WA3hX/NgbHHi5D0FLxI=
 go.dedis.ch/protobuf v1.0.6/go.mod h1:YHYXW6dQ9p2iJ3f+2fxKnOpjGx0MvL4cwpg1RVNXaV8=
 go.etcd.io/bbolt v1.3.0 h1:oY10fI923Q5pVCVt1GBTZMn8LHo5M+RCInFpeMnV4QI=
 go.etcd.io/bbolt v1.3.0/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.etcd.io/bbolt v1.3.2 h1:Z/90sZLPOeCy2PwprqkFa25PdkusRzaj9P8zm/KNyvk=
+go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 golang.org/x/crypto v0.0.0-20190123085648-057139ce5d2b h1:Elez2XeF2p9uyVj0yEUDqQ56NFcDtcBNkYP7yv8YbUE=
 golang.org/x/crypto v0.0.0-20190123085648-057139ce5d2b/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576 h1:aUX/1G2gFSs4AsJJg2cL3HuoRhCSCz733FE5GUSuaT4=
+golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3 h1:ulvT7fqt0yHWzpJwI57MezWnYDVpCAYBVuYst/L+fAY=
@@ -70,6 +79,9 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FY
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190124100055-b90733256f2e h1:3GIlrlVLfkoipSReOMNAgApI0ajnalyLa/EZHHca/XI=
 golang.org/x/sys v0.0.0-20190124100055-b90733256f2e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190322080309-f49334f85ddc h1:4gbWbmmPFp4ySWICouJl6emP0MyS31yy9SrTlAGFT+g=
+golang.org/x/sys v0.0.0-20190322080309-f49334f85ddc/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2 h1:z99zHgr7hKfrUcX/KsoJk5FJfjTceCKIp96+biqP4To=
diff --git a/kyber/.gitattributes b/kyber/.gitattributes
new file mode 100644
index 0000000000..a5e27ec9a0
--- /dev/null
+++ b/kyber/.gitattributes
@@ -0,0 +1,2 @@
+go.mod    linguist-generated=false
+go.sum    linguist-generated=false
diff --git a/kyber/.gitignore b/kyber/.gitignore
new file mode 100644
index 0000000000..f615171a7b
--- /dev/null
+++ b/kyber/.gitignore
@@ -0,0 +1,18 @@
+*.iml
+*.o
+*.pyc
+*.swp
+*~
+moc_*
+ext/
+dissent
+docs/html
+test.log
+libdissent.so*
+keygen
+*.moc
+entry_tunnel
+exit_tunnel
+.DS_Store
+*.cov
+profile.tmp
\ No newline at end of file
diff --git a/kyber/.travis.yml b/kyber/.travis.yml
new file mode 100644
index 0000000000..7a6cc36875
--- /dev/null
+++ b/kyber/.travis.yml
@@ -0,0 +1,21 @@
+language: go
+
+go:
+  - "1.11.x"
+
+go_import_path: go.dedis.ch/kyber/v3
+
+install:
+  - go get github.com/dedis/Coding || true
+
+script:
+  - env GO111MODULE=on make test
+
+notifications:
+  email: false
+
+# https://restic.net/blog/2018-09-02/travis-build-cache
+cache:
+  directories:
+    - $HOME/.cache/go-build
+    - $GOPATH/pkg/mod
diff --git a/kyber/LICENSE b/kyber/LICENSE
new file mode 100644
index 0000000000..411d65a24c
--- /dev/null
+++ b/kyber/LICENSE
@@ -0,0 +1,375 @@
+This code is (c) by DEDIS/EPFL 2017 under the MPL v2 or later version.
+
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.
\ No newline at end of file
diff --git a/kyber/Makefile b/kyber/Makefile
new file mode 100644
index 0000000000..01cfb50918
--- /dev/null
+++ b/kyber/Makefile
@@ -0,0 +1,38 @@
+all: test
+
+gopath=$(shell go env GOPATH)
+CODING = $(gopath)/src/github.com/dedis/Coding/bin
+
+test_fmt:
+	@echo Checking correct formatting of files
+	@{ \
+		files=$$( go fmt ./... ); \
+		if [ -n "$$files" ]; then \
+		echo "Files not properly formatted: $$files"; \
+		exit 1; \
+		fi; \
+		if ! go vet ./...; then \
+		exit 1; \
+		fi \
+	}
+
+test_lint:
+	@echo Checking linting of files
+	@{ \
+		go get -u github.com/golang/lint/golint; \
+		lintfiles=$$( golint ./... | egrep -v _test.go ); \
+		if [ -n "$$lintfiles" ]; then \
+		echo "Lint errors:"; \
+		echo "$$lintfiles"; \
+		exit 1; \
+		fi \
+	}
+
+test_goveralls:
+	go get github.com/mattn/goveralls
+	$(CODING)/coveralls.sh $(EXCLUDE_TEST)
+	$(gopath)/bin/goveralls -coverprofile=profile.cov -service=travis-ci || true
+
+test: test_fmt test_lint test_goveralls
+
+
diff --git a/kyber/README.md b/kyber/README.md
new file mode 100644
index 0000000000..30de55e640
--- /dev/null
+++ b/kyber/README.md
@@ -0,0 +1,72 @@
+[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://godoc.org/go.dedis.ch/kyber)
+[![Build Status](https://travis-ci.org/dedis/kyber.svg?branch=master)](https://travis-ci.org/dedis/kyber)
+
+DEDIS Advanced Crypto Library for Go
+====================================
+
+This package provides a toolbox of advanced cryptographic primitives for Go,
+targeting applications like [Cothority](https://go.dedis.ch/cothority)
+that need more than straightforward signing and encryption.
+Please see the
+[Godoc documentation for this package](https://godoc.org/go.dedis.ch/kyber)
+for details on the library's purpose and API functionality.
+
+This package includes a mix of variable time and constant time
+implementations. If your application is sensitive to timing-based attacks
+and you need to constrain Kyber to offering only constant time implementations,
+you should use the [suites.RequireConstantTime()](https://godoc.org/go.dedis.ch/kyber/suites#RequireConstantTime)
+function in the `init()` function of your `main` package.
+
+Versioning - Development
+------------------------
+
+We use the following versioning model:
+
+* crypto.v0 was the first semi-stable version. See [migration notes](https://github.com/dedis/kyber/wiki/Migration-from-gopkg.in-dedis-crypto.v0).
+* kyber.v1 never existed, in order to keep kyber, onet and cothorithy versions linked
+* gopkg.in/dedis/kyber.v2 was the last stable version
+* Starting with v3.0.0, kyber is a Go module, and we respect [semantic versioning](https://golang.org/cmd/go/#hdr-Module_compatibility_and_semantic_versioning).
+
+So if you depend on the master branch, you can expect breakages from time
+to time. If you need something that doesn't change in a backward-compatible
+way you should use have a `go.mod` file in the directory where your
+main package is.
+
+Installing
+----------
+
+First make sure you have [Go](https://golang.org) version 1.11 or newer installed.
+
+The basic crypto library requires only Go and a few
+third-party Go-language dependencies that can be installed automatically
+as follows:
+
+	go get go.dedis.ch/kyber
+
+You can recursively test all the packages in the library as follows:
+
+	go test -v ./...
+
+A note on deriving shared secrets
+---------------------------------
+
+Traditionally, ECDH (Elliptic curve Diffie-Hellman) derives the shared secret
+from the x point only. In this framework, you can either manually retrieve the
+value or use the MarshalBinary method to take the combined (x, y) value as the
+shared secret. We recommend the latter process for new softare/protocols using
+this framework as it is cleaner and generalizes across different types of groups
+(e.g., both integer and elliptic curves), although it will likely be
+incompatible with other implementations of ECDH. See [the Wikipedia
+page](http://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman) on
+ECDH.
+
+Reporting security problems
+---------------------------
+
+This library is offered as-is, and without a guarantee. It will need an
+independent security review before it should be considered ready for use in
+security-critical applications. If you integrate Kyber into your application it
+is YOUR RESPONSIBILITY to arrange for that audit.
+
+If you notice a possible security problem, please report it
+to dedis-security@epfl.ch.
diff --git a/kyber/doc.go b/kyber/doc.go
new file mode 100644
index 0000000000..b20959ef64
--- /dev/null
+++ b/kyber/doc.go
@@ -0,0 +1,123 @@
+/*
+Package kyber provides a toolbox of advanced cryptographic primitives,
+for applications that need more than straightforward signing and encryption.
+This top level package defines the interfaces to cryptographic primitives
+designed to be independent of specific cryptographic algorithms,
+to facilitate upgrading applications to new cryptographic algorithms
+or switching to alternative algorithms for experimentation purposes.
+
+Abstract Groups
+
+This toolkits public-key crypto API includes a kyber.Group interface
+supporting a broad class of group-based public-key primitives
+including DSA-style integer residue groups and elliptic curve groups. Users of
+this API can write higher-level crypto algorithms such as zero-knowledge
+proofs without knowing or caring exactly what kind of group, let alone which
+precise security parameters or elliptic curves, are being used. The kyber.Group
+interface supports the standard algebraic operations on group elements and
+scalars that nontrivial public-key algorithms tend to rely on. The interface
+uses additive group terminology typical for elliptic curves, such that point
+addition is homomorphically equivalent to adding their (potentially secret)
+scalar multipliers. But the API and its operations apply equally well to
+DSA-style integer groups.
+
+As a trivial example, generating a public/private keypair is as simple as:
+
+    suite := suites.MustFind("Ed25519")		// Use the edwards25519-curve
+	a := suite.Scalar().Pick(suite.RandomStream()) // Alice's private key
+	A := suite.Point().Mul(a, nil)          // Alice's public key
+
+The first statement picks a private key (Scalar) from a the suites's source of
+cryptographic random or pseudo-random bits, while the second performs elliptic
+curve scalar multiplication of the curve's standard base point (indicated by the
+'nil' argument to Mul) by the scalar private key 'a'. Similarly, computing a
+Diffie-Hellman shared secret using Alice's private key 'a' and Bob's public key
+'B' can be done via:
+
+	S := suite.Point().Mul(a, B)		// Shared Diffie-Hellman secret
+
+Note that we use 'Mul' rather than 'Exp' here because the library uses
+the additive-group terminology common for elliptic curve crypto,
+rather than the multiplicative-group terminology of traditional
+integer groups - but the two are semantically equivalent and the
+interface itself works for both elliptic curve and integer groups.
+
+Higher-level Building Blocks
+
+Various sub-packages provide several specific
+implementations of these cryptographic interfaces.
+In particular, the 'group/mod' sub-package provides implementations
+of modular integer groups underlying conventional DSA-style algorithms.
+The `group/nist` package provides NIST-standardized elliptic curves built on
+the Go crypto library.
+The 'group/edwards25519' sub-package provides the kyber.Group interface
+using the popular Ed25519 curve.
+
+Other sub-packages build more interesting high-level cryptographic tools
+atop these primitive interfaces, including:
+
+- share: Polynomial commitment and verifiable Shamir secret splitting
+for implementing verifiable 't-of-n' threshold cryptographic schemes.
+This can be used to encrypt a message so that any 2 out of 3 receivers
+must work together to decrypt it, for example.
+
+- proof: An implementation of the general Camenisch/Stadler framework
+for discrete logarithm knowledge proofs.
+This system supports both interactive and non-interactive proofs
+of a wide variety of statements such as,
+"I know the secret x associated with public key X
+or I know the secret y associated with public key Y",
+without revealing anything about either secret
+or even which branch of the "or" clause is true.
+
+- sign: The sign directory contains different signature schemes.
+
+- sign/anon provides anonymous and pseudonymous public-key encryption and signing,
+where the sender of a signed message or the receiver of an encrypted message
+is defined as an explicit anonymity set containing several public keys
+rather than just one. For example, a member of an organization's board of trustees
+might prove to be a member of the board without revealing which member she is.
+
+- sign/cosi provides collective signature algorithm, where a bunch of signers create a
+unique, compact and efficiently verifiable signature using the Schnorr signature as a basis.
+
+- sign/eddsa provides a kyber-native implementation of the EdDSA signature scheme.
+
+- sign/schnorr provides a basic vanilla Schnorr signature scheme implementation.
+
+- shuffle: Verifiable cryptographic shuffles of ElGamal ciphertexts,
+which can be used to implement (for example) voting or auction schemes
+that keep the sources of individual votes or bids private
+without anyone having to trust more than one of the shuffler(s) to shuffle
+votes/bids honestly.
+
+Target Use-cases
+
+As should be obvious, this library is intended to be used by
+developers who are at least moderately knowledgeable about
+cryptography. If you want a crypto library that makes it easy to
+implement "basic crypto" functionality correctly - i.e., plain
+public-key encryption and signing - then
+[NaCl secretbox](https://godoc.org/golang.org/x/crypto/nacl/secretbox)
+may be a better choice. This toolkit's purpose is to make it possible
+- and preferably easy - to do slightly more interesting things that
+most current crypto libraries don't support effectively. The one
+existing crypto library that this toolkit is probably most comparable
+to is the Charm rapid prototyping library for Python
+(https://charm-crypto.com/category/charm).
+
+This library incorporates and/or builds on existing code from a variety of
+sources, as documented in the relevant sub-packages.
+
+Reporting Security Problems
+
+This library is offered as-is, and without a guarantee. It will need an
+independent security review before it should be considered ready for use in
+security-critical applications. If you integrate Kyber into your application it
+is YOUR RESPONSIBILITY to arrange for that audit.
+
+If you notice a possible security problem, please report it
+to dedis-security@epfl.ch.
+
+*/
+package kyber
diff --git a/kyber/encoding.go b/kyber/encoding.go
new file mode 100644
index 0000000000..3b927733d0
--- /dev/null
+++ b/kyber/encoding.go
@@ -0,0 +1,49 @@
+package kyber
+
+import (
+	"encoding"
+	"io"
+)
+
+/*
+Marshaling is a basic interface representing fixed-length (or known-length)
+cryptographic objects or structures having a built-in binary encoding.
+Implementors must ensure that calls to these methods do not modify
+the underlying object so that other users of the object can access
+it concurrently.
+*/
+type Marshaling interface {
+	encoding.BinaryMarshaler
+	encoding.BinaryUnmarshaler
+
+	// String returns the human readable string representation of the object.
+	String() string
+
+	// Encoded length of this object in bytes.
+	MarshalSize() int
+
+	// Encode the contents of this object and write it to an io.Writer.
+	MarshalTo(w io.Writer) (int, error)
+
+	// Decode the content of this object by reading from an io.Reader.
+	// If r is an XOF, it uses r to pick a valid object pseudo-randomly,
+	// which may entail reading more than Len bytes due to retries.
+	UnmarshalFrom(r io.Reader) (int, error)
+}
+
+// Encoding represents an abstract interface to an encoding/decoding that can be
+// used to marshal/unmarshal objects to and from streams. Different Encodings
+// will have different constraints, of course. Two implementations are
+// available:
+//
+//   1. The protobuf encoding using the variable length Google Protobuf encoding
+//      scheme. The library is available at https://go.dedis.ch/protobuf
+//   2. The fixbuf encoding, a fixed length binary encoding of arbitrary
+//      structures. The library is available at https://go.dedis.ch/fixbuf.
+type Encoding interface {
+	// Encode and write objects to an io.Writer.
+	Write(w io.Writer, objs ...interface{}) error
+
+	// Read and decode objects from an io.Reader.
+	Read(r io.Reader, objs ...interface{}) error
+}
diff --git a/kyber/encrypt/ecies/ecies.go b/kyber/encrypt/ecies/ecies.go
new file mode 100644
index 0000000000..eabc28f7a1
--- /dev/null
+++ b/kyber/encrypt/ecies/ecies.go
@@ -0,0 +1,126 @@
+// Package ecies implements the Elliptic Curve Integrated Encryption Scheme (ECIES).
+package ecies
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/sha256"
+	"errors"
+	"hash"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/util/random"
+	"golang.org/x/crypto/hkdf"
+)
+
+// Encrypt first computes a shared DH key using the given public key, then
+// HKDF-derives a symmetric key (and nonce) from that, and finally uses these
+// values to encrypt the given message via AES-GCM. If the hash input parameter
+// is nil then SHA256 is used as a default. Encrypt returns a byte slice
+// containing the ephemeral elliptic curve point of the DH key exchange and the
+// ciphertext or an error.
+func Encrypt(group kyber.Group, public kyber.Point, message []byte, hash func() hash.Hash) ([]byte, error) {
+	if hash == nil {
+		hash = sha256.New
+	}
+
+	// Generate an ephemeral elliptic curve scalar and point
+	r := group.Scalar().Pick(random.New())
+	R := group.Point().Mul(r, nil)
+
+	// Compute shared DH key
+	dh := group.Point().Mul(r, public)
+
+	// Derive symmetric key and nonce via HKDF (NOTE: Since we use a new
+	// ephemeral key for every ECIES encryption and thus have a fresh
+	// HKDF-derived key for AES-GCM, the nonce for AES-GCM can be an arbitrary
+	// (even static) value. We derive it here simply via HKDF as well.)
+	len := 32 + 12
+	buf, err := deriveKey(hash, dh, len)
+	if err != nil {
+		return nil, err
+	}
+	key := buf[:32]
+	nonce := buf[32:len]
+
+	// Encrypt message using AES-GCM
+	aes, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	aesgcm, err := cipher.NewGCM(aes)
+	if err != nil {
+		return nil, err
+	}
+	c := aesgcm.Seal(nil, nonce, message, nil)
+
+	// Serialize ephemeral elliptic curve point and ciphertext
+	var ctx bytes.Buffer
+	_, err = R.MarshalTo(&ctx)
+	if err != nil {
+		return nil, err
+	}
+	_, err = ctx.Write(c)
+	if err != nil {
+		return nil, err
+	}
+	return ctx.Bytes(), nil
+}
+
+// Decrypt first computes a shared DH key using the received ephemeral elliptic
+// curve point (stored in the first part of ctx), then HKDF-derives a symmetric
+// key (and nonce) from that, and finally uses these values to decrypt the
+// given ciphertext (stored in the second part of ctx) via AES-GCM. If the hash
+// input parameter is nil then SHA256 is used as a default. Decrypt returns the
+// plaintext message or an error.
+func Decrypt(group kyber.Group, private kyber.Scalar, ctx []byte, hash func() hash.Hash) ([]byte, error) {
+	if hash == nil {
+		hash = sha256.New
+	}
+
+	// Reconstruct the ephemeral elliptic curve point
+	R := group.Point()
+	l := group.PointLen()
+	if err := R.UnmarshalBinary(ctx[:l]); err != nil {
+		return nil, err
+	}
+
+	// Compute shared DH key and derive the symmetric key and nonce via HKDF
+	dh := group.Point().Mul(private, R)
+	len := 32 + 12
+	buf, err := deriveKey(hash, dh, len)
+	if err != nil {
+		return nil, err
+	}
+	key := buf[:32]
+	nonce := buf[32:len]
+
+	// Decrypt message using AES-GCM
+	aes, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	aesgcm, err := cipher.NewGCM(aes)
+	if err != nil {
+		return nil, err
+	}
+	return aesgcm.Open(nil, nonce, ctx[l:], nil)
+}
+
+func deriveKey(hash func() hash.Hash, dh kyber.Point, len int) ([]byte, error) {
+	dhb, err := dh.MarshalBinary()
+	if err != nil {
+		return nil, err
+	}
+	hkdf := hkdf.New(hash, dhb, nil, nil)
+	key := make([]byte, len, len)
+	n, err := hkdf.Read(key)
+	if err != nil {
+		return nil, err
+	}
+	if n < len {
+		return nil, errors.New("ecies: hkdf-derived key too short")
+	}
+	return key, nil
+}
diff --git a/kyber/encrypt/ecies/ecies_test.go b/kyber/encrypt/ecies/ecies_test.go
new file mode 100644
index 0000000000..9668a6e34f
--- /dev/null
+++ b/kyber/encrypt/ecies/ecies_test.go
@@ -0,0 +1,46 @@
+package ecies
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+func TestECIES(t *testing.T) {
+	message := []byte("Hello ECIES")
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	private := suite.Scalar().Pick(random.New())
+	public := suite.Point().Mul(private, nil)
+	ciphertext, err := Encrypt(suite, public, message, suite.Hash)
+	require.Nil(t, err)
+	plaintext, err := Decrypt(suite, private, ciphertext, suite.Hash)
+	require.Nil(t, err)
+	require.Equal(t, message, plaintext)
+}
+
+func TestECIESFailPoint(t *testing.T) {
+	message := []byte("Hello ECIES")
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	private := suite.Scalar().Pick(random.New())
+	public := suite.Point().Mul(private, nil)
+	ciphertext, err := Encrypt(suite, public, message, nil)
+	require.Nil(t, err)
+	ciphertext[0] ^= 0xff
+	_, err = Decrypt(suite, private, ciphertext, nil)
+	require.NotNil(t, err)
+}
+
+func TestECIESFailCiphertext(t *testing.T) {
+	message := []byte("Hello ECIES")
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	private := suite.Scalar().Pick(random.New())
+	public := suite.Point().Mul(private, nil)
+	ciphertext, err := Encrypt(suite, public, message, nil)
+	require.Nil(t, err)
+	l := suite.PointLen()
+	ciphertext[l] ^= 0xff
+	_, err = Decrypt(suite, private, ciphertext, nil)
+	require.NotNil(t, err)
+}
diff --git a/kyber/examples/dh_test.go b/kyber/examples/dh_test.go
new file mode 100644
index 0000000000..7e47b53cd1
--- /dev/null
+++ b/kyber/examples/dh_test.go
@@ -0,0 +1,49 @@
+package examples
+
+import (
+	"fmt"
+
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/xof/blake2xb"
+)
+
+/*
+This example illustrates how to use the crypto toolkit's kyber.group API
+to perform basic Diffie-Hellman key exchange calculations,
+using the NIST-standard P256 elliptic curve in this case.
+Any other suitable elliptic curve or other cryptographic group may be used
+simply by changing the first line that picks the suite.
+*/
+func Example_diffieHellman() {
+	// A pseudo RNG which makes this code repeatable for testing.
+	rng := blake2xb.New(nil)
+
+	// Crypto setup: NIST-standardized P256 curve with AES-128 and SHA-256
+	// For production code, simply use edwards25519.NewBlakeSHA256Ed25519().
+	suite := edwards25519.NewBlakeSHA256Ed25519WithRand(rng)
+
+	// Alice's public/private keypair
+	a := suite.Scalar().Pick(rng)  // Alice's private key
+	A := suite.Point().Mul(a, nil) // Alice's public key
+
+	// Bob's public/private keypair
+	b := suite.Scalar().Pick(rng)  // Alice's private key
+	B := suite.Point().Mul(b, nil) // Alice's public key
+
+	// Assume Alice and Bob have securely obtained each other's public keys.
+
+	// Alice computes their shared secret using Bob's public key.
+	SA := suite.Point().Mul(a, B)
+
+	// Bob computes their shared secret using Alice's public key.
+	SB := suite.Point().Mul(b, A)
+
+	// They had better be the same!
+	if !SA.Equal(SB) {
+		panic("Diffie-Hellman key exchange didn't work")
+	}
+	fmt.Println("Shared secret: " + SA.String())
+
+	// Output:
+	// Shared secret: 80ea238cacfdab279626970bba18c69083c7751865dec4c6434bff4351282847
+}
diff --git a/kyber/examples/enc_test.go b/kyber/examples/enc_test.go
new file mode 100644
index 0000000000..701820a1ac
--- /dev/null
+++ b/kyber/examples/enc_test.go
@@ -0,0 +1,87 @@
+package examples
+
+import (
+	"fmt"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+func ElGamalEncrypt(group kyber.Group, pubkey kyber.Point, message []byte) (
+	K, C kyber.Point, remainder []byte) {
+
+	// Embed the message (or as much of it as will fit) into a curve point.
+	M := group.Point().Embed(message, random.New())
+	max := group.Point().EmbedLen()
+	if max > len(message) {
+		max = len(message)
+	}
+	remainder = message[max:]
+	// ElGamal-encrypt the point to produce ciphertext (K,C).
+	k := group.Scalar().Pick(random.New()) // ephemeral private key
+	K = group.Point().Mul(k, nil)          // ephemeral DH public key
+	S := group.Point().Mul(k, pubkey)      // ephemeral DH shared secret
+	C = S.Add(S, M)                        // message blinded with secret
+	return
+}
+
+func ElGamalDecrypt(group kyber.Group, prikey kyber.Scalar, K, C kyber.Point) (
+	message []byte, err error) {
+
+	// ElGamal-decrypt the ciphertext (K,C) to reproduce the message.
+	S := group.Point().Mul(prikey, K) // regenerate shared secret
+	M := group.Point().Sub(C, S)      // use to un-blind the message
+	message, err = M.Data()           // extract the embedded data
+	return
+}
+
+/*
+This example illustrates how the crypto toolkit may be used
+to perform "pure" ElGamal encryption,
+in which the message to be encrypted is small enough to be embedded
+directly within a group element (e.g., in an elliptic curve point).
+For basic background on ElGamal encryption see for example
+http://en.wikipedia.org/wiki/ElGamal_encryption.
+
+Most public-key crypto libraries tend not to support embedding data in points,
+in part because for "vanilla" public-key encryption you don't need it:
+one would normally just generate an ephemeral Diffie-Hellman secret
+and use that to seed a symmetric-key crypto algorithm such as AES,
+which is much more efficient per bit and works for arbitrary-length messages.
+However, in many advanced public-key crypto algorithms it is often useful
+to be able to embedded data directly into points and compute with them:
+as just one of many examples,
+the proactively verifiable anonymous messaging scheme prototyped in Verdict
+(see http://dedis.cs.yale.edu/dissent/papers/verdict-abs).
+
+For fancier versions of ElGamal encryption implemented in this toolkit
+see for example anon.Encrypt, which encrypts a message for
+one of several possible receivers forming an explicit anonymity set.
+*/
+func Example_elGamalEncryption() {
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+
+	// Create a public/private keypair
+	a := suite.Scalar().Pick(suite.RandomStream()) // Alice's private key
+	A := suite.Point().Mul(a, nil)                 // Alice's public key
+
+	// ElGamal-encrypt a message using the public key.
+	m := []byte("The quick brown fox")
+	K, C, _ := ElGamalEncrypt(suite, A, m)
+
+	// Decrypt it using the corresponding private key.
+	mm, err := ElGamalDecrypt(suite, a, K, C)
+
+	// Make sure it worked!
+	if err != nil {
+		fmt.Println("decryption failed: " + err.Error())
+	}
+	if string(mm) != string(m) {
+		fmt.Println("decryption produced wrong output: " + string(mm))
+	}
+	fmt.Println("Decryption succeeded: " + string(mm))
+
+	// Output:
+	// Decryption succeeded: The quick brown fox
+}
diff --git a/kyber/examples/main.go b/kyber/examples/main.go
new file mode 100644
index 0000000000..e55adcc024
--- /dev/null
+++ b/kyber/examples/main.go
@@ -0,0 +1,4 @@
+// Package examples provides a suite of tests showing how to use the different
+// abstraction and protocols provided by the kyber library. To run the
+// tests, simply do `go test -v` in this directory.
+package examples
diff --git a/kyber/examples/sig_test.go b/kyber/examples/sig_test.go
new file mode 100644
index 0000000000..34878c9624
--- /dev/null
+++ b/kyber/examples/sig_test.go
@@ -0,0 +1,121 @@
+package examples
+
+import (
+	"bytes"
+	"crypto/cipher"
+	"encoding/hex"
+	"errors"
+	"fmt"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+)
+
+type Suite interface {
+	kyber.Group
+	kyber.Encoding
+	kyber.XOFFactory
+}
+
+// A basic, verifiable signature
+type basicSig struct {
+	C kyber.Scalar // challenge
+	R kyber.Scalar // response
+}
+
+// Returns a secret that depends on on a message and a point
+func hashSchnorr(suite Suite, message []byte, p kyber.Point) kyber.Scalar {
+	pb, _ := p.MarshalBinary()
+	c := suite.XOF(pb)
+	c.Write(message)
+	return suite.Scalar().Pick(c)
+}
+
+// This simplified implementation of Schnorr Signatures is based on
+// crypto/anon/sig.go
+// The ring structure is removed and
+// The anonimity set is reduced to one public key = no anonimity
+func SchnorrSign(suite Suite, random cipher.Stream, message []byte,
+	privateKey kyber.Scalar) []byte {
+
+	// Create random secret v and public point commitment T
+	v := suite.Scalar().Pick(random)
+	T := suite.Point().Mul(v, nil)
+
+	// Create challenge c based on message and T
+	c := hashSchnorr(suite, message, T)
+
+	// Compute response r = v - x*c
+	r := suite.Scalar()
+	r.Mul(privateKey, c).Sub(v, r)
+
+	// Return verifiable signature {c, r}
+	// Verifier will be able to compute v = r + x*c
+	// And check that hashElgamal for T and the message == c
+	buf := bytes.Buffer{}
+	sig := basicSig{c, r}
+	_ = suite.Write(&buf, &sig)
+	return buf.Bytes()
+}
+
+func SchnorrVerify(suite Suite, message []byte, publicKey kyber.Point,
+	signatureBuffer []byte) error {
+
+	// Decode the signature
+	buf := bytes.NewBuffer(signatureBuffer)
+	sig := basicSig{}
+	if err := suite.Read(buf, &sig); err != nil {
+		return err
+	}
+	r := sig.R
+	c := sig.C
+
+	// Compute base**(r + x*c) == T
+	var P, T kyber.Point
+	P = suite.Point()
+	T = suite.Point()
+	T.Add(T.Mul(r, nil), P.Mul(c, publicKey))
+
+	// Verify that the hash based on the message and T
+	// matches the challange c from the signature
+	c = hashSchnorr(suite, message, T)
+	if !c.Equal(sig.C) {
+		return errors.New("invalid signature")
+	}
+
+	return nil
+}
+
+// This example shows how to perform a simple Schnorr signature. Please, use this
+// example as a reference to understand the abstraction only. There is a
+// `sign/schnorr` package which provides Schnorr signatures functionality in a
+// more secure manner.
+func Example_schnorr() {
+	// Crypto setup
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	rand := suite.XOF([]byte("example"))
+
+	// Create a public/private keypair (X,x)
+	x := suite.Scalar().Pick(rand) // create a private key x
+	X := suite.Point().Mul(x, nil) // corresponding public key X
+
+	// Generate the signature
+	M := []byte("Hello World!") // message we want to sign
+	sig := SchnorrSign(suite, rand, M, x)
+	fmt.Print("Signature:\n" + hex.Dump(sig))
+
+	// Verify the signature against the correct message
+	err := SchnorrVerify(suite, M, X, sig)
+	if err != nil {
+		panic(err.Error())
+	}
+	fmt.Println("Signature verified against correct message.")
+
+	// Output:
+	// Signature:
+	// 00000000  67 3f 25 fe d1 51 5d 1e  64 3a f7 79 2f 55 53 7c  |g?%..Q].d:.y/US||
+	// 00000010  f6 8a 5a 73 d5 c7 db f4  07 58 37 cc 1c b8 bf 02  |..Zs.....X7.....|
+	// 00000020  5f 0b a0 ef 0e 3e 9d 2e  08 10 69 b9 82 5f 65 b3  |_....>....i.._e.|
+	// 00000030  51 f8 b8 59 9b 72 d1 d0  12 f0 c6 ac 00 2a 09 0f  |Q..Y.r.......*..|
+	// Signature verified against correct message.
+}
diff --git a/kyber/go.mod b/kyber/go.mod
new file mode 100644
index 0000000000..4e80f19763
--- /dev/null
+++ b/kyber/go.mod
@@ -0,0 +1,9 @@
+module go.dedis.ch/kyber/v3
+
+require (
+	github.com/stretchr/testify v1.3.0
+	go.dedis.ch/fixbuf v1.0.3
+	go.dedis.ch/protobuf v1.0.5
+	golang.org/x/crypto v0.0.0-20190123085648-057139ce5d2b
+	golang.org/x/sys v0.0.0-20190124100055-b90733256f2e
+)
diff --git a/kyber/go.sum b/kyber/go.sum
new file mode 100644
index 0000000000..08a7035346
--- /dev/null
+++ b/kyber/go.sum
@@ -0,0 +1,15 @@
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+go.dedis.ch/fixbuf v1.0.3 h1:hGcV9Cd/znUxlusJ64eAlExS+5cJDIyTyEG+otu5wQs=
+go.dedis.ch/fixbuf v1.0.3/go.mod h1:yzJMt34Wa5xD37V5RTdmp38cz3QhMagdGoem9anUalw=
+go.dedis.ch/protobuf v1.0.5 h1:EbF1czEKICxf5KY8Tm7wMF28hcOQbB6yk4IybIFWTYE=
+go.dedis.ch/protobuf v1.0.5/go.mod h1:eIV4wicvi6JK0q/QnfIEGeSFNG0ZeB24kzut5+HaRLo=
+golang.org/x/crypto v0.0.0-20190123085648-057139ce5d2b h1:Elez2XeF2p9uyVj0yEUDqQ56NFcDtcBNkYP7yv8YbUE=
+golang.org/x/crypto v0.0.0-20190123085648-057139ce5d2b/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/sys v0.0.0-20190124100055-b90733256f2e h1:3GIlrlVLfkoipSReOMNAgApI0ajnalyLa/EZHHca/XI=
+golang.org/x/sys v0.0.0-20190124100055-b90733256f2e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
diff --git a/kyber/group.go b/kyber/group.go
new file mode 100644
index 0000000000..09612c7518
--- /dev/null
+++ b/kyber/group.go
@@ -0,0 +1,165 @@
+package kyber
+
+import (
+	"crypto/cipher"
+)
+
+// Scalar represents a scalar value by which
+// a Point (group element) may be encrypted to produce another Point.
+// This is an exponent in DSA-style groups,
+// in which security is based on the Discrete Logarithm assumption,
+// and a scalar multiplier in elliptic curve groups.
+type Scalar interface {
+	Marshaling
+
+	// Equality test for two Scalars derived from the same Group.
+	Equal(s2 Scalar) bool
+
+	// Set sets the receiver equal to another Scalar a.
+	Set(a Scalar) Scalar
+
+	// Clone creates a new Scalar with the same value.
+	Clone() Scalar
+
+	// SetInt64 sets the receiver to a small integer value.
+	SetInt64(v int64) Scalar
+
+	// Set to the additive identity (0).
+	Zero() Scalar
+
+	// Set to the modular sum of scalars a and b.
+	Add(a, b Scalar) Scalar
+
+	// Set to the modular difference a - b.
+	Sub(a, b Scalar) Scalar
+
+	// Set to the modular negation of scalar a.
+	Neg(a Scalar) Scalar
+
+	// Set to the multiplicative identity (1).
+	One() Scalar
+
+	// Set to the modular product of scalars a and b.
+	Mul(a, b Scalar) Scalar
+
+	// Set to the modular division of scalar a by scalar b.
+	Div(a, b Scalar) Scalar
+
+	// Set to the modular inverse of scalar a.
+	Inv(a Scalar) Scalar
+
+	// Set to a fresh random or pseudo-random scalar.
+	Pick(rand cipher.Stream) Scalar
+
+	// SetBytes sets the scalar from a byte-slice,
+	// reducing if necessary to the appropriate modulus.
+	// The endianess of the byte-slice is determined by the
+	// implementation.
+	SetBytes([]byte) Scalar
+}
+
+// Point represents an element of a public-key cryptographic Group.
+// For example,
+// this is a number modulo the prime P in a DSA-style Schnorr group,
+// or an (x, y) point on an elliptic curve.
+// A Point can contain a Diffie-Hellman public key, an ElGamal ciphertext, etc.
+type Point interface {
+	Marshaling
+
+	// Equality test for two Points derived from the same Group.
+	Equal(s2 Point) bool
+
+	// Null sets the receiver to the neutral identity element.
+	Null() Point
+
+	// Base sets the receiver to this group's standard base point.
+	Base() Point
+
+	// Pick sets the receiver to a fresh random or pseudo-random Point.
+	Pick(rand cipher.Stream) Point
+
+	// Set sets the receiver equal to another Point p.
+	Set(p Point) Point
+
+	// Clone clones the underlying point.
+	Clone() Point
+
+	// Maximum number of bytes that can be embedded in a single
+	// group element via Pick().
+	EmbedLen() int
+
+	// Embed encodes a limited amount of specified data in the
+	// Point, using r as a source of cryptographically secure
+	// random data.  Implementations only embed the first EmbedLen
+	// bytes of the given data.
+	Embed(data []byte, r cipher.Stream) Point
+
+	// Extract data embedded in a point chosen via Embed().
+	// Returns an error if doesn't represent valid embedded data.
+	Data() ([]byte, error)
+
+	// Add points so that their scalars add homomorphically.
+	Add(a, b Point) Point
+
+	// Subtract points so that their scalars subtract homomorphically.
+	Sub(a, b Point) Point
+
+	// Set to the negation of point a.
+	Neg(a Point) Point
+
+	// Multiply point p by the scalar s.
+	// If p == nil, multiply with the standard base point Base().
+	Mul(s Scalar, p Point) Point
+}
+
+// AllowsVarTime allows callers to determine if a given kyber.Scalar
+// or kyber.Point supports opting-in to variable time operations. If
+// an object implements AllowsVarTime, then the caller can use
+// AllowVarTime(true) in order to allow variable time operations on
+// that object until AllowVarTime(false) is called. Variable time
+// operations may be faster, but also risk leaking information via a
+// timing side channel. Thus they are only safe to use on public
+// Scalars and Points, never on secret ones.
+type AllowsVarTime interface {
+	AllowVarTime(bool)
+}
+
+// Group interface represents a mathematical group
+// usable for Diffie-Hellman key exchange, ElGamal encryption,
+// and the related body of public-key cryptographic algorithms
+// and zero-knowledge proof methods.
+// The Group interface is designed in particular to be a generic front-end
+// to both traditional DSA-style modular arithmetic groups
+// and ECDSA-style elliptic curves:
+// the caller of this interface's methods
+// need not know or care which specific mathematical construction
+// underlies the interface.
+//
+// The Group interface is essentially just a "constructor" interface
+// enabling the caller to generate the two particular types of objects
+// relevant to DSA-style public-key cryptography;
+// we call these objects Points and Scalars.
+// The caller must explicitly initialize or set a new Point or Scalar object
+// to some value before using it as an input to some other operation
+// involving Point and/or Scalar objects.
+// For example, to compare a point P against the neutral (identity) element,
+// you might use P.Equal(suite.Point().Null()),
+// but not just P.Equal(suite.Point()).
+//
+// It is expected that any implementation of this interface
+// should satisfy suitable hardness assumptions for the applicable group:
+// e.g., that it is cryptographically hard for an adversary to
+// take an encrypted Point and the known generator it was based on,
+// and derive the Scalar with which the Point was encrypted.
+// Any implementation is also expected to satisfy
+// the standard homomorphism properties that Diffie-Hellman
+// and the associated body of public-key cryptography are based on.
+type Group interface {
+	String() string
+
+	ScalarLen() int // Max length of scalars in bytes
+	Scalar() Scalar // Create new scalar
+
+	PointLen() int // Max length of point in bytes
+	Point() Point  // Create new point
+}
diff --git a/kyber/group/curve25519/basic.go b/kyber/group/curve25519/basic.go
new file mode 100644
index 0000000000..9eefb431ea
--- /dev/null
+++ b/kyber/group/curve25519/basic.go
@@ -0,0 +1,213 @@
+// +build experimental
+
+package curve25519
+
+import (
+	"crypto/cipher"
+	"io"
+	"math/big"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/internal/marshalling"
+	"go.dedis.ch/kyber/v3/group/mod"
+)
+
+type basicPoint struct {
+	x, y mod.Int
+	c    *BasicCurve
+}
+
+func (P *basicPoint) initXY(x, y *big.Int, c kyber.Group) {
+	P.c = c.(*BasicCurve)
+	P.x.Init(x, &P.c.P)
+	P.y.Init(y, &P.c.P)
+}
+
+func (P *basicPoint) getXY() (x, y *mod.Int) {
+	return &P.x, &P.y
+}
+
+func (P *basicPoint) String() string {
+	return P.c.pointString(&P.x, &P.y)
+}
+
+// coord creates a new ModInt representing a coordinate on this curve,
+// with a given int64 integer value for constant-initialization convenience.
+func (P *basicPoint) coord(v int64) *mod.Int {
+	return mod.NewInt64(v, &P.c.P)
+}
+
+func (P *basicPoint) MarshalSize() int {
+	return (P.y.M.BitLen() + 7 + 1) / 8
+}
+
+// MarshalBinary encodew an Edwards curve point.
+func (P *basicPoint) MarshalBinary() ([]byte, error) {
+	return P.c.encodePoint(&P.x, &P.y), nil
+}
+
+// UnmarshalBinary decodes an Edwards curve point.
+func (P *basicPoint) UnmarshalBinary(b []byte) error {
+	return P.c.decodePoint(b, &P.x, &P.y)
+}
+
+func (P *basicPoint) MarshalTo(w io.Writer) (int, error) {
+	return marshalling.PointMarshalTo(P, w)
+}
+
+func (P *basicPoint) UnmarshalFrom(r io.Reader) (int, error) {
+	return marshalling.PointUnmarshalFrom(P, r)
+}
+
+// Equal tests for two Points on the same curve
+func (P *basicPoint) Equal(P2 kyber.Point) bool {
+	E2 := P2.(*basicPoint)
+	return P.x.Equal(&E2.x) && P.y.Equal(&E2.y)
+}
+
+// Set point to be equal to P2.
+func (P *basicPoint) Set(P2 kyber.Point) kyber.Point {
+	E2 := P2.(*basicPoint)
+	P.c = E2.c
+	P.x.Set(&E2.x)
+	P.y.Set(&E2.y)
+	return P
+}
+
+// Clone returns the given point
+func (P *basicPoint) Clone() kyber.Point {
+	p2 := new(basicPoint)
+	p2.Set(P)
+	return p2
+}
+
+// Null sets to the neutral element, which is (0,1) for twisted Edwards curves.
+func (P *basicPoint) Null() kyber.Point {
+	P.Set(&P.c.null)
+	return P
+}
+
+// Base sets to the standard base point for this curve
+func (P *basicPoint) Base() kyber.Point {
+	P.Set(&P.c.base)
+	return P
+}
+
+func (P *basicPoint) EmbedLen() int {
+	return P.c.embedLen()
+}
+
+func (P *basicPoint) Embed(data []byte, rand cipher.Stream) kyber.Point {
+	P.c.embed(P, data, rand)
+	return P
+}
+
+func (P *basicPoint) Pick(rand cipher.Stream) kyber.Point {
+	return P.Embed(nil, rand)
+}
+
+// Data extracts embedded data from a point group element
+func (P *basicPoint) Data() ([]byte, error) {
+	return P.c.data(&P.x, &P.y)
+}
+
+// Add two points using the basic unified addition laws for Edwards curves:
+//
+//	x' = ((x1*y2 + x2*y1) / (1 + d*x1*x2*y1*y2))
+//	y' = ((y1*y2 - a*x1*x2) / (1 - d*x1*x2*y1*y2))
+//
+func (P *basicPoint) Add(P1, P2 kyber.Point) kyber.Point {
+	E1 := P1.(*basicPoint)
+	E2 := P2.(*basicPoint)
+	x1, y1 := E1.x, E1.y
+	x2, y2 := E2.x, E2.y
+
+	var t1, t2, dm, nx, dx, ny, dy mod.Int
+
+	// Reused part of denominator: dm = d*x1*x2*y1*y2
+	dm.Mul(&P.c.d, &x1).Mul(&dm, &x2).Mul(&dm, &y1).Mul(&dm, &y2)
+
+	// x' numerator/denominator
+	nx.Add(t1.Mul(&x1, &y2), t2.Mul(&x2, &y1))
+	dx.Add(&P.c.one, &dm)
+
+	// y' numerator/denominator
+	ny.Sub(t1.Mul(&y1, &y2), t2.Mul(&x1, &x2).Mul(&P.c.a, &t2))
+	dy.Sub(&P.c.one, &dm)
+
+	// result point
+	P.x.Div(&nx, &dx)
+	P.y.Div(&ny, &dy)
+	return P
+}
+
+// Point doubling, which for Edwards curves can be accomplished
+// simply by adding a point to itself (no exceptions for equal input points).
+func (P *basicPoint) double() kyber.Point {
+	return P.Add(P, P)
+}
+
+// Subtract points so that their scalars subtract homomorphically
+func (P *basicPoint) Sub(A, B kyber.Point) kyber.Point {
+	var nB basicPoint
+	return P.Add(A, nB.Neg(B))
+}
+
+// Find the negative of point A.
+// For Edwards curves, the negative of (x,y) is (-x,y).
+func (P *basicPoint) Neg(A kyber.Point) kyber.Point {
+	E := A.(*basicPoint)
+	P.c = E.c
+	P.x.Neg(&E.x)
+	P.y.Set(&E.y)
+	return P
+}
+
+// Multiply point p by scalar s using the repeated doubling method.
+func (P *basicPoint) Mul(s kyber.Scalar, G kyber.Point) kyber.Point {
+	v := s.(*mod.Int).V
+	if G == nil {
+		return P.Base().Mul(s, P)
+	}
+	T := P
+	if G == P { // Must use temporary in case G == P
+		T = &basicPoint{}
+	}
+	T.Set(&P.c.null) // Initialize to identity element (0,1)
+	for i := v.BitLen() - 1; i >= 0; i-- {
+		T.double()
+		if v.Bit(i) != 0 {
+			T.Add(T, G)
+		}
+	}
+	if T != P {
+		P.Set(T)
+	}
+	return P
+}
+
+// Basic unoptimized reference implementation of Twisted Edwards curves.
+// This reference implementation is mainly intended for testing, debugging,
+// and instructional uses, and not for production use.
+// The projective coordinates implementation (ProjectiveCurve)
+// is just as general and much faster.
+//
+type BasicCurve struct {
+	curve            // generic Edwards curve functionality
+	null  basicPoint // Neutral/identity point (0,1)
+	base  basicPoint // Standard base point
+}
+
+// Create a new Point on this curve.
+func (c *BasicCurve) Point() kyber.Point {
+	P := new(basicPoint)
+	P.c = c
+	P.Set(&c.null)
+	return P
+}
+
+// Initialize the curve with given parameters.
+func (c *BasicCurve) Init(p *Param, fullGroup bool) *BasicCurve {
+	c.curve.init(c, p, fullGroup, &c.null, &c.base)
+	return c
+}
diff --git a/kyber/group/curve25519/basic_test.go b/kyber/group/curve25519/basic_test.go
new file mode 100644
index 0000000000..7667de15a2
--- /dev/null
+++ b/kyber/group/curve25519/basic_test.go
@@ -0,0 +1,72 @@
+// +build experimental
+
+package curve25519
+
+import (
+	"testing"
+
+	"go.dedis.ch/kyber/v3/util/test"
+)
+
+// Test the basic implementation of the Ed25519 curve.
+
+func TestBasic25519(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping test in short mode.")
+	} else {
+		test.GroupTest(t, new(BasicCurve).Init(Param25519(), false))
+	}
+}
+
+// Test ProjectiveCurve versus BasicCurve implementations
+
+func TestCompareBasicProjective25519(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping test in short mode.")
+	} else {
+		test.CompareGroups(t, testSuite.XOF,
+			new(BasicCurve).Init(Param25519(), false),
+			new(ProjectiveCurve).Init(Param25519(), false))
+	}
+}
+
+func TestCompareBasicProjectiveE382(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping test in short mode.")
+	} else {
+		test.CompareGroups(t, testSuite.XOF,
+			new(BasicCurve).Init(ParamE382(), false),
+			new(ProjectiveCurve).Init(ParamE382(), false))
+	}
+}
+
+func TestCompareBasicProjective41417(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping test in short mode.")
+	} else {
+		test.CompareGroups(t, testSuite.XOF,
+			new(BasicCurve).Init(Param41417(), false),
+			new(ProjectiveCurve).Init(Param41417(), false))
+	}
+}
+
+func TestCompareBasicProjectiveE521(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping test in short mode.")
+	} else {
+		test.CompareGroups(t, testSuite.XOF,
+			new(BasicCurve).Init(ParamE521(), false),
+			new(ProjectiveCurve).Init(ParamE521(), false))
+	}
+}
+
+// Benchmark contrasting implementations of the Ed25519 curve
+
+var basicBench = test.NewGroupBench(new(BasicCurve).Init(Param25519(), false))
+
+func BenchmarkPointAddBasic(b *testing.B)     { basicBench.PointAdd(b.N) }
+func BenchmarkPointMulBasic(b *testing.B)     { basicBench.PointMul(b.N) }
+func BenchmarkPointBaseMulBasic(b *testing.B) { basicBench.PointBaseMul(b.N) }
+func BenchmarkPointEncodeBasic(b *testing.B)  { basicBench.PointEncode(b.N) }
+func BenchmarkPointDecodeBasic(b *testing.B)  { basicBench.PointDecode(b.N) }
+func BenchmarkPointPickBasic(b *testing.B)    { basicBench.PointPick(b.N) }
diff --git a/kyber/group/curve25519/curve.go b/kyber/group/curve25519/curve.go
new file mode 100644
index 0000000000..4333cf92db
--- /dev/null
+++ b/kyber/group/curve25519/curve.go
@@ -0,0 +1,396 @@
+package curve25519
+
+import (
+	"crypto/cipher"
+	"crypto/sha512"
+	"errors"
+	"fmt"
+	"math/big"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/mod"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+var zero = big.NewInt(0)
+var one = big.NewInt(1)
+
+// Extension of Point interface for elliptic curve X,Y coordinate access
+type point interface {
+	kyber.Point
+
+	initXY(x, y *big.Int, curve kyber.Group)
+
+	getXY() (x, y *mod.Int)
+}
+
+// Generic "kyber.base class" for Edwards curves,
+// embodying functionality independent of internal Point representation.
+type curve struct {
+	self      kyber.Group // "Self pointer" for derived class
+	Param                 // Twisted Edwards curve parameters
+	zero, one mod.Int     // Constant ModInts with correct modulus
+	a, d      mod.Int     // Curve equation parameters as ModInts
+	full      bool        // True if we're using the full group
+
+	order  mod.Int // Order of appropriate subgroup as a ModInt
+	cofact mod.Int // Group's cofactor as a ModInt
+
+	null kyber.Point // Identity point for this group
+}
+
+func (c *curve) String() string {
+	if c.full {
+		return c.Param.String() + "-full"
+	}
+	return c.Param.String()
+}
+
+func (c *curve) IsPrimeOrder() bool {
+	return !c.full
+}
+
+// Returns the size in bytes of an encoded Scalar for this curve.
+func (c *curve) ScalarLen() int {
+	return (c.order.V.BitLen() + 7) / 8
+}
+
+// Create a new Scalar for this curve.
+func (c *curve) Scalar() kyber.Scalar {
+	return mod.NewInt64(0, &c.order.V)
+}
+
+// Returns the size in bytes of an encoded Point on this curve.
+// Uses compressed representation consisting of the y-coordinate
+// and only the sign bit of the x-coordinate.
+func (c *curve) PointLen() int {
+	return (c.P.BitLen() + 7 + 1) / 8
+}
+
+// NewKey returns a formatted curve25519 key (avoiding subgroup attack by requiring
+// it to be a multiple of 8). NewKey implements the kyber/util/key.Generator interface.
+func (c *curve) NewKey(stream cipher.Stream) kyber.Scalar {
+	var buffer [32]byte
+	random.Bytes(buffer[:], stream)
+	scalar := sha512.Sum512(buffer[:])
+	scalar[0] &= 248
+	scalar[31] &= 127
+	scalar[31] |= 64
+
+	secret := c.Scalar().SetBytes(scalar[:32])
+	return secret
+}
+
+// Initialize a twisted Edwards curve with given parameters.
+// Caller passes pointers to null and base point prototypes to be initialized.
+func (c *curve) init(self kyber.Group, p *Param, fullGroup bool,
+	null, base point) *curve {
+	c.self = self
+	c.Param = *p
+	c.full = fullGroup
+	c.null = null
+
+	// Edwards curve parameters as ModInts for convenience
+	c.a.Init(&p.A, &p.P)
+	c.d.Init(&p.D, &p.P)
+
+	// Cofactor
+	c.cofact.Init64(int64(p.R), &c.P)
+
+	// Determine the modulus for scalars on this curve.
+	// Note that we do NOT initialize c.order with Init(),
+	// as that would normalize to the modulus, resulting in zero.
+	// Just to be sure it's never used, we leave c.order.M set to nil.
+	// We want it to be in a ModInt so we can pass it to P.Mul(),
+	// but the scalar's modulus isn't needed for point multiplication.
+	if fullGroup {
+		// Scalar modulus is prime-order times the ccofactor
+		c.order.V.SetInt64(int64(p.R)).Mul(&c.order.V, &p.Q)
+	} else {
+		c.order.V.Set(&p.Q) // Prime-order subgroup
+	}
+
+	// Useful ModInt constants for this curve
+	c.zero.Init64(0, &c.P)
+	c.one.Init64(1, &c.P)
+
+	// Identity element is (0,1)
+	null.initXY(zero, one, self)
+
+	// Base point B
+	var bx, by *big.Int
+	if !fullGroup {
+		bx, by = &p.PBX, &p.PBY
+	} else {
+		bx, by = &p.FBX, &p.FBY
+		base.initXY(&p.FBX, &p.FBY, self)
+	}
+	if by.Sign() == 0 {
+		// No standard base point was defined, so pick one.
+		// Find the lowest-numbered y-coordinate that works.
+		//println("Picking base point:")
+		var x, y mod.Int
+		for y.Init64(2, &c.P); ; y.Add(&y, &c.one) {
+			if !c.solveForX(&x, &y) {
+				continue // try another y
+			}
+			if c.coordSign(&x) != 0 {
+				x.Neg(&x) // try positive x first
+			}
+			base.initXY(&x.V, &y.V, self)
+			if c.validPoint(base) {
+				break // got one
+			}
+			x.Neg(&x) // try -bx
+			if c.validPoint(base) {
+				break // got one
+			}
+		}
+		//println("BX: "+x.V.String())
+		//println("BY: "+y.V.String())
+		bx, by = &x.V, &y.V
+	}
+	base.initXY(bx, by, self)
+
+	// Sanity checks
+	if !c.validPoint(null) {
+		panic("invalid identity point " + null.String())
+	}
+	if !c.validPoint(base) {
+		panic("invalid base point " + base.String())
+	}
+
+	return c
+}
+
+// Test the sign of an x or y coordinate.
+// We use the least-significant bit of the coordinate as the sign bit.
+func (c *curve) coordSign(i *mod.Int) uint {
+	return i.V.Bit(0)
+}
+
+// Convert a point to string representation.
+func (c *curve) pointString(x, y *mod.Int) string {
+	return fmt.Sprintf("(%s,%s)", x.String(), y.String())
+}
+
+// Encode an Edwards curve point.
+// We use little-endian encoding for consistency with Ed25519.
+func (c *curve) encodePoint(x, y *mod.Int) []byte {
+
+	// Encode the y-coordinate
+	b, _ := y.MarshalBinary()
+
+	// Encode the sign of the x-coordinate.
+	if y.M.BitLen()&7 == 0 {
+		// No unused bits at the top of y-coordinate encoding,
+		// so we must prepend a whole byte.
+		b = append(make([]byte, 1), b...)
+	}
+	if c.coordSign(x) != 0 {
+		b[0] |= 0x80
+	}
+
+	// Convert to little-endian
+	reverse(b, b)
+	return b
+}
+
+// Decode an Edwards curve point into the given x,y coordinates.
+// Returns an error if the input does not denote a valid curve point.
+// Note that this does NOT check if the point is in the prime-order subgroup:
+// an adversary could create an encoding denoting a point
+// on the twist of the curve, or in a larger subgroup.
+// However, the "safecurves" criteria (http://safecurves.cr.yp.to)
+// ensure that none of these other subgroups are small
+// other than the tiny ones represented by the cofactor;
+// hence Diffie-Hellman exchange can be done without subgroup checking
+// without exposing more than the least-significant bits of the scalar.
+func (c *curve) decodePoint(bb []byte, x, y *mod.Int) error {
+
+	// Convert from little-endian
+	//fmt.Printf("decoding:\n%s\n", hex.Dump(bb))
+	b := make([]byte, len(bb))
+	reverse(b, bb)
+
+	// Extract the sign of the x-coordinate
+	xsign := uint(b[0] >> 7)
+	b[0] &^= 0x80
+
+	// Extract the y-coordinate
+	y.V.SetBytes(b)
+	y.M = &c.P
+
+	// Compute the corresponding x-coordinate
+	if !c.solveForX(x, y) {
+		return errors.New("invalid elliptic curve point")
+	}
+	if c.coordSign(x) != xsign {
+		x.Neg(x)
+	}
+
+	return nil
+}
+
+// Given a y-coordinate, solve for the x-coordinate on the curve,
+// using the characteristic equation rewritten as:
+//
+//	x^2 = (1 - y^2)/(a - d*y^2)
+//
+// Returns true on success,
+// false if there is no x-coordinate corresponding to the chosen y-coordinate.
+//
+func (c *curve) solveForX(x, y *mod.Int) bool {
+	var yy, t1, t2 mod.Int
+
+	yy.Mul(y, y)                     // yy = y^2
+	t1.Sub(&c.one, &yy)              // t1 = 1 - y^-2
+	t2.Mul(&c.d, &yy).Sub(&c.a, &t2) // t2 = a - d*y^2
+	t2.Div(&t1, &t2)                 // t2 = x^2
+	return x.Sqrt(&t2)               // may fail if not a square
+}
+
+// Test if a supposed point is on the curve,
+// by checking the characteristic equation for Edwards curves:
+//
+//	a*x^2 + y^2 = 1 + d*x^2*y^2
+//
+func (c *curve) onCurve(x, y *mod.Int) bool {
+	var xx, yy, l, r mod.Int
+
+	xx.Mul(x, x) // xx = x^2
+	yy.Mul(y, y) // yy = y^2
+
+	l.Mul(&c.a, &xx).Add(&l, &yy) // l = a*x^2 + y^2
+	r.Mul(&c.d, &xx).Mul(&r, &yy).Add(&c.one, &r)
+	// r = 1 + d*x^2*y^2
+	return l.Equal(&r)
+}
+
+// Sanity-check a point to ensure that it is on the curve
+// and within the appropriate subgroup.
+func (c *curve) validPoint(P point) bool {
+
+	// Check on-curve
+	x, y := P.getXY()
+	if !c.onCurve(x, y) {
+		return false
+	}
+
+	// Check in-subgroup by multiplying by subgroup order
+	Q := c.self.Point()
+	Q.Mul(&c.order, P)
+	if !Q.Equal(c.null) {
+		return false
+	}
+
+	return true
+}
+
+// Return number of bytes that can be embedded into points on this curve.
+func (c *curve) embedLen() int {
+	// Reserve at least 8 most-significant bits for randomness,
+	// and the least-significant 8 bits for embedded data length.
+	// (Hopefully it's unlikely we'll need >=2048-bit curves soon.)
+	return (c.P.BitLen() - 8 - 8) / 8
+}
+
+// Pick a [pseudo-]random curve point with optional embedded data,
+// filling in the point's x,y coordinates
+func (c *curve) embed(P point, data []byte, rand cipher.Stream) {
+
+	// How much data to embed?
+	dl := c.embedLen()
+	if dl > len(data) {
+		dl = len(data)
+	}
+
+	// Retry until we find a valid point
+	var x, y mod.Int
+	var Q kyber.Point
+	for {
+		// Get random bits the size of a compressed Point encoding,
+		// in which the topmost bit is reserved for the x-coord sign.
+		l := c.PointLen()
+		b := make([]byte, l)
+		rand.XORKeyStream(b, b) // Interpret as little-endian
+		if data != nil {
+			b[0] = byte(dl)       // Encode length in low 8 bits
+			copy(b[1:1+dl], data) // Copy in data to embed
+		}
+		reverse(b, b) // Convert to big-endian form
+
+		xsign := b[0] >> 7                    // save x-coordinate sign bit
+		b[0] &^= 0xff << uint(c.P.BitLen()&7) // clear high bits
+
+		y.M = &c.P // set y-coordinate
+		y.SetBytes(b)
+
+		if !c.solveForX(&x, &y) { // Corresponding x-coordinate?
+			continue // none, retry
+		}
+
+		// Pick a random sign for the x-coordinate
+		if c.coordSign(&x) != uint(xsign) {
+			x.Neg(&x)
+		}
+
+		// Initialize the point
+		P.initXY(&x.V, &y.V, c.self)
+		if c.full {
+			// If we're using the full group,
+			// we just need any point on the curve, so we're done.
+			return
+		}
+
+		// We're using the prime-order subgroup,
+		// so we need to make sure the point is in that subgroup.
+		// If we're not trying to embed data,
+		// we can convert our point into one in the subgroup
+		// simply by multiplying it by the cofactor.
+		if data == nil {
+			P.Mul(&c.cofact, P) // multiply by cofactor
+			if P.Equal(c.null) {
+				continue // unlucky; try again
+			}
+			return
+		}
+
+		// Since we need the point's y-coordinate to make sense,
+		// we must simply check if the point is in the subgroup
+		// and retry point generation until it is.
+		if Q == nil {
+			Q = c.self.Point()
+		}
+		Q.Mul(&c.order, P)
+		if Q.Equal(c.null) {
+			return
+		}
+
+		// Keep trying...
+	}
+}
+
+// Extract embedded data from a point group element,
+// or an error if embedded data is invalid or not present.
+func (c *curve) data(x, y *mod.Int) ([]byte, error) {
+	b := c.encodePoint(x, y)
+	dl := int(b[0])
+	if dl > c.embedLen() {
+		return nil, errors.New("invalid embedded data length")
+	}
+	return b[1 : 1+dl], nil
+}
+
+// reverse copies src into dst in byte-reversed order and returns dst,
+// such that src[0] goes into dst[len-1] and vice versa.
+// dst and src may be the same slice but otherwise must not overlap.
+func reverse(dst, src []byte) []byte {
+	l := len(dst)
+	for i, j := 0, l-1; i < (l+1)/2; {
+		dst[i], dst[j] = src[j], src[i]
+		i++
+		j--
+	}
+	return dst
+}
diff --git a/kyber/group/curve25519/curve_test.go b/kyber/group/curve25519/curve_test.go
new file mode 100644
index 0000000000..033274823e
--- /dev/null
+++ b/kyber/group/curve25519/curve_test.go
@@ -0,0 +1,143 @@
+package curve25519
+
+import (
+	"testing"
+
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/util/test"
+)
+
+var testSuite = NewBlakeSHA256Curve25519(false)
+
+// Test each curve implementation of the Ed25519 curve.
+
+func TestProjective25519(t *testing.T) {
+	test.GroupTest(t, new(ProjectiveCurve).Init(Param25519(), false))
+}
+
+func TestExtended25519(t *testing.T) {
+	test.GroupTest(t, new(ExtendedCurve).Init(Param25519(), false))
+}
+
+func TestEd25519(t *testing.T) {
+	test.GroupTest(t, new(edwards25519.Curve))
+}
+
+// Test the Extended coordinates implementation of each curve.
+
+func Test1174(t *testing.T) {
+	test.GroupTest(t, new(ExtendedCurve).Init(Param1174(), false))
+}
+
+func Test25519(t *testing.T) {
+	test.GroupTest(t, new(ExtendedCurve).Init(Param25519(), false))
+}
+
+func TestE382(t *testing.T) {
+	test.GroupTest(t, new(ExtendedCurve).Init(ParamE382(), false))
+}
+
+func Test4147(t *testing.T) {
+	test.GroupTest(t, new(ExtendedCurve).Init(Param41417(), false))
+}
+
+func TestE521(t *testing.T) {
+	test.GroupTest(t, new(ExtendedCurve).Init(ParamE521(), false))
+}
+
+func TestSetBytesBE(t *testing.T) {
+	g := new(ExtendedCurve).Init(ParamE521(), false)
+	s := g.Scalar()
+	s.SetBytes([]byte{0, 1, 2, 3})
+	// 010203 because initial 0 is trimmed in String(), and 03 (last byte of BE) ends up
+	// in the LSB of the bigint.
+	if s.String() != "010203" {
+		t.Fatal("unexpected result from String():", s.String())
+	}
+}
+
+// Test the full-group-order Extended coordinates versions of each curve
+// for which a full-group-order base point is defined.
+
+func TestFullOrder1174(t *testing.T) {
+	test.GroupTest(t, new(ExtendedCurve).Init(Param1174(), true))
+}
+
+func TestFullOrder25519(t *testing.T) {
+	test.GroupTest(t, new(ExtendedCurve).Init(Param25519(), true))
+}
+
+func TestFullOrderE382(t *testing.T) {
+	test.GroupTest(t, new(ExtendedCurve).Init(ParamE382(), true))
+}
+
+func TestFullOrder4147(t *testing.T) {
+	test.GroupTest(t, new(ExtendedCurve).Init(Param41417(), true))
+}
+
+func TestFullOrderE521(t *testing.T) {
+	test.GroupTest(t, new(ExtendedCurve).Init(ParamE521(), true))
+}
+
+// Test ExtendedCurve versus ProjectiveCurve implementations
+
+func TestCompareProjectiveExtended25519(t *testing.T) {
+	test.CompareGroups(t, testSuite.XOF,
+		new(ProjectiveCurve).Init(Param25519(), false),
+		new(ExtendedCurve).Init(Param25519(), false))
+}
+
+func TestCompareProjectiveExtendedE382(t *testing.T) {
+	test.CompareGroups(t, testSuite.XOF,
+		new(ProjectiveCurve).Init(ParamE382(), false),
+		new(ExtendedCurve).Init(ParamE382(), false))
+}
+
+func TestCompareProjectiveExtended41417(t *testing.T) {
+	test.CompareGroups(t, testSuite.XOF,
+		new(ProjectiveCurve).Init(Param41417(), false),
+		new(ExtendedCurve).Init(Param41417(), false))
+}
+
+func TestCompareProjectiveExtendedE521(t *testing.T) {
+	test.CompareGroups(t, testSuite.XOF,
+		new(ProjectiveCurve).Init(ParamE521(), false),
+		new(ExtendedCurve).Init(ParamE521(), false))
+}
+
+// Test Ed25519 versus ExtendedCurve implementations of Curve25519.
+func TestCompareEd25519(t *testing.T) {
+	test.CompareGroups(t, testSuite.XOF,
+		new(ExtendedCurve).Init(Param25519(), false),
+		new(edwards25519.Curve))
+}
+
+// Benchmark contrasting implementations of the Ed25519 curve
+
+var projBench = test.NewGroupBench(new(ProjectiveCurve).Init(Param25519(), false))
+var extBench = test.NewGroupBench(new(ExtendedCurve).Init(Param25519(), false))
+var optBench = test.NewGroupBench(new(edwards25519.Curve))
+
+func BenchmarkPointAddProjective(b *testing.B) { projBench.PointAdd(b.N) }
+func BenchmarkPointAddExtended(b *testing.B)   { extBench.PointAdd(b.N) }
+func BenchmarkPointAddOptimized(b *testing.B)  { optBench.PointAdd(b.N) }
+
+func BenchmarkPointMulProjective(b *testing.B) { projBench.PointMul(b.N) }
+func BenchmarkPointMulExtended(b *testing.B)   { extBench.PointMul(b.N) }
+func BenchmarkPointMulOptimized(b *testing.B)  { optBench.PointMul(b.N) }
+
+func BenchmarkPointBaseMulProjective(b *testing.B) { projBench.PointBaseMul(b.N) }
+func BenchmarkPointBaseMulExtended(b *testing.B)   { extBench.PointBaseMul(b.N) }
+func BenchmarkPointBaseMulOptimized(b *testing.B)  { optBench.PointBaseMul(b.N) }
+
+func BenchmarkPointEncodeProjective(b *testing.B) { projBench.PointEncode(b.N) }
+func BenchmarkPointEncodeExtended(b *testing.B)   { extBench.PointEncode(b.N) }
+func BenchmarkPointEncodeOptimized(b *testing.B)  { optBench.PointEncode(b.N) }
+
+func BenchmarkPointDecodeProjective(b *testing.B) { projBench.PointDecode(b.N) }
+func BenchmarkPointDecodeExtended(b *testing.B)   { extBench.PointDecode(b.N) }
+func BenchmarkPointDecodeOptimized(b *testing.B)  { optBench.PointDecode(b.N) }
+
+func BenchmarkPointPickProjective(b *testing.B) { projBench.PointPick(b.N) }
+func BenchmarkPointPickExtended(b *testing.B)   { extBench.PointPick(b.N) }
+func BenchmarkPointPickOptimized(b *testing.B)  { optBench.PointPick(b.N) }
diff --git a/kyber/group/curve25519/ext.go b/kyber/group/curve25519/ext.go
new file mode 100644
index 0000000000..c3bd0d17a2
--- /dev/null
+++ b/kyber/group/curve25519/ext.go
@@ -0,0 +1,294 @@
+package curve25519
+
+import (
+	"crypto/cipher"
+	"encoding/hex"
+	"io"
+	"math/big"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/internal/marshalling"
+	"go.dedis.ch/kyber/v3/group/mod"
+)
+
+type extPoint struct {
+	X, Y, Z, T mod.Int
+	c          *ExtendedCurve
+}
+
+func (P *extPoint) initXY(x, y *big.Int, c kyber.Group) {
+	P.c = c.(*ExtendedCurve)
+	P.X.Init(x, &P.c.P)
+	P.Y.Init(y, &P.c.P)
+	P.Z.Init64(1, &P.c.P)
+	P.T.Mul(&P.X, &P.Y)
+}
+
+func (P *extPoint) getXY() (x, y *mod.Int) {
+	P.normalize()
+	return &P.X, &P.Y
+}
+
+func (P *extPoint) String() string {
+	P.normalize()
+	//return P.c.pointString(&P.X,&P.Y)
+	buf, _ := P.MarshalBinary()
+	return hex.EncodeToString(buf)
+}
+
+func (P *extPoint) MarshalSize() int {
+	return P.c.PointLen()
+}
+
+func (P *extPoint) MarshalBinary() ([]byte, error) {
+	P.normalize()
+	return P.c.encodePoint(&P.X, &P.Y), nil
+}
+
+func (P *extPoint) UnmarshalBinary(b []byte) error {
+	if err := P.c.decodePoint(b, &P.X, &P.Y); err != nil {
+		return err
+	}
+	P.Z.Init64(1, &P.c.P)
+	P.T.Mul(&P.X, &P.Y)
+	return nil
+}
+
+func (P *extPoint) MarshalTo(w io.Writer) (int, error) {
+	return marshalling.PointMarshalTo(P, w)
+}
+
+func (P *extPoint) UnmarshalFrom(r io.Reader) (int, error) {
+	return marshalling.PointUnmarshalFrom(P, r)
+}
+
+// Equality test for two Points on the same curve.
+// We can avoid inversions here because:
+//
+//	(X1/Z1,Y1/Z1) == (X2/Z2,Y2/Z2)
+//		iff
+//	(X1*Z2,Y1*Z2) == (X2*Z1,Y2*Z1)
+//
+func (P *extPoint) Equal(CP2 kyber.Point) bool {
+	P2 := CP2.(*extPoint)
+	var t1, t2 mod.Int
+	xeq := t1.Mul(&P.X, &P2.Z).Equal(t2.Mul(&P2.X, &P.Z))
+	yeq := t1.Mul(&P.Y, &P2.Z).Equal(t2.Mul(&P2.Y, &P.Z))
+	return xeq && yeq
+}
+
+func (P *extPoint) Set(CP2 kyber.Point) kyber.Point {
+	P2 := CP2.(*extPoint)
+	P.c = P2.c
+	P.X.Set(&P2.X)
+	P.Y.Set(&P2.Y)
+	P.Z.Set(&P2.Z)
+	P.T.Set(&P2.T)
+	return P
+}
+
+func (P *extPoint) Clone() kyber.Point {
+	P2 := extPoint{}
+	P2.c = P.c
+	P2.X.Set(&P.X)
+	P2.Y.Set(&P.Y)
+	P2.Z.Set(&P.Z)
+	P2.T.Set(&P.T)
+	return &P2
+}
+
+func (P *extPoint) Null() kyber.Point {
+	P.Set(&P.c.null)
+	return P
+}
+
+func (P *extPoint) Base() kyber.Point {
+	P.Set(&P.c.base)
+	return P
+}
+
+func (P *extPoint) EmbedLen() int {
+	return P.c.embedLen()
+}
+
+// Normalize the point's representation to Z=1.
+func (P *extPoint) normalize() {
+	P.Z.Inv(&P.Z)
+	P.X.Mul(&P.X, &P.Z)
+	P.Y.Mul(&P.Y, &P.Z)
+	P.Z.V.SetInt64(1)
+	P.T.Mul(&P.X, &P.Y)
+}
+
+// Check the validity of the T coordinate
+func (P *extPoint) checkT() {
+	var t1, t2 mod.Int
+	if !t1.Mul(&P.X, &P.Y).Equal(t2.Mul(&P.Z, &P.T)) {
+		panic("oops")
+	}
+}
+
+func (P *extPoint) Embed(data []byte, rand cipher.Stream) kyber.Point {
+	P.c.embed(P, data, rand)
+	return P
+}
+
+func (P *extPoint) Pick(rand cipher.Stream) kyber.Point {
+	P.c.embed(P, nil, rand)
+	return P
+}
+
+// Extract embedded data from a point group element
+func (P *extPoint) Data() ([]byte, error) {
+	P.normalize()
+	return P.c.data(&P.X, &P.Y)
+}
+
+// Add two points using optimized extended coordinate addition formulas.
+func (P *extPoint) Add(CP1, CP2 kyber.Point) kyber.Point {
+	P1 := CP1.(*extPoint)
+	P2 := CP2.(*extPoint)
+	X1, Y1, Z1, T1 := &P1.X, &P1.Y, &P1.Z, &P1.T
+	X2, Y2, Z2, T2 := &P2.X, &P2.Y, &P2.Z, &P2.T
+	X3, Y3, Z3, T3 := &P.X, &P.Y, &P.Z, &P.T
+	var A, B, C, D, E, F, G, H mod.Int
+
+	A.Mul(X1, X2)
+	B.Mul(Y1, Y2)
+	C.Mul(T1, T2).Mul(&C, &P.c.d)
+	D.Mul(Z1, Z2)
+	E.Add(X1, Y1).Mul(&E, F.Add(X2, Y2)).Sub(&E, &A).Sub(&E, &B)
+	F.Sub(&D, &C)
+	G.Add(&D, &C)
+	H.Mul(&P.c.a, &A).Sub(&B, &H)
+	X3.Mul(&E, &F)
+	Y3.Mul(&G, &H)
+	T3.Mul(&E, &H)
+	Z3.Mul(&F, &G)
+	return P
+}
+
+// Subtract points.
+func (P *extPoint) Sub(CP1, CP2 kyber.Point) kyber.Point {
+	P1 := CP1.(*extPoint)
+	P2 := CP2.(*extPoint)
+	X1, Y1, Z1, T1 := &P1.X, &P1.Y, &P1.Z, &P1.T
+	X2, Y2, Z2, T2 := &P2.X, &P2.Y, &P2.Z, &P2.T
+	X3, Y3, Z3, T3 := &P.X, &P.Y, &P.Z, &P.T
+	var A, B, C, D, E, F, G, H mod.Int
+
+	A.Mul(X1, X2)
+	B.Mul(Y1, Y2)
+	C.Mul(T1, T2).Mul(&C, &P.c.d)
+	D.Mul(Z1, Z2)
+	E.Add(X1, Y1).Mul(&E, F.Sub(Y2, X2)).Add(&E, &A).Sub(&E, &B)
+	F.Add(&D, &C)
+	G.Sub(&D, &C)
+	H.Mul(&P.c.a, &A).Add(&B, &H)
+	X3.Mul(&E, &F)
+	Y3.Mul(&G, &H)
+	T3.Mul(&E, &H)
+	Z3.Mul(&F, &G)
+	return P
+}
+
+// Find the negative of point A.
+// For Edwards curves, the negative of (x,y) is (-x,y).
+func (P *extPoint) Neg(CA kyber.Point) kyber.Point {
+	A := CA.(*extPoint)
+	P.c = A.c
+	P.X.Neg(&A.X)
+	P.Y.Set(&A.Y)
+	P.Z.Set(&A.Z)
+	P.T.Neg(&A.T)
+	return P
+}
+
+// Optimized point doubling for use in scalar multiplication.
+// Uses the formulae in section 3.3 of:
+// https://www.iacr.org/archive/asiacrypt2008/53500329/53500329.pdf
+func (P *extPoint) double() {
+	X1, Y1, Z1, T1 := &P.X, &P.Y, &P.Z, &P.T
+	var A, B, C, D, E, F, G, H mod.Int
+
+	A.Mul(X1, X1)
+	B.Mul(Y1, Y1)
+	C.Mul(Z1, Z1).Add(&C, &C)
+	D.Mul(&P.c.a, &A)
+	E.Add(X1, Y1).Mul(&E, &E).Sub(&E, &A).Sub(&E, &B)
+	G.Add(&D, &B)
+	F.Sub(&G, &C)
+	H.Sub(&D, &B)
+	X1.Mul(&E, &F)
+	Y1.Mul(&G, &H)
+	T1.Mul(&E, &H)
+	Z1.Mul(&F, &G)
+}
+
+// Multiply point p by scalar s using the repeated doubling method.
+//
+// Currently doesn't implement the optimization of
+// switching between projective and extended coordinates during
+// scalar multiplication.
+//
+func (P *extPoint) Mul(s kyber.Scalar, G kyber.Point) kyber.Point {
+	v := s.(*mod.Int).V
+	if G == nil {
+		return P.Base().Mul(s, P)
+	}
+	T := P
+	if G == P { // Must use temporary for in-place multiply
+		T = &extPoint{}
+	}
+	T.Set(&P.c.null) // Initialize to identity element (0,1)
+	for i := v.BitLen() - 1; i >= 0; i-- {
+		T.double()
+		if v.Bit(i) != 0 {
+			T.Add(T, G)
+		}
+	}
+	if T != P {
+		P.Set(T)
+	}
+	return P
+}
+
+// ExtendedCurve implements Twisted Edwards curves
+// using projective coordinate representation (X:Y:Z),
+// satisfying the identities x = X/Z, y = Y/Z.
+// This representation still supports all Twisted Edwards curves
+// and avoids expensive modular inversions on the critical paths.
+// Uses the projective arithmetic formulas in:
+// http://cr.yp.to/newelliptic/newelliptic-20070906.pdf
+//
+
+// ExtendedCurve implements Twisted Edwards curves
+// using the Extended Coordinate representation specified in:
+// Hisil et al, "Twisted Edwards Curves Revisited",
+// http://eprint.iacr.org/2008/522
+//
+// This implementation is designed to work with all Twisted Edwards curves,
+// foregoing the further optimizations that are available for the
+// special case with curve parameter a=-1.
+// We leave the task of hyperoptimization to curve-specific implementations
+// such as the ed25519 package.
+//
+type ExtendedCurve struct {
+	curve          // generic Edwards curve functionality
+	null  extPoint // Constant identity/null point (0,1)
+	base  extPoint // Standard base point
+}
+
+// Point creates a new Point on this curve.
+func (c *ExtendedCurve) Point() kyber.Point {
+	P := new(extPoint)
+	P.c = c
+	//P.Set(&c.null)
+	return P
+}
+
+// Init initializes the curve with given parameters.
+func (c *ExtendedCurve) Init(p *Param, fullGroup bool) *ExtendedCurve {
+	c.curve.init(c, p, fullGroup, &c.null, &c.base)
+	return c
+}
diff --git a/kyber/group/curve25519/param.go b/kyber/group/curve25519/param.go
new file mode 100644
index 0000000000..f59624e296
--- /dev/null
+++ b/kyber/group/curve25519/param.go
@@ -0,0 +1,159 @@
+// Package curve25519 contains several implementations of Twisted Edwards Curves,
+// from general and unoptimized to highly specialized and optimized.
+//
+// Twisted Edwards curves are elliptic curves satisfying the equation:
+//
+//	ax^2 + y^2 = c^2(1 + dx^2y^2)
+//
+// for some scalars c, d over some field K. We assume K is a (finite) prime field for a
+// large prime p. We also assume c == 1 because all curves in the generalized form
+// are isomorphic to curves having c == 1.
+//
+// For details see Bernstein et al, "Twisted Edwards Curves", http://eprint.iacr.org/2008/013.pdf
+package curve25519
+
+import (
+	"math/big"
+
+	"go.dedis.ch/kyber/v3/group/mod"
+)
+
+// Param defines a Twisted Edwards curve (TEC).
+type Param struct {
+	Name string // Name of curve
+
+	P big.Int // Prime defining the underlying field
+	Q big.Int // Order of the prime-order base point
+	R int     // Cofactor: Q*R is the total size of the curve
+
+	A, D big.Int // Edwards curve equation parameters
+
+	FBX, FBY big.Int // Standard base point for full group
+	PBX, PBY big.Int // Standard base point for prime-order subgroup
+
+	Elligator1s big.Int // Optional s parameter for Elligator 1
+	Elligator2u big.Int // Optional u parameter for Elligator 2
+}
+
+// Return the name of this curve.
+func (p *Param) String() string {
+	return p.Name
+}
+
+// Param1174 defines Curve1174, as specified in:
+// Bernstein et al, "Elligator: Elliptic-curve points indistinguishable
+// from uniform random strings"
+// http://elligator.cr.yp.to/elligator-20130828.pdf
+//
+func Param1174() *Param {
+	var p Param
+	var mi mod.Int
+
+	p.Name = "Curve1174"
+	p.P.SetBit(zero, 251, 1).Sub(&p.P, big.NewInt(9))
+	p.Q.SetString("45330879683285730139092453152713398835", 10)
+	p.Q.Sub(&p.P, &p.Q).Div(&p.Q, big.NewInt(4))
+	p.R = 4
+	p.A.SetInt64(1)
+	p.D.SetInt64(-1174)
+
+	// Full-group generator is (4/V,3/5)
+	mi.InitString("4", "19225777642111670230408712442205514783403012708409058383774613284963344096", 10, &p.P)
+	p.FBX.Set(&mi.V)
+	mi.InitString("3", "5", 10, &p.P)
+	p.FBY.Set(&mi.V)
+
+	// Elligator1 parameter s for Curve1174 (Elligator paper section 4.1)
+	p.Elligator1s.SetString("1806494121122717992522804053500797229648438766985538871240722010849934886421", 10)
+
+	return &p
+}
+
+// Param25519 defines the Edwards version of Curve25519, as specified in:
+// Bernstein et al, "High-speed high-security signatures",
+// http://ed25519.cr.yp.to/ed25519-20110926.pdf
+//
+func Param25519() *Param {
+	var p Param
+	var qs big.Int
+	p.Name = "Curve25519"
+	p.P.SetBit(zero, 255, 1).Sub(&p.P, big.NewInt(19))
+	qs.SetString("27742317777372353535851937790883648493", 10)
+	p.Q.SetBit(zero, 252, 1).Add(&p.Q, &qs)
+	p.R = 8
+	p.A.SetInt64(-1).Add(&p.P, &p.A)
+	p.D.SetString("37095705934669439343138083508754565189542113879843219016388785533085940283555", 10)
+
+	p.PBX.SetString("15112221349535400772501151409588531511454012693041857206046113283949847762202", 10)
+	p.PBY.SetString("46316835694926478169428394003475163141307993866256225615783033603165251855960", 10)
+
+	// Non-square u for Elligator2
+	p.Elligator2u.SetInt64(2)
+
+	return &p
+}
+
+// ParamE382 defines the E-382 curve specified in:
+// Aranha et al, "A note on high-security general-purpose elliptic curves",
+// http://eprint.iacr.org/2013/647.pdf
+//
+// and more recently in:
+//
+// "Additional Elliptic Curves for IETF protocols"
+// http://tools.ietf.org/html/draft-ladd-safecurves-02
+// (this I-D is now expired)
+func ParamE382() *Param {
+	var p Param
+	var qs big.Int
+	p.Name = "E-382"
+	p.P.SetBit(zero, 382, 1).Sub(&p.P, big.NewInt(105)) // p = 2^382-105
+	qs.SetString("1030303207694556153926491950732314247062623204330168346855", 10)
+	p.Q.SetBit(zero, 380, 1).Sub(&p.Q, &qs)
+	p.R = 8
+	p.A.SetInt64(1)
+	p.D.SetInt64(-67254)
+	p.PBX.SetString("3914921414754292646847594472454013487047137431784830634731377862923477302047857640522480241298429278603678181725699", 10)
+	p.PBY.SetString("17", 10)
+	return &p
+}
+
+// Param41417 defines the Curve41417 curve, as specified in:
+// Bernstein et al, "Curve41417: Karatsuba revisited",
+// http://eprint.iacr.org/2014/526.pdf
+func Param41417() *Param {
+	var p Param
+	var qs big.Int
+	p.Name = "Curve41417"
+	p.P.SetBit(zero, 414, 1).Sub(&p.P, big.NewInt(17))
+	qs.SetString("33364140863755142520810177694098385178984727200411208589594759", 10)
+	p.Q.SetBit(zero, 411, 1).Sub(&p.Q, &qs)
+	p.R = 8
+	p.A.SetInt64(1)
+	p.D.SetInt64(3617)
+	p.PBX.SetString("17319886477121189177719202498822615443556957307604340815256226171904769976866975908866528699294134494857887698432266169206165", 10)
+	p.PBY.SetString("34", 10)
+	return &p
+}
+
+// ParamE521 defines the E-521 curve specified in:
+// Aranha et al, "A note on high-security general-purpose elliptic curves",
+// http://eprint.iacr.org/2013/647.pdf
+//
+// and more recently included in:
+// "Additional Elliptic Curves for IETF protocols"
+// http://tools.ietf.org/html/draft-ladd-safecurves-02
+//
+func ParamE521() *Param {
+	var p Param
+	var qs big.Int
+	p.Name = "E-521"
+	p.P.SetBit(zero, 521, 1).Sub(&p.P, one)
+	qs.SetString("337554763258501705789107630418782636071904961214051226618635150085779108655765", 10)
+	p.Q.SetBit(zero, 519, 1).Sub(&p.Q, &qs)
+	p.R = 8
+	p.A.SetInt64(1)
+	p.D.SetInt64(-376014)
+	p.PBX.SetString("1571054894184995387535939749894317568645297350402905821437625181152304994381188529632591196067604100772673927915114267193389905003276673749012051148356041324", 10)
+	p.PBY.SetString("12", 10)
+	return &p
+}
diff --git a/kyber/group/curve25519/proj.go b/kyber/group/curve25519/proj.go
new file mode 100644
index 0000000000..4efee7f6ce
--- /dev/null
+++ b/kyber/group/curve25519/proj.go
@@ -0,0 +1,262 @@
+package curve25519
+
+import (
+	"crypto/cipher"
+	"io"
+	"math/big"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/internal/marshalling"
+	"go.dedis.ch/kyber/v3/group/mod"
+)
+
+type projPoint struct {
+	X, Y, Z mod.Int
+	c       *ProjectiveCurve
+}
+
+func (P *projPoint) initXY(x, y *big.Int, c kyber.Group) {
+	P.c = c.(*ProjectiveCurve)
+	P.X.Init(x, &P.c.P)
+	P.Y.Init(y, &P.c.P)
+	P.Z.Init64(1, &P.c.P)
+}
+
+func (P *projPoint) getXY() (x, y *mod.Int) {
+	P.normalize()
+	return &P.X, &P.Y
+}
+
+func (P *projPoint) String() string {
+	P.normalize()
+	return P.c.pointString(&P.X, &P.Y)
+}
+
+func (P *projPoint) MarshalSize() int {
+	return P.c.PointLen()
+}
+
+func (P *projPoint) MarshalBinary() ([]byte, error) {
+	P.normalize()
+	return P.c.encodePoint(&P.X, &P.Y), nil
+}
+
+func (P *projPoint) UnmarshalBinary(b []byte) error {
+	P.Z.Init64(1, &P.c.P)
+	return P.c.decodePoint(b, &P.X, &P.Y)
+}
+
+func (P *projPoint) MarshalTo(w io.Writer) (int, error) {
+	return marshalling.PointMarshalTo(P, w)
+}
+
+func (P *projPoint) UnmarshalFrom(r io.Reader) (int, error) {
+	return marshalling.PointUnmarshalFrom(P, r)
+}
+
+// Equality test for two Points on the same curve.
+// We can avoid inversions here because:
+//
+//	(X1/Z1,Y1/Z1) == (X2/Z2,Y2/Z2)
+//		iff
+//	(X1*Z2,Y1*Z2) == (X2*Z1,Y2*Z1)
+//
+func (P *projPoint) Equal(CP2 kyber.Point) bool {
+	P2 := CP2.(*projPoint)
+	var t1, t2 mod.Int
+	xeq := t1.Mul(&P.X, &P2.Z).Equal(t2.Mul(&P2.X, &P.Z))
+	yeq := t1.Mul(&P.Y, &P2.Z).Equal(t2.Mul(&P2.Y, &P.Z))
+	return xeq && yeq
+}
+
+func (P *projPoint) Set(CP2 kyber.Point) kyber.Point {
+	P2 := CP2.(*projPoint)
+	P.c = P2.c
+	P.X.Set(&P2.X)
+	P.Y.Set(&P2.Y)
+	P.Z.Set(&P2.Z)
+	return P
+}
+
+func (P *projPoint) Clone() kyber.Point {
+	P2 := projPoint{}
+	P2.c = P.c
+	P2.X.Set(&P.X)
+	P2.Y.Set(&P.Y)
+	P2.Z.Set(&P.Z)
+	return &P2
+}
+
+func (P *projPoint) Null() kyber.Point {
+	P.Set(&P.c.null)
+	return P
+}
+
+func (P *projPoint) Base() kyber.Point {
+	P.Set(&P.c.base)
+	return P
+}
+
+func (P *projPoint) EmbedLen() int {
+	return P.c.embedLen()
+}
+
+// Normalize the point's representation to Z=1.
+func (P *projPoint) normalize() {
+	P.Z.Inv(&P.Z)
+	P.X.Mul(&P.X, &P.Z)
+	P.Y.Mul(&P.Y, &P.Z)
+	P.Z.V.SetInt64(1)
+}
+
+func (P *projPoint) Embed(data []byte, rand cipher.Stream) kyber.Point {
+	P.c.embed(P, data, rand)
+	return P
+}
+
+func (P *projPoint) Pick(rand cipher.Stream) kyber.Point {
+	return P.Embed(nil, rand)
+}
+
+// Extract embedded data from a point group element
+func (P *projPoint) Data() ([]byte, error) {
+	P.normalize()
+	return P.c.data(&P.X, &P.Y)
+}
+
+// Add two points using optimized projective coordinate addition formulas.
+// Formulas taken from:
+//
+//	http://eprint.iacr.org/2008/013.pdf
+//	https://hyperelliptic.org/EFD/g1p/auto-twisted-projective.html
+//
+func (P *projPoint) Add(CP1, CP2 kyber.Point) kyber.Point {
+	P1 := CP1.(*projPoint)
+	P2 := CP2.(*projPoint)
+	X1, Y1, Z1 := &P1.X, &P1.Y, &P1.Z
+	X2, Y2, Z2 := &P2.X, &P2.Y, &P2.Z
+	var A, B, C, D, E, F, G, X3, Y3, Z3 mod.Int
+
+	A.Mul(Z1, Z2)
+	B.Mul(&A, &A)
+	C.Mul(X1, X2)
+	D.Mul(Y1, Y2)
+	E.Mul(&C, &D).Mul(&P.c.d, &E)
+	F.Sub(&B, &E)
+	G.Add(&B, &E)
+	X3.Add(X1, Y1).Mul(&X3, Z3.Add(X2, Y2)).Sub(&X3, &C).Sub(&X3, &D).
+		Mul(&F, &X3).Mul(&A, &X3)
+	Y3.Mul(&P.c.a, &C).Sub(&D, &Y3).Mul(&G, &Y3).Mul(&A, &Y3)
+	Z3.Mul(&F, &G)
+
+	P.c = P1.c
+	P.X.Set(&X3)
+	P.Y.Set(&Y3)
+	P.Z.Set(&Z3)
+	return P
+}
+
+// Subtract points so that their scalars subtract homomorphically
+func (P *projPoint) Sub(CP1, CP2 kyber.Point) kyber.Point {
+	P1 := CP1.(*projPoint)
+	P2 := CP2.(*projPoint)
+	X1, Y1, Z1 := &P1.X, &P1.Y, &P1.Z
+	X2, Y2, Z2 := &P2.X, &P2.Y, &P2.Z
+	var A, B, C, D, E, F, G, X3, Y3, Z3 mod.Int
+
+	A.Mul(Z1, Z2)
+	B.Mul(&A, &A)
+	C.Mul(X1, X2)
+	D.Mul(Y1, Y2)
+	E.Mul(&C, &D).Mul(&P.c.d, &E)
+	F.Add(&B, &E)
+	G.Sub(&B, &E)
+	X3.Add(X1, Y1).Mul(&X3, Z3.Sub(Y2, X2)).Add(&X3, &C).Sub(&X3, &D).
+		Mul(&F, &X3).Mul(&A, &X3)
+	Y3.Mul(&P.c.a, &C).Add(&D, &Y3).Mul(&G, &Y3).Mul(&A, &Y3)
+	Z3.Mul(&F, &G)
+
+	P.c = P1.c
+	P.X.Set(&X3)
+	P.Y.Set(&Y3)
+	P.Z.Set(&Z3)
+	return P
+}
+
+// Find the negative of point A.
+// For Edwards curves, the negative of (x,y) is (-x,y).
+func (P *projPoint) Neg(CA kyber.Point) kyber.Point {
+	A := CA.(*projPoint)
+	P.c = A.c
+	P.X.Neg(&A.X)
+	P.Y.Set(&A.Y)
+	P.Z.Set(&A.Z)
+	return P
+}
+
+// Optimized point doubling for use in scalar multiplication.
+func (P *projPoint) double() {
+	var B, C, D, E, F, H, J mod.Int
+
+	B.Add(&P.X, &P.Y).Mul(&B, &B)
+	C.Mul(&P.X, &P.X)
+	D.Mul(&P.Y, &P.Y)
+	E.Mul(&P.c.a, &C)
+	F.Add(&E, &D)
+	H.Mul(&P.Z, &P.Z)
+	J.Add(&H, &H).Sub(&F, &J)
+	P.X.Sub(&B, &C).Sub(&P.X, &D).Mul(&P.X, &J)
+	P.Y.Sub(&E, &D).Mul(&F, &P.Y)
+	P.Z.Mul(&F, &J)
+}
+
+// Multiply point p by scalar s using the repeated doubling method.
+func (P *projPoint) Mul(s kyber.Scalar, G kyber.Point) kyber.Point {
+	v := s.(*mod.Int).V
+	if G == nil {
+		return P.Base().Mul(s, P)
+	}
+	T := P
+	if G == P { // Must use temporary for in-place multiply
+		T = &projPoint{}
+	}
+	T.Set(&P.c.null) // Initialize to identity element (0,1)
+	for i := v.BitLen() - 1; i >= 0; i-- {
+		T.double()
+		if v.Bit(i) != 0 {
+			T.Add(T, G)
+		}
+	}
+	if T != P {
+		P.Set(T)
+	}
+	return P
+}
+
+// ProjectiveCurve implements Twisted Edwards curves
+// using projective coordinate representation (X:Y:Z),
+// satisfying the identities x = X/Z, y = Y/Z.
+// This representation still supports all Twisted Edwards curves
+// and avoids expensive modular inversions on the critical paths.
+// Uses the projective arithmetic formulas in:
+// http://cr.yp.to/newelliptic/newelliptic-20070906.pdf
+//
+type ProjectiveCurve struct {
+	curve           // generic Edwards curve functionality
+	null  projPoint // Constant identity/null point (0,1)
+	base  projPoint // Standard base point
+}
+
+// Point creates a new Point on this curve.
+func (c *ProjectiveCurve) Point() kyber.Point {
+	P := new(projPoint)
+	P.c = c
+	//P.Set(&c.null)
+	return P
+}
+
+// Init initializes the curve with given parameters.
+func (c *ProjectiveCurve) Init(p *Param, fullGroup bool) *ProjectiveCurve {
+	c.curve.init(c, p, fullGroup, &c.null, &c.base)
+	return c
+}
diff --git a/kyber/group/curve25519/suite.go b/kyber/group/curve25519/suite.go
new file mode 100644
index 0000000000..4b0249e1da
--- /dev/null
+++ b/kyber/group/curve25519/suite.go
@@ -0,0 +1,63 @@
+package curve25519
+
+import (
+	"crypto/cipher"
+	"crypto/sha256"
+	"hash"
+	"io"
+	"reflect"
+
+	"go.dedis.ch/fixbuf"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/internal/marshalling"
+	"go.dedis.ch/kyber/v3/util/random"
+	"go.dedis.ch/kyber/v3/xof/blake2xb"
+)
+
+// SuiteCurve25519 is the suite for the 25519 curve
+type SuiteCurve25519 struct {
+	ProjectiveCurve
+}
+
+// Hash returns the instance associated with the suite
+func (s *SuiteCurve25519) Hash() hash.Hash {
+	return sha256.New()
+}
+
+// XOF creates the XOF associated with the suite
+func (s *SuiteCurve25519) XOF(seed []byte) kyber.XOF {
+	return blake2xb.New(seed)
+}
+
+func (s *SuiteCurve25519) Read(r io.Reader, objs ...interface{}) error {
+	return fixbuf.Read(r, s, objs)
+}
+
+func (s *SuiteCurve25519) Write(w io.Writer, objs ...interface{}) error {
+	return fixbuf.Write(w, objs)
+}
+
+// New implements the kyber.encoding interface
+func (s *SuiteCurve25519) New(t reflect.Type) interface{} {
+	return marshalling.GroupNew(s, t)
+}
+
+// RandomStream returns a cipher.Stream that returns a key stream
+// from crypto/rand.
+func (s *SuiteCurve25519) RandomStream() cipher.Stream {
+	return random.New()
+}
+
+// NewBlakeSHA256Curve25519 returns a cipher suite based on package
+// go.dedis.ch/kyber/v3/xof/blake2xb, SHA-256, and Curve25519.
+//
+// If fullGroup is false, then the group is the prime-order subgroup.
+//
+// The scalars created by this group implement kyber.Scalar's SetBytes
+// method, interpreting the bytes as a big-endian integer, so as to be
+// compatible with the Go standard library's big.Int type.
+func NewBlakeSHA256Curve25519(fullGroup bool) *SuiteCurve25519 {
+	suite := new(SuiteCurve25519)
+	suite.Init(Param25519(), fullGroup)
+	return suite
+}
diff --git a/kyber/group/edwards25519/LICENSE b/kyber/group/edwards25519/LICENSE
new file mode 100644
index 0000000000..67697bb743
--- /dev/null
+++ b/kyber/group/edwards25519/LICENSE
@@ -0,0 +1,29 @@
+This directory is under the go-license:
+
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/kyber/group/edwards25519/allowvt_test.go b/kyber/group/edwards25519/allowvt_test.go
new file mode 100644
index 0000000000..54955b76dd
--- /dev/null
+++ b/kyber/group/edwards25519/allowvt_test.go
@@ -0,0 +1,20 @@
+package edwards25519
+
+import (
+	"testing"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+func TestVartime(t *testing.T) {
+	p := tSuite.Point()
+	if pvt, ok := p.(kyber.AllowsVarTime); ok {
+		// Try both settings
+		pvt.AllowVarTime(false)
+		p.Mul(one, p)
+		pvt.AllowVarTime(true)
+		p.Mul(one, p)
+	} else {
+		t.Fatal("expected Point to allow var time")
+	}
+}
diff --git a/kyber/group/edwards25519/const.go b/kyber/group/edwards25519/const.go
new file mode 100644
index 0000000000..bfa2ab4d35
--- /dev/null
+++ b/kyber/group/edwards25519/const.go
@@ -0,0 +1,1446 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package edwards25519
+
+import (
+	"math/big"
+)
+
+// prime modulus of underlying field = 2^255 - 19
+var prime, _ = new(big.Int).SetString("57896044618658097711785492504343953926634992332820282019728792003956564819949", 10)
+
+// prime order of base Point = 2^252 + 27742317777372353535851937790883648493
+var primeOrder, _ = new(big.Int).SetString("7237005577332262213973186563042994240857116359379907606001950938285454250989", 10)
+
+// `l_minus_2` is the order of base Point minus two, i.e. 2^252 +
+// 27742317777372353535851937790883648493 - 2, in little-endian form
+// This is needed to compute constant time modular inversion of scalars.
+var lMinus2, _ = new(big.Int).SetString("7237005577332262213973186563042994240857116359379907606001950938285454250987", 10)
+
+// cofactor of the curve, as a ModInt
+var cofactor = new(big.Int).SetInt64(8)
+
+// order of the full group including the cofactor
+var fullOrder = new(big.Int).Mul(primeOrder, cofactor)
+
+// scalar versions of these, usable for multiplication
+var primeOrderScalar = newScalarInt(primeOrder)
+var cofactorScalar = newScalarInt(cofactor)
+
+// identity Point
+var nullPoint = new(Point).Null()
+
+var d = fieldElement{
+	-10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116,
+}
+
+var d2 = fieldElement{
+	-21827239, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199,
+}
+
+var sqrtM1 = fieldElement{
+	-32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482,
+}
+
+var paramA = fieldElement{
+	486662, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+}
+
+var baseext = extendedGroupElement{
+	fieldElement{25485296, 5318399, 8791791, -8299916, -14349720, 6939349, -3324311, -7717049, 7287234, -6577708},
+	fieldElement{-758052, -1832720, 13046421, -4857925, 6576754, 14371947, -13139572, 6845540, -2198883, -4003719},
+	fieldElement{-947565, 6097708, -469190, 10704810, -8556274, -15589498, -16424464, -16608899, 14028613, -5004649},
+	fieldElement{6966464, -2456167, 7033433, 6781840, 28785542, 12262365, -2659449, 13959020, -21013759, -5262166},
+}
+
+var bi = [8]preComputedGroupElement{
+	{
+		fieldElement{25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605},
+		fieldElement{-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378},
+		fieldElement{-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546},
+	},
+	{
+		fieldElement{15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024},
+		fieldElement{16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574},
+		fieldElement{30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357},
+	},
+	{
+		fieldElement{10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380},
+		fieldElement{4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306},
+		fieldElement{19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942},
+	},
+	{
+		fieldElement{5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766},
+		fieldElement{-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701},
+		fieldElement{28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300},
+	},
+	{
+		fieldElement{-22518993, -6692182, 14201702, -8745502, -23510406, 8844726, 18474211, -1361450, -13062696, 13821877},
+		fieldElement{-6455177, -7839871, 3374702, -4740862, -27098617, -10571707, 31655028, -7212327, 18853322, -14220951},
+		fieldElement{4566830, -12963868, -28974889, -12240689, -7602672, -2830569, -8514358, -10431137, 2207753, -3209784},
+	},
+	{
+		fieldElement{-25154831, -4185821, 29681144, 7868801, -6854661, -9423865, -12437364, -663000, -31111463, -16132436},
+		fieldElement{25576264, -2703214, 7349804, -11814844, 16472782, 9300885, 3844789, 15725684, 171356, 6466918},
+		fieldElement{23103977, 13316479, 9739013, -16149481, 817875, -15038942, 8965339, -14088058, -30714912, 16193877},
+	},
+	{
+		fieldElement{-33521811, 3180713, -2394130, 14003687, -16903474, -16270840, 17238398, 4729455, -18074513, 9256800},
+		fieldElement{-25182317, -4174131, 32336398, 5036987, -21236817, 11360617, 22616405, 9761698, -19827198, 630305},
+		fieldElement{-13720693, 2639453, -24237460, -7406481, 9494427, -5774029, -6554551, -15960994, -2449256, -14291300},
+	},
+	{
+		fieldElement{-3151181, -5046075, 9282714, 6866145, -31907062, -863023, -18940575, 15033784, 25105118, -7894876},
+		fieldElement{-24326370, 15950226, -31801215, -14592823, -11662737, -5090925, 1573892, -2625887, 2198790, -15804619},
+		fieldElement{-3099351, 10324967, -2241613, 7453183, -5446979, -2735503, -13812022, -16236442, -32461234, -12290683},
+	},
+}
+
+var base = [32][8]preComputedGroupElement{
+	{
+		{
+			fieldElement{25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605},
+			fieldElement{-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378},
+			fieldElement{-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546},
+		},
+		{
+			fieldElement{-12815894, -12976347, -21581243, 11784320, -25355658, -2750717, -11717903, -3814571, -358445, -10211303},
+			fieldElement{-21703237, 6903825, 27185491, 6451973, -29577724, -9554005, -15616551, 11189268, -26829678, -5319081},
+			fieldElement{26966642, 11152617, 32442495, 15396054, 14353839, -12752335, -3128826, -9541118, -15472047, -4166697},
+		},
+		{
+			fieldElement{15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024},
+			fieldElement{16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574},
+			fieldElement{30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357},
+		},
+		{
+			fieldElement{-17036878, 13921892, 10945806, -6033431, 27105052, -16084379, -28926210, 15006023, 3284568, -6276540},
+			fieldElement{23599295, -8306047, -11193664, -7687416, 13236774, 10506355, 7464579, 9656445, 13059162, 10374397},
+			fieldElement{7798556, 16710257, 3033922, 2874086, 28997861, 2835604, 32406664, -3839045, -641708, -101325},
+		},
+		{
+			fieldElement{10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380},
+			fieldElement{4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306},
+			fieldElement{19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942},
+		},
+		{
+			fieldElement{-15371964, -12862754, 32573250, 4720197, -26436522, 5875511, -19188627, -15224819, -9818940, -12085777},
+			fieldElement{-8549212, 109983, 15149363, 2178705, 22900618, 4543417, 3044240, -15689887, 1762328, 14866737},
+			fieldElement{-18199695, -15951423, -10473290, 1707278, -17185920, 3916101, -28236412, 3959421, 27914454, 4383652},
+		},
+		{
+			fieldElement{5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766},
+			fieldElement{-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701},
+			fieldElement{28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300},
+		},
+		{
+			fieldElement{14499471, -2729599, -33191113, -4254652, 28494862, 14271267, 30290735, 10876454, -33154098, 2381726},
+			fieldElement{-7195431, -2655363, -14730155, 462251, -27724326, 3941372, -6236617, 3696005, -32300832, 15351955},
+			fieldElement{27431194, 8222322, 16448760, -3907995, -18707002, 11938355, -32961401, -2970515, 29551813, 10109425},
+		},
+	},
+	{
+		{
+			fieldElement{-13657040, -13155431, -31283750, 11777098, 21447386, 6519384, -2378284, -1627556, 10092783, -4764171},
+			fieldElement{27939166, 14210322, 4677035, 16277044, -22964462, -12398139, -32508754, 12005538, -17810127, 12803510},
+			fieldElement{17228999, -15661624, -1233527, 300140, -1224870, -11714777, 30364213, -9038194, 18016357, 4397660},
+		},
+		{
+			fieldElement{-10958843, -7690207, 4776341, -14954238, 27850028, -15602212, -26619106, 14544525, -17477504, 982639},
+			fieldElement{29253598, 15796703, -2863982, -9908884, 10057023, 3163536, 7332899, -4120128, -21047696, 9934963},
+			fieldElement{5793303, 16271923, -24131614, -10116404, 29188560, 1206517, -14747930, 4559895, -30123922, -10897950},
+		},
+		{
+			fieldElement{-27643952, -11493006, 16282657, -11036493, 28414021, -15012264, 24191034, 4541697, -13338309, 5500568},
+			fieldElement{12650548, -1497113, 9052871, 11355358, -17680037, -8400164, -17430592, 12264343, 10874051, 13524335},
+			fieldElement{25556948, -3045990, 714651, 2510400, 23394682, -10415330, 33119038, 5080568, -22528059, 5376628},
+		},
+		{
+			fieldElement{-26088264, -4011052, -17013699, -3537628, -6726793, 1920897, -22321305, -9447443, 4535768, 1569007},
+			fieldElement{-2255422, 14606630, -21692440, -8039818, 28430649, 8775819, -30494562, 3044290, 31848280, 12543772},
+			fieldElement{-22028579, 2943893, -31857513, 6777306, 13784462, -4292203, -27377195, -2062731, 7718482, 14474653},
+		},
+		{
+			fieldElement{2385315, 2454213, -22631320, 46603, -4437935, -15680415, 656965, -7236665, 24316168, -5253567},
+			fieldElement{13741529, 10911568, -33233417, -8603737, -20177830, -1033297, 33040651, -13424532, -20729456, 8321686},
+			fieldElement{21060490, -2212744, 15712757, -4336099, 1639040, 10656336, 23845965, -11874838, -9984458, 608372},
+		},
+		{
+			fieldElement{-13672732, -15087586, -10889693, -7557059, -6036909, 11305547, 1123968, -6780577, 27229399, 23887},
+			fieldElement{-23244140, -294205, -11744728, 14712571, -29465699, -2029617, 12797024, -6440308, -1633405, 16678954},
+			fieldElement{-29500620, 4770662, -16054387, 14001338, 7830047, 9564805, -1508144, -4795045, -17169265, 4904953},
+		},
+		{
+			fieldElement{24059557, 14617003, 19037157, -15039908, 19766093, -14906429, 5169211, 16191880, 2128236, -4326833},
+			fieldElement{-16981152, 4124966, -8540610, -10653797, 30336522, -14105247, -29806336, 916033, -6882542, -2986532},
+			fieldElement{-22630907, 12419372, -7134229, -7473371, -16478904, 16739175, 285431, 2763829, 15736322, 4143876},
+		},
+		{
+			fieldElement{2379352, 11839345, -4110402, -5988665, 11274298, 794957, 212801, -14594663, 23527084, -16458268},
+			fieldElement{33431127, -11130478, -17838966, -15626900, 8909499, 8376530, -32625340, 4087881, -15188911, -14416214},
+			fieldElement{1767683, 7197987, -13205226, -2022635, -13091350, 448826, 5799055, 4357868, -4774191, -16323038},
+		},
+	},
+	{
+		{
+			fieldElement{6721966, 13833823, -23523388, -1551314, 26354293, -11863321, 23365147, -3949732, 7390890, 2759800},
+			fieldElement{4409041, 2052381, 23373853, 10530217, 7676779, -12885954, 21302353, -4264057, 1244380, -12919645},
+			fieldElement{-4421239, 7169619, 4982368, -2957590, 30256825, -2777540, 14086413, 9208236, 15886429, 16489664},
+		},
+		{
+			fieldElement{1996075, 10375649, 14346367, 13311202, -6874135, -16438411, -13693198, 398369, -30606455, -712933},
+			fieldElement{-25307465, 9795880, -2777414, 14878809, -33531835, 14780363, 13348553, 12076947, -30836462, 5113182},
+			fieldElement{-17770784, 11797796, 31950843, 13929123, -25888302, 12288344, -30341101, -7336386, 13847711, 5387222},
+		},
+		{
+			fieldElement{-18582163, -3416217, 17824843, -2340966, 22744343, -10442611, 8763061, 3617786, -19600662, 10370991},
+			fieldElement{20246567, -14369378, 22358229, -543712, 18507283, -10413996, 14554437, -8746092, 32232924, 16763880},
+			fieldElement{9648505, 10094563, 26416693, 14745928, -30374318, -6472621, 11094161, 15689506, 3140038, -16510092},
+		},
+		{
+			fieldElement{-16160072, 5472695, 31895588, 4744994, 8823515, 10365685, -27224800, 9448613, -28774454, 366295},
+			fieldElement{19153450, 11523972, -11096490, -6503142, -24647631, 5420647, 28344573, 8041113, 719605, 11671788},
+			fieldElement{8678025, 2694440, -6808014, 2517372, 4964326, 11152271, -15432916, -15266516, 27000813, -10195553},
+		},
+		{
+			fieldElement{-15157904, 7134312, 8639287, -2814877, -7235688, 10421742, 564065, 5336097, 6750977, -14521026},
+			fieldElement{11836410, -3979488, 26297894, 16080799, 23455045, 15735944, 1695823, -8819122, 8169720, 16220347},
+			fieldElement{-18115838, 8653647, 17578566, -6092619, -8025777, -16012763, -11144307, -2627664, -5990708, -14166033},
+		},
+		{
+			fieldElement{-23308498, -10968312, 15213228, -10081214, -30853605, -11050004, 27884329, 2847284, 2655861, 1738395},
+			fieldElement{-27537433, -14253021, -25336301, -8002780, -9370762, 8129821, 21651608, -3239336, -19087449, -11005278},
+			fieldElement{1533110, 3437855, 23735889, 459276, 29970501, 11335377, 26030092, 5821408, 10478196, 8544890},
+		},
+		{
+			fieldElement{32173121, -16129311, 24896207, 3921497, 22579056, -3410854, 19270449, 12217473, 17789017, -3395995},
+			fieldElement{-30552961, -2228401, -15578829, -10147201, 13243889, 517024, 15479401, -3853233, 30460520, 1052596},
+			fieldElement{-11614875, 13323618, 32618793, 8175907, -15230173, 12596687, 27491595, -4612359, 3179268, -9478891},
+		},
+		{
+			fieldElement{31947069, -14366651, -4640583, -15339921, -15125977, -6039709, -14756777, -16411740, 19072640, -9511060},
+			fieldElement{11685058, 11822410, 3158003, -13952594, 33402194, -4165066, 5977896, -5215017, 473099, 5040608},
+			fieldElement{-20290863, 8198642, -27410132, 11602123, 1290375, -2799760, 28326862, 1721092, -19558642, -3131606},
+		},
+	},
+	{
+		{
+			fieldElement{7881532, 10687937, 7578723, 7738378, -18951012, -2553952, 21820786, 8076149, -27868496, 11538389},
+			fieldElement{-19935666, 3899861, 18283497, -6801568, -15728660, -11249211, 8754525, 7446702, -5676054, 5797016},
+			fieldElement{-11295600, -3793569, -15782110, -7964573, 12708869, -8456199, 2014099, -9050574, -2369172, -5877341},
+		},
+		{
+			fieldElement{-22472376, -11568741, -27682020, 1146375, 18956691, 16640559, 1192730, -3714199, 15123619, 10811505},
+			fieldElement{14352098, -3419715, -18942044, 10822655, 32750596, 4699007, -70363, 15776356, -28886779, -11974553},
+			fieldElement{-28241164, -8072475, -4978962, -5315317, 29416931, 1847569, -20654173, -16484855, 4714547, -9600655},
+		},
+		{
+			fieldElement{15200332, 8368572, 19679101, 15970074, -31872674, 1959451, 24611599, -4543832, -11745876, 12340220},
+			fieldElement{12876937, -10480056, 33134381, 6590940, -6307776, 14872440, 9613953, 8241152, 15370987, 9608631},
+			fieldElement{-4143277, -12014408, 8446281, -391603, 4407738, 13629032, -7724868, 15866074, -28210621, -8814099},
+		},
+		{
+			fieldElement{26660628, -15677655, 8393734, 358047, -7401291, 992988, -23904233, 858697, 20571223, 8420556},
+			fieldElement{14620715, 13067227, -15447274, 8264467, 14106269, 15080814, 33531827, 12516406, -21574435, -12476749},
+			fieldElement{236881, 10476226, 57258, -14677024, 6472998, 2466984, 17258519, 7256740, 8791136, 15069930},
+		},
+		{
+			fieldElement{1276410, -9371918, 22949635, -16322807, -23493039, -5702186, 14711875, 4874229, -30663140, -2331391},
+			fieldElement{5855666, 4990204, -13711848, 7294284, -7804282, 1924647, -1423175, -7912378, -33069337, 9234253},
+			fieldElement{20590503, -9018988, 31529744, -7352666, -2706834, 10650548, 31559055, -11609587, 18979186, 13396066},
+		},
+		{
+			fieldElement{24474287, 4968103, 22267082, 4407354, 24063882, -8325180, -18816887, 13594782, 33514650, 7021958},
+			fieldElement{-11566906, -6565505, -21365085, 15928892, -26158305, 4315421, -25948728, -3916677, -21480480, 12868082},
+			fieldElement{-28635013, 13504661, 19988037, -2132761, 21078225, 6443208, -21446107, 2244500, -12455797, -8089383},
+		},
+		{
+			fieldElement{-30595528, 13793479, -5852820, 319136, -25723172, -6263899, 33086546, 8957937, -15233648, 5540521},
+			fieldElement{-11630176, -11503902, -8119500, -7643073, 2620056, 1022908, -23710744, -1568984, -16128528, -14962807},
+			fieldElement{23152971, 775386, 27395463, 14006635, -9701118, 4649512, 1689819, 892185, -11513277, -15205948},
+		},
+		{
+			fieldElement{9770129, 9586738, 26496094, 4324120, 1556511, -3550024, 27453819, 4763127, -19179614, 5867134},
+			fieldElement{-32765025, 1927590, 31726409, -4753295, 23962434, -16019500, 27846559, 5931263, -29749703, -16108455},
+			fieldElement{27461885, -2977536, 22380810, 1815854, -23033753, -3031938, 7283490, -15148073, -19526700, 7734629},
+		},
+	},
+	{
+		{
+			fieldElement{-8010264, -9590817, -11120403, 6196038, 29344158, -13430885, 7585295, -3176626, 18549497, 15302069},
+			fieldElement{-32658337, -6171222, -7672793, -11051681, 6258878, 13504381, 10458790, -6418461, -8872242, 8424746},
+			fieldElement{24687205, 8613276, -30667046, -3233545, 1863892, -1830544, 19206234, 7134917, -11284482, -828919},
+		},
+		{
+			fieldElement{11334899, -9218022, 8025293, 12707519, 17523892, -10476071, 10243738, -14685461, -5066034, 16498837},
+			fieldElement{8911542, 6887158, -9584260, -6958590, 11145641, -9543680, 17303925, -14124238, 6536641, 10543906},
+			fieldElement{-28946384, 15479763, -17466835, 568876, -1497683, 11223454, -2669190, -16625574, -27235709, 8876771},
+		},
+		{
+			fieldElement{-25742899, -12566864, -15649966, -846607, -33026686, -796288, -33481822, 15824474, -604426, -9039817},
+			fieldElement{10330056, 70051, 7957388, -9002667, 9764902, 15609756, 27698697, -4890037, 1657394, 3084098},
+			fieldElement{10477963, -7470260, 12119566, -13250805, 29016247, -5365589, 31280319, 14396151, -30233575, 15272409},
+		},
+		{
+			fieldElement{-12288309, 3169463, 28813183, 16658753, 25116432, -5630466, -25173957, -12636138, -25014757, 1950504},
+			fieldElement{-26180358, 9489187, 11053416, -14746161, -31053720, 5825630, -8384306, -8767532, 15341279, 8373727},
+			fieldElement{28685821, 7759505, -14378516, -12002860, -31971820, 4079242, 298136, -10232602, -2878207, 15190420},
+		},
+		{
+			fieldElement{-32932876, 13806336, -14337485, -15794431, -24004620, 10940928, 8669718, 2742393, -26033313, -6875003},
+			fieldElement{-1580388, -11729417, -25979658, -11445023, -17411874, -10912854, 9291594, -16247779, -12154742, 6048605},
+			fieldElement{-30305315, 14843444, 1539301, 11864366, 20201677, 1900163, 13934231, 5128323, 11213262, 9168384},
+		},
+		{
+			fieldElement{-26280513, 11007847, 19408960, -940758, -18592965, -4328580, -5088060, -11105150, 20470157, -16398701},
+			fieldElement{-23136053, 9282192, 14855179, -15390078, -7362815, -14408560, -22783952, 14461608, 14042978, 5230683},
+			fieldElement{29969567, -2741594, -16711867, -8552442, 9175486, -2468974, 21556951, 3506042, -5933891, -12449708},
+		},
+		{
+			fieldElement{-3144746, 8744661, 19704003, 4581278, -20430686, 6830683, -21284170, 8971513, -28539189, 15326563},
+			fieldElement{-19464629, 10110288, -17262528, -3503892, -23500387, 1355669, -15523050, 15300988, -20514118, 9168260},
+			fieldElement{-5353335, 4488613, -23803248, 16314347, 7780487, -15638939, -28948358, 9601605, 33087103, -9011387},
+		},
+		{
+			fieldElement{-19443170, -15512900, -20797467, -12445323, -29824447, 10229461, -27444329, -15000531, -5996870, 15664672},
+			fieldElement{23294591, -16632613, -22650781, -8470978, 27844204, 11461195, 13099750, -2460356, 18151676, 13417686},
+			fieldElement{-24722913, -4176517, -31150679, 5988919, -26858785, 6685065, 1661597, -12551441, 15271676, -15452665},
+		},
+	},
+	{
+		{
+			fieldElement{11433042, -13228665, 8239631, -5279517, -1985436, -725718, -18698764, 2167544, -6921301, -13440182},
+			fieldElement{-31436171, 15575146, 30436815, 12192228, -22463353, 9395379, -9917708, -8638997, 12215110, 12028277},
+			fieldElement{14098400, 6555944, 23007258, 5757252, -15427832, -12950502, 30123440, 4617780, -16900089, -655628},
+		},
+		{
+			fieldElement{-4026201, -15240835, 11893168, 13718664, -14809462, 1847385, -15819999, 10154009, 23973261, -12684474},
+			fieldElement{-26531820, -3695990, -1908898, 2534301, -31870557, -16550355, 18341390, -11419951, 32013174, -10103539},
+			fieldElement{-25479301, 10876443, -11771086, -14625140, -12369567, 1838104, 21911214, 6354752, 4425632, -837822},
+		},
+		{
+			fieldElement{-10433389, -14612966, 22229858, -3091047, -13191166, 776729, -17415375, -12020462, 4725005, 14044970},
+			fieldElement{19268650, -7304421, 1555349, 8692754, -21474059, -9910664, 6347390, -1411784, -19522291, -16109756},
+			fieldElement{-24864089, 12986008, -10898878, -5558584, -11312371, -148526, 19541418, 8180106, 9282262, 10282508},
+		},
+		{
+			fieldElement{-26205082, 4428547, -8661196, -13194263, 4098402, -14165257, 15522535, 8372215, 5542595, -10702683},
+			fieldElement{-10562541, 14895633, 26814552, -16673850, -17480754, -2489360, -2781891, 6993761, -18093885, 10114655},
+			fieldElement{-20107055, -929418, 31422704, 10427861, -7110749, 6150669, -29091755, -11529146, 25953725, -106158},
+		},
+		{
+			fieldElement{-4234397, -8039292, -9119125, 3046000, 2101609, -12607294, 19390020, 6094296, -3315279, 12831125},
+			fieldElement{-15998678, 7578152, 5310217, 14408357, -33548620, -224739, 31575954, 6326196, 7381791, -2421839},
+			fieldElement{-20902779, 3296811, 24736065, -16328389, 18374254, 7318640, 6295303, 8082724, -15362489, 12339664},
+		},
+		{
+			fieldElement{27724736, 2291157, 6088201, -14184798, 1792727, 5857634, 13848414, 15768922, 25091167, 14856294},
+			fieldElement{-18866652, 8331043, 24373479, 8541013, -701998, -9269457, 12927300, -12695493, -22182473, -9012899},
+			fieldElement{-11423429, -5421590, 11632845, 3405020, 30536730, -11674039, -27260765, 13866390, 30146206, 9142070},
+		},
+		{
+			fieldElement{3924129, -15307516, -13817122, -10054960, 12291820, -668366, -27702774, 9326384, -8237858, 4171294},
+			fieldElement{-15921940, 16037937, 6713787, 16606682, -21612135, 2790944, 26396185, 3731949, 345228, -5462949},
+			fieldElement{-21327538, 13448259, 25284571, 1143661, 20614966, -8849387, 2031539, -12391231, -16253183, -13582083},
+		},
+		{
+			fieldElement{31016211, -16722429, 26371392, -14451233, -5027349, 14854137, 17477601, 3842657, 28012650, -16405420},
+			fieldElement{-5075835, 9368966, -8562079, -4600902, -15249953, 6970560, -9189873, 16292057, -8867157, 3507940},
+			fieldElement{29439664, 3537914, 23333589, 6997794, -17555561, -11018068, -15209202, -15051267, -9164929, 6580396},
+		},
+	},
+	{
+		{
+			fieldElement{-12185861, -7679788, 16438269, 10826160, -8696817, -6235611, 17860444, -9273846, -2095802, 9304567},
+			fieldElement{20714564, -4336911, 29088195, 7406487, 11426967, -5095705, 14792667, -14608617, 5289421, -477127},
+			fieldElement{-16665533, -10650790, -6160345, -13305760, 9192020, -1802462, 17271490, 12349094, 26939669, -3752294},
+		},
+		{
+			fieldElement{-12889898, 9373458, 31595848, 16374215, 21471720, 13221525, -27283495, -12348559, -3698806, 117887},
+			fieldElement{22263325, -6560050, 3984570, -11174646, -15114008, -566785, 28311253, 5358056, -23319780, 541964},
+			fieldElement{16259219, 3261970, 2309254, -15534474, -16885711, -4581916, 24134070, -16705829, -13337066, -13552195},
+		},
+		{
+			fieldElement{9378160, -13140186, -22845982, -12745264, 28198281, -7244098, -2399684, -717351, 690426, 14876244},
+			fieldElement{24977353, -314384, -8223969, -13465086, 28432343, -1176353, -13068804, -12297348, -22380984, 6618999},
+			fieldElement{-1538174, 11685646, 12944378, 13682314, -24389511, -14413193, 8044829, -13817328, 32239829, -5652762},
+		},
+		{
+			fieldElement{-18603066, 4762990, -926250, 8885304, -28412480, -3187315, 9781647, -10350059, 32779359, 5095274},
+			fieldElement{-33008130, -5214506, -32264887, -3685216, 9460461, -9327423, -24601656, 14506724, 21639561, -2630236},
+			fieldElement{-16400943, -13112215, 25239338, 15531969, 3987758, -4499318, -1289502, -6863535, 17874574, 558605},
+		},
+		{
+			fieldElement{-13600129, 10240081, 9171883, 16131053, -20869254, 9599700, 33499487, 5080151, 2085892, 5119761},
+			fieldElement{-22205145, -2519528, -16381601, 414691, -25019550, 2170430, 30634760, -8363614, -31999993, -5759884},
+			fieldElement{-6845704, 15791202, 8550074, -1312654, 29928809, -12092256, 27534430, -7192145, -22351378, 12961482},
+		},
+		{
+			fieldElement{-24492060, -9570771, 10368194, 11582341, -23397293, -2245287, 16533930, 8206996, -30194652, -5159638},
+			fieldElement{-11121496, -3382234, 2307366, 6362031, -135455, 8868177, -16835630, 7031275, 7589640, 8945490},
+			fieldElement{-32152748, 8917967, 6661220, -11677616, -1192060, -15793393, 7251489, -11182180, 24099109, -14456170},
+		},
+		{
+			fieldElement{5019558, -7907470, 4244127, -14714356, -26933272, 6453165, -19118182, -13289025, -6231896, -10280736},
+			fieldElement{10853594, 10721687, 26480089, 5861829, -22995819, 1972175, -1866647, -10557898, -3363451, -6441124},
+			fieldElement{-17002408, 5906790, 221599, -6563147, 7828208, -13248918, 24362661, -2008168, -13866408, 7421392},
+		},
+		{
+			fieldElement{8139927, -6546497, 32257646, -5890546, 30375719, 1886181, -21175108, 15441252, 28826358, -4123029},
+			fieldElement{6267086, 9695052, 7709135, -16603597, -32869068, -1886135, 14795160, -7840124, 13746021, -1742048},
+			fieldElement{28584902, 7787108, -6732942, -15050729, 22846041, -7571236, -3181936, -363524, 4771362, -8419958},
+		},
+	},
+	{
+		{
+			fieldElement{24949256, 6376279, -27466481, -8174608, -18646154, -9930606, 33543569, -12141695, 3569627, 11342593},
+			fieldElement{26514989, 4740088, 27912651, 3697550, 19331575, -11472339, 6809886, 4608608, 7325975, -14801071},
+			fieldElement{-11618399, -14554430, -24321212, 7655128, -1369274, 5214312, -27400540, 10258390, -17646694, -8186692},
+		},
+		{
+			fieldElement{11431204, 15823007, 26570245, 14329124, 18029990, 4796082, -31446179, 15580664, 9280358, -3973687},
+			fieldElement{-160783, -10326257, -22855316, -4304997, -20861367, -13621002, -32810901, -11181622, -15545091, 4387441},
+			fieldElement{-20799378, 12194512, 3937617, -5805892, -27154820, 9340370, -24513992, 8548137, 20617071, -7482001},
+		},
+		{
+			fieldElement{-938825, -3930586, -8714311, 16124718, 24603125, -6225393, -13775352, -11875822, 24345683, 10325460},
+			fieldElement{-19855277, -1568885, -22202708, 8714034, 14007766, 6928528, 16318175, -1010689, 4766743, 3552007},
+			fieldElement{-21751364, -16730916, 1351763, -803421, -4009670, 3950935, 3217514, 14481909, 10988822, -3994762},
+		},
+		{
+			fieldElement{15564307, -14311570, 3101243, 5684148, 30446780, -8051356, 12677127, -6505343, -8295852, 13296005},
+			fieldElement{-9442290, 6624296, -30298964, -11913677, -4670981, -2057379, 31521204, 9614054, -30000824, 12074674},
+			fieldElement{4771191, -135239, 14290749, -13089852, 27992298, 14998318, -1413936, -1556716, 29832613, -16391035},
+		},
+		{
+			fieldElement{7064884, -7541174, -19161962, -5067537, -18891269, -2912736, 25825242, 5293297, -27122660, 13101590},
+			fieldElement{-2298563, 2439670, -7466610, 1719965, -27267541, -16328445, 32512469, -5317593, -30356070, -4190957},
+			fieldElement{-30006540, 10162316, -33180176, 3981723, -16482138, -13070044, 14413974, 9515896, 19568978, 9628812},
+		},
+		{
+			fieldElement{33053803, 199357, 15894591, 1583059, 27380243, -4580435, -17838894, -6106839, -6291786, 3437740},
+			fieldElement{-18978877, 3884493, 19469877, 12726490, 15913552, 13614290, -22961733, 70104, 7463304, 4176122},
+			fieldElement{-27124001, 10659917, 11482427, -16070381, 12771467, -6635117, -32719404, -5322751, 24216882, 5944158},
+		},
+		{
+			fieldElement{8894125, 7450974, -2664149, -9765752, -28080517, -12389115, 19345746, 14680796, 11632993, 5847885},
+			fieldElement{26942781, -2315317, 9129564, -4906607, 26024105, 11769399, -11518837, 6367194, -9727230, 4782140},
+			fieldElement{19916461, -4828410, -22910704, -11414391, 25606324, -5972441, 33253853, 8220911, 6358847, -1873857},
+		},
+		{
+			fieldElement{801428, -2081702, 16569428, 11065167, 29875704, 96627, 7908388, -4480480, -13538503, 1387155},
+			fieldElement{19646058, 5720633, -11416706, 12814209, 11607948, 12749789, 14147075, 15156355, -21866831, 11835260},
+			fieldElement{19299512, 1155910, 28703737, 14890794, 2925026, 7269399, 26121523, 15467869, -26560550, 5052483},
+		},
+	},
+	{
+		{
+			fieldElement{-3017432, 10058206, 1980837, 3964243, 22160966, 12322533, -6431123, -12618185, 12228557, -7003677},
+			fieldElement{32944382, 14922211, -22844894, 5188528, 21913450, -8719943, 4001465, 13238564, -6114803, 8653815},
+			fieldElement{22865569, -4652735, 27603668, -12545395, 14348958, 8234005, 24808405, 5719875, 28483275, 2841751},
+		},
+		{
+			fieldElement{-16420968, -1113305, -327719, -12107856, 21886282, -15552774, -1887966, -315658, 19932058, -12739203},
+			fieldElement{-11656086, 10087521, -8864888, -5536143, -19278573, -3055912, 3999228, 13239134, -4777469, -13910208},
+			fieldElement{1382174, -11694719, 17266790, 9194690, -13324356, 9720081, 20403944, 11284705, -14013818, 3093230},
+		},
+		{
+			fieldElement{16650921, -11037932, -1064178, 1570629, -8329746, 7352753, -302424, 16271225, -24049421, -6691850},
+			fieldElement{-21911077, -5927941, -4611316, -5560156, -31744103, -10785293, 24123614, 15193618, -21652117, -16739389},
+			fieldElement{-9935934, -4289447, -25279823, 4372842, 2087473, 10399484, 31870908, 14690798, 17361620, 11864968},
+		},
+		{
+			fieldElement{-11307610, 6210372, 13206574, 5806320, -29017692, -13967200, -12331205, -7486601, -25578460, -16240689},
+			fieldElement{14668462, -12270235, 26039039, 15305210, 25515617, 4542480, 10453892, 6577524, 9145645, -6443880},
+			fieldElement{5974874, 3053895, -9433049, -10385191, -31865124, 3225009, -7972642, 3936128, -5652273, -3050304},
+		},
+		{
+			fieldElement{30625386, -4729400, -25555961, -12792866, -20484575, 7695099, 17097188, -16303496, -27999779, 1803632},
+			fieldElement{-3553091, 9865099, -5228566, 4272701, -5673832, -16689700, 14911344, 12196514, -21405489, 7047412},
+			fieldElement{20093277, 9920966, -11138194, -5343857, 13161587, 12044805, -32856851, 4124601, -32343828, -10257566},
+		},
+		{
+			fieldElement{-20788824, 14084654, -13531713, 7842147, 19119038, -13822605, 4752377, -8714640, -21679658, 2288038},
+			fieldElement{-26819236, -3283715, 29965059, 3039786, -14473765, 2540457, 29457502, 14625692, -24819617, 12570232},
+			fieldElement{-1063558, -11551823, 16920318, 12494842, 1278292, -5869109, -21159943, -3498680, -11974704, 4724943},
+		},
+		{
+			fieldElement{17960970, -11775534, -4140968, -9702530, -8876562, -1410617, -12907383, -8659932, -29576300, 1903856},
+			fieldElement{23134274, -14279132, -10681997, -1611936, 20684485, 15770816, -12989750, 3190296, 26955097, 14109738},
+			fieldElement{15308788, 5320727, -30113809, -14318877, 22902008, 7767164, 29425325, -11277562, 31960942, 11934971},
+		},
+		{
+			fieldElement{-27395711, 8435796, 4109644, 12222639, -24627868, 14818669, 20638173, 4875028, 10491392, 1379718},
+			fieldElement{-13159415, 9197841, 3875503, -8936108, -1383712, -5879801, 33518459, 16176658, 21432314, 12180697},
+			fieldElement{-11787308, 11500838, 13787581, -13832590, -22430679, 10140205, 1465425, 12689540, -10301319, -13872883},
+		},
+	},
+	{
+		{
+			fieldElement{5414091, -15386041, -21007664, 9643570, 12834970, 1186149, -2622916, -1342231, 26128231, 6032912},
+			fieldElement{-26337395, -13766162, 32496025, -13653919, 17847801, -12669156, 3604025, 8316894, -25875034, -10437358},
+			fieldElement{3296484, 6223048, 24680646, -12246460, -23052020, 5903205, -8862297, -4639164, 12376617, 3188849},
+		},
+		{
+			fieldElement{29190488, -14659046, 27549113, -1183516, 3520066, -10697301, 32049515, -7309113, -16109234, -9852307},
+			fieldElement{-14744486, -9309156, 735818, -598978, -20407687, -5057904, 25246078, -15795669, 18640741, -960977},
+			fieldElement{-6928835, -16430795, 10361374, 5642961, 4910474, 12345252, -31638386, -494430, 10530747, 1053335},
+		},
+		{
+			fieldElement{-29265967, -14186805, -13538216, -12117373, -19457059, -10655384, -31462369, -2948985, 24018831, 15026644},
+			fieldElement{-22592535, -3145277, -2289276, 5953843, -13440189, 9425631, 25310643, 13003497, -2314791, -15145616},
+			fieldElement{-27419985, -603321, -8043984, -1669117, -26092265, 13987819, -27297622, 187899, -23166419, -2531735},
+		},
+		{
+			fieldElement{-21744398, -13810475, 1844840, 5021428, -10434399, -15911473, 9716667, 16266922, -5070217, 726099},
+			fieldElement{29370922, -6053998, 7334071, -15342259, 9385287, 2247707, -13661962, -4839461, 30007388, -15823341},
+			fieldElement{-936379, 16086691, 23751945, -543318, -1167538, -5189036, 9137109, 730663, 9835848, 4555336},
+		},
+		{
+			fieldElement{-23376435, 1410446, -22253753, -12899614, 30867635, 15826977, 17693930, 544696, -11985298, 12422646},
+			fieldElement{31117226, -12215734, -13502838, 6561947, -9876867, -12757670, -5118685, -4096706, 29120153, 13924425},
+			fieldElement{-17400879, -14233209, 19675799, -2734756, -11006962, -5858820, -9383939, -11317700, 7240931, -237388},
+		},
+		{
+			fieldElement{-31361739, -11346780, -15007447, -5856218, -22453340, -12152771, 1222336, 4389483, 3293637, -15551743},
+			fieldElement{-16684801, -14444245, 11038544, 11054958, -13801175, -3338533, -24319580, 7733547, 12796905, -6335822},
+			fieldElement{-8759414, -10817836, -25418864, 10783769, -30615557, -9746811, -28253339, 3647836, 3222231, -11160462},
+		},
+		{
+			fieldElement{18606113, 1693100, -25448386, -15170272, 4112353, 10045021, 23603893, -2048234, -7550776, 2484985},
+			fieldElement{9255317, -3131197, -12156162, -1004256, 13098013, -9214866, 16377220, -2102812, -19802075, -3034702},
+			fieldElement{-22729289, 7496160, -5742199, 11329249, 19991973, -3347502, -31718148, 9936966, -30097688, -10618797},
+		},
+		{
+			fieldElement{21878590, -5001297, 4338336, 13643897, -3036865, 13160960, 19708896, 5415497, -7360503, -4109293},
+			fieldElement{27736861, 10103576, 12500508, 8502413, -3413016, -9633558, 10436918, -1550276, -23659143, -8132100},
+			fieldElement{19492550, -12104365, -29681976, -852630, -3208171, 12403437, 30066266, 8367329, 13243957, 8709688},
+		},
+	},
+	{
+		{
+			fieldElement{12015105, 2801261, 28198131, 10151021, 24818120, -4743133, -11194191, -5645734, 5150968, 7274186},
+			fieldElement{2831366, -12492146, 1478975, 6122054, 23825128, -12733586, 31097299, 6083058, 31021603, -9793610},
+			fieldElement{-2529932, -2229646, 445613, 10720828, -13849527, -11505937, -23507731, 16354465, 15067285, -14147707},
+		},
+		{
+			fieldElement{7840942, 14037873, -33364863, 15934016, -728213, -3642706, 21403988, 1057586, -19379462, -12403220},
+			fieldElement{915865, -16469274, 15608285, -8789130, -24357026, 6060030, -17371319, 8410997, -7220461, 16527025},
+			fieldElement{32922597, -556987, 20336074, -16184568, 10903705, -5384487, 16957574, 52992, 23834301, 6588044},
+		},
+		{
+			fieldElement{32752030, 11232950, 3381995, -8714866, 22652988, -10744103, 17159699, 16689107, -20314580, -1305992},
+			fieldElement{-4689649, 9166776, -25710296, -10847306, 11576752, 12733943, 7924251, -2752281, 1976123, -7249027},
+			fieldElement{21251222, 16309901, -2983015, -6783122, 30810597, 12967303, 156041, -3371252, 12331345, -8237197},
+		},
+		{
+			fieldElement{8651614, -4477032, -16085636, -4996994, 13002507, 2950805, 29054427, -5106970, 10008136, -4667901},
+			fieldElement{31486080, 15114593, -14261250, 12951354, 14369431, -7387845, 16347321, -13662089, 8684155, -10532952},
+			fieldElement{19443825, 11385320, 24468943, -9659068, -23919258, 2187569, -26263207, -6086921, 31316348, 14219878},
+		},
+		{
+			fieldElement{-28594490, 1193785, 32245219, 11392485, 31092169, 15722801, 27146014, 6992409, 29126555, 9207390},
+			fieldElement{32382935, 1110093, 18477781, 11028262, -27411763, -7548111, -4980517, 10843782, -7957600, -14435730},
+			fieldElement{2814918, 7836403, 27519878, -7868156, -20894015, -11553689, -21494559, 8550130, 28346258, 1994730},
+		},
+		{
+			fieldElement{-19578299, 8085545, -14000519, -3948622, 2785838, -16231307, -19516951, 7174894, 22628102, 8115180},
+			fieldElement{-30405132, 955511, -11133838, -15078069, -32447087, -13278079, -25651578, 3317160, -9943017, 930272},
+			fieldElement{-15303681, -6833769, 28856490, 1357446, 23421993, 1057177, 24091212, -1388970, -22765376, -10650715},
+		},
+		{
+			fieldElement{-22751231, -5303997, -12907607, -12768866, -15811511, -7797053, -14839018, -16554220, -1867018, 8398970},
+			fieldElement{-31969310, 2106403, -4736360, 1362501, 12813763, 16200670, 22981545, -6291273, 18009408, -15772772},
+			fieldElement{-17220923, -9545221, -27784654, 14166835, 29815394, 7444469, 29551787, -3727419, 19288549, 1325865},
+		},
+		{
+			fieldElement{15100157, -15835752, -23923978, -1005098, -26450192, 15509408, 12376730, -3479146, 33166107, -8042750},
+			fieldElement{20909231, 13023121, -9209752, 16251778, -5778415, -8094914, 12412151, 10018715, 2213263, -13878373},
+			fieldElement{32529814, -11074689, 30361439, -16689753, -9135940, 1513226, 22922121, 6382134, -5766928, 8371348},
+		},
+	},
+	{
+		{
+			fieldElement{9923462, 11271500, 12616794, 3544722, -29998368, -1721626, 12891687, -8193132, -26442943, 10486144},
+			fieldElement{-22597207, -7012665, 8587003, -8257861, 4084309, -12970062, 361726, 2610596, -23921530, -11455195},
+			fieldElement{5408411, -1136691, -4969122, 10561668, 24145918, 14240566, 31319731, -4235541, 19985175, -3436086},
+		},
+		{
+			fieldElement{-13994457, 16616821, 14549246, 3341099, 32155958, 13648976, -17577068, 8849297, 65030, 8370684},
+			fieldElement{-8320926, -12049626, 31204563, 5839400, -20627288, -1057277, -19442942, 6922164, 12743482, -9800518},
+			fieldElement{-2361371, 12678785, 28815050, 4759974, -23893047, 4884717, 23783145, 11038569, 18800704, 255233},
+		},
+		{
+			fieldElement{-5269658, -1773886, 13957886, 7990715, 23132995, 728773, 13393847, 9066957, 19258688, -14753793},
+			fieldElement{-2936654, -10827535, -10432089, 14516793, -3640786, 4372541, -31934921, 2209390, -1524053, 2055794},
+			fieldElement{580882, 16705327, 5468415, -2683018, -30926419, -14696000, -7203346, -8994389, -30021019, 7394435},
+		},
+		{
+			fieldElement{23838809, 1822728, -15738443, 15242727, 8318092, -3733104, -21672180, -3492205, -4821741, 14799921},
+			fieldElement{13345610, 9759151, 3371034, -16137791, 16353039, 8577942, 31129804, 13496856, -9056018, 7402518},
+			fieldElement{2286874, -4435931, -20042458, -2008336, -13696227, 5038122, 11006906, -15760352, 8205061, 1607563},
+		},
+		{
+			fieldElement{14414086, -8002132, 3331830, -3208217, 22249151, -5594188, 18364661, -2906958, 30019587, -9029278},
+			fieldElement{-27688051, 1585953, -10775053, 931069, -29120221, -11002319, -14410829, 12029093, 9944378, 8024},
+			fieldElement{4368715, -3709630, 29874200, -15022983, -20230386, -11410704, -16114594, -999085, -8142388, 5640030},
+		},
+		{
+			fieldElement{10299610, 13746483, 11661824, 16234854, 7630238, 5998374, 9809887, -16694564, 15219798, -14327783},
+			fieldElement{27425505, -5719081, 3055006, 10660664, 23458024, 595578, -15398605, -1173195, -18342183, 9742717},
+			fieldElement{6744077, 2427284, 26042789, 2720740, -847906, 1118974, 32324614, 7406442, 12420155, 1994844},
+		},
+		{
+			fieldElement{14012521, -5024720, -18384453, -9578469, -26485342, -3936439, -13033478, -10909803, 24319929, -6446333},
+			fieldElement{16412690, -4507367, 10772641, 15929391, -17068788, -4658621, 10555945, -10484049, -30102368, -4739048},
+			fieldElement{22397382, -7767684, -9293161, -12792868, 17166287, -9755136, -27333065, 6199366, 21880021, -12250760},
+		},
+		{
+			fieldElement{-4283307, 5368523, -31117018, 8163389, -30323063, 3209128, 16557151, 8890729, 8840445, 4957760},
+			fieldElement{-15447727, 709327, -6919446, -10870178, -29777922, 6522332, -21720181, 12130072, -14796503, 5005757},
+			fieldElement{-2114751, -14308128, 23019042, 15765735, -25269683, 6002752, 10183197, -13239326, -16395286, -2176112},
+		},
+	},
+	{
+		{
+			fieldElement{-19025756, 1632005, 13466291, -7995100, -23640451, 16573537, -32013908, -3057104, 22208662, 2000468},
+			fieldElement{3065073, -1412761, -25598674, -361432, -17683065, -5703415, -8164212, 11248527, -3691214, -7414184},
+			fieldElement{10379208, -6045554, 8877319, 1473647, -29291284, -12507580, 16690915, 2553332, -3132688, 16400289},
+		},
+		{
+			fieldElement{15716668, 1254266, -18472690, 7446274, -8448918, 6344164, -22097271, -7285580, 26894937, 9132066},
+			fieldElement{24158887, 12938817, 11085297, -8177598, -28063478, -4457083, -30576463, 64452, -6817084, -2692882},
+			fieldElement{13488534, 7794716, 22236231, 5989356, 25426474, -12578208, 2350710, -3418511, -4688006, 2364226},
+		},
+		{
+			fieldElement{16335052, 9132434, 25640582, 6678888, 1725628, 8517937, -11807024, -11697457, 15445875, -7798101},
+			fieldElement{29004207, -7867081, 28661402, -640412, -12794003, -7943086, 31863255, -4135540, -278050, -15759279},
+			fieldElement{-6122061, -14866665, -28614905, 14569919, -10857999, -3591829, 10343412, -6976290, -29828287, -10815811},
+		},
+		{
+			fieldElement{27081650, 3463984, 14099042, -4517604, 1616303, -6205604, 29542636, 15372179, 17293797, 960709},
+			fieldElement{20263915, 11434237, -5765435, 11236810, 13505955, -10857102, -16111345, 6493122, -19384511, 7639714},
+			fieldElement{-2830798, -14839232, 25403038, -8215196, -8317012, -16173699, 18006287, -16043750, 29994677, -15808121},
+		},
+		{
+			fieldElement{9769828, 5202651, -24157398, -13631392, -28051003, -11561624, -24613141, -13860782, -31184575, 709464},
+			fieldElement{12286395, 13076066, -21775189, -1176622, -25003198, 4057652, -32018128, -8890874, 16102007, 13205847},
+			fieldElement{13733362, 5599946, 10557076, 3195751, -5557991, 8536970, -25540170, 8525972, 10151379, 10394400},
+		},
+		{
+			fieldElement{4024660, -16137551, 22436262, 12276534, -9099015, -2686099, 19698229, 11743039, -33302334, 8934414},
+			fieldElement{-15879800, -4525240, -8580747, -2934061, 14634845, -698278, -9449077, 3137094, -11536886, 11721158},
+			fieldElement{17555939, -5013938, 8268606, 2331751, -22738815, 9761013, 9319229, 8835153, -9205489, -1280045},
+		},
+		{
+			fieldElement{-461409, -7830014, 20614118, 16688288, -7514766, -4807119, 22300304, 505429, 6108462, -6183415},
+			fieldElement{-5070281, 12367917, -30663534, 3234473, 32617080, -8422642, 29880583, -13483331, -26898490, -7867459},
+			fieldElement{-31975283, 5726539, 26934134, 10237677, -3173717, -605053, 24199304, 3795095, 7592688, -14992079},
+		},
+		{
+			fieldElement{21594432, -14964228, 17466408, -4077222, 32537084, 2739898, 6407723, 12018833, -28256052, 4298412},
+			fieldElement{-20650503, -11961496, -27236275, 570498, 3767144, -1717540, 13891942, -1569194, 13717174, 10805743},
+			fieldElement{-14676630, -15644296, 15287174, 11927123, 24177847, -8175568, -796431, 14860609, -26938930, -5863836},
+		},
+	},
+	{
+		{
+			fieldElement{12962541, 5311799, -10060768, 11658280, 18855286, -7954201, 13286263, -12808704, -4381056, 9882022},
+			fieldElement{18512079, 11319350, -20123124, 15090309, 18818594, 5271736, -22727904, 3666879, -23967430, -3299429},
+			fieldElement{-6789020, -3146043, 16192429, 13241070, 15898607, -14206114, -10084880, -6661110, -2403099, 5276065},
+		},
+		{
+			fieldElement{30169808, -5317648, 26306206, -11750859, 27814964, 7069267, 7152851, 3684982, 1449224, 13082861},
+			fieldElement{10342826, 3098505, 2119311, 193222, 25702612, 12233820, 23697382, 15056736, -21016438, -8202000},
+			fieldElement{-33150110, 3261608, 22745853, 7948688, 19370557, -15177665, -26171976, 6482814, -10300080, -11060101},
+		},
+		{
+			fieldElement{32869458, -5408545, 25609743, 15678670, -10687769, -15471071, 26112421, 2521008, -22664288, 6904815},
+			fieldElement{29506923, 4457497, 3377935, -9796444, -30510046, 12935080, 1561737, 3841096, -29003639, -6657642},
+			fieldElement{10340844, -6630377, -18656632, -2278430, 12621151, -13339055, 30878497, -11824370, -25584551, 5181966},
+		},
+		{
+			fieldElement{25940115, -12658025, 17324188, -10307374, -8671468, 15029094, 24396252, -16450922, -2322852, -12388574},
+			fieldElement{-21765684, 9916823, -1300409, 4079498, -1028346, 11909559, 1782390, 12641087, 20603771, -6561742},
+			fieldElement{-18882287, -11673380, 24849422, 11501709, 13161720, -4768874, 1925523, 11914390, 4662781, 7820689},
+		},
+		{
+			fieldElement{12241050, -425982, 8132691, 9393934, 32846760, -1599620, 29749456, 12172924, 16136752, 15264020},
+			fieldElement{-10349955, -14680563, -8211979, 2330220, -17662549, -14545780, 10658213, 6671822, 19012087, 3772772},
+			fieldElement{3753511, -3421066, 10617074, 2028709, 14841030, -6721664, 28718732, -15762884, 20527771, 12988982},
+		},
+		{
+			fieldElement{-14822485, -5797269, -3707987, 12689773, -898983, -10914866, -24183046, -10564943, 3299665, -12424953},
+			fieldElement{-16777703, -15253301, -9642417, 4978983, 3308785, 8755439, 6943197, 6461331, -25583147, 8991218},
+			fieldElement{-17226263, 1816362, -1673288, -6086439, 31783888, -8175991, -32948145, 7417950, -30242287, 1507265},
+		},
+		{
+			fieldElement{29692663, 6829891, -10498800, 4334896, 20945975, -11906496, -28887608, 8209391, 14606362, -10647073},
+			fieldElement{-3481570, 8707081, 32188102, 5672294, 22096700, 1711240, -33020695, 9761487, 4170404, -2085325},
+			fieldElement{-11587470, 14855945, -4127778, -1531857, -26649089, 15084046, 22186522, 16002000, -14276837, -8400798},
+		},
+		{
+			fieldElement{-4811456, 13761029, -31703877, -2483919, -3312471, 7869047, -7113572, -9620092, 13240845, 10965870},
+			fieldElement{-7742563, -8256762, -14768334, -13656260, -23232383, 12387166, 4498947, 14147411, 29514390, 4302863},
+			fieldElement{-13413405, -12407859, 20757302, -13801832, 14785143, 8976368, -5061276, -2144373, 17846988, -13971927},
+		},
+	},
+	{
+		{
+			fieldElement{-2244452, -754728, -4597030, -1066309, -6247172, 1455299, -21647728, -9214789, -5222701, 12650267},
+			fieldElement{-9906797, -16070310, 21134160, 12198166, -27064575, 708126, 387813, 13770293, -19134326, 10958663},
+			fieldElement{22470984, 12369526, 23446014, -5441109, -21520802, -9698723, -11772496, -11574455, -25083830, 4271862},
+		},
+		{
+			fieldElement{-25169565, -10053642, -19909332, 15361595, -5984358, 2159192, 75375, -4278529, -32526221, 8469673},
+			fieldElement{15854970, 4148314, -8893890, 7259002, 11666551, 13824734, -30531198, 2697372, 24154791, -9460943},
+			fieldElement{15446137, -15806644, 29759747, 14019369, 30811221, -9610191, -31582008, 12840104, 24913809, 9815020},
+		},
+		{
+			fieldElement{-4709286, -5614269, -31841498, -12288893, -14443537, 10799414, -9103676, 13438769, 18735128, 9466238},
+			fieldElement{11933045, 9281483, 5081055, -5183824, -2628162, -4905629, -7727821, -10896103, -22728655, 16199064},
+			fieldElement{14576810, 379472, -26786533, -8317236, -29426508, -10812974, -102766, 1876699, 30801119, 2164795},
+		},
+		{
+			fieldElement{15995086, 3199873, 13672555, 13712240, -19378835, -4647646, -13081610, -15496269, -13492807, 1268052},
+			fieldElement{-10290614, -3659039, -3286592, 10948818, 23037027, 3794475, -3470338, -12600221, -17055369, 3565904},
+			fieldElement{29210088, -9419337, -5919792, -4952785, 10834811, -13327726, -16512102, -10820713, -27162222, -14030531},
+		},
+		{
+			fieldElement{-13161890, 15508588, 16663704, -8156150, -28349942, 9019123, -29183421, -3769423, 2244111, -14001979},
+			fieldElement{-5152875, -3800936, -9306475, -6071583, 16243069, 14684434, -25673088, -16180800, 13491506, 4641841},
+			fieldElement{10813417, 643330, -19188515, -728916, 30292062, -16600078, 27548447, -7721242, 14476989, -12767431},
+		},
+		{
+			fieldElement{10292079, 9984945, 6481436, 8279905, -7251514, 7032743, 27282937, -1644259, -27912810, 12651324},
+			fieldElement{-31185513, -813383, 22271204, 11835308, 10201545, 15351028, 17099662, 3988035, 21721536, -3148940},
+			fieldElement{10202177, -6545839, -31373232, -9574638, -32150642, -8119683, -12906320, 3852694, 13216206, 14842320},
+		},
+		{
+			fieldElement{-15815640, -10601066, -6538952, -7258995, -6984659, -6581778, -31500847, 13765824, -27434397, 9900184},
+			fieldElement{14465505, -13833331, -32133984, -14738873, -27443187, 12990492, 33046193, 15796406, -7051866, -8040114},
+			fieldElement{30924417, -8279620, 6359016, -12816335, 16508377, 9071735, -25488601, 15413635, 9524356, -7018878},
+		},
+		{
+			fieldElement{12274201, -13175547, 32627641, -1785326, 6736625, 13267305, 5237659, -5109483, 15663516, 4035784},
+			fieldElement{-2951309, 8903985, 17349946, 601635, -16432815, -4612556, -13732739, -15889334, -22258478, 4659091},
+			fieldElement{-16916263, -4952973, -30393711, -15158821, 20774812, 15897498, 5736189, 15026997, -2178256, -13455585},
+		},
+	},
+	{
+		{
+			fieldElement{-8858980, -2219056, 28571666, -10155518, -474467, -10105698, -3801496, 278095, 23440562, -290208},
+			fieldElement{10226241, -5928702, 15139956, 120818, -14867693, 5218603, 32937275, 11551483, -16571960, -7442864},
+			fieldElement{17932739, -12437276, -24039557, 10749060, 11316803, 7535897, 22503767, 5561594, -3646624, 3898661},
+		},
+		{
+			fieldElement{7749907, -969567, -16339731, -16464, -25018111, 15122143, -1573531, 7152530, 21831162, 1245233},
+			fieldElement{26958459, -14658026, 4314586, 8346991, -5677764, 11960072, -32589295, -620035, -30402091, -16716212},
+			fieldElement{-12165896, 9166947, 33491384, 13673479, 29787085, 13096535, 6280834, 14587357, -22338025, 13987525},
+		},
+		{
+			fieldElement{-24349909, 7778775, 21116000, 15572597, -4833266, -5357778, -4300898, -5124639, -7469781, -2858068},
+			fieldElement{9681908, -6737123, -31951644, 13591838, -6883821, 386950, 31622781, 6439245, -14581012, 4091397},
+			fieldElement{-8426427, 1470727, -28109679, -1596990, 3978627, -5123623, -19622683, 12092163, 29077877, -14741988},
+		},
+		{
+			fieldElement{5269168, -6859726, -13230211, -8020715, 25932563, 1763552, -5606110, -5505881, -20017847, 2357889},
+			fieldElement{32264008, -15407652, -5387735, -1160093, -2091322, -3946900, 23104804, -12869908, 5727338, 189038},
+			fieldElement{14609123, -8954470, -6000566, -16622781, -14577387, -7743898, -26745169, 10942115, -25888931, -14884697},
+		},
+		{
+			fieldElement{20513500, 5557931, -15604613, 7829531, 26413943, -2019404, -21378968, 7471781, 13913677, -5137875},
+			fieldElement{-25574376, 11967826, 29233242, 12948236, -6754465, 4713227, -8940970, 14059180, 12878652, 8511905},
+			fieldElement{-25656801, 3393631, -2955415, -7075526, -2250709, 9366908, -30223418, 6812974, 5568676, -3127656},
+		},
+		{
+			fieldElement{11630004, 12144454, 2116339, 13606037, 27378885, 15676917, -17408753, -13504373, -14395196, 8070818},
+			fieldElement{27117696, -10007378, -31282771, -5570088, 1127282, 12772488, -29845906, 10483306, -11552749, -1028714},
+			fieldElement{10637467, -5688064, 5674781, 1072708, -26343588, -6982302, -1683975, 9177853, -27493162, 15431203},
+		},
+		{
+			fieldElement{20525145, 10892566, -12742472, 12779443, -29493034, 16150075, -28240519, 14943142, -15056790, -7935931},
+			fieldElement{-30024462, 5626926, -551567, -9981087, 753598, 11981191, 25244767, -3239766, -3356550, 9594024},
+			fieldElement{-23752644, 2636870, -5163910, -10103818, 585134, 7877383, 11345683, -6492290, 13352335, -10977084},
+		},
+		{
+			fieldElement{-1931799, -5407458, 3304649, -12884869, 17015806, -4877091, -29783850, -7752482, -13215537, -319204},
+			fieldElement{20239939, 6607058, 6203985, 3483793, -18386976, -779229, -20723742, 15077870, -22750759, 14523817},
+			fieldElement{27406042, -6041657, 27423596, -4497394, 4996214, 10002360, -28842031, -4545494, -30172742, -4805667},
+		},
+	},
+	{
+		{
+			fieldElement{11374242, 12660715, 17861383, -12540833, 10935568, 1099227, -13886076, -9091740, -27727044, 11358504},
+			fieldElement{-12730809, 10311867, 1510375, 10778093, -2119455, -9145702, 32676003, 11149336, -26123651, 4985768},
+			fieldElement{-19096303, 341147, -6197485, -239033, 15756973, -8796662, -983043, 13794114, -19414307, -15621255},
+		},
+		{
+			fieldElement{6490081, 11940286, 25495923, -7726360, 8668373, -8751316, 3367603, 6970005, -1691065, -9004790},
+			fieldElement{1656497, 13457317, 15370807, 6364910, 13605745, 8362338, -19174622, -5475723, -16796596, -5031438},
+			fieldElement{-22273315, -13524424, -64685, -4334223, -18605636, -10921968, -20571065, -7007978, -99853, -10237333},
+		},
+		{
+			fieldElement{17747465, 10039260, 19368299, -4050591, -20630635, -16041286, 31992683, -15857976, -29260363, -5511971},
+			fieldElement{31932027, -4986141, -19612382, 16366580, 22023614, 88450, 11371999, -3744247, 4882242, -10626905},
+			fieldElement{29796507, 37186, 19818052, 10115756, -11829032, 3352736, 18551198, 3272828, -5190932, -4162409},
+		},
+		{
+			fieldElement{12501286, 4044383, -8612957, -13392385, -32430052, 5136599, -19230378, -3529697, 330070, -3659409},
+			fieldElement{6384877, 2899513, 17807477, 7663917, -2358888, 12363165, 25366522, -8573892, -271295, 12071499},
+			fieldElement{-8365515, -4042521, 25133448, -4517355, -6211027, 2265927, -32769618, 1936675, -5159697, 3829363},
+		},
+		{
+			fieldElement{28425966, -5835433, -577090, -4697198, -14217555, 6870930, 7921550, -6567787, 26333140, 14267664},
+			fieldElement{-11067219, 11871231, 27385719, -10559544, -4585914, -11189312, 10004786, -8709488, -21761224, 8930324},
+			fieldElement{-21197785, -16396035, 25654216, -1725397, 12282012, 11008919, 1541940, 4757911, -26491501, -16408940},
+		},
+		{
+			fieldElement{13537262, -7759490, -20604840, 10961927, -5922820, -13218065, -13156584, 6217254, -15943699, 13814990},
+			fieldElement{-17422573, 15157790, 18705543, 29619, 24409717, -260476, 27361681, 9257833, -1956526, -1776914},
+			fieldElement{-25045300, -10191966, 15366585, 15166509, -13105086, 8423556, -29171540, 12361135, -18685978, 4578290},
+		},
+		{
+			fieldElement{24579768, 3711570, 1342322, -11180126, -27005135, 14124956, -22544529, 14074919, 21964432, 8235257},
+			fieldElement{-6528613, -2411497, 9442966, -5925588, 12025640, -1487420, -2981514, -1669206, 13006806, 2355433},
+			fieldElement{-16304899, -13605259, -6632427, -5142349, 16974359, -10911083, 27202044, 1719366, 1141648, -12796236},
+		},
+		{
+			fieldElement{-12863944, -13219986, -8318266, -11018091, -6810145, -4843894, 13475066, -3133972, 32674895, 13715045},
+			fieldElement{11423335, -5468059, 32344216, 8962751, 24989809, 9241752, -13265253, 16086212, -28740881, -15642093},
+			fieldElement{-1409668, 12530728, -6368726, 10847387, 19531186, -14132160, -11709148, 7791794, -27245943, 4383347},
+		},
+	},
+	{
+		{
+			fieldElement{-28970898, 5271447, -1266009, -9736989, -12455236, 16732599, -4862407, -4906449, 27193557, 6245191},
+			fieldElement{-15193956, 5362278, -1783893, 2695834, 4960227, 12840725, 23061898, 3260492, 22510453, 8577507},
+			fieldElement{-12632451, 11257346, -32692994, 13548177, -721004, 10879011, 31168030, 13952092, -29571492, -3635906},
+		},
+		{
+			fieldElement{3877321, -9572739, 32416692, 5405324, -11004407, -13656635, 3759769, 11935320, 5611860, 8164018},
+			fieldElement{-16275802, 14667797, 15906460, 12155291, -22111149, -9039718, 32003002, -8832289, 5773085, -8422109},
+			fieldElement{-23788118, -8254300, 1950875, 8937633, 18686727, 16459170, -905725, 12376320, 31632953, 190926},
+		},
+		{
+			fieldElement{-24593607, -16138885, -8423991, 13378746, 14162407, 6901328, -8288749, 4508564, -25341555, -3627528},
+			fieldElement{8884438, -5884009, 6023974, 10104341, -6881569, -4941533, 18722941, -14786005, -1672488, 827625},
+			fieldElement{-32720583, -16289296, -32503547, 7101210, 13354605, 2659080, -1800575, -14108036, -24878478, 1541286},
+		},
+		{
+			fieldElement{2901347, -1117687, 3880376, -10059388, -17620940, -3612781, -21802117, -3567481, 20456845, -1885033},
+			fieldElement{27019610, 12299467, -13658288, -1603234, -12861660, -4861471, -19540150, -5016058, 29439641, 15138866},
+			fieldElement{21536104, -6626420, -32447818, -10690208, -22408077, 5175814, -5420040, -16361163, 7779328, 109896},
+		},
+		{
+			fieldElement{30279744, 14648750, -8044871, 6425558, 13639621, -743509, 28698390, 12180118, 23177719, -554075},
+			fieldElement{26572847, 3405927, -31701700, 12890905, -19265668, 5335866, -6493768, 2378492, 4439158, -13279347},
+			fieldElement{-22716706, 3489070, -9225266, -332753, 18875722, -1140095, 14819434, -12731527, -17717757, -5461437},
+		},
+		{
+			fieldElement{-5056483, 16566551, 15953661, 3767752, -10436499, 15627060, -820954, 2177225, 8550082, -15114165},
+			fieldElement{-18473302, 16596775, -381660, 15663611, 22860960, 15585581, -27844109, -3582739, -23260460, -8428588},
+			fieldElement{-32480551, 15707275, -8205912, -5652081, 29464558, 2713815, -22725137, 15860482, -21902570, 1494193},
+		},
+		{
+			fieldElement{-19562091, -14087393, -25583872, -9299552, 13127842, 759709, 21923482, 16529112, 8742704, 12967017},
+			fieldElement{-28464899, 1553205, 32536856, -10473729, -24691605, -406174, -8914625, -2933896, -29903758, 15553883},
+			fieldElement{21877909, 3230008, 9881174, 10539357, -4797115, 2841332, 11543572, 14513274, 19375923, -12647961},
+		},
+		{
+			fieldElement{8832269, -14495485, 13253511, 5137575, 5037871, 4078777, 24880818, -6222716, 2862653, 9455043},
+			fieldElement{29306751, 5123106, 20245049, -14149889, 9592566, 8447059, -2077124, -2990080, 15511449, 4789663},
+			fieldElement{-20679756, 7004547, 8824831, -9434977, -4045704, -3750736, -5754762, 108893, 23513200, 16652362},
+		},
+	},
+	{
+		{
+			fieldElement{-33256173, 4144782, -4476029, -6579123, 10770039, -7155542, -6650416, -12936300, -18319198, 10212860},
+			fieldElement{2756081, 8598110, 7383731, -6859892, 22312759, -1105012, 21179801, 2600940, -9988298, -12506466},
+			fieldElement{-24645692, 13317462, -30449259, -15653928, 21365574, -10869657, 11344424, 864440, -2499677, -16710063},
+		},
+		{
+			fieldElement{-26432803, 6148329, -17184412, -14474154, 18782929, -275997, -22561534, 211300, 2719757, 4940997},
+			fieldElement{-1323882, 3911313, -6948744, 14759765, -30027150, 7851207, 21690126, 8518463, 26699843, 5276295},
+			fieldElement{-13149873, -6429067, 9396249, 365013, 24703301, -10488939, 1321586, 149635, -15452774, 7159369},
+		},
+		{
+			fieldElement{9987780, -3404759, 17507962, 9505530, 9731535, -2165514, 22356009, 8312176, 22477218, -8403385},
+			fieldElement{18155857, -16504990, 19744716, 9006923, 15154154, -10538976, 24256460, -4864995, -22548173, 9334109},
+			fieldElement{2986088, -4911893, 10776628, -3473844, 10620590, -7083203, -21413845, 14253545, -22587149, 536906},
+		},
+		{
+			fieldElement{4377756, 8115836, 24567078, 15495314, 11625074, 13064599, 7390551, 10589625, 10838060, -15420424},
+			fieldElement{-19342404, 867880, 9277171, -3218459, -14431572, -1986443, 19295826, -15796950, 6378260, 699185},
+			fieldElement{7895026, 4057113, -7081772, -13077756, -17886831, -323126, -716039, 15693155, -5045064, -13373962},
+		},
+		{
+			fieldElement{-7737563, -5869402, -14566319, -7406919, 11385654, 13201616, 31730678, -10962840, -3918636, -9669325},
+			fieldElement{10188286, -15770834, -7336361, 13427543, 22223443, 14896287, 30743455, 7116568, -21786507, 5427593},
+			fieldElement{696102, 13206899, 27047647, -10632082, 15285305, -9853179, 10798490, -4578720, 19236243, 12477404},
+		},
+		{
+			fieldElement{-11229439, 11243796, -17054270, -8040865, -788228, -8167967, -3897669, 11180504, -23169516, 7733644},
+			fieldElement{17800790, -14036179, -27000429, -11766671, 23887827, 3149671, 23466177, -10538171, 10322027, 15313801},
+			fieldElement{26246234, 11968874, 32263343, -5468728, 6830755, -13323031, -15794704, -101982, -24449242, 10890804},
+		},
+		{
+			fieldElement{-31365647, 10271363, -12660625, -6267268, 16690207, -13062544, -14982212, 16484931, 25180797, -5334884},
+			fieldElement{-586574, 10376444, -32586414, -11286356, 19801893, 10997610, 2276632, 9482883, 316878, 13820577},
+			fieldElement{-9882808, -4510367, -2115506, 16457136, -11100081, 11674996, 30756178, -7515054, 30696930, -3712849},
+		},
+		{
+			fieldElement{32988917, -9603412, 12499366, 7910787, -10617257, -11931514, -7342816, -9985397, -32349517, 7392473},
+			fieldElement{-8855661, 15927861, 9866406, -3649411, -2396914, -16655781, -30409476, -9134995, 25112947, -2926644},
+			fieldElement{-2504044, -436966, 25621774, -5678772, 15085042, -5479877, -24884878, -13526194, 5537438, -13914319},
+		},
+	},
+	{
+		{
+			fieldElement{-11225584, 2320285, -9584280, 10149187, -33444663, 5808648, -14876251, -1729667, 31234590, 6090599},
+			fieldElement{-9633316, 116426, 26083934, 2897444, -6364437, -2688086, 609721, 15878753, -6970405, -9034768},
+			fieldElement{-27757857, 247744, -15194774, -9002551, 23288161, -10011936, -23869595, 6503646, 20650474, 1804084},
+		},
+		{
+			fieldElement{-27589786, 15456424, 8972517, 8469608, 15640622, 4439847, 3121995, -10329713, 27842616, -202328},
+			fieldElement{-15306973, 2839644, 22530074, 10026331, 4602058, 5048462, 28248656, 5031932, -11375082, 12714369},
+			fieldElement{20807691, -7270825, 29286141, 11421711, -27876523, -13868230, -21227475, 1035546, -19733229, 12796920},
+		},
+		{
+			fieldElement{12076899, -14301286, -8785001, -11848922, -25012791, 16400684, -17591495, -12899438, 3480665, -15182815},
+			fieldElement{-32361549, 5457597, 28548107, 7833186, 7303070, -11953545, -24363064, -15921875, -33374054, 2771025},
+			fieldElement{-21389266, 421932, 26597266, 6860826, 22486084, -6737172, -17137485, -4210226, -24552282, 15673397},
+		},
+		{
+			fieldElement{-20184622, 2338216, 19788685, -9620956, -4001265, -8740893, -20271184, 4733254, 3727144, -12934448},
+			fieldElement{6120119, 814863, -11794402, -622716, 6812205, -15747771, 2019594, 7975683, 31123697, -10958981},
+			fieldElement{30069250, -11435332, 30434654, 2958439, 18399564, -976289, 12296869, 9204260, -16432438, 9648165},
+		},
+		{
+			fieldElement{32705432, -1550977, 30705658, 7451065, -11805606, 9631813, 3305266, 5248604, -26008332, -11377501},
+			fieldElement{17219865, 2375039, -31570947, -5575615, -19459679, 9219903, 294711, 15298639, 2662509, -16297073},
+			fieldElement{-1172927, -7558695, -4366770, -4287744, -21346413, -8434326, 32087529, -1222777, 32247248, -14389861},
+		},
+		{
+			fieldElement{14312628, 1221556, 17395390, -8700143, -4945741, -8684635, -28197744, -9637817, -16027623, -13378845},
+			fieldElement{-1428825, -9678990, -9235681, 6549687, -7383069, -468664, 23046502, 9803137, 17597934, 2346211},
+			fieldElement{18510800, 15337574, 26171504, 981392, -22241552, 7827556, -23491134, -11323352, 3059833, -11782870},
+		},
+		{
+			fieldElement{10141598, 6082907, 17829293, -1947643, 9830092, 13613136, -25556636, -5544586, -33502212, 3592096},
+			fieldElement{33114168, -15889352, -26525686, -13343397, 33076705, 8716171, 1151462, 1521897, -982665, -6837803},
+			fieldElement{-32939165, -4255815, 23947181, -324178, -33072974, -12305637, -16637686, 3891704, 26353178, 693168},
+		},
+		{
+			fieldElement{30374239, 1595580, -16884039, 13186931, 4600344, 406904, 9585294, -400668, 31375464, 14369965},
+			fieldElement{-14370654, -7772529, 1510301, 6434173, -18784789, -6262728, 32732230, -13108839, 17901441, 16011505},
+			fieldElement{18171223, -11934626, -12500402, 15197122, -11038147, -15230035, -19172240, -16046376, 8764035, 12309598},
+		},
+	},
+	{
+		{
+			fieldElement{5975908, -5243188, -19459362, -9681747, -11541277, 14015782, -23665757, 1228319, 17544096, -10593782},
+			fieldElement{5811932, -1715293, 3442887, -2269310, -18367348, -8359541, -18044043, -15410127, -5565381, 12348900},
+			fieldElement{-31399660, 11407555, 25755363, 6891399, -3256938, 14872274, -24849353, 8141295, -10632534, -585479},
+		},
+		{
+			fieldElement{-12675304, 694026, -5076145, 13300344, 14015258, -14451394, -9698672, -11329050, 30944593, 1130208},
+			fieldElement{8247766, -6710942, -26562381, -7709309, -14401939, -14648910, 4652152, 2488540, 23550156, -271232},
+			fieldElement{17294316, -3788438, 7026748, 15626851, 22990044, 113481, 2267737, -5908146, -408818, -137719},
+		},
+		{
+			fieldElement{16091085, -16253926, 18599252, 7340678, 2137637, -1221657, -3364161, 14550936, 3260525, -7166271},
+			fieldElement{-4910104, -13332887, 18550887, 10864893, -16459325, -7291596, -23028869, -13204905, -12748722, 2701326},
+			fieldElement{-8574695, 16099415, 4629974, -16340524, -20786213, -6005432, -10018363, 9276971, 11329923, 1862132},
+		},
+		{
+			fieldElement{14763076, -15903608, -30918270, 3689867, 3511892, 10313526, -21951088, 12219231, -9037963, -940300},
+			fieldElement{8894987, -3446094, 6150753, 3013931, 301220, 15693451, -31981216, -2909717, -15438168, 11595570},
+			fieldElement{15214962, 3537601, -26238722, -14058872, 4418657, -15230761, 13947276, 10730794, -13489462, -4363670},
+		},
+		{
+			fieldElement{-2538306, 7682793, 32759013, 263109, -29984731, -7955452, -22332124, -10188635, 977108, 699994},
+			fieldElement{-12466472, 4195084, -9211532, 550904, -15565337, 12917920, 19118110, -439841, -30534533, -14337913},
+			fieldElement{31788461, -14507657, 4799989, 7372237, 8808585, -14747943, 9408237, -10051775, 12493932, -5409317},
+		},
+		{
+			fieldElement{-25680606, 5260744, -19235809, -6284470, -3695942, 16566087, 27218280, 2607121, 29375955, 6024730},
+			fieldElement{842132, -2794693, -4763381, -8722815, 26332018, -12405641, 11831880, 6985184, -9940361, 2854096},
+			fieldElement{-4847262, -7969331, 2516242, -5847713, 9695691, -7221186, 16512645, 960770, 12121869, 16648078},
+		},
+		{
+			fieldElement{-15218652, 14667096, -13336229, 2013717, 30598287, -464137, -31504922, -7882064, 20237806, 2838411},
+			fieldElement{-19288047, 4453152, 15298546, -16178388, 22115043, -15972604, 12544294, -13470457, 1068881, -12499905},
+			fieldElement{-9558883, -16518835, 33238498, 13506958, 30505848, -1114596, -8486907, -2630053, 12521378, 4845654},
+		},
+		{
+			fieldElement{-28198521, 10744108, -2958380, 10199664, 7759311, -13088600, 3409348, -873400, -6482306, -12885870},
+			fieldElement{-23561822, 6230156, -20382013, 10655314, -24040585, -11621172, 10477734, -1240216, -3113227, 13974498},
+			fieldElement{12966261, 15550616, -32038948, -1615346, 21025980, -629444, 5642325, 7188737, 18895762, 12629579},
+		},
+	},
+	{
+		{
+			fieldElement{14741879, -14946887, 22177208, -11721237, 1279741, 8058600, 11758140, 789443, 32195181, 3895677},
+			fieldElement{10758205, 15755439, -4509950, 9243698, -4879422, 6879879, -2204575, -3566119, -8982069, 4429647},
+			fieldElement{-2453894, 15725973, -20436342, -10410672, -5803908, -11040220, -7135870, -11642895, 18047436, -15281743},
+		},
+		{
+			fieldElement{-25173001, -11307165, 29759956, 11776784, -22262383, -15820455, 10993114, -12850837, -17620701, -9408468},
+			fieldElement{21987233, 700364, -24505048, 14972008, -7774265, -5718395, 32155026, 2581431, -29958985, 8773375},
+			fieldElement{-25568350, 454463, -13211935, 16126715, 25240068, 8594567, 20656846, 12017935, -7874389, -13920155},
+		},
+		{
+			fieldElement{6028182, 6263078, -31011806, -11301710, -818919, 2461772, -31841174, -5468042, -1721788, -2776725},
+			fieldElement{-12278994, 16624277, 987579, -5922598, 32908203, 1248608, 7719845, -4166698, 28408820, 6816612},
+			fieldElement{-10358094, -8237829, 19549651, -12169222, 22082623, 16147817, 20613181, 13982702, -10339570, 5067943},
+		},
+		{
+			fieldElement{-30505967, -3821767, 12074681, 13582412, -19877972, 2443951, -19719286, 12746132, 5331210, -10105944},
+			fieldElement{30528811, 3601899, -1957090, 4619785, -27361822, -15436388, 24180793, -12570394, 27679908, -1648928},
+			fieldElement{9402404, -13957065, 32834043, 10838634, -26580150, -13237195, 26653274, -8685565, 22611444, -12715406},
+		},
+		{
+			fieldElement{22190590, 1118029, 22736441, 15130463, -30460692, -5991321, 19189625, -4648942, 4854859, 6622139},
+			fieldElement{-8310738, -2953450, -8262579, -3388049, -10401731, -271929, 13424426, -3567227, 26404409, 13001963},
+			fieldElement{-31241838, -15415700, -2994250, 8939346, 11562230, -12840670, -26064365, -11621720, -15405155, 11020693},
+		},
+		{
+			fieldElement{1866042, -7949489, -7898649, -10301010, 12483315, 13477547, 3175636, -12424163, 28761762, 1406734},
+			fieldElement{-448555, -1777666, 13018551, 3194501, -9580420, -11161737, 24760585, -4347088, 25577411, -13378680},
+			fieldElement{-24290378, 4759345, -690653, -1852816, 2066747, 10693769, -29595790, 9884936, -9368926, 4745410},
+		},
+		{
+			fieldElement{-9141284, 6049714, -19531061, -4341411, -31260798, 9944276, -15462008, -11311852, 10931924, -11931931},
+			fieldElement{-16561513, 14112680, -8012645, 4817318, -8040464, -11414606, -22853429, 10856641, -20470770, 13434654},
+			fieldElement{22759489, -10073434, -16766264, -1871422, 13637442, -10168091, 1765144, -12654326, 28445307, -5364710},
+		},
+		{
+			fieldElement{29875063, 12493613, 2795536, -3786330, 1710620, 15181182, -10195717, -8788675, 9074234, 1167180},
+			fieldElement{-26205683, 11014233, -9842651, -2635485, -26908120, 7532294, -18716888, -9535498, 3843903, 9367684},
+			fieldElement{-10969595, -6403711, 9591134, 9582310, 11349256, 108879, 16235123, 8601684, -139197, 4242895},
+		},
+	},
+	{
+		{
+			fieldElement{22092954, -13191123, -2042793, -11968512, 32186753, -11517388, -6574341, 2470660, -27417366, 16625501},
+			fieldElement{-11057722, 3042016, 13770083, -9257922, 584236, -544855, -7770857, 2602725, -27351616, 14247413},
+			fieldElement{6314175, -10264892, -32772502, 15957557, -10157730, 168750, -8618807, 14290061, 27108877, -1180880},
+		},
+		{
+			fieldElement{-8586597, -7170966, 13241782, 10960156, -32991015, -13794596, 33547976, -11058889, -27148451, 981874},
+			fieldElement{22833440, 9293594, -32649448, -13618667, -9136966, 14756819, -22928859, -13970780, -10479804, -16197962},
+			fieldElement{-7768587, 3326786, -28111797, 10783824, 19178761, 14905060, 22680049, 13906969, -15933690, 3797899},
+		},
+		{
+			fieldElement{21721356, -4212746, -12206123, 9310182, -3882239, -13653110, 23740224, -2709232, 20491983, -8042152},
+			fieldElement{9209270, -15135055, -13256557, -6167798, -731016, 15289673, 25947805, 15286587, 30997318, -6703063},
+			fieldElement{7392032, 16618386, 23946583, -8039892, -13265164, -1533858, -14197445, -2321576, 17649998, -250080},
+		},
+		{
+			fieldElement{-9301088, -14193827, 30609526, -3049543, -25175069, -1283752, -15241566, -9525724, -2233253, 7662146},
+			fieldElement{-17558673, 1763594, -33114336, 15908610, -30040870, -12174295, 7335080, -8472199, -3174674, 3440183},
+			fieldElement{-19889700, -5977008, -24111293, -9688870, 10799743, -16571957, 40450, -4431835, 4862400, 1133},
+		},
+		{
+			fieldElement{-32856209, -7873957, -5422389, 14860950, -16319031, 7956142, 7258061, 311861, -30594991, -7379421},
+			fieldElement{-3773428, -1565936, 28985340, 7499440, 24445838, 9325937, 29727763, 16527196, 18278453, 15405622},
+			fieldElement{-4381906, 8508652, -19898366, -3674424, -5984453, 15149970, -13313598, 843523, -21875062, 13626197},
+		},
+		{
+			fieldElement{2281448, -13487055, -10915418, -2609910, 1879358, 16164207, -10783882, 3953792, 13340839, 15928663},
+			fieldElement{31727126, -7179855, -18437503, -8283652, 2875793, -16390330, -25269894, -7014826, -23452306, 5964753},
+			fieldElement{4100420, -5959452, -17179337, 6017714, -18705837, 12227141, -26684835, 11344144, 2538215, -7570755},
+		},
+		{
+			fieldElement{-9433605, 6123113, 11159803, -2156608, 30016280, 14966241, -20474983, 1485421, -629256, -15958862},
+			fieldElement{-26804558, 4260919, 11851389, 9658551, -32017107, 16367492, -20205425, -13191288, 11659922, -11115118},
+			fieldElement{26180396, 10015009, -30844224, -8581293, 5418197, 9480663, 2231568, -10170080, 33100372, -1306171},
+		},
+		{
+			fieldElement{15121113, -5201871, -10389905, 15427821, -27509937, -15992507, 21670947, 4486675, -5931810, -14466380},
+			fieldElement{16166486, -9483733, -11104130, 6023908, -31926798, -1364923, 2340060, -16254968, -10735770, -10039824},
+			fieldElement{28042865, -3557089, -12126526, 12259706, -3717498, -6945899, 6766453, -8689599, 18036436, 5803270},
+		},
+	},
+	{
+		{
+			fieldElement{-817581, 6763912, 11803561, 1585585, 10958447, -2671165, 23855391, 4598332, -6159431, -14117438},
+			fieldElement{-31031306, -14256194, 17332029, -2383520, 31312682, -5967183, 696309, 50292, -20095739, 11763584},
+			fieldElement{-594563, -2514283, -32234153, 12643980, 12650761, 14811489, 665117, -12613632, -19773211, -10713562},
+		},
+		{
+			fieldElement{30464590, -11262872, -4127476, -12734478, 19835327, -7105613, -24396175, 2075773, -17020157, 992471},
+			fieldElement{18357185, -6994433, 7766382, 16342475, -29324918, 411174, 14578841, 8080033, -11574335, -10601610},
+			fieldElement{19598397, 10334610, 12555054, 2555664, 18821899, -10339780, 21873263, 16014234, 26224780, 16452269},
+		},
+		{
+			fieldElement{-30223925, 5145196, 5944548, 16385966, 3976735, 2009897, -11377804, -7618186, -20533829, 3698650},
+			fieldElement{14187449, 3448569, -10636236, -10810935, -22663880, -3433596, 7268410, -10890444, 27394301, 12015369},
+			fieldElement{19695761, 16087646, 28032085, 12999827, 6817792, 11427614, 20244189, -1312777, -13259127, -3402461},
+		},
+		{
+			fieldElement{30860103, 12735208, -1888245, -4699734, -16974906, 2256940, -8166013, 12298312, -8550524, -10393462},
+			fieldElement{-5719826, -11245325, -1910649, 15569035, 26642876, -7587760, -5789354, -15118654, -4976164, 12651793},
+			fieldElement{-2848395, 9953421, 11531313, -5282879, 26895123, -12697089, -13118820, -16517902, 9768698, -2533218},
+		},
+		{
+			fieldElement{-24719459, 1894651, -287698, -4704085, 15348719, -8156530, 32767513, 12765450, 4940095, 10678226},
+			fieldElement{18860224, 15980149, -18987240, -1562570, -26233012, -11071856, -7843882, 13944024, -24372348, 16582019},
+			fieldElement{-15504260, 4970268, -29893044, 4175593, -20993212, -2199756, -11704054, 15444560, -11003761, 7989037},
+		},
+		{
+			fieldElement{31490452, 5568061, -2412803, 2182383, -32336847, 4531686, -32078269, 6200206, -19686113, -14800171},
+			fieldElement{-17308668, -15879940, -31522777, -2831, -32887382, 16375549, 8680158, -16371713, 28550068, -6857132},
+			fieldElement{-28126887, -5688091, 16837845, -1820458, -6850681, 12700016, -30039981, 4364038, 1155602, 5988841},
+		},
+		{
+			fieldElement{21890435, -13272907, -12624011, 12154349, -7831873, 15300496, 23148983, -4470481, 24618407, 8283181},
+			fieldElement{-33136107, -10512751, 9975416, 6841041, -31559793, 16356536, 3070187, -7025928, 1466169, 10740210},
+			fieldElement{-1509399, -15488185, -13503385, -10655916, 32799044, 909394, -13938903, -5779719, -32164649, -15327040},
+		},
+		{
+			fieldElement{3960823, -14267803, -28026090, -15918051, -19404858, 13146868, 15567327, 951507, -3260321, -573935},
+			fieldElement{24740841, 5052253, -30094131, 8961361, 25877428, 6165135, -24368180, 14397372, -7380369, -6144105},
+			fieldElement{-28888365, 3510803, -28103278, -1158478, -11238128, -10631454, -15441463, -14453128, -1625486, -6494814},
+		},
+	},
+	{
+		{
+			fieldElement{793299, -9230478, 8836302, -6235707, -27360908, -2369593, 33152843, -4885251, -9906200, -621852},
+			fieldElement{5666233, 525582, 20782575, -8038419, -24538499, 14657740, 16099374, 1468826, -6171428, -15186581},
+			fieldElement{-4859255, -3779343, -2917758, -6748019, 7778750, 11688288, -30404353, -9871238, -1558923, -9863646},
+		},
+		{
+			fieldElement{10896332, -7719704, 824275, 472601, -19460308, 3009587, 25248958, 14783338, -30581476, -15757844},
+			fieldElement{10566929, 12612572, -31944212, 11118703, -12633376, 12362879, 21752402, 8822496, 24003793, 14264025},
+			fieldElement{27713862, -7355973, -11008240, 9227530, 27050101, 2504721, 23886875, -13117525, 13958495, -5732453},
+		},
+		{
+			fieldElement{-23481610, 4867226, -27247128, 3900521, 29838369, -8212291, -31889399, -10041781, 7340521, -15410068},
+			fieldElement{4646514, -8011124, -22766023, -11532654, 23184553, 8566613, 31366726, -1381061, -15066784, -10375192},
+			fieldElement{-17270517, 12723032, -16993061, 14878794, 21619651, -6197576, 27584817, 3093888, -8843694, 3849921},
+		},
+		{
+			fieldElement{-9064912, 2103172, 25561640, -15125738, -5239824, 9582958, 32477045, -9017955, 5002294, -15550259},
+			fieldElement{-12057553, -11177906, 21115585, -13365155, 8808712, -12030708, 16489530, 13378448, -25845716, 12741426},
+			fieldElement{-5946367, 10645103, -30911586, 15390284, -3286982, -7118677, 24306472, 15852464, 28834118, -7646072},
+		},
+		{
+			fieldElement{-17335748, -9107057, -24531279, 9434953, -8472084, -583362, -13090771, 455841, 20461858, 5491305},
+			fieldElement{13669248, -16095482, -12481974, -10203039, -14569770, -11893198, -24995986, 11293807, -28588204, -9421832},
+			fieldElement{28497928, 6272777, -33022994, 14470570, 8906179, -1225630, 18504674, -14165166, 29867745, -8795943},
+		},
+		{
+			fieldElement{-16207023, 13517196, -27799630, -13697798, 24009064, -6373891, -6367600, -13175392, 22853429, -4012011},
+			fieldElement{24191378, 16712145, -13931797, 15217831, 14542237, 1646131, 18603514, -11037887, 12876623, -2112447},
+			fieldElement{17902668, 4518229, -411702, -2829247, 26878217, 5258055, -12860753, 608397, 16031844, 3723494},
+		},
+		{
+			fieldElement{-28632773, 12763728, -20446446, 7577504, 33001348, -13017745, 17558842, -7872890, 23896954, -4314245},
+			fieldElement{-20005381, -12011952, 31520464, 605201, 2543521, 5991821, -2945064, 7229064, -9919646, -8826859},
+			fieldElement{28816045, 298879, -28165016, -15920938, 19000928, -1665890, -12680833, -2949325, -18051778, -2082915},
+		},
+		{
+			fieldElement{16000882, -344896, 3493092, -11447198, -29504595, -13159789, 12577740, 16041268, -19715240, 7847707},
+			fieldElement{10151868, 10572098, 27312476, 7922682, 14825339, 4723128, -32855931, -6519018, -10020567, 3852848},
+			fieldElement{-11430470, 15697596, -21121557, -4420647, 5386314, 15063598, 16514493, -15932110, 29330899, -15076224},
+		},
+	},
+	{
+		{
+			fieldElement{-25499735, -4378794, -15222908, -6901211, 16615731, 2051784, 3303702, 15490, -27548796, 12314391},
+			fieldElement{15683520, -6003043, 18109120, -9980648, 15337968, -5997823, -16717435, 15921866, 16103996, -3731215},
+			fieldElement{-23169824, -10781249, 13588192, -1628807, -3798557, -1074929, -19273607, 5402699, -29815713, -9841101},
+		},
+		{
+			fieldElement{23190676, 2384583, -32714340, 3462154, -29903655, -1529132, -11266856, 8911517, -25205859, 2739713},
+			fieldElement{21374101, -3554250, -33524649, 9874411, 15377179, 11831242, -33529904, 6134907, 4931255, 11987849},
+			fieldElement{-7732, -2978858, -16223486, 7277597, 105524, -322051, -31480539, 13861388, -30076310, 10117930},
+		},
+		{
+			fieldElement{-29501170, -10744872, -26163768, 13051539, -25625564, 5089643, -6325503, 6704079, 12890019, 15728940},
+			fieldElement{-21972360, -11771379, -951059, -4418840, 14704840, 2695116, 903376, -10428139, 12885167, 8311031},
+			fieldElement{-17516482, 5352194, 10384213, -13811658, 7506451, 13453191, 26423267, 4384730, 1888765, -5435404},
+		},
+		{
+			fieldElement{-25817338, -3107312, -13494599, -3182506, 30896459, -13921729, -32251644, -12707869, -19464434, -3340243},
+			fieldElement{-23607977, -2665774, -526091, 4651136, 5765089, 4618330, 6092245, 14845197, 17151279, -9854116},
+			fieldElement{-24830458, -12733720, -15165978, 10367250, -29530908, -265356, 22825805, -7087279, -16866484, 16176525},
+		},
+		{
+			fieldElement{-23583256, 6564961, 20063689, 3798228, -4740178, 7359225, 2006182, -10363426, -28746253, -10197509},
+			fieldElement{-10626600, -4486402, -13320562, -5125317, 3432136, -6393229, 23632037, -1940610, 32808310, 1099883},
+			fieldElement{15030977, 5768825, -27451236, -2887299, -6427378, -15361371, -15277896, -6809350, 2051441, -15225865},
+		},
+		{
+			fieldElement{-3362323, -7239372, 7517890, 9824992, 23555850, 295369, 5148398, -14154188, -22686354, 16633660},
+			fieldElement{4577086, -16752288, 13249841, -15304328, 19958763, -14537274, 18559670, -10759549, 8402478, -9864273},
+			fieldElement{-28406330, -1051581, -26790155, -907698, -17212414, -11030789, 9453451, -14980072, 17983010, 9967138},
+		},
+		{
+			fieldElement{-25762494, 6524722, 26585488, 9969270, 24709298, 1220360, -1677990, 7806337, 17507396, 3651560},
+			fieldElement{-10420457, -4118111, 14584639, 15971087, -15768321, 8861010, 26556809, -5574557, -18553322, -11357135},
+			fieldElement{2839101, 14284142, 4029895, 3472686, 14402957, 12689363, -26642121, 8459447, -5605463, -7621941},
+		},
+		{
+			fieldElement{-4839289, -3535444, 9744961, 2871048, 25113978, 3187018, -25110813, -849066, 17258084, -7977739},
+			fieldElement{18164541, -10595176, -17154882, -1542417, 19237078, -9745295, 23357533, -15217008, 26908270, 12150756},
+			fieldElement{-30264870, -7647865, 5112249, -7036672, -1499807, -6974257, 43168, -5537701, -32302074, 16215819},
+		},
+	},
+	{
+		{
+			fieldElement{-6898905, 9824394, -12304779, -4401089, -31397141, -6276835, 32574489, 12532905, -7503072, -8675347},
+			fieldElement{-27343522, -16515468, -27151524, -10722951, 946346, 16291093, 254968, 7168080, 21676107, -1943028},
+			fieldElement{21260961, -8424752, -16831886, -11920822, -23677961, 3968121, -3651949, -6215466, -3556191, -7913075},
+		},
+		{
+			fieldElement{16544754, 13250366, -16804428, 15546242, -4583003, 12757258, -2462308, -8680336, -18907032, -9662799},
+			fieldElement{-2415239, -15577728, 18312303, 4964443, -15272530, -12653564, 26820651, 16690659, 25459437, -4564609},
+			fieldElement{-25144690, 11425020, 28423002, -11020557, -6144921, -15826224, 9142795, -2391602, -6432418, -1644817},
+		},
+		{
+			fieldElement{-23104652, 6253476, 16964147, -3768872, -25113972, -12296437, -27457225, -16344658, 6335692, 7249989},
+			fieldElement{-30333227, 13979675, 7503222, -12368314, -11956721, -4621693, -30272269, 2682242, 25993170, -12478523},
+			fieldElement{4364628, 5930691, 32304656, -10044554, -8054781, 15091131, 22857016, -10598955, 31820368, 15075278},
+		},
+		{
+			fieldElement{31879134, -8918693, 17258761, 90626, -8041836, -4917709, 24162788, -9650886, -17970238, 12833045},
+			fieldElement{19073683, 14851414, -24403169, -11860168, 7625278, 11091125, -19619190, 2074449, -9413939, 14905377},
+			fieldElement{24483667, -11935567, -2518866, -11547418, -1553130, 15355506, -25282080, 9253129, 27628530, -7555480},
+		},
+		{
+			fieldElement{17597607, 8340603, 19355617, 552187, 26198470, -3176583, 4593324, -9157582, -14110875, 15297016},
+			fieldElement{510886, 14337390, -31785257, 16638632, 6328095, 2713355, -20217417, -11864220, 8683221, 2921426},
+			fieldElement{18606791, 11874196, 27155355, -5281482, -24031742, 6265446, -25178240, -1278924, 4674690, 13890525},
+		},
+		{
+			fieldElement{13609624, 13069022, -27372361, -13055908, 24360586, 9592974, 14977157, 9835105, 4389687, 288396},
+			fieldElement{9922506, -519394, 13613107, 5883594, -18758345, -434263, -12304062, 8317628, 23388070, 16052080},
+			fieldElement{12720016, 11937594, -31970060, -5028689, 26900120, 8561328, -20155687, -11632979, -14754271, -10812892},
+		},
+		{
+			fieldElement{15961858, 14150409, 26716931, -665832, -22794328, 13603569, 11829573, 7467844, -28822128, 929275},
+			fieldElement{11038231, -11582396, -27310482, -7316562, -10498527, -16307831, -23479533, -9371869, -21393143, 2465074},
+			fieldElement{20017163, -4323226, 27915242, 1529148, 12396362, 15675764, 13817261, -9658066, 2463391, -4622140},
+		},
+		{
+			fieldElement{-16358878, -12663911, -12065183, 4996454, -1256422, 1073572, 9583558, 12851107, 4003896, 12673717},
+			fieldElement{-1731589, -15155870, -3262930, 16143082, 19294135, 13385325, 14741514, -9103726, 7903886, 2348101},
+			fieldElement{24536016, -16515207, 12715592, -3862155, 1511293, 10047386, -3842346, -7129159, -28377538, 10048127},
+		},
+	},
+	{
+		{
+			fieldElement{-12622226, -6204820, 30718825, 2591312, -10617028, 12192840, 18873298, -7297090, -32297756, 15221632},
+			fieldElement{-26478122, -11103864, 11546244, -1852483, 9180880, 7656409, -21343950, 2095755, 29769758, 6593415},
+			fieldElement{-31994208, -2907461, 4176912, 3264766, 12538965, -868111, 26312345, -6118678, 30958054, 8292160},
+		},
+		{
+			fieldElement{31429822, -13959116, 29173532, 15632448, 12174511, -2760094, 32808831, 3977186, 26143136, -3148876},
+			fieldElement{22648901, 1402143, -22799984, 13746059, 7936347, 365344, -8668633, -1674433, -3758243, -2304625},
+			fieldElement{-15491917, 8012313, -2514730, -12702462, -23965846, -10254029, -1612713, -1535569, -16664475, 8194478},
+		},
+		{
+			fieldElement{27338066, -7507420, -7414224, 10140405, -19026427, -6589889, 27277191, 8855376, 28572286, 3005164},
+			fieldElement{26287124, 4821776, 25476601, -4145903, -3764513, -15788984, -18008582, 1182479, -26094821, -13079595},
+			fieldElement{-7171154, 3178080, 23970071, 6201893, -17195577, -4489192, -21876275, -13982627, 32208683, -1198248},
+		},
+		{
+			fieldElement{-16657702, 2817643, -10286362, 14811298, 6024667, 13349505, -27315504, -10497842, -27672585, -11539858},
+			fieldElement{15941029, -9405932, -21367050, 8062055, 31876073, -238629, -15278393, -1444429, 15397331, -4130193},
+			fieldElement{8934485, -13485467, -23286397, -13423241, -32446090, 14047986, 31170398, -1441021, -27505566, 15087184},
+		},
+		{
+			fieldElement{-18357243, -2156491, 24524913, -16677868, 15520427, -6360776, -15502406, 11461896, 16788528, -5868942},
+			fieldElement{-1947386, 16013773, 21750665, 3714552, -17401782, -16055433, -3770287, -10323320, 31322514, -11615635},
+			fieldElement{21426655, -5650218, -13648287, -5347537, -28812189, -4920970, -18275391, -14621414, 13040862, -12112948},
+		},
+		{
+			fieldElement{11293895, 12478086, -27136401, 15083750, -29307421, 14748872, 14555558, -13417103, 1613711, 4896935},
+			fieldElement{-25894883, 15323294, -8489791, -8057900, 25967126, -13425460, 2825960, -4897045, -23971776, -11267415},
+			fieldElement{-15924766, -5229880, -17443532, 6410664, 3622847, 10243618, 20615400, 12405433, -23753030, -8436416},
+		},
+		{
+			fieldElement{-7091295, 12556208, -20191352, 9025187, -17072479, 4333801, 4378436, 2432030, 23097949, -566018},
+			fieldElement{4565804, -16025654, 20084412, -7842817, 1724999, 189254, 24767264, 10103221, -18512313, 2424778},
+			fieldElement{366633, -11976806, 8173090, -6890119, 30788634, 5745705, -7168678, 1344109, -3642553, 12412659},
+		},
+		{
+			fieldElement{-24001791, 7690286, 14929416, -168257, -32210835, -13412986, 24162697, -15326504, -3141501, 11179385},
+			fieldElement{18289522, -14724954, 8056945, 16430056, -21729724, 7842514, -6001441, -1486897, -18684645, -11443503},
+			fieldElement{476239, 6601091, -6152790, -9723375, 17503545, -4863900, 27672959, 13403813, 11052904, 5219329},
+		},
+	},
+	{
+		{
+			fieldElement{20678546, -8375738, -32671898, 8849123, -5009758, 14574752, 31186971, -3973730, 9014762, -8579056},
+			fieldElement{-13644050, -10350239, -15962508, 5075808, -1514661, -11534600, -33102500, 9160280, 8473550, -3256838},
+			fieldElement{24900749, 14435722, 17209120, -15292541, -22592275, 9878983, -7689309, -16335821, -24568481, 11788948},
+		},
+		{
+			fieldElement{-3118155, -11395194, -13802089, 14797441, 9652448, -6845904, -20037437, 10410733, -24568470, -1458691},
+			fieldElement{-15659161, 16736706, -22467150, 10215878, -9097177, 7563911, 11871841, -12505194, -18513325, 8464118},
+			fieldElement{-23400612, 8348507, -14585951, -861714, -3950205, -6373419, 14325289, 8628612, 33313881, -8370517},
+		},
+		{
+			fieldElement{-20186973, -4967935, 22367356, 5271547, -1097117, -4788838, -24805667, -10236854, -8940735, -5818269},
+			fieldElement{-6948785, -1795212, -32625683, -16021179, 32635414, -7374245, 15989197, -12838188, 28358192, -4253904},
+			fieldElement{-23561781, -2799059, -32351682, -1661963, -9147719, 10429267, -16637684, 4072016, -5351664, 5596589},
+		},
+		{
+			fieldElement{-28236598, -3390048, 12312896, 6213178, 3117142, 16078565, 29266239, 2557221, 1768301, 15373193},
+			fieldElement{-7243358, -3246960, -4593467, -7553353, -127927, -912245, -1090902, -4504991, -24660491, 3442910},
+			fieldElement{-30210571, 5124043, 14181784, 8197961, 18964734, -11939093, 22597931, 7176455, -18585478, 13365930},
+		},
+		{
+			fieldElement{-7877390, -1499958, 8324673, 4690079, 6261860, 890446, 24538107, -8570186, -9689599, -3031667},
+			fieldElement{25008904, -10771599, -4305031, -9638010, 16265036, 15721635, 683793, -11823784, 15723479, -15163481},
+			fieldElement{-9660625, 12374379, -27006999, -7026148, -7724114, -12314514, 11879682, 5400171, 519526, -1235876},
+		},
+		{
+			fieldElement{22258397, -16332233, -7869817, 14613016, -22520255, -2950923, -20353881, 7315967, 16648397, 7605640},
+			fieldElement{-8081308, -8464597, -8223311, 9719710, 19259459, -15348212, 23994942, -5281555, -9468848, 4763278},
+			fieldElement{-21699244, 9220969, -15730624, 1084137, -25476107, -2852390, 31088447, -7764523, -11356529, 728112},
+		},
+		{
+			fieldElement{26047220, -11751471, -6900323, -16521798, 24092068, 9158119, -4273545, -12555558, -29365436, -5498272},
+			fieldElement{17510331, -322857, 5854289, 8403524, 17133918, -3112612, -28111007, 12327945, 10750447, 10014012},
+			fieldElement{-10312768, 3936952, 9156313, -8897683, 16498692, -994647, -27481051, -666732, 3424691, 7540221},
+		},
+		{
+			fieldElement{30322361, -6964110, 11361005, -4143317, 7433304, 4989748, -7071422, -16317219, -9244265, 15258046},
+			fieldElement{13054562, -2779497, 19155474, 469045, -12482797, 4566042, 5631406, 2711395, 1062915, -5136345},
+			fieldElement{-19240248, -11254599, -29509029, -7499965, -5835763, 13005411, -6066489, 12194497, 32960380, 1459310},
+		},
+	},
+	{
+		{
+			fieldElement{19852034, 7027924, 23669353, 10020366, 8586503, -6657907, 394197, -6101885, 18638003, -11174937},
+			fieldElement{31395534, 15098109, 26581030, 8030562, -16527914, -5007134, 9012486, -7584354, -6643087, -5442636},
+			fieldElement{-9192165, -2347377, -1997099, 4529534, 25766844, 607986, -13222, 9677543, -32294889, -6456008},
+		},
+		{
+			fieldElement{-2444496, -149937, 29348902, 8186665, 1873760, 12489863, -30934579, -7839692, -7852844, -8138429},
+			fieldElement{-15236356, -15433509, 7766470, 746860, 26346930, -10221762, -27333451, 10754588, -9431476, 5203576},
+			fieldElement{31834314, 14135496, -770007, 5159118, 20917671, -16768096, -7467973, -7337524, 31809243, 7347066},
+		},
+		{
+			fieldElement{-9606723, -11874240, 20414459, 13033986, 13716524, -11691881, 19797970, -12211255, 15192876, -2087490},
+			fieldElement{-12663563, -2181719, 1168162, -3804809, 26747877, -14138091, 10609330, 12694420, 33473243, -13382104},
+			fieldElement{33184999, 11180355, 15832085, -11385430, -1633671, 225884, 15089336, -11023903, -6135662, 14480053},
+		},
+		{
+			fieldElement{31308717, -5619998, 31030840, -1897099, 15674547, -6582883, 5496208, 13685227, 27595050, 8737275},
+			fieldElement{-20318852, -15150239, 10933843, -16178022, 8335352, -7546022, -31008351, -12610604, 26498114, 66511},
+			fieldElement{22644454, -8761729, -16671776, 4884562, -3105614, -13559366, 30540766, -4286747, -13327787, -7515095},
+		},
+		{
+			fieldElement{-28017847, 9834845, 18617207, -2681312, -3401956, -13307506, 8205540, 13585437, -17127465, 15115439},
+			fieldElement{23711543, -672915, 31206561, -8362711, 6164647, -9709987, -33535882, -1426096, 8236921, 16492939},
+			fieldElement{-23910559, -13515526, -26299483, -4503841, 25005590, -7687270, 19574902, 10071562, 6708380, -6222424},
+		},
+		{
+			fieldElement{2101391, -4930054, 19702731, 2367575, -15427167, 1047675, 5301017, 9328700, 29955601, -11678310},
+			fieldElement{3096359, 9271816, -21620864, -15521844, -14847996, -7592937, -25892142, -12635595, -9917575, 6216608},
+			fieldElement{-32615849, 338663, -25195611, 2510422, -29213566, -13820213, 24822830, -6146567, -26767480, 7525079},
+		},
+		{
+			fieldElement{-23066649, -13985623, 16133487, -7896178, -3389565, 778788, -910336, -2782495, -19386633, 11994101},
+			fieldElement{21691500, -13624626, -641331, -14367021, 3285881, -3483596, -25064666, 9718258, -7477437, 13381418},
+			fieldElement{18445390, -4202236, 14979846, 11622458, -1727110, -3582980, 23111648, -6375247, 28535282, 15779576},
+		},
+		{
+			fieldElement{30098053, 3089662, -9234387, 16662135, -21306940, 11308411, -14068454, 12021730, 9955285, -16303356},
+			fieldElement{9734894, -14576830, -7473633, -9138735, 2060392, 11313496, -18426029, 9924399, 20194861, 13380996},
+			fieldElement{-26378102, -7965207, -22167821, 15789297, -18055342, -6168792, -1984914, 15707771, 26342023, 10146099},
+		},
+	},
+	{
+		{
+			fieldElement{-26016874, -219943, 21339191, -41388, 19745256, -2878700, -29637280, 2227040, 21612326, -545728},
+			fieldElement{-13077387, 1184228, 23562814, -5970442, -20351244, -6348714, 25764461, 12243797, -20856566, 11649658},
+			fieldElement{-10031494, 11262626, 27384172, 2271902, 26947504, -15997771, 39944, 6114064, 33514190, 2333242},
+		},
+		{
+			fieldElement{-21433588, -12421821, 8119782, 7219913, -21830522, -9016134, -6679750, -12670638, 24350578, -13450001},
+			fieldElement{-4116307, -11271533, -23886186, 4843615, -30088339, 690623, -31536088, -10406836, 8317860, 12352766},
+			fieldElement{18200138, -14475911, -33087759, -2696619, -23702521, -9102511, -23552096, -2287550, 20712163, 6719373},
+		},
+		{
+			fieldElement{26656208, 6075253, -7858556, 1886072, -28344043, 4262326, 11117530, -3763210, 26224235, -3297458},
+			fieldElement{-17168938, -14854097, -3395676, -16369877, -19954045, 14050420, 21728352, 9493610, 18620611, -16428628},
+			fieldElement{-13323321, 13325349, 11432106, 5964811, 18609221, 6062965, -5269471, -9725556, -30701573, -16479657},
+		},
+		{
+			fieldElement{-23860538, -11233159, 26961357, 1640861, -32413112, -16737940, 12248509, -5240639, 13735342, 1934062},
+			fieldElement{25089769, 6742589, 17081145, -13406266, 21909293, -16067981, -15136294, -3765346, -21277997, 5473616},
+			fieldElement{31883677, -7961101, 1083432, -11572403, 22828471, 13290673, -7125085, 12469656, 29111212, -5451014},
+		},
+		{
+			fieldElement{24244947, -15050407, -26262976, 2791540, -14997599, 16666678, 24367466, 6388839, -10295587, 452383},
+			fieldElement{-25640782, -3417841, 5217916, 16224624, 19987036, -4082269, -24236251, -5915248, 15766062, 8407814},
+			fieldElement{-20406999, 13990231, 15495425, 16395525, 5377168, 15166495, -8917023, -4388953, -8067909, 2276718},
+		},
+		{
+			fieldElement{30157918, 12924066, -17712050, 9245753, 19895028, 3368142, -23827587, 5096219, 22740376, -7303417},
+			fieldElement{2041139, -14256350, 7783687, 13876377, -25946985, -13352459, 24051124, 13742383, -15637599, 13295222},
+			fieldElement{33338237, -8505733, 12532113, 7977527, 9106186, -1715251, -17720195, -4612972, -4451357, -14669444},
+		},
+		{
+			fieldElement{-20045281, 5454097, -14346548, 6447146, 28862071, 1883651, -2469266, -4141880, 7770569, 9620597},
+			fieldElement{23208068, 7979712, 33071466, 8149229, 1758231, -10834995, 30945528, -1694323, -33502340, -14767970},
+			fieldElement{1439958, -16270480, -1079989, -793782, 4625402, 10647766, -5043801, 1220118, 30494170, -11440799},
+		},
+		{
+			fieldElement{-5037580, -13028295, -2970559, -3061767, 15640974, -6701666, -26739026, 926050, -1684339, -13333647},
+			fieldElement{13908495, -3549272, 30919928, -6273825, -21521863, 7989039, 9021034, 9078865, 3353509, 4033511},
+			fieldElement{-29663431, -15113610, 32259991, -344482, 24295849, -12912123, 23161163, 8839127, 27485041, 7356032},
+		},
+	},
+	{
+		{
+			fieldElement{9661027, 705443, 11980065, -5370154, -1628543, 14661173, -6346142, 2625015, 28431036, -16771834},
+			fieldElement{-23839233, -8311415, -25945511, 7480958, -17681669, -8354183, -22545972, 14150565, 15970762, 4099461},
+			fieldElement{29262576, 16756590, 26350592, -8793563, 8529671, -11208050, 13617293, -9937143, 11465739, 8317062},
+		},
+		{
+			fieldElement{-25493081, -6962928, 32500200, -9419051, -23038724, -2302222, 14898637, 3848455, 20969334, -5157516},
+			fieldElement{-20384450, -14347713, -18336405, 13884722, -33039454, 2842114, -21610826, -3649888, 11177095, 14989547},
+			fieldElement{-24496721, -11716016, 16959896, 2278463, 12066309, 10137771, 13515641, 2581286, -28487508, 9930240},
+		},
+		{
+			fieldElement{-17751622, -2097826, 16544300, -13009300, -15914807, -14949081, 18345767, -13403753, 16291481, -5314038},
+			fieldElement{-33229194, 2553288, 32678213, 9875984, 8534129, 6889387, -9676774, 6957617, 4368891, 9788741},
+			fieldElement{16660756, 7281060, -10830758, 12911820, 20108584, -8101676, -21722536, -8613148, 16250552, -11111103},
+		},
+		{
+			fieldElement{-19765507, 2390526, -16551031, 14161980, 1905286, 6414907, 4689584, 10604807, -30190403, 4782747},
+			fieldElement{-1354539, 14736941, -7367442, -13292886, 7710542, -14155590, -9981571, 4383045, 22546403, 437323},
+			fieldElement{31665577, -12180464, -16186830, 1491339, -18368625, 3294682, 27343084, 2786261, -30633590, -14097016},
+		},
+		{
+			fieldElement{-14467279, -683715, -33374107, 7448552, 19294360, 14334329, -19690631, 2355319, -19284671, -6114373},
+			fieldElement{15121312, -15796162, 6377020, -6031361, -10798111, -12957845, 18952177, 15496498, -29380133, 11754228},
+			fieldElement{-2637277, -13483075, 8488727, -14303896, 12728761, -1622493, 7141596, 11724556, 22761615, -10134141},
+		},
+		{
+			fieldElement{16918416, 11729663, -18083579, 3022987, -31015732, -13339659, -28741185, -12227393, 32851222, 11717399},
+			fieldElement{11166634, 7338049, -6722523, 4531520, -29468672, -7302055, 31474879, 3483633, -1193175, -4030831},
+			fieldElement{-185635, 9921305, 31456609, -13536438, -12013818, 13348923, 33142652, 6546660, -19985279, -3948376},
+		},
+		{
+			fieldElement{-32460596, 11266712, -11197107, -7899103, 31703694, 3855903, -8537131, -12833048, -30772034, -15486313},
+			fieldElement{-18006477, 12709068, 3991746, -6479188, -21491523, -10550425, -31135347, -16049879, 10928917, 3011958},
+			fieldElement{-6957757, -15594337, 31696059, 334240, 29576716, 14796075, -30831056, -12805180, 18008031, 10258577},
+		},
+		{
+			fieldElement{-22448644, 15655569, 7018479, -4410003, -30314266, -1201591, -1853465, 1367120, 25127874, 6671743},
+			fieldElement{29701166, -14373934, -10878120, 9279288, -17568, 13127210, 21382910, 11042292, 25838796, 4642684},
+			fieldElement{-20430234, 14955537, -24126347, 8124619, -5369288, -5990470, 30468147, -13900640, 18423289, 4177476},
+		},
+	},
+}
diff --git a/kyber/group/edwards25519/curve.go b/kyber/group/edwards25519/curve.go
new file mode 100644
index 0000000000..0620a708a0
--- /dev/null
+++ b/kyber/group/edwards25519/curve.go
@@ -0,0 +1,60 @@
+package edwards25519
+
+import (
+	"crypto/cipher"
+	"crypto/sha512"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+// Curve represents the Ed25519 group.
+// There are no parameters and no initialization is required
+// because it supports only this one specific curve.
+type Curve struct {
+}
+
+// Return the name of the curve, "Ed25519".
+func (c *Curve) String() string {
+	return "Ed25519"
+}
+
+// ScalarLen returns 32, the size in bytes of an encoded Scalar
+// for the Ed25519 curve.
+func (c *Curve) ScalarLen() int {
+	return 32
+}
+
+// Scalar creates a new Scalar for the prime-order subgroup of the Ed25519 curve.
+// The scalars in this package implement kyber.Scalar's SetBytes
+// method, interpreting the bytes as a little-endian integer, in order to remain
+// compatible with other Ed25519 implementations, and with the standard implementation
+// of the EdDSA signature.
+func (c *Curve) Scalar() kyber.Scalar {
+	return &scalar{}
+}
+
+// PointLen returns 32, the size in bytes of an encoded Point on the Ed25519 curve.
+func (c *Curve) PointLen() int {
+	return 32
+}
+
+// Point creates a new Point on the Ed25519 curve.
+func (c *Curve) Point() kyber.Point {
+	P := new(Point)
+	return P
+}
+
+// NewKey returns a formatted Ed25519 key (avoiding subgroup attack by requiring
+// it to be a multiple of 8). NewKey implements the kyber/util/key.Generator interface.
+func (c *Curve) NewKey(stream cipher.Stream) kyber.Scalar {
+	var buffer [32]byte
+	random.Bytes(buffer[:], stream)
+	scalar := sha512.Sum512(buffer[:])
+	scalar[0] &= 0xf8
+	scalar[31] &= 0x7f
+	scalar[31] |= 0x40
+
+	secret := c.Scalar().SetBytes(scalar[:32])
+	return secret
+}
diff --git a/kyber/group/edwards25519/curve_test.go b/kyber/group/edwards25519/curve_test.go
new file mode 100644
index 0000000000..2ffb66d695
--- /dev/null
+++ b/kyber/group/edwards25519/curve_test.go
@@ -0,0 +1,31 @@
+package edwards25519
+
+import (
+	"testing"
+
+	"go.dedis.ch/kyber/v3/util/test"
+)
+
+var tSuite = NewBlakeSHA256Ed25519()
+var groupBench = test.NewGroupBench(tSuite)
+
+func TestSuite(t *testing.T) { test.SuiteTest(t, tSuite) }
+
+func BenchmarkScalarAdd(b *testing.B)    { groupBench.ScalarAdd(b.N) }
+func BenchmarkScalarSub(b *testing.B)    { groupBench.ScalarSub(b.N) }
+func BenchmarkScalarNeg(b *testing.B)    { groupBench.ScalarNeg(b.N) }
+func BenchmarkScalarMul(b *testing.B)    { groupBench.ScalarMul(b.N) }
+func BenchmarkScalarDiv(b *testing.B)    { groupBench.ScalarDiv(b.N) }
+func BenchmarkScalarInv(b *testing.B)    { groupBench.ScalarInv(b.N) }
+func BenchmarkScalarPick(b *testing.B)   { groupBench.ScalarPick(b.N) }
+func BenchmarkScalarEncode(b *testing.B) { groupBench.ScalarEncode(b.N) }
+func BenchmarkScalarDecode(b *testing.B) { groupBench.ScalarDecode(b.N) }
+
+func BenchmarkPointAdd(b *testing.B)     { groupBench.PointAdd(b.N) }
+func BenchmarkPointSub(b *testing.B)     { groupBench.PointSub(b.N) }
+func BenchmarkPointNeg(b *testing.B)     { groupBench.PointNeg(b.N) }
+func BenchmarkPointMul(b *testing.B)     { groupBench.PointMul(b.N) }
+func BenchmarkPointBaseMul(b *testing.B) { groupBench.PointBaseMul(b.N) }
+func BenchmarkPointPick(b *testing.B)    { groupBench.PointPick(b.N) }
+func BenchmarkPointEncode(b *testing.B)  { groupBench.PointEncode(b.N) }
+func BenchmarkPointDecode(b *testing.B)  { groupBench.PointDecode(b.N) }
diff --git a/kyber/group/edwards25519/fe.go b/kyber/group/edwards25519/fe.go
new file mode 100644
index 0000000000..53565ad0b7
--- /dev/null
+++ b/kyber/group/edwards25519/fe.go
@@ -0,0 +1,986 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package edwards25519
+
+import (
+	"fmt"
+)
+
+// This code is a port of the public domain, "ref10" implementation of ed25519
+// from SUPERCOP.
+
+// fieldElement represents an element of the field GF(2^255 - 19).  An element
+// t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
+// t[3]+2^102 t[4]+...+2^230 t[9].  Bounds on each t[i] vary depending on
+// context.
+type fieldElement [10]int32
+
+func feZero(fe *fieldElement) {
+	for i := range fe {
+		fe[i] = 0
+	}
+}
+
+func feOne(fe *fieldElement) {
+	feZero(fe)
+	fe[0] = 1
+}
+
+func feAdd(dst, a, b *fieldElement) {
+	for i := range dst {
+		dst[i] = a[i] + b[i]
+	}
+}
+
+func feSub(dst, a, b *fieldElement) {
+	for i := range dst {
+		dst[i] = a[i] - b[i]
+	}
+}
+
+func feCopy(dst, src *fieldElement) {
+	for i := range dst {
+		dst[i] = src[i]
+	}
+}
+
+// Replace (f,g) with (g,g) if b == 1;
+// replace (f,g) with (f,g) if b == 0.
+//
+// Preconditions: b in {0,1}.
+func feCMove(f, g *fieldElement, b int32) {
+	var x fieldElement
+	b = -b
+	for i := range x {
+		x[i] = b & (f[i] ^ g[i])
+	}
+	for i := range f {
+		f[i] ^= x[i]
+	}
+}
+
+func load3(in []byte) int64 {
+	r := int64(in[0])
+	r |= int64(in[1]) << 8
+	r |= int64(in[2]) << 16
+	return r
+}
+
+func load4(in []byte) int64 {
+	r := int64(in[0])
+	r |= int64(in[1]) << 8
+	r |= int64(in[2]) << 16
+	r |= int64(in[3]) << 24
+	return r
+}
+
+func feFromBytes(dst *fieldElement, src []byte) {
+	h0 := load4(src[:])
+	h1 := load3(src[4:]) << 6
+	h2 := load3(src[7:]) << 5
+	h3 := load3(src[10:]) << 3
+	h4 := load3(src[13:]) << 2
+	h5 := load4(src[16:])
+	h6 := load3(src[20:]) << 7
+	h7 := load3(src[23:]) << 5
+	h8 := load3(src[26:]) << 4
+	h9 := (load3(src[29:]) & 8388607) << 2
+
+	var carry [10]int64
+	carry[9] = (h9 + 1<<24) >> 25
+	h0 += carry[9] * 19
+	h9 -= carry[9] << 25
+	carry[1] = (h1 + 1<<24) >> 25
+	h2 += carry[1]
+	h1 -= carry[1] << 25
+	carry[3] = (h3 + 1<<24) >> 25
+	h4 += carry[3]
+	h3 -= carry[3] << 25
+	carry[5] = (h5 + 1<<24) >> 25
+	h6 += carry[5]
+	h5 -= carry[5] << 25
+	carry[7] = (h7 + 1<<24) >> 25
+	h8 += carry[7]
+	h7 -= carry[7] << 25
+
+	carry[0] = (h0 + 1<<25) >> 26
+	h1 += carry[0]
+	h0 -= carry[0] << 26
+	carry[2] = (h2 + 1<<25) >> 26
+	h3 += carry[2]
+	h2 -= carry[2] << 26
+	carry[4] = (h4 + 1<<25) >> 26
+	h5 += carry[4]
+	h4 -= carry[4] << 26
+	carry[6] = (h6 + 1<<25) >> 26
+	h7 += carry[6]
+	h6 -= carry[6] << 26
+	carry[8] = (h8 + 1<<25) >> 26
+	h9 += carry[8]
+	h8 -= carry[8] << 26
+
+	dst[0] = int32(h0)
+	dst[1] = int32(h1)
+	dst[2] = int32(h2)
+	dst[3] = int32(h3)
+	dst[4] = int32(h4)
+	dst[5] = int32(h5)
+	dst[6] = int32(h6)
+	dst[7] = int32(h7)
+	dst[8] = int32(h8)
+	dst[9] = int32(h9)
+}
+
+// feToBytes marshals h to s.
+// Preconditions:
+//   |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//
+// Write p=2^255-19; q=floor(h/p).
+// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
+//
+// Proof:
+//   Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
+//   Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.
+//
+//   Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
+//   Then 0> 25
+	q = (h[0] + q) >> 26
+	q = (h[1] + q) >> 25
+	q = (h[2] + q) >> 26
+	q = (h[3] + q) >> 25
+	q = (h[4] + q) >> 26
+	q = (h[5] + q) >> 25
+	q = (h[6] + q) >> 26
+	q = (h[7] + q) >> 25
+	q = (h[8] + q) >> 26
+	q = (h[9] + q) >> 25
+
+	// Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
+	h[0] += 19 * q
+	// Goal: Output h-2^255 q, which is between 0 and 2^255-20.
+
+	carry[0] = h[0] >> 26
+	h[1] += carry[0]
+	h[0] -= carry[0] << 26
+	carry[1] = h[1] >> 25
+	h[2] += carry[1]
+	h[1] -= carry[1] << 25
+	carry[2] = h[2] >> 26
+	h[3] += carry[2]
+	h[2] -= carry[2] << 26
+	carry[3] = h[3] >> 25
+	h[4] += carry[3]
+	h[3] -= carry[3] << 25
+	carry[4] = h[4] >> 26
+	h[5] += carry[4]
+	h[4] -= carry[4] << 26
+	carry[5] = h[5] >> 25
+	h[6] += carry[5]
+	h[5] -= carry[5] << 25
+	carry[6] = h[6] >> 26
+	h[7] += carry[6]
+	h[6] -= carry[6] << 26
+	carry[7] = h[7] >> 25
+	h[8] += carry[7]
+	h[7] -= carry[7] << 25
+	carry[8] = h[8] >> 26
+	h[9] += carry[8]
+	h[8] -= carry[8] << 26
+	carry[9] = h[9] >> 25
+	h[9] -= carry[9] << 25
+	// h10 = carry9
+
+	// Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
+	// Have h[0]+...+2^230 h[9] between 0 and 2^255-1;
+	// evidently 2^255 h10-2^255 q = 0.
+	// Goal: Output h[0]+...+2^230 h[9].
+
+	s[0] = byte(h[0] >> 0)
+	s[1] = byte(h[0] >> 8)
+	s[2] = byte(h[0] >> 16)
+	s[3] = byte((h[0] >> 24) | (h[1] << 2))
+	s[4] = byte(h[1] >> 6)
+	s[5] = byte(h[1] >> 14)
+	s[6] = byte((h[1] >> 22) | (h[2] << 3))
+	s[7] = byte(h[2] >> 5)
+	s[8] = byte(h[2] >> 13)
+	s[9] = byte((h[2] >> 21) | (h[3] << 5))
+	s[10] = byte(h[3] >> 3)
+	s[11] = byte(h[3] >> 11)
+	s[12] = byte((h[3] >> 19) | (h[4] << 6))
+	s[13] = byte(h[4] >> 2)
+	s[14] = byte(h[4] >> 10)
+	s[15] = byte(h[4] >> 18)
+	s[16] = byte(h[5] >> 0)
+	s[17] = byte(h[5] >> 8)
+	s[18] = byte(h[5] >> 16)
+	s[19] = byte((h[5] >> 24) | (h[6] << 1))
+	s[20] = byte(h[6] >> 7)
+	s[21] = byte(h[6] >> 15)
+	s[22] = byte((h[6] >> 23) | (h[7] << 3))
+	s[23] = byte(h[7] >> 5)
+	s[24] = byte(h[7] >> 13)
+	s[25] = byte((h[7] >> 21) | (h[8] << 4))
+	s[26] = byte(h[8] >> 4)
+	s[27] = byte(h[8] >> 12)
+	s[28] = byte((h[8] >> 20) | (h[9] << 6))
+	s[29] = byte(h[9] >> 2)
+	s[30] = byte(h[9] >> 10)
+	s[31] = byte(h[9] >> 18)
+}
+
+func feIsNegative(f *fieldElement) byte {
+	var s [32]byte
+	feToBytes(&s, f)
+	return s[0] & 1
+}
+
+func feIsNonZero(f *fieldElement) int32 {
+	var s [32]byte
+	feToBytes(&s, f)
+	var x uint8
+	for _, b := range s {
+		x |= b
+	}
+	x |= x >> 4
+	x |= x >> 2
+	x |= x >> 1
+	return int32(x & 1)
+}
+
+// feNeg sets h = -f
+//
+// Preconditions:
+//    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+func feNeg(h, f *fieldElement) {
+	for i := range h {
+		h[i] = -f[i]
+	}
+}
+
+// feMul calculates h = f * g
+// Can overlap h with f or g.
+//
+// Preconditions:
+//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+//    |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//
+// Notes on implementation strategy:
+//
+// Using schoolbook multiplication.
+// Karatsuba would save a little in some cost models.
+//
+// Most multiplications by 2 and 19 are 32-bit precomputations;
+// cheaper than 64-bit postcomputations.
+//
+// There is one remaining multiplication by 19 in the carry chain;
+// one *19 precomputation can be merged into this,
+// but the resulting data flow is considerably less clean.
+//
+// There are 12 carries below.
+// 10 of them are 2-way parallelizable and vectorizable.
+// Can get away with 11 carries, but then data flow is much deeper.
+//
+// With tighter constraints on inputs can squeeze carries into int32.
+func feMul(h, f, g *fieldElement) {
+	f0 := f[0]
+	f1 := f[1]
+	f2 := f[2]
+	f3 := f[3]
+	f4 := f[4]
+	f5 := f[5]
+	f6 := f[6]
+	f7 := f[7]
+	f8 := f[8]
+	f9 := f[9]
+	g0 := g[0]
+	g1 := g[1]
+	g2 := g[2]
+	g3 := g[3]
+	g4 := g[4]
+	g5 := g[5]
+	g6 := g[6]
+	g7 := g[7]
+	g8 := g[8]
+	g9 := g[9]
+	g1_19 := 19 * g1 /* 1.4*2^29 */
+	g2_19 := 19 * g2 /* 1.4*2^30; still ok */
+	g3_19 := 19 * g3
+	g4_19 := 19 * g4
+	g5_19 := 19 * g5
+	g6_19 := 19 * g6
+	g7_19 := 19 * g7
+	g8_19 := 19 * g8
+	g9_19 := 19 * g9
+	f1_2 := 2 * f1
+	f3_2 := 2 * f3
+	f5_2 := 2 * f5
+	f7_2 := 2 * f7
+	f9_2 := 2 * f9
+	f0g0 := int64(f0) * int64(g0)
+	f0g1 := int64(f0) * int64(g1)
+	f0g2 := int64(f0) * int64(g2)
+	f0g3 := int64(f0) * int64(g3)
+	f0g4 := int64(f0) * int64(g4)
+	f0g5 := int64(f0) * int64(g5)
+	f0g6 := int64(f0) * int64(g6)
+	f0g7 := int64(f0) * int64(g7)
+	f0g8 := int64(f0) * int64(g8)
+	f0g9 := int64(f0) * int64(g9)
+	f1g0 := int64(f1) * int64(g0)
+	f1g1_2 := int64(f1_2) * int64(g1)
+	f1g2 := int64(f1) * int64(g2)
+	f1g3_2 := int64(f1_2) * int64(g3)
+	f1g4 := int64(f1) * int64(g4)
+	f1g5_2 := int64(f1_2) * int64(g5)
+	f1g6 := int64(f1) * int64(g6)
+	f1g7_2 := int64(f1_2) * int64(g7)
+	f1g8 := int64(f1) * int64(g8)
+	f1g9_38 := int64(f1_2) * int64(g9_19)
+	f2g0 := int64(f2) * int64(g0)
+	f2g1 := int64(f2) * int64(g1)
+	f2g2 := int64(f2) * int64(g2)
+	f2g3 := int64(f2) * int64(g3)
+	f2g4 := int64(f2) * int64(g4)
+	f2g5 := int64(f2) * int64(g5)
+	f2g6 := int64(f2) * int64(g6)
+	f2g7 := int64(f2) * int64(g7)
+	f2g8_19 := int64(f2) * int64(g8_19)
+	f2g9_19 := int64(f2) * int64(g9_19)
+	f3g0 := int64(f3) * int64(g0)
+	f3g1_2 := int64(f3_2) * int64(g1)
+	f3g2 := int64(f3) * int64(g2)
+	f3g3_2 := int64(f3_2) * int64(g3)
+	f3g4 := int64(f3) * int64(g4)
+	f3g5_2 := int64(f3_2) * int64(g5)
+	f3g6 := int64(f3) * int64(g6)
+	f3g7_38 := int64(f3_2) * int64(g7_19)
+	f3g8_19 := int64(f3) * int64(g8_19)
+	f3g9_38 := int64(f3_2) * int64(g9_19)
+	f4g0 := int64(f4) * int64(g0)
+	f4g1 := int64(f4) * int64(g1)
+	f4g2 := int64(f4) * int64(g2)
+	f4g3 := int64(f4) * int64(g3)
+	f4g4 := int64(f4) * int64(g4)
+	f4g5 := int64(f4) * int64(g5)
+	f4g6_19 := int64(f4) * int64(g6_19)
+	f4g7_19 := int64(f4) * int64(g7_19)
+	f4g8_19 := int64(f4) * int64(g8_19)
+	f4g9_19 := int64(f4) * int64(g9_19)
+	f5g0 := int64(f5) * int64(g0)
+	f5g1_2 := int64(f5_2) * int64(g1)
+	f5g2 := int64(f5) * int64(g2)
+	f5g3_2 := int64(f5_2) * int64(g3)
+	f5g4 := int64(f5) * int64(g4)
+	f5g5_38 := int64(f5_2) * int64(g5_19)
+	f5g6_19 := int64(f5) * int64(g6_19)
+	f5g7_38 := int64(f5_2) * int64(g7_19)
+	f5g8_19 := int64(f5) * int64(g8_19)
+	f5g9_38 := int64(f5_2) * int64(g9_19)
+	f6g0 := int64(f6) * int64(g0)
+	f6g1 := int64(f6) * int64(g1)
+	f6g2 := int64(f6) * int64(g2)
+	f6g3 := int64(f6) * int64(g3)
+	f6g4_19 := int64(f6) * int64(g4_19)
+	f6g5_19 := int64(f6) * int64(g5_19)
+	f6g6_19 := int64(f6) * int64(g6_19)
+	f6g7_19 := int64(f6) * int64(g7_19)
+	f6g8_19 := int64(f6) * int64(g8_19)
+	f6g9_19 := int64(f6) * int64(g9_19)
+	f7g0 := int64(f7) * int64(g0)
+	f7g1_2 := int64(f7_2) * int64(g1)
+	f7g2 := int64(f7) * int64(g2)
+	f7g3_38 := int64(f7_2) * int64(g3_19)
+	f7g4_19 := int64(f7) * int64(g4_19)
+	f7g5_38 := int64(f7_2) * int64(g5_19)
+	f7g6_19 := int64(f7) * int64(g6_19)
+	f7g7_38 := int64(f7_2) * int64(g7_19)
+	f7g8_19 := int64(f7) * int64(g8_19)
+	f7g9_38 := int64(f7_2) * int64(g9_19)
+	f8g0 := int64(f8) * int64(g0)
+	f8g1 := int64(f8) * int64(g1)
+	f8g2_19 := int64(f8) * int64(g2_19)
+	f8g3_19 := int64(f8) * int64(g3_19)
+	f8g4_19 := int64(f8) * int64(g4_19)
+	f8g5_19 := int64(f8) * int64(g5_19)
+	f8g6_19 := int64(f8) * int64(g6_19)
+	f8g7_19 := int64(f8) * int64(g7_19)
+	f8g8_19 := int64(f8) * int64(g8_19)
+	f8g9_19 := int64(f8) * int64(g9_19)
+	f9g0 := int64(f9) * int64(g0)
+	f9g1_38 := int64(f9_2) * int64(g1_19)
+	f9g2_19 := int64(f9) * int64(g2_19)
+	f9g3_38 := int64(f9_2) * int64(g3_19)
+	f9g4_19 := int64(f9) * int64(g4_19)
+	f9g5_38 := int64(f9_2) * int64(g5_19)
+	f9g6_19 := int64(f9) * int64(g6_19)
+	f9g7_38 := int64(f9_2) * int64(g7_19)
+	f9g8_19 := int64(f9) * int64(g8_19)
+	f9g9_38 := int64(f9_2) * int64(g9_19)
+	h0 := f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38
+	h1 := f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19
+	h2 := f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38
+	h3 := f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19
+	h4 := f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38
+	h5 := f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19
+	h6 := f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38
+	h7 := f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19
+	h8 := f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38
+	h9 := f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0
+	var carry [10]int64
+
+	/*
+	  |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38))
+	    i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8
+	  |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19))
+	    i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9
+	*/
+
+	carry[0] = (h0 + (1 << 25)) >> 26
+	h1 += carry[0]
+	h0 -= carry[0] << 26
+	carry[4] = (h4 + (1 << 25)) >> 26
+	h5 += carry[4]
+	h4 -= carry[4] << 26
+	/* |h0| <= 2^25 */
+	/* |h4| <= 2^25 */
+	/* |h1| <= 1.51*2^58 */
+	/* |h5| <= 1.51*2^58 */
+
+	carry[1] = (h1 + (1 << 24)) >> 25
+	h2 += carry[1]
+	h1 -= carry[1] << 25
+	carry[5] = (h5 + (1 << 24)) >> 25
+	h6 += carry[5]
+	h5 -= carry[5] << 25
+	/* |h1| <= 2^24; from now on fits into int32 */
+	/* |h5| <= 2^24; from now on fits into int32 */
+	/* |h2| <= 1.21*2^59 */
+	/* |h6| <= 1.21*2^59 */
+
+	carry[2] = (h2 + (1 << 25)) >> 26
+	h3 += carry[2]
+	h2 -= carry[2] << 26
+	carry[6] = (h6 + (1 << 25)) >> 26
+	h7 += carry[6]
+	h6 -= carry[6] << 26
+	/* |h2| <= 2^25; from now on fits into int32 unchanged */
+	/* |h6| <= 2^25; from now on fits into int32 unchanged */
+	/* |h3| <= 1.51*2^58 */
+	/* |h7| <= 1.51*2^58 */
+
+	carry[3] = (h3 + (1 << 24)) >> 25
+	h4 += carry[3]
+	h3 -= carry[3] << 25
+	carry[7] = (h7 + (1 << 24)) >> 25
+	h8 += carry[7]
+	h7 -= carry[7] << 25
+	/* |h3| <= 2^24; from now on fits into int32 unchanged */
+	/* |h7| <= 2^24; from now on fits into int32 unchanged */
+	/* |h4| <= 1.52*2^33 */
+	/* |h8| <= 1.52*2^33 */
+
+	carry[4] = (h4 + (1 << 25)) >> 26
+	h5 += carry[4]
+	h4 -= carry[4] << 26
+	carry[8] = (h8 + (1 << 25)) >> 26
+	h9 += carry[8]
+	h8 -= carry[8] << 26
+	/* |h4| <= 2^25; from now on fits into int32 unchanged */
+	/* |h8| <= 2^25; from now on fits into int32 unchanged */
+	/* |h5| <= 1.01*2^24 */
+	/* |h9| <= 1.51*2^58 */
+
+	carry[9] = (h9 + (1 << 24)) >> 25
+	h0 += carry[9] * 19
+	h9 -= carry[9] << 25
+	/* |h9| <= 2^24; from now on fits into int32 unchanged */
+	/* |h0| <= 1.8*2^37 */
+
+	carry[0] = (h0 + (1 << 25)) >> 26
+	h1 += carry[0]
+	h0 -= carry[0] << 26
+	/* |h0| <= 2^25; from now on fits into int32 unchanged */
+	/* |h1| <= 1.01*2^24 */
+
+	h[0] = int32(h0)
+	h[1] = int32(h1)
+	h[2] = int32(h2)
+	h[3] = int32(h3)
+	h[4] = int32(h4)
+	h[5] = int32(h5)
+	h[6] = int32(h6)
+	h[7] = int32(h7)
+	h[8] = int32(h8)
+	h[9] = int32(h9)
+}
+
+// feSquare calculates h = f*f. Can overlap h with f.
+//
+// Preconditions:
+//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+func feSquare(h, f *fieldElement) {
+	f0 := f[0]
+	f1 := f[1]
+	f2 := f[2]
+	f3 := f[3]
+	f4 := f[4]
+	f5 := f[5]
+	f6 := f[6]
+	f7 := f[7]
+	f8 := f[8]
+	f9 := f[9]
+	f0_2 := 2 * f0
+	f1_2 := 2 * f1
+	f2_2 := 2 * f2
+	f3_2 := 2 * f3
+	f4_2 := 2 * f4
+	f5_2 := 2 * f5
+	f6_2 := 2 * f6
+	f7_2 := 2 * f7
+	f5_38 := 38 * f5 // 1.31*2^30
+	f6_19 := 19 * f6 // 1.31*2^30
+	f7_38 := 38 * f7 // 1.31*2^30
+	f8_19 := 19 * f8 // 1.31*2^30
+	f9_38 := 38 * f9 // 1.31*2^30
+	f0f0 := int64(f0) * int64(f0)
+	f0f1_2 := int64(f0_2) * int64(f1)
+	f0f2_2 := int64(f0_2) * int64(f2)
+	f0f3_2 := int64(f0_2) * int64(f3)
+	f0f4_2 := int64(f0_2) * int64(f4)
+	f0f5_2 := int64(f0_2) * int64(f5)
+	f0f6_2 := int64(f0_2) * int64(f6)
+	f0f7_2 := int64(f0_2) * int64(f7)
+	f0f8_2 := int64(f0_2) * int64(f8)
+	f0f9_2 := int64(f0_2) * int64(f9)
+	f1f1_2 := int64(f1_2) * int64(f1)
+	f1f2_2 := int64(f1_2) * int64(f2)
+	f1f3_4 := int64(f1_2) * int64(f3_2)
+	f1f4_2 := int64(f1_2) * int64(f4)
+	f1f5_4 := int64(f1_2) * int64(f5_2)
+	f1f6_2 := int64(f1_2) * int64(f6)
+	f1f7_4 := int64(f1_2) * int64(f7_2)
+	f1f8_2 := int64(f1_2) * int64(f8)
+	f1f9_76 := int64(f1_2) * int64(f9_38)
+	f2f2 := int64(f2) * int64(f2)
+	f2f3_2 := int64(f2_2) * int64(f3)
+	f2f4_2 := int64(f2_2) * int64(f4)
+	f2f5_2 := int64(f2_2) * int64(f5)
+	f2f6_2 := int64(f2_2) * int64(f6)
+	f2f7_2 := int64(f2_2) * int64(f7)
+	f2f8_38 := int64(f2_2) * int64(f8_19)
+	f2f9_38 := int64(f2) * int64(f9_38)
+	f3f3_2 := int64(f3_2) * int64(f3)
+	f3f4_2 := int64(f3_2) * int64(f4)
+	f3f5_4 := int64(f3_2) * int64(f5_2)
+	f3f6_2 := int64(f3_2) * int64(f6)
+	f3f7_76 := int64(f3_2) * int64(f7_38)
+	f3f8_38 := int64(f3_2) * int64(f8_19)
+	f3f9_76 := int64(f3_2) * int64(f9_38)
+	f4f4 := int64(f4) * int64(f4)
+	f4f5_2 := int64(f4_2) * int64(f5)
+	f4f6_38 := int64(f4_2) * int64(f6_19)
+	f4f7_38 := int64(f4) * int64(f7_38)
+	f4f8_38 := int64(f4_2) * int64(f8_19)
+	f4f9_38 := int64(f4) * int64(f9_38)
+	f5f5_38 := int64(f5) * int64(f5_38)
+	f5f6_38 := int64(f5_2) * int64(f6_19)
+	f5f7_76 := int64(f5_2) * int64(f7_38)
+	f5f8_38 := int64(f5_2) * int64(f8_19)
+	f5f9_76 := int64(f5_2) * int64(f9_38)
+	f6f6_19 := int64(f6) * int64(f6_19)
+	f6f7_38 := int64(f6) * int64(f7_38)
+	f6f8_38 := int64(f6_2) * int64(f8_19)
+	f6f9_38 := int64(f6) * int64(f9_38)
+	f7f7_38 := int64(f7) * int64(f7_38)
+	f7f8_38 := int64(f7_2) * int64(f8_19)
+	f7f9_76 := int64(f7_2) * int64(f9_38)
+	f8f8_19 := int64(f8) * int64(f8_19)
+	f8f9_38 := int64(f8) * int64(f9_38)
+	f9f9_38 := int64(f9) * int64(f9_38)
+	h0 := f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38
+	h1 := f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38
+	h2 := f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19
+	h3 := f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38
+	h4 := f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38
+	h5 := f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38
+	h6 := f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19
+	h7 := f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38
+	h8 := f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38
+	h9 := f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2
+	var carry [10]int64
+
+	carry[0] = (h0 + (1 << 25)) >> 26
+	h1 += carry[0]
+	h0 -= carry[0] << 26
+	carry[4] = (h4 + (1 << 25)) >> 26
+	h5 += carry[4]
+	h4 -= carry[4] << 26
+
+	carry[1] = (h1 + (1 << 24)) >> 25
+	h2 += carry[1]
+	h1 -= carry[1] << 25
+	carry[5] = (h5 + (1 << 24)) >> 25
+	h6 += carry[5]
+	h5 -= carry[5] << 25
+
+	carry[2] = (h2 + (1 << 25)) >> 26
+	h3 += carry[2]
+	h2 -= carry[2] << 26
+	carry[6] = (h6 + (1 << 25)) >> 26
+	h7 += carry[6]
+	h6 -= carry[6] << 26
+
+	carry[3] = (h3 + (1 << 24)) >> 25
+	h4 += carry[3]
+	h3 -= carry[3] << 25
+	carry[7] = (h7 + (1 << 24)) >> 25
+	h8 += carry[7]
+	h7 -= carry[7] << 25
+
+	carry[4] = (h4 + (1 << 25)) >> 26
+	h5 += carry[4]
+	h4 -= carry[4] << 26
+	carry[8] = (h8 + (1 << 25)) >> 26
+	h9 += carry[8]
+	h8 -= carry[8] << 26
+
+	carry[9] = (h9 + (1 << 24)) >> 25
+	h0 += carry[9] * 19
+	h9 -= carry[9] << 25
+
+	carry[0] = (h0 + (1 << 25)) >> 26
+	h1 += carry[0]
+	h0 -= carry[0] << 26
+
+	h[0] = int32(h0)
+	h[1] = int32(h1)
+	h[2] = int32(h2)
+	h[3] = int32(h3)
+	h[4] = int32(h4)
+	h[5] = int32(h5)
+	h[6] = int32(h6)
+	h[7] = int32(h7)
+	h[8] = int32(h8)
+	h[9] = int32(h9)
+}
+
+// feSquare2 sets h = 2 * f * f
+//
+// Can overlap h with f.
+//
+// Preconditions:
+//    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
+// See fe_mul.c for discussion of implementation strategy.
+func feSquare2(h, f *fieldElement) {
+	f0 := f[0]
+	f1 := f[1]
+	f2 := f[2]
+	f3 := f[3]
+	f4 := f[4]
+	f5 := f[5]
+	f6 := f[6]
+	f7 := f[7]
+	f8 := f[8]
+	f9 := f[9]
+	f0_2 := 2 * f0
+	f1_2 := 2 * f1
+	f2_2 := 2 * f2
+	f3_2 := 2 * f3
+	f4_2 := 2 * f4
+	f5_2 := 2 * f5
+	f6_2 := 2 * f6
+	f7_2 := 2 * f7
+	f5_38 := 38 * f5 // 1.959375*2^30
+	f6_19 := 19 * f6 // 1.959375*2^30
+	f7_38 := 38 * f7 // 1.959375*2^30
+	f8_19 := 19 * f8 // 1.959375*2^30
+	f9_38 := 38 * f9 // 1.959375*2^30
+	f0f0 := int64(f0) * int64(f0)
+	f0f1_2 := int64(f0_2) * int64(f1)
+	f0f2_2 := int64(f0_2) * int64(f2)
+	f0f3_2 := int64(f0_2) * int64(f3)
+	f0f4_2 := int64(f0_2) * int64(f4)
+	f0f5_2 := int64(f0_2) * int64(f5)
+	f0f6_2 := int64(f0_2) * int64(f6)
+	f0f7_2 := int64(f0_2) * int64(f7)
+	f0f8_2 := int64(f0_2) * int64(f8)
+	f0f9_2 := int64(f0_2) * int64(f9)
+	f1f1_2 := int64(f1_2) * int64(f1)
+	f1f2_2 := int64(f1_2) * int64(f2)
+	f1f3_4 := int64(f1_2) * int64(f3_2)
+	f1f4_2 := int64(f1_2) * int64(f4)
+	f1f5_4 := int64(f1_2) * int64(f5_2)
+	f1f6_2 := int64(f1_2) * int64(f6)
+	f1f7_4 := int64(f1_2) * int64(f7_2)
+	f1f8_2 := int64(f1_2) * int64(f8)
+	f1f9_76 := int64(f1_2) * int64(f9_38)
+	f2f2 := int64(f2) * int64(f2)
+	f2f3_2 := int64(f2_2) * int64(f3)
+	f2f4_2 := int64(f2_2) * int64(f4)
+	f2f5_2 := int64(f2_2) * int64(f5)
+	f2f6_2 := int64(f2_2) * int64(f6)
+	f2f7_2 := int64(f2_2) * int64(f7)
+	f2f8_38 := int64(f2_2) * int64(f8_19)
+	f2f9_38 := int64(f2) * int64(f9_38)
+	f3f3_2 := int64(f3_2) * int64(f3)
+	f3f4_2 := int64(f3_2) * int64(f4)
+	f3f5_4 := int64(f3_2) * int64(f5_2)
+	f3f6_2 := int64(f3_2) * int64(f6)
+	f3f7_76 := int64(f3_2) * int64(f7_38)
+	f3f8_38 := int64(f3_2) * int64(f8_19)
+	f3f9_76 := int64(f3_2) * int64(f9_38)
+	f4f4 := int64(f4) * int64(f4)
+	f4f5_2 := int64(f4_2) * int64(f5)
+	f4f6_38 := int64(f4_2) * int64(f6_19)
+	f4f7_38 := int64(f4) * int64(f7_38)
+	f4f8_38 := int64(f4_2) * int64(f8_19)
+	f4f9_38 := int64(f4) * int64(f9_38)
+	f5f5_38 := int64(f5) * int64(f5_38)
+	f5f6_38 := int64(f5_2) * int64(f6_19)
+	f5f7_76 := int64(f5_2) * int64(f7_38)
+	f5f8_38 := int64(f5_2) * int64(f8_19)
+	f5f9_76 := int64(f5_2) * int64(f9_38)
+	f6f6_19 := int64(f6) * int64(f6_19)
+	f6f7_38 := int64(f6) * int64(f7_38)
+	f6f8_38 := int64(f6_2) * int64(f8_19)
+	f6f9_38 := int64(f6) * int64(f9_38)
+	f7f7_38 := int64(f7) * int64(f7_38)
+	f7f8_38 := int64(f7_2) * int64(f8_19)
+	f7f9_76 := int64(f7_2) * int64(f9_38)
+	f8f8_19 := int64(f8) * int64(f8_19)
+	f8f9_38 := int64(f8) * int64(f9_38)
+	f9f9_38 := int64(f9) * int64(f9_38)
+	h0 := f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38
+	h1 := f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38
+	h2 := f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19
+	h3 := f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38
+	h4 := f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38
+	h5 := f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38
+	h6 := f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19
+	h7 := f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38
+	h8 := f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38
+	h9 := f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2
+	var carry [10]int64
+
+	h0 += h0
+	h1 += h1
+	h2 += h2
+	h3 += h3
+	h4 += h4
+	h5 += h5
+	h6 += h6
+	h7 += h7
+	h8 += h8
+	h9 += h9
+
+	carry[0] = (h0 + (1 << 25)) >> 26
+	h1 += carry[0]
+	h0 -= carry[0] << 26
+	carry[4] = (h4 + (1 << 25)) >> 26
+	h5 += carry[4]
+	h4 -= carry[4] << 26
+
+	carry[1] = (h1 + (1 << 24)) >> 25
+	h2 += carry[1]
+	h1 -= carry[1] << 25
+	carry[5] = (h5 + (1 << 24)) >> 25
+	h6 += carry[5]
+	h5 -= carry[5] << 25
+
+	carry[2] = (h2 + (1 << 25)) >> 26
+	h3 += carry[2]
+	h2 -= carry[2] << 26
+	carry[6] = (h6 + (1 << 25)) >> 26
+	h7 += carry[6]
+	h6 -= carry[6] << 26
+
+	carry[3] = (h3 + (1 << 24)) >> 25
+	h4 += carry[3]
+	h3 -= carry[3] << 25
+	carry[7] = (h7 + (1 << 24)) >> 25
+	h8 += carry[7]
+	h7 -= carry[7] << 25
+
+	carry[4] = (h4 + (1 << 25)) >> 26
+	h5 += carry[4]
+	h4 -= carry[4] << 26
+	carry[8] = (h8 + (1 << 25)) >> 26
+	h9 += carry[8]
+	h8 -= carry[8] << 26
+
+	carry[9] = (h9 + (1 << 24)) >> 25
+	h0 += carry[9] * 19
+	h9 -= carry[9] << 25
+
+	carry[0] = (h0 + (1 << 25)) >> 26
+	h1 += carry[0]
+	h0 -= carry[0] << 26
+
+	h[0] = int32(h0)
+	h[1] = int32(h1)
+	h[2] = int32(h2)
+	h[3] = int32(h3)
+	h[4] = int32(h4)
+	h[5] = int32(h5)
+	h[6] = int32(h6)
+	h[7] = int32(h7)
+	h[8] = int32(h8)
+	h[9] = int32(h9)
+}
+
+func feInvert(out, z *fieldElement) {
+	var t0, t1, t2, t3 fieldElement
+	var i int
+
+	feSquare(&t0, z)        // 2^1
+	feSquare(&t1, &t0)      // 2^2
+	for i = 1; i < 2; i++ { // 2^3
+		feSquare(&t1, &t1)
+	}
+	feMul(&t1, z, &t1)      // 2^3 + 2^0
+	feMul(&t0, &t0, &t1)    // 2^3 + 2^1 + 2^0
+	feSquare(&t2, &t0)      // 2^4 + 2^2 + 2^1
+	feMul(&t1, &t1, &t2)    // 2^4 + 2^3 + 2^2 + 2^1 + 2^0
+	feSquare(&t2, &t1)      // 5,4,3,2,1
+	for i = 1; i < 5; i++ { // 9,8,7,6,5
+		feSquare(&t2, &t2)
+	}
+	feMul(&t1, &t2, &t1)     // 9,8,7,6,5,4,3,2,1,0
+	feSquare(&t2, &t1)       // 10..1
+	for i = 1; i < 10; i++ { // 19..10
+		feSquare(&t2, &t2)
+	}
+	feMul(&t2, &t2, &t1)     // 19..0
+	feSquare(&t3, &t2)       // 20..1
+	for i = 1; i < 20; i++ { // 39..20
+		feSquare(&t3, &t3)
+	}
+	feMul(&t2, &t3, &t2)     // 39..0
+	feSquare(&t2, &t2)       // 40..1
+	for i = 1; i < 10; i++ { // 49..10
+		feSquare(&t2, &t2)
+	}
+	feMul(&t1, &t2, &t1)     // 49..0
+	feSquare(&t2, &t1)       // 50..1
+	for i = 1; i < 50; i++ { // 99..50
+		feSquare(&t2, &t2)
+	}
+	feMul(&t2, &t2, &t1)      // 99..0
+	feSquare(&t3, &t2)        // 100..1
+	for i = 1; i < 100; i++ { // 199..100
+		feSquare(&t3, &t3)
+	}
+	feMul(&t2, &t3, &t2)     // 199..0
+	feSquare(&t2, &t2)       // 200..1
+	for i = 1; i < 50; i++ { // 249..50
+		feSquare(&t2, &t2)
+	}
+	feMul(&t1, &t2, &t1)    // 249..0
+	feSquare(&t1, &t1)      // 250..1
+	for i = 1; i < 5; i++ { // 254..5
+		feSquare(&t1, &t1)
+	}
+	feMul(out, &t1, &t0) // 254..5,3,1,0
+}
+
+func fePow22523(out, z *fieldElement) {
+	var t0, t1, t2 fieldElement
+	var i int
+
+	feSquare(&t0, z)
+	for i = 1; i < 1; i++ {
+		feSquare(&t0, &t0)
+	}
+	feSquare(&t1, &t0)
+	for i = 1; i < 2; i++ {
+		feSquare(&t1, &t1)
+	}
+	feMul(&t1, z, &t1)
+	feMul(&t0, &t0, &t1)
+	feSquare(&t0, &t0)
+	for i = 1; i < 1; i++ {
+		feSquare(&t0, &t0)
+	}
+	feMul(&t0, &t1, &t0)
+	feSquare(&t1, &t0)
+	for i = 1; i < 5; i++ {
+		feSquare(&t1, &t1)
+	}
+	feMul(&t0, &t1, &t0)
+	feSquare(&t1, &t0)
+	for i = 1; i < 10; i++ {
+		feSquare(&t1, &t1)
+	}
+	feMul(&t1, &t1, &t0)
+	feSquare(&t2, &t1)
+	for i = 1; i < 20; i++ {
+		feSquare(&t2, &t2)
+	}
+	feMul(&t1, &t2, &t1)
+	feSquare(&t1, &t1)
+	for i = 1; i < 10; i++ {
+		feSquare(&t1, &t1)
+	}
+	feMul(&t0, &t1, &t0)
+	feSquare(&t1, &t0)
+	for i = 1; i < 50; i++ {
+		feSquare(&t1, &t1)
+	}
+	feMul(&t1, &t1, &t0)
+	feSquare(&t2, &t1)
+	for i = 1; i < 100; i++ {
+		feSquare(&t2, &t2)
+	}
+	feMul(&t1, &t2, &t1)
+	feSquare(&t1, &t1)
+	for i = 1; i < 50; i++ {
+		feSquare(&t1, &t1)
+	}
+	feMul(&t0, &t1, &t0)
+	feSquare(&t0, &t0)
+	for i = 1; i < 2; i++ {
+		feSquare(&t0, &t0)
+	}
+	feMul(out, &t0, z)
+}
+
+func (fe *fieldElement) String() string {
+	s := "fieldElement{"
+	for i := range fe {
+		if i > 0 {
+			s += ", "
+		}
+		s += fmt.Sprintf("%d", fe[i])
+	}
+	s += "}"
+	return s
+}
diff --git a/kyber/group/edwards25519/ge.go b/kyber/group/edwards25519/ge.go
new file mode 100644
index 0000000000..1e0d11ada2
--- /dev/null
+++ b/kyber/group/edwards25519/ge.go
@@ -0,0 +1,489 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package edwards25519
+
+// Group elements are members of the elliptic curve -x^2 + y^2 = 1 + d * x^2 *
+// y^2 where d = -121665/121666.
+//
+// Several representations are used:
+//   projectiveGroupElement: (X:Y:Z) satisfying x=X/Z, y=Y/Z
+//   extendedGroupElement: (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
+//   completedGroupElement: ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
+//   preComputedGroupElement: (y+x,y-x,2dxy)
+
+type projectiveGroupElement struct {
+	X, Y, Z fieldElement
+}
+
+type extendedGroupElement struct {
+	X, Y, Z, T fieldElement
+}
+
+type completedGroupElement struct {
+	X, Y, Z, T fieldElement
+}
+
+type preComputedGroupElement struct {
+	yPlusX, yMinusX, xy2d fieldElement
+}
+
+type cachedGroupElement struct {
+	yPlusX, yMinusX, Z, T2d fieldElement
+}
+
+func (p *projectiveGroupElement) Zero() {
+	feZero(&p.X)
+	feOne(&p.Y)
+	feOne(&p.Z)
+}
+
+func (p *projectiveGroupElement) Double(r *completedGroupElement) {
+	var t0 fieldElement
+
+	feSquare(&r.X, &p.X)
+	feSquare(&r.Z, &p.Y)
+	feSquare2(&r.T, &p.Z)
+	feAdd(&r.Y, &p.X, &p.Y)
+	feSquare(&t0, &r.Y)
+	feAdd(&r.Y, &r.Z, &r.X)
+	feSub(&r.Z, &r.Z, &r.X)
+	feSub(&r.X, &t0, &r.Y)
+	feSub(&r.T, &r.T, &r.Z)
+}
+
+func (p *projectiveGroupElement) ToBytes(s *[32]byte) {
+	var recip, x, y fieldElement
+
+	feInvert(&recip, &p.Z)
+	feMul(&x, &p.X, &recip)
+	feMul(&y, &p.Y, &recip)
+	feToBytes(s, &y)
+	s[31] ^= feIsNegative(&x) << 7
+}
+
+func (p *extendedGroupElement) Zero() {
+	feZero(&p.X)
+	feOne(&p.Y)
+	feOne(&p.Z)
+	feZero(&p.T)
+}
+
+func (p *extendedGroupElement) Neg(s *extendedGroupElement) {
+	feNeg(&p.X, &s.X)
+	feCopy(&p.Y, &s.Y)
+	feCopy(&p.Z, &s.Z)
+	feNeg(&p.T, &s.T)
+}
+
+func (p *extendedGroupElement) Double(r *completedGroupElement) {
+	var q projectiveGroupElement
+	p.ToProjective(&q)
+	q.Double(r)
+}
+
+func (p *extendedGroupElement) ToCached(r *cachedGroupElement) {
+	feAdd(&r.yPlusX, &p.Y, &p.X)
+	feSub(&r.yMinusX, &p.Y, &p.X)
+	feCopy(&r.Z, &p.Z)
+	feMul(&r.T2d, &p.T, &d2)
+}
+
+func (p *extendedGroupElement) ToProjective(r *projectiveGroupElement) {
+	feCopy(&r.X, &p.X)
+	feCopy(&r.Y, &p.Y)
+	feCopy(&r.Z, &p.Z)
+}
+
+func (p *extendedGroupElement) ToBytes(s *[32]byte) {
+	var recip, x, y fieldElement
+
+	feInvert(&recip, &p.Z)
+	feMul(&x, &p.X, &recip)
+	feMul(&y, &p.Y, &recip)
+	feToBytes(s, &y)
+	s[31] ^= feIsNegative(&x) << 7
+}
+
+func (p *extendedGroupElement) FromBytes(s []byte) bool {
+	var u, v, v3, vxx, check fieldElement
+
+	if len(s) != 32 {
+		return false
+	}
+	feFromBytes(&p.Y, s)
+	feOne(&p.Z)
+	feSquare(&u, &p.Y)
+	feMul(&v, &u, &d)
+	feSub(&u, &u, &p.Z) // y = y^2-1
+	feAdd(&v, &v, &p.Z) // v = dy^2+1
+
+	feSquare(&v3, &v)
+	feMul(&v3, &v3, &v) // v3 = v^3
+	feSquare(&p.X, &v3)
+	feMul(&p.X, &p.X, &v)
+	feMul(&p.X, &p.X, &u) // x = uv^7
+
+	fePow22523(&p.X, &p.X) // x = (uv^7)^((q-5)/8)
+	feMul(&p.X, &p.X, &v3)
+	feMul(&p.X, &p.X, &u) // x = uv^3(uv^7)^((q-5)/8)
+
+	feSquare(&vxx, &p.X)
+	feMul(&vxx, &vxx, &v)
+	feSub(&check, &vxx, &u) // vx^2-u
+	if feIsNonZero(&check) == 1 {
+		feAdd(&check, &vxx, &u) // vx^2+u
+		if feIsNonZero(&check) == 1 {
+			return false
+		}
+		feMul(&p.X, &p.X, &sqrtM1)
+	}
+
+	if feIsNegative(&p.X) != (s[31] >> 7) {
+		feNeg(&p.X, &p.X)
+	}
+
+	feMul(&p.T, &p.X, &p.Y)
+	return true
+}
+
+func (p *extendedGroupElement) String() string {
+	return "extendedGroupElement{\n\t" +
+		p.X.String() + ",\n\t" +
+		p.Y.String() + ",\n\t" +
+		p.Z.String() + ",\n\t" +
+		p.T.String() + ",\n}"
+}
+
+// completedGroupElement methods
+
+func (c *completedGroupElement) ToProjective(r *projectiveGroupElement) {
+	feMul(&r.X, &c.X, &c.T)
+	feMul(&r.Y, &c.Y, &c.Z)
+	feMul(&r.Z, &c.Z, &c.T)
+}
+
+func (c *completedGroupElement) ToExtended(r *extendedGroupElement) {
+	feMul(&r.X, &c.X, &c.T)
+	feMul(&r.Y, &c.Y, &c.Z)
+	feMul(&r.Z, &c.Z, &c.T)
+	feMul(&r.T, &c.X, &c.Y)
+}
+
+func (p *preComputedGroupElement) Zero() {
+	feOne(&p.yPlusX)
+	feOne(&p.yMinusX)
+	feZero(&p.xy2d)
+}
+
+func (c *completedGroupElement) Add(p *extendedGroupElement, q *cachedGroupElement) {
+	var t0 fieldElement
+
+	feAdd(&c.X, &p.Y, &p.X)
+	feSub(&c.Y, &p.Y, &p.X)
+	feMul(&c.Z, &c.X, &q.yPlusX)
+	feMul(&c.Y, &c.Y, &q.yMinusX)
+	feMul(&c.T, &q.T2d, &p.T)
+	feMul(&c.X, &p.Z, &q.Z)
+	feAdd(&t0, &c.X, &c.X)
+	feSub(&c.X, &c.Z, &c.Y)
+	feAdd(&c.Y, &c.Z, &c.Y)
+	feAdd(&c.Z, &t0, &c.T)
+	feSub(&c.T, &t0, &c.T)
+}
+
+func (c *completedGroupElement) Sub(p *extendedGroupElement, q *cachedGroupElement) {
+	var t0 fieldElement
+
+	feAdd(&c.X, &p.Y, &p.X)
+	feSub(&c.Y, &p.Y, &p.X)
+	feMul(&c.Z, &c.X, &q.yMinusX)
+	feMul(&c.Y, &c.Y, &q.yPlusX)
+	feMul(&c.T, &q.T2d, &p.T)
+	feMul(&c.X, &p.Z, &q.Z)
+	feAdd(&t0, &c.X, &c.X)
+	feSub(&c.X, &c.Z, &c.Y)
+	feAdd(&c.Y, &c.Z, &c.Y)
+	feSub(&c.Z, &t0, &c.T)
+	feAdd(&c.T, &t0, &c.T)
+}
+
+func (c *completedGroupElement) MixedAdd(p *extendedGroupElement, q *preComputedGroupElement) {
+	var t0 fieldElement
+
+	feAdd(&c.X, &p.Y, &p.X)
+	feSub(&c.Y, &p.Y, &p.X)
+	feMul(&c.Z, &c.X, &q.yPlusX)
+	feMul(&c.Y, &c.Y, &q.yMinusX)
+	feMul(&c.T, &q.xy2d, &p.T)
+	feAdd(&t0, &p.Z, &p.Z)
+	feSub(&c.X, &c.Z, &c.Y)
+	feAdd(&c.Y, &c.Z, &c.Y)
+	feAdd(&c.Z, &t0, &c.T)
+	feSub(&c.T, &t0, &c.T)
+}
+
+func (c *completedGroupElement) MixedSub(p *extendedGroupElement, q *preComputedGroupElement) {
+	var t0 fieldElement
+
+	feAdd(&c.X, &p.Y, &p.X)
+	feSub(&c.Y, &p.Y, &p.X)
+	feMul(&c.Z, &c.X, &q.yMinusX)
+	feMul(&c.Y, &c.Y, &q.yPlusX)
+	feMul(&c.T, &q.xy2d, &p.T)
+	feAdd(&t0, &p.Z, &p.Z)
+	feSub(&c.X, &c.Z, &c.Y)
+	feAdd(&c.Y, &c.Z, &c.Y)
+	feSub(&c.Z, &t0, &c.T)
+	feAdd(&c.T, &t0, &c.T)
+}
+
+// preComputedGroupElement methods
+
+// Set to u conditionally based on b
+func (p *preComputedGroupElement) CMove(u *preComputedGroupElement, b int32) {
+	feCMove(&p.yPlusX, &u.yPlusX, b)
+	feCMove(&p.yMinusX, &u.yMinusX, b)
+	feCMove(&p.xy2d, &u.xy2d, b)
+}
+
+// Set to negative of t
+func (p *preComputedGroupElement) Neg(t *preComputedGroupElement) {
+	feCopy(&p.yPlusX, &t.yMinusX)
+	feCopy(&p.yMinusX, &t.yPlusX)
+	feNeg(&p.xy2d, &t.xy2d)
+}
+
+// cachedGroupElement methods
+
+func (r *cachedGroupElement) Zero() {
+	feOne(&r.yPlusX)
+	feOne(&r.yMinusX)
+	feOne(&r.Z)
+	feZero(&r.T2d)
+}
+
+// Set to u conditionally based on b
+func (r *cachedGroupElement) CMove(u *cachedGroupElement, b int32) {
+	feCMove(&r.yPlusX, &u.yPlusX, b)
+	feCMove(&r.yMinusX, &u.yMinusX, b)
+	feCMove(&r.Z, &u.Z, b)
+	feCMove(&r.T2d, &u.T2d, b)
+}
+
+// Set to negative of t
+func (r *cachedGroupElement) Neg(t *cachedGroupElement) {
+	feCopy(&r.yPlusX, &t.yMinusX)
+	feCopy(&r.yMinusX, &t.yPlusX)
+	feCopy(&r.Z, &t.Z)
+	feNeg(&r.T2d, &t.T2d)
+}
+
+// Expand the 32-byte (256-bit) exponent in slice a into
+// a sequence of 256 multipliers, one per exponent bit position.
+// Clumps nearby 1 bits into multi-bit multipliers to reduce
+// the total number of add/sub operations in a Point multiply;
+// each multiplier is either zero or an odd number between -15 and 15.
+// Assumes the target array r has been preinitialized with zeros
+// in case the input slice a is less than 32 bytes.
+func slide(r *[256]int8, a *[32]byte) {
+
+	// Explode the exponent a into a little-endian array, one bit per byte
+	for i := range a {
+		ai := int8(a[i])
+		for j := 0; j < 8; j++ {
+			r[i*8+j] = ai & 1
+			ai >>= 1
+		}
+	}
+
+	// Go through and clump sequences of 1-bits together wherever possible,
+	// while keeping r[i] in the range -15 through 15.
+	// Note that each nonzero r[i] in the result will always be odd,
+	// because clumping is triggered by the first, least-significant,
+	// 1-bit encountered in a clump, and that first bit always remains 1.
+	for i := range r {
+		if r[i] != 0 {
+			for b := 1; b <= 6 && i+b < 256; b++ {
+				if r[i+b] != 0 {
+					if r[i]+(r[i+b]<= -15 {
+						r[i] -= r[i+b] << uint(b)
+						for k := i + b; k < 256; k++ {
+							if r[k] == 0 {
+								r[k] = 1
+								break
+							}
+							r[k] = 0
+						}
+					} else {
+						break
+					}
+				}
+			}
+		}
+	}
+}
+
+// equal returns 1 if b == c and 0 otherwise.
+func equal(b, c int32) int32 {
+	x := uint32(b ^ c)
+	x--
+	return int32(x >> 31)
+}
+
+// negative returns 1 if b < 0 and 0 otherwise.
+func negative(b int32) int32 {
+	return (b >> 31) & 1
+}
+
+func selectPreComputed(t *preComputedGroupElement, pos int32, b int32) {
+	var minusT preComputedGroupElement
+	bNegative := negative(b)
+	bAbs := b - (((-bNegative) & b) << 1)
+
+	t.Zero()
+	for i := int32(0); i < 8; i++ {
+		t.CMove(&base[pos][i], equal(bAbs, i+1))
+	}
+	minusT.Neg(t)
+	t.CMove(&minusT, bNegative)
+}
+
+// geScalarMultBase computes h = a*B, where
+//   a = a[0]+256*a[1]+...+256^31 a[31]
+//   B is the Ed25519 base Point (x,4/5) with x positive.
+//
+// Preconditions:
+//   a[31] <= 127
+func geScalarMultBase(h *extendedGroupElement, a *[32]byte) {
+	var e [64]int8
+
+	for i, v := range a {
+		e[2*i] = int8(v & 15)
+		e[2*i+1] = int8((v >> 4) & 15)
+	}
+
+	// each e[i] is between 0 and 15 and e[63] is between 0 and 7.
+
+	carry := int8(0)
+	for i := 0; i < 63; i++ {
+		e[i] += carry
+		carry = (e[i] + 8) >> 4
+		e[i] -= carry << 4
+	}
+	e[63] += carry
+	// each e[i] is between -8 and 8.
+
+	h.Zero()
+	var t preComputedGroupElement
+	var r completedGroupElement
+	for i := int32(1); i < 64; i += 2 {
+		selectPreComputed(&t, i/2, int32(e[i]))
+		r.MixedAdd(h, &t)
+		r.ToExtended(h)
+	}
+
+	var s projectiveGroupElement
+
+	h.Double(&r)
+	r.ToProjective(&s)
+	s.Double(&r)
+	r.ToProjective(&s)
+	s.Double(&r)
+	r.ToProjective(&s)
+	s.Double(&r)
+	r.ToExtended(h)
+
+	for i := int32(0); i < 64; i += 2 {
+		selectPreComputed(&t, i/2, int32(e[i]))
+		r.MixedAdd(h, &t)
+		r.ToExtended(h)
+	}
+}
+
+func selectCached(c *cachedGroupElement, Ai *[8]cachedGroupElement, b int32) {
+	bNegative := negative(b)
+	bAbs := b - (((-bNegative) & b) << 1)
+
+	// in constant-time pick cached multiplier for exponent 0 through 8
+	c.Zero()
+	for i := int32(0); i < 8; i++ {
+		c.CMove(&Ai[i], equal(bAbs, i+1))
+	}
+
+	// in constant-time compute negated version, conditionally use it
+	var minusC cachedGroupElement
+	minusC.Neg(c)
+	c.CMove(&minusC, bNegative)
+}
+
+// geScalarMult computes h = a*B, where
+//   a = a[0]+256*a[1]+...+256^31 a[31]
+//   B is the Ed25519 base Point (x,4/5) with x positive.
+//
+// Preconditions:
+//   a[31] <= 127
+func geScalarMult(h *extendedGroupElement, a *[32]byte,
+	A *extendedGroupElement) {
+
+	var t completedGroupElement
+	var u extendedGroupElement
+	var r projectiveGroupElement
+	var c cachedGroupElement
+	var i int
+
+	// Break the exponent into 4-bit nybbles.
+	var e [64]int8
+	for i, v := range a {
+		e[2*i] = int8(v & 15)
+		e[2*i+1] = int8((v >> 4) & 15)
+	}
+	// each e[i] is between 0 and 15 and e[63] is between 0 and 7.
+
+	carry := int8(0)
+	for i := 0; i < 63; i++ {
+		e[i] += carry
+		carry = (e[i] + 8) >> 4
+		e[i] -= carry << 4
+	}
+	e[63] += carry
+	// each e[i] is between -8 and 8.
+
+	// compute cached array of multiples of A from 1A through 8A
+	var Ai [8]cachedGroupElement // A,1A,2A,3A,4A,5A,6A,7A
+	A.ToCached(&Ai[0])
+	for i := 0; i < 7; i++ {
+		t.Add(A, &Ai[i])
+		t.ToExtended(&u)
+		u.ToCached(&Ai[i+1])
+	}
+
+	// special case for exponent nybble i == 63
+	u.Zero()
+	selectCached(&c, &Ai, int32(e[63]))
+	t.Add(&u, &c)
+
+	for i = 62; i >= 0; i-- {
+
+		// t <<= 4
+		t.ToProjective(&r)
+		r.Double(&t)
+		t.ToProjective(&r)
+		r.Double(&t)
+		t.ToProjective(&r)
+		r.Double(&t)
+		t.ToProjective(&r)
+		r.Double(&t)
+
+		// Add next nybble
+		t.ToExtended(&u)
+		selectCached(&c, &Ai, int32(e[i]))
+		t.Add(&u, &c)
+	}
+
+	t.ToExtended(h)
+}
diff --git a/kyber/group/edwards25519/ge_mult_vartime.go b/kyber/group/edwards25519/ge_mult_vartime.go
new file mode 100644
index 0000000000..15a7d7248e
--- /dev/null
+++ b/kyber/group/edwards25519/ge_mult_vartime.go
@@ -0,0 +1,71 @@
+package edwards25519
+
+// geScalarMultVartime computes h = a*B, where
+//   a = a[0]+256*a[1]+...+256^31 a[31]
+//   B is the Ed25519 base Point (x,4/5) with x positive.
+//
+// Preconditions:
+//   a[31] <= 127
+func geScalarMultVartime(h *extendedGroupElement, a *[32]byte,
+	A *extendedGroupElement) {
+
+	var aSlide [256]int8
+	var Ai [8]cachedGroupElement // A,3A,5A,7A,9A,11A,13A,15A
+	var t completedGroupElement
+	var u, A2 extendedGroupElement
+	var r projectiveGroupElement
+	var i int
+
+	// Slide through the scalar exponent clumping sequences of bits,
+	// resulting in only zero or odd multipliers between -15 and 15.
+	slide(&aSlide, a)
+
+	// Form an array of odd multiples of A from 1A through 15A,
+	// in addition-ready cached group element form.
+	// We only need odd multiples of A because slide()
+	// produces only odd-multiple clumps of bits.
+	A.ToCached(&Ai[0])
+	A.Double(&t)
+	t.ToExtended(&A2)
+	for i := 0; i < 7; i++ {
+		t.Add(&A2, &Ai[i])
+		t.ToExtended(&u)
+		u.ToCached(&Ai[i+1])
+	}
+
+	// Process the multiplications from most-significant bit downward
+	for i = 255; ; i-- {
+		if i < 0 { // no bits set
+			h.Zero()
+			return
+		}
+		if aSlide[i] != 0 {
+			break
+		}
+	}
+
+	// first (most-significant) nonzero clump of bits
+	u.Zero()
+	if aSlide[i] > 0 {
+		t.Add(&u, &Ai[aSlide[i]/2])
+	} else if aSlide[i] < 0 {
+		t.Sub(&u, &Ai[(-aSlide[i])/2])
+	}
+	i--
+
+	// remaining bits
+	for ; i >= 0; i-- {
+		t.ToProjective(&r)
+		r.Double(&t)
+
+		if aSlide[i] > 0 {
+			t.ToExtended(&u)
+			t.Add(&u, &Ai[aSlide[i]/2])
+		} else if aSlide[i] < 0 {
+			t.ToExtended(&u)
+			t.Sub(&u, &Ai[(-aSlide[i])/2])
+		}
+	}
+
+	t.ToExtended(h)
+}
diff --git a/kyber/group/edwards25519/marshal.go b/kyber/group/edwards25519/marshal.go
new file mode 100644
index 0000000000..573f47529b
--- /dev/null
+++ b/kyber/group/edwards25519/marshal.go
@@ -0,0 +1,83 @@
+// Package marshalling provides a common implementation of (un)marshalling method using Writer and Reader.
+//
+package edwards25519
+
+import (
+	"crypto/cipher"
+	"io"
+	"reflect"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+// PointMarshalTo provides a generic implementation of Point.EncodeTo
+// based on Point.Encode.
+func PointMarshalTo(p kyber.Point, w io.Writer) (int, error) {
+	buf, err := p.MarshalBinary()
+	if err != nil {
+		return 0, err
+	}
+	return w.Write(buf)
+}
+
+// PointUnmarshalFrom provides a generic implementation of Point.DecodeFrom,
+// based on Point.Decode, or Point.Pick if r is a Cipher or cipher.Stream.
+// The returned byte-count is valid only when decoding from a normal Reader,
+// not when picking from a pseudorandom source.
+func PointUnmarshalFrom(p kyber.Point, r io.Reader) (int, error) {
+	if strm, ok := r.(cipher.Stream); ok {
+		p.Pick(strm)
+		return -1, nil // no byte-count when picking randomly
+	}
+	buf := make([]byte, p.MarshalSize())
+	n, err := io.ReadFull(r, buf)
+	if err != nil {
+		return n, err
+	}
+	return n, p.UnmarshalBinary(buf)
+}
+
+// ScalarMarshalTo provides a generic implementation of Scalar.EncodeTo
+// based on Scalar.Encode.
+func ScalarMarshalTo(s kyber.Scalar, w io.Writer) (int, error) {
+	buf, err := s.MarshalBinary()
+	if err != nil {
+		return 0, err
+	}
+	return w.Write(buf)
+}
+
+// ScalarUnmarshalFrom provides a generic implementation of Scalar.DecodeFrom,
+// based on Scalar.Decode, or Scalar.Pick if r is a Cipher or cipher.Stream.
+// The returned byte-count is valid only when decoding from a normal Reader,
+// not when picking from a pseudorandom source.
+func ScalarUnmarshalFrom(s kyber.Scalar, r io.Reader) (int, error) {
+	if strm, ok := r.(cipher.Stream); ok {
+		s.Pick(strm)
+		return -1, nil // no byte-count when picking randomly
+	}
+	buf := make([]byte, s.MarshalSize())
+	n, err := io.ReadFull(r, buf)
+	if err != nil {
+		return n, err
+	}
+	return n, s.UnmarshalBinary(buf)
+}
+
+// Not used other than for reflect.TypeOf()
+var aScalar kyber.Scalar
+var aPoint kyber.Point
+
+var tScalar = reflect.TypeOf(&aScalar).Elem()
+var tPoint = reflect.TypeOf(&aPoint).Elem()
+
+// GroupNew is the Default implementation of reflective constructor for Group
+func GroupNew(g kyber.Group, t reflect.Type) interface{} {
+	switch t {
+	case tScalar:
+		return g.Scalar()
+	case tPoint:
+		return g.Point()
+	}
+	return nil
+}
diff --git a/kyber/group/edwards25519/point.go b/kyber/group/edwards25519/point.go
new file mode 100644
index 0000000000..f64a6467db
--- /dev/null
+++ b/kyber/group/edwards25519/point.go
@@ -0,0 +1,252 @@
+// Package edwards25519 provides an optimized Go implementation of a
+// Twisted Edwards curve that is isomorphic to Curve25519. For details see:
+// http://ed25519.cr.yp.to/.
+//
+// This code is based on Adam Langley's Go port of the public domain,
+// "ref10" implementation of the ed25519 signing scheme in C from SUPERCOP.
+// It was generalized and extended to support full kyber.Group arithmetic
+// by the DEDIS lab at Yale and EPFL.
+//
+// Due to the field element and group arithmetic optimizations
+// described in the Ed25519 paper, this implementation generally
+// performs extremely well, typically comparable to native C
+// implementations.  The tradeoff is that this code is completely
+// specialized to a single curve.
+package edwards25519
+
+import (
+	"crypto/cipher"
+	"encoding/hex"
+	"errors"
+	"io"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+var marshalPointID = [8]byte{'e', 'd', '.', 'p', 'o', 'i', 'n', 't'}
+
+type Point struct {
+	ge      extendedGroupElement
+	varTime bool
+}
+
+func (P *Point) String() string {
+	var b [32]byte
+	P.ge.ToBytes(&b)
+	return hex.EncodeToString(b[:])
+}
+
+func (P *Point) Norm() ([]byte, []byte) {
+	var recip, x, y fieldElement
+
+	feInvert(&recip, &P.ge.Z)
+	feMul(&x, &P.ge.X, &recip)
+	feMul(&y, &P.ge.Y, &recip)
+	var sx, sy [32]byte
+	feToBytes(&sx, &x)
+	feToBytes(&sy, &y)
+	return sx[:], sy[:]
+}
+
+func (P *Point) X_LE() []byte {
+	x, _ := P.Norm()
+	return x
+}
+
+func (P *Point) Y_LE() []byte {
+	_, y := P.Norm()
+	return y
+}
+
+func (P *Point) MarshalSize() int {
+	return 32
+}
+
+func (P *Point) MarshalBinary() ([]byte, error) {
+	var b [32]byte
+	P.ge.ToBytes(&b)
+	return b[:], nil
+}
+
+// MarshalID returns the type tag used in encoding/decoding
+func (P *Point) MarshalID() [8]byte {
+	return marshalPointID
+}
+
+func (P *Point) UnmarshalBinary(b []byte) error {
+	if !P.ge.FromBytes(b) {
+		return errors.New("invalid Ed25519 curve Point")
+	}
+	return nil
+}
+
+func (P *Point) MarshalTo(w io.Writer) (int, error) {
+	return PointMarshalTo(P, w)
+}
+
+func (P *Point) UnmarshalFrom(r io.Reader) (int, error) {
+	return PointUnmarshalFrom(P, r)
+}
+
+// Equality test for two Points on the same curve
+func (P *Point) Equal(P2 kyber.Point) bool {
+
+	var b1, b2 [32]byte
+	P.ge.ToBytes(&b1)
+	P2.(*Point).ge.ToBytes(&b2)
+	for i := range b1 {
+		if b1[i] != b2[i] {
+			return false
+		}
+	}
+	return true
+}
+
+// Set Point to be equal to P2.
+func (P *Point) Set(P2 kyber.Point) kyber.Point {
+	P.ge = P2.(*Point).ge
+	return P
+}
+
+// Set Point to be equal to P2.
+func (P *Point) Clone() kyber.Point {
+	return &Point{ge: P.ge}
+}
+
+// Set to the neutral element, which is (0,1) for twisted Edwards curves.
+func (P *Point) Null() kyber.Point {
+	P.ge.Zero()
+	return P
+}
+
+// Set to the standard base Point for this curve
+func (P *Point) Base() kyber.Point {
+	P.ge = baseext
+	return P
+}
+
+func (P *Point) EmbedLen() int {
+	// Reserve the most-significant 8 bits for pseudo-randomness.
+	// Reserve the least-significant 8 bits for embedded data length.
+	// (Hopefully it's unlikely we'll need >=2048-bit curves soon.)
+	return (255 - 8 - 8) / 8
+}
+
+func (P *Point) Embed(data []byte, rand cipher.Stream) kyber.Point {
+
+	// How many bytes to embed?
+	dl := P.EmbedLen()
+	if dl > len(data) {
+		dl = len(data)
+	}
+
+	for {
+		// Pick a random Point, with optional embedded data
+		var b [32]byte
+		rand.XORKeyStream(b[:], b[:])
+		if data != nil {
+			b[0] = byte(dl)       // Encode length in low 8 bits
+			copy(b[1:1+dl], data) // Copy in data to embed
+		}
+		if !P.ge.FromBytes(b[:]) { // Try to decode
+			continue // invalid Point, retry
+		}
+
+		// If we're using the full group,
+		// we just need any Point on the curve, so we're done.
+		//		if c.full {
+		//			return P,data[dl:]
+		//		}
+
+		// We're using the prime-order subgroup,
+		// so we need to make sure the Point is in that subencoding.
+		// If we're not trying to embed data,
+		// we can convert our Point into one in the subgroup
+		// simply by multiplying it by the cofactor.
+		if data == nil {
+			P.Mul(cofactorScalar, P) // multiply by cofactor
+			if P.Equal(nullPoint) {
+				continue // unlucky; try again
+			}
+			return P // success
+		}
+
+		// Since we need the Point's y-coordinate to hold our data,
+		// we must simply check if the Point is in the subgroup
+		// and retry Point generation until it is.
+		var Q Point
+		Q.Mul(primeOrderScalar, P)
+		if Q.Equal(nullPoint) {
+			return P // success
+		}
+		// Keep trying...
+	}
+}
+
+func (P *Point) Pick(rand cipher.Stream) kyber.Point {
+	return P.Embed(nil, rand)
+}
+
+// Extract embedded data from a Point group element
+func (P *Point) Data() ([]byte, error) {
+	var b [32]byte
+	P.ge.ToBytes(&b)
+	dl := int(b[0]) // extract length byte
+	if dl > P.EmbedLen() {
+		return nil, errors.New("invalid embedded data length")
+	}
+	return b[1 : 1+dl], nil
+}
+
+func (P *Point) Add(P1, P2 kyber.Point) kyber.Point {
+	E1 := P1.(*Point)
+	E2 := P2.(*Point)
+
+	var t2 cachedGroupElement
+	var r completedGroupElement
+
+	E2.ge.ToCached(&t2)
+	r.Add(&E1.ge, &t2)
+	r.ToExtended(&P.ge)
+
+	return P
+}
+
+func (P *Point) Sub(P1, P2 kyber.Point) kyber.Point {
+	E1 := P1.(*Point)
+	E2 := P2.(*Point)
+
+	var t2 cachedGroupElement
+	var r completedGroupElement
+
+	E2.ge.ToCached(&t2)
+	r.Sub(&E1.ge, &t2)
+	r.ToExtended(&P.ge)
+
+	return P
+}
+
+// Neg finds the negative of Point A.
+// For Edwards curves, the negative of (x,y) is (-x,y).
+func (P *Point) Neg(A kyber.Point) kyber.Point {
+	P.ge.Neg(&A.(*Point).ge)
+	return P
+}
+
+// Mul multiplies Point p by scalar s using the repeated doubling method.
+func (P *Point) Mul(s kyber.Scalar, A kyber.Point) kyber.Point {
+
+	a := &s.(*scalar).v
+
+	if A == nil {
+		geScalarMultBase(&P.ge, a)
+	} else {
+		if P.varTime {
+			geScalarMultVartime(&P.ge, a, &A.(*Point).ge)
+		} else {
+			geScalarMult(&P.ge, a, &A.(*Point).ge)
+		}
+	}
+
+	return P
+}
diff --git a/kyber/group/edwards25519/point_test.go b/kyber/group/edwards25519/point_test.go
new file mode 100644
index 0000000000..3be5b8f1f0
--- /dev/null
+++ b/kyber/group/edwards25519/point_test.go
@@ -0,0 +1,13 @@
+package edwards25519
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestPoint_Marshal(t *testing.T) {
+	p := Point{}
+	require.Equal(t, "ed.Point", fmt.Sprintf("%s", p.MarshalID()))
+}
diff --git a/kyber/group/edwards25519/point_vartime.go b/kyber/group/edwards25519/point_vartime.go
new file mode 100644
index 0000000000..2c3f2af76d
--- /dev/null
+++ b/kyber/group/edwards25519/point_vartime.go
@@ -0,0 +1,9 @@
+package edwards25519
+
+// AllowVarTime sets a flag in this object which determines if a faster
+// but variable time implementation can be used. Set this only on Points
+// which represent public information. Using variable time algorithms to
+// operate on private information can result in timing side-channels.
+func (P *Point) AllowVarTime(varTime bool) {
+	P.varTime = varTime
+}
diff --git a/kyber/group/edwards25519/scalar.go b/kyber/group/edwards25519/scalar.go
new file mode 100644
index 0000000000..45949dd712
--- /dev/null
+++ b/kyber/group/edwards25519/scalar.go
@@ -0,0 +1,2231 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package edwards25519
+
+import (
+	"crypto/cipher"
+	"crypto/subtle"
+	"encoding/hex"
+	"errors"
+	"io"
+	"math/big"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/mod"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+// This code is a port of the public domain, "ref10" implementation of ed25519
+// from SUPERCOP. More information at https://bench.cr.yp.to/supercop.html.
+
+// The scalars are GF(2^252 + 27742317777372353535851937790883648493).
+
+var marshalScalarID = [8]byte{'e', 'd', '.', 's', 'c', 'a', 'l', 'a'}
+
+type scalar struct {
+	v [32]byte
+}
+
+// Equality test for two Scalars derived from the same Group
+func (s *scalar) Equal(s2 kyber.Scalar) bool {
+	v1 := s.v[:]
+	v2 := s2.(*scalar).v[:]
+	return subtle.ConstantTimeCompare(v1, v2) != 0
+}
+
+// Set equal to another Scalar a
+func (s *scalar) Set(a kyber.Scalar) kyber.Scalar {
+	s.v = a.(*scalar).v
+	return s
+}
+
+// Clone returns a duplicate of the scalar s.
+func (s *scalar) Clone() kyber.Scalar {
+	s2 := *s
+	return &s2
+}
+
+func (s *scalar) setInt(i *mod.Int) kyber.Scalar {
+	b := i.LittleEndian(32, 32)
+	copy(s.v[:], b)
+	return s
+}
+
+// SetInt64 sets the scalar to a small integer value.
+func (s *scalar) SetInt64(v int64) kyber.Scalar {
+	return s.setInt(mod.NewInt64(v, primeOrder))
+}
+
+func (s *scalar) toInt() *mod.Int {
+	return mod.NewIntBytes(s.v[:], primeOrder, mod.LittleEndian)
+}
+
+// Set to the additive identity (0)
+func (s *scalar) Zero() kyber.Scalar {
+	s.v = [32]byte{0}
+	return s
+}
+
+// Set to the multiplicative identity (1)
+func (s *scalar) One() kyber.Scalar {
+	s.v = [32]byte{1}
+	return s
+}
+
+// Set to the modular sum of scalars a and b
+func (s *scalar) Add(a, b kyber.Scalar) kyber.Scalar {
+	scAdd(&s.v, &a.(*scalar).v, &b.(*scalar).v)
+	return s
+}
+
+// Set to the modular difference a - b
+func (s *scalar) Sub(a, b kyber.Scalar) kyber.Scalar {
+	scSub(&s.v, &a.(*scalar).v, &b.(*scalar).v)
+	return s
+}
+
+// Set to the modular negation of scalar a
+func (s *scalar) Neg(a kyber.Scalar) kyber.Scalar {
+	var z scalar
+	z.Zero()
+	scSub(&s.v, &z.v, &a.(*scalar).v)
+	return s
+}
+
+// Set to the modular product of scalars a and b
+func (s *scalar) Mul(a, b kyber.Scalar) kyber.Scalar {
+	scMul(&s.v, &a.(*scalar).v, &b.(*scalar).v)
+	return s
+}
+
+// Set to the modular division of scalar a by scalar b
+func (s *scalar) Div(a, b kyber.Scalar) kyber.Scalar {
+	var i scalar
+	i.Inv(b)
+	scMul(&s.v, &a.(*scalar).v, &i.v)
+	return s
+}
+
+// Set to the modular inverse of scalar a
+func (s *scalar) Inv(a kyber.Scalar) kyber.Scalar {
+	var res scalar
+	res.One()
+	ac := a.(*scalar)
+	// Modular inversion in a multiplicative group is a^(phi(m)-1) = a^-1 mod m
+	// Since m is prime, phi(m) = m - 1 => a^(m-2) = a^-1 mod m.
+	// The inverse is computed using the exponentation-and-square algorithm.
+	// Implementation is constant time regarding the value a, it only depends on
+	// the modulo.
+	for i := 255; i >= 0; i-- {
+		bit := lMinus2.Bit(i)
+		// square step
+		scMul(&res.v, &res.v, &res.v)
+		if bit == 1 {
+			// multiply step
+			scMul(&res.v, &res.v, &ac.v)
+		}
+	}
+	s.v = res.v
+	return s
+}
+
+// Set to a fresh random or pseudo-random scalar
+func (s *scalar) Pick(rand cipher.Stream) kyber.Scalar {
+	i := mod.NewInt(random.Int(primeOrder, rand), primeOrder)
+	return s.setInt(i)
+}
+
+// SetBytes s to b, interpreted as a little endian integer.
+func (s *scalar) SetBytes(b []byte) kyber.Scalar {
+	return s.setInt(mod.NewIntBytes(b, primeOrder, mod.LittleEndian))
+}
+
+// String returns the string representation of this scalar (fixed length of 32 bytes, little endian).
+func (s *scalar) String() string {
+	b, _ := s.toInt().MarshalBinary()
+	for len(b) < 32 {
+		b = append(b, 0)
+	}
+	return hex.EncodeToString(b)
+}
+
+// Encoded length of this object in bytes.
+func (s *scalar) MarshalSize() int {
+	return 32
+}
+
+// MarshalBinary returns the binary representation of this scalar.
+func (s *scalar) MarshalBinary() ([]byte, error) {
+	return s.toInt().MarshalBinary()
+}
+
+// MarshalID returns the type tag used in encoding/decoding
+func (s *scalar) MarshalID() [8]byte {
+	return marshalScalarID
+}
+
+// UnmarshalBinary reads the binary representation of a scalar.
+func (s *scalar) UnmarshalBinary(buf []byte) error {
+	if len(buf) != 32 {
+		return errors.New("wrong size buffer")
+	}
+	copy(s.v[:], buf)
+	return nil
+}
+
+// MarshalTo writes the binary representation of this scalar to the given
+// writer.
+func (s *scalar) MarshalTo(w io.Writer) (int, error) {
+	return ScalarMarshalTo(s, w)
+}
+
+// UnmarshalFrom reads the binary representation of a scalar from the given
+// reader.
+func (s *scalar) UnmarshalFrom(r io.Reader) (int, error) {
+	return ScalarUnmarshalFrom(s, r)
+}
+
+func newScalarInt(i *big.Int) *scalar {
+	s := scalar{}
+	s.setInt(mod.NewInt(i, fullOrder))
+	return &s
+}
+
+// Input:
+//   a[0]+256*a[1]+...+256^31*a[31] = a
+//   b[0]+256*b[1]+...+256^31*b[31] = b
+//   c[0]+256*c[1]+...+256^31*c[31] = c
+//
+// Output:
+//   s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
+//   where l = 2^252 + 27742317777372353535851937790883648493.
+func scMulAdd(s, a, b, c *[32]byte) {
+	a0 := 2097151 & load3(a[:])
+	a1 := 2097151 & (load4(a[2:]) >> 5)
+	a2 := 2097151 & (load3(a[5:]) >> 2)
+	a3 := 2097151 & (load4(a[7:]) >> 7)
+	a4 := 2097151 & (load4(a[10:]) >> 4)
+	a5 := 2097151 & (load3(a[13:]) >> 1)
+	a6 := 2097151 & (load4(a[15:]) >> 6)
+	a7 := 2097151 & (load3(a[18:]) >> 3)
+	a8 := 2097151 & load3(a[21:])
+	a9 := 2097151 & (load4(a[23:]) >> 5)
+	a10 := 2097151 & (load3(a[26:]) >> 2)
+	a11 := (load4(a[28:]) >> 7)
+	b0 := 2097151 & load3(b[:])
+	b1 := 2097151 & (load4(b[2:]) >> 5)
+	b2 := 2097151 & (load3(b[5:]) >> 2)
+	b3 := 2097151 & (load4(b[7:]) >> 7)
+	b4 := 2097151 & (load4(b[10:]) >> 4)
+	b5 := 2097151 & (load3(b[13:]) >> 1)
+	b6 := 2097151 & (load4(b[15:]) >> 6)
+	b7 := 2097151 & (load3(b[18:]) >> 3)
+	b8 := 2097151 & load3(b[21:])
+	b9 := 2097151 & (load4(b[23:]) >> 5)
+	b10 := 2097151 & (load3(b[26:]) >> 2)
+	b11 := (load4(b[28:]) >> 7)
+	c0 := 2097151 & load3(c[:])
+	c1 := 2097151 & (load4(c[2:]) >> 5)
+	c2 := 2097151 & (load3(c[5:]) >> 2)
+	c3 := 2097151 & (load4(c[7:]) >> 7)
+	c4 := 2097151 & (load4(c[10:]) >> 4)
+	c5 := 2097151 & (load3(c[13:]) >> 1)
+	c6 := 2097151 & (load4(c[15:]) >> 6)
+	c7 := 2097151 & (load3(c[18:]) >> 3)
+	c8 := 2097151 & load3(c[21:])
+	c9 := 2097151 & (load4(c[23:]) >> 5)
+	c10 := 2097151 & (load3(c[26:]) >> 2)
+	c11 := (load4(c[28:]) >> 7)
+	var carry [23]int64
+
+	s0 := c0 + a0*b0
+	s1 := c1 + a0*b1 + a1*b0
+	s2 := c2 + a0*b2 + a1*b1 + a2*b0
+	s3 := c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0
+	s4 := c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0
+	s5 := c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0
+	s6 := c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0
+	s7 := c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0
+	s8 := c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0
+	s9 := c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0
+	s10 := c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0
+	s11 := c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0
+	s12 := a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1
+	s13 := a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2
+	s14 := a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3
+	s15 := a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4
+	s16 := a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5
+	s17 := a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6
+	s18 := a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7
+	s19 := a8*b11 + a9*b10 + a10*b9 + a11*b8
+	s20 := a9*b11 + a10*b10 + a11*b9
+	s21 := a10*b11 + a11*b10
+	s22 := a11 * b11
+	s23 := int64(0)
+
+	carry[0] = (s0 + (1 << 20)) >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[2] = (s2 + (1 << 20)) >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[4] = (s4 + (1 << 20)) >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[6] = (s6 + (1 << 20)) >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[8] = (s8 + (1 << 20)) >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[10] = (s10 + (1 << 20)) >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+	carry[12] = (s12 + (1 << 20)) >> 21
+	s13 += carry[12]
+	s12 -= carry[12] << 21
+	carry[14] = (s14 + (1 << 20)) >> 21
+	s15 += carry[14]
+	s14 -= carry[14] << 21
+	carry[16] = (s16 + (1 << 20)) >> 21
+	s17 += carry[16]
+	s16 -= carry[16] << 21
+	carry[18] = (s18 + (1 << 20)) >> 21
+	s19 += carry[18]
+	s18 -= carry[18] << 21
+	carry[20] = (s20 + (1 << 20)) >> 21
+	s21 += carry[20]
+	s20 -= carry[20] << 21
+	carry[22] = (s22 + (1 << 20)) >> 21
+	s23 += carry[22]
+	s22 -= carry[22] << 21
+
+	carry[1] = (s1 + (1 << 20)) >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[3] = (s3 + (1 << 20)) >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[5] = (s5 + (1 << 20)) >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[7] = (s7 + (1 << 20)) >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[9] = (s9 + (1 << 20)) >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[11] = (s11 + (1 << 20)) >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+	carry[13] = (s13 + (1 << 20)) >> 21
+	s14 += carry[13]
+	s13 -= carry[13] << 21
+	carry[15] = (s15 + (1 << 20)) >> 21
+	s16 += carry[15]
+	s15 -= carry[15] << 21
+	carry[17] = (s17 + (1 << 20)) >> 21
+	s18 += carry[17]
+	s17 -= carry[17] << 21
+	carry[19] = (s19 + (1 << 20)) >> 21
+	s20 += carry[19]
+	s19 -= carry[19] << 21
+	carry[21] = (s21 + (1 << 20)) >> 21
+	s22 += carry[21]
+	s21 -= carry[21] << 21
+
+	s11 += s23 * 666643
+	s12 += s23 * 470296
+	s13 += s23 * 654183
+	s14 -= s23 * 997805
+	s15 += s23 * 136657
+	s16 -= s23 * 683901
+	s23 = 0
+
+	s10 += s22 * 666643
+	s11 += s22 * 470296
+	s12 += s22 * 654183
+	s13 -= s22 * 997805
+	s14 += s22 * 136657
+	s15 -= s22 * 683901
+	s22 = 0
+
+	s9 += s21 * 666643
+	s10 += s21 * 470296
+	s11 += s21 * 654183
+	s12 -= s21 * 997805
+	s13 += s21 * 136657
+	s14 -= s21 * 683901
+	s21 = 0
+
+	s8 += s20 * 666643
+	s9 += s20 * 470296
+	s10 += s20 * 654183
+	s11 -= s20 * 997805
+	s12 += s20 * 136657
+	s13 -= s20 * 683901
+	s20 = 0
+
+	s7 += s19 * 666643
+	s8 += s19 * 470296
+	s9 += s19 * 654183
+	s10 -= s19 * 997805
+	s11 += s19 * 136657
+	s12 -= s19 * 683901
+	s19 = 0
+
+	s6 += s18 * 666643
+	s7 += s18 * 470296
+	s8 += s18 * 654183
+	s9 -= s18 * 997805
+	s10 += s18 * 136657
+	s11 -= s18 * 683901
+	s18 = 0
+
+	carry[6] = (s6 + (1 << 20)) >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[8] = (s8 + (1 << 20)) >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[10] = (s10 + (1 << 20)) >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+	carry[12] = (s12 + (1 << 20)) >> 21
+	s13 += carry[12]
+	s12 -= carry[12] << 21
+	carry[14] = (s14 + (1 << 20)) >> 21
+	s15 += carry[14]
+	s14 -= carry[14] << 21
+	carry[16] = (s16 + (1 << 20)) >> 21
+	s17 += carry[16]
+	s16 -= carry[16] << 21
+
+	carry[7] = (s7 + (1 << 20)) >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[9] = (s9 + (1 << 20)) >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[11] = (s11 + (1 << 20)) >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+	carry[13] = (s13 + (1 << 20)) >> 21
+	s14 += carry[13]
+	s13 -= carry[13] << 21
+	carry[15] = (s15 + (1 << 20)) >> 21
+	s16 += carry[15]
+	s15 -= carry[15] << 21
+
+	s5 += s17 * 666643
+	s6 += s17 * 470296
+	s7 += s17 * 654183
+	s8 -= s17 * 997805
+	s9 += s17 * 136657
+	s10 -= s17 * 683901
+	s17 = 0
+
+	s4 += s16 * 666643
+	s5 += s16 * 470296
+	s6 += s16 * 654183
+	s7 -= s16 * 997805
+	s8 += s16 * 136657
+	s9 -= s16 * 683901
+	s16 = 0
+
+	s3 += s15 * 666643
+	s4 += s15 * 470296
+	s5 += s15 * 654183
+	s6 -= s15 * 997805
+	s7 += s15 * 136657
+	s8 -= s15 * 683901
+	s15 = 0
+
+	s2 += s14 * 666643
+	s3 += s14 * 470296
+	s4 += s14 * 654183
+	s5 -= s14 * 997805
+	s6 += s14 * 136657
+	s7 -= s14 * 683901
+	s14 = 0
+
+	s1 += s13 * 666643
+	s2 += s13 * 470296
+	s3 += s13 * 654183
+	s4 -= s13 * 997805
+	s5 += s13 * 136657
+	s6 -= s13 * 683901
+	s13 = 0
+
+	s0 += s12 * 666643
+	s1 += s12 * 470296
+	s2 += s12 * 654183
+	s3 -= s12 * 997805
+	s4 += s12 * 136657
+	s5 -= s12 * 683901
+	s12 = 0
+
+	carry[0] = (s0 + (1 << 20)) >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[2] = (s2 + (1 << 20)) >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[4] = (s4 + (1 << 20)) >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[6] = (s6 + (1 << 20)) >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[8] = (s8 + (1 << 20)) >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[10] = (s10 + (1 << 20)) >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+
+	carry[1] = (s1 + (1 << 20)) >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[3] = (s3 + (1 << 20)) >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[5] = (s5 + (1 << 20)) >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[7] = (s7 + (1 << 20)) >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[9] = (s9 + (1 << 20)) >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[11] = (s11 + (1 << 20)) >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+
+	s0 += s12 * 666643
+	s1 += s12 * 470296
+	s2 += s12 * 654183
+	s3 -= s12 * 997805
+	s4 += s12 * 136657
+	s5 -= s12 * 683901
+	s12 = 0
+
+	carry[0] = s0 >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[1] = s1 >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[2] = s2 >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[3] = s3 >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[4] = s4 >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[5] = s5 >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[6] = s6 >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[7] = s7 >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[8] = s8 >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[9] = s9 >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[10] = s10 >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+	carry[11] = s11 >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+
+	s0 += s12 * 666643
+	s1 += s12 * 470296
+	s2 += s12 * 654183
+	s3 -= s12 * 997805
+	s4 += s12 * 136657
+	s5 -= s12 * 683901
+	s12 = 0
+
+	carry[0] = s0 >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[1] = s1 >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[2] = s2 >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[3] = s3 >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[4] = s4 >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[5] = s5 >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[6] = s6 >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[7] = s7 >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[8] = s8 >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[9] = s9 >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[10] = s10 >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+
+	s[0] = byte(s0 >> 0)
+	s[1] = byte(s0 >> 8)
+	s[2] = byte((s0 >> 16) | (s1 << 5))
+	s[3] = byte(s1 >> 3)
+	s[4] = byte(s1 >> 11)
+	s[5] = byte((s1 >> 19) | (s2 << 2))
+	s[6] = byte(s2 >> 6)
+	s[7] = byte((s2 >> 14) | (s3 << 7))
+	s[8] = byte(s3 >> 1)
+	s[9] = byte(s3 >> 9)
+	s[10] = byte((s3 >> 17) | (s4 << 4))
+	s[11] = byte(s4 >> 4)
+	s[12] = byte(s4 >> 12)
+	s[13] = byte((s4 >> 20) | (s5 << 1))
+	s[14] = byte(s5 >> 7)
+	s[15] = byte((s5 >> 15) | (s6 << 6))
+	s[16] = byte(s6 >> 2)
+	s[17] = byte(s6 >> 10)
+	s[18] = byte((s6 >> 18) | (s7 << 3))
+	s[19] = byte(s7 >> 5)
+	s[20] = byte(s7 >> 13)
+	s[21] = byte(s8 >> 0)
+	s[22] = byte(s8 >> 8)
+	s[23] = byte((s8 >> 16) | (s9 << 5))
+	s[24] = byte(s9 >> 3)
+	s[25] = byte(s9 >> 11)
+	s[26] = byte((s9 >> 19) | (s10 << 2))
+	s[27] = byte(s10 >> 6)
+	s[28] = byte((s10 >> 14) | (s11 << 7))
+	s[29] = byte(s11 >> 1)
+	s[30] = byte(s11 >> 9)
+	s[31] = byte(s11 >> 17)
+}
+
+// Hacky scAdd cobbled together rather sub-optimally from scMulAdd.
+//
+// Input:
+//   a[0]+256*a[1]+...+256^31*a[31] = a
+//   c[0]+256*c[1]+...+256^31*c[31] = c
+//
+// Output:
+//   s[0]+256*s[1]+...+256^31*s[31] = (a+c) mod l
+//   where l = 2^252 + 27742317777372353535851937790883648493.
+//
+func scAdd(s, a, c *[32]byte) {
+	a0 := 2097151 & load3(a[:])
+	a1 := 2097151 & (load4(a[2:]) >> 5)
+	a2 := 2097151 & (load3(a[5:]) >> 2)
+	a3 := 2097151 & (load4(a[7:]) >> 7)
+	a4 := 2097151 & (load4(a[10:]) >> 4)
+	a5 := 2097151 & (load3(a[13:]) >> 1)
+	a6 := 2097151 & (load4(a[15:]) >> 6)
+	a7 := 2097151 & (load3(a[18:]) >> 3)
+	a8 := 2097151 & load3(a[21:])
+	a9 := 2097151 & (load4(a[23:]) >> 5)
+	a10 := 2097151 & (load3(a[26:]) >> 2)
+	a11 := (load4(a[28:]) >> 7)
+	c0 := 2097151 & load3(c[:])
+	c1 := 2097151 & (load4(c[2:]) >> 5)
+	c2 := 2097151 & (load3(c[5:]) >> 2)
+	c3 := 2097151 & (load4(c[7:]) >> 7)
+	c4 := 2097151 & (load4(c[10:]) >> 4)
+	c5 := 2097151 & (load3(c[13:]) >> 1)
+	c6 := 2097151 & (load4(c[15:]) >> 6)
+	c7 := 2097151 & (load3(c[18:]) >> 3)
+	c8 := 2097151 & load3(c[21:])
+	c9 := 2097151 & (load4(c[23:]) >> 5)
+	c10 := 2097151 & (load3(c[26:]) >> 2)
+	c11 := (load4(c[28:]) >> 7)
+	var carry [23]int64
+
+	s0 := c0 + a0
+	s1 := c1 + a1
+	s2 := c2 + a2
+	s3 := c3 + a3
+	s4 := c4 + a4
+	s5 := c5 + a5
+	s6 := c6 + a6
+	s7 := c7 + a7
+	s8 := c8 + a8
+	s9 := c9 + a9
+	s10 := c10 + a10
+	s11 := c11 + a11
+	s12 := int64(0)
+	s13 := int64(0)
+	s14 := int64(0)
+	s15 := int64(0)
+	s16 := int64(0)
+	s17 := int64(0)
+	s18 := int64(0)
+	s19 := int64(0)
+	s20 := int64(0)
+	s21 := int64(0)
+	s22 := int64(0)
+	s23 := int64(0)
+
+	carry[0] = (s0 + (1 << 20)) >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[2] = (s2 + (1 << 20)) >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[4] = (s4 + (1 << 20)) >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[6] = (s6 + (1 << 20)) >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[8] = (s8 + (1 << 20)) >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[10] = (s10 + (1 << 20)) >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+	carry[12] = (s12 + (1 << 20)) >> 21
+	s13 += carry[12]
+	s12 -= carry[12] << 21
+	carry[14] = (s14 + (1 << 20)) >> 21
+	s15 += carry[14]
+	s14 -= carry[14] << 21
+	carry[16] = (s16 + (1 << 20)) >> 21
+	s17 += carry[16]
+	s16 -= carry[16] << 21
+	carry[18] = (s18 + (1 << 20)) >> 21
+	s19 += carry[18]
+	s18 -= carry[18] << 21
+	carry[20] = (s20 + (1 << 20)) >> 21
+	s21 += carry[20]
+	s20 -= carry[20] << 21
+	carry[22] = (s22 + (1 << 20)) >> 21
+	s23 += carry[22]
+	s22 -= carry[22] << 21
+
+	carry[1] = (s1 + (1 << 20)) >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[3] = (s3 + (1 << 20)) >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[5] = (s5 + (1 << 20)) >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[7] = (s7 + (1 << 20)) >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[9] = (s9 + (1 << 20)) >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[11] = (s11 + (1 << 20)) >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+	carry[13] = (s13 + (1 << 20)) >> 21
+	s14 += carry[13]
+	s13 -= carry[13] << 21
+	carry[15] = (s15 + (1 << 20)) >> 21
+	s16 += carry[15]
+	s15 -= carry[15] << 21
+	carry[17] = (s17 + (1 << 20)) >> 21
+	s18 += carry[17]
+	s17 -= carry[17] << 21
+	carry[19] = (s19 + (1 << 20)) >> 21
+	s20 += carry[19]
+	s19 -= carry[19] << 21
+	carry[21] = (s21 + (1 << 20)) >> 21
+	s22 += carry[21]
+	s21 -= carry[21] << 21
+
+	s11 += s23 * 666643
+	s12 += s23 * 470296
+	s13 += s23 * 654183
+	s14 -= s23 * 997805
+	s15 += s23 * 136657
+	s16 -= s23 * 683901
+	s23 = 0
+
+	s10 += s22 * 666643
+	s11 += s22 * 470296
+	s12 += s22 * 654183
+	s13 -= s22 * 997805
+	s14 += s22 * 136657
+	s15 -= s22 * 683901
+	s22 = 0
+
+	s9 += s21 * 666643
+	s10 += s21 * 470296
+	s11 += s21 * 654183
+	s12 -= s21 * 997805
+	s13 += s21 * 136657
+	s14 -= s21 * 683901
+	s21 = 0
+
+	s8 += s20 * 666643
+	s9 += s20 * 470296
+	s10 += s20 * 654183
+	s11 -= s20 * 997805
+	s12 += s20 * 136657
+	s13 -= s20 * 683901
+	s20 = 0
+
+	s7 += s19 * 666643
+	s8 += s19 * 470296
+	s9 += s19 * 654183
+	s10 -= s19 * 997805
+	s11 += s19 * 136657
+	s12 -= s19 * 683901
+	s19 = 0
+
+	s6 += s18 * 666643
+	s7 += s18 * 470296
+	s8 += s18 * 654183
+	s9 -= s18 * 997805
+	s10 += s18 * 136657
+	s11 -= s18 * 683901
+	s18 = 0
+
+	carry[6] = (s6 + (1 << 20)) >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[8] = (s8 + (1 << 20)) >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[10] = (s10 + (1 << 20)) >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+	carry[12] = (s12 + (1 << 20)) >> 21
+	s13 += carry[12]
+	s12 -= carry[12] << 21
+	carry[14] = (s14 + (1 << 20)) >> 21
+	s15 += carry[14]
+	s14 -= carry[14] << 21
+	carry[16] = (s16 + (1 << 20)) >> 21
+	s17 += carry[16]
+	s16 -= carry[16] << 21
+
+	carry[7] = (s7 + (1 << 20)) >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[9] = (s9 + (1 << 20)) >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[11] = (s11 + (1 << 20)) >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+	carry[13] = (s13 + (1 << 20)) >> 21
+	s14 += carry[13]
+	s13 -= carry[13] << 21
+	carry[15] = (s15 + (1 << 20)) >> 21
+	s16 += carry[15]
+	s15 -= carry[15] << 21
+
+	s5 += s17 * 666643
+	s6 += s17 * 470296
+	s7 += s17 * 654183
+	s8 -= s17 * 997805
+	s9 += s17 * 136657
+	s10 -= s17 * 683901
+	s17 = 0
+
+	s4 += s16 * 666643
+	s5 += s16 * 470296
+	s6 += s16 * 654183
+	s7 -= s16 * 997805
+	s8 += s16 * 136657
+	s9 -= s16 * 683901
+	s16 = 0
+
+	s3 += s15 * 666643
+	s4 += s15 * 470296
+	s5 += s15 * 654183
+	s6 -= s15 * 997805
+	s7 += s15 * 136657
+	s8 -= s15 * 683901
+	s15 = 0
+
+	s2 += s14 * 666643
+	s3 += s14 * 470296
+	s4 += s14 * 654183
+	s5 -= s14 * 997805
+	s6 += s14 * 136657
+	s7 -= s14 * 683901
+	s14 = 0
+
+	s1 += s13 * 666643
+	s2 += s13 * 470296
+	s3 += s13 * 654183
+	s4 -= s13 * 997805
+	s5 += s13 * 136657
+	s6 -= s13 * 683901
+	s13 = 0
+
+	s0 += s12 * 666643
+	s1 += s12 * 470296
+	s2 += s12 * 654183
+	s3 -= s12 * 997805
+	s4 += s12 * 136657
+	s5 -= s12 * 683901
+	s12 = 0
+
+	carry[0] = (s0 + (1 << 20)) >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[2] = (s2 + (1 << 20)) >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[4] = (s4 + (1 << 20)) >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[6] = (s6 + (1 << 20)) >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[8] = (s8 + (1 << 20)) >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[10] = (s10 + (1 << 20)) >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+
+	carry[1] = (s1 + (1 << 20)) >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[3] = (s3 + (1 << 20)) >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[5] = (s5 + (1 << 20)) >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[7] = (s7 + (1 << 20)) >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[9] = (s9 + (1 << 20)) >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[11] = (s11 + (1 << 20)) >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+
+	s0 += s12 * 666643
+	s1 += s12 * 470296
+	s2 += s12 * 654183
+	s3 -= s12 * 997805
+	s4 += s12 * 136657
+	s5 -= s12 * 683901
+	s12 = 0
+
+	carry[0] = s0 >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[1] = s1 >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[2] = s2 >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[3] = s3 >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[4] = s4 >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[5] = s5 >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[6] = s6 >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[7] = s7 >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[8] = s8 >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[9] = s9 >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[10] = s10 >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+	carry[11] = s11 >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+
+	s0 += s12 * 666643
+	s1 += s12 * 470296
+	s2 += s12 * 654183
+	s3 -= s12 * 997805
+	s4 += s12 * 136657
+	s5 -= s12 * 683901
+	s12 = 0
+
+	carry[0] = s0 >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[1] = s1 >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[2] = s2 >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[3] = s3 >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[4] = s4 >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[5] = s5 >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[6] = s6 >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[7] = s7 >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[8] = s8 >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[9] = s9 >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[10] = s10 >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+
+	s[0] = byte(s0 >> 0)
+	s[1] = byte(s0 >> 8)
+	s[2] = byte((s0 >> 16) | (s1 << 5))
+	s[3] = byte(s1 >> 3)
+	s[4] = byte(s1 >> 11)
+	s[5] = byte((s1 >> 19) | (s2 << 2))
+	s[6] = byte(s2 >> 6)
+	s[7] = byte((s2 >> 14) | (s3 << 7))
+	s[8] = byte(s3 >> 1)
+	s[9] = byte(s3 >> 9)
+	s[10] = byte((s3 >> 17) | (s4 << 4))
+	s[11] = byte(s4 >> 4)
+	s[12] = byte(s4 >> 12)
+	s[13] = byte((s4 >> 20) | (s5 << 1))
+	s[14] = byte(s5 >> 7)
+	s[15] = byte((s5 >> 15) | (s6 << 6))
+	s[16] = byte(s6 >> 2)
+	s[17] = byte(s6 >> 10)
+	s[18] = byte((s6 >> 18) | (s7 << 3))
+	s[19] = byte(s7 >> 5)
+	s[20] = byte(s7 >> 13)
+	s[21] = byte(s8 >> 0)
+	s[22] = byte(s8 >> 8)
+	s[23] = byte((s8 >> 16) | (s9 << 5))
+	s[24] = byte(s9 >> 3)
+	s[25] = byte(s9 >> 11)
+	s[26] = byte((s9 >> 19) | (s10 << 2))
+	s[27] = byte(s10 >> 6)
+	s[28] = byte((s10 >> 14) | (s11 << 7))
+	s[29] = byte(s11 >> 1)
+	s[30] = byte(s11 >> 9)
+	s[31] = byte(s11 >> 17)
+}
+
+// Hacky scSub cobbled together rather sub-optimally from scMulAdd.
+//
+// Input:
+//   a[0]+256*a[1]+...+256^31*a[31] = a
+//   c[0]+256*c[1]+...+256^31*c[31] = c
+//
+// Output:
+//   s[0]+256*s[1]+...+256^31*s[31] = (a-c) mod l
+//   where l = 2^252 + 27742317777372353535851937790883648493.
+//
+func scSub(s, a, c *[32]byte) {
+	a0 := 2097151 & load3(a[:])
+	a1 := 2097151 & (load4(a[2:]) >> 5)
+	a2 := 2097151 & (load3(a[5:]) >> 2)
+	a3 := 2097151 & (load4(a[7:]) >> 7)
+	a4 := 2097151 & (load4(a[10:]) >> 4)
+	a5 := 2097151 & (load3(a[13:]) >> 1)
+	a6 := 2097151 & (load4(a[15:]) >> 6)
+	a7 := 2097151 & (load3(a[18:]) >> 3)
+	a8 := 2097151 & load3(a[21:])
+	a9 := 2097151 & (load4(a[23:]) >> 5)
+	a10 := 2097151 & (load3(a[26:]) >> 2)
+	a11 := (load4(a[28:]) >> 7)
+	c0 := 2097151 & load3(c[:])
+	c1 := 2097151 & (load4(c[2:]) >> 5)
+	c2 := 2097151 & (load3(c[5:]) >> 2)
+	c3 := 2097151 & (load4(c[7:]) >> 7)
+	c4 := 2097151 & (load4(c[10:]) >> 4)
+	c5 := 2097151 & (load3(c[13:]) >> 1)
+	c6 := 2097151 & (load4(c[15:]) >> 6)
+	c7 := 2097151 & (load3(c[18:]) >> 3)
+	c8 := 2097151 & load3(c[21:])
+	c9 := 2097151 & (load4(c[23:]) >> 5)
+	c10 := 2097151 & (load3(c[26:]) >> 2)
+	c11 := (load4(c[28:]) >> 7)
+	var carry [23]int64
+
+	s0 := 1916624 - c0 + a0
+	s1 := 863866 - c1 + a1
+	s2 := 18828 - c2 + a2
+	s3 := 1284811 - c3 + a3
+	s4 := 2007799 - c4 + a4
+	s5 := 456654 - c5 + a5
+	s6 := 5 - c6 + a6
+	s7 := 0 - c7 + a7
+	s8 := 0 - c8 + a8
+	s9 := 0 - c9 + a9
+	s10 := 0 - c10 + a10
+	s11 := 0 - c11 + a11
+	s12 := int64(16)
+	s13 := int64(0)
+	s14 := int64(0)
+	s15 := int64(0)
+	s16 := int64(0)
+	s17 := int64(0)
+	s18 := int64(0)
+	s19 := int64(0)
+	s20 := int64(0)
+	s21 := int64(0)
+	s22 := int64(0)
+	s23 := int64(0)
+
+	carry[0] = (s0 + (1 << 20)) >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[2] = (s2 + (1 << 20)) >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[4] = (s4 + (1 << 20)) >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[6] = (s6 + (1 << 20)) >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[8] = (s8 + (1 << 20)) >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[10] = (s10 + (1 << 20)) >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+	carry[12] = (s12 + (1 << 20)) >> 21
+	s13 += carry[12]
+	s12 -= carry[12] << 21
+	carry[14] = (s14 + (1 << 20)) >> 21
+	s15 += carry[14]
+	s14 -= carry[14] << 21
+	carry[16] = (s16 + (1 << 20)) >> 21
+	s17 += carry[16]
+	s16 -= carry[16] << 21
+	carry[18] = (s18 + (1 << 20)) >> 21
+	s19 += carry[18]
+	s18 -= carry[18] << 21
+	carry[20] = (s20 + (1 << 20)) >> 21
+	s21 += carry[20]
+	s20 -= carry[20] << 21
+	carry[22] = (s22 + (1 << 20)) >> 21
+	s23 += carry[22]
+	s22 -= carry[22] << 21
+
+	carry[1] = (s1 + (1 << 20)) >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[3] = (s3 + (1 << 20)) >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[5] = (s5 + (1 << 20)) >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[7] = (s7 + (1 << 20)) >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[9] = (s9 + (1 << 20)) >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[11] = (s11 + (1 << 20)) >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+	carry[13] = (s13 + (1 << 20)) >> 21
+	s14 += carry[13]
+	s13 -= carry[13] << 21
+	carry[15] = (s15 + (1 << 20)) >> 21
+	s16 += carry[15]
+	s15 -= carry[15] << 21
+	carry[17] = (s17 + (1 << 20)) >> 21
+	s18 += carry[17]
+	s17 -= carry[17] << 21
+	carry[19] = (s19 + (1 << 20)) >> 21
+	s20 += carry[19]
+	s19 -= carry[19] << 21
+	carry[21] = (s21 + (1 << 20)) >> 21
+	s22 += carry[21]
+	s21 -= carry[21] << 21
+
+	s11 += s23 * 666643
+	s12 += s23 * 470296
+	s13 += s23 * 654183
+	s14 -= s23 * 997805
+	s15 += s23 * 136657
+	s16 -= s23 * 683901
+	s23 = 0
+
+	s10 += s22 * 666643
+	s11 += s22 * 470296
+	s12 += s22 * 654183
+	s13 -= s22 * 997805
+	s14 += s22 * 136657
+	s15 -= s22 * 683901
+	s22 = 0
+
+	s9 += s21 * 666643
+	s10 += s21 * 470296
+	s11 += s21 * 654183
+	s12 -= s21 * 997805
+	s13 += s21 * 136657
+	s14 -= s21 * 683901
+	s21 = 0
+
+	s8 += s20 * 666643
+	s9 += s20 * 470296
+	s10 += s20 * 654183
+	s11 -= s20 * 997805
+	s12 += s20 * 136657
+	s13 -= s20 * 683901
+	s20 = 0
+
+	s7 += s19 * 666643
+	s8 += s19 * 470296
+	s9 += s19 * 654183
+	s10 -= s19 * 997805
+	s11 += s19 * 136657
+	s12 -= s19 * 683901
+	s19 = 0
+
+	s6 += s18 * 666643
+	s7 += s18 * 470296
+	s8 += s18 * 654183
+	s9 -= s18 * 997805
+	s10 += s18 * 136657
+	s11 -= s18 * 683901
+	s18 = 0
+
+	carry[6] = (s6 + (1 << 20)) >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[8] = (s8 + (1 << 20)) >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[10] = (s10 + (1 << 20)) >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+	carry[12] = (s12 + (1 << 20)) >> 21
+	s13 += carry[12]
+	s12 -= carry[12] << 21
+	carry[14] = (s14 + (1 << 20)) >> 21
+	s15 += carry[14]
+	s14 -= carry[14] << 21
+	carry[16] = (s16 + (1 << 20)) >> 21
+	s17 += carry[16]
+	s16 -= carry[16] << 21
+
+	carry[7] = (s7 + (1 << 20)) >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[9] = (s9 + (1 << 20)) >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[11] = (s11 + (1 << 20)) >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+	carry[13] = (s13 + (1 << 20)) >> 21
+	s14 += carry[13]
+	s13 -= carry[13] << 21
+	carry[15] = (s15 + (1 << 20)) >> 21
+	s16 += carry[15]
+	s15 -= carry[15] << 21
+
+	s5 += s17 * 666643
+	s6 += s17 * 470296
+	s7 += s17 * 654183
+	s8 -= s17 * 997805
+	s9 += s17 * 136657
+	s10 -= s17 * 683901
+	s17 = 0
+
+	s4 += s16 * 666643
+	s5 += s16 * 470296
+	s6 += s16 * 654183
+	s7 -= s16 * 997805
+	s8 += s16 * 136657
+	s9 -= s16 * 683901
+	s16 = 0
+
+	s3 += s15 * 666643
+	s4 += s15 * 470296
+	s5 += s15 * 654183
+	s6 -= s15 * 997805
+	s7 += s15 * 136657
+	s8 -= s15 * 683901
+	s15 = 0
+
+	s2 += s14 * 666643
+	s3 += s14 * 470296
+	s4 += s14 * 654183
+	s5 -= s14 * 997805
+	s6 += s14 * 136657
+	s7 -= s14 * 683901
+	s14 = 0
+
+	s1 += s13 * 666643
+	s2 += s13 * 470296
+	s3 += s13 * 654183
+	s4 -= s13 * 997805
+	s5 += s13 * 136657
+	s6 -= s13 * 683901
+	s13 = 0
+
+	s0 += s12 * 666643
+	s1 += s12 * 470296
+	s2 += s12 * 654183
+	s3 -= s12 * 997805
+	s4 += s12 * 136657
+	s5 -= s12 * 683901
+	s12 = 0
+
+	carry[0] = (s0 + (1 << 20)) >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[2] = (s2 + (1 << 20)) >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[4] = (s4 + (1 << 20)) >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[6] = (s6 + (1 << 20)) >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[8] = (s8 + (1 << 20)) >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[10] = (s10 + (1 << 20)) >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+
+	carry[1] = (s1 + (1 << 20)) >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[3] = (s3 + (1 << 20)) >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[5] = (s5 + (1 << 20)) >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[7] = (s7 + (1 << 20)) >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[9] = (s9 + (1 << 20)) >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[11] = (s11 + (1 << 20)) >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+
+	s0 += s12 * 666643
+	s1 += s12 * 470296
+	s2 += s12 * 654183
+	s3 -= s12 * 997805
+	s4 += s12 * 136657
+	s5 -= s12 * 683901
+	s12 = 0
+
+	carry[0] = s0 >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[1] = s1 >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[2] = s2 >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[3] = s3 >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[4] = s4 >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[5] = s5 >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[6] = s6 >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[7] = s7 >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[8] = s8 >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[9] = s9 >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[10] = s10 >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+	carry[11] = s11 >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+
+	s0 += s12 * 666643
+	s1 += s12 * 470296
+	s2 += s12 * 654183
+	s3 -= s12 * 997805
+	s4 += s12 * 136657
+	s5 -= s12 * 683901
+	s12 = 0
+
+	carry[0] = s0 >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[1] = s1 >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[2] = s2 >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[3] = s3 >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[4] = s4 >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[5] = s5 >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[6] = s6 >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[7] = s7 >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[8] = s8 >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[9] = s9 >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[10] = s10 >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+
+	s[0] = byte(s0 >> 0)
+	s[1] = byte(s0 >> 8)
+	s[2] = byte((s0 >> 16) | (s1 << 5))
+	s[3] = byte(s1 >> 3)
+	s[4] = byte(s1 >> 11)
+	s[5] = byte((s1 >> 19) | (s2 << 2))
+	s[6] = byte(s2 >> 6)
+	s[7] = byte((s2 >> 14) | (s3 << 7))
+	s[8] = byte(s3 >> 1)
+	s[9] = byte(s3 >> 9)
+	s[10] = byte((s3 >> 17) | (s4 << 4))
+	s[11] = byte(s4 >> 4)
+	s[12] = byte(s4 >> 12)
+	s[13] = byte((s4 >> 20) | (s5 << 1))
+	s[14] = byte(s5 >> 7)
+	s[15] = byte((s5 >> 15) | (s6 << 6))
+	s[16] = byte(s6 >> 2)
+	s[17] = byte(s6 >> 10)
+	s[18] = byte((s6 >> 18) | (s7 << 3))
+	s[19] = byte(s7 >> 5)
+	s[20] = byte(s7 >> 13)
+	s[21] = byte(s8 >> 0)
+	s[22] = byte(s8 >> 8)
+	s[23] = byte((s8 >> 16) | (s9 << 5))
+	s[24] = byte(s9 >> 3)
+	s[25] = byte(s9 >> 11)
+	s[26] = byte((s9 >> 19) | (s10 << 2))
+	s[27] = byte(s10 >> 6)
+	s[28] = byte((s10 >> 14) | (s11 << 7))
+	s[29] = byte(s11 >> 1)
+	s[30] = byte(s11 >> 9)
+	s[31] = byte(s11 >> 17)
+}
+
+// Hacky scMul cobbled together rather sub-optimally from scMulAdd.
+//
+// Input:
+//   a[0]+256*a[1]+...+256^31*a[31] = a
+//   b[0]+256*b[1]+...+256^31*b[31] = b
+//
+// Output:
+//   s[0]+256*s[1]+...+256^31*s[31] = (ab) mod l
+//   where l = 2^252 + 27742317777372353535851937790883648493.
+func scMul(s, a, b *[32]byte) {
+	a0 := 2097151 & load3(a[:])
+	a1 := 2097151 & (load4(a[2:]) >> 5)
+	a2 := 2097151 & (load3(a[5:]) >> 2)
+	a3 := 2097151 & (load4(a[7:]) >> 7)
+	a4 := 2097151 & (load4(a[10:]) >> 4)
+	a5 := 2097151 & (load3(a[13:]) >> 1)
+	a6 := 2097151 & (load4(a[15:]) >> 6)
+	a7 := 2097151 & (load3(a[18:]) >> 3)
+	a8 := 2097151 & load3(a[21:])
+	a9 := 2097151 & (load4(a[23:]) >> 5)
+	a10 := 2097151 & (load3(a[26:]) >> 2)
+	a11 := (load4(a[28:]) >> 7)
+	b0 := 2097151 & load3(b[:])
+	b1 := 2097151 & (load4(b[2:]) >> 5)
+	b2 := 2097151 & (load3(b[5:]) >> 2)
+	b3 := 2097151 & (load4(b[7:]) >> 7)
+	b4 := 2097151 & (load4(b[10:]) >> 4)
+	b5 := 2097151 & (load3(b[13:]) >> 1)
+	b6 := 2097151 & (load4(b[15:]) >> 6)
+	b7 := 2097151 & (load3(b[18:]) >> 3)
+	b8 := 2097151 & load3(b[21:])
+	b9 := 2097151 & (load4(b[23:]) >> 5)
+	b10 := 2097151 & (load3(b[26:]) >> 2)
+	b11 := (load4(b[28:]) >> 7)
+	c0 := int64(0)
+	c1 := int64(0)
+	c2 := int64(0)
+	c3 := int64(0)
+	c4 := int64(0)
+	c5 := int64(0)
+	c6 := int64(0)
+	c7 := int64(0)
+	c8 := int64(0)
+	c9 := int64(0)
+	c10 := int64(0)
+	c11 := int64(0)
+	var carry [23]int64
+
+	s0 := c0 + a0*b0
+	s1 := c1 + a0*b1 + a1*b0
+	s2 := c2 + a0*b2 + a1*b1 + a2*b0
+	s3 := c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0
+	s4 := c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0
+	s5 := c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0
+	s6 := c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0
+	s7 := c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0
+	s8 := c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0
+	s9 := c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0
+	s10 := c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0
+	s11 := c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0
+	s12 := a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1
+	s13 := a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2
+	s14 := a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3
+	s15 := a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4
+	s16 := a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5
+	s17 := a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6
+	s18 := a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7
+	s19 := a8*b11 + a9*b10 + a10*b9 + a11*b8
+	s20 := a9*b11 + a10*b10 + a11*b9
+	s21 := a10*b11 + a11*b10
+	s22 := a11 * b11
+	s23 := int64(0)
+
+	carry[0] = (s0 + (1 << 20)) >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[2] = (s2 + (1 << 20)) >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[4] = (s4 + (1 << 20)) >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[6] = (s6 + (1 << 20)) >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[8] = (s8 + (1 << 20)) >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[10] = (s10 + (1 << 20)) >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+	carry[12] = (s12 + (1 << 20)) >> 21
+	s13 += carry[12]
+	s12 -= carry[12] << 21
+	carry[14] = (s14 + (1 << 20)) >> 21
+	s15 += carry[14]
+	s14 -= carry[14] << 21
+	carry[16] = (s16 + (1 << 20)) >> 21
+	s17 += carry[16]
+	s16 -= carry[16] << 21
+	carry[18] = (s18 + (1 << 20)) >> 21
+	s19 += carry[18]
+	s18 -= carry[18] << 21
+	carry[20] = (s20 + (1 << 20)) >> 21
+	s21 += carry[20]
+	s20 -= carry[20] << 21
+	carry[22] = (s22 + (1 << 20)) >> 21
+	s23 += carry[22]
+	s22 -= carry[22] << 21
+
+	carry[1] = (s1 + (1 << 20)) >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[3] = (s3 + (1 << 20)) >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[5] = (s5 + (1 << 20)) >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[7] = (s7 + (1 << 20)) >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[9] = (s9 + (1 << 20)) >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[11] = (s11 + (1 << 20)) >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+	carry[13] = (s13 + (1 << 20)) >> 21
+	s14 += carry[13]
+	s13 -= carry[13] << 21
+	carry[15] = (s15 + (1 << 20)) >> 21
+	s16 += carry[15]
+	s15 -= carry[15] << 21
+	carry[17] = (s17 + (1 << 20)) >> 21
+	s18 += carry[17]
+	s17 -= carry[17] << 21
+	carry[19] = (s19 + (1 << 20)) >> 21
+	s20 += carry[19]
+	s19 -= carry[19] << 21
+	carry[21] = (s21 + (1 << 20)) >> 21
+	s22 += carry[21]
+	s21 -= carry[21] << 21
+
+	s11 += s23 * 666643
+	s12 += s23 * 470296
+	s13 += s23 * 654183
+	s14 -= s23 * 997805
+	s15 += s23 * 136657
+	s16 -= s23 * 683901
+	s23 = 0
+
+	s10 += s22 * 666643
+	s11 += s22 * 470296
+	s12 += s22 * 654183
+	s13 -= s22 * 997805
+	s14 += s22 * 136657
+	s15 -= s22 * 683901
+	s22 = 0
+
+	s9 += s21 * 666643
+	s10 += s21 * 470296
+	s11 += s21 * 654183
+	s12 -= s21 * 997805
+	s13 += s21 * 136657
+	s14 -= s21 * 683901
+	s21 = 0
+
+	s8 += s20 * 666643
+	s9 += s20 * 470296
+	s10 += s20 * 654183
+	s11 -= s20 * 997805
+	s12 += s20 * 136657
+	s13 -= s20 * 683901
+	s20 = 0
+
+	s7 += s19 * 666643
+	s8 += s19 * 470296
+	s9 += s19 * 654183
+	s10 -= s19 * 997805
+	s11 += s19 * 136657
+	s12 -= s19 * 683901
+	s19 = 0
+
+	s6 += s18 * 666643
+	s7 += s18 * 470296
+	s8 += s18 * 654183
+	s9 -= s18 * 997805
+	s10 += s18 * 136657
+	s11 -= s18 * 683901
+	s18 = 0
+
+	carry[6] = (s6 + (1 << 20)) >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[8] = (s8 + (1 << 20)) >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[10] = (s10 + (1 << 20)) >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+	carry[12] = (s12 + (1 << 20)) >> 21
+	s13 += carry[12]
+	s12 -= carry[12] << 21
+	carry[14] = (s14 + (1 << 20)) >> 21
+	s15 += carry[14]
+	s14 -= carry[14] << 21
+	carry[16] = (s16 + (1 << 20)) >> 21
+	s17 += carry[16]
+	s16 -= carry[16] << 21
+
+	carry[7] = (s7 + (1 << 20)) >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[9] = (s9 + (1 << 20)) >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[11] = (s11 + (1 << 20)) >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+	carry[13] = (s13 + (1 << 20)) >> 21
+	s14 += carry[13]
+	s13 -= carry[13] << 21
+	carry[15] = (s15 + (1 << 20)) >> 21
+	s16 += carry[15]
+	s15 -= carry[15] << 21
+
+	s5 += s17 * 666643
+	s6 += s17 * 470296
+	s7 += s17 * 654183
+	s8 -= s17 * 997805
+	s9 += s17 * 136657
+	s10 -= s17 * 683901
+	s17 = 0
+
+	s4 += s16 * 666643
+	s5 += s16 * 470296
+	s6 += s16 * 654183
+	s7 -= s16 * 997805
+	s8 += s16 * 136657
+	s9 -= s16 * 683901
+	s16 = 0
+
+	s3 += s15 * 666643
+	s4 += s15 * 470296
+	s5 += s15 * 654183
+	s6 -= s15 * 997805
+	s7 += s15 * 136657
+	s8 -= s15 * 683901
+	s15 = 0
+
+	s2 += s14 * 666643
+	s3 += s14 * 470296
+	s4 += s14 * 654183
+	s5 -= s14 * 997805
+	s6 += s14 * 136657
+	s7 -= s14 * 683901
+	s14 = 0
+
+	s1 += s13 * 666643
+	s2 += s13 * 470296
+	s3 += s13 * 654183
+	s4 -= s13 * 997805
+	s5 += s13 * 136657
+	s6 -= s13 * 683901
+	s13 = 0
+
+	s0 += s12 * 666643
+	s1 += s12 * 470296
+	s2 += s12 * 654183
+	s3 -= s12 * 997805
+	s4 += s12 * 136657
+	s5 -= s12 * 683901
+	s12 = 0
+
+	carry[0] = (s0 + (1 << 20)) >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[2] = (s2 + (1 << 20)) >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[4] = (s4 + (1 << 20)) >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[6] = (s6 + (1 << 20)) >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[8] = (s8 + (1 << 20)) >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[10] = (s10 + (1 << 20)) >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+
+	carry[1] = (s1 + (1 << 20)) >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[3] = (s3 + (1 << 20)) >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[5] = (s5 + (1 << 20)) >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[7] = (s7 + (1 << 20)) >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[9] = (s9 + (1 << 20)) >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[11] = (s11 + (1 << 20)) >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+
+	s0 += s12 * 666643
+	s1 += s12 * 470296
+	s2 += s12 * 654183
+	s3 -= s12 * 997805
+	s4 += s12 * 136657
+	s5 -= s12 * 683901
+	s12 = 0
+
+	carry[0] = s0 >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[1] = s1 >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[2] = s2 >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[3] = s3 >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[4] = s4 >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[5] = s5 >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[6] = s6 >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[7] = s7 >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[8] = s8 >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[9] = s9 >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[10] = s10 >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+	carry[11] = s11 >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+
+	s0 += s12 * 666643
+	s1 += s12 * 470296
+	s2 += s12 * 654183
+	s3 -= s12 * 997805
+	s4 += s12 * 136657
+	s5 -= s12 * 683901
+	s12 = 0
+
+	carry[0] = s0 >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[1] = s1 >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[2] = s2 >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[3] = s3 >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[4] = s4 >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[5] = s5 >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[6] = s6 >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[7] = s7 >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[8] = s8 >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[9] = s9 >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[10] = s10 >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+
+	s[0] = byte(s0 >> 0)
+	s[1] = byte(s0 >> 8)
+	s[2] = byte((s0 >> 16) | (s1 << 5))
+	s[3] = byte(s1 >> 3)
+	s[4] = byte(s1 >> 11)
+	s[5] = byte((s1 >> 19) | (s2 << 2))
+	s[6] = byte(s2 >> 6)
+	s[7] = byte((s2 >> 14) | (s3 << 7))
+	s[8] = byte(s3 >> 1)
+	s[9] = byte(s3 >> 9)
+	s[10] = byte((s3 >> 17) | (s4 << 4))
+	s[11] = byte(s4 >> 4)
+	s[12] = byte(s4 >> 12)
+	s[13] = byte((s4 >> 20) | (s5 << 1))
+	s[14] = byte(s5 >> 7)
+	s[15] = byte((s5 >> 15) | (s6 << 6))
+	s[16] = byte(s6 >> 2)
+	s[17] = byte(s6 >> 10)
+	s[18] = byte((s6 >> 18) | (s7 << 3))
+	s[19] = byte(s7 >> 5)
+	s[20] = byte(s7 >> 13)
+	s[21] = byte(s8 >> 0)
+	s[22] = byte(s8 >> 8)
+	s[23] = byte((s8 >> 16) | (s9 << 5))
+	s[24] = byte(s9 >> 3)
+	s[25] = byte(s9 >> 11)
+	s[26] = byte((s9 >> 19) | (s10 << 2))
+	s[27] = byte(s10 >> 6)
+	s[28] = byte((s10 >> 14) | (s11 << 7))
+	s[29] = byte(s11 >> 1)
+	s[30] = byte(s11 >> 9)
+	s[31] = byte(s11 >> 17)
+}
+
+// Input:
+//   s[0]+256*s[1]+...+256^63*s[63] = s
+//
+// Output:
+//   s[0]+256*s[1]+...+256^31*s[31] = s mod l
+//   where l = 2^252 + 27742317777372353535851937790883648493.
+func scReduce(out *[32]byte, s *[64]byte) {
+	s0 := 2097151 & load3(s[:])
+	s1 := 2097151 & (load4(s[2:]) >> 5)
+	s2 := 2097151 & (load3(s[5:]) >> 2)
+	s3 := 2097151 & (load4(s[7:]) >> 7)
+	s4 := 2097151 & (load4(s[10:]) >> 4)
+	s5 := 2097151 & (load3(s[13:]) >> 1)
+	s6 := 2097151 & (load4(s[15:]) >> 6)
+	s7 := 2097151 & (load3(s[18:]) >> 3)
+	s8 := 2097151 & load3(s[21:])
+	s9 := 2097151 & (load4(s[23:]) >> 5)
+	s10 := 2097151 & (load3(s[26:]) >> 2)
+	s11 := 2097151 & (load4(s[28:]) >> 7)
+	s12 := 2097151 & (load4(s[31:]) >> 4)
+	s13 := 2097151 & (load3(s[34:]) >> 1)
+	s14 := 2097151 & (load4(s[36:]) >> 6)
+	s15 := 2097151 & (load3(s[39:]) >> 3)
+	s16 := 2097151 & load3(s[42:])
+	s17 := 2097151 & (load4(s[44:]) >> 5)
+	s18 := 2097151 & (load3(s[47:]) >> 2)
+	s19 := 2097151 & (load4(s[49:]) >> 7)
+	s20 := 2097151 & (load4(s[52:]) >> 4)
+	s21 := 2097151 & (load3(s[55:]) >> 1)
+	s22 := 2097151 & (load4(s[57:]) >> 6)
+	s23 := (load4(s[60:]) >> 3)
+
+	s11 += s23 * 666643
+	s12 += s23 * 470296
+	s13 += s23 * 654183
+	s14 -= s23 * 997805
+	s15 += s23 * 136657
+	s16 -= s23 * 683901
+	s23 = 0
+
+	s10 += s22 * 666643
+	s11 += s22 * 470296
+	s12 += s22 * 654183
+	s13 -= s22 * 997805
+	s14 += s22 * 136657
+	s15 -= s22 * 683901
+	s22 = 0
+
+	s9 += s21 * 666643
+	s10 += s21 * 470296
+	s11 += s21 * 654183
+	s12 -= s21 * 997805
+	s13 += s21 * 136657
+	s14 -= s21 * 683901
+	s21 = 0
+
+	s8 += s20 * 666643
+	s9 += s20 * 470296
+	s10 += s20 * 654183
+	s11 -= s20 * 997805
+	s12 += s20 * 136657
+	s13 -= s20 * 683901
+	s20 = 0
+
+	s7 += s19 * 666643
+	s8 += s19 * 470296
+	s9 += s19 * 654183
+	s10 -= s19 * 997805
+	s11 += s19 * 136657
+	s12 -= s19 * 683901
+	s19 = 0
+
+	s6 += s18 * 666643
+	s7 += s18 * 470296
+	s8 += s18 * 654183
+	s9 -= s18 * 997805
+	s10 += s18 * 136657
+	s11 -= s18 * 683901
+	s18 = 0
+
+	var carry [17]int64
+
+	carry[6] = (s6 + (1 << 20)) >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[8] = (s8 + (1 << 20)) >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[10] = (s10 + (1 << 20)) >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+	carry[12] = (s12 + (1 << 20)) >> 21
+	s13 += carry[12]
+	s12 -= carry[12] << 21
+	carry[14] = (s14 + (1 << 20)) >> 21
+	s15 += carry[14]
+	s14 -= carry[14] << 21
+	carry[16] = (s16 + (1 << 20)) >> 21
+	s17 += carry[16]
+	s16 -= carry[16] << 21
+
+	carry[7] = (s7 + (1 << 20)) >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[9] = (s9 + (1 << 20)) >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[11] = (s11 + (1 << 20)) >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+	carry[13] = (s13 + (1 << 20)) >> 21
+	s14 += carry[13]
+	s13 -= carry[13] << 21
+	carry[15] = (s15 + (1 << 20)) >> 21
+	s16 += carry[15]
+	s15 -= carry[15] << 21
+
+	s5 += s17 * 666643
+	s6 += s17 * 470296
+	s7 += s17 * 654183
+	s8 -= s17 * 997805
+	s9 += s17 * 136657
+	s10 -= s17 * 683901
+	s17 = 0
+
+	s4 += s16 * 666643
+	s5 += s16 * 470296
+	s6 += s16 * 654183
+	s7 -= s16 * 997805
+	s8 += s16 * 136657
+	s9 -= s16 * 683901
+	s16 = 0
+
+	s3 += s15 * 666643
+	s4 += s15 * 470296
+	s5 += s15 * 654183
+	s6 -= s15 * 997805
+	s7 += s15 * 136657
+	s8 -= s15 * 683901
+	s15 = 0
+
+	s2 += s14 * 666643
+	s3 += s14 * 470296
+	s4 += s14 * 654183
+	s5 -= s14 * 997805
+	s6 += s14 * 136657
+	s7 -= s14 * 683901
+	s14 = 0
+
+	s1 += s13 * 666643
+	s2 += s13 * 470296
+	s3 += s13 * 654183
+	s4 -= s13 * 997805
+	s5 += s13 * 136657
+	s6 -= s13 * 683901
+	s13 = 0
+
+	s0 += s12 * 666643
+	s1 += s12 * 470296
+	s2 += s12 * 654183
+	s3 -= s12 * 997805
+	s4 += s12 * 136657
+	s5 -= s12 * 683901
+	s12 = 0
+
+	carry[0] = (s0 + (1 << 20)) >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[2] = (s2 + (1 << 20)) >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[4] = (s4 + (1 << 20)) >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[6] = (s6 + (1 << 20)) >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[8] = (s8 + (1 << 20)) >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[10] = (s10 + (1 << 20)) >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+
+	carry[1] = (s1 + (1 << 20)) >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[3] = (s3 + (1 << 20)) >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[5] = (s5 + (1 << 20)) >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[7] = (s7 + (1 << 20)) >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[9] = (s9 + (1 << 20)) >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[11] = (s11 + (1 << 20)) >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+
+	s0 += s12 * 666643
+	s1 += s12 * 470296
+	s2 += s12 * 654183
+	s3 -= s12 * 997805
+	s4 += s12 * 136657
+	s5 -= s12 * 683901
+	s12 = 0
+
+	carry[0] = s0 >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[1] = s1 >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[2] = s2 >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[3] = s3 >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[4] = s4 >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[5] = s5 >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[6] = s6 >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[7] = s7 >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[8] = s8 >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[9] = s9 >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[10] = s10 >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+	carry[11] = s11 >> 21
+	s12 += carry[11]
+	s11 -= carry[11] << 21
+
+	s0 += s12 * 666643
+	s1 += s12 * 470296
+	s2 += s12 * 654183
+	s3 -= s12 * 997805
+	s4 += s12 * 136657
+	s5 -= s12 * 683901
+	s12 = 0
+
+	carry[0] = s0 >> 21
+	s1 += carry[0]
+	s0 -= carry[0] << 21
+	carry[1] = s1 >> 21
+	s2 += carry[1]
+	s1 -= carry[1] << 21
+	carry[2] = s2 >> 21
+	s3 += carry[2]
+	s2 -= carry[2] << 21
+	carry[3] = s3 >> 21
+	s4 += carry[3]
+	s3 -= carry[3] << 21
+	carry[4] = s4 >> 21
+	s5 += carry[4]
+	s4 -= carry[4] << 21
+	carry[5] = s5 >> 21
+	s6 += carry[5]
+	s5 -= carry[5] << 21
+	carry[6] = s6 >> 21
+	s7 += carry[6]
+	s6 -= carry[6] << 21
+	carry[7] = s7 >> 21
+	s8 += carry[7]
+	s7 -= carry[7] << 21
+	carry[8] = s8 >> 21
+	s9 += carry[8]
+	s8 -= carry[8] << 21
+	carry[9] = s9 >> 21
+	s10 += carry[9]
+	s9 -= carry[9] << 21
+	carry[10] = s10 >> 21
+	s11 += carry[10]
+	s10 -= carry[10] << 21
+
+	out[0] = byte(s0 >> 0)
+	out[1] = byte(s0 >> 8)
+	out[2] = byte((s0 >> 16) | (s1 << 5))
+	out[3] = byte(s1 >> 3)
+	out[4] = byte(s1 >> 11)
+	out[5] = byte((s1 >> 19) | (s2 << 2))
+	out[6] = byte(s2 >> 6)
+	out[7] = byte((s2 >> 14) | (s3 << 7))
+	out[8] = byte(s3 >> 1)
+	out[9] = byte(s3 >> 9)
+	out[10] = byte((s3 >> 17) | (s4 << 4))
+	out[11] = byte(s4 >> 4)
+	out[12] = byte(s4 >> 12)
+	out[13] = byte((s4 >> 20) | (s5 << 1))
+	out[14] = byte(s5 >> 7)
+	out[15] = byte((s5 >> 15) | (s6 << 6))
+	out[16] = byte(s6 >> 2)
+	out[17] = byte(s6 >> 10)
+	out[18] = byte((s6 >> 18) | (s7 << 3))
+	out[19] = byte(s7 >> 5)
+	out[20] = byte(s7 >> 13)
+	out[21] = byte(s8 >> 0)
+	out[22] = byte(s8 >> 8)
+	out[23] = byte((s8 >> 16) | (s9 << 5))
+	out[24] = byte(s9 >> 3)
+	out[25] = byte(s9 >> 11)
+	out[26] = byte((s9 >> 19) | (s10 << 2))
+	out[27] = byte(s10 >> 6)
+	out[28] = byte((s10 >> 14) | (s11 << 7))
+	out[29] = byte(s11 >> 1)
+	out[30] = byte(s11 >> 9)
+	out[31] = byte(s11 >> 17)
+}
diff --git a/kyber/group/edwards25519/scalar_test.go b/kyber/group/edwards25519/scalar_test.go
new file mode 100644
index 0000000000..0e8459c9a1
--- /dev/null
+++ b/kyber/group/edwards25519/scalar_test.go
@@ -0,0 +1,459 @@
+package edwards25519
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+// SimpleCTScalar implements the scalar operations only using `ScMulAdd` by
+// playing with the parameters.
+type SimpleCTScalar struct {
+	*scalar
+}
+
+func newSimpleCTScalar() kyber.Scalar {
+	return &SimpleCTScalar{&scalar{}}
+}
+
+var one = new(scalar).SetInt64(1).(*scalar)
+var zero = new(scalar).Zero().(*scalar)
+
+var minusOne = new(scalar).SetBytes([]byte{0xec, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10}).(*scalar)
+
+func (s *SimpleCTScalar) Add(s1, s2 kyber.Scalar) kyber.Scalar {
+	sc1 := s1.(*SimpleCTScalar)
+	sc2 := s2.(*SimpleCTScalar)
+
+	// a * b + c = a * 1 + c
+	scMulAdd(&s.v, &sc1.v, &one.v, &sc2.v)
+	return s
+}
+
+func (s *SimpleCTScalar) Mul(s1, s2 kyber.Scalar) kyber.Scalar {
+	sc1 := s1.(*SimpleCTScalar)
+	sc2 := s2.(*SimpleCTScalar)
+
+	// a * b + c = a * b + 0
+	scMulAdd(&s.v, &sc1.v, &sc2.v, &zero.v)
+	return s
+}
+
+func (s *SimpleCTScalar) Sub(s1, s2 kyber.Scalar) kyber.Scalar {
+	sc1 := s1.(*SimpleCTScalar)
+	sc2 := s2.(*SimpleCTScalar)
+
+	// a * b + c = -1 * a + c
+	scMulAdd(&s.v, &minusOne.v, &sc1.v, &sc2.v)
+	return s
+
+}
+
+func (s *SimpleCTScalar) Equal(s2 kyber.Scalar) bool {
+	return s.scalar.Equal(s2.(*SimpleCTScalar).scalar)
+}
+
+// factoredScalar implements the scalar operations using a factored version or
+// `ScReduce` at the end of each operations.
+type factoredScalar struct {
+	*scalar
+}
+
+func newFactoredScalar() kyber.Scalar {
+	return &factoredScalar{&scalar{}}
+}
+
+func (s *factoredScalar) Add(s1, s2 kyber.Scalar) kyber.Scalar {
+	sf1 := s1.(*factoredScalar)
+	sf2 := s2.(*factoredScalar)
+	scAddFact(&s.v, &sf1.v, &sf2.v)
+	return s
+}
+
+func (s *factoredScalar) Mul(s1, s2 kyber.Scalar) kyber.Scalar {
+	sf1 := s1.(*factoredScalar)
+	sf2 := s2.(*factoredScalar)
+	scMulFact(&s.v, &sf1.v, &sf2.v)
+	return s
+}
+
+func (s *factoredScalar) Sub(s1, s2 kyber.Scalar) kyber.Scalar {
+	sf1 := s1.(*factoredScalar)
+	sf2 := s2.(*factoredScalar)
+	scSubFact(&s.v, &sf1.v, &sf2.v)
+	return s
+}
+
+func (s *factoredScalar) Equal(s2 kyber.Scalar) bool {
+	return s.scalar.Equal(s2.(*factoredScalar).scalar)
+}
+
+func TestFactoredScalar(t *testing.T) {
+	testSimple(t, newFactoredScalar)
+}
+
+func TestSimpleCTScalar(t *testing.T) {
+	testSimple(t, newSimpleCTScalar)
+}
+
+func TestString(t *testing.T) {
+	// Create a scalar that would trigger #262.
+	s := new(scalar)
+	s.SetInt64(0x100)
+	s.Add(s, one)
+	if s.String() != "0101000000000000000000000000000000000000000000000000000000000000" {
+		t.Fatal("unexpected result from String():", s.String())
+	}
+}
+
+func TestScalar_Marshal(t *testing.T) {
+	s := &scalar{}
+	require.Equal(t, "ed.scala", fmt.Sprintf("%s", s.MarshalID()))
+}
+
+func TestSetBytesLE(t *testing.T) {
+	s := new(scalar)
+	s.SetBytes([]byte{0, 1, 2, 3})
+	if s.String() != "0001020300000000000000000000000000000000000000000000000000000000" {
+		t.Fatal("unexpected result from String():", s.String())
+	}
+}
+
+func testSimple(t *testing.T, new func() kyber.Scalar) {
+	s1 := new()
+	s2 := new()
+	s3 := new()
+	s1.SetInt64(2)
+	s2.Pick(random.New())
+
+	s22 := new().Add(s2, s2)
+
+	if !s3.Mul(s1, s2).Equal(s22) {
+		t.Fail()
+	}
+
+}
+
+func benchScalarAdd(b *testing.B, new func() kyber.Scalar) {
+	var seed = tSuite.XOF([]byte("hello world"))
+	s1 := new()
+	s2 := new()
+	s3 := new()
+	s1.Pick(seed)
+	s2.Pick(seed)
+
+	for i := 0; i < b.N; i++ {
+		s3.Add(s1, s2)
+	}
+}
+
+func benchScalarMul(b *testing.B, new func() kyber.Scalar) {
+	var seed = tSuite.XOF([]byte("hello world"))
+	s1 := new()
+	s2 := new()
+	s3 := new()
+	s1.Pick(seed)
+	s2.Pick(seed)
+
+	for i := 0; i < b.N; i++ {
+		s3.Mul(s1, s2)
+	}
+}
+
+func benchScalarSub(b *testing.B, new func() kyber.Scalar) {
+	var seed = tSuite.XOF([]byte("hello world"))
+	s1 := new()
+	s2 := new()
+	s3 := new()
+	s1.Pick(seed)
+	s2.Pick(seed)
+
+	for i := 0; i < b.N; i++ {
+		s3.Sub(s1, s2)
+	}
+}
+
+// addition
+
+func BenchmarkCTScalarAdd(b *testing.B) { benchScalarAdd(b, tSuite.Scalar) }
+
+func BenchmarkCTScalarSimpleAdd(b *testing.B) { benchScalarAdd(b, newSimpleCTScalar) }
+
+func BenchmarkCTScalarFactoredAdd(b *testing.B) { benchScalarAdd(b, newFactoredScalar) }
+
+// multiplication
+
+func BenchmarkCTScalarMul(b *testing.B) { benchScalarMul(b, tSuite.Scalar) }
+
+func BenchmarkCTScalarSimpleMul(b *testing.B) { benchScalarMul(b, newSimpleCTScalar) }
+
+func BenchmarkCTScalarFactoredMul(b *testing.B) { benchScalarMul(b, newFactoredScalar) }
+
+// substraction
+
+func BenchmarkCTScalarSub(b *testing.B) { benchScalarSub(b, tSuite.Scalar) }
+
+func BenchmarkCTScalarSimpleSub(b *testing.B) { benchScalarSub(b, newSimpleCTScalar) }
+
+func BenchmarkCTScalarFactoredSub(b *testing.B) { benchScalarSub(b, newFactoredScalar) }
+
+func doCarryUncentered(limbs [24]int64, i int) {
+	carry := limbs[i] >> 21
+	limbs[i+1] += carry
+	limbs[i] -= carry << 21
+}
+
+// Carry excess from the `i`-th limb into the `(i+1)`-th limb.
+// Postcondition: `-2^20 <= limbs[i] < 2^20`.
+func doCarryCentered(limbs [24]int64, i int) {
+	carry := (limbs[i] + (1 << 20)) >> 21
+	limbs[i+1] += carry
+	limbs[i] -= carry << 21
+}
+
+func doReduction(limbs [24]int64, i int) {
+	limbs[i-12] += limbs[i] * 666643
+	limbs[i-11] += limbs[i] * 470296
+	limbs[i-10] += limbs[i] * 654183
+	limbs[i-9] -= limbs[i] * 997805
+	limbs[i-8] += limbs[i] * 136657
+	limbs[i-7] -= limbs[i] * 683901
+	limbs[i] = 0
+}
+
+func scReduceLimbs(limbs [24]int64) {
+	//for i in 0..23 {
+	for i := 0; i < 23; i++ {
+		doCarryCentered(limbs, i)
+	}
+	//for i in (0..23).filter(|x| x % 2 == 1) {
+	for i := 1; i < 23; i += 2 {
+		doCarryCentered(limbs, i)
+	}
+
+	doReduction(limbs, 23)
+	doReduction(limbs, 22)
+	doReduction(limbs, 21)
+	doReduction(limbs, 20)
+	doReduction(limbs, 19)
+	doReduction(limbs, 18)
+
+	//for i in (6..18).filter(|x| x % 2 == 0) {
+	for i := 6; i < 18; i += 2 {
+		doCarryCentered(limbs, i)
+	}
+
+	//  for i in (6..16).filter(|x| x % 2 == 1) {
+	for i := 7; i < 16; i += 2 {
+		doCarryCentered(limbs, i)
+	}
+	doReduction(limbs, 17)
+	doReduction(limbs, 16)
+	doReduction(limbs, 15)
+	doReduction(limbs, 14)
+	doReduction(limbs, 13)
+	doReduction(limbs, 12)
+
+	//for i in (0..12).filter(|x| x % 2 == 0) {
+	for i := 0; i < 12; i += 2 {
+		doCarryCentered(limbs, i)
+	}
+	//for i in (0..12).filter(|x| x % 2 == 1) {
+	for i := 1; i < 12; i += 2 {
+		doCarryCentered(limbs, i)
+	}
+
+	doReduction(limbs, 12)
+
+	//for i in 0..12 {
+	for i := 0; i < 12; i++ {
+		doCarryUncentered(limbs, i)
+	}
+
+	doReduction(limbs, 12)
+
+	//for i in 0..11 {
+	for i := 0; i < 11; i++ {
+		doCarryUncentered(limbs, i)
+	}
+}
+
+func scAddFact(s, a, c *[32]byte) {
+	a0 := 2097151 & load3(a[:])
+	a1 := 2097151 & (load4(a[2:]) >> 5)
+	a2 := 2097151 & (load3(a[5:]) >> 2)
+	a3 := 2097151 & (load4(a[7:]) >> 7)
+	a4 := 2097151 & (load4(a[10:]) >> 4)
+	a5 := 2097151 & (load3(a[13:]) >> 1)
+	a6 := 2097151 & (load4(a[15:]) >> 6)
+	a7 := 2097151 & (load3(a[18:]) >> 3)
+	a8 := 2097151 & load3(a[21:])
+	a9 := 2097151 & (load4(a[23:]) >> 5)
+	a10 := 2097151 & (load3(a[26:]) >> 2)
+	a11 := (load4(a[28:]) >> 7)
+	c0 := 2097151 & load3(c[:])
+	c1 := 2097151 & (load4(c[2:]) >> 5)
+	c2 := 2097151 & (load3(c[5:]) >> 2)
+	c3 := 2097151 & (load4(c[7:]) >> 7)
+	c4 := 2097151 & (load4(c[10:]) >> 4)
+	c5 := 2097151 & (load3(c[13:]) >> 1)
+	c6 := 2097151 & (load4(c[15:]) >> 6)
+	c7 := 2097151 & (load3(c[18:]) >> 3)
+	c8 := 2097151 & load3(c[21:])
+	c9 := 2097151 & (load4(c[23:]) >> 5)
+	c10 := 2097151 & (load3(c[26:]) >> 2)
+	c11 := (load4(c[28:]) >> 7)
+
+	var limbs [24]int64
+	limbs[0] = c0 + a0
+	limbs[1] = c1 + a1
+	limbs[2] = c2 + a2
+	limbs[3] = c3 + a3
+	limbs[4] = c4 + a4
+	limbs[5] = c5 + a5
+	limbs[6] = c6 + a6
+	limbs[7] = c7 + a7
+	limbs[8] = c8 + a8
+	limbs[9] = c9 + a9
+	limbs[10] = c10 + a10
+	limbs[11] = c11 + a11
+	limbs[12] = int64(0)
+	limbs[13] = int64(0)
+	limbs[14] = int64(0)
+	limbs[15] = int64(0)
+	limbs[16] = int64(0)
+	limbs[17] = int64(0)
+	limbs[18] = int64(0)
+	limbs[19] = int64(0)
+	limbs[20] = int64(0)
+	limbs[21] = int64(0)
+	limbs[22] = int64(0)
+	limbs[23] = int64(0)
+
+	scReduceLimbs(limbs)
+}
+
+func scMulFact(s, a, b *[32]byte) {
+	a0 := 2097151 & load3(a[:])
+	a1 := 2097151 & (load4(a[2:]) >> 5)
+	a2 := 2097151 & (load3(a[5:]) >> 2)
+	a3 := 2097151 & (load4(a[7:]) >> 7)
+	a4 := 2097151 & (load4(a[10:]) >> 4)
+	a5 := 2097151 & (load3(a[13:]) >> 1)
+	a6 := 2097151 & (load4(a[15:]) >> 6)
+	a7 := 2097151 & (load3(a[18:]) >> 3)
+	a8 := 2097151 & load3(a[21:])
+	a9 := 2097151 & (load4(a[23:]) >> 5)
+	a10 := 2097151 & (load3(a[26:]) >> 2)
+	a11 := (load4(a[28:]) >> 7)
+	b0 := 2097151 & load3(b[:])
+	b1 := 2097151 & (load4(b[2:]) >> 5)
+	b2 := 2097151 & (load3(b[5:]) >> 2)
+	b3 := 2097151 & (load4(b[7:]) >> 7)
+	b4 := 2097151 & (load4(b[10:]) >> 4)
+	b5 := 2097151 & (load3(b[13:]) >> 1)
+	b6 := 2097151 & (load4(b[15:]) >> 6)
+	b7 := 2097151 & (load3(b[18:]) >> 3)
+	b8 := 2097151 & load3(b[21:])
+	b9 := 2097151 & (load4(b[23:]) >> 5)
+	b10 := 2097151 & (load3(b[26:]) >> 2)
+	b11 := (load4(b[28:]) >> 7)
+	c0 := int64(0)
+	c1 := int64(0)
+	c2 := int64(0)
+	c3 := int64(0)
+	c4 := int64(0)
+	c5 := int64(0)
+	c6 := int64(0)
+	c7 := int64(0)
+	c8 := int64(0)
+	c9 := int64(0)
+	c10 := int64(0)
+	c11 := int64(0)
+
+	var limbs [24]int64
+	limbs[0] = c0 + a0*b0
+	limbs[1] = c1 + a0*b1 + a1*b0
+	limbs[2] = c2 + a0*b2 + a1*b1 + a2*b0
+	limbs[3] = c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0
+	limbs[4] = c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0
+	limbs[5] = c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0
+	limbs[6] = c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0
+	limbs[7] = c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0
+	limbs[8] = c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0
+	limbs[9] = c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0
+	limbs[10] = c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0
+	limbs[11] = c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0
+	limbs[12] = a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1
+	limbs[13] = a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2
+	limbs[14] = a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3
+	limbs[15] = a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4
+	limbs[16] = a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5
+	limbs[17] = a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6
+	limbs[18] = a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7
+	limbs[19] = a8*b11 + a9*b10 + a10*b9 + a11*b8
+	limbs[20] = a9*b11 + a10*b10 + a11*b9
+	limbs[21] = a10*b11 + a11*b10
+	limbs[22] = a11 * b11
+	limbs[23] = int64(0)
+
+	scReduceLimbs(limbs)
+}
+
+func scSubFact(s, a, c *[32]byte) {
+	a0 := 2097151 & load3(a[:])
+	a1 := 2097151 & (load4(a[2:]) >> 5)
+	a2 := 2097151 & (load3(a[5:]) >> 2)
+	a3 := 2097151 & (load4(a[7:]) >> 7)
+	a4 := 2097151 & (load4(a[10:]) >> 4)
+	a5 := 2097151 & (load3(a[13:]) >> 1)
+	a6 := 2097151 & (load4(a[15:]) >> 6)
+	a7 := 2097151 & (load3(a[18:]) >> 3)
+	a8 := 2097151 & load3(a[21:])
+	a9 := 2097151 & (load4(a[23:]) >> 5)
+	a10 := 2097151 & (load3(a[26:]) >> 2)
+	a11 := (load4(a[28:]) >> 7)
+	c0 := 2097151 & load3(c[:])
+	c1 := 2097151 & (load4(c[2:]) >> 5)
+	c2 := 2097151 & (load3(c[5:]) >> 2)
+	c3 := 2097151 & (load4(c[7:]) >> 7)
+	c4 := 2097151 & (load4(c[10:]) >> 4)
+	c5 := 2097151 & (load3(c[13:]) >> 1)
+	c6 := 2097151 & (load4(c[15:]) >> 6)
+	c7 := 2097151 & (load3(c[18:]) >> 3)
+	c8 := 2097151 & load3(c[21:])
+	c9 := 2097151 & (load4(c[23:]) >> 5)
+	c10 := 2097151 & (load3(c[26:]) >> 2)
+	c11 := (load4(c[28:]) >> 7)
+
+	var limbs [24]int64
+	limbs[0] = 1916624 - c0 + a0
+	limbs[1] = 863866 - c1 + a1
+	limbs[2] = 18828 - c2 + a2
+	limbs[3] = 1284811 - c3 + a3
+	limbs[4] = 2007799 - c4 + a4
+	limbs[5] = 456654 - c5 + a5
+	limbs[6] = 5 - c6 + a6
+	limbs[7] = 0 - c7 + a7
+	limbs[8] = 0 - c8 + a8
+	limbs[9] = 0 - c9 + a9
+	limbs[10] = 0 - c10 + a10
+	limbs[11] = 0 - c11 + a11
+	limbs[12] = int64(16)
+	limbs[13] = int64(0)
+	limbs[14] = int64(0)
+	limbs[15] = int64(0)
+	limbs[16] = int64(0)
+	limbs[17] = int64(0)
+	limbs[18] = int64(0)
+	limbs[19] = int64(0)
+	limbs[20] = int64(0)
+	limbs[21] = int64(0)
+	limbs[22] = int64(0)
+	limbs[23] = int64(0)
+
+	scReduceLimbs(limbs)
+}
diff --git a/kyber/group/edwards25519/suite.go b/kyber/group/edwards25519/suite.go
new file mode 100644
index 0000000000..62e353be67
--- /dev/null
+++ b/kyber/group/edwards25519/suite.go
@@ -0,0 +1,70 @@
+package edwards25519
+
+import (
+	"crypto/cipher"
+	"crypto/sha256"
+	"hash"
+	"io"
+	"reflect"
+
+	"go.dedis.ch/fixbuf"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/util/random"
+	"go.dedis.ch/kyber/v3/xof/blake2xb"
+)
+
+// SuiteEd25519 implements some basic functionalities such as Group, HashFactory,
+// and XOFFactory.
+type SuiteEd25519 struct {
+	Curve
+	r cipher.Stream
+}
+
+// Hash returns a newly instanciated sha256 hash function.
+func (s *SuiteEd25519) Hash() hash.Hash {
+	return sha256.New()
+}
+
+// XOF returns an XOF which is implemented via the Blake2b hash.
+func (s *SuiteEd25519) XOF(key []byte) kyber.XOF {
+	return blake2xb.New(key)
+}
+
+func (s *SuiteEd25519) Read(r io.Reader, objs ...interface{}) error {
+	return fixbuf.Read(r, s, objs...)
+}
+
+func (s *SuiteEd25519) Write(w io.Writer, objs ...interface{}) error {
+	return fixbuf.Write(w, objs)
+}
+
+// New implements the kyber.Encoding interface
+func (s *SuiteEd25519) New(t reflect.Type) interface{} {
+	return GroupNew(s, t)
+}
+
+// RandomStream returns a cipher.Stream that returns a key stream
+// from crypto/rand.
+func (s *SuiteEd25519) RandomStream() cipher.Stream {
+	if s.r != nil {
+		return s.r
+	}
+	return random.New()
+}
+
+// NewBlakeSHA256Ed25519 returns a cipher suite based on package
+// go.dedis.ch/kyber/v3/xof/blake2xb, SHA-256, and the Ed25519 curve.
+// It produces cryptographically random numbers via package crypto/rand.
+func NewBlakeSHA256Ed25519() *SuiteEd25519 {
+	suite := new(SuiteEd25519)
+	return suite
+}
+
+// NewBlakeSHA256Ed25519WithRand returns a cipher suite based on package
+// go.dedis.ch/kyber/v3/xof/blake2xb, SHA-256, and the Ed25519 curve.
+// It produces cryptographically random numbers via the provided stream r.
+func NewBlakeSHA256Ed25519WithRand(r cipher.Stream) *SuiteEd25519 {
+	suite := new(SuiteEd25519)
+	suite.r = r
+	return suite
+}
diff --git a/kyber/group/internal/marshalling/marshal.go b/kyber/group/internal/marshalling/marshal.go
new file mode 100644
index 0000000000..457b328db2
--- /dev/null
+++ b/kyber/group/internal/marshalling/marshal.go
@@ -0,0 +1,83 @@
+// Package marshalling provides a common implementation of (un)marshalling method using Writer and Reader.
+//
+package marshalling
+
+import (
+	"crypto/cipher"
+	"io"
+	"reflect"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+// PointMarshalTo provides a generic implementation of Point.EncodeTo
+// based on Point.Encode.
+func PointMarshalTo(p kyber.Point, w io.Writer) (int, error) {
+	buf, err := p.MarshalBinary()
+	if err != nil {
+		return 0, err
+	}
+	return w.Write(buf)
+}
+
+// PointUnmarshalFrom provides a generic implementation of Point.DecodeFrom,
+// based on Point.Decode, or Point.Pick if r is a Cipher or cipher.Stream.
+// The returned byte-count is valid only when decoding from a normal Reader,
+// not when picking from a pseudorandom source.
+func PointUnmarshalFrom(p kyber.Point, r io.Reader) (int, error) {
+	if strm, ok := r.(cipher.Stream); ok {
+		p.Pick(strm)
+		return -1, nil // no byte-count when picking randomly
+	}
+	buf := make([]byte, p.MarshalSize())
+	n, err := io.ReadFull(r, buf)
+	if err != nil {
+		return n, err
+	}
+	return n, p.UnmarshalBinary(buf)
+}
+
+// ScalarMarshalTo provides a generic implementation of Scalar.EncodeTo
+// based on Scalar.Encode.
+func ScalarMarshalTo(s kyber.Scalar, w io.Writer) (int, error) {
+	buf, err := s.MarshalBinary()
+	if err != nil {
+		return 0, err
+	}
+	return w.Write(buf)
+}
+
+// ScalarUnmarshalFrom provides a generic implementation of Scalar.DecodeFrom,
+// based on Scalar.Decode, or Scalar.Pick if r is a Cipher or cipher.Stream.
+// The returned byte-count is valid only when decoding from a normal Reader,
+// not when picking from a pseudorandom source.
+func ScalarUnmarshalFrom(s kyber.Scalar, r io.Reader) (int, error) {
+	if strm, ok := r.(cipher.Stream); ok {
+		s.Pick(strm)
+		return -1, nil // no byte-count when picking randomly
+	}
+	buf := make([]byte, s.MarshalSize())
+	n, err := io.ReadFull(r, buf)
+	if err != nil {
+		return n, err
+	}
+	return n, s.UnmarshalBinary(buf)
+}
+
+// Not used other than for reflect.TypeOf()
+var aScalar kyber.Scalar
+var aPoint kyber.Point
+
+var tScalar = reflect.TypeOf(&aScalar).Elem()
+var tPoint = reflect.TypeOf(&aPoint).Elem()
+
+// GroupNew is the Default implementation of reflective constructor for Group
+func GroupNew(g kyber.Group, t reflect.Type) interface{} {
+	switch t {
+	case tScalar:
+		return g.Scalar()
+	case tPoint:
+		return g.Point()
+	}
+	return nil
+}
diff --git a/kyber/group/mod/int.go b/kyber/group/mod/int.go
new file mode 100644
index 0000000000..ba898f2fdd
--- /dev/null
+++ b/kyber/group/mod/int.go
@@ -0,0 +1,430 @@
+// Package mod contains a generic implementation of finite field arithmetic
+// on integer fields with a constant modulus.
+package mod
+
+import (
+	"crypto/cipher"
+	"encoding/hex"
+	"errors"
+	"io"
+	"math/big"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/internal/marshalling"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+var one = big.NewInt(1)
+var two = big.NewInt(2)
+var marshalScalarID = [8]byte{'m', 'o', 'd', '.', 'i', 'n', 't', ' '}
+
+// ByteOrder denotes the endianness of the operation.
+type ByteOrder bool
+
+const (
+	// LittleEndian endianness
+	LittleEndian ByteOrder = true
+	// BigEndian endianness
+	BigEndian ByteOrder = false
+)
+
+// Int is a generic implementation of finite field arithmetic
+// on integer finite fields with a given constant modulus,
+// built using Go's built-in big.Int package.
+// Int satisfies the kyber.Scalar interface,
+// and hence serves as a basic implementation of kyber.Scalar,
+// e.g., representing discrete-log exponents of Schnorr groups
+// or scalar multipliers for elliptic curves.
+//
+// Int offers an API similar to and compatible with big.Int,
+// but "carries around" a pointer to the relevant modulus
+// and automatically normalizes the value to that modulus
+// after all arithmetic operations, simplifying modular arithmetic.
+// Binary operations assume that the source(s)
+// have the same modulus, but do not check this assumption.
+// Unary and binary arithmetic operations may be performed on uninitialized
+// target objects, and receive the modulus of the first operand.
+// For efficiency the modulus field M is a pointer,
+// whose target is assumed never to change.
+type Int struct {
+	V  big.Int   // Integer value from 0 through M-1
+	M  *big.Int  // Modulus for finite field arithmetic
+	BO ByteOrder // Endianness which will be used on input and output
+}
+
+// NewInt creaters a new Int with a given big.Int and a big.Int modulus.
+func NewInt(v *big.Int, m *big.Int) *Int {
+	return new(Int).Init(v, m)
+}
+
+// NewInt64 creates a new Int with a given int64 value and big.Int modulus.
+func NewInt64(v int64, M *big.Int) *Int {
+	return new(Int).Init64(v, M)
+}
+
+// NewIntBytes creates a new Int with a given slice of bytes and a big.Int
+// modulus.
+func NewIntBytes(a []byte, m *big.Int, byteOrder ByteOrder) *Int {
+	return new(Int).InitBytes(a, m, byteOrder)
+}
+
+// NewIntString creates a new Int with a given string and a big.Int modulus.
+// The value is set to a rational fraction n/d in a given base.
+func NewIntString(n, d string, base int, m *big.Int) *Int {
+	return new(Int).InitString(n, d, base, m)
+}
+
+// Init a Int with a given big.Int value and modulus pointer.
+// Note that the value is copied; the modulus is not.
+func (i *Int) Init(V *big.Int, m *big.Int) *Int {
+	i.M = m
+	i.BO = BigEndian
+	i.V.Set(V).Mod(&i.V, m)
+	return i
+}
+
+// Init64 creates an Int with an int64 value and big.Int modulus.
+func (i *Int) Init64(v int64, m *big.Int) *Int {
+	i.M = m
+	i.BO = BigEndian
+	i.V.SetInt64(v).Mod(&i.V, m)
+	return i
+}
+
+// InitBytes init the Int to a number represented in a big-endian byte string.
+func (i *Int) InitBytes(a []byte, m *big.Int, byteOrder ByteOrder) *Int {
+	i.M = m
+	i.BO = byteOrder
+	i.SetBytes(a)
+	return i
+}
+
+// InitString inits the Int to a rational fraction n/d
+// specified with a pair of strings in a given base.
+func (i *Int) InitString(n, d string, base int, m *big.Int) *Int {
+	i.M = m
+	i.BO = BigEndian
+	if _, succ := i.SetString(n, d, base); !succ {
+		panic("InitString: invalid fraction representation")
+	}
+	return i
+}
+
+// Return the Int's integer value in hexadecimal string representation.
+func (i *Int) String() string {
+	return hex.EncodeToString(i.V.Bytes())
+}
+
+// SetString sets the Int to a rational fraction n/d represented by a pair of strings.
+// If d == "", then the denominator is taken to be 1.
+// Returns (i,true) on success, or
+// (nil,false) if either string fails to parse.
+func (i *Int) SetString(n, d string, base int) (*Int, bool) {
+	if _, succ := i.V.SetString(n, base); !succ {
+		return nil, false
+	}
+	if d != "" {
+		var di Int
+		di.M = i.M
+		if _, succ := di.SetString(d, "", base); !succ {
+			return nil, false
+		}
+		i.Div(i, &di)
+	}
+	return i, true
+}
+
+// Cmp compares two Ints for equality or inequality
+func (i *Int) Cmp(s2 kyber.Scalar) int {
+	return i.V.Cmp(&s2.(*Int).V)
+}
+
+// Equal returns true if the two Ints are equal
+func (i *Int) Equal(s2 kyber.Scalar) bool {
+	return i.V.Cmp(&s2.(*Int).V) == 0
+}
+
+// Nonzero returns true if the integer value is nonzero.
+func (i *Int) Nonzero() bool {
+	return i.V.Sign() != 0
+}
+
+// Set both value and modulus to be equal to another Int.
+// Since this method copies the modulus as well,
+// it may be used as an alternative to Init().
+func (i *Int) Set(a kyber.Scalar) kyber.Scalar {
+	ai := a.(*Int)
+	i.V.Set(&ai.V)
+	i.M = ai.M
+	return i
+}
+
+// Clone returns a separate duplicate of this Int.
+func (i *Int) Clone() kyber.Scalar {
+	ni := new(Int).Init(&i.V, i.M)
+	ni.BO = i.BO
+	return ni
+}
+
+// Zero set the Int to the value 0.  The modulus must already be initialized.
+func (i *Int) Zero() kyber.Scalar {
+	i.V.SetInt64(0)
+	return i
+}
+
+// One sets the Int to the value 1.  The modulus must already be initialized.
+func (i *Int) One() kyber.Scalar {
+	i.V.SetInt64(1)
+	return i
+}
+
+// SetInt64 sets the Int to an arbitrary 64-bit "small integer" value.
+// The modulus must already be initialized.
+func (i *Int) SetInt64(v int64) kyber.Scalar {
+	i.V.SetInt64(v).Mod(&i.V, i.M)
+	return i
+}
+
+// Int64 returns the int64 representation of the value.
+// If the value is not representable in an int64 the result is undefined.
+func (i *Int) Int64() int64 {
+	return i.V.Int64()
+}
+
+// SetUint64 sets the Int to an arbitrary uint64 value.
+// The modulus must already be initialized.
+func (i *Int) SetUint64(v uint64) kyber.Scalar {
+	i.V.SetUint64(v).Mod(&i.V, i.M)
+	return i
+}
+
+// Uint64 returns the uint64 representation of the value.
+// If the value is not representable in an uint64 the result is undefined.
+func (i *Int) Uint64() uint64 {
+	return i.V.Uint64()
+}
+
+// Add sets the target to a + b mod M, where M is a's modulus..
+func (i *Int) Add(a, b kyber.Scalar) kyber.Scalar {
+	ai := a.(*Int)
+	bi := b.(*Int)
+	i.M = ai.M
+	i.V.Add(&ai.V, &bi.V).Mod(&i.V, i.M)
+	return i
+}
+
+// Sub sets the target to a - b mod M.
+// Target receives a's modulus.
+func (i *Int) Sub(a, b kyber.Scalar) kyber.Scalar {
+	ai := a.(*Int)
+	bi := b.(*Int)
+	i.M = ai.M
+	i.V.Sub(&ai.V, &bi.V).Mod(&i.V, i.M)
+	return i
+}
+
+// Neg sets the target to -a mod M.
+func (i *Int) Neg(a kyber.Scalar) kyber.Scalar {
+	ai := a.(*Int)
+	i.M = ai.M
+	if ai.V.Sign() > 0 {
+		i.V.Sub(i.M, &ai.V)
+	} else {
+		i.V.SetUint64(0)
+	}
+	return i
+}
+
+// Mul sets the target to a * b mod M.
+// Target receives a's modulus.
+func (i *Int) Mul(a, b kyber.Scalar) kyber.Scalar {
+	ai := a.(*Int)
+	bi := b.(*Int)
+	i.M = ai.M
+	i.V.Mul(&ai.V, &bi.V).Mod(&i.V, i.M)
+	return i
+}
+
+// Div sets the target to a * b^-1 mod M, where b^-1 is the modular inverse of b.
+func (i *Int) Div(a, b kyber.Scalar) kyber.Scalar {
+	ai := a.(*Int)
+	bi := b.(*Int)
+	var t big.Int
+	i.M = ai.M
+	i.V.Mul(&ai.V, t.ModInverse(&bi.V, i.M))
+	i.V.Mod(&i.V, i.M)
+	return i
+}
+
+// Inv sets the target to the modular inverse of a with respect to modulus M.
+func (i *Int) Inv(a kyber.Scalar) kyber.Scalar {
+	ai := a.(*Int)
+	i.M = ai.M
+	i.V.ModInverse(&a.(*Int).V, i.M)
+	return i
+}
+
+// Exp sets the target to a^e mod M,
+// where e is an arbitrary big.Int exponent (not necessarily 0 <= e < M).
+func (i *Int) Exp(a kyber.Scalar, e *big.Int) kyber.Scalar {
+	ai := a.(*Int)
+	i.M = ai.M
+	// to protect against golang/go#22830
+	var tmp big.Int
+	tmp.Exp(&ai.V, e, i.M)
+	i.V = tmp
+	return i
+}
+
+// Jacobi computes the Jacobi symbol of (a/M), which indicates whether a is
+// zero (0), a positive square in M (1), or a non-square in M (-1).
+func (i *Int) Jacobi(as kyber.Scalar) kyber.Scalar {
+	ai := as.(*Int)
+	i.M = ai.M
+	i.V.SetInt64(int64(big.Jacobi(&ai.V, i.M)))
+	return i
+}
+
+// Sqrt computes some square root of a mod M of one exists.
+// Assumes the modulus M is an odd prime.
+// Returns true on success, false if input a is not a square.
+func (i *Int) Sqrt(as kyber.Scalar) bool {
+	ai := as.(*Int)
+	out := i.V.ModSqrt(&ai.V, ai.M)
+	i.M = ai.M
+	return out != nil
+}
+
+// Pick a [pseudo-]random integer modulo M
+// using bits from the given stream cipher.
+func (i *Int) Pick(rand cipher.Stream) kyber.Scalar {
+	i.V.Set(random.Int(i.M, rand))
+	return i
+}
+
+// MarshalSize returns the length in bytes of encoded integers with modulus M.
+// The length of encoded Ints depends only on the size of the modulus,
+// and not on the the value of the encoded integer,
+// making the encoding is fixed-length for simplicity and security.
+func (i *Int) MarshalSize() int {
+	return (i.M.BitLen() + 7) / 8
+}
+
+// MarshalBinary encodes the value of this Int into a byte-slice exactly Len() bytes long.
+// It uses i's ByteOrder to determine which byte order to output.
+func (i *Int) MarshalBinary() ([]byte, error) {
+	l := i.MarshalSize()
+	b := i.V.Bytes() // may be shorter than l
+	offset := l - len(b)
+
+	if i.BO == LittleEndian {
+		return i.LittleEndian(l, l), nil
+	}
+
+	if offset != 0 {
+		nb := make([]byte, l)
+		copy(nb[offset:], b)
+		b = nb
+	}
+	return b, nil
+}
+
+// MarshalID returns a unique identifier for this type
+func (i *Int) MarshalID() [8]byte {
+	return marshalScalarID
+}
+
+// UnmarshalBinary tries to decode a Int from a byte-slice buffer.
+// Returns an error if the buffer is not exactly Len() bytes long
+// or if the contents of the buffer represents an out-of-range integer.
+func (i *Int) UnmarshalBinary(buf []byte) error {
+	if len(buf) != i.MarshalSize() {
+		return errors.New("UnmarshalBinary: wrong size buffer")
+	}
+	// Still needed here because of the comparison with the modulo
+	if i.BO == LittleEndian {
+		buf = reverse(nil, buf)
+	}
+	i.V.SetBytes(buf)
+	if i.V.Cmp(i.M) >= 0 {
+		return errors.New("UnmarshalBinary: value out of range")
+	}
+	return nil
+}
+
+// MarshalTo encodes this Int to the given Writer.
+func (i *Int) MarshalTo(w io.Writer) (int, error) {
+	return marshalling.ScalarMarshalTo(i, w)
+}
+
+// UnmarshalFrom tries to decode an Int from the given Reader.
+func (i *Int) UnmarshalFrom(r io.Reader) (int, error) {
+	return marshalling.ScalarUnmarshalFrom(i, r)
+}
+
+// BigEndian encodes the value of this Int into a big-endian byte-slice
+// at least min bytes but no more than max bytes long.
+// Panics if max != 0 and the Int cannot be represented in max bytes.
+func (i *Int) BigEndian(min, max int) []byte {
+	act := i.MarshalSize()
+	pad, ofs := act, 0
+	if pad < min {
+		pad, ofs = min, min-act
+	}
+	if max != 0 && pad > max {
+		panic("Int not representable in max bytes")
+	}
+	buf := make([]byte, pad)
+	copy(buf[ofs:], i.V.Bytes())
+	return buf
+}
+
+// SetBytes set the value value to a number represented
+// by a byte string.
+// Endianness depends on the endianess set in i.
+func (i *Int) SetBytes(a []byte) kyber.Scalar {
+	var buff = a
+	if i.BO == LittleEndian {
+		buff = reverse(nil, a)
+	}
+	i.V.SetBytes(buff).Mod(&i.V, i.M)
+	return i
+}
+
+// LittleEndian encodes the value of this Int into a little-endian byte-slice
+// at least min bytes but no more than max bytes long.
+// Panics if max != 0 and the Int cannot be represented in max bytes.
+func (i *Int) LittleEndian(min, max int) []byte {
+	act := i.MarshalSize()
+	vBytes := i.V.Bytes()
+	vSize := len(vBytes)
+	if vSize < act {
+		act = vSize
+	}
+	pad := act
+	if pad < min {
+		pad = min
+	}
+	if max != 0 && pad > max {
+		panic("Int not representable in max bytes")
+	}
+	buf := make([]byte, pad)
+	reverse(buf[:act], vBytes)
+	return buf
+}
+
+// reverse copies src into dst in byte-reversed order and returns dst,
+// such that src[0] goes into dst[len-1] and vice versa.
+// dst and src may be the same slice but otherwise must not overlap.
+func reverse(dst, src []byte) []byte {
+	if dst == nil {
+		dst = make([]byte, len(src))
+	}
+	l := len(dst)
+	for i, j := 0, l-1; i < (l+1)/2; {
+		dst[i], dst[j] = src[j], src[i]
+		i++
+		j--
+	}
+	return dst
+}
diff --git a/kyber/group/mod/int_test.go b/kyber/group/mod/int_test.go
new file mode 100644
index 0000000000..472d1b62a1
--- /dev/null
+++ b/kyber/group/mod/int_test.go
@@ -0,0 +1,90 @@
+package mod
+
+import (
+	"bytes"
+	"encoding/hex"
+	"math/big"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIntEndianness(t *testing.T) {
+	modulo := big.NewInt(65535)
+	var v int64 = 65500
+	// Let's assume it is bigendian and test that
+	i := new(Int).Init64(v, modulo)
+	assert.Equal(t, i.BO, BigEndian)
+
+	buff1, err := i.MarshalBinary()
+	assert.Nil(t, err)
+	i.BO = BigEndian
+	buff2, err := i.MarshalBinary()
+	assert.Nil(t, err)
+	assert.Equal(t, buff1, buff2)
+
+	// Let's change endianness and check the result
+	i.BO = LittleEndian
+	buff3, err := i.MarshalBinary()
+	assert.NotEqual(t, buff2, buff3)
+
+	// let's try LittleEndian function
+	buff4 := i.LittleEndian(0, 32)
+	assert.Equal(t, buff3, buff4)
+	// set endianess but using littleendian should not change anything
+	i.BO = BigEndian
+	assert.Equal(t, buff4, i.LittleEndian(0, 32))
+
+	// Try to reconstruct the int from the buffer
+	i = new(Int).Init64(v, modulo)
+	i2 := NewInt64(0, modulo)
+	buff, _ := i.MarshalBinary()
+	assert.Nil(t, i2.UnmarshalBinary(buff))
+	assert.True(t, i.Equal(i2))
+
+	i.BO = LittleEndian
+	buff, _ = i.MarshalBinary()
+	i2.BO = LittleEndian
+	assert.Nil(t, i2.UnmarshalBinary(buff))
+	assert.True(t, i.Equal(i2))
+
+	i2.BO = BigEndian
+	assert.Nil(t, i2.UnmarshalBinary(buff))
+	assert.False(t, i.Equal(i2))
+}
+func TestIntEndianBytes(t *testing.T) {
+	modulo, err := hex.DecodeString("1000")
+	moduloI := new(big.Int).SetBytes(modulo)
+	assert.Nil(t, err)
+	v, err := hex.DecodeString("10")
+	assert.Nil(t, err)
+
+	i := new(Int).InitBytes(v, moduloI, BigEndian)
+
+	assert.Equal(t, 2, i.MarshalSize())
+	assert.NotPanics(t, func() { i.LittleEndian(2, 2) })
+}
+
+func TestInits(t *testing.T) {
+	i1 := NewInt64(int64(65500), big.NewInt(65535))
+	i2 := NewInt(&i1.V, i1.M)
+	assert.True(t, i1.Equal(i2))
+	b, _ := i1.MarshalBinary()
+	i3 := NewIntBytes(b, i1.M, BigEndian)
+	assert.True(t, i1.Equal(i3))
+	i4 := NewIntString(i1.String(), "", 16, i1.M)
+	assert.True(t, i1.Equal(i4))
+}
+
+func TestIntClone(t *testing.T) {
+	moduloI := new(big.Int).SetBytes([]byte{0x10, 0})
+	base := new(Int).InitBytes([]byte{0x10}, moduloI, BigEndian)
+
+	clone := base.Clone()
+	clone.Add(clone, clone)
+	b1, _ := clone.MarshalBinary()
+	b2, _ := base.MarshalBinary()
+	if bytes.Equal(b1, b2) {
+		t.Error("Should not be equal")
+	}
+}
diff --git a/kyber/group/nist/curve.go b/kyber/group/nist/curve.go
new file mode 100644
index 0000000000..6888d9fc03
--- /dev/null
+++ b/kyber/group/nist/curve.go
@@ -0,0 +1,266 @@
+package nist
+
+import (
+	"crypto/cipher"
+	"crypto/elliptic"
+	"errors"
+	"io"
+	"math/big"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/internal/marshalling"
+	"go.dedis.ch/kyber/v3/group/mod"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+type curvePoint struct {
+	x, y *big.Int
+	c    *curve
+}
+
+func (p *curvePoint) String() string {
+	return "(" + p.x.String() + "," + p.y.String() + ")"
+}
+
+func (p *curvePoint) Equal(p2 kyber.Point) bool {
+	cp2 := p2.(*curvePoint)
+
+	// Make sure both coordinates are normalized.
+	// Apparently Go's elliptic curve code doesn't always ensure this.
+	M := p.c.p.P
+	p.x.Mod(p.x, M)
+	p.y.Mod(p.y, M)
+	cp2.x.Mod(cp2.x, M)
+	cp2.y.Mod(cp2.y, M)
+
+	return p.x.Cmp(cp2.x) == 0 && p.y.Cmp(cp2.y) == 0
+}
+
+func (p *curvePoint) Null() kyber.Point {
+	p.x = new(big.Int).SetInt64(0)
+	p.y = new(big.Int).SetInt64(0)
+	return p
+}
+
+func (p *curvePoint) Base() kyber.Point {
+	p.x = p.c.p.Gx
+	p.y = p.c.p.Gy
+	return p
+}
+
+func (p *curvePoint) Valid() bool {
+	// The IsOnCurve function in Go's elliptic curve package
+	// doesn't consider the point-at-infinity to be "on the curve"
+	return p.c.IsOnCurve(p.x, p.y) ||
+		(p.x.Sign() == 0 && p.y.Sign() == 0)
+}
+
+// Try to generate a point on this curve from a chosen x-coordinate,
+// with a random sign.
+func (p *curvePoint) genPoint(x *big.Int, rand cipher.Stream) bool {
+
+	// Compute the corresponding Y coordinate, if any
+	y2 := new(big.Int).Mul(x, x)
+	y2.Mul(y2, x)
+	threeX := new(big.Int).Lsh(x, 1)
+	threeX.Add(threeX, x)
+	y2.Sub(y2, threeX)
+	y2.Add(y2, p.c.p.B)
+	y2.Mod(y2, p.c.p.P)
+	y := p.c.sqrt(y2)
+
+	// Pick a random sign for the y coordinate
+	b := make([]byte, 1)
+	rand.XORKeyStream(b, b)
+	if (b[0] & 0x80) != 0 {
+		y.Sub(p.c.p.P, y)
+	}
+
+	// Check that it's a valid point
+	y2t := new(big.Int).Mul(y, y)
+	y2t.Mod(y2t, p.c.p.P)
+	if y2t.Cmp(y2) != 0 {
+		return false // Doesn't yield a valid point!
+	}
+
+	p.x = x
+	p.y = y
+	return true
+}
+
+func (p *curvePoint) EmbedLen() int {
+	// Reserve at least 8 most-significant bits for randomness,
+	// and the least-significant 8 bits for embedded data length.
+	// (Hopefully it's unlikely we'll need >=2048-bit curves soon.)
+	return (p.c.p.P.BitLen() - 8 - 8) / 8
+}
+
+func (p *curvePoint) Pick(rand cipher.Stream) kyber.Point {
+	return p.Embed(nil, rand)
+}
+
+// Pick a curve point containing a variable amount of embedded data.
+// Remaining bits comprising the point are chosen randomly.
+func (p *curvePoint) Embed(data []byte, rand cipher.Stream) kyber.Point {
+
+	l := p.c.coordLen()
+	dl := p.EmbedLen()
+	if dl > len(data) {
+		dl = len(data)
+	}
+
+	for {
+		b := random.Bits(uint(p.c.p.P.BitLen()), false, rand)
+		if data != nil {
+			b[l-1] = byte(dl)         // Encode length in low 8 bits
+			copy(b[l-dl-1:l-1], data) // Copy in data to embed
+		}
+		if p.genPoint(new(big.Int).SetBytes(b), rand) {
+			return p
+		}
+	}
+}
+
+// Extract embedded data from a curve point
+func (p *curvePoint) Data() ([]byte, error) {
+	b := p.x.Bytes()
+	l := p.c.coordLen()
+	if len(b) < l { // pad leading zero bytes if necessary
+		b = append(make([]byte, l-len(b)), b...)
+	}
+	dl := int(b[l-1])
+	if dl > p.EmbedLen() {
+		return nil, errors.New("invalid embedded data length")
+	}
+	return b[l-dl-1 : l-1], nil
+}
+
+func (p *curvePoint) Add(a, b kyber.Point) kyber.Point {
+	ca := a.(*curvePoint)
+	cb := b.(*curvePoint)
+	p.x, p.y = p.c.Add(ca.x, ca.y, cb.x, cb.y)
+	return p
+}
+
+func (p *curvePoint) Sub(a, b kyber.Point) kyber.Point {
+	ca := a.(*curvePoint)
+	cb := b.(*curvePoint)
+
+	cbn := p.c.Point().Neg(cb).(*curvePoint)
+	p.x, p.y = p.c.Add(ca.x, ca.y, cbn.x, cbn.y)
+	return p
+}
+
+func (p *curvePoint) Neg(a kyber.Point) kyber.Point {
+
+	s := p.c.Scalar().One()
+	s.Neg(s)
+	return p.Mul(s, a).(*curvePoint)
+}
+
+func (p *curvePoint) Mul(s kyber.Scalar, b kyber.Point) kyber.Point {
+	cs := s.(*mod.Int)
+	if b != nil {
+		cb := b.(*curvePoint)
+		p.x, p.y = p.c.ScalarMult(cb.x, cb.y, cs.V.Bytes())
+	} else {
+		p.x, p.y = p.c.ScalarBaseMult(cs.V.Bytes())
+	}
+	return p
+}
+
+func (p *curvePoint) MarshalSize() int {
+	coordlen := (p.c.Params().BitSize + 7) >> 3
+	return 1 + 2*coordlen // uncompressed ANSI X9.62 representation
+}
+
+func (p *curvePoint) MarshalBinary() ([]byte, error) {
+	return elliptic.Marshal(p.c, p.x, p.y), nil
+}
+
+func (p *curvePoint) UnmarshalBinary(buf []byte) error {
+	// Check whether all bytes after first one are 0, so we
+	// just return the initial point. Read everything to
+	// prevent timing-leakage.
+	var c byte
+	for _, b := range buf[1:] {
+		c |= b
+	}
+	if c != 0 {
+		p.x, p.y = elliptic.Unmarshal(p.c, buf)
+		if p.x == nil || !p.Valid() {
+			return errors.New("invalid elliptic curve point")
+		}
+	} else {
+		// All bytes are 0, so we initialize x and y
+		p.x = big.NewInt(0)
+		p.y = big.NewInt(0)
+	}
+	return nil
+}
+
+func (p *curvePoint) MarshalTo(w io.Writer) (int, error) {
+	return marshalling.PointMarshalTo(p, w)
+}
+
+func (p *curvePoint) UnmarshalFrom(r io.Reader) (int, error) {
+	return marshalling.PointUnmarshalFrom(p, r)
+}
+
+// interface for curve-specifc mathematical functions
+type curveOps interface {
+	sqrt(y *big.Int) *big.Int
+}
+
+// Curve is an implementation of the kyber.Group interface
+// for NIST elliptic curves, built on Go's native elliptic curve library.
+type curve struct {
+	elliptic.Curve
+	curveOps
+	p *elliptic.CurveParams
+}
+
+// Return the number of bytes in the encoding of a Scalar for this curve.
+func (c *curve) ScalarLen() int { return (c.p.N.BitLen() + 7) / 8 }
+
+// Create a Scalar associated with this curve. The scalars created by
+// this package implement kyber.Scalar's SetBytes method, interpreting
+// the bytes as a big-endian integer, so as to be compatible with the
+// Go standard library's big.Int type.
+func (c *curve) Scalar() kyber.Scalar {
+	return mod.NewInt64(0, c.p.N)
+}
+
+// Number of bytes required to store one coordinate on this curve
+func (c *curve) coordLen() int {
+	return (c.p.BitSize + 7) / 8
+}
+
+// Return the number of bytes in the encoding of a Point for this curve.
+// Currently uses uncompressed ANSI X9.62 format with both X and Y coordinates;
+// this could change.
+func (c *curve) PointLen() int {
+	return 1 + 2*c.coordLen() // ANSI X9.62: 1 header byte plus 2 coords
+}
+
+// Create a Point associated with this curve.
+func (c *curve) Point() kyber.Point {
+	p := new(curvePoint)
+	p.c = c
+	return p
+}
+
+func (p *curvePoint) Set(P kyber.Point) kyber.Point {
+	p.x = P.(*curvePoint).x
+	p.y = P.(*curvePoint).y
+	return p
+}
+
+func (p *curvePoint) Clone() kyber.Point {
+	return &curvePoint{x: p.x, y: p.y, c: p.c}
+}
+
+// Return the order of this curve: the prime N in the curve parameters.
+func (c *curve) Order() *big.Int {
+	return c.p.N
+}
diff --git a/kyber/group/nist/doc.go b/kyber/group/nist/doc.go
new file mode 100644
index 0000000000..baf872e118
--- /dev/null
+++ b/kyber/group/nist/doc.go
@@ -0,0 +1,3 @@
+// Package nist implements cryptographic groups and ciphersuites
+// based on the NIST standards, using Go's built-in crypto library.
+package nist
diff --git a/kyber/group/nist/group_test.go b/kyber/group/nist/group_test.go
new file mode 100644
index 0000000000..e60de41985
--- /dev/null
+++ b/kyber/group/nist/group_test.go
@@ -0,0 +1,46 @@
+package nist
+
+import (
+	"testing"
+
+	"go.dedis.ch/kyber/v3/util/test"
+)
+
+var testQR512 = NewBlakeSHA256QR512()
+
+func TestQR512(t *testing.T) { test.SuiteTest(t, testQR512) }
+
+var testP256 = NewBlakeSHA256P256()
+
+func TestP256(t *testing.T) { test.SuiteTest(t, testP256) }
+
+func TestSetBytesBE(t *testing.T) {
+	s := testP256.Scalar()
+	s.SetBytes([]byte{0, 1, 2, 3})
+	// 010203 because initial 0 is trimmed in String(), and 03 (last byte of BE) ends up
+	// in the LSB of the bigint.
+	if s.String() != "010203" {
+		t.Fatal("unexpected result from String():", s.String())
+	}
+}
+
+var benchP256 = test.NewGroupBench(testP256)
+
+func BenchmarkScalarAdd(b *testing.B)    { benchP256.ScalarAdd(b.N) }
+func BenchmarkScalarSub(b *testing.B)    { benchP256.ScalarSub(b.N) }
+func BenchmarkScalarNeg(b *testing.B)    { benchP256.ScalarNeg(b.N) }
+func BenchmarkScalarMul(b *testing.B)    { benchP256.ScalarMul(b.N) }
+func BenchmarkScalarDiv(b *testing.B)    { benchP256.ScalarDiv(b.N) }
+func BenchmarkScalarInv(b *testing.B)    { benchP256.ScalarInv(b.N) }
+func BenchmarkScalarPick(b *testing.B)   { benchP256.ScalarPick(b.N) }
+func BenchmarkScalarEncode(b *testing.B) { benchP256.ScalarEncode(b.N) }
+func BenchmarkScalarDecode(b *testing.B) { benchP256.ScalarDecode(b.N) }
+
+func BenchmarkPointAdd(b *testing.B)     { benchP256.PointAdd(b.N) }
+func BenchmarkPointSub(b *testing.B)     { benchP256.PointSub(b.N) }
+func BenchmarkPointNeg(b *testing.B)     { benchP256.PointNeg(b.N) }
+func BenchmarkPointMul(b *testing.B)     { benchP256.PointMul(b.N) }
+func BenchmarkPointBaseMul(b *testing.B) { benchP256.PointBaseMul(b.N) }
+func BenchmarkPointPick(b *testing.B)    { benchP256.PointPick(b.N) }
+func BenchmarkPointEncode(b *testing.B)  { benchP256.PointEncode(b.N) }
+func BenchmarkPointDecode(b *testing.B)  { benchP256.PointDecode(b.N) }
diff --git a/kyber/group/nist/p256.go b/kyber/group/nist/p256.go
new file mode 100644
index 0000000000..f9c072386d
--- /dev/null
+++ b/kyber/group/nist/p256.go
@@ -0,0 +1,76 @@
+package nist
+
+import (
+	"crypto/elliptic"
+	"math/big"
+)
+
+// P256 implements the kyber.Group interface
+// for the NIST P-256 elliptic curve,
+// based on Go's native elliptic curve library.
+type p256 struct {
+	curve
+}
+
+func (curve *p256) String() string {
+	return "P256"
+}
+
+// Optimized modular square root for P-256 curve, from
+// "Mathematical routines for the NIST prime elliptic curves" (April 2010)
+func (curve *p256) sqrt(c *big.Int) *big.Int {
+	m := curve.p.P
+
+	t1 := new(big.Int)
+	t1.Mul(c, c)
+	t1.Mul(t1, c) // t1 = c^(2^2-1)
+
+	p2 := new(big.Int)
+	p2.SetBit(p2, 2, 1)
+	t2 := new(big.Int)
+	t2.Exp(t1, p2, m)
+	t2.Mul(t2, t1) // t2 = c^(2^4-1)
+
+	p3 := new(big.Int)
+	p3.SetBit(p3, 4, 1)
+	t3 := new(big.Int)
+	t3.Exp(t2, p3, m)
+	t3.Mul(t3, t2) // t3 = c^(2^8-1)
+
+	p4 := new(big.Int)
+	p4.SetBit(p4, 8, 1)
+	t4 := new(big.Int)
+	t4.Exp(t3, p4, m)
+	t4.Mul(t4, t3) // t4 = c^(2^16-1)
+
+	p5 := new(big.Int)
+	p5.SetBit(p5, 16, 1)
+	r := new(big.Int)
+	r.Exp(t4, p5, m)
+	r.Mul(r, t4) // r = c^(2^32-1)
+
+	p6 := new(big.Int)
+	p6.SetBit(p6, 32, 1)
+	r.Exp(r, p6, m)
+	r.Mul(r, c) // r = c^(2^64-2^32+1)
+
+	p7 := new(big.Int)
+	p7.SetBit(p7, 96, 1)
+	r.Exp(r, p7, m)
+	r.Mul(r, c) // r = c^(2^160-2^128+2^96+1)
+
+	p8 := new(big.Int)
+	p8.SetBit(p8, 94, 1)
+	r.Exp(r, p8, m)
+
+	// r = c^(2^254-2^222+2^190+2^94) = sqrt(c) mod p256
+	return r
+}
+
+// Init initializes standard Curve instances
+func (curve *p256) Init() curve {
+	curve.curve.Curve = elliptic.P256()
+	curve.p = curve.Params()
+	curve.curveOps = curve
+	return curve.curve
+}
diff --git a/kyber/group/nist/qrsuite.go b/kyber/group/nist/qrsuite.go
new file mode 100644
index 0000000000..2b1fc91072
--- /dev/null
+++ b/kyber/group/nist/qrsuite.go
@@ -0,0 +1,67 @@
+package nist
+
+import (
+	"crypto/cipher"
+	"crypto/sha256"
+	"hash"
+	"io"
+	"math/big"
+	"reflect"
+
+	"go.dedis.ch/fixbuf"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/internal/marshalling"
+	"go.dedis.ch/kyber/v3/util/random"
+	"go.dedis.ch/kyber/v3/xof/blake2xb"
+)
+
+// QrSuite is a quadratic residue suite
+type QrSuite struct {
+	ResidueGroup
+}
+
+// Hash returns the instance associated with the suite
+func (s QrSuite) Hash() hash.Hash {
+	return sha256.New()
+}
+
+// XOF creates the XOF associated with the suite
+func (s QrSuite) XOF(key []byte) kyber.XOF {
+	return blake2xb.New(key)
+}
+
+// RandomStream returns a cipher.Stream that returns a key stream
+// from crypto/rand.
+func (s QrSuite) RandomStream() cipher.Stream {
+	return random.New()
+}
+
+func (s *QrSuite) Read(r io.Reader, objs ...interface{}) error {
+	return fixbuf.Read(r, s, objs)
+}
+
+func (s *QrSuite) Write(w io.Writer, objs ...interface{}) error {
+	return fixbuf.Write(w, objs)
+}
+
+// New implements the kyber.encoding interface
+func (s *QrSuite) New(t reflect.Type) interface{} {
+	return marshalling.GroupNew(s, t)
+}
+
+// NewBlakeSHA256QR512 returns a cipher suite based on package
+// go.dedis.ch/kyber/v3/xof/blake2xb, SHA-256, and a residue group of
+// quadratic residues modulo a 512-bit prime.
+//
+// This group size should be used only for testing and experimentation.
+// 512-bit DSA-style groups are no longer considered secure.
+func NewBlakeSHA256QR512() *QrSuite {
+	p, _ := new(big.Int).SetString("10198267722357351868598076141027380280417188309231803909918464305012113541414604537422741096561285049775792035177041672305646773132014126091142862443826263", 10)
+	q, _ := new(big.Int).SetString("5099133861178675934299038070513690140208594154615901954959232152506056770707302268711370548280642524887896017588520836152823386566007063045571431221913131", 10)
+	r := new(big.Int).SetInt64(2)
+	g := new(big.Int).SetInt64(4)
+
+	suite := new(QrSuite)
+	suite.SetParams(p, q, r, g)
+	return suite
+}
diff --git a/kyber/group/nist/residue.go b/kyber/group/nist/residue.go
new file mode 100644
index 0000000000..27b845b070
--- /dev/null
+++ b/kyber/group/nist/residue.go
@@ -0,0 +1,314 @@
+package nist
+
+import (
+	"crypto/cipher"
+	"crypto/dsa"
+	"errors"
+	"fmt"
+	"io"
+	"math/big"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/internal/marshalling"
+	"go.dedis.ch/kyber/v3/group/mod"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+var one = big.NewInt(1)
+var two = big.NewInt(2)
+
+type residuePoint struct {
+	big.Int
+	g *ResidueGroup
+}
+
+// Steal value from DSA, which uses recommendation from FIPS 186-3
+const numMRTests = 64
+
+// Probabilistically test whether a big integer is prime.
+func isPrime(i *big.Int) bool {
+	return i.ProbablyPrime(numMRTests)
+}
+
+func (p *residuePoint) String() string { return p.Int.String() }
+
+func (p *residuePoint) Equal(p2 kyber.Point) bool {
+	return p.Int.Cmp(&p2.(*residuePoint).Int) == 0
+}
+
+func (p *residuePoint) Null() kyber.Point {
+	p.Int.SetInt64(1)
+	return p
+}
+
+func (p *residuePoint) Base() kyber.Point {
+	p.Int.Set(p.g.G)
+	return p
+}
+
+func (p *residuePoint) Set(p2 kyber.Point) kyber.Point {
+	p.g = p2.(*residuePoint).g
+	p.Int = p2.(*residuePoint).Int
+	return p
+}
+
+func (p *residuePoint) Clone() kyber.Point {
+	return &residuePoint{g: p.g, Int: p.Int}
+}
+
+func (p *residuePoint) Valid() bool {
+	return p.Int.Sign() > 0 && p.Int.Cmp(p.g.P) < 0 &&
+		new(big.Int).Exp(&p.Int, p.g.Q, p.g.P).Cmp(one) == 0
+}
+
+func (p *residuePoint) EmbedLen() int {
+	// Reserve at least 8 most-significant bits for randomness,
+	// and the least-significant 16 bits for embedded data length.
+	return (p.g.P.BitLen() - 8 - 16) / 8
+}
+
+func (p *residuePoint) Pick(rand cipher.Stream) kyber.Point {
+	return p.Embed(nil, rand)
+}
+
+// Embed the given data with some pseudo-random bits.
+// This will only work efficiently for quadratic residue groups!
+func (p *residuePoint) Embed(data []byte, rand cipher.Stream) kyber.Point {
+
+	l := p.g.PointLen()
+	dl := p.EmbedLen()
+	if dl > len(data) {
+		dl = len(data)
+	}
+
+	for {
+		b := random.Bits(uint(p.g.P.BitLen()), false, rand)
+		if data != nil {
+			b[l-1] = byte(dl) // Encode length in low 16 bits
+			b[l-2] = byte(dl >> 8)
+			copy(b[l-dl-2:l-2], data) // Copy in embedded data
+		}
+		p.Int.SetBytes(b)
+		if p.Valid() {
+			return p
+		}
+	}
+}
+
+// Extract embedded data from a Residue group element
+func (p *residuePoint) Data() ([]byte, error) {
+	b := p.Int.Bytes()
+	l := p.g.PointLen()
+	if len(b) < l { // pad leading zero bytes if necessary
+		b = append(make([]byte, l-len(b)), b...)
+	}
+	dl := int(b[l-2])<<8 + int(b[l-1])
+	if dl > p.EmbedLen() {
+		return nil, errors.New("invalid embedded data length")
+	}
+	return b[l-dl-2 : l-2], nil
+}
+
+func (p *residuePoint) Add(a, b kyber.Point) kyber.Point {
+	p.Int.Mul(&a.(*residuePoint).Int, &b.(*residuePoint).Int)
+	p.Int.Mod(&p.Int, p.g.P)
+	return p
+}
+
+func (p *residuePoint) Sub(a, b kyber.Point) kyber.Point {
+	binv := new(big.Int).ModInverse(&b.(*residuePoint).Int, p.g.P)
+	p.Int.Mul(&a.(*residuePoint).Int, binv)
+	p.Int.Mod(&p.Int, p.g.P)
+	return p
+}
+
+func (p *residuePoint) Neg(a kyber.Point) kyber.Point {
+	p.Int.ModInverse(&a.(*residuePoint).Int, p.g.P)
+	return p
+}
+
+func (p *residuePoint) Mul(s kyber.Scalar, b kyber.Point) kyber.Point {
+	if b == nil {
+		return p.Base().Mul(s, p)
+	}
+	// to protect against golang/go#22830
+	var tmp big.Int
+	tmp.Exp(&b.(*residuePoint).Int, &s.(*mod.Int).V, p.g.P)
+	p.Int = tmp
+	return p
+}
+
+func (p *residuePoint) MarshalSize() int {
+	return (p.g.P.BitLen() + 7) / 8
+}
+
+func (p *residuePoint) MarshalBinary() ([]byte, error) {
+	b := p.Int.Bytes() // may be shorter than len(buf)
+	if pre := p.MarshalSize() - len(b); pre != 0 {
+		return append(make([]byte, pre), b...), nil
+	}
+	return b, nil
+}
+
+func (p *residuePoint) UnmarshalBinary(data []byte) error {
+	p.Int.SetBytes(data)
+	if !p.Valid() {
+		return errors.New("invalid Residue group element")
+	}
+	return nil
+}
+
+func (p *residuePoint) MarshalTo(w io.Writer) (int, error) {
+	return marshalling.PointMarshalTo(p, w)
+}
+
+func (p *residuePoint) UnmarshalFrom(r io.Reader) (int, error) {
+	return marshalling.PointUnmarshalFrom(p, r)
+}
+
+/*
+A ResidueGroup represents a DSA-style modular integer arithmetic group,
+defined by two primes P and Q and an integer R, such that P = Q*R+1.
+Points in a ResidueGroup are R-residues modulo P,
+and Scalars are integer exponents modulo the group order Q.
+
+In traditional DSA groups P is typically much larger than Q,
+and hence use a large multiple R.
+This is done to minimize the computational cost of modular exponentiation
+while maximizing security against known classes of attacks:
+P must be on the order of thousands of bits long
+while for security Q is believed to require only hundreds of bits.
+Such computation-optimized groups are suitable
+for Diffie-Hellman agreement, DSA or ElGamal signatures, etc.,
+which depend on Point.Mul() and homomorphic properties.
+
+However, residue groups with large R are less suitable for
+public-key cryptographic techniques that require choosing Points
+pseudo-randomly or to contain embedded data,
+as required by ElGamal encryption for example.
+For such purposes quadratic residue groups are more suitable -
+representing the special case where R=2 and hence P=2Q+1.
+As a result, the Point.Pick() method should be expected to work efficiently
+ONLY on quadratic residue groups in which R=2.
+*/
+type ResidueGroup struct {
+	dsa.Parameters
+	R *big.Int
+}
+
+func (g *ResidueGroup) String() string {
+	return fmt.Sprintf("Residue%d", g.P.BitLen())
+}
+
+// ScalarLen returns the number of bytes in the encoding of a Scalar
+// for this Residue group.
+func (g *ResidueGroup) ScalarLen() int { return (g.Q.BitLen() + 7) / 8 }
+
+// Scalar creates a Scalar associated with this Residue group,
+// with an initial value of nil.
+func (g *ResidueGroup) Scalar() kyber.Scalar {
+	return mod.NewInt64(0, g.Q)
+}
+
+// PointLen returns the number of bytes in the encoding of a Point
+// for this Residue group.
+func (g *ResidueGroup) PointLen() int { return (g.P.BitLen() + 7) / 8 }
+
+// Point creates a Point associated with this Residue group,
+// with an initial value of nil.
+func (g *ResidueGroup) Point() kyber.Point {
+	p := new(residuePoint)
+	p.g = g
+	return p
+}
+
+// Order returns the order of this Residue group, namely the prime Q.
+func (g *ResidueGroup) Order() *big.Int {
+	return g.Q
+}
+
+// Valid validates the parameters for a Residue group,
+// checking that P and Q are prime, P=Q*R+1,
+// and that G is a valid generator for this group.
+func (g *ResidueGroup) Valid() bool {
+
+	// Make sure both P and Q are prime
+	if !isPrime(g.P) || !isPrime(g.Q) {
+		return false
+	}
+
+	// Validate the equation P = QR+1
+	n := new(big.Int)
+	n.Mul(g.Q, g.R)
+	n.Add(n, one)
+	if n.Cmp(g.P) != 0 {
+		return false
+	}
+
+	// Validate the generator G
+	if g.G.Cmp(one) <= 0 || n.Exp(g.G, g.Q, g.P).Cmp(one) != 0 {
+		return false
+	}
+
+	return true
+}
+
+// SetParams explicitly initializes a ResidueGroup with given parameters.
+func (g *ResidueGroup) SetParams(P, Q, R, G *big.Int) {
+	g.P = P
+	g.Q = Q
+	g.R = R
+	g.G = G
+	if !g.Valid() {
+		panic("SetParams: bad Residue group parameters")
+	}
+}
+
+// QuadraticResidueGroup initializes Residue group parameters for a quadratic residue group,
+// by picking primes P and Q such that P=2Q+1
+// and the smallest valid generator G for this group.
+func (g *ResidueGroup) QuadraticResidueGroup(bitlen uint, rand cipher.Stream) {
+	g.R = two
+
+	// pick primes p,q such that p = 2q+1
+	fmt.Printf("Generating %d-bit QR group", bitlen)
+	for i := 0; ; i++ {
+		if i > 1000 {
+			print(".")
+			i = 0
+		}
+
+		// First pick a prime Q
+		b := random.Bits(bitlen-1, true, rand)
+		b[len(b)-1] |= 1 // must be odd
+		g.Q = new(big.Int).SetBytes(b)
+		//println("q?",hex.EncodeToString(g.Q.Bytes()))
+		if !isPrime(g.Q) {
+			continue
+		}
+
+		// Does the corresponding P come out prime too?
+		g.P = new(big.Int)
+		g.P.Mul(g.Q, two)
+		g.P.Add(g.P, one)
+		//println("p?",hex.EncodeToString(g.P.Bytes()))
+		if uint(g.P.BitLen()) == bitlen && isPrime(g.P) {
+			break
+		}
+	}
+	println()
+	println("p", g.P.String())
+	println("q", g.Q.String())
+
+	// pick standard generator G
+	h := new(big.Int).Set(two)
+	g.G = new(big.Int)
+	for {
+		g.G.Exp(h, two, g.P)
+		if g.G.Cmp(one) != 0 {
+			break
+		}
+		h.Add(h, one)
+	}
+	println("g", g.G.String())
+}
diff --git a/kyber/group/nist/suite.go b/kyber/group/nist/suite.go
new file mode 100644
index 0000000000..04f6bdd835
--- /dev/null
+++ b/kyber/group/nist/suite.go
@@ -0,0 +1,62 @@
+package nist
+
+import (
+	"crypto/cipher"
+	"crypto/sha256"
+	"hash"
+	"io"
+	"reflect"
+
+	"go.dedis.ch/fixbuf"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/internal/marshalling"
+	"go.dedis.ch/kyber/v3/util/random"
+	"go.dedis.ch/kyber/v3/xof/blake2xb"
+)
+
+// Suite128 is the suite for P256 curve
+type Suite128 struct {
+	p256
+}
+
+// Hash returns the instance associated with the suite
+func (s *Suite128) Hash() hash.Hash {
+	return sha256.New()
+}
+
+// XOF creates the XOF associated with the suite
+func (s *Suite128) XOF(key []byte) kyber.XOF {
+	return blake2xb.New(key)
+}
+
+// RandomStream returns a cipher.Stream that returns a key stream
+// from crypto/rand.
+func (s *Suite128) RandomStream() cipher.Stream {
+	return random.New()
+}
+
+func (s *Suite128) Read(r io.Reader, objs ...interface{}) error {
+	return fixbuf.Read(r, s, objs)
+}
+
+func (s *Suite128) Write(w io.Writer, objs ...interface{}) error {
+	return fixbuf.Write(w, objs)
+}
+
+// New implements the kyber.encoding interface
+func (s *Suite128) New(t reflect.Type) interface{} {
+	return marshalling.GroupNew(s, t)
+}
+
+// NewBlakeSHA256P256 returns a cipher suite based on package
+// go.dedis.ch/kyber/v3/xof/blake2xb, SHA-256, and the NIST P-256
+// elliptic curve. It returns random streams from Go's crypto/rand.
+//
+// The scalars created by this group implement kyber.Scalar's SetBytes
+// method, interpreting the bytes as a big-endian integer, so as to be
+// compatible with the Go standard library's big.Int type.
+func NewBlakeSHA256P256() *Suite128 {
+	suite := new(Suite128)
+	suite.p256.Init()
+	return suite
+}
diff --git a/kyber/hash.go b/kyber/hash.go
new file mode 100644
index 0000000000..5632df31af
--- /dev/null
+++ b/kyber/hash.go
@@ -0,0 +1,8 @@
+package kyber
+
+import "hash"
+
+// A HashFactory is an interface that can be mixed in to local suite definitions.
+type HashFactory interface {
+	Hash() hash.Hash
+}
diff --git a/kyber/pairing/adapter.go b/kyber/pairing/adapter.go
new file mode 100644
index 0000000000..ade840742b
--- /dev/null
+++ b/kyber/pairing/adapter.go
@@ -0,0 +1,51 @@
+package pairing
+
+import (
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/pairing/bn256"
+)
+
+// SuiteBn256 is an adapter that implements the suites.Suite interface so that
+// bn256 can be used as a common suite to generate key pairs for instance but
+// still preserves the properties of the pairing (e.g. the Pair function).
+//
+// It's important to note that the Point function will generate a point
+// compatible with public keys only (group G2) where the signature must be
+// used as a point from the group G1.
+type SuiteBn256 struct {
+	Suite
+	kyber.Group
+}
+
+// NewSuiteBn256 makes a new BN256 suite
+func NewSuiteBn256() *SuiteBn256 {
+	return &SuiteBn256{
+		Suite: bn256.NewSuite(),
+	}
+}
+
+// Point generates a point from the G2 group that can only be used
+// for public keys
+func (s *SuiteBn256) Point() kyber.Point {
+	return s.G2().Point()
+}
+
+// PointLen returns the length of a G2 point
+func (s *SuiteBn256) PointLen() int {
+	return s.G2().PointLen()
+}
+
+// Scalar generates a scalar
+func (s *SuiteBn256) Scalar() kyber.Scalar {
+	return s.G1().Scalar()
+}
+
+// ScalarLen returns the lenght of a scalar
+func (s *SuiteBn256) ScalarLen() int {
+	return s.G1().ScalarLen()
+}
+
+// String returns the name of the suite
+func (s *SuiteBn256) String() string {
+	return "bn256.adapter"
+}
diff --git a/kyber/pairing/adapter_test.go b/kyber/pairing/adapter_test.go
new file mode 100644
index 0000000000..97bbbb7283
--- /dev/null
+++ b/kyber/pairing/adapter_test.go
@@ -0,0 +1,28 @@
+package pairing
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3/util/key"
+)
+
+func TestAdapter_SuiteBn256(t *testing.T) {
+	suite := NewSuiteBn256()
+
+	pair := key.NewKeyPair(suite)
+	pubkey, err := pair.Public.MarshalBinary()
+	require.Nil(t, err)
+	privkey, err := pair.Private.MarshalBinary()
+	require.Nil(t, err)
+
+	pubhex := suite.Point()
+	err = pubhex.UnmarshalBinary(pubkey)
+	require.Nil(t, err)
+
+	privhex := suite.Scalar()
+	err = privhex.UnmarshalBinary(privkey)
+	require.Nil(t, err)
+
+	require.Equal(t, "bn256.adapter", suite.String())
+}
diff --git a/kyber/pairing/bn256/LICENSE b/kyber/pairing/bn256/LICENSE
new file mode 100644
index 0000000000..6a66aea5ea
--- /dev/null
+++ b/kyber/pairing/bn256/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/kyber/pairing/bn256/README.md b/kyber/pairing/bn256/README.md
new file mode 100644
index 0000000000..cab2ccea57
--- /dev/null
+++ b/kyber/pairing/bn256/README.md
@@ -0,0 +1,21 @@
+bn256
+-----
+
+Package bn256 implements the Optimal Ate pairing over a 256-bit Barreto-Naehrig
+curve targeting a 128-bit security level as described in the paper 
+[New Software Speed Records for Cryptocraphic Pairings](http://cryptojedi.org/papers/dclxvi-20100714.pdf). 
+Its output is compatible with the implementation described in that paper.
+
+The basis for this package is [Cloudflare's bn256 implementation](https://github.com/cloudflare/bn256)
+which itself is an improved version of the [official bn256 package](https://golang.org/x/crypto/bn256).
+The package at hand maintains compatibility to Cloudflare's library. The biggest difference is the replacement of their
+[public API](https://github.com/cloudflare/bn256/blob/master/bn256.go) by a new
+one that is compatible to Kyber's scalar, point, group, and suite interfaces.
+
+[Bilinear groups](https://en.wikipedia.org/wiki/Pairing-based_cryptography) are
+the basis for many new cryptographic protocols that have been proposed over the
+past decade. They consist of a triplet of groups (G₁, G₂ and GT) such that there
+exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a generator of the respective
+group) which is called a pairing.
+
+
diff --git a/kyber/pairing/bn256/constants.go b/kyber/pairing/bn256/constants.go
new file mode 100644
index 0000000000..943751a074
--- /dev/null
+++ b/kyber/pairing/bn256/constants.go
@@ -0,0 +1,56 @@
+package bn256
+
+import (
+	"math/big"
+)
+
+func bigFromBase10(s string) *big.Int {
+	n, _ := new(big.Int).SetString(s, 10)
+	return n
+}
+
+// u is the BN parameter that determines the prime: 1868033³.
+var u = bigFromBase10("6518589491078791937")
+
+// p is a prime over which we form a basic field: 36u⁴+36u³+24u²+6u+1.
+var p = bigFromBase10("65000549695646603732796438742359905742825358107623003571877145026864184071783")
+
+// Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1.
+// order-1 = (2**5) * 3 * 5743 * 280941149 * 130979359433191 * 491513138693455212421542731357 * 6518589491078791937
+var Order = bigFromBase10("65000549695646603732796438742359905742570406053903786389881062969044166799969")
+
+// xiToPMinus1Over6 is ξ^((p-1)/6) where ξ = i+3.
+var xiToPMinus1Over6 = &gfP2{gfP{0x25af52988477cdb7, 0x3d81a455ddced86a, 0x227d012e872c2431, 0x179198d3ea65d05}, gfP{0x7407634dd9cca958, 0x36d5bd6c7afb8f26, 0xf4b1c32cebd880fa, 0x6aa7869306f455f}}
+
+// xiToPMinus1Over3 is ξ^((p-1)/3) where ξ = i+3.
+var xiToPMinus1Over3 = &gfP2{gfP{0x4f59e37c01832e57, 0xae6be39ac2bbbfe4, 0xe04ea1bb697512f8, 0x3097caa8fc40e10e}, gfP{0xf8606916d3816f2c, 0x1e5c0d7926de927e, 0xbc45f3946d81185e, 0x80752a25aa738091}}
+
+// xiToPMinus1Over2 is ξ^((p-1)/2) where ξ = i+3.
+var xiToPMinus1Over2 = &gfP2{gfP{0x19da71333653ee20, 0x7eaaf34fc6ed6019, 0xc4ba3a29a60cdd1d, 0x75281311bcc9df79}, gfP{0x18dbee03fb7708fa, 0x1e7601a602c843c7, 0x5dde0688cdb231cb, 0x86db5cf2c605a524}}
+
+// xiToPSquaredMinus1Over3 is ξ^((p²-1)/3) where ξ = i+3.
+var xiToPSquaredMinus1Over3 = &gfP{0x12d3cef5e1ada57d, 0xe2eca1463753babb, 0xca41e40ddccf750, 0x551337060397e04c}
+
+// xiTo2PSquaredMinus2Over3 is ξ^((2p²-2)/3) where ξ = i+3 (a cubic root of unity, mod p).
+var xiTo2PSquaredMinus2Over3 = &gfP{0x3642364f386c1db8, 0xe825f92d2acd661f, 0xf2aba7e846c19d14, 0x5a0bcea3dc52b7a0}
+
+// xiToPSquaredMinus1Over6 is ξ^((1p²-1)/6) where ξ = i+3 (a cubic root of -1, mod p).
+var xiToPSquaredMinus1Over6 = &gfP{0xe21a761d259c78af, 0x6358fa3f5e84f7e, 0xb7c444d01ac33f0d, 0x35a9333f6e50d058}
+
+// xiTo2PMinus2Over3 is ξ^((2p-2)/3) where ξ = i+3.
+var xiTo2PMinus2Over3 = &gfP2{gfP{0x51678e7469b3c52a, 0x4fb98f8b13319fc9, 0x29b2254db3f1df75, 0x1c044935a3d22fb2}, gfP{0x4d2ea218872f3d2c, 0x2fcb27fc4abe7b69, 0xd31d972f0e88ced9, 0x53adc04a00a73b15}}
+
+// p2 is p, represented as little-endian 64-bit words.
+var p2 = [4]uint64{0x185cac6c5e089667, 0xee5b88d120b5b59e, 0xaa6fecb86184dc21, 0x8fb501e34aa387f9}
+
+// np is the negative inverse of p, mod 2^256.
+var np = [4]uint64{0x2387f9007f17daa9, 0x734b3343ab8513c8, 0x2524282f48054c12, 0x38997ae661c3ef3c}
+
+// rN1 is R^-1 where R = 2^256 mod p.
+var rN1 = &gfP{0xcbb781e36236117d, 0xcc65f3bcec8c91b, 0x2eab68888ea1f515, 0x1fc5c0956f92f825}
+
+// r2 is R^2 where R = 2^256 mod p.
+var r2 = &gfP{0x9c21c3ff7e444f56, 0x409ed151b2efb0c2, 0xc6dc37b80fb1651, 0x7c36e0e62c2380b7}
+
+// r3 is R^3 where R = 2^256 mod p.
+var r3 = &gfP{0x2af2dfb9324a5bb8, 0x388f899054f538a4, 0xdf2ff66396b107a7, 0x24ebbbb3a2529292}
diff --git a/kyber/pairing/bn256/curve.go b/kyber/pairing/bn256/curve.go
new file mode 100644
index 0000000000..43b1ae0f2a
--- /dev/null
+++ b/kyber/pairing/bn256/curve.go
@@ -0,0 +1,243 @@
+package bn256
+
+import (
+	"fmt"
+	"math/big"
+)
+
+// curvePoint implements the elliptic curve y²=x³+3. Points are kept in Jacobian
+// form and t=z² when valid. G₁ is the set of points of this curve on GF(p).
+type curvePoint struct {
+	x, y, z, t gfP
+}
+
+var curveB = newGFp(3)
+
+// curveGen is the generator of G₁.
+var curveGen = &curvePoint{
+	x: *newGFp(1),
+	y: *newGFp(-2),
+	z: *newGFp(1),
+	t: *newGFp(1),
+}
+
+func (c *curvePoint) String() string {
+	cpy := c.Clone()
+	cpy.MakeAffine()
+	x, y := &gfP{}, &gfP{}
+	montDecode(x, &cpy.x)
+	montDecode(y, &cpy.y)
+	return fmt.Sprintf("(%s, %s)", x.String(), y.String())
+}
+
+func (c *curvePoint) Set(a *curvePoint) {
+	c.x.Set(&a.x)
+	c.y.Set(&a.y)
+	c.z.Set(&a.z)
+	c.t.Set(&a.t)
+}
+
+// IsOnCurve returns true iff c is on the curve.
+func (c *curvePoint) IsOnCurve() bool {
+	c.MakeAffine()
+	if c.IsInfinity() {
+		return true
+	}
+
+	y2, x3 := &gfP{}, &gfP{}
+	gfpMul(y2, &c.y, &c.y)
+	gfpMul(x3, &c.x, &c.x)
+	gfpMul(x3, x3, &c.x)
+	gfpAdd(x3, x3, curveB)
+
+	return *y2 == *x3
+}
+
+func (c *curvePoint) SetInfinity() {
+	c.x = gfP{0}
+	c.y = *newGFp(1)
+	c.z = gfP{0}
+	c.t = gfP{0}
+}
+
+func (c *curvePoint) IsInfinity() bool {
+	return c.z == gfP{0}
+}
+
+func (c *curvePoint) Add(a, b *curvePoint) {
+	if a.IsInfinity() {
+		c.Set(b)
+		return
+	}
+	if b.IsInfinity() {
+		c.Set(a)
+		return
+	}
+
+	// See http://hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian-0/addition/add-2007-bl.op3
+
+	// Normalize the points by replacing a = [x1:y1:z1] and b = [x2:y2:z2]
+	// by [u1:s1:z1·z2] and [u2:s2:z1·z2]
+	// where u1 = x1·z2², s1 = y1·z2³ and u1 = x2·z1², s2 = y2·z1³
+	z12, z22 := &gfP{}, &gfP{}
+	gfpMul(z12, &a.z, &a.z)
+	gfpMul(z22, &b.z, &b.z)
+
+	u1, u2 := &gfP{}, &gfP{}
+	gfpMul(u1, &a.x, z22)
+	gfpMul(u2, &b.x, z12)
+
+	t, s1 := &gfP{}, &gfP{}
+	gfpMul(t, &b.z, z22)
+	gfpMul(s1, &a.y, t)
+
+	s2 := &gfP{}
+	gfpMul(t, &a.z, z12)
+	gfpMul(s2, &b.y, t)
+
+	// Compute x = (2h)²(s²-u1-u2)
+	// where s = (s2-s1)/(u2-u1) is the slope of the line through
+	// (u1,s1) and (u2,s2). The extra factor 2h = 2(u2-u1) comes from the value of z below.
+	// This is also:
+	// 4(s2-s1)² - 4h²(u1+u2) = 4(s2-s1)² - 4h³ - 4h²(2u1)
+	//                        = r² - j - 2v
+	// with the notations below.
+	h := &gfP{}
+	gfpSub(h, u2, u1)
+	xEqual := *h == gfP{0}
+
+	gfpAdd(t, h, h)
+	// i = 4h²
+	i := &gfP{}
+	gfpMul(i, t, t)
+	// j = 4h³
+	j := &gfP{}
+	gfpMul(j, h, i)
+
+	gfpSub(t, s2, s1)
+	yEqual := *t == gfP{0}
+	if xEqual && yEqual {
+		c.Double(a)
+		return
+	}
+	r := &gfP{}
+	gfpAdd(r, t, t)
+
+	v := &gfP{}
+	gfpMul(v, u1, i)
+
+	// t4 = 4(s2-s1)²
+	t4, t6 := &gfP{}, &gfP{}
+	gfpMul(t4, r, r)
+	gfpAdd(t, v, v)
+	gfpSub(t6, t4, j)
+
+	gfpSub(&c.x, t6, t)
+
+	// Set y = -(2h)³(s1 + s*(x/4h²-u1))
+	// This is also
+	// y = - 2·s1·j - (s2-s1)(2x - 2i·u1) = r(v-x) - 2·s1·j
+	gfpSub(t, v, &c.x) // t7
+	gfpMul(t4, s1, j)  // t8
+	gfpAdd(t6, t4, t4) // t9
+	gfpMul(t4, r, t)   // t10
+	gfpSub(&c.y, t4, t6)
+
+	// Set z = 2(u2-u1)·z1·z2 = 2h·z1·z2
+	gfpAdd(t, &a.z, &b.z) // t11
+	gfpMul(t4, t, t)      // t12
+	gfpSub(t, t4, z12)    // t13
+	gfpSub(t4, t, z22)    // t14
+	gfpMul(&c.z, t4, h)
+}
+
+func (c *curvePoint) Double(a *curvePoint) {
+	// See http://hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian-0/doubling/dbl-2009-l.op3
+	A, B, C := &gfP{}, &gfP{}, &gfP{}
+	gfpMul(A, &a.x, &a.x)
+	gfpMul(B, &a.y, &a.y)
+	gfpMul(C, B, B)
+
+	t, t2 := &gfP{}, &gfP{}
+	gfpAdd(t, &a.x, B)
+	gfpMul(t2, t, t)
+	gfpSub(t, t2, A)
+	gfpSub(t2, t, C)
+
+	d, e, f := &gfP{}, &gfP{}, &gfP{}
+	gfpAdd(d, t2, t2)
+	gfpAdd(t, A, A)
+	gfpAdd(e, t, A)
+	gfpMul(f, e, e)
+
+	gfpAdd(t, d, d)
+	gfpSub(&c.x, f, t)
+
+	gfpAdd(t, C, C)
+	gfpAdd(t2, t, t)
+	gfpAdd(t, t2, t2)
+	gfpSub(&c.y, d, &c.x)
+	gfpMul(t2, e, &c.y)
+	gfpSub(&c.y, t2, t)
+
+	gfpMul(t, &a.y, &a.z)
+	gfpAdd(&c.z, t, t)
+}
+
+func (c *curvePoint) Mul(a *curvePoint, scalar *big.Int) {
+	sum, t := &curvePoint{}, &curvePoint{}
+	sum.SetInfinity()
+
+	for i := scalar.BitLen(); i >= 0; i-- {
+		t.Double(sum)
+		if scalar.Bit(i) != 0 {
+			sum.Add(t, a)
+		} else {
+			sum.Set(t)
+		}
+	}
+
+	c.Set(sum)
+}
+
+func (c *curvePoint) MakeAffine() {
+	if c.z == *newGFp(1) {
+		return
+	} else if c.z == *newGFp(0) {
+		c.x = gfP{0}
+		c.y = *newGFp(1)
+		c.t = gfP{0}
+		return
+	}
+
+	zInv := &gfP{}
+	zInv.Invert(&c.z)
+
+	t, zInv2 := &gfP{}, &gfP{}
+	gfpMul(t, &c.y, zInv)
+	gfpMul(zInv2, zInv, zInv)
+
+	gfpMul(&c.x, &c.x, zInv2)
+	gfpMul(&c.y, t, zInv2)
+
+	c.z = *newGFp(1)
+	c.t = *newGFp(1)
+}
+
+func (c *curvePoint) Neg(a *curvePoint) {
+	c.x.Set(&a.x)
+	gfpNeg(&c.y, &a.y)
+	c.z.Set(&a.z)
+	c.t = gfP{0}
+}
+
+// Clone makes a hard copy of the curve point
+func (c *curvePoint) Clone() *curvePoint {
+	n := &curvePoint{}
+	copy(n.x[:], c.x[:])
+	copy(n.y[:], c.y[:])
+	copy(n.z[:], c.z[:])
+	copy(n.t[:], c.t[:])
+
+	return n
+}
diff --git a/kyber/pairing/bn256/gfp.go b/kyber/pairing/bn256/gfp.go
new file mode 100644
index 0000000000..aee0bbcaec
--- /dev/null
+++ b/kyber/pairing/bn256/gfp.go
@@ -0,0 +1,69 @@
+package bn256
+
+import (
+	"fmt"
+)
+
+type gfP [4]uint64
+
+func newGFp(x int64) (out *gfP) {
+	if x >= 0 {
+		out = &gfP{uint64(x)}
+	} else {
+		out = &gfP{uint64(-x)}
+		gfpNeg(out, out)
+	}
+
+	montEncode(out, out)
+	return out
+}
+
+func (e *gfP) String() string {
+	return fmt.Sprintf("%16.16x%16.16x%16.16x%16.16x", e[3], e[2], e[1], e[0])
+}
+
+func (e *gfP) Set(f *gfP) {
+	e[0] = f[0]
+	e[1] = f[1]
+	e[2] = f[2]
+	e[3] = f[3]
+}
+
+func (e *gfP) Invert(f *gfP) {
+	bits := [4]uint64{0x185cac6c5e089665, 0xee5b88d120b5b59e, 0xaa6fecb86184dc21, 0x8fb501e34aa387f9}
+
+	sum, power := &gfP{}, &gfP{}
+	sum.Set(rN1)
+	power.Set(f)
+
+	for word := 0; word < 4; word++ {
+		for bit := uint(0); bit < 64; bit++ {
+			if (bits[word]>>bit)&1 == 1 {
+				gfpMul(sum, sum, power)
+			}
+			gfpMul(power, power, power)
+		}
+	}
+
+	gfpMul(sum, sum, r3)
+	e.Set(sum)
+}
+
+func (e *gfP) Marshal(out []byte) {
+	for w := uint(0); w < 4; w++ {
+		for b := uint(0); b < 8; b++ {
+			out[8*w+b] = byte(e[3-w] >> (56 - 8*b))
+		}
+	}
+}
+
+func (e *gfP) Unmarshal(in []byte) {
+	for w := uint(0); w < 4; w++ {
+		for b := uint(0); b < 8; b++ {
+			e[3-w] += uint64(in[8*w+b]) << (56 - 8*b)
+		}
+	}
+}
+
+func montEncode(c, a *gfP) { gfpMul(c, a, r2) }
+func montDecode(c, a *gfP) { gfpMul(c, a, &gfP{1}) }
diff --git a/kyber/pairing/bn256/gfp.h b/kyber/pairing/bn256/gfp.h
new file mode 100644
index 0000000000..66f5a4d07d
--- /dev/null
+++ b/kyber/pairing/bn256/gfp.h
@@ -0,0 +1,32 @@
+#define storeBlock(a0,a1,a2,a3, r) \
+	MOVQ a0,  0+r \
+	MOVQ a1,  8+r \
+	MOVQ a2, 16+r \
+	MOVQ a3, 24+r
+
+#define loadBlock(r, a0,a1,a2,a3) \
+	MOVQ  0+r, a0 \
+	MOVQ  8+r, a1 \
+	MOVQ 16+r, a2 \
+	MOVQ 24+r, a3
+
+#define gfpCarry(a0,a1,a2,a3,a4, b0,b1,b2,b3,b4) \
+	\ // b = a-p
+	MOVQ a0, b0 \
+	MOVQ a1, b1 \
+	MOVQ a2, b2 \
+	MOVQ a3, b3 \
+	MOVQ a4, b4 \
+	\
+	SUBQ ·p2+0(SB), b0 \
+	SBBQ ·p2+8(SB), b1 \
+	SBBQ ·p2+16(SB), b2 \
+	SBBQ ·p2+24(SB), b3 \
+	SBBQ $0, b4 \
+	\
+	\ // if b is negative then return a
+	\ // else return b
+	CMOVQCC b0, a0 \
+	CMOVQCC b1, a1 \
+	CMOVQCC b2, a2 \
+	CMOVQCC b3, a3
diff --git a/kyber/pairing/bn256/gfp12.go b/kyber/pairing/bn256/gfp12.go
new file mode 100644
index 0000000000..8835d11ec2
--- /dev/null
+++ b/kyber/pairing/bn256/gfp12.go
@@ -0,0 +1,231 @@
+package bn256
+
+// For details of the algorithms used, see "Multiplication and Squaring on
+// Pairing-Friendly Fields, Devegili et al.
+// http://eprint.iacr.org/2006/471.pdf.
+
+import (
+	"math/big"
+)
+
+// gfP12 implements the field of size p¹² as a quadratic extension of gfP6
+// where ω²=τ.
+type gfP12 struct {
+	x, y gfP6 // value is xω + y
+}
+
+var gfP12Gen = &gfP12{
+	x: gfP6{
+		x: gfP2{
+			x: gfP{0x62d608d6bb67a4fb, 0x9a66ec93f0c2032f, 0x5391628e924e1a34, 0x2162dbf7de801d0e},
+			y: gfP{0x3e0c1a72bf08eb4f, 0x4972ec05990a5ecc, 0xf7b9a407ead8007e, 0x3ca04c613572ce49},
+		},
+		y: gfP2{
+			x: gfP{0xace536a5607c910e, 0xda93774a941ddd40, 0x5de0e9853b7593ad, 0xe05bb926f513153},
+			y: gfP{0x3f4c99f8abaf1a22, 0x66d5f6121f86dc33, 0x8e0a82f68a50abba, 0x819927d1eebd0695},
+		},
+		z: gfP2{
+			x: gfP{0x7cdef49c5477faa, 0x40eb71ffedaa199d, 0xbc896661f17c9b8f, 0x3144462983c38c02},
+			y: gfP{0xcd09ee8dd8418013, 0xf8d050d05faa9b11, 0x589e90a555507ee1, 0x58e4ab25f9c49c15},
+		},
+	},
+	y: gfP6{
+		x: gfP2{
+			x: gfP{0x7e76809b142d020b, 0xd9949d1b2822e995, 0x3de93d974f84b076, 0x144523477028928d},
+			y: gfP{0x79952799f9ef4b0, 0x4102c47aa3df01c6, 0xfa82a633c53da2e1, 0x54c3f0392f9f7e0e},
+		},
+		y: gfP2{
+			x: gfP{0xd3432a335533272b, 0xa008fbbdc7d74f4a, 0x68e3c81eb7295ed9, 0x17fe34c21fdecef2},
+			y: gfP{0xfb0bc4c0ef6df55f, 0x8bdc585b70bc2120, 0x17d498d2cb720def, 0x2a368248319b899c},
+		},
+		z: gfP2{
+			x: gfP{0xf8487d81cb354c6c, 0x7421be69f1522caa, 0x6940c778b9fb2d54, 0x7da4b04e102bb621},
+			y: gfP{0x97b91989993e7be4, 0x8526545356eab684, 0xb050073022eb1892, 0x658b432ad09939c0},
+		},
+	},
+}
+
+var gfP12Inf = &gfP12{
+	x: gfP6{
+		x: gfP2{
+			x: gfP{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
+			y: gfP{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
+		},
+		y: gfP2{
+			x: gfP{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
+			y: gfP{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
+		},
+		z: gfP2{
+			x: gfP{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
+			y: gfP{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
+		},
+	},
+	y: gfP6{
+		x: gfP2{
+			x: gfP{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
+			y: gfP{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
+		},
+		y: gfP2{
+			x: gfP{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
+			y: gfP{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
+		},
+		z: gfP2{
+			x: gfP{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
+			y: gfP{0xe7a35393a1f76999, 0x11a4772edf4a4a61, 0x559013479e7b23de, 0x704afe1cb55c7806},
+		},
+	},
+}
+
+func (e *gfP12) String() string {
+	return "(" + e.x.String() + "," + e.y.String() + ")"
+}
+
+func (e *gfP12) Set(a *gfP12) *gfP12 {
+	e.x.Set(&a.x)
+	e.y.Set(&a.y)
+	return e
+}
+
+func (e *gfP12) SetZero() *gfP12 {
+	e.x.SetZero()
+	e.y.SetZero()
+	return e
+}
+
+func (e *gfP12) SetOne() *gfP12 {
+	e.x.SetZero()
+	e.y.SetOne()
+	return e
+}
+
+func (e *gfP12) IsZero() bool {
+	return e.x.IsZero() && e.y.IsZero()
+}
+
+func (e *gfP12) IsOne() bool {
+	return e.x.IsZero() && e.y.IsOne()
+}
+
+func (e *gfP12) Conjugate(a *gfP12) *gfP12 {
+	e.x.Neg(&a.x)
+	e.y.Set(&a.y)
+	return e
+}
+
+func (e *gfP12) Neg(a *gfP12) *gfP12 {
+	e.x.Neg(&a.x)
+	e.y.Neg(&a.y)
+	return e
+}
+
+// Frobenius computes (xω+y)^p = x^p ω·ξ^((p-1)/6) + y^p
+func (e *gfP12) Frobenius(a *gfP12) *gfP12 {
+	e.x.Frobenius(&a.x)
+	e.y.Frobenius(&a.y)
+	e.x.MulScalar(&e.x, xiToPMinus1Over6)
+	return e
+}
+
+// FrobeniusP2 computes (xω+y)^p² = x^p² ω·ξ^((p²-1)/6) + y^p²
+func (e *gfP12) FrobeniusP2(a *gfP12) *gfP12 {
+	e.x.FrobeniusP2(&a.x)
+	e.x.MulGFP(&e.x, xiToPSquaredMinus1Over6)
+	e.y.FrobeniusP2(&a.y)
+	return e
+}
+
+func (e *gfP12) FrobeniusP4(a *gfP12) *gfP12 {
+	e.x.FrobeniusP4(&a.x)
+	e.x.MulGFP(&e.x, xiToPSquaredMinus1Over3)
+	e.y.FrobeniusP4(&a.y)
+	return e
+}
+
+func (e *gfP12) Add(a, b *gfP12) *gfP12 {
+	e.x.Add(&a.x, &b.x)
+	e.y.Add(&a.y, &b.y)
+	return e
+}
+
+func (e *gfP12) Sub(a, b *gfP12) *gfP12 {
+	e.x.Sub(&a.x, &b.x)
+	e.y.Sub(&a.y, &b.y)
+	return e
+}
+
+func (e *gfP12) Mul(a, b *gfP12) *gfP12 {
+	tx := (&gfP6{}).Mul(&a.x, &b.y)
+	t := (&gfP6{}).Mul(&b.x, &a.y)
+	tx.Add(tx, t)
+
+	ty := (&gfP6{}).Mul(&a.y, &b.y)
+	t.Mul(&a.x, &b.x).MulTau(t)
+
+	e.x.Set(tx)
+	e.y.Add(ty, t)
+	return e
+}
+
+func (e *gfP12) MulScalar(a *gfP12, b *gfP6) *gfP12 {
+	e.x.Mul(&e.x, b)
+	e.y.Mul(&e.y, b)
+	return e
+}
+
+func (e *gfP12) Exp(a *gfP12, power *big.Int) *gfP12 {
+	sum := (&gfP12{}).SetOne()
+	t := &gfP12{}
+
+	for i := power.BitLen() - 1; i >= 0; i-- {
+		t.Square(sum)
+		if power.Bit(i) != 0 {
+			sum.Mul(t, a)
+		} else {
+			sum.Set(t)
+		}
+	}
+
+	e.Set(sum)
+	return e
+}
+
+func (e *gfP12) Square(a *gfP12) *gfP12 {
+	// Complex squaring algorithm
+	v0 := (&gfP6{}).Mul(&a.x, &a.y)
+
+	t := (&gfP6{}).MulTau(&a.x)
+	t.Add(&a.y, t)
+	ty := (&gfP6{}).Add(&a.x, &a.y)
+	ty.Mul(ty, t).Sub(ty, v0)
+	t.MulTau(v0)
+	ty.Sub(ty, t)
+
+	e.x.Add(v0, v0)
+	e.y.Set(ty)
+	return e
+}
+
+func (e *gfP12) Invert(a *gfP12) *gfP12 {
+	// See "Implementing cryptographic pairings", M. Scott, section 3.2.
+	// ftp://136.206.11.249/pub/crypto/pairings.pdf
+	t1, t2 := &gfP6{}, &gfP6{}
+
+	t1.Square(&a.x)
+	t2.Square(&a.y)
+	t1.MulTau(t1).Sub(t2, t1)
+	t2.Invert(t1)
+
+	e.x.Neg(&a.x)
+	e.y.Set(&a.y)
+	e.MulScalar(e, t2)
+	return e
+}
+
+// Clone makes a hard copy of the field
+func (e *gfP12) Clone() *gfP12 {
+	n := &gfP12{}
+	n.x = e.x.Clone()
+	n.y = e.y.Clone()
+
+	return n
+}
diff --git a/kyber/pairing/bn256/gfp2.go b/kyber/pairing/bn256/gfp2.go
new file mode 100644
index 0000000000..5fa0ae2b4c
--- /dev/null
+++ b/kyber/pairing/bn256/gfp2.go
@@ -0,0 +1,159 @@
+package bn256
+
+// For details of the algorithms used, see "Multiplication and Squaring on
+// Pairing-Friendly Fields, Devegili et al.
+// http://eprint.iacr.org/2006/471.pdf.
+
+// gfP2 implements a field of size p² as a quadratic extension of the base field
+// where i²=-1.
+type gfP2 struct {
+	x, y gfP // value is xi+y.
+}
+
+func gfP2Decode(in *gfP2) *gfP2 {
+	out := &gfP2{}
+	montDecode(&out.x, &in.x)
+	montDecode(&out.y, &in.y)
+	return out
+}
+
+func (e *gfP2) String() string {
+	return "(" + e.x.String() + ", " + e.y.String() + ")"
+}
+
+func (e *gfP2) Set(a *gfP2) *gfP2 {
+	e.x.Set(&a.x)
+	e.y.Set(&a.y)
+	return e
+}
+
+func (e *gfP2) SetZero() *gfP2 {
+	e.x = gfP{0}
+	e.y = gfP{0}
+	return e
+}
+
+func (e *gfP2) SetOne() *gfP2 {
+	e.x = gfP{0}
+	e.y = *newGFp(1)
+	return e
+}
+
+func (e *gfP2) IsZero() bool {
+	zero := gfP{0}
+	return e.x == zero && e.y == zero
+}
+
+func (e *gfP2) IsOne() bool {
+	zero, one := gfP{0}, *newGFp(1)
+	return e.x == zero && e.y == one
+}
+
+func (e *gfP2) Conjugate(a *gfP2) *gfP2 {
+	e.y.Set(&a.y)
+	gfpNeg(&e.x, &a.x)
+	return e
+}
+
+func (e *gfP2) Neg(a *gfP2) *gfP2 {
+	gfpNeg(&e.x, &a.x)
+	gfpNeg(&e.y, &a.y)
+	return e
+}
+
+func (e *gfP2) Add(a, b *gfP2) *gfP2 {
+	gfpAdd(&e.x, &a.x, &b.x)
+	gfpAdd(&e.y, &a.y, &b.y)
+	return e
+}
+
+func (e *gfP2) Sub(a, b *gfP2) *gfP2 {
+	gfpSub(&e.x, &a.x, &b.x)
+	gfpSub(&e.y, &a.y, &b.y)
+	return e
+}
+
+// See "Multiplication and Squaring in Pairing-Friendly Fields",
+// http://eprint.iacr.org/2006/471.pdf
+func (e *gfP2) Mul(a, b *gfP2) *gfP2 {
+	tx, t := &gfP{}, &gfP{}
+	gfpMul(tx, &a.x, &b.y)
+	gfpMul(t, &b.x, &a.y)
+	gfpAdd(tx, tx, t)
+
+	ty := &gfP{}
+	gfpMul(ty, &a.y, &b.y)
+	gfpMul(t, &a.x, &b.x)
+	gfpSub(ty, ty, t)
+
+	e.x.Set(tx)
+	e.y.Set(ty)
+	return e
+}
+
+func (e *gfP2) MulScalar(a *gfP2, b *gfP) *gfP2 {
+	gfpMul(&e.x, &a.x, b)
+	gfpMul(&e.y, &a.y, b)
+	return e
+}
+
+// MulXi sets e=ξa where ξ=i+3 and then returns e.
+func (e *gfP2) MulXi(a *gfP2) *gfP2 {
+	// (xi+y)(i+3) = (3x+y)i+(3y-x)
+	tx := &gfP{}
+	gfpAdd(tx, &a.x, &a.x)
+	gfpAdd(tx, tx, &a.x)
+	gfpAdd(tx, tx, &a.y)
+
+	ty := &gfP{}
+	gfpAdd(ty, &a.y, &a.y)
+	gfpAdd(ty, ty, &a.y)
+	gfpSub(ty, ty, &a.x)
+
+	e.x.Set(tx)
+	e.y.Set(ty)
+	return e
+}
+
+func (e *gfP2) Square(a *gfP2) *gfP2 {
+	// Complex squaring algorithm:
+	// (xi+y)² = (x+y)(y-x) + 2*i*x*y
+	tx, ty := &gfP{}, &gfP{}
+	gfpSub(tx, &a.y, &a.x)
+	gfpAdd(ty, &a.x, &a.y)
+	gfpMul(ty, tx, ty)
+
+	gfpMul(tx, &a.x, &a.y)
+	gfpAdd(tx, tx, tx)
+
+	e.x.Set(tx)
+	e.y.Set(ty)
+	return e
+}
+
+func (e *gfP2) Invert(a *gfP2) *gfP2 {
+	// See "Implementing cryptographic pairings", M. Scott, section 3.2.
+	// ftp://136.206.11.249/pub/crypto/pairings.pdf
+	t1, t2 := &gfP{}, &gfP{}
+	gfpMul(t1, &a.x, &a.x)
+	gfpMul(t2, &a.y, &a.y)
+	gfpAdd(t1, t1, t2)
+
+	inv := &gfP{}
+	inv.Invert(t1)
+
+	gfpNeg(t1, &a.x)
+
+	gfpMul(&e.x, t1, inv)
+	gfpMul(&e.y, &a.y, inv)
+	return e
+}
+
+// Clone makes a hard copy of the field
+func (e *gfP2) Clone() gfP2 {
+	n := gfP2{}
+	copy(n.x[:], e.x[:])
+	copy(n.y[:], e.y[:])
+
+	return n
+}
diff --git a/kyber/pairing/bn256/gfp6.go b/kyber/pairing/bn256/gfp6.go
new file mode 100644
index 0000000000..782e8f17f0
--- /dev/null
+++ b/kyber/pairing/bn256/gfp6.go
@@ -0,0 +1,224 @@
+package bn256
+
+// For details of the algorithms used, see "Multiplication and Squaring on
+// Pairing-Friendly Fields, Devegili et al.
+// http://eprint.iacr.org/2006/471.pdf.
+
+// gfP6 implements the field of size p⁶ as a cubic extension of gfP2 where τ³=ξ
+// and ξ=i+3.
+type gfP6 struct {
+	x, y, z gfP2 // value is xτ² + yτ + z
+}
+
+func (e *gfP6) String() string {
+	return "(" + e.x.String() + ", " + e.y.String() + ", " + e.z.String() + ")"
+}
+
+func (e *gfP6) Set(a *gfP6) *gfP6 {
+	e.x.Set(&a.x)
+	e.y.Set(&a.y)
+	e.z.Set(&a.z)
+	return e
+}
+
+func (e *gfP6) SetZero() *gfP6 {
+	e.x.SetZero()
+	e.y.SetZero()
+	e.z.SetZero()
+	return e
+}
+
+func (e *gfP6) SetOne() *gfP6 {
+	e.x.SetZero()
+	e.y.SetZero()
+	e.z.SetOne()
+	return e
+}
+
+func (e *gfP6) IsZero() bool {
+	return e.x.IsZero() && e.y.IsZero() && e.z.IsZero()
+}
+
+func (e *gfP6) IsOne() bool {
+	return e.x.IsZero() && e.y.IsZero() && e.z.IsOne()
+}
+
+func (e *gfP6) Neg(a *gfP6) *gfP6 {
+	e.x.Neg(&a.x)
+	e.y.Neg(&a.y)
+	e.z.Neg(&a.z)
+	return e
+}
+
+func (e *gfP6) Frobenius(a *gfP6) *gfP6 {
+	e.x.Conjugate(&a.x)
+	e.y.Conjugate(&a.y)
+	e.z.Conjugate(&a.z)
+
+	e.x.Mul(&e.x, xiTo2PMinus2Over3)
+	e.y.Mul(&e.y, xiToPMinus1Over3)
+	return e
+}
+
+// FrobeniusP2 computes (xτ²+yτ+z)^(p²) = xτ^(2p²) + yτ^(p²) + z
+func (e *gfP6) FrobeniusP2(a *gfP6) *gfP6 {
+	// τ^(2p²) = τ²τ^(2p²-2) = τ²ξ^((2p²-2)/3)
+	e.x.MulScalar(&a.x, xiTo2PSquaredMinus2Over3)
+	// τ^(p²) = ττ^(p²-1) = τξ^((p²-1)/3)
+	e.y.MulScalar(&a.y, xiToPSquaredMinus1Over3)
+	e.z.Set(&a.z)
+	return e
+}
+
+func (e *gfP6) FrobeniusP4(a *gfP6) *gfP6 {
+	e.x.MulScalar(&a.x, xiToPSquaredMinus1Over3)
+	e.y.MulScalar(&a.y, xiTo2PSquaredMinus2Over3)
+	e.z.Set(&a.z)
+	return e
+}
+
+func (e *gfP6) Add(a, b *gfP6) *gfP6 {
+	e.x.Add(&a.x, &b.x)
+	e.y.Add(&a.y, &b.y)
+	e.z.Add(&a.z, &b.z)
+	return e
+}
+
+func (e *gfP6) Sub(a, b *gfP6) *gfP6 {
+	e.x.Sub(&a.x, &b.x)
+	e.y.Sub(&a.y, &b.y)
+	e.z.Sub(&a.z, &b.z)
+	return e
+}
+
+func (e *gfP6) Mul(a, b *gfP6) *gfP6 {
+	// "Multiplication and Squaring on Pairing-Friendly Fields"
+	// Section 4, Karatsuba method.
+	// http://eprint.iacr.org/2006/471.pdf
+	v0 := (&gfP2{}).Mul(&a.z, &b.z)
+	v1 := (&gfP2{}).Mul(&a.y, &b.y)
+	v2 := (&gfP2{}).Mul(&a.x, &b.x)
+
+	t0 := (&gfP2{}).Add(&a.x, &a.y)
+	t1 := (&gfP2{}).Add(&b.x, &b.y)
+	tz := (&gfP2{}).Mul(t0, t1)
+	tz.Sub(tz, v1).Sub(tz, v2).MulXi(tz).Add(tz, v0)
+
+	t0.Add(&a.y, &a.z)
+	t1.Add(&b.y, &b.z)
+	ty := (&gfP2{}).Mul(t0, t1)
+	t0.MulXi(v2)
+	ty.Sub(ty, v0).Sub(ty, v1).Add(ty, t0)
+
+	t0.Add(&a.x, &a.z)
+	t1.Add(&b.x, &b.z)
+	tx := (&gfP2{}).Mul(t0, t1)
+	tx.Sub(tx, v0).Add(tx, v1).Sub(tx, v2)
+
+	e.x.Set(tx)
+	e.y.Set(ty)
+	e.z.Set(tz)
+	return e
+}
+
+func (e *gfP6) MulScalar(a *gfP6, b *gfP2) *gfP6 {
+	e.x.Mul(&a.x, b)
+	e.y.Mul(&a.y, b)
+	e.z.Mul(&a.z, b)
+	return e
+}
+
+func (e *gfP6) MulGFP(a *gfP6, b *gfP) *gfP6 {
+	e.x.MulScalar(&a.x, b)
+	e.y.MulScalar(&a.y, b)
+	e.z.MulScalar(&a.z, b)
+	return e
+}
+
+// MulTau computes τ·(aτ²+bτ+c) = bτ²+cτ+aξ
+func (e *gfP6) MulTau(a *gfP6) *gfP6 {
+	tz := (&gfP2{}).MulXi(&a.x)
+	ty := (&gfP2{}).Set(&a.y)
+
+	e.y.Set(&a.z)
+	e.x.Set(ty)
+	e.z.Set(tz)
+	return e
+}
+
+func (e *gfP6) Square(a *gfP6) *gfP6 {
+	v0 := (&gfP2{}).Square(&a.z)
+	v1 := (&gfP2{}).Square(&a.y)
+	v2 := (&gfP2{}).Square(&a.x)
+
+	c0 := (&gfP2{}).Add(&a.x, &a.y)
+	c0.Square(c0).Sub(c0, v1).Sub(c0, v2).MulXi(c0).Add(c0, v0)
+
+	c1 := (&gfP2{}).Add(&a.y, &a.z)
+	c1.Square(c1).Sub(c1, v0).Sub(c1, v1)
+	xiV2 := (&gfP2{}).MulXi(v2)
+	c1.Add(c1, xiV2)
+
+	c2 := (&gfP2{}).Add(&a.x, &a.z)
+	c2.Square(c2).Sub(c2, v0).Add(c2, v1).Sub(c2, v2)
+
+	e.x.Set(c2)
+	e.y.Set(c1)
+	e.z.Set(c0)
+	return e
+}
+
+func (e *gfP6) Invert(a *gfP6) *gfP6 {
+	// See "Implementing cryptographic pairings", M. Scott, section 3.2.
+	// ftp://136.206.11.249/pub/crypto/pairings.pdf
+
+	// Here we can give a short explanation of how it works: let j be a cubic root of
+	// unity in GF(p²) so that 1+j+j²=0.
+	// Then (xτ² + yτ + z)(xj²τ² + yjτ + z)(xjτ² + yj²τ + z)
+	// = (xτ² + yτ + z)(Cτ²+Bτ+A)
+	// = (x³ξ²+y³ξ+z³-3ξxyz) = F is an element of the base field (the norm).
+	//
+	// On the other hand (xj²τ² + yjτ + z)(xjτ² + yj²τ + z)
+	// = τ²(y²-ξxz) + τ(ξx²-yz) + (z²-ξxy)
+	//
+	// So that's why A = (z²-ξxy), B = (ξx²-yz), C = (y²-ξxz)
+	t1 := (&gfP2{}).Mul(&a.x, &a.y)
+	t1.MulXi(t1)
+
+	A := (&gfP2{}).Square(&a.z)
+	A.Sub(A, t1)
+
+	B := (&gfP2{}).Square(&a.x)
+	B.MulXi(B)
+	t1.Mul(&a.y, &a.z)
+	B.Sub(B, t1)
+
+	C := (&gfP2{}).Square(&a.y)
+	t1.Mul(&a.x, &a.z)
+	C.Sub(C, t1)
+
+	F := (&gfP2{}).Mul(C, &a.y)
+	F.MulXi(F)
+	t1.Mul(A, &a.z)
+	F.Add(F, t1)
+	t1.Mul(B, &a.x).MulXi(t1)
+	F.Add(F, t1)
+
+	F.Invert(F)
+
+	e.x.Mul(C, F)
+	e.y.Mul(B, F)
+	e.z.Mul(A, F)
+	return e
+}
+
+// Clone makes a hard copy of the field
+func (e *gfP6) Clone() gfP6 {
+	n := gfP6{
+		x: e.x.Clone(),
+		y: e.y.Clone(),
+		z: e.z.Clone(),
+	}
+
+	return n
+}
diff --git a/kyber/pairing/bn256/gfp_amd64.s b/kyber/pairing/bn256/gfp_amd64.s
new file mode 100644
index 0000000000..bdb4ffb787
--- /dev/null
+++ b/kyber/pairing/bn256/gfp_amd64.s
@@ -0,0 +1,129 @@
+// +build amd64,!generic
+
+#define storeBlock(a0,a1,a2,a3, r) \
+	MOVQ a0,  0+r \
+	MOVQ a1,  8+r \
+	MOVQ a2, 16+r \
+	MOVQ a3, 24+r
+
+#define loadBlock(r, a0,a1,a2,a3) \
+	MOVQ  0+r, a0 \
+	MOVQ  8+r, a1 \
+	MOVQ 16+r, a2 \
+	MOVQ 24+r, a3
+
+#define gfpCarry(a0,a1,a2,a3,a4, b0,b1,b2,b3,b4) \
+	\ // b = a-p
+	MOVQ a0, b0 \
+	MOVQ a1, b1 \
+	MOVQ a2, b2 \
+	MOVQ a3, b3 \
+	MOVQ a4, b4 \
+	\
+	SUBQ ·p2+0(SB), b0 \
+	SBBQ ·p2+8(SB), b1 \
+	SBBQ ·p2+16(SB), b2 \
+	SBBQ ·p2+24(SB), b3 \
+	SBBQ $0, b4 \
+	\
+	\ // if b is negative then return a
+	\ // else return b
+	CMOVQCC b0, a0 \
+	CMOVQCC b1, a1 \
+	CMOVQCC b2, a2 \
+	CMOVQCC b3, a3
+
+#include "mul_amd64.h"
+#include "mul_bmi2_amd64.h"
+
+TEXT ·gfpNeg(SB),0,$0-16
+	MOVQ ·p2+0(SB), R8
+	MOVQ ·p2+8(SB), R9
+	MOVQ ·p2+16(SB), R10
+	MOVQ ·p2+24(SB), R11
+
+	MOVQ a+8(FP), DI
+	SUBQ 0(DI), R8
+	SBBQ 8(DI), R9
+	SBBQ 16(DI), R10
+	SBBQ 24(DI), R11
+
+	MOVQ $0, AX
+	gfpCarry(R8,R9,R10,R11,AX, R12,R13,R14,R15,BX)
+
+	MOVQ c+0(FP), DI
+	storeBlock(R8,R9,R10,R11, 0(DI))
+	RET
+
+TEXT ·gfpAdd(SB),0,$0-24
+	MOVQ a+8(FP), DI
+	MOVQ b+16(FP), SI
+
+	loadBlock(0(DI), R8,R9,R10,R11)
+	MOVQ $0, R12
+
+	ADDQ  0(SI), R8
+	ADCQ  8(SI), R9
+	ADCQ 16(SI), R10
+	ADCQ 24(SI), R11
+	ADCQ $0, R12
+
+	gfpCarry(R8,R9,R10,R11,R12, R13,R14,R15,AX,BX)
+
+	MOVQ c+0(FP), DI
+	storeBlock(R8,R9,R10,R11, 0(DI))
+	RET
+
+TEXT ·gfpSub(SB),0,$0-24
+	MOVQ a+8(FP), DI
+	MOVQ b+16(FP), SI
+
+	loadBlock(0(DI), R8,R9,R10,R11)
+
+	MOVQ ·p2+0(SB), R12
+	MOVQ ·p2+8(SB), R13
+	MOVQ ·p2+16(SB), R14
+	MOVQ ·p2+24(SB), R15
+	MOVQ $0, AX
+
+	SUBQ  0(SI), R8
+	SBBQ  8(SI), R9
+	SBBQ 16(SI), R10
+	SBBQ 24(SI), R11
+
+	CMOVQCC AX, R12
+	CMOVQCC AX, R13
+	CMOVQCC AX, R14
+	CMOVQCC AX, R15
+
+	ADDQ R12, R8
+	ADCQ R13, R9
+	ADCQ R14, R10
+	ADCQ R15, R11
+
+	MOVQ c+0(FP), DI
+	storeBlock(R8,R9,R10,R11, 0(DI))
+	RET
+
+TEXT ·gfpMul(SB),0,$160-24
+	MOVQ a+8(FP), DI
+	MOVQ b+16(FP), SI
+
+	// Jump to a slightly different implementation if MULX isn't supported.
+	CMPB ·hasBMI2(SB), $0
+	JE   nobmi2Mul
+
+	mulBMI2(0(DI),8(DI),16(DI),24(DI), 0(SI))
+	storeBlock( R8, R9,R10,R11,  0(SP))
+	storeBlock(R12,R13,R14,R15, 32(SP))
+	gfpReduceBMI2()
+	JMP end
+
+nobmi2Mul:
+	mul(0(DI),8(DI),16(DI),24(DI), 0(SI), 0(SP))
+	gfpReduce(0(SP))
+
+end:
+	MOVQ c+0(FP), DI
+	storeBlock(R12,R13,R14,R15, 0(DI))
+	RET
diff --git a/kyber/pairing/bn256/gfp_arm64.s b/kyber/pairing/bn256/gfp_arm64.s
new file mode 100644
index 0000000000..c65e80168c
--- /dev/null
+++ b/kyber/pairing/bn256/gfp_arm64.s
@@ -0,0 +1,113 @@
+// +build arm64,!generic
+
+#define storeBlock(a0,a1,a2,a3, r) \
+	MOVD a0,  0+r \
+	MOVD a1,  8+r \
+	MOVD a2, 16+r \
+	MOVD a3, 24+r
+
+#define loadBlock(r, a0,a1,a2,a3) \
+	MOVD  0+r, a0 \
+	MOVD  8+r, a1 \
+	MOVD 16+r, a2 \
+	MOVD 24+r, a3
+
+#define loadModulus(p0,p1,p2,p3) \
+	MOVD ·p2+0(SB), p0 \
+	MOVD ·p2+8(SB), p1 \
+	MOVD ·p2+16(SB), p2 \
+	MOVD ·p2+24(SB), p3
+
+#include "mul_arm64.h"
+
+TEXT ·gfpNeg(SB),0,$0-16
+	MOVD a+8(FP), R0
+	loadBlock(0(R0), R1,R2,R3,R4)
+	loadModulus(R5,R6,R7,R8)
+
+	SUBS R1, R5, R1
+	SBCS R2, R6, R2
+	SBCS R3, R7, R3
+	SBCS R4, R8, R4
+
+	SUBS R5, R1, R5
+	SBCS R6, R2, R6
+	SBCS R7, R3, R7
+	SBCS R8, R4, R8
+
+	CSEL CS, R5, R1, R1
+	CSEL CS, R6, R2, R2
+	CSEL CS, R7, R3, R3
+	CSEL CS, R8, R4, R4
+
+	MOVD c+0(FP), R0
+	storeBlock(R1,R2,R3,R4, 0(R0))
+	RET
+
+TEXT ·gfpAdd(SB),0,$0-24
+	MOVD a+8(FP), R0
+	loadBlock(0(R0), R1,R2,R3,R4)
+	MOVD b+16(FP), R0
+	loadBlock(0(R0), R5,R6,R7,R8)
+	loadModulus(R9,R10,R11,R12)
+	MOVD ZR, R0
+
+	ADDS R5, R1
+	ADCS R6, R2
+	ADCS R7, R3
+	ADCS R8, R4
+	ADCS ZR, R0
+
+	SUBS  R9, R1, R5
+	SBCS R10, R2, R6
+	SBCS R11, R3, R7
+	SBCS R12, R4, R8
+	SBCS  ZR, R0, R0
+
+	CSEL CS, R5, R1, R1
+	CSEL CS, R6, R2, R2
+	CSEL CS, R7, R3, R3
+	CSEL CS, R8, R4, R4
+
+	MOVD c+0(FP), R0
+	storeBlock(R1,R2,R3,R4, 0(R0))
+	RET
+
+TEXT ·gfpSub(SB),0,$0-24
+	MOVD a+8(FP), R0
+	loadBlock(0(R0), R1,R2,R3,R4)
+	MOVD b+16(FP), R0
+	loadBlock(0(R0), R5,R6,R7,R8)
+	loadModulus(R9,R10,R11,R12)
+
+	SUBS R5, R1
+	SBCS R6, R2
+	SBCS R7, R3
+	SBCS R8, R4
+
+	CSEL CS, ZR,  R9,  R9
+	CSEL CS, ZR, R10, R10
+	CSEL CS, ZR, R11, R11
+	CSEL CS, ZR, R12, R12
+
+	ADDS  R9, R1
+	ADCS R10, R2
+	ADCS R11, R3
+	ADCS R12, R4
+
+	MOVD c+0(FP), R0
+	storeBlock(R1,R2,R3,R4, 0(R0))
+	RET
+
+TEXT ·gfpMul(SB),0,$0-24
+	MOVD a+8(FP), R0
+	loadBlock(0(R0), R1,R2,R3,R4)
+	MOVD b+16(FP), R0
+	loadBlock(0(R0), R5,R6,R7,R8)
+
+	mul(R9,R10,R11,R12,R13,R14,R15,R16)
+	gfpReduce()
+
+	MOVD c+0(FP), R0
+	storeBlock(R1,R2,R3,R4, 0(R0))
+	RET
diff --git a/kyber/pairing/bn256/gfp_decl.go b/kyber/pairing/bn256/gfp_decl.go
new file mode 100644
index 0000000000..be1b809063
--- /dev/null
+++ b/kyber/pairing/bn256/gfp_decl.go
@@ -0,0 +1,24 @@
+// +build amd64,!generic arm64,!generic
+
+package bn256
+
+// This file contains forward declarations for the architecture-specific
+// assembly implementations of these functions, provided that they exist.
+
+import (
+	"golang.org/x/sys/cpu"
+)
+
+var hasBMI2 = cpu.X86.HasBMI2
+
+// go:noescape
+func gfpNeg(c, a *gfP)
+
+//go:noescape
+func gfpAdd(c, a, b *gfP)
+
+//go:noescape
+func gfpSub(c, a, b *gfP)
+
+//go:noescape
+func gfpMul(c, a, b *gfP)
diff --git a/kyber/pairing/bn256/gfp_generic.go b/kyber/pairing/bn256/gfp_generic.go
new file mode 100644
index 0000000000..8e6be95961
--- /dev/null
+++ b/kyber/pairing/bn256/gfp_generic.go
@@ -0,0 +1,173 @@
+// +build !amd64,!arm64 generic
+
+package bn256
+
+func gfpCarry(a *gfP, head uint64) {
+	b := &gfP{}
+
+	var carry uint64
+	for i, pi := range p2 {
+		ai := a[i]
+		bi := ai - pi - carry
+		b[i] = bi
+		carry = (pi&^ai | (pi|^ai)&bi) >> 63
+	}
+	carry = carry &^ head
+
+	// If b is negative, then return a.
+	// Else return b.
+	carry = -carry
+	ncarry := ^carry
+	for i := 0; i < 4; i++ {
+		a[i] = (a[i] & carry) | (b[i] & ncarry)
+	}
+}
+
+func gfpNeg(c, a *gfP) {
+	var carry uint64
+	for i, pi := range p2 {
+		ai := a[i]
+		ci := pi - ai - carry
+		c[i] = ci
+		carry = (ai&^pi | (ai|^pi)&ci) >> 63
+	}
+	gfpCarry(c, 0)
+}
+
+func gfpAdd(c, a, b *gfP) {
+	var carry uint64
+	for i, ai := range a {
+		bi := b[i]
+		ci := ai + bi + carry
+		c[i] = ci
+		carry = (ai&bi | (ai|bi)&^ci) >> 63
+	}
+	gfpCarry(c, carry)
+}
+
+func gfpSub(c, a, b *gfP) {
+	t := &gfP{}
+
+	var carry uint64
+	for i, pi := range p2 {
+		bi := b[i]
+		ti := pi - bi - carry
+		t[i] = ti
+		carry = (bi&^pi | (bi|^pi)&ti) >> 63
+	}
+
+	carry = 0
+	for i, ai := range a {
+		ti := t[i]
+		ci := ai + ti + carry
+		c[i] = ci
+		carry = (ai&ti | (ai|ti)&^ci) >> 63
+	}
+	gfpCarry(c, carry)
+}
+
+func mul(a, b [4]uint64) [8]uint64 {
+	const (
+		mask16 uint64 = 0x0000ffff
+		mask32 uint64 = 0xffffffff
+	)
+
+	var buff [32]uint64
+	for i, ai := range a {
+		a0, a1, a2, a3 := ai&mask16, (ai>>16)&mask16, (ai>>32)&mask16, ai>>48
+
+		for j, bj := range b {
+			b0, b2 := bj&mask32, bj>>32
+
+			off := 4 * (i + j)
+			buff[off+0] += a0 * b0
+			buff[off+1] += a1 * b0
+			buff[off+2] += a2*b0 + a0*b2
+			buff[off+3] += a3*b0 + a1*b2
+			buff[off+4] += a2 * b2
+			buff[off+5] += a3 * b2
+		}
+	}
+
+	for i := uint(1); i < 4; i++ {
+		shift := 16 * i
+
+		var head, carry uint64
+		for j := uint(0); j < 8; j++ {
+			block := 4 * j
+
+			xi := buff[block]
+			yi := (buff[block+i] << shift) + head
+			zi := xi + yi + carry
+			buff[block] = zi
+			carry = (xi&yi | (xi|yi)&^zi) >> 63
+
+			head = buff[block+i] >> (64 - shift)
+		}
+	}
+
+	return [8]uint64{buff[0], buff[4], buff[8], buff[12], buff[16], buff[20], buff[24], buff[28]}
+}
+
+func halfMul(a, b [4]uint64) [4]uint64 {
+	const (
+		mask16 uint64 = 0x0000ffff
+		mask32 uint64 = 0xffffffff
+	)
+
+	var buff [18]uint64
+	for i, ai := range a {
+		a0, a1, a2, a3 := ai&mask16, (ai>>16)&mask16, (ai>>32)&mask16, ai>>48
+
+		for j, bj := range b {
+			if i+j > 3 {
+				break
+			}
+			b0, b2 := bj&mask32, bj>>32
+
+			off := 4 * (i + j)
+			buff[off+0] += a0 * b0
+			buff[off+1] += a1 * b0
+			buff[off+2] += a2*b0 + a0*b2
+			buff[off+3] += a3*b0 + a1*b2
+			buff[off+4] += a2 * b2
+			buff[off+5] += a3 * b2
+		}
+	}
+
+	for i := uint(1); i < 4; i++ {
+		shift := 16 * i
+
+		var head, carry uint64
+		for j := uint(0); j < 4; j++ {
+			block := 4 * j
+
+			xi := buff[block]
+			yi := (buff[block+i] << shift) + head
+			zi := xi + yi + carry
+			buff[block] = zi
+			carry = (xi&yi | (xi|yi)&^zi) >> 63
+
+			head = buff[block+i] >> (64 - shift)
+		}
+	}
+
+	return [4]uint64{buff[0], buff[4], buff[8], buff[12]}
+}
+
+func gfpMul(c, a, b *gfP) {
+	T := mul(*a, *b)
+	m := halfMul([4]uint64{T[0], T[1], T[2], T[3]}, np)
+	t := mul([4]uint64{m[0], m[1], m[2], m[3]}, p2)
+
+	var carry uint64
+	for i, Ti := range T {
+		ti := t[i]
+		zi := Ti + ti + carry
+		T[i] = zi
+		carry = (Ti&ti | (Ti|ti)&^zi) >> 63
+	}
+
+	*c = gfP{T[4], T[5], T[6], T[7]}
+	gfpCarry(c, carry)
+}
diff --git a/kyber/pairing/bn256/group.go b/kyber/pairing/bn256/group.go
new file mode 100644
index 0000000000..9ed3039cd2
--- /dev/null
+++ b/kyber/pairing/bn256/group.go
@@ -0,0 +1,78 @@
+package bn256
+
+import (
+	"crypto/cipher"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/mod"
+)
+
+type groupG1 struct {
+	common
+	*commonSuite
+}
+
+func (g *groupG1) String() string {
+	return "bn256.G1"
+}
+
+func (g *groupG1) PointLen() int {
+	return newPointG1().MarshalSize()
+}
+
+func (g *groupG1) Point() kyber.Point {
+	return newPointG1()
+}
+
+type groupG2 struct {
+	common
+	*commonSuite
+}
+
+func (g *groupG2) String() string {
+	return "bn256.G2"
+}
+
+func (g *groupG2) PointLen() int {
+	return newPointG2().MarshalSize()
+}
+
+func (g *groupG2) Point() kyber.Point {
+	return newPointG2()
+}
+
+type groupGT struct {
+	common
+	*commonSuite
+}
+
+func (g *groupGT) String() string {
+	return "bn256.GT"
+}
+
+func (g *groupGT) PointLen() int {
+	return newPointGT().MarshalSize()
+}
+
+func (g *groupGT) Point() kyber.Point {
+	return newPointGT()
+}
+
+// common functionalities across G1, G2, and GT
+type common struct{}
+
+func (c *common) ScalarLen() int {
+	return mod.NewInt64(0, Order).MarshalSize()
+}
+
+func (c *common) Scalar() kyber.Scalar {
+	return mod.NewInt64(0, Order)
+}
+
+func (c *common) PrimeOrder() bool {
+	return true
+}
+
+func (c *common) NewKey(rand cipher.Stream) kyber.Scalar {
+	return mod.NewInt64(0, Order).Pick(rand)
+}
diff --git a/kyber/pairing/bn256/mul_amd64.h b/kyber/pairing/bn256/mul_amd64.h
new file mode 100644
index 0000000000..bab5da8313
--- /dev/null
+++ b/kyber/pairing/bn256/mul_amd64.h
@@ -0,0 +1,181 @@
+#define mul(a0,a1,a2,a3, rb, stack) \
+	MOVQ a0, AX \
+	MULQ 0+rb \
+	MOVQ AX, R8 \
+	MOVQ DX, R9 \
+	MOVQ a0, AX \
+	MULQ 8+rb \
+	ADDQ AX, R9 \
+	ADCQ $0, DX \
+	MOVQ DX, R10 \
+	MOVQ a0, AX \
+	MULQ 16+rb \
+	ADDQ AX, R10 \
+	ADCQ $0, DX \
+	MOVQ DX, R11 \
+	MOVQ a0, AX \
+	MULQ 24+rb \
+	ADDQ AX, R11 \
+	ADCQ $0, DX \
+	MOVQ DX, R12 \
+	\
+	storeBlock(R8,R9,R10,R11, 0+stack) \
+	MOVQ R12, 32+stack \
+	\
+	MOVQ a1, AX \
+	MULQ 0+rb \
+	MOVQ AX, R8 \
+	MOVQ DX, R9 \
+	MOVQ a1, AX \
+	MULQ 8+rb \
+	ADDQ AX, R9 \
+	ADCQ $0, DX \
+	MOVQ DX, R10 \
+	MOVQ a1, AX \
+	MULQ 16+rb \
+	ADDQ AX, R10 \
+	ADCQ $0, DX \
+	MOVQ DX, R11 \
+	MOVQ a1, AX \
+	MULQ 24+rb \
+	ADDQ AX, R11 \
+	ADCQ $0, DX \
+	MOVQ DX, R12 \
+	\
+	ADDQ 8+stack, R8 \
+	ADCQ 16+stack, R9 \
+	ADCQ 24+stack, R10 \
+	ADCQ 32+stack, R11 \
+	ADCQ $0, R12 \
+	storeBlock(R8,R9,R10,R11, 8+stack) \
+	MOVQ R12, 40+stack \
+	\
+	MOVQ a2, AX \
+	MULQ 0+rb \
+	MOVQ AX, R8 \
+	MOVQ DX, R9 \
+	MOVQ a2, AX \
+	MULQ 8+rb \
+	ADDQ AX, R9 \
+	ADCQ $0, DX \
+	MOVQ DX, R10 \
+	MOVQ a2, AX \
+	MULQ 16+rb \
+	ADDQ AX, R10 \
+	ADCQ $0, DX \
+	MOVQ DX, R11 \
+	MOVQ a2, AX \
+	MULQ 24+rb \
+	ADDQ AX, R11 \
+	ADCQ $0, DX \
+	MOVQ DX, R12 \
+	\
+	ADDQ 16+stack, R8 \
+	ADCQ 24+stack, R9 \
+	ADCQ 32+stack, R10 \
+	ADCQ 40+stack, R11 \
+	ADCQ $0, R12 \
+	storeBlock(R8,R9,R10,R11, 16+stack) \
+	MOVQ R12, 48+stack \
+	\
+	MOVQ a3, AX \
+	MULQ 0+rb \
+	MOVQ AX, R8 \
+	MOVQ DX, R9 \
+	MOVQ a3, AX \
+	MULQ 8+rb \
+	ADDQ AX, R9 \
+	ADCQ $0, DX \
+	MOVQ DX, R10 \
+	MOVQ a3, AX \
+	MULQ 16+rb \
+	ADDQ AX, R10 \
+	ADCQ $0, DX \
+	MOVQ DX, R11 \
+	MOVQ a3, AX \
+	MULQ 24+rb \
+	ADDQ AX, R11 \
+	ADCQ $0, DX \
+	MOVQ DX, R12 \
+	\
+	ADDQ 24+stack, R8 \
+	ADCQ 32+stack, R9 \
+	ADCQ 40+stack, R10 \
+	ADCQ 48+stack, R11 \
+	ADCQ $0, R12 \
+	storeBlock(R8,R9,R10,R11, 24+stack) \
+	MOVQ R12, 56+stack
+
+#define gfpReduce(stack) \
+	\ // m = (T * N') mod R, store m in R8:R9:R10:R11
+	MOVQ ·np+0(SB), AX \
+	MULQ 0+stack \
+	MOVQ AX, R8 \
+	MOVQ DX, R9 \
+	MOVQ ·np+0(SB), AX \
+	MULQ 8+stack \
+	ADDQ AX, R9 \
+	ADCQ $0, DX \
+	MOVQ DX, R10 \
+	MOVQ ·np+0(SB), AX \
+	MULQ 16+stack \
+	ADDQ AX, R10 \
+	ADCQ $0, DX \
+	MOVQ DX, R11 \
+	MOVQ ·np+0(SB), AX \
+	MULQ 24+stack \
+	ADDQ AX, R11 \
+	\
+	MOVQ ·np+8(SB), AX \
+	MULQ 0+stack \
+	MOVQ AX, R12 \
+	MOVQ DX, R13 \
+	MOVQ ·np+8(SB), AX \
+	MULQ 8+stack \
+	ADDQ AX, R13 \
+	ADCQ $0, DX \
+	MOVQ DX, R14 \
+	MOVQ ·np+8(SB), AX \
+	MULQ 16+stack \
+	ADDQ AX, R14 \
+	\
+	ADDQ R12, R9 \
+	ADCQ R13, R10 \
+	ADCQ R14, R11 \
+	\
+	MOVQ ·np+16(SB), AX \
+	MULQ 0+stack \
+	MOVQ AX, R12 \
+	MOVQ DX, R13 \
+	MOVQ ·np+16(SB), AX \
+	MULQ 8+stack \
+	ADDQ AX, R13 \
+	\
+	ADDQ R12, R10 \
+	ADCQ R13, R11 \
+	\
+	MOVQ ·np+24(SB), AX \
+	MULQ 0+stack \
+	ADDQ AX, R11 \
+	\
+	storeBlock(R8,R9,R10,R11, 64+stack) \
+	\
+	\ // m * N
+	mul(·p2+0(SB),·p2+8(SB),·p2+16(SB),·p2+24(SB), 64+stack, 96+stack) \
+	\
+	\ // Add the 512-bit intermediate to m*N
+	loadBlock(96+stack, R8,R9,R10,R11) \
+	loadBlock(128+stack, R12,R13,R14,R15) \
+	\
+	MOVQ $0, AX \
+	ADDQ 0+stack, R8 \
+	ADCQ 8+stack, R9 \
+	ADCQ 16+stack, R10 \
+	ADCQ 24+stack, R11 \
+	ADCQ 32+stack, R12 \
+	ADCQ 40+stack, R13 \
+	ADCQ 48+stack, R14 \
+	ADCQ 56+stack, R15 \
+	ADCQ $0, AX \
+	\
+	gfpCarry(R12,R13,R14,R15,AX, R8,R9,R10,R11,BX)
diff --git a/kyber/pairing/bn256/mul_arm64.h b/kyber/pairing/bn256/mul_arm64.h
new file mode 100644
index 0000000000..065a9c2b89
--- /dev/null
+++ b/kyber/pairing/bn256/mul_arm64.h
@@ -0,0 +1,133 @@
+#define mul(c0,c1,c2,c3,c4,c5,c6,c7) \
+	MUL R1, R5, c0 \
+	UMULH R1, R5, c1 \
+	MUL R1, R6, R0 \
+	ADDS R0, c1 \
+	UMULH R1, R6, c2 \
+	MUL R1, R7, R0 \
+	ADCS R0, c2 \
+	UMULH R1, R7, c3 \
+	MUL R1, R8, R0 \
+	ADCS R0, c3 \
+	UMULH R1, R8, c4 \
+	ADCS ZR, c4 \
+	\
+	MUL R2, R5, R1 \
+	UMULH R2, R5, R26 \
+	MUL R2, R6, R0 \
+	ADDS R0, R26 \
+	UMULH R2, R6, R27 \
+	MUL R2, R7, R0 \
+	ADCS R0, R27 \
+	UMULH R2, R7, R29 \
+	MUL R2, R8, R0 \
+	ADCS R0, R29 \
+	UMULH R2, R8, c5 \
+	ADCS ZR, c5 \
+	ADDS R1, c1 \
+	ADCS R26, c2 \
+	ADCS R27, c3 \
+	ADCS R29, c4 \
+	ADCS  ZR, c5 \
+	\
+	MUL R3, R5, R1 \
+	UMULH R3, R5, R26 \
+	MUL R3, R6, R0 \
+	ADDS R0, R26 \
+	UMULH R3, R6, R27 \
+	MUL R3, R7, R0 \
+	ADCS R0, R27 \
+	UMULH R3, R7, R29 \
+	MUL R3, R8, R0 \
+	ADCS R0, R29 \
+	UMULH R3, R8, c6 \
+	ADCS ZR, c6 \
+	ADDS R1, c2 \
+	ADCS R26, c3 \
+	ADCS R27, c4 \
+	ADCS R29, c5 \
+	ADCS  ZR, c6 \
+	\
+	MUL R4, R5, R1 \
+	UMULH R4, R5, R26 \
+	MUL R4, R6, R0 \
+	ADDS R0, R26 \
+	UMULH R4, R6, R27 \
+	MUL R4, R7, R0 \
+	ADCS R0, R27 \
+	UMULH R4, R7, R29 \
+	MUL R4, R8, R0 \
+	ADCS R0, R29 \
+	UMULH R4, R8, c7 \
+	ADCS ZR, c7 \
+	ADDS R25, c3 \
+	ADCS R26, c4 \
+	ADCS R27, c5 \
+	ADCS R29, c6 \
+	ADCS  ZR, c7
+
+#define gfpReduce() \
+	\ // m = (T * N') mod R, store m in R1:R2:R3:R4
+	MOVD ·np+0(SB), R17 \
+	MOVD ·np+8(SB), R25 \
+	MOVD ·np+16(SB), R19 \
+	MOVD ·np+24(SB), R20 \
+	\
+	MUL R9, R17, R1 \
+	UMULH R9, R17, R2 \
+	MUL R9, R25, R0 \
+	ADDS R0, R2 \
+	UMULH R9, R25, R3 \
+	MUL R9, R19, R0 \
+	ADCS R0, R3 \
+	UMULH R9, R19, R4 \
+	MUL R9, R20, R0 \
+	ADCS R0, R4 \
+	\
+	MUL R10, R17, R21 \
+	UMULH R10, R17, R22 \
+	MUL R10, R25, R0 \
+	ADDS R0, R22 \
+	UMULH R10, R25, R23 \
+	MUL R10, R19, R0 \
+	ADCS R0, R23 \
+	ADDS R21, R2 \
+	ADCS R22, R3 \
+	ADCS R23, R4 \
+	\
+	MUL R11, R17, R21 \
+	UMULH R11, R17, R22 \
+	MUL R11, R25, R0 \
+	ADDS R0, R22 \
+	ADDS R21, R3 \
+	ADCS R22, R4 \
+	\
+	MUL R12, R17, R21 \
+	ADDS R21, R4 \
+	\
+	\ // m * N
+	loadModulus(R5,R6,R7,R8) \
+	mul(R17,R25,R19,R20,R21,R22,R23,R24) \
+	\
+	\ // Add the 512-bit intermediate to m*N
+	MOVD  ZR, R0 \
+	ADDS  R9, R17 \
+	ADCS R10, R25 \
+	ADCS R11, R19 \
+	ADCS R12, R20 \
+	ADCS R13, R21 \
+	ADCS R14, R22 \
+	ADCS R15, R23 \
+	ADCS R16, R24 \
+	ADCS  ZR, R0 \
+	\
+	\ // Our output is R21:R22:R23:R24. Reduce mod p if necessary.
+	SUBS R5, R21, R10 \
+	SBCS R6, R22, R11 \
+	SBCS R7, R23, R12 \
+	SBCS R8, R24, R13 \
+	\
+	CSEL CS, R10, R21, R1 \
+	CSEL CS, R11, R22, R2 \
+	CSEL CS, R12, R23, R3 \
+	CSEL CS, R13, R24, R4
diff --git a/kyber/pairing/bn256/mul_bmi2_amd64.h b/kyber/pairing/bn256/mul_bmi2_amd64.h
new file mode 100644
index 0000000000..71ad0499af
--- /dev/null
+++ b/kyber/pairing/bn256/mul_bmi2_amd64.h
@@ -0,0 +1,112 @@
+#define mulBMI2(a0,a1,a2,a3, rb) \
+	MOVQ a0, DX \
+	MOVQ $0, R13 \
+	MULXQ 0+rb, R8, R9 \
+	MULXQ 8+rb, AX, R10 \
+	ADDQ AX, R9 \
+	MULXQ 16+rb, AX, R11 \
+	ADCQ AX, R10 \
+	MULXQ 24+rb, AX, R12 \
+	ADCQ AX, R11 \
+	ADCQ $0, R12 \
+	ADCQ $0, R13 \
+	\
+	MOVQ a1, DX \
+	MOVQ $0, R14 \
+	MULXQ 0+rb, AX, BX \
+	ADDQ AX, R9 \
+	ADCQ BX, R10 \
+	MULXQ 16+rb, AX, BX \
+	ADCQ AX, R11 \
+	ADCQ BX, R12 \
+	ADCQ $0, R13 \
+	MULXQ 8+rb, AX, BX \
+	ADDQ AX, R10 \
+	ADCQ BX, R11 \
+	MULXQ 24+rb, AX, BX \
+	ADCQ AX, R12 \
+	ADCQ BX, R13 \
+	ADCQ $0, R14 \
+	\
+	MOVQ a2, DX \
+	MOVQ $0, R15 \
+	MULXQ 0+rb, AX, BX \
+	ADDQ AX, R10 \
+	ADCQ BX, R11 \
+	MULXQ 16+rb, AX, BX \
+	ADCQ AX, R12 \
+	ADCQ BX, R13 \
+	ADCQ $0, R14 \
+	MULXQ 8+rb, AX, BX \
+	ADDQ AX, R11 \
+	ADCQ BX, R12 \
+	MULXQ 24+rb, AX, BX \
+	ADCQ AX, R13 \
+	ADCQ BX, R14 \
+	ADCQ $0, R15 \
+	\
+	MOVQ a3, DX \
+	MULXQ 0+rb, AX, BX \
+	ADDQ AX, R11 \
+	ADCQ BX, R12 \
+	MULXQ 16+rb, AX, BX \
+	ADCQ AX, R13 \
+	ADCQ BX, R14 \
+	ADCQ $0, R15 \
+	MULXQ 8+rb, AX, BX \
+	ADDQ AX, R12 \
+	ADCQ BX, R13 \
+	MULXQ 24+rb, AX, BX \
+	ADCQ AX, R14 \
+	ADCQ BX, R15
+
+#define gfpReduceBMI2() \
+	\ // m = (T * N') mod R, store m in R8:R9:R10:R11
+	MOVQ ·np+0(SB), DX \
+	MULXQ 0(SP), R8, R9 \
+	MULXQ 8(SP), AX, R10 \
+	ADDQ AX, R9 \
+	MULXQ 16(SP), AX, R11 \
+	ADCQ AX, R10 \
+	MULXQ 24(SP), AX, BX \
+	ADCQ AX, R11 \
+	\
+	MOVQ ·np+8(SB), DX \
+	MULXQ 0(SP), AX, BX \
+	ADDQ AX, R9 \
+	ADCQ BX, R10 \
+	MULXQ 16(SP), AX, BX \
+	ADCQ AX, R11 \
+	MULXQ 8(SP), AX, BX \
+	ADDQ AX, R10 \
+	ADCQ BX, R11 \
+	\
+	MOVQ ·np+16(SB), DX \
+	MULXQ 0(SP), AX, BX \
+	ADDQ AX, R10 \
+	ADCQ BX, R11 \
+	MULXQ 8(SP), AX, BX \
+	ADDQ AX, R11 \
+	\
+	MOVQ ·np+24(SB), DX \
+	MULXQ 0(SP), AX, BX \
+	ADDQ AX, R11 \
+	\
+	storeBlock(R8,R9,R10,R11, 64(SP)) \
+	\
+	\ // m * N
+	mulBMI2(·p2+0(SB),·p2+8(SB),·p2+16(SB),·p2+24(SB), 64(SP)) \
+	\
+	\ // Add the 512-bit intermediate to m*N
+	MOVQ $0, AX \
+	ADDQ 0(SP), R8 \
+	ADCQ 8(SP), R9 \
+	ADCQ 16(SP), R10 \
+	ADCQ 24(SP), R11 \
+	ADCQ 32(SP), R12 \
+	ADCQ 40(SP), R13 \
+	ADCQ 48(SP), R14 \
+	ADCQ 56(SP), R15 \
+	ADCQ $0, AX \
+	\
+	gfpCarry(R12,R13,R14,R15,AX, R8,R9,R10,R11,BX)
diff --git a/kyber/pairing/bn256/optate.go b/kyber/pairing/bn256/optate.go
new file mode 100644
index 0000000000..126c64ca6c
--- /dev/null
+++ b/kyber/pairing/bn256/optate.go
@@ -0,0 +1,268 @@
+package bn256
+
+func lineFunctionAdd(r, p *twistPoint, q *curvePoint, r2 *gfP2) (a, b, c *gfP2, rOut *twistPoint) {
+	// See the mixed addition algorithm from "Faster Computation of the
+	// Tate Pairing", http://arxiv.org/pdf/0904.0854v3.pdf
+	B := (&gfP2{}).Mul(&p.x, &r.t)
+
+	D := (&gfP2{}).Add(&p.y, &r.z)
+	D.Square(D).Sub(D, r2).Sub(D, &r.t).Mul(D, &r.t)
+
+	H := (&gfP2{}).Sub(B, &r.x)
+	I := (&gfP2{}).Square(H)
+
+	E := (&gfP2{}).Add(I, I)
+	E.Add(E, E)
+
+	J := (&gfP2{}).Mul(H, E)
+
+	L1 := (&gfP2{}).Sub(D, &r.y)
+	L1.Sub(L1, &r.y)
+
+	V := (&gfP2{}).Mul(&r.x, E)
+
+	rOut = &twistPoint{}
+	rOut.x.Square(L1).Sub(&rOut.x, J).Sub(&rOut.x, V).Sub(&rOut.x, V)
+
+	rOut.z.Add(&r.z, H).Square(&rOut.z).Sub(&rOut.z, &r.t).Sub(&rOut.z, I)
+
+	t := (&gfP2{}).Sub(V, &rOut.x)
+	t.Mul(t, L1)
+	t2 := (&gfP2{}).Mul(&r.y, J)
+	t2.Add(t2, t2)
+	rOut.y.Sub(t, t2)
+
+	rOut.t.Square(&rOut.z)
+
+	t.Add(&p.y, &rOut.z).Square(t).Sub(t, r2).Sub(t, &rOut.t)
+
+	t2.Mul(L1, &p.x)
+	t2.Add(t2, t2)
+	a = (&gfP2{}).Sub(t2, t)
+
+	c = (&gfP2{}).MulScalar(&rOut.z, &q.y)
+	c.Add(c, c)
+
+	b = (&gfP2{}).Neg(L1)
+	b.MulScalar(b, &q.x).Add(b, b)
+
+	return
+}
+
+func lineFunctionDouble(r *twistPoint, q *curvePoint) (a, b, c *gfP2, rOut *twistPoint) {
+	// See the doubling algorithm for a=0 from "Faster Computation of the
+	// Tate Pairing", http://arxiv.org/pdf/0904.0854v3.pdf
+	A := (&gfP2{}).Square(&r.x)
+	B := (&gfP2{}).Square(&r.y)
+	C := (&gfP2{}).Square(B)
+
+	D := (&gfP2{}).Add(&r.x, B)
+	D.Square(D).Sub(D, A).Sub(D, C).Add(D, D)
+
+	E := (&gfP2{}).Add(A, A)
+	E.Add(E, A)
+
+	G := (&gfP2{}).Square(E)
+
+	rOut = &twistPoint{}
+	rOut.x.Sub(G, D).Sub(&rOut.x, D)
+
+	rOut.z.Add(&r.y, &r.z).Square(&rOut.z).Sub(&rOut.z, B).Sub(&rOut.z, &r.t)
+
+	rOut.y.Sub(D, &rOut.x).Mul(&rOut.y, E)
+	t := (&gfP2{}).Add(C, C)
+	t.Add(t, t).Add(t, t)
+	rOut.y.Sub(&rOut.y, t)
+
+	rOut.t.Square(&rOut.z)
+
+	t.Mul(E, &r.t).Add(t, t)
+	b = (&gfP2{}).Neg(t)
+	b.MulScalar(b, &q.x)
+
+	a = (&gfP2{}).Add(&r.x, E)
+	a.Square(a).Sub(a, A).Sub(a, G)
+	t.Add(B, B).Add(t, t)
+	a.Sub(a, t)
+
+	c = (&gfP2{}).Mul(&rOut.z, &r.t)
+	c.Add(c, c).MulScalar(c, &q.y)
+
+	return
+}
+
+func mulLine(ret *gfP12, a, b, c *gfP2) {
+	a2 := &gfP6{}
+	a2.y.Set(a)
+	a2.z.Set(b)
+	a2.Mul(a2, &ret.x)
+	t3 := (&gfP6{}).MulScalar(&ret.y, c)
+
+	t := (&gfP2{}).Add(b, c)
+	t2 := &gfP6{}
+	t2.y.Set(a)
+	t2.z.Set(t)
+	ret.x.Add(&ret.x, &ret.y)
+
+	ret.y.Set(t3)
+
+	ret.x.Mul(&ret.x, t2).Sub(&ret.x, a2).Sub(&ret.x, &ret.y)
+	a2.MulTau(a2)
+	ret.y.Add(&ret.y, a2)
+}
+
+// sixuPlus2NAF is 6u+2 in non-adjacent form.
+var sixuPlus2NAF = []int8{0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, -1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, -1, 0, 1, 0, 0, 0, 1, 0, -1, 0, 0, 0, -1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, -1, 0, -1, 0, 0, 0, 0, 1, 0, 0, 0, 1}
+
+// miller implements the Miller loop for calculating the Optimal Ate pairing.
+// See algorithm 1 from http://cryptojedi.org/papers/dclxvi-20100714.pdf
+func miller(q *twistPoint, p *curvePoint) *gfP12 {
+	ret := (&gfP12{}).SetOne()
+
+	aAffine := &twistPoint{}
+	aAffine.Set(q)
+	aAffine.MakeAffine()
+
+	bAffine := &curvePoint{}
+	bAffine.Set(p)
+	bAffine.MakeAffine()
+
+	minusA := &twistPoint{}
+	minusA.Neg(aAffine)
+
+	r := &twistPoint{}
+	r.Set(aAffine)
+
+	r2 := (&gfP2{}).Square(&aAffine.y)
+
+	for i := len(sixuPlus2NAF) - 1; i > 0; i-- {
+		a, b, c, newR := lineFunctionDouble(r, bAffine)
+		if i != len(sixuPlus2NAF)-1 {
+			ret.Square(ret)
+		}
+
+		mulLine(ret, a, b, c)
+		r = newR
+
+		switch sixuPlus2NAF[i-1] {
+		case 1:
+			a, b, c, newR = lineFunctionAdd(r, aAffine, bAffine, r2)
+		case -1:
+			a, b, c, newR = lineFunctionAdd(r, minusA, bAffine, r2)
+		default:
+			continue
+		}
+
+		mulLine(ret, a, b, c)
+		r = newR
+	}
+
+	// In order to calculate Q1 we have to convert q from the sextic twist
+	// to the full GF(p^12) group, apply the Frobenius there, and convert
+	// back.
+	//
+	// The twist isomorphism is (x', y') -> (xω², yω³). If we consider just
+	// x for a moment, then after applying the Frobenius, we have x̄ω^(2p)
+	// where x̄ is the conjugate of x. If we are going to apply the inverse
+	// isomorphism we need a value with a single coefficient of ω² so we
+	// rewrite this as x̄ω^(2p-2)ω². ξ⁶ = ω and, due to the construction of
+	// p, 2p-2 is a multiple of six. Therefore we can rewrite as
+	// x̄ξ^((p-1)/3)ω² and applying the inverse isomorphism eliminates the
+	// ω².
+	//
+	// A similar argument can be made for the y value.
+
+	q1 := &twistPoint{}
+	q1.x.Conjugate(&aAffine.x).Mul(&q1.x, xiToPMinus1Over3)
+	q1.y.Conjugate(&aAffine.y).Mul(&q1.y, xiToPMinus1Over2)
+	q1.z.SetOne()
+	q1.t.SetOne()
+
+	// For Q2 we are applying the p² Frobenius. The two conjugations cancel
+	// out and we are left only with the factors from the isomorphism. In
+	// the case of x, we end up with a pure number which is why
+	// xiToPSquaredMinus1Over3 is ∈ GF(p). With y we get a factor of -1. We
+	// ignore this to end up with -Q2.
+
+	minusQ2 := &twistPoint{}
+	minusQ2.x.MulScalar(&aAffine.x, xiToPSquaredMinus1Over3)
+	minusQ2.y.Set(&aAffine.y)
+	minusQ2.z.SetOne()
+	minusQ2.t.SetOne()
+
+	r2.Square(&q1.y)
+	a, b, c, newR := lineFunctionAdd(r, q1, bAffine, r2)
+	mulLine(ret, a, b, c)
+	r = newR
+
+	r2.Square(&minusQ2.y)
+	a, b, c, newR = lineFunctionAdd(r, minusQ2, bAffine, r2)
+	mulLine(ret, a, b, c)
+	r = newR
+
+	return ret
+}
+
+// finalExponentiation computes the (p¹²-1)/Order-th power of an element of
+// GF(p¹²) to obtain an element of GT (steps 13-15 of algorithm 1 from
+// http://cryptojedi.org/papers/dclxvi-20100714.pdf)
+func finalExponentiation(in *gfP12) *gfP12 {
+	t1 := &gfP12{}
+
+	// This is the p^6-Frobenius
+	t1.x.Neg(&in.x)
+	t1.y.Set(&in.y)
+
+	inv := &gfP12{}
+	inv.Invert(in)
+	t1.Mul(t1, inv)
+
+	t2 := (&gfP12{}).FrobeniusP2(t1)
+	t1.Mul(t1, t2)
+
+	fp := (&gfP12{}).Frobenius(t1)
+	fp2 := (&gfP12{}).FrobeniusP2(t1)
+	fp3 := (&gfP12{}).Frobenius(fp2)
+
+	fu := (&gfP12{}).Exp(t1, u)
+	fu2 := (&gfP12{}).Exp(fu, u)
+	fu3 := (&gfP12{}).Exp(fu2, u)
+
+	y3 := (&gfP12{}).Frobenius(fu)
+	fu2p := (&gfP12{}).Frobenius(fu2)
+	fu3p := (&gfP12{}).Frobenius(fu3)
+	y2 := (&gfP12{}).FrobeniusP2(fu2)
+
+	y0 := &gfP12{}
+	y0.Mul(fp, fp2).Mul(y0, fp3)
+
+	y1 := (&gfP12{}).Conjugate(t1)
+	y5 := (&gfP12{}).Conjugate(fu2)
+	y3.Conjugate(y3)
+	y4 := (&gfP12{}).Mul(fu, fu2p)
+	y4.Conjugate(y4)
+
+	y6 := (&gfP12{}).Mul(fu3, fu3p)
+	y6.Conjugate(y6)
+
+	t0 := (&gfP12{}).Square(y6)
+	t0.Mul(t0, y4).Mul(t0, y5)
+	t1.Mul(y3, y5).Mul(t1, t0)
+	t0.Mul(t0, y2)
+	t1.Square(t1).Mul(t1, t0).Square(t1)
+	t0.Mul(t1, y1)
+	t1.Mul(t1, y0)
+	t0.Square(t0).Mul(t0, t1)
+
+	return t0
+}
+
+func optimalAte(a *twistPoint, b *curvePoint) *gfP12 {
+	e := miller(a, b)
+	ret := finalExponentiation(e)
+
+	if a.IsInfinity() || b.IsInfinity() {
+		ret.SetOne()
+	}
+	return ret
+}
diff --git a/kyber/pairing/bn256/point.go b/kyber/pairing/bn256/point.go
new file mode 100644
index 0000000000..28316b6a2e
--- /dev/null
+++ b/kyber/pairing/bn256/point.go
@@ -0,0 +1,647 @@
+package bn256
+
+import (
+	"crypto/cipher"
+	"crypto/sha256"
+	"crypto/subtle"
+	"errors"
+	"io"
+	"math/big"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/mod"
+)
+
+var marshalPointID1 = [8]byte{'b', 'n', '2', '5', '6', '.', 'g', '1'}
+var marshalPointID2 = [8]byte{'b', 'n', '2', '5', '6', '.', 'g', '2'}
+var marshalPointIDT = [8]byte{'b', 'n', '2', '5', '6', '.', 'g', 't'}
+
+type pointG1 struct {
+	g *curvePoint
+}
+
+func newPointG1() *pointG1 {
+	p := &pointG1{g: &curvePoint{}}
+	return p
+}
+
+func (p *pointG1) Equal(q kyber.Point) bool {
+	x, _ := p.MarshalBinary()
+	y, _ := q.MarshalBinary()
+	return subtle.ConstantTimeCompare(x, y) == 1
+}
+
+func (p *pointG1) Null() kyber.Point {
+	p.g.SetInfinity()
+	return p
+}
+
+func (p *pointG1) Base() kyber.Point {
+	p.g.Set(curveGen)
+	return p
+}
+
+func (p *pointG1) Pick(rand cipher.Stream) kyber.Point {
+	s := mod.NewInt64(0, Order).Pick(rand)
+	p.Base()
+	p.g.Mul(p.g, &s.(*mod.Int).V)
+	return p
+}
+
+func (p *pointG1) Set(q kyber.Point) kyber.Point {
+	x := q.(*pointG1).g
+	p.g.Set(x)
+	return p
+}
+
+// Clone makes a hard copy of the point
+func (p *pointG1) Clone() kyber.Point {
+	q := newPointG1()
+	q.g = p.g.Clone()
+	return q
+}
+
+func (p *pointG1) EmbedLen() int {
+	panic("bn256.G1: unsupported operation")
+}
+
+func (p *pointG1) Embed(data []byte, rand cipher.Stream) kyber.Point {
+	// XXX: An approach to implement this is:
+	// - Encode data as the x-coordinate of a point on y²=x³+3 where len(data)
+	//   is stored in the least significant byte of x and the rest is being
+	//   filled with random values, i.e., x = rand || data || len(data).
+	// - Use the Tonelli-Shanks algorithm to compute the y-coordinate.
+	// - Convert the new point to Jacobian coordinates and set it as p.
+	panic("bn256.G1: unsupported operation")
+}
+
+func (p *pointG1) Data() ([]byte, error) {
+	panic("bn256.G1: unsupported operation")
+}
+
+func (p *pointG1) Add(a, b kyber.Point) kyber.Point {
+	x := a.(*pointG1).g
+	y := b.(*pointG1).g
+	p.g.Add(x, y) // p = a + b
+	return p
+}
+
+func (p *pointG1) Sub(a, b kyber.Point) kyber.Point {
+	q := newPointG1()
+	return p.Add(a, q.Neg(b))
+}
+
+func (p *pointG1) Neg(q kyber.Point) kyber.Point {
+	x := q.(*pointG1).g
+	p.g.Neg(x)
+	return p
+}
+
+func (p *pointG1) Mul(s kyber.Scalar, q kyber.Point) kyber.Point {
+	if q == nil {
+		q = newPointG1().Base()
+	}
+	t := s.(*mod.Int).V
+	r := q.(*pointG1).g
+	p.g.Mul(r, &t)
+	return p
+}
+
+func (p *pointG1) MarshalBinary() ([]byte, error) {
+	// Clone is required as we change the point
+	p = p.Clone().(*pointG1)
+
+	n := p.ElementSize()
+	// Take a copy so that p is not written to, so calls to MarshalBinary
+	// are threadsafe.
+	pgtemp := *p.g
+	pgtemp.MakeAffine()
+	ret := make([]byte, p.MarshalSize())
+	if pgtemp.IsInfinity() {
+		return ret, nil
+	}
+	tmp := &gfP{}
+	montDecode(tmp, &pgtemp.x)
+	tmp.Marshal(ret)
+	montDecode(tmp, &pgtemp.y)
+	tmp.Marshal(ret[n:])
+	return ret, nil
+}
+
+func (p *pointG1) MarshalID() [8]byte {
+	return marshalPointID1
+}
+
+func (p *pointG1) MarshalTo(w io.Writer) (int, error) {
+	buf, err := p.MarshalBinary()
+	if err != nil {
+		return 0, err
+	}
+	return w.Write(buf)
+}
+
+func (p *pointG1) UnmarshalBinary(buf []byte) error {
+	n := p.ElementSize()
+	if len(buf) < p.MarshalSize() {
+		return errors.New("bn256.G1: not enough data")
+	}
+	if p.g == nil {
+		p.g = &curvePoint{}
+	} else {
+		p.g.x, p.g.y = gfP{0}, gfP{0}
+	}
+
+	p.g.x.Unmarshal(buf)
+	p.g.y.Unmarshal(buf[n:])
+	montEncode(&p.g.x, &p.g.x)
+	montEncode(&p.g.y, &p.g.y)
+
+	zero := gfP{0}
+	if p.g.x == zero && p.g.y == zero {
+		// This is the point at infinity
+		p.g.y = *newGFp(1)
+		p.g.z = gfP{0}
+		p.g.t = gfP{0}
+	} else {
+		p.g.z = *newGFp(1)
+		p.g.t = *newGFp(1)
+	}
+
+	if !p.g.IsOnCurve() {
+		return errors.New("bn256.G1: malformed point")
+	}
+
+	return nil
+}
+
+func (p *pointG1) UnmarshalFrom(r io.Reader) (int, error) {
+	buf := make([]byte, p.MarshalSize())
+	n, err := io.ReadFull(r, buf)
+	if err != nil {
+		return n, err
+	}
+	return n, p.UnmarshalBinary(buf)
+}
+
+func (p *pointG1) MarshalSize() int {
+	return 2 * p.ElementSize()
+}
+
+func (p *pointG1) ElementSize() int {
+	return 256 / 8
+}
+
+func (p *pointG1) String() string {
+	return "bn256.G1:" + p.g.String()
+}
+
+func (p *pointG1) Hash(m []byte) kyber.Point {
+	leftPad32 := func(in []byte) []byte {
+		if len(in) > 32 {
+			panic("input cannot be more than 32 bytes")
+		}
+
+		out := make([]byte, 32)
+		copy(out[32-len(in):], in)
+		return out
+	}
+
+	bigX, bigY := hashToPoint(m)
+	if p.g == nil {
+		p.g = new(curvePoint)
+	}
+
+	x, y := new(gfP), new(gfP)
+	x.Unmarshal(leftPad32(bigX.Bytes()))
+	y.Unmarshal(leftPad32(bigY.Bytes()))
+	montEncode(x, x)
+	montEncode(y, y)
+
+	p.g.Set(&curvePoint{*x, *y, *newGFp(1), *newGFp(1)})
+	return p
+}
+
+// hashes a byte slice into two points on a curve represented by big.Int
+// ideally we want to do this using gfP, but gfP doesn't have a ModSqrt function
+func hashToPoint(m []byte) (*big.Int, *big.Int) {
+	// we need to convert curveB into a bigInt for our computation
+	intCurveB := new(big.Int)
+	{
+		decodedCurveB := new(gfP)
+		montDecode(decodedCurveB, curveB)
+		bufCurveB := make([]byte, 32)
+		decodedCurveB.Marshal(bufCurveB)
+		intCurveB.SetBytes(bufCurveB)
+	}
+
+	h := sha256.Sum256(m)
+	x := new(big.Int).SetBytes(h[:])
+	x.Mod(x, p)
+
+	for {
+		xxx := new(big.Int).Mul(x, x)
+		xxx.Mul(xxx, x)
+		xxx.Mod(xxx, p)
+
+		t := new(big.Int).Add(xxx, intCurveB)
+		y := new(big.Int).ModSqrt(t, p)
+		if y != nil {
+			return x, y
+		}
+
+		x.Add(x, big.NewInt(1))
+	}
+}
+
+type pointG2 struct {
+	g *twistPoint
+}
+
+func newPointG2() *pointG2 {
+	p := &pointG2{g: &twistPoint{}}
+	return p
+}
+
+func (p *pointG2) Equal(q kyber.Point) bool {
+	x, _ := p.MarshalBinary()
+	y, _ := q.MarshalBinary()
+	return subtle.ConstantTimeCompare(x, y) == 1
+}
+
+func (p *pointG2) Null() kyber.Point {
+	p.g.SetInfinity()
+	return p
+}
+
+func (p *pointG2) Base() kyber.Point {
+	p.g.Set(twistGen)
+	return p
+}
+
+func (p *pointG2) Pick(rand cipher.Stream) kyber.Point {
+	s := mod.NewInt64(0, Order).Pick(rand)
+	p.Base()
+	p.g.Mul(p.g, &s.(*mod.Int).V)
+	return p
+}
+
+func (p *pointG2) Set(q kyber.Point) kyber.Point {
+	x := q.(*pointG2).g
+	p.g.Set(x)
+	return p
+}
+
+// Clone makes a hard copy of the field
+func (p *pointG2) Clone() kyber.Point {
+	q := newPointG2()
+	q.g = p.g.Clone()
+	return q
+}
+
+func (p *pointG2) EmbedLen() int {
+	panic("bn256.G2: unsupported operation")
+}
+
+func (p *pointG2) Embed(data []byte, rand cipher.Stream) kyber.Point {
+	panic("bn256.G2: unsupported operation")
+}
+
+func (p *pointG2) Data() ([]byte, error) {
+	panic("bn256.G2: unsupported operation")
+}
+
+func (p *pointG2) Add(a, b kyber.Point) kyber.Point {
+	x := a.(*pointG2).g
+	y := b.(*pointG2).g
+	p.g.Add(x, y) // p = a + b
+	return p
+}
+
+func (p *pointG2) Sub(a, b kyber.Point) kyber.Point {
+	q := newPointG2()
+	return p.Add(a, q.Neg(b))
+}
+
+func (p *pointG2) Neg(q kyber.Point) kyber.Point {
+	x := q.(*pointG2).g
+	p.g.Neg(x)
+	return p
+}
+
+func (p *pointG2) Mul(s kyber.Scalar, q kyber.Point) kyber.Point {
+	if q == nil {
+		q = newPointG2().Base()
+	}
+	t := s.(*mod.Int).V
+	r := q.(*pointG2).g
+	p.g.Mul(r, &t)
+	return p
+}
+
+func (p *pointG2) MarshalBinary() ([]byte, error) {
+	// Clone is required as we change the point during the operation
+	p = p.Clone().(*pointG2)
+
+	n := p.ElementSize()
+	if p.g == nil {
+		p.g = &twistPoint{}
+	}
+
+	p.g.MakeAffine()
+
+	ret := make([]byte, p.MarshalSize())
+	if p.g.IsInfinity() {
+		return ret, nil
+	}
+
+	temp := &gfP{}
+	montDecode(temp, &p.g.x.x)
+	temp.Marshal(ret[0*n:])
+	montDecode(temp, &p.g.x.y)
+	temp.Marshal(ret[1*n:])
+	montDecode(temp, &p.g.y.x)
+	temp.Marshal(ret[2*n:])
+	montDecode(temp, &p.g.y.y)
+	temp.Marshal(ret[3*n:])
+
+	return ret, nil
+}
+
+func (p *pointG2) MarshalID() [8]byte {
+	return marshalPointID2
+}
+
+func (p *pointG2) MarshalTo(w io.Writer) (int, error) {
+	buf, err := p.MarshalBinary()
+	if err != nil {
+		return 0, err
+	}
+	return w.Write(buf)
+}
+
+func (p *pointG2) UnmarshalBinary(buf []byte) error {
+	n := p.ElementSize()
+	if p.g == nil {
+		p.g = &twistPoint{}
+	}
+
+	if len(buf) < p.MarshalSize() {
+		return errors.New("bn256.G2: not enough data")
+	}
+
+	p.g.x.x.Unmarshal(buf[0*n:])
+	p.g.x.y.Unmarshal(buf[1*n:])
+	p.g.y.x.Unmarshal(buf[2*n:])
+	p.g.y.y.Unmarshal(buf[3*n:])
+	montEncode(&p.g.x.x, &p.g.x.x)
+	montEncode(&p.g.x.y, &p.g.x.y)
+	montEncode(&p.g.y.x, &p.g.y.x)
+	montEncode(&p.g.y.y, &p.g.y.y)
+
+	if p.g.x.IsZero() && p.g.y.IsZero() {
+		// This is the point at infinity.
+		p.g.y.SetOne()
+		p.g.z.SetZero()
+		p.g.t.SetZero()
+	} else {
+		p.g.z.SetOne()
+		p.g.t.SetOne()
+
+		if !p.g.IsOnCurve() {
+			return errors.New("bn256.G2: malformed point")
+		}
+	}
+	return nil
+}
+
+func (p *pointG2) UnmarshalFrom(r io.Reader) (int, error) {
+	buf := make([]byte, p.MarshalSize())
+	n, err := io.ReadFull(r, buf)
+	if err != nil {
+		return n, err
+	}
+	return n, p.UnmarshalBinary(buf)
+}
+
+func (p *pointG2) MarshalSize() int {
+	return 4 * p.ElementSize()
+}
+
+func (p *pointG2) ElementSize() int {
+	return 256 / 8
+}
+
+func (p *pointG2) String() string {
+	return "bn256.G2:" + p.g.String()
+}
+
+type pointGT struct {
+	g *gfP12
+}
+
+func newPointGT() *pointGT {
+	p := &pointGT{g: &gfP12{}}
+	return p
+}
+
+func (p *pointGT) Equal(q kyber.Point) bool {
+	x, _ := p.MarshalBinary()
+	y, _ := q.MarshalBinary()
+	return subtle.ConstantTimeCompare(x, y) == 1
+}
+
+func (p *pointGT) Null() kyber.Point {
+	p.g.Set(gfP12Inf)
+	return p
+}
+
+func (p *pointGT) Base() kyber.Point {
+	p.g.Set(gfP12Gen)
+	return p
+}
+
+func (p *pointGT) Pick(rand cipher.Stream) kyber.Point {
+	s := mod.NewInt64(0, Order).Pick(rand)
+	p.Base()
+	p.g.Exp(p.g, &s.(*mod.Int).V)
+	return p
+}
+
+func (p *pointGT) Set(q kyber.Point) kyber.Point {
+	x := q.(*pointGT).g
+	p.g.Set(x)
+	return p
+}
+
+// Clone makes a hard copy of the point
+func (p *pointGT) Clone() kyber.Point {
+	q := newPointGT()
+	q.g = p.g.Clone()
+	return q
+}
+
+func (p *pointGT) EmbedLen() int {
+	panic("bn256.GT: unsupported operation")
+}
+
+func (p *pointGT) Embed(data []byte, rand cipher.Stream) kyber.Point {
+	panic("bn256.GT: unsupported operation")
+}
+
+func (p *pointGT) Data() ([]byte, error) {
+	panic("bn256.GT: unsupported operation")
+}
+
+func (p *pointGT) Add(a, b kyber.Point) kyber.Point {
+	x := a.(*pointGT).g
+	y := b.(*pointGT).g
+	p.g.Mul(x, y)
+	return p
+}
+
+func (p *pointGT) Sub(a, b kyber.Point) kyber.Point {
+	q := newPointGT()
+	return p.Add(a, q.Neg(b))
+}
+
+func (p *pointGT) Neg(q kyber.Point) kyber.Point {
+	x := q.(*pointGT).g
+	p.g.Conjugate(x)
+	return p
+}
+
+func (p *pointGT) Mul(s kyber.Scalar, q kyber.Point) kyber.Point {
+	if q == nil {
+		q = newPointGT().Base()
+	}
+	t := s.(*mod.Int).V
+	r := q.(*pointGT).g
+	p.g.Exp(r, &t)
+	return p
+}
+
+func (p *pointGT) MarshalBinary() ([]byte, error) {
+	n := p.ElementSize()
+	ret := make([]byte, p.MarshalSize())
+	temp := &gfP{}
+
+	montDecode(temp, &p.g.x.x.x)
+	temp.Marshal(ret[0*n:])
+	montDecode(temp, &p.g.x.x.y)
+	temp.Marshal(ret[1*n:])
+	montDecode(temp, &p.g.x.y.x)
+	temp.Marshal(ret[2*n:])
+	montDecode(temp, &p.g.x.y.y)
+	temp.Marshal(ret[3*n:])
+	montDecode(temp, &p.g.x.z.x)
+	temp.Marshal(ret[4*n:])
+	montDecode(temp, &p.g.x.z.y)
+	temp.Marshal(ret[5*n:])
+	montDecode(temp, &p.g.y.x.x)
+	temp.Marshal(ret[6*n:])
+	montDecode(temp, &p.g.y.x.y)
+	temp.Marshal(ret[7*n:])
+	montDecode(temp, &p.g.y.y.x)
+	temp.Marshal(ret[8*n:])
+	montDecode(temp, &p.g.y.y.y)
+	temp.Marshal(ret[9*n:])
+	montDecode(temp, &p.g.y.z.x)
+	temp.Marshal(ret[10*n:])
+	montDecode(temp, &p.g.y.z.y)
+	temp.Marshal(ret[11*n:])
+
+	return ret, nil
+}
+
+func (p *pointGT) MarshalID() [8]byte {
+	return marshalPointIDT
+}
+
+func (p *pointGT) MarshalTo(w io.Writer) (int, error) {
+	buf, err := p.MarshalBinary()
+	if err != nil {
+		return 0, err
+	}
+	return w.Write(buf)
+}
+
+func (p *pointGT) UnmarshalBinary(buf []byte) error {
+	n := p.ElementSize()
+	if len(buf) < p.MarshalSize() {
+		return errors.New("bn256.GT: not enough data")
+	}
+
+	if p.g == nil {
+		p.g = &gfP12{}
+	}
+
+	p.g.x.x.x.Unmarshal(buf[0*n:])
+	p.g.x.x.y.Unmarshal(buf[1*n:])
+	p.g.x.y.x.Unmarshal(buf[2*n:])
+	p.g.x.y.y.Unmarshal(buf[3*n:])
+	p.g.x.z.x.Unmarshal(buf[4*n:])
+	p.g.x.z.y.Unmarshal(buf[5*n:])
+	p.g.y.x.x.Unmarshal(buf[6*n:])
+	p.g.y.x.y.Unmarshal(buf[7*n:])
+	p.g.y.y.x.Unmarshal(buf[8*n:])
+	p.g.y.y.y.Unmarshal(buf[9*n:])
+	p.g.y.z.x.Unmarshal(buf[10*n:])
+	p.g.y.z.y.Unmarshal(buf[11*n:])
+	montEncode(&p.g.x.x.x, &p.g.x.x.x)
+	montEncode(&p.g.x.x.y, &p.g.x.x.y)
+	montEncode(&p.g.x.y.x, &p.g.x.y.x)
+	montEncode(&p.g.x.y.y, &p.g.x.y.y)
+	montEncode(&p.g.x.z.x, &p.g.x.z.x)
+	montEncode(&p.g.x.z.y, &p.g.x.z.y)
+	montEncode(&p.g.y.x.x, &p.g.y.x.x)
+	montEncode(&p.g.y.x.y, &p.g.y.x.y)
+	montEncode(&p.g.y.y.x, &p.g.y.y.x)
+	montEncode(&p.g.y.y.y, &p.g.y.y.y)
+	montEncode(&p.g.y.z.x, &p.g.y.z.x)
+	montEncode(&p.g.y.z.y, &p.g.y.z.y)
+
+	// TODO: check if point is on curve
+
+	return nil
+}
+
+func (p *pointGT) UnmarshalFrom(r io.Reader) (int, error) {
+	buf := make([]byte, p.MarshalSize())
+	n, err := io.ReadFull(r, buf)
+	if err != nil {
+		return n, err
+	}
+	return n, p.UnmarshalBinary(buf)
+}
+
+func (p *pointGT) MarshalSize() int {
+	return 12 * p.ElementSize()
+}
+
+func (p *pointGT) ElementSize() int {
+	return 256 / 8
+}
+
+func (p *pointGT) String() string {
+	return "bn256.GT:" + p.g.String()
+}
+
+func (p *pointGT) Finalize() kyber.Point {
+	buf := finalExponentiation(p.g)
+	p.g.Set(buf)
+	return p
+}
+
+func (p *pointGT) Miller(p1, p2 kyber.Point) kyber.Point {
+	a := p1.(*pointG1).g
+	b := p2.(*pointG2).g
+	p.g.Set(miller(b, a))
+	return p
+}
+
+func (p *pointGT) Pair(p1, p2 kyber.Point) kyber.Point {
+	a := p1.(*pointG1).g
+	b := p2.(*pointG2).g
+	p.g.Set(optimalAte(b, a))
+	return p
+}
diff --git a/kyber/pairing/bn256/point_test.go b/kyber/pairing/bn256/point_test.go
new file mode 100644
index 0000000000..93450852cc
--- /dev/null
+++ b/kyber/pairing/bn256/point_test.go
@@ -0,0 +1,41 @@
+package bn256
+
+import (
+	"bytes"
+	"encoding/hex"
+	"testing"
+)
+
+func TestPointG1_HashToPoint(t *testing.T) {
+	// reference test 1
+	p := new(pointG1).Hash([]byte("abc"))
+	pBuf, err := p.MarshalBinary()
+	if err != nil {
+		t.Error(err)
+	}
+	refBuf, err := hex.DecodeString("2ac314dc445e47f096d15425fc294601c1a7d8d27561c4fe9bb452f593f77f4705230e9663123b93c06ce0cd49a893619a92019566f326829a39d6f5ce10579d")
+	if err != nil {
+		t.Error(err)
+	}
+	if !bytes.Equal(pBuf, refBuf) {
+		t.Error("hash does not match reference")
+	}
+
+	// reference test 2
+	buf2, err := hex.DecodeString("e0a05cbb37fd6c159732a8c57b981773f7480695328b674d8a9cc083377f1811")
+	if err != nil {
+		t.Error(err)
+	}
+	p2 := new(pointG1).Hash(buf2)
+	p2Buf, err := p2.MarshalBinary()
+	if err != nil {
+		t.Error(err)
+	}
+	refBuf2, err := hex.DecodeString("1444853e16a3f959e9ff1da9c226958f9ee4067f82451bcf88ecc5980cf2c4d50095605d82d456fbb24b21f283842746935e0c42c7f7a8f579894d9bccede5ae")
+	if err != nil {
+		t.Error(err)
+	}
+	if !bytes.Equal(p2Buf, refBuf2) {
+		t.Error("hash does not match reference")
+	}
+}
diff --git a/kyber/pairing/bn256/suite.go b/kyber/pairing/bn256/suite.go
new file mode 100644
index 0000000000..40655c9cb1
--- /dev/null
+++ b/kyber/pairing/bn256/suite.go
@@ -0,0 +1,162 @@
+package bn256
+
+import (
+	"crypto/cipher"
+	"crypto/sha256"
+	"hash"
+	"io"
+	"reflect"
+
+	"go.dedis.ch/fixbuf"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/util/random"
+	"go.dedis.ch/kyber/v3/xof/blake2xb"
+)
+
+// Suite implements the pairing.Suite interface for the BN256 bilinear pairing.
+type Suite struct {
+	*commonSuite
+	g1 *groupG1
+	g2 *groupG2
+	gt *groupGT
+}
+
+// NewSuite generates and returns a new BN256 pairing suite.
+func NewSuite() *Suite {
+	s := &Suite{commonSuite: &commonSuite{}}
+	s.g1 = &groupG1{commonSuite: s.commonSuite}
+	s.g2 = &groupG2{commonSuite: s.commonSuite}
+	s.gt = &groupGT{commonSuite: s.commonSuite}
+	return s
+}
+
+// NewSuiteG1 returns a G1 suite.
+func NewSuiteG1() *Suite {
+	s := NewSuite()
+	s.commonSuite.Group = &groupG1{commonSuite: &commonSuite{}}
+	return s
+}
+
+// NewSuiteG2 returns a G2 suite.
+func NewSuiteG2() *Suite {
+	s := NewSuite()
+	s.commonSuite.Group = &groupG2{commonSuite: &commonSuite{}}
+	return s
+}
+
+// NewSuiteGT returns a GT suite.
+func NewSuiteGT() *Suite {
+	s := NewSuite()
+	s.commonSuite.Group = &groupGT{commonSuite: &commonSuite{}}
+	return s
+}
+
+// NewSuiteRand generates and returns a new BN256 suite seeded by the
+// given cipher stream.
+func NewSuiteRand(rand cipher.Stream) *Suite {
+	s := &Suite{commonSuite: &commonSuite{s: rand}}
+	s.g1 = &groupG1{commonSuite: s.commonSuite}
+	s.g2 = &groupG2{commonSuite: s.commonSuite}
+	s.gt = &groupGT{commonSuite: s.commonSuite}
+	return s
+}
+
+// G1 returns the group G1 of the BN256 pairing.
+func (s *Suite) G1() kyber.Group {
+	return s.g1
+}
+
+// G2 returns the group G2 of the BN256 pairing.
+func (s *Suite) G2() kyber.Group {
+	return s.g2
+}
+
+// GT returns the group GT of the BN256 pairing.
+func (s *Suite) GT() kyber.Group {
+	return s.gt
+}
+
+// Pair takes the points p1 and p2 in groups G1 and G2, respectively, as input
+// and computes their pairing in GT.
+func (s *Suite) Pair(p1 kyber.Point, p2 kyber.Point) kyber.Point {
+	return s.GT().Point().(*pointGT).Pair(p1, p2)
+}
+
+// Not used other than for reflect.TypeOf()
+var aScalar kyber.Scalar
+var aPoint kyber.Point
+var aPointG1 pointG1
+var aPointG2 pointG2
+var aPointGT pointGT
+
+var tScalar = reflect.TypeOf(&aScalar).Elem()
+var tPoint = reflect.TypeOf(&aPoint).Elem()
+var tPointG1 = reflect.TypeOf(&aPointG1).Elem()
+var tPointG2 = reflect.TypeOf(&aPointG2).Elem()
+var tPointGT = reflect.TypeOf(&aPointGT).Elem()
+
+type commonSuite struct {
+	s cipher.Stream
+	// kyber.Group is only set if we have a combined Suite
+	kyber.Group
+}
+
+// New implements the kyber.Encoding interface.
+func (c *commonSuite) New(t reflect.Type) interface{} {
+	if c.Group == nil {
+		panic("cannot create Point from NewGroup - please use bn256.NewGroupG1")
+	}
+	switch t {
+	case tScalar:
+		return c.Scalar()
+	case tPoint:
+		return c.Point()
+	case tPointG1:
+		g1 := groupG1{}
+		return g1.Point()
+	case tPointG2:
+		g2 := groupG2{}
+		return g2.Point()
+	case tPointGT:
+		gt := groupGT{}
+		return gt.Point()
+	}
+	return nil
+}
+
+// Read is the default implementation of kyber.Encoding interface Read.
+func (c *commonSuite) Read(r io.Reader, objs ...interface{}) error {
+	return fixbuf.Read(r, c, objs...)
+}
+
+// Write is the default implementation of kyber.Encoding interface Write.
+func (c *commonSuite) Write(w io.Writer, objs ...interface{}) error {
+	return fixbuf.Write(w, objs)
+}
+
+// Hash returns a newly instantiated sha256 hash function.
+func (c *commonSuite) Hash() hash.Hash {
+	return sha256.New()
+}
+
+// XOF returns a newlly instantiated blake2xb XOF function.
+func (c *commonSuite) XOF(seed []byte) kyber.XOF {
+	return blake2xb.New(seed)
+}
+
+// RandomStream returns a cipher.Stream which corresponds to a key stream from
+// crypto/rand.
+func (c *commonSuite) RandomStream() cipher.Stream {
+	if c.s != nil {
+		return c.s
+	}
+	return random.New()
+}
+
+// String returns a recognizable string that this is a combined suite.
+func (c commonSuite) String() string {
+	if c.Group != nil {
+		return c.Group.String()
+	}
+	return "bn256"
+}
diff --git a/kyber/pairing/bn256/suite_test.go b/kyber/pairing/bn256/suite_test.go
new file mode 100644
index 0000000000..e1494b621f
--- /dev/null
+++ b/kyber/pairing/bn256/suite_test.go
@@ -0,0 +1,351 @@
+package bn256
+
+import (
+	"bytes"
+	"fmt"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/protobuf"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3/group/mod"
+	"go.dedis.ch/kyber/v3/util/random"
+	"golang.org/x/crypto/bn256"
+)
+
+func TestScalarMarshal(t *testing.T) {
+	suite := NewSuite()
+	a := suite.G1().Scalar().Pick(random.New())
+	b := suite.G1().Scalar()
+	am, err := a.MarshalBinary()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := b.UnmarshalBinary(am); err != nil {
+		t.Fatal(err)
+	}
+	if !a.Equal(b) {
+		t.Fatal("bn256: scalars not equal")
+	}
+}
+
+func TestScalarOps(t *testing.T) {
+	suite := NewSuite()
+	a := suite.G1().Scalar().Pick(random.New())
+	b := suite.G1().Scalar().Pick(random.New())
+	c := suite.G1().Scalar().Pick(random.New())
+	d := suite.G1().Scalar()
+	e := suite.G1().Scalar()
+	// check that (a+b)-c == (a-c)+b
+	d.Add(a, b)
+	d.Sub(d, c)
+	e.Sub(a, c)
+	e.Add(e, b)
+	require.True(t, d.Equal(e))
+	// check that (a*b)*c^-1 == (a*c^-1)*b
+	d.One()
+	e.One()
+	d.Mul(a, b)
+	d.Div(d, c)
+	e.Div(a, c)
+	e.Mul(e, b)
+	require.True(t, d.Equal(e))
+	// check that (a*b*c)^-1*(a*b*c) == 1
+	d.One()
+	e.One()
+	d.Mul(a, b)
+	d.Mul(d, c)
+	d.Inv(d)
+	e.Mul(a, b)
+	e.Mul(e, c)
+	e.Mul(e, d)
+	require.True(t, e.Equal(suite.G1().Scalar().One()))
+}
+
+func TestG1(t *testing.T) {
+	suite := NewSuite()
+	k := suite.G1().Scalar().Pick(random.New())
+	pa := suite.G1().Point().Mul(k, nil)
+	ma, err := pa.MarshalBinary()
+	require.Nil(t, err)
+
+	pb := new(bn256.G1).ScalarBaseMult(&k.(*mod.Int).V)
+	mb := pb.Marshal()
+
+	require.Equal(t, ma, mb)
+}
+
+func TestG1Marshal(t *testing.T) {
+	suite := NewSuite()
+	k := suite.G1().Scalar().Pick(random.New())
+	pa := suite.G1().Point().Mul(k, nil)
+	ma, err := pa.MarshalBinary()
+	require.Nil(t, err)
+
+	pb := suite.G1().Point()
+	err = pb.UnmarshalBinary(ma)
+	require.Nil(t, err)
+
+	mb, err := pb.MarshalBinary()
+	require.Nil(t, err)
+
+	require.Equal(t, ma, mb)
+}
+
+func TestG1Ops(t *testing.T) {
+	suite := NewSuite()
+	a := suite.G1().Point().Pick(random.New())
+	b := suite.G1().Point().Pick(random.New())
+	c := a.Clone()
+	a.Neg(a)
+	a.Neg(a)
+	if !a.Equal(c) {
+		t.Fatal("bn256.G1: neg failed")
+	}
+	a.Add(a, b)
+	a.Sub(a, b)
+	if !a.Equal(c) {
+		t.Fatal("bn256.G1: add sub failed")
+	}
+	a.Add(a, suite.G1().Point().Null())
+	if !a.Equal(c) {
+		t.Fatal("bn256.G1: add with neutral element failed")
+	}
+}
+
+func TestG2(t *testing.T) {
+	suite := NewSuite()
+	k := suite.G2().Scalar().Pick(random.New())
+	require.Equal(t, "mod.int ", fmt.Sprintf("%s", k.(*mod.Int).MarshalID()))
+	pa := suite.G2().Point().Mul(k, nil)
+	require.Equal(t, "bn256.g2", fmt.Sprintf("%s", pa.(*pointG2).MarshalID()))
+	ma, err := pa.MarshalBinary()
+	require.Nil(t, err)
+	pb := new(bn256.G2).ScalarBaseMult(&k.(*mod.Int).V)
+	mb := pb.Marshal()
+	require.Equal(t, ma, mb)
+}
+
+func TestG2Marshal(t *testing.T) {
+	suite := NewSuite()
+	k := suite.G2().Scalar().Pick(random.New())
+	pa := suite.G2().Point().Mul(k, nil)
+	ma, err := pa.MarshalBinary()
+	require.Nil(t, err)
+	pb := suite.G2().Point()
+	err = pb.UnmarshalBinary(ma)
+	require.Nil(t, err)
+	mb, err := pb.MarshalBinary()
+	require.Nil(t, err)
+	require.Equal(t, ma, mb)
+}
+
+func TestG2MarshalZero(t *testing.T) {
+	suite := NewSuite()
+	pa := suite.G2().Point()
+	ma, err := pa.MarshalBinary()
+	require.Nil(t, err)
+	pb := suite.G2().Point()
+	err = pb.UnmarshalBinary(ma)
+	require.Nil(t, err)
+	mb, err := pb.MarshalBinary()
+	require.Nil(t, err)
+	require.Equal(t, ma, mb)
+}
+
+func TestG2Ops(t *testing.T) {
+	suite := NewSuite()
+	a := suite.G2().Point().Pick(random.New())
+	b := suite.G2().Point().Pick(random.New())
+	c := a.Clone()
+	a.Neg(a)
+	a.Neg(a)
+	if !a.Equal(c) {
+		t.Fatal("bn256.G2: neg failed")
+	}
+	a.Add(a, b)
+	a.Sub(a, b)
+	if !a.Equal(c) {
+		t.Fatal("bn256.G2: add sub failed")
+	}
+	a.Add(a, suite.G2().Point().Null())
+	if !a.Equal(c) {
+		t.Fatal("bn256.G2: add with neutral element failed")
+	}
+}
+
+func TestGT(t *testing.T) {
+	suite := NewSuite()
+	k := suite.GT().Scalar().Pick(random.New())
+	pa := suite.GT().Point().Mul(k, nil)
+	ma, err := pa.MarshalBinary()
+	require.Nil(t, err)
+	mx, err := suite.GT().Point().Base().MarshalBinary()
+	require.Nil(t, err)
+	pb, ok := new(bn256.GT).Unmarshal(mx)
+	if !ok {
+		t.Fatal("unmarshal not ok")
+	}
+	pb.ScalarMult(pb, &k.(*mod.Int).V)
+	mb := pb.Marshal()
+	require.Equal(t, ma, mb)
+}
+
+func TestGTMarshal(t *testing.T) {
+	suite := NewSuite()
+	k := suite.GT().Scalar().Pick(random.New())
+	pa := suite.GT().Point().Mul(k, nil)
+	ma, err := pa.MarshalBinary()
+	require.Nil(t, err)
+	pb := suite.GT().Point()
+	err = pb.UnmarshalBinary(ma)
+	require.Nil(t, err)
+	mb, err := pb.MarshalBinary()
+	require.Nil(t, err)
+	require.Equal(t, ma, mb)
+}
+
+func TestGTOps(t *testing.T) {
+	suite := NewSuite()
+	a := suite.GT().Point().Pick(random.New())
+	b := suite.GT().Point().Pick(random.New())
+	c := a.Clone()
+	a.Neg(a)
+	a.Neg(a)
+	if !a.Equal(c) {
+		t.Fatal("bn256.GT: neg failed")
+	}
+	a.Add(a, b)
+	a.Sub(a, b)
+	if !a.Equal(c) {
+		t.Fatal("bn256.GT: add sub failed")
+	}
+	a.Add(a, suite.GT().Point().Null())
+	if !a.Equal(c) {
+		t.Fatal("bn256.GT: add with neutral element failed")
+	}
+}
+
+func TestBilinearity(t *testing.T) {
+	suite := NewSuite()
+	a := suite.G1().Scalar().Pick(random.New())
+	pa := suite.G1().Point().Mul(a, nil)
+	b := suite.G2().Scalar().Pick(random.New())
+	pb := suite.G2().Point().Mul(b, nil)
+	pc := suite.Pair(pa, pb)
+	pd := suite.Pair(suite.G1().Point().Base(), suite.G2().Point().Base())
+	pd = suite.GT().Point().Mul(a, pd)
+	pd = suite.GT().Point().Mul(b, pd)
+	require.Equal(t, pc, pd)
+}
+
+func TestTripartiteDiffieHellman(t *testing.T) {
+	suite := NewSuite()
+	a := suite.G1().Scalar().Pick(random.New())
+	b := suite.G1().Scalar().Pick(random.New())
+	c := suite.G1().Scalar().Pick(random.New())
+	pa, pb, pc := suite.G1().Point().Mul(a, nil), suite.G1().Point().Mul(b, nil), suite.G1().Point().Mul(c, nil)
+	qa, qb, qc := suite.G2().Point().Mul(a, nil), suite.G2().Point().Mul(b, nil), suite.G2().Point().Mul(c, nil)
+	k1 := suite.Pair(pb, qc)
+	k1 = suite.GT().Point().Mul(a, k1)
+	k2 := suite.Pair(pc, qa)
+	k2 = suite.GT().Point().Mul(b, k2)
+	k3 := suite.Pair(pa, qb)
+	k3 = suite.GT().Point().Mul(c, k3)
+	require.Equal(t, k1, k2)
+	require.Equal(t, k2, k3)
+}
+
+func TestCombined(t *testing.T) {
+	// Making sure we can do some basic arithmetic with the suites without having
+	// to extract the suite using .G1(), .G2(), .GT()
+	basicPointTest(t, NewSuiteG1())
+	basicPointTest(t, NewSuiteG2())
+	basicPointTest(t, NewSuiteGT())
+}
+
+func basicPointTest(t *testing.T, s *Suite) {
+	a := s.Scalar().Pick(random.New())
+	pa := s.Point().Mul(a, nil)
+
+	b := s.Scalar().Add(a, s.Scalar().One())
+	pb1 := s.Point().Mul(b, nil)
+	pb2 := s.Point().Add(pa, s.Point().Base())
+	require.True(t, pb1.Equal(pb2))
+
+	aBuf, err := a.MarshalBinary()
+	require.Nil(t, err)
+	aCopy := s.Scalar()
+	err = aCopy.UnmarshalBinary(aBuf)
+	require.Nil(t, err)
+	require.True(t, a.Equal(aCopy))
+
+	paBuf, err := pa.MarshalBinary()
+	require.Nil(t, err)
+	paCopy := s.Point()
+	err = paCopy.UnmarshalBinary(paBuf)
+	require.Nil(t, err)
+	require.True(t, pa.Equal(paCopy))
+}
+
+// Test that the suite.Read works correctly for suites with a defined `Point()`.
+func TestSuiteRead(t *testing.T) {
+	s := NewSuite()
+	tsr(t, NewSuiteG1(), s.G1().Point().Base())
+	tsr(t, NewSuiteG2(), s.G2().Point().Base())
+	tsr(t, NewSuiteGT(), s.GT().Point().Base())
+}
+
+// Test that the suite.Read fails for undefined `Point()`
+func TestSuiteReadFail(t *testing.T) {
+	defer func() {
+		require.NotNil(t, recover())
+	}()
+	s := NewSuite()
+	tsr(t, s, s.G1().Point().Base())
+}
+
+func tsr(t *testing.T, s *Suite, pOrig kyber.Point) {
+	var pBuf bytes.Buffer
+	err := s.Write(&pBuf, pOrig)
+	require.Nil(t, err)
+
+	var pCopy kyber.Point
+	err = s.Read(&pBuf, &pCopy)
+	require.Nil(t, err)
+	require.True(t, pCopy.Equal(pOrig))
+}
+
+type tsrPoint struct {
+	P kyber.Point
+}
+
+func TestSuiteProtobuf(t *testing.T) {
+	//bn := suites.MustFind("bn256.adapter")
+	bn1 := NewSuiteG1()
+	bn2 := NewSuiteG2()
+	bnT := NewSuiteGT()
+
+	protobuf.RegisterInterface(func() interface{} { return bn1.Point() })
+	protobuf.RegisterInterface(func() interface{} { return bn1.Scalar() })
+	protobuf.RegisterInterface(func() interface{} { return bn2.Point() })
+	protobuf.RegisterInterface(func() interface{} { return bn2.Scalar() })
+	protobuf.RegisterInterface(func() interface{} { return bnT.Point() })
+	protobuf.RegisterInterface(func() interface{} { return bnT.Scalar() })
+
+	testTsr(t, NewSuiteG1())
+	testTsr(t, NewSuiteG2())
+	testTsr(t, NewSuiteGT())
+}
+
+func testTsr(t *testing.T, s *Suite) {
+	p := s.Point().Base()
+	tp := tsrPoint{P: p}
+	tpBuf, err := protobuf.Encode(&tp)
+	require.NoError(t, err)
+
+	tpCopy := tsrPoint{}
+	err = protobuf.Decode(tpBuf, &tpCopy)
+	require.NoError(t, err)
+	require.True(t, tpCopy.P.Equal(tp.P))
+}
diff --git a/kyber/pairing/bn256/twist.go b/kyber/pairing/bn256/twist.go
new file mode 100644
index 0000000000..be6a0ab683
--- /dev/null
+++ b/kyber/pairing/bn256/twist.go
@@ -0,0 +1,212 @@
+package bn256
+
+import (
+	"math/big"
+)
+
+// twistPoint implements the elliptic curve y²=x³+3/ξ over GF(p²). Points are
+// kept in Jacobian form and t=z² when valid. The group G₂ is the set of
+// n-torsion points of this curve over GF(p²) (where n = Order)
+type twistPoint struct {
+	x, y, z, t gfP2
+}
+
+var twistB = &gfP2{
+	gfP{0x75046774386b8d71, 0x5bd0854a46d36cf8, 0x664327a1d41c8414, 0x96c9abb932eeb2f},
+	gfP{0xb94f760fb4c5ee14, 0xdae9f8f24c3b6eb4, 0x77a675d2e52f4fe4, 0x736f31b09116c66b},
+}
+
+// twistGen is the generator of group G₂.
+var twistGen = &twistPoint{
+	gfP2{
+		gfP{0x402c4ab7139e1404, 0xce1c368a183d85a4, 0xd67cf9a6cb8d3983, 0x3cf246bbc2a9fbe8},
+		gfP{0x88f9f11da7cdc184, 0x18293f95d69509d3, 0xb5ce0c55a735d5a1, 0x15134189bfd45a0},
+	},
+	gfP2{
+		gfP{0xbfac7d731e9e87a2, 0xa50bb8007962e441, 0xafe910a4e8270556, 0x5075c5429d69159a},
+		gfP{0xc2e07c1463ea9e56, 0xee4442052072ebd2, 0x561a519486036937, 0x5bd9394cc0d2cce},
+	},
+	gfP2{*newGFp(0), *newGFp(1)},
+	gfP2{*newGFp(0), *newGFp(1)},
+}
+
+func (c *twistPoint) String() string {
+	cpy := c.Clone()
+	cpy.MakeAffine()
+	x, y := gfP2Decode(&cpy.x), gfP2Decode(&cpy.y)
+	return "(" + x.String() + ", " + y.String() + ")"
+}
+
+func (c *twistPoint) Set(a *twistPoint) {
+	c.x.Set(&a.x)
+	c.y.Set(&a.y)
+	c.z.Set(&a.z)
+	c.t.Set(&a.t)
+}
+
+// IsOnCurve returns true iff c is on the curve.
+func (c *twistPoint) IsOnCurve() bool {
+	c.MakeAffine()
+	if c.IsInfinity() {
+		return true
+	}
+
+	y2, x3 := &gfP2{}, &gfP2{}
+	y2.Square(&c.y)
+	x3.Square(&c.x).Mul(x3, &c.x).Add(x3, twistB)
+
+	return *y2 == *x3
+}
+
+func (c *twistPoint) SetInfinity() {
+	c.x.SetZero()
+	c.y.SetOne()
+	c.z.SetZero()
+	c.t.SetZero()
+}
+
+func (c *twistPoint) IsInfinity() bool {
+	return c.z.IsZero()
+}
+
+func (c *twistPoint) Add(a, b *twistPoint) {
+	// For additional comments, see the same function in curve.go.
+
+	if a.IsInfinity() {
+		c.Set(b)
+		return
+	}
+	if b.IsInfinity() {
+		c.Set(a)
+		return
+	}
+
+	// See http://hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian-0/addition/add-2007-bl.op3
+	z12 := (&gfP2{}).Square(&a.z)
+	z22 := (&gfP2{}).Square(&b.z)
+	u1 := (&gfP2{}).Mul(&a.x, z22)
+	u2 := (&gfP2{}).Mul(&b.x, z12)
+
+	t := (&gfP2{}).Mul(&b.z, z22)
+	s1 := (&gfP2{}).Mul(&a.y, t)
+
+	t.Mul(&a.z, z12)
+	s2 := (&gfP2{}).Mul(&b.y, t)
+
+	h := (&gfP2{}).Sub(u2, u1)
+	xEqual := h.IsZero()
+
+	t.Add(h, h)
+	i := (&gfP2{}).Square(t)
+	j := (&gfP2{}).Mul(h, i)
+
+	t.Sub(s2, s1)
+	yEqual := t.IsZero()
+	if xEqual && yEqual {
+		c.Double(a)
+		return
+	}
+	r := (&gfP2{}).Add(t, t)
+
+	v := (&gfP2{}).Mul(u1, i)
+
+	t4 := (&gfP2{}).Square(r)
+	t.Add(v, v)
+	t6 := (&gfP2{}).Sub(t4, j)
+	c.x.Sub(t6, t)
+
+	t.Sub(v, &c.x) // t7
+	t4.Mul(s1, j)  // t8
+	t6.Add(t4, t4) // t9
+	t4.Mul(r, t)   // t10
+	c.y.Sub(t4, t6)
+
+	t.Add(&a.z, &b.z) // t11
+	t4.Square(t)      // t12
+	t.Sub(t4, z12)    // t13
+	t4.Sub(t, z22)    // t14
+	c.z.Mul(t4, h)
+}
+
+func (c *twistPoint) Double(a *twistPoint) {
+	// See http://hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian-0/doubling/dbl-2009-l.op3
+	A := (&gfP2{}).Square(&a.x)
+	B := (&gfP2{}).Square(&a.y)
+	C := (&gfP2{}).Square(B)
+
+	t := (&gfP2{}).Add(&a.x, B)
+	t2 := (&gfP2{}).Square(t)
+	t.Sub(t2, A)
+	t2.Sub(t, C)
+	d := (&gfP2{}).Add(t2, t2)
+	t.Add(A, A)
+	e := (&gfP2{}).Add(t, A)
+	f := (&gfP2{}).Square(e)
+
+	t.Add(d, d)
+	c.x.Sub(f, t)
+
+	t.Add(C, C)
+	t2.Add(t, t)
+	t.Add(t2, t2)
+	c.y.Sub(d, &c.x)
+	t2.Mul(e, &c.y)
+	c.y.Sub(t2, t)
+
+	t.Mul(&a.y, &a.z)
+	c.z.Add(t, t)
+}
+
+func (c *twistPoint) Mul(a *twistPoint, scalar *big.Int) {
+	sum, t := &twistPoint{}, &twistPoint{}
+
+	for i := scalar.BitLen(); i >= 0; i-- {
+		t.Double(sum)
+		if scalar.Bit(i) != 0 {
+			sum.Add(t, a)
+		} else {
+			sum.Set(t)
+		}
+	}
+
+	c.Set(sum)
+}
+
+func (c *twistPoint) MakeAffine() {
+	if c.z.IsOne() {
+		return
+	} else if c.z.IsZero() {
+		c.x.SetZero()
+		c.y.SetOne()
+		c.t.SetZero()
+		return
+	}
+
+	zInv := (&gfP2{}).Invert(&c.z)
+	t := (&gfP2{}).Mul(&c.y, zInv)
+	zInv2 := (&gfP2{}).Square(zInv)
+	c.y.Mul(t, zInv2)
+	t.Mul(&c.x, zInv2)
+	c.x.Set(t)
+	c.z.SetOne()
+	c.t.SetOne()
+}
+
+func (c *twistPoint) Neg(a *twistPoint) {
+	c.x.Set(&a.x)
+	c.y.Neg(&a.y)
+	c.z.Set(&a.z)
+	c.t.SetZero()
+}
+
+// Clone makes a hard copy of the point
+func (c *twistPoint) Clone() *twistPoint {
+	n := &twistPoint{
+		x: c.x.Clone(),
+		y: c.y.Clone(),
+		z: c.z.Clone(),
+		t: c.t.Clone(),
+	}
+
+	return n
+}
diff --git a/kyber/pairing/pairing.go b/kyber/pairing/pairing.go
new file mode 100644
index 0000000000..d0e70707b3
--- /dev/null
+++ b/kyber/pairing/pairing.go
@@ -0,0 +1,17 @@
+package pairing
+
+import "go.dedis.ch/kyber/v3"
+
+// Suite interface represents a triplet of elliptic curve groups (G₁, G₂
+// and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a
+// generator of the respective group) which is called a pairing.
+type Suite interface {
+	G1() kyber.Group
+	G2() kyber.Group
+	GT() kyber.Group
+	Pair(p1, p2 kyber.Point) kyber.Point
+	kyber.Encoding
+	kyber.HashFactory
+	kyber.XOFFactory
+	kyber.Random
+}
diff --git a/kyber/proof/clique.go b/kyber/proof/clique.go
new file mode 100644
index 0000000000..0fbf1c061e
--- /dev/null
+++ b/kyber/proof/clique.go
@@ -0,0 +1,45 @@
+package proof
+
+// A clique protocol is a kyber.on for a cryptographic protocol
+// in which every participant knows about and interacts directly
+// in lock-step with every other participant in the clique.
+// Clique protocols are suitable for small-scale groups,
+// such as "boards of trustees" chosen from larger groups.
+//
+// The basic clique protocol
+// assumes that nodes are always "live" and never go offline,
+// but we can achieve availability via threshold kyber.
+
+import "go.dedis.ch/kyber/v3"
+
+// Protocol represents the role of a participant in a clique protocol.
+// A participant is represented as a higher-order function taking a StarContext,
+// which invokes the StarContext's methods to send and receive messages,
+// and finally returns once the protocol has concluded for all participants.
+// Returns a slice of success/error indicators, one for each participant.
+//
+type Protocol func(ctx Context) []error
+
+// Context represents a kyber.context for running a clique protocol.
+// A clique protocol is initiated by a leader
+// but incorporates a variable number of followers,
+// all of whom operate in lock-step under the leader's direction.
+// At each step, each follower produces one message;
+// the leader aggregates all the followers' messages for that step
+// and returns the vector of collected messages to each follower.
+// Followers can drop out or be absent at any step, in which case
+// they are seen as contributing an empty message in that step.
+type Context interface {
+
+	// A follower calls Step to provide its message for the next step,
+	// and wait for the leader to collect and distribute all messages.
+	// Returns the list of collected messages, one per participant.
+	// The returned message slice is positionally consistent across steps:
+	// each index consistently represents the same participant every step.
+	// One returned message will be the same slice as the one passed in,
+	// representing the calling participant's own slot.
+	Step(msg []byte) ([][]byte, error)
+
+	// Get a source of private cryptographic randomness.
+	Random() kyber.XOF
+}
diff --git a/kyber/proof/context.go b/kyber/proof/context.go
new file mode 100644
index 0000000000..8b1ad57937
--- /dev/null
+++ b/kyber/proof/context.go
@@ -0,0 +1,56 @@
+package proof
+
+// Prover represents the prover role in an arbitrary Sigma-protocol.
+// A prover is simply a higher-order function that takes a ProverContext,
+// runs the protocol while making calls to the ProverContext methods as needed,
+// and returns nil on success or an error once the protocol run concludes.
+// The resulting proof is embodied in the interactions with the ProverContext,
+// but HashProve() may be used to encode the proof into a non-interactive proof
+// using a hash function via the Fiat-Shamir heuristic.
+type Prover func(ctx ProverContext) error
+
+// Verifier represents the verifier role in an arbitrary Sigma-protocol.
+// A verifier is a higher-order function that takes a VerifierContext,
+// runs the protocol while making calls to VerifierContext methods as needed,
+// and returns nil on success or an error once the protocol run concludes.
+type Verifier func(ctx VerifierContext) error
+
+// ProverContext represents the kyber.environment
+// required by the prover in a Sigma protocol.
+//
+// In a basic 3-step Sigma protocol such as a standard digital signature,
+// the prover first calls Put() one or more times
+// to send commitment information to the verifier,
+// then calls PubRand() to obtain a public random challenge from the verifier,
+// and finally makes further calls to Put() to respond to the challenge.
+//
+// The prover may also call PriRand() at any time
+// to obtain any private randomness needed in the proof.
+// The prover should obtain secret randomness only from this source,
+// so that the prover may be run deterministically if desired.
+//
+// More sophisticated Sigma protocols requiring more than 3 steps,
+// such as the Neff shuffle, may also use this interface;
+// in this case the prover simply calls PubRand() multiple times.
+//
+type ProverContext interface {
+	Put(message interface{}) error        // Send message to verifier
+	PubRand(message ...interface{}) error // Get public randomness
+	PriRand(message ...interface{}) error // Get private randomness
+}
+
+// VerifierContext represents the kyber.environment
+// required by the verifier in a Sigma protocol.
+//
+// The verifier calls Get() to obtain the prover's message data,
+// interspersed with calls to PubRand() to obtain challenge data.
+// Note that the challenge itself comes from the VerifierContext,
+// not from the verifier itself as in the traditional Sigma-protocol model.
+// By separating challenge production from proof verification logic,
+// we obtain the flexibility to use a single Verifier function
+// in both non-interactive proofs (e.g., via HashProve)
+// and in interactive proofs (e.g., via DeniableProver).
+type VerifierContext interface {
+	Get(message interface{}) error        // Receive message from prover
+	PubRand(message ...interface{}) error // Get public randomness
+}
diff --git a/kyber/proof/deniable.go b/kyber/proof/deniable.go
new file mode 100644
index 0000000000..0208a393d8
--- /dev/null
+++ b/kyber/proof/deniable.go
@@ -0,0 +1,297 @@
+package proof
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+// DeniableProver is a Protocol implementing an interactive Sigma-protocol
+// to prove a particular statement to the other participants.
+// Optionally the Protocol participant can also verify
+// the Sigma-protocol proofs of any or all of the other participants.
+// Different participants may produce different proofs of varying sizes,
+// and may even consist of different numbers of steps.
+func DeniableProver(suite Suite, self int, prover Prover,
+	verifiers []Verifier) Protocol {
+
+	return Protocol(func(ctx Context) []error {
+		dp := deniableProver{}
+		return dp.run(suite, self, prover, verifiers, ctx)
+	})
+}
+
+type deniableProver struct {
+	suite Suite   // Agreed-on ciphersuite for protocol
+	self  int     // Our own node number
+	sc    Context // Clique protocol context
+
+	// verifiers for other nodes' proofs
+	dv []*deniableVerifier
+
+	// per-step state
+	key  []byte        // Secret pre-challenge we committed to
+	msg  *bytes.Buffer // Buffer in which to build prover msg
+	msgs [][]byte      // All messages from last proof step
+
+	pubrand kyber.XOF
+	prirand kyber.XOF
+
+	// Error/success indicators for all participants
+	err []error
+}
+
+func (dp *deniableProver) run(suite Suite, self int, prv Prover,
+	vrf []Verifier, sc Context) []error {
+	dp.suite = suite
+	dp.self = self
+	dp.sc = sc
+	dp.prirand = sc.Random()
+
+	nnodes := len(vrf)
+	if self < 0 || self >= nnodes {
+		return []error{errors.New("out-of-range self node")}
+	}
+
+	// Initialize error slice entries to a default error indicator,
+	// so that forgetting to run a verifier won't look like "success"
+	verr := errors.New("prover or verifier not run")
+	dp.err = make([]error, nnodes)
+	for i := range dp.err {
+		if i != self {
+			dp.err[i] = verr
+		}
+	}
+
+	// Launch goroutines to run whichever verifiers the caller requested
+	dp.dv = make([]*deniableVerifier, nnodes)
+	for i := range vrf {
+		if vrf[i] != nil {
+			dv := deniableVerifier{}
+			dv.start(suite, vrf[i])
+			dp.dv[i] = &dv
+		}
+	}
+
+	// Run the prover, which will also drive the verifiers.
+	dp.initStep()
+	if err := (func(ProverContext) error)(prv)(dp); err != nil {
+		dp.err[self] = err
+	}
+
+	// Send the last prover message.
+	// Make sure the verifiers get to run to completion as well
+	for {
+		stragglers, err := dp.proofStep()
+		if err != nil {
+			dp.err[self] = err
+			break
+		}
+		if !stragglers {
+			break
+		}
+		if err = dp.challengeStep(); err != nil {
+			dp.err[self] = err
+			break
+		}
+	}
+
+	return dp.err
+}
+
+// keySize is arbitrary, make it long enough to seed the XOF
+const keySize = 128
+
+// Start the message buffer off in each step with a randomness commitment
+func (dp *deniableProver) initStep() {
+	key := make([]byte, keySize) // secret random key
+	_, _ = dp.prirand.Read(key)
+	dp.key = key
+
+	msg := make([]byte, keySize) // send commitment to it
+	xof := dp.suite.XOF(key)
+	xof.Read(msg)
+	dp.msg = bytes.NewBuffer(msg)
+
+	// The Sigma-Prover will now append its proof content to dp.msg...
+}
+
+func (dp *deniableProver) proofStep() (bool, error) {
+
+	// Send the randomness commit and accumulated message to the leader,
+	// and get all participants' commits, via our star-protocol context.
+	msgs, err := dp.sc.Step(dp.msg.Bytes())
+	if err != nil {
+		return false, err
+	}
+	if !bytes.Equal(msgs[dp.self], dp.msg.Bytes()) {
+		return false, errors.New("own messages were corrupted")
+	}
+	dp.msgs = msgs
+
+	// Distribute this step's prover messages
+	// to the relevant verifiers as well,
+	// waking them up in the process so they can proceed.
+	for i := range dp.dv {
+		dv := dp.dv[i]
+		if dv != nil && i < len(msgs) {
+			dv.inbox <- msgs[i][keySize:] // send to verifier
+		}
+	}
+
+	// Collect the verifiers' responses,
+	// collecting error indicators from verifiers that are done.
+	stragglers := false
+	for i := range dp.dv { // collect verifier responses
+		dv := dp.dv[i]
+		if dv != nil {
+			done := <-dv.done // get verifier response
+			if done {         // verifier is done
+				dp.err[i] = dv.err
+				dp.dv[i] = nil
+			} else { // verifier needs next challenge
+				stragglers = true
+			}
+		}
+	}
+	return stragglers, nil
+}
+
+func (dp *deniableProver) challengeStep() error {
+
+	// Send our challenge randomness to the leader, and collect all.
+	keys, err := dp.sc.Step(dp.key)
+	if err != nil {
+		return err
+	}
+
+	// XOR together all the participants' randomness contributions,
+	// check them against the respective commits,
+	// and ensure ours is included to ensure deniability
+	// (even if all others turn out to be maliciously generated).
+	mix := make([]byte, keySize)
+	for i := range keys {
+		com := dp.msgs[i][:keySize] // node i's randomness commitment
+		key := keys[i]              // node i's committed random key
+		if len(com) < keySize || len(key) < keySize {
+			continue // ignore participants who dropped out
+		}
+		chk := make([]byte, keySize)
+		dp.suite.XOF(key).Read(chk)
+		if !bytes.Equal(com, chk) {
+			return errors.New("wrong key for commit")
+		}
+		for j := 0; j < keySize; j++ { // mix in this key
+			mix[j] ^= key[j]
+		}
+	}
+	if len(keys) <= dp.self || !bytes.Equal(keys[dp.self], dp.key) {
+		return errors.New("our own message was corrupted")
+	}
+
+	// Use the mix to produce the public randomness needed by the prover
+	dp.pubrand = dp.suite.XOF(mix)
+
+	// Distribute the master challenge to any verifiers waiting for it
+	for i := range dp.dv {
+		dv := dp.dv[i]
+		if dv != nil {
+			dv.inbox <- mix // so send it
+		}
+	}
+
+	// Setup for the next proof step
+	dp.initStep()
+	return nil
+}
+
+func (dp *deniableProver) Put(message interface{}) error {
+	// Add onto accumulated prover message
+	return dp.suite.Write(dp.msg, message)
+}
+
+// Prover will call this after Put()ing all commits for a given step,
+// to get the master challenge to be used in its challenge/responses.
+func (dp *deniableProver) PubRand(data ...interface{}) error {
+
+	if _, err := dp.proofStep(); err != nil { // finish proof step
+		return err
+	}
+	if err := dp.challengeStep(); err != nil { // run challenge step
+		return err
+	}
+	return dp.suite.Read(dp.pubrand, data...)
+}
+
+// Get private randomness
+func (dp *deniableProver) PriRand(data ...interface{}) error {
+	if err := dp.suite.Read(dp.prirand, data...); err != nil {
+		return fmt.Errorf("error reading random stream: %v", err.Error())
+	}
+	return nil
+}
+
+// Interactive Sigma-protocol verifier context.
+// Acts as a slave to a deniableProver instance.
+type deniableVerifier struct {
+	suite Suite
+
+	inbox chan []byte   // Channel for receiving proofs and challenges
+	prbuf *bytes.Buffer // Buffer with which to read proof messages
+
+	done chan bool // Channel for sending done status indicators
+	err  error     // When done indicates verify error if non-nil
+
+	pubrand kyber.XOF
+}
+
+func (dv *deniableVerifier) start(suite Suite, vrf Verifier) {
+	dv.suite = suite
+	dv.inbox = make(chan []byte)
+	dv.done = make(chan bool)
+
+	// Launch a concurrent goroutine to run this verifier
+	go func() {
+		// Await the prover's first message
+		dv.getProof()
+
+		// Run the verifier, providing dv as its context
+		dv.err = (func(VerifierContext) error)(vrf)(dv)
+
+		// Signal verifier termination
+		dv.done <- true
+	}()
+}
+
+func (dv *deniableVerifier) getProof() {
+	// Get the next message from the prover
+	prbuf := <-dv.inbox
+	dv.prbuf = bytes.NewBuffer(prbuf)
+}
+
+// Read structured data from the proof
+func (dv *deniableVerifier) Get(message interface{}) error {
+	return dv.suite.Read(dv.prbuf, message)
+}
+
+// Get the next public random challenge.
+func (dv *deniableVerifier) PubRand(data ...interface{}) error {
+
+	// Signal that we need the next challenge
+	dv.done <- false
+
+	// Wait for it
+	chal := <-dv.inbox
+
+	// Produce the appropriate publicly random stream
+	dv.pubrand = dv.suite.XOF(chal)
+	if err := dv.suite.Read(dv.pubrand, data...); err != nil {
+		return err
+	}
+
+	// Get the next proof message
+	dv.getProof()
+	return nil
+}
diff --git a/kyber/proof/deniable_test.go b/kyber/proof/deniable_test.go
new file mode 100644
index 0000000000..d654baef92
--- /dev/null
+++ b/kyber/proof/deniable_test.go
@@ -0,0 +1,123 @@
+package proof
+
+import (
+	"bytes"
+	"fmt"
+	"testing"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+var testSuite = edwards25519.NewBlakeSHA256Ed25519()
+
+type node struct {
+	i    int
+	done bool
+
+	x kyber.Scalar
+	X kyber.Point
+
+	proto  Protocol
+	outbox chan []byte
+	inbox  chan [][]byte
+
+	log *bytes.Buffer
+}
+
+func (n *node) Step(msg []byte) ([][]byte, error) {
+
+	n.outbox <- msg
+	msgs := <-n.inbox
+	return msgs, nil
+}
+
+func (n *node) Random() kyber.XOF {
+	return testSuite.XOF([]byte("test seed"))
+}
+
+func runNode(n *node) {
+	errs := (func(Context) []error)(n.proto)(n)
+
+	fmt.Fprintf(n.log, "node %d finished\n", n.i)
+	for i := range errs {
+		if errs[i] == nil {
+			fmt.Fprintf(n.log, "- %d: SUCCESS\n", i)
+		} else {
+			fmt.Fprintf(n.log, "- %d: %s\n", i, errs[i])
+		}
+	}
+
+	n.done = true
+	n.outbox <- nil
+}
+
+func TestDeniable(t *testing.T) {
+	nnodes := 5
+
+	suite := testSuite
+	rand := random.New()
+	B := suite.Point().Base()
+
+	// Make some keypairs
+	nodes := make([]*node, nnodes)
+	for i := 0; i < nnodes; i++ {
+		n := &node{}
+		nodes[i] = n
+		n.i = i
+		n.x = suite.Scalar().Pick(rand)
+		n.X = suite.Point().Mul(n.x, nil)
+		n.log = &bytes.Buffer{}
+	}
+
+	// Make some provers and verifiers
+	for i := 0; i < nnodes; i++ {
+		n := nodes[i]
+		pred := Rep("X", "x", "B")
+		sval := map[string]kyber.Scalar{"x": n.x}
+		pval := map[string]kyber.Point{"B": B, "X": n.X}
+		prover := pred.Prover(suite, sval, pval, nil)
+
+		vi := (i + 2) % nnodes // which node's proof to verify
+		vrfs := make([]Verifier, nnodes)
+		vpred := Rep("X", "x", "B")
+		vpval := map[string]kyber.Point{"B": B, "X": nodes[vi].X}
+		vrfs[vi] = vpred.Verifier(suite, vpval)
+
+		n.proto = DeniableProver(suite, i, prover, vrfs)
+		n.outbox = make(chan []byte)
+		n.inbox = make(chan [][]byte)
+
+		go runNode(n)
+	}
+
+	for {
+		// Collect messages from all still-active nodes
+		msgs := make([][]byte, nnodes)
+		done := true
+		for i := range nodes {
+			n := nodes[i]
+			if n == nil {
+				continue
+			}
+			done = false
+			msgs[i] = <-n.outbox
+
+			if n.done {
+				t.Log(string(n.log.Bytes()))
+				nodes[i] = nil
+			}
+		}
+		if done {
+			break
+		}
+
+		// Distribute all messages to all still-active nodes
+		for i := range nodes {
+			if nodes[i] != nil {
+				nodes[i].inbox <- msgs
+			}
+		}
+	}
+}
diff --git a/kyber/proof/dleq/dleq.go b/kyber/proof/dleq/dleq.go
new file mode 100644
index 0000000000..e610ccc876
--- /dev/null
+++ b/kyber/proof/dleq/dleq.go
@@ -0,0 +1,134 @@
+// Package dleq provides functionality to create and verify non-interactive
+// zero-knowledge (NIZK) proofs for the equality (EQ) of discrete logarithms (DL).
+// This means, for two values xG and xH one can check that
+//   log_{G}(xG) == log_{H}(xH)
+// without revealing the secret value x.
+package dleq
+
+import (
+	"errors"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+// Suite wraps the functionalities needed by the dleq package.
+type Suite interface {
+	kyber.Group
+	kyber.HashFactory
+	kyber.XOFFactory
+	kyber.Random
+}
+
+var errorDifferentLengths = errors.New("inputs of different lengths")
+var errorInvalidProof = errors.New("invalid proof")
+
+// Proof represents a NIZK dlog-equality proof.
+type Proof struct {
+	C  kyber.Scalar // challenge
+	R  kyber.Scalar // response
+	VG kyber.Point  // public commitment with respect to base point G
+	VH kyber.Point  // public commitment with respect to base point H
+}
+
+// NewDLEQProof computes a new NIZK dlog-equality proof for the scalar x with
+// respect to base points G and H. It therefore randomly selects a commitment v
+// and then computes the challenge c = H(xG,xH,vG,vH) and response r = v - cx.
+// Besides the proof, this function also returns the encrypted base points xG
+// and xH.
+func NewDLEQProof(suite Suite, G kyber.Point, H kyber.Point, x kyber.Scalar) (proof *Proof, xG kyber.Point, xH kyber.Point, err error) {
+	// Encrypt base points with secret
+	xG = suite.Point().Mul(x, G)
+	xH = suite.Point().Mul(x, H)
+
+	// Commitment
+	v := suite.Scalar().Pick(suite.RandomStream())
+	vG := suite.Point().Mul(v, G)
+	vH := suite.Point().Mul(v, H)
+
+	// Challenge
+	h := suite.Hash()
+	xG.MarshalTo(h)
+	xH.MarshalTo(h)
+	vG.MarshalTo(h)
+	vH.MarshalTo(h)
+	cb := h.Sum(nil)
+	c := suite.Scalar().Pick(suite.XOF(cb))
+
+	// Response
+	r := suite.Scalar()
+	r.Mul(x, c).Sub(v, r)
+
+	return &Proof{c, r, vG, vH}, xG, xH, nil
+}
+
+// NewDLEQProofBatch computes lists of NIZK dlog-equality proofs and of
+// encrypted base points xG and xH. Note that the challenge is computed over all
+// input values.
+func NewDLEQProofBatch(suite Suite, G []kyber.Point, H []kyber.Point, secrets []kyber.Scalar) (proof []*Proof, xG []kyber.Point, xH []kyber.Point, err error) {
+	if len(G) != len(H) || len(H) != len(secrets) {
+		return nil, nil, nil, errorDifferentLengths
+	}
+
+	n := len(secrets)
+	proofs := make([]*Proof, n)
+	v := make([]kyber.Scalar, n)
+	xG = make([]kyber.Point, n)
+	xH = make([]kyber.Point, n)
+	vG := make([]kyber.Point, n)
+	vH := make([]kyber.Point, n)
+
+	for i, x := range secrets {
+		// Encrypt base points with secrets
+		xG[i] = suite.Point().Mul(x, G[i])
+		xH[i] = suite.Point().Mul(x, H[i])
+
+		// Commitments
+		v[i] = suite.Scalar().Pick(suite.RandomStream())
+		vG[i] = suite.Point().Mul(v[i], G[i])
+		vH[i] = suite.Point().Mul(v[i], H[i])
+	}
+
+	// Collective challenge
+	h := suite.Hash()
+	for _, x := range xG {
+		x.MarshalTo(h)
+	}
+	for _, x := range xH {
+		x.MarshalTo(h)
+	}
+	for _, x := range vG {
+		x.MarshalTo(h)
+	}
+	for _, x := range vH {
+		x.MarshalTo(h)
+	}
+	cb := h.Sum(nil)
+
+	c := suite.Scalar().Pick(suite.XOF(cb))
+
+	// Responses
+	for i, x := range secrets {
+		r := suite.Scalar()
+		r.Mul(x, c).Sub(v[i], r)
+		proofs[i] = &Proof{c, r, vG[i], vH[i]}
+	}
+
+	return proofs, xG, xH, nil
+}
+
+// Verify examines the validity of the NIZK dlog-equality proof.
+// The proof is valid if the following two conditions hold:
+//   vG == rG + c(xG)
+//   vH == rH + c(xH)
+func (p *Proof) Verify(suite Suite, G kyber.Point, H kyber.Point, xG kyber.Point, xH kyber.Point) error {
+	rG := suite.Point().Mul(p.R, G)
+	rH := suite.Point().Mul(p.R, H)
+	cxG := suite.Point().Mul(p.C, xG)
+	cxH := suite.Point().Mul(p.C, xH)
+	a := suite.Point().Add(rG, cxG)
+	b := suite.Point().Add(rH, cxH)
+	if !(p.VG.Equal(a) && p.VH.Equal(b)) {
+		return errorInvalidProof
+	}
+	return nil
+}
diff --git a/kyber/proof/dleq/dleq_test.go b/kyber/proof/dleq/dleq_test.go
new file mode 100644
index 0000000000..e6683aa37b
--- /dev/null
+++ b/kyber/proof/dleq/dleq_test.go
@@ -0,0 +1,61 @@
+package dleq
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+var rng = random.New()
+
+func TestDLEQProof(t *testing.T) {
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	for i := 0; i < n; i++ {
+		// Create some random secrets and base points
+		x := suite.Scalar().Pick(rng)
+		g := suite.Point().Pick(rng)
+		h := suite.Point().Pick(rng)
+		proof, xG, xH, err := NewDLEQProof(suite, g, h, x)
+		require.Equal(t, err, nil)
+		require.Nil(t, proof.Verify(suite, g, h, xG, xH))
+	}
+}
+
+func TestDLEQProofBatch(t *testing.T) {
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	x := make([]kyber.Scalar, n)
+	g := make([]kyber.Point, n)
+	h := make([]kyber.Point, n)
+	for i := range x {
+		x[i] = suite.Scalar().Pick(rng)
+		g[i] = suite.Point().Pick(rng)
+		h[i] = suite.Point().Pick(rng)
+	}
+	proofs, xG, xH, err := NewDLEQProofBatch(suite, g, h, x)
+	require.Equal(t, err, nil)
+	for i := range proofs {
+		require.Nil(t, proofs[i].Verify(suite, g[i], h[i], xG[i], xH[i]))
+	}
+}
+
+func TestDLEQLengths(t *testing.T) {
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	x := make([]kyber.Scalar, n)
+	g := make([]kyber.Point, n)
+	h := make([]kyber.Point, n)
+	for i := range x {
+		x[i] = suite.Scalar().Pick(rng)
+		g[i] = suite.Point().Pick(rng)
+		h[i] = suite.Point().Pick(rng)
+	}
+	// Remove an element to make the test fail
+	x = append(x[:5], x[6:]...)
+	_, _, _, err := NewDLEQProofBatch(suite, g, h, x)
+	require.Equal(t, err, errorDifferentLengths)
+}
diff --git a/kyber/proof/hash.go b/kyber/proof/hash.go
new file mode 100644
index 0000000000..8f1aa508ef
--- /dev/null
+++ b/kyber/proof/hash.go
@@ -0,0 +1,154 @@
+package proof
+
+import (
+	"bytes"
+	"crypto/cipher"
+	"fmt"
+	"io"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+// Hash-based noninteractive Sigma-protocol prover context
+type hashProver struct {
+	suite   Suite
+	proof   bytes.Buffer
+	msg     bytes.Buffer
+	pubrand kyber.XOF
+	prirand io.Reader
+}
+
+// cipherStreamReader adds a Read method onto a cipher.Stream,
+// so that it can be used as an io.Reader.
+type cipherStreamReader struct {
+	cipher.Stream
+}
+
+func (s *cipherStreamReader) Read(in []byte) (int, error) {
+	x := make([]byte, len(in))
+	s.XORKeyStream(x, x)
+	copy(in, x)
+	return len(in), nil
+}
+
+func newHashProver(suite Suite, protoName string) *hashProver {
+	var sc hashProver
+	sc.suite = suite
+	sc.pubrand = suite.XOF([]byte(protoName))
+	sc.prirand = &cipherStreamReader{suite.RandomStream()}
+	return &sc
+}
+
+func (c *hashProver) Put(message interface{}) error {
+	return c.suite.Write(&c.msg, message)
+}
+
+func (c *hashProver) consumeMsg() {
+	if c.msg.Len() > 0 {
+
+		// Stir the message into the public randomness pool
+		buf := c.msg.Bytes()
+		c.pubrand.Reseed()
+		c.pubrand.Write(buf)
+
+		// Append the current message data to the proof
+		c.proof.Write(buf)
+		c.msg.Reset()
+	}
+}
+
+// Get public randomness that depends on every bit in the proof so far.
+func (c *hashProver) PubRand(data ...interface{}) error {
+	c.consumeMsg()
+	return c.suite.Read(c.pubrand, data...)
+}
+
+// Get private randomness
+func (c *hashProver) PriRand(data ...interface{}) error {
+	if err := c.suite.Read(c.prirand, data...); err != nil {
+		return fmt.Errorf("error reading random stream: %v", err.Error())
+	}
+	return nil
+}
+
+// Obtain the encoded proof once the Sigma protocol is complete.
+func (c *hashProver) Proof() []byte {
+	c.consumeMsg()
+	return c.proof.Bytes()
+}
+
+// Noninteractive Sigma-protocol verifier context
+type hashVerifier struct {
+	suite   Suite
+	proof   bytes.Buffer // Buffer with which to read the proof
+	prbuf   []byte       // Byte-slice underlying proof buffer
+	pubrand kyber.XOF
+}
+
+func newHashVerifier(suite Suite, protoName string,
+	proof []byte) (*hashVerifier, error) {
+	var c hashVerifier
+	if _, err := c.proof.Write(proof); err != nil {
+		return nil, err
+	}
+	c.suite = suite
+	c.prbuf = c.proof.Bytes()
+	c.pubrand = suite.XOF([]byte(protoName))
+	return &c, nil
+}
+
+func (c *hashVerifier) consumeMsg() {
+	l := len(c.prbuf) - c.proof.Len() // How many bytes read?
+	if l > 0 {
+		// Stir consumed bytes into the public randomness pool
+		buf := c.prbuf[:l]
+		c.pubrand.Reseed()
+		c.pubrand.Write(buf)
+
+		c.prbuf = c.proof.Bytes() // Reset to remaining bytes
+	}
+}
+
+// Read structured data from the proof
+func (c *hashVerifier) Get(message interface{}) error {
+	return c.suite.Read(&c.proof, message)
+}
+
+// Get public randomness that depends on every bit in the proof so far.
+func (c *hashVerifier) PubRand(data ...interface{}) error {
+	c.consumeMsg() // Stir in newly-read data
+	return c.suite.Read(c.pubrand, data...)
+}
+
+// HashProve runs a given Sigma-protocol prover with a ProverContext
+// that produces a non-interactive proof via the Fiat-Shamir heuristic.
+// Returns a byte-slice containing the noninteractive proof on success,
+// or an error in the case of failure.
+//
+// The optional protocolName is fed into the hash function used in the proof,
+// so that a proof generated for a particular protocolName
+// will verify successfully only if the verifier uses the same protocolName.
+//
+// The caller must provide a source of random entropy for the proof;
+// this can be random.New() to use fresh random bits, or a
+// pseudorandom stream based on a secret seed to create
+// deterministically reproducible proofs.
+func HashProve(suite Suite, protocolName string, prover Prover) ([]byte, error) {
+	ctx := newHashProver(suite, protocolName)
+	if e := (func(ProverContext) error)(prover)(ctx); e != nil {
+		return nil, e
+	}
+	return ctx.Proof(), nil
+}
+
+// HashVerify computes a hash-based noninteractive proof generated with HashProve.
+// The suite and protocolName must be the same as those given to HashProve.
+// Returns nil if the proof checks out, or an error on any failure.
+func HashVerify(suite Suite, protocolName string,
+	verifier Verifier, proof []byte) error {
+	ctx, err := newHashVerifier(suite, protocolName, proof)
+	if err != nil {
+		return err
+	}
+	return (func(VerifierContext) error)(verifier)(ctx)
+}
diff --git a/kyber/proof/hash_test.go b/kyber/proof/hash_test.go
new file mode 100644
index 0000000000..4fb355ffbb
--- /dev/null
+++ b/kyber/proof/hash_test.go
@@ -0,0 +1,167 @@
+package proof
+
+import (
+	"encoding/hex"
+	"fmt"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/xof/blake2xb"
+)
+
+// This example shows how to build classic ElGamal-style digital signatures
+// using the Camenisch/Stadler proof framework and HashProver.
+func Example_hashProve1() {
+
+	// Crypto setup
+	rand := blake2xb.New([]byte("example"))
+	suite := edwards25519.NewBlakeSHA256Ed25519WithRand(rand)
+	B := suite.Point().Base() // standard base point
+
+	// Create a public/private keypair (X,x)
+	x := suite.Scalar().Pick(suite.RandomStream()) // create a private key x
+	X := suite.Point().Mul(x, nil)                 // corresponding public key X
+
+	// Generate a proof that we know the discrete logarithm of X.
+	M := "Hello World!" // message we want to sign
+	rep := Rep("X", "x", "B")
+	sec := map[string]kyber.Scalar{"x": x}
+	pub := map[string]kyber.Point{"B": B, "X": X}
+	prover := rep.Prover(suite, sec, pub, nil)
+	proof, _ := HashProve(suite, M, prover)
+	fmt.Print("Signature:\n" + hex.Dump(proof))
+
+	// Verify the signature against the correct message M.
+	verifier := rep.Verifier(suite, pub)
+	err := HashVerify(suite, M, verifier, proof)
+	if err != nil {
+		fmt.Println("signature failed to verify: ", err)
+		return
+	}
+	fmt.Println("Signature verified against correct message M.")
+
+	// Now verify the signature against the WRONG message.
+	BAD := "Goodbye World!"
+	verifier = rep.Verifier(suite, pub)
+	err = HashVerify(suite, BAD, verifier, proof)
+	fmt.Println("Signature verify against wrong message: " + err.Error())
+
+	// Output:
+	// Signature:
+	// 00000000  e9 a2 da f4 9d 7c e2 25  35 be 0a 15 78 9c ea ca  |.....|.%5...x...|
+	// 00000010  a7 1e 6e d6 26 c3 40 ed  0d 3d 71 d4 a9 ef 55 3b  |..n.&.@..=q...U;|
+	// 00000020  64 76 55 7b 3c 63 20 d8  4b 29 3a 1c 7f 44 59 ad  |dvU{|
+	// 00000040  e3 bd 92 b2 f8 f5 85 97  c4 dd 39 f7 a0 b6 ef b1  |..........9.....|
+	// 00000050  65 c6 53 80 e4 78 07 52  62 a5 0b a5 f1 0b 33 2b  |e.S..x.Rb.....3+|
+	// 00000060  c8 f5 43 9b 1c bf c2 1a  4a 5b ea b0 e9 18 d1 db  |..C.....J[......|
+	// 00000070  a3 57 eb e0 5b d4 99 0e  af f2 10 d4 29 a9 0e 43  |.W..[.......)..C|
+	// 00000080  fd 20 a1 42 01 ef 68 a0  43 64 70 f4 f9 09 0f 77  |. .B..h.Cdp....w|
+	// 00000090  b3 b0 82 0a 31 8a 66 41  a8 d0 f4 5f 1e da 6e 63  |....1.fA..._..nc|
+	// 000000a0  a0 46 74 75 86 6f 3e 85  52 f0 74 6c 74 3b 00 1b  |.Ftu.o>.R.tlt;..|
+	// 000000b0  b2 4b 93 95 33 1d 9e 6a  96 43 e5 e2 30 46 6e e5  |.K..3..j.C..0Fn.|
+	// 000000c0  2b e0 be 8d 56 55 1a d1  6e 11 21 fc 20 3e 0f 5f  |+...VU..n.!. >._|
+	// 000000d0  4d 97 a9 bf 1a 28 27 6d  3b 71 04 e1 c0 86 96 08  |M....('m;q......|
+	// 000000e0  8d 0e c0 14 e3 eb 8b e9  16 40 29 60 ab bd e6 1a  |.........@)`....|
+	// 000000f0  68 54 5e 29 c8 85 05 bc  4a 27 83 d9 32 cc 74 0f  |hT^)....J'..2.t.|
+	// 00000100  5e 16 30 25 e2 d6 35 2a  d4 3e b5 07 1f d4 0a eb  |^.0%..5*.>......|
+	// 00000110  5d ef 3b 84 35 39 90 0c  3a 02 bb ee c7 9a e7 09  |].;.59..:.......|
+	// 00000120  d1 cc 1e e1 f4 3b 88 52  e5 99 ed 50 d7 66 b5 76  |.....;.R...P.f.v|
+	// 00000130  59 6c c1 66 98 07 e5 73  e7 b8 fe 48 43 a0 74 09  |Yl.f...s...HC.t.|
+	// 00000140  84 9a 7b ec 21 aa ff c7  fc 79 c6 8f f4 23 82 e7  |..{.!....y...#..|
+	// 00000150  d3 71 69 20 d6 94 27 ef  11 0b 4c a5 79 54 1f 09  |.qi ..'...L.yT..|
+	// 00000160  6b ec 50 c2 1f 98 38 ea  a7 02 da ca aa 1b 6b 39  |k.P...8.......k9|
+	// 00000170  70 b8 35 6c fe 03 1f b0  08 42 e0 5d b2 5e 40 04  |p.5l.....B.].^@.|
+	// Linkable Ring Signature verified.
+}
diff --git a/kyber/proof/proof.go b/kyber/proof/proof.go
new file mode 100644
index 0000000000..ec343f45b5
--- /dev/null
+++ b/kyber/proof/proof.go
@@ -0,0 +1,769 @@
+// Package proof implements generic support for Sigma-protocols
+// and discrete logarithm proofs in the Camenisch/Stadler framework.
+// For the cryptographic foundations of this framework see
+// "Proof Systems for General Statements about Discrete Logarithms" at
+// ftp://ftp.inf.ethz.ch/pub/crypto/publications/CamSta97b.pdf.
+package proof
+
+import (
+	"errors"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+// Suite defines the functionalities needed for this package to operate
+// correctly. It provides a general abstraction to easily change the underlying
+// implementations.
+type Suite interface {
+	kyber.Group
+	kyber.HashFactory
+	kyber.Encoding
+	kyber.XOFFactory
+	kyber.Random
+}
+
+/*
+A Predicate is a composable logic expression in a knowledge proof system,
+representing a "knowledge specification set" in Camenisch/Stadler terminology.
+Atomic predicates in this system are statements of the form P=x1*B1+...+xn+Bn,
+indicating the prover knows secrets x1,...,xn that make the statement true,
+where P and B1,...,Bn are public points known to the verifier.
+These atomic Rep (representation) predicates may be combined
+with logical And and Or combinators to form composite statements.
+Predicate objects, once created, are immutable and safe to share
+or reuse for any number of proofs and verifications.
+
+After constructing a Predicate using the Rep, And, and Or functions below,
+the caller invokes Prover() to create a Sigma-protocol prover.
+Prover() requires maps defining the values of both the Scalar variables
+and the public Point variables that the Predicate refers to.
+If the statement contains logical Or operators, the caller must also pass
+a map containing branch choices for each Or predicate
+in the "proof-obligated path" down through the Or predicates.
+See the examples provded for the Or function for more details.
+
+Similarly, the caller may invoke Verifier() to create
+a Sigma-protocol verifier for the predicate.
+The caller must pass a map defining the values
+of the public Point variables that the proof refers to.
+The verifier need not be provided any secrets or branch choices, of course.
+(If the verifier needed those then they wouldn't be secret, would they?)
+
+Currently we require that all Or operators be above all And operators
+in the expression - i.e., Or-of-And combinations are allowed,
+but no And-of-Or predicates.
+We could rewrite expressions into this form as Camenisch/Stadler suggest,
+but that could run a risk of unexpected exponential blowup in the worst case.
+We could avoid this risk by not rewriting the expression tree,
+but instead generating Pedersen commits for variables that need to "cross"
+from one OR-domain to another non-mutually-exclusive one.
+For now we simply require expressions to be in the appropriate form.
+*/
+type Predicate interface {
+
+	// Create a Prover proving the statement this Predicate represents.
+	Prover(suite Suite, secrets map[string]kyber.Scalar,
+		points map[string]kyber.Point, choice map[Predicate]int) Prover
+
+	// Create a Verifier for the statement this Predicate represents.
+	Verifier(suite Suite, points map[string]kyber.Point) Verifier
+
+	// Produce a human-readable string representation of the predicate.
+	String() string
+
+	// precedence-sensitive helper stringifier.
+	precString(prec int) string
+
+	// prover/verifier: enumerate the variables named in a predicate
+	enumVars(prf *proof)
+
+	// prover: recursively produce all commitments
+	commit(prf *proof, w kyber.Scalar, v []kyber.Scalar) error
+
+	// prover: given challenge, recursively produce all responses
+	respond(prf *proof, c kyber.Scalar, r []kyber.Scalar) error
+
+	// verifier: get all the commitments required in this predicate,
+	// and fill the r slice with empty secrets for responses needed.
+	getCommits(prf *proof, r []kyber.Scalar) error
+
+	// verifier: check all commitments against challenges and responses
+	verify(prf *proof, c kyber.Scalar, r []kyber.Scalar) error
+}
+
+// stringification precedence levels
+const (
+	precNone = iota
+	precOr
+	precAnd
+	precAtom
+)
+
+// Internal prover/verifier state
+type proof struct {
+	s Suite
+
+	nsvars     int            // number of Scalar variables
+	npvars     int            // number of Point variables
+	svar, pvar []string       // Scalar and Point variable names
+	sidx, pidx map[string]int // Maps from strings to variable indexes
+
+	pval map[string]kyber.Point // values of public Point variables
+
+	// prover-specific state
+	pc     ProverContext
+	sval   map[string]kyber.Scalar   // values of private Scalar variables
+	choice map[Predicate]int         // OR branch choices set by caller
+	pp     map[Predicate]*proverPred // per-predicate prover state
+
+	// verifier-specific state
+	vc VerifierContext
+	vp map[Predicate]*verifierPred // per-predicate verifier state
+}
+type proverPred struct {
+	w  kyber.Scalar   // secret pre-challenge
+	v  []kyber.Scalar // secret blinding factor for each variable
+	wi []kyber.Scalar // OR predicates: individual sub-challenges
+}
+type verifierPred struct {
+	V kyber.Point    // public commitment produced by verifier
+	r []kyber.Scalar // per-variable responses produced by verifier
+}
+
+////////// Rep predicate //////////
+
+// A term describes a point-multiplication term in a representation expression.
+type term struct {
+	S string // Scalar multiplier for this term
+	B string // Generator for this term
+}
+
+type repPred struct {
+	P string // Public point of which a representation is known
+	T []term // Terms comprising the known representation
+}
+
+// Rep creates a predicate stating that the prover knows
+// a representation of a point P with respect to
+// one or more secrets and base point pairs.
+//
+// In its simplest usage, Rep indicates that the prover knows a secret x
+// that is the (elliptic curve) discrete logarithm of a public point P
+// with respect to a well-known base point B:
+//
+//	Rep(P,x,B)
+//
+// Rep can take any number of (Scalar,Base) variable name pairs, however.
+// A Rep statement of the form Rep(P,x1,B1,...,xn,Bn)
+// indicates that the prover knows secrets x1,...,xn
+// such that point P is the sum x1*B1+...+xn*Bn.
+//
+func Rep(P string, SB ...string) Predicate {
+	if len(SB)&1 != 0 {
+		panic("mismatched Scalar")
+	}
+	t := make([]term, len(SB)/2)
+	for i := range t {
+		t[i].S = SB[i*2]
+		t[i].B = SB[i*2+1]
+	}
+	return &repPred{P, t}
+}
+
+// Return a string representation of this proof-of-representation predicate,
+// mainly for debugging.
+func (rp *repPred) String() string {
+	return rp.precString(precNone)
+}
+
+func (rp *repPred) precString(prec int) string {
+	s := rp.P + "="
+	for i := range rp.T {
+		if i > 0 {
+			s += "+"
+		}
+		t := &rp.T[i]
+		s += t.S
+		s += "*"
+		s += t.B
+	}
+	return s
+}
+
+func (rp *repPred) enumVars(prf *proof) {
+	prf.enumPointVar(rp.P)
+	for i := range rp.T {
+		prf.enumScalarVar(rp.T[i].S)
+		prf.enumPointVar(rp.T[i].B)
+	}
+}
+
+func (rp *repPred) commit(prf *proof, w kyber.Scalar, pv []kyber.Scalar) error {
+
+	// Create per-predicate prover state
+	v := prf.makeScalars(pv)
+	pp := &proverPred{w, v, nil}
+	prf.pp[rp] = pp
+
+	// Compute commit V=wY+v1G1+...+vkGk
+	V := prf.s.Point()
+	if w != nil { // We're on a non-obligated branch
+		V.Mul(w, prf.pval[rp.P])
+	} else { // We're on a proof-obligated branch, so w=0
+		V.Null()
+	}
+	P := prf.s.Point()
+	for i := 0; i < len(rp.T); i++ {
+		t := rp.T[i] // current term
+		s := prf.sidx[t.S]
+
+		// Choose a blinding secret the first time
+		// we encounter each variable
+		if v[s] == nil {
+			v[s] = prf.s.Scalar()
+			prf.pc.PriRand(v[s])
+		}
+		P.Mul(v[s], prf.pval[t.B])
+		V.Add(V, P)
+	}
+
+	// Encode and send the commitment to the verifier
+	return prf.pc.Put(V)
+}
+
+func (rp *repPred) respond(prf *proof, c kyber.Scalar,
+	pr []kyber.Scalar) error {
+	pp := prf.pp[rp]
+
+	// Create a response array for this OR-domain if not done already
+	r := prf.makeScalars(pr)
+
+	for i := range rp.T {
+		t := rp.T[i] // current term
+		s := prf.sidx[t.S]
+
+		// Produce a correct response for each variable
+		// the first time we encounter that variable.
+		if r[s] == nil {
+			if pp.w != nil {
+				// We're on a non-proof-obligated branch:
+				// w was our challenge, v[s] is our response.
+				r[s] = pp.v[s]
+				continue
+			}
+
+			// We're on a proof-obligated branch,
+			// so we need to calculate the correct response
+			// as r = v-cx where x is the secret variable
+			ri := prf.s.Scalar()
+			ri.Mul(c, prf.sval[t.S])
+			ri.Sub(pp.v[s], ri)
+			r[s] = ri
+		}
+	}
+
+	// Send our responses if we created the array (i.e., if pr == nil)
+	return prf.sendResponses(pr, r)
+}
+
+func (rp *repPred) getCommits(prf *proof, pr []kyber.Scalar) error {
+
+	// Create per-predicate verifier state
+	V := prf.s.Point()
+	r := prf.makeScalars(pr)
+	vp := &verifierPred{V, r}
+	prf.vp[rp] = vp
+
+	// Get the commitment for this representation
+	if e := prf.vc.Get(vp.V); e != nil {
+		return e
+	}
+
+	// Fill in the r vector with the responses we'll need.
+	for i := range rp.T {
+		t := rp.T[i] // current term
+		s := prf.sidx[t.S]
+		if r[s] == nil {
+			r[s] = prf.s.Scalar()
+		}
+	}
+	return nil
+}
+
+func (rp *repPred) verify(prf *proof, c kyber.Scalar, pr []kyber.Scalar) error {
+	vp := prf.vp[rp]
+	r := vp.r
+
+	// Get the needed responses if a parent didn't already
+	if e := prf.getResponses(pr, r); e != nil {
+		return e
+	}
+
+	// Recompute commit V=cY+r1G1+...+rkGk
+	V := prf.s.Point()
+	V.Mul(c, prf.pval[rp.P])
+	P := prf.s.Point()
+	for i := 0; i < len(rp.T); i++ {
+		t := rp.T[i] // current term
+		s := prf.sidx[t.S]
+		P.Mul(r[s], prf.pval[t.B])
+		V.Add(V, P)
+	}
+	if !V.Equal(vp.V) {
+		return errors.New("invalid proof: commit mismatch")
+	}
+
+	return nil
+}
+
+func (rp *repPred) Prover(suite Suite, secrets map[string]kyber.Scalar,
+	points map[string]kyber.Point,
+	choice map[Predicate]int) Prover {
+	return proof{}.init(suite, rp).prover(rp, secrets, points, choice)
+}
+
+func (rp *repPred) Verifier(suite Suite,
+	points map[string]kyber.Point) Verifier {
+	return proof{}.init(suite, rp).verifier(rp, points)
+}
+
+////////// And predicate //////////
+
+type andPred []Predicate
+
+// And predicate states that all of the constituent sub-predicates are true.
+// And predicates may contain Rep predicates and/or other And predicates.
+func And(sub ...Predicate) Predicate {
+	and := andPred(sub)
+	return &and
+}
+
+// Return a string representation of this AND predicate, mainly for debugging.
+func (ap *andPred) String() string {
+	return ap.precString(precNone)
+}
+
+func (ap *andPred) precString(prec int) string {
+	sub := []Predicate(*ap)
+	s := sub[0].precString(precAnd)
+	for i := 1; i < len(sub); i++ {
+		s = s + " && " + sub[i].precString(precAnd)
+	}
+	if prec != precNone && prec != precAnd {
+		s = "(" + s + ")"
+	}
+	return s
+}
+
+func (ap *andPred) enumVars(prf *proof) {
+	sub := []Predicate(*ap)
+	for i := range sub {
+		sub[i].enumVars(prf)
+	}
+}
+
+func (ap *andPred) commit(prf *proof, w kyber.Scalar, pv []kyber.Scalar) error {
+	sub := []Predicate(*ap)
+
+	// Create per-predicate prover state
+	v := prf.makeScalars(pv)
+	//pp := proverPred{w,v,nil}
+	//prf.pp[ap] = pp
+
+	// Recursively generate commitments
+	for i := 0; i < len(sub); i++ {
+		if e := sub[i].commit(prf, w, v); e != nil {
+			return e
+		}
+	}
+
+	return nil
+}
+
+func (ap *andPred) respond(prf *proof, c kyber.Scalar, pr []kyber.Scalar) error {
+	sub := []Predicate(*ap)
+	//pp := prf.pp[ap]
+
+	// Recursively compute responses in all sub-predicates
+	r := prf.makeScalars(pr)
+	for i := range sub {
+		if e := sub[i].respond(prf, c, r); e != nil {
+			return e
+		}
+	}
+	return prf.sendResponses(pr, r)
+}
+
+func (ap *andPred) getCommits(prf *proof, pr []kyber.Scalar) error {
+	sub := []Predicate(*ap)
+
+	// Create per-predicate verifier state
+	r := prf.makeScalars(pr)
+	vp := &verifierPred{nil, r}
+	prf.vp[ap] = vp
+
+	for i := range sub {
+		if e := sub[i].getCommits(prf, r); e != nil {
+			return e
+		}
+	}
+	return nil
+}
+
+func (ap *andPred) verify(prf *proof, c kyber.Scalar, pr []kyber.Scalar) error {
+	sub := []Predicate(*ap)
+	vp := prf.vp[ap]
+	r := vp.r
+
+	if e := prf.getResponses(pr, r); e != nil {
+		return e
+	}
+	for i := range sub {
+		if e := sub[i].verify(prf, c, r); e != nil {
+			return e
+		}
+	}
+	return nil
+}
+
+func (ap *andPred) Prover(suite Suite, secrets map[string]kyber.Scalar,
+	points map[string]kyber.Point,
+	choice map[Predicate]int) Prover {
+	return proof{}.init(suite, ap).prover(ap, secrets, points, choice)
+}
+
+func (ap *andPred) Verifier(suite Suite,
+	points map[string]kyber.Point) Verifier {
+	return proof{}.init(suite, ap).verifier(ap, points)
+}
+
+////////// Or predicate //////////
+
+type orPred []Predicate
+
+// Or predicate states that the prover knows
+// at least one of the sub-predicates to be true,
+// but the proof does not reveal any information about which.
+func Or(sub ...Predicate) Predicate {
+	or := orPred(sub)
+	return &or
+}
+
+// Return a string representation of this OR predicate, mainly for debugging.
+func (op *orPred) String() string {
+	return op.precString(precNone)
+}
+
+func (op *orPred) precString(prec int) string {
+	sub := []Predicate(*op)
+	s := sub[0].precString(precOr)
+	for i := 1; i < len(sub); i++ {
+		s = s + " || " + sub[i].precString(precOr)
+	}
+	if prec != precNone && prec != precOr {
+		s = "(" + s + ")"
+	}
+	return s
+}
+
+func (op *orPred) enumVars(prf *proof) {
+	sub := []Predicate(*op)
+	for i := range sub {
+		sub[i].enumVars(prf)
+	}
+}
+
+func (op *orPred) commit(prf *proof, w kyber.Scalar, pv []kyber.Scalar) error {
+	sub := []Predicate(*op)
+	if pv != nil { // only happens within an AND expression
+		return errors.New("can't have OR predicates within AND predicates")
+	}
+
+	// Create per-predicate prover state
+	wi := make([]kyber.Scalar, len(sub))
+	pp := &proverPred{w, nil, wi}
+	prf.pp[op] = pp
+
+	// Choose pre-challenges for our subs.
+	if w == nil {
+		// We're on a proof-obligated branch;
+		// choose random pre-challenges for only non-obligated subs.
+		choice, ok := prf.choice[op]
+		if !ok || choice < 0 || choice >= len(sub) {
+			return errors.New("no choice of proof branch for OR-predicate " +
+				op.String())
+		}
+		for i := 0; i < len(sub); i++ {
+			if i != choice {
+				wi[i] = prf.s.Scalar()
+				prf.pc.PriRand(wi[i])
+			} // else wi[i] == nil for proof-obligated sub
+		}
+	} else {
+		// Since w != nil, we're in a non-obligated branch,
+		// so choose random pre-challenges for all subs
+		// such that they add up to the master pre-challenge w.
+		last := len(sub) - 1 // index of last sub
+		wl := prf.s.Scalar().Set(w)
+		for i := 0; i < last; i++ { // choose all but last
+			wi[i] = prf.s.Scalar()
+			prf.pc.PriRand(wi[i])
+			wl.Sub(wl, wi[i])
+		}
+		wi[last] = wl
+	}
+
+	// Now recursively choose commitments within each sub
+	for i := 0; i < len(sub); i++ {
+		// Fresh variable-blinding secrets for each pre-commitment
+		if e := sub[i].commit(prf, wi[i], nil); e != nil {
+			return e
+		}
+	}
+
+	return nil
+}
+
+func (op *orPred) respond(prf *proof, c kyber.Scalar, pr []kyber.Scalar) error {
+	sub := []Predicate(*op)
+	pp := prf.pp[op]
+	if pr != nil {
+		return errors.New("OR predicates can't be nested in anything else")
+	}
+
+	ci := pp.wi
+	if pp.w == nil {
+		// Calculate the challenge for the proof-obligated subtree
+		cs := prf.s.Scalar().Set(c)
+		choice := prf.choice[op]
+		for i := 0; i < len(sub); i++ {
+			if i != choice {
+				cs.Sub(cs, ci[i])
+			}
+		}
+		ci[choice] = cs
+	}
+
+	// If there's more than one choice, send all our sub-challenges.
+	if len(sub) > 1 {
+		if e := prf.pc.Put(ci); e != nil {
+			return e
+		}
+	}
+
+	// Recursively compute responses in all subtrees
+	for i := range sub {
+		if e := sub[i].respond(prf, ci[i], nil); e != nil {
+			return e
+		}
+	}
+
+	return nil
+}
+
+// Get from the verifier all the commitments needed for this predicate
+func (op *orPred) getCommits(prf *proof, pr []kyber.Scalar) error {
+	sub := []Predicate(*op)
+	for i := range sub {
+		if e := sub[i].getCommits(prf, nil); e != nil {
+			return e
+		}
+	}
+	return nil
+}
+
+func (op *orPred) verify(prf *proof, c kyber.Scalar, pr []kyber.Scalar) error {
+	sub := []Predicate(*op)
+	if pr != nil {
+		return errors.New("OR predicates can't be in anything else")
+	}
+
+	// Get the prover's sub-challenges
+	nsub := len(sub)
+	ci := make([]kyber.Scalar, nsub)
+	if nsub > 1 {
+		if e := prf.vc.Get(ci); e != nil {
+			return e
+		}
+
+		// Make sure they add up to the parent's composite challenge
+		csum := prf.s.Scalar().Zero()
+		for i := 0; i < nsub; i++ {
+			csum.Add(csum, ci[i])
+		}
+		if !csum.Equal(c) {
+			return errors.New("invalid proof: bad sub-challenges")
+		}
+
+	} else { // trivial single-sub OR
+		ci[0] = c
+	}
+
+	// Recursively verify all subs
+	for i := range sub {
+		if e := sub[i].verify(prf, ci[i], nil); e != nil {
+			return e
+		}
+	}
+
+	return nil
+}
+
+func (op *orPred) Prover(suite Suite, secrets map[string]kyber.Scalar,
+	points map[string]kyber.Point,
+	choice map[Predicate]int) Prover {
+	return proof{}.init(suite, op).prover(op, secrets, points, choice)
+}
+
+func (op *orPred) Verifier(suite Suite,
+	points map[string]kyber.Point) Verifier {
+	return proof{}.init(suite, op).verifier(op, points)
+}
+
+/*
+type lin struct {
+	a1,a2,b kyber.Scalar
+	x1,x2 PriVar
+}
+*/
+
+// Construct a predicate asserting a linear relationship a1x1+a2x2=b,
+// where a1,a2,b are public values and x1,x2 are secrets.
+/*
+func (p *Prover) Linear(a1,a2,b kyber.Scalar, x1,x2 PriVar) {
+	return &lin{a1,a2,b,x1,x2}
+}
+*/
+
+func (prf proof) init(suite Suite, pred Predicate) *proof {
+	prf.s = suite
+
+	// Enumerate all the variables in a consistent order.
+	// Reserve variable index 0 for convenience.
+	prf.svar = []string{""}
+	prf.pvar = []string{""}
+	prf.sidx = make(map[string]int)
+	prf.pidx = make(map[string]int)
+	pred.enumVars(&prf)
+	prf.nsvars = len(prf.svar)
+	prf.npvars = len(prf.pvar)
+
+	return &prf
+}
+
+func (prf *proof) enumScalarVar(name string) {
+	if prf.sidx[name] == 0 {
+		prf.sidx[name] = len(prf.svar)
+		prf.svar = append(prf.svar, name)
+	}
+}
+
+func (prf *proof) enumPointVar(name string) {
+	if prf.pidx[name] == 0 {
+		prf.pidx[name] = len(prf.pvar)
+		prf.pvar = append(prf.pvar, name)
+	}
+}
+
+// Make a response-array if that wasn't already done in a parent predicate.
+func (prf *proof) makeScalars(pr []kyber.Scalar) []kyber.Scalar {
+	if pr == nil {
+		return make([]kyber.Scalar, prf.nsvars)
+	}
+	return pr
+}
+
+// Transmit our response-array if a corresponding makeScalars() created it.
+func (prf *proof) sendResponses(pr []kyber.Scalar, r []kyber.Scalar) error {
+	if pr == nil {
+		for i := range r {
+			// Send responses only for variables
+			// that were used in this OR-domain.
+			if r[i] != nil {
+				if e := prf.pc.Put(r[i]); e != nil {
+					return e
+				}
+			}
+		}
+	}
+	return nil
+}
+
+// In the verifier, get the responses at the top of an OR-domain,
+// if a corresponding makeScalars() call created it.
+func (prf *proof) getResponses(pr []kyber.Scalar, r []kyber.Scalar) error {
+	if pr == nil {
+		for i := range r {
+			if r[i] != nil {
+				if e := prf.vc.Get(r[i]); e != nil {
+					return e
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func (prf *proof) prove(p Predicate, sval map[string]kyber.Scalar,
+	pval map[string]kyber.Point,
+	choice map[Predicate]int, pc ProverContext) error {
+	prf.pc = pc
+	prf.sval = sval
+	prf.pval = pval
+	prf.choice = choice
+	prf.pp = make(map[Predicate]*proverPred)
+
+	// Generate all commitments
+	if e := p.commit(prf, nil, nil); e != nil {
+		return e
+	}
+
+	// Generate top-level challenge from public randomness
+	c := prf.s.Scalar()
+	if e := pc.PubRand(c); e != nil {
+		return e
+	}
+
+	// Generate all responses based on master challenge
+	return p.respond(prf, c, nil)
+}
+
+func (prf *proof) verify(p Predicate, pval map[string]kyber.Point,
+	vc VerifierContext) error {
+	prf.vc = vc
+	prf.pval = pval
+	prf.vp = make(map[Predicate]*verifierPred)
+
+	// Get the commitments from the verifier,
+	// and calculate the sets of responses we'll need for each OR-domain.
+	if e := p.getCommits(prf, nil); e != nil {
+		return e
+	}
+
+	// Produce the top-level challenge
+	c := prf.s.Scalar()
+	if e := vc.PubRand(c); e != nil {
+		return e
+	}
+
+	// Check all the responses and sub-challenges against the commitments.
+	return p.verify(prf, c, nil)
+}
+
+// Produce a higher-order Prover embodying a given proof predicate.
+func (prf *proof) prover(p Predicate, sval map[string]kyber.Scalar,
+	pval map[string]kyber.Point,
+	choice map[Predicate]int) Prover {
+
+	return Prover(func(ctx ProverContext) error {
+		return prf.prove(p, sval, pval, choice, ctx)
+	})
+}
+
+// Produce a higher-order Verifier embodying a given proof predicate.
+func (prf *proof) verifier(p Predicate, pval map[string]kyber.Point) Verifier {
+
+	return Verifier(func(ctx VerifierContext) error {
+		return prf.verify(p, pval, ctx)
+	})
+}
diff --git a/kyber/proof/proof_test.go b/kyber/proof/proof_test.go
new file mode 100644
index 0000000000..6ca8d1797d
--- /dev/null
+++ b/kyber/proof/proof_test.go
@@ -0,0 +1,248 @@
+package proof
+
+import (
+	"encoding/hex"
+	"fmt"
+	"testing"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/xof/blake2xb"
+)
+
+func TestRep(t *testing.T) {
+	rand := blake2xb.New([]byte("seed"))
+	suite := edwards25519.NewBlakeSHA256Ed25519WithRand(rand)
+
+	x := suite.Scalar().Pick(rand)
+	y := suite.Scalar().Pick(rand)
+	B := suite.Point().Base()
+	X := suite.Point().Mul(x, nil)
+	Y := suite.Point().Mul(y, X)
+	R := suite.Point().Add(X, Y)
+
+	choice := make(map[Predicate]int)
+
+	// Simple single-secret predicate: prove X=x*B
+	log := Rep("X", "x", "B")
+
+	// Two-secret representation: prove R=x*B+y*X
+	rep := Rep("R", "x", "B", "y", "X")
+
+	// Make an and-predicate
+	and := And(log, rep)
+	andx := And(and)
+
+	// Make up a couple incorrect facts
+	falseLog := Rep("Y", "x", "B")
+	falseRep := Rep("R", "x", "B", "y", "B")
+
+	falseAnd := And(falseLog, falseRep)
+
+	or1 := Or(falseAnd, andx)
+	choice[or1] = 1
+	or1x := Or(or1) // test trivial case
+	choice[or1x] = 0
+
+	or2a := Rep("B", "y", "X")
+	or2b := Rep("R", "x", "R")
+	or2 := Or(or2a, or2b)
+	or2x := Or(or2) // test trivial case
+
+	pred := Or(or1x, or2x)
+	choice[pred] = 0
+
+	sval := map[string]kyber.Scalar{"x": x, "y": y}
+	pval := map[string]kyber.Point{"B": B, "X": X, "Y": Y, "R": R}
+	prover := pred.Prover(suite, sval, pval, choice)
+	proof, err := HashProve(suite, "TEST", prover)
+	if err != nil {
+		t.Fatal("prover: " + err.Error())
+	}
+
+	verifier := pred.Verifier(suite, pval)
+	if err := HashVerify(suite, "TEST", verifier, proof); err != nil {
+		t.Fatal("verify: " + err.Error())
+	}
+}
+
+// This code creates a simple discrete logarithm knowledge proof.
+// In particular, that the prover knows a secret x
+// that is the elliptic curve discrete logarithm of a point X
+// with respect to some base B: i.e., X=x*B.
+// If we take X as a public key and x as its corresponding private key,
+// then this constitutes a "proof of ownership" of the public key X.
+func Example_rep1() {
+	pred := Rep("X", "x", "B")
+	fmt.Println(pred.String())
+	// Output: X=x*B
+}
+
+// This example shows how to generate and verify noninteractive proofs
+// of the statement in the example above, i.e.,
+// a proof of ownership of public key X.
+func Example_rep2() {
+	pred := Rep("X", "x", "B")
+	fmt.Println(pred.String())
+
+	// Crypto setup
+	rand := blake2xb.New([]byte("example"))
+	suite := edwards25519.NewBlakeSHA256Ed25519WithRand(rand)
+	B := suite.Point().Base() // standard base point
+
+	// Create a public/private keypair (X,x)
+	x := suite.Scalar().Pick(rand) // create a private key x
+	X := suite.Point().Mul(x, nil) // corresponding public key X
+
+	// Generate a proof that we know the discrete logarithm of X.
+	sval := map[string]kyber.Scalar{"x": x}
+	pval := map[string]kyber.Point{"B": B, "X": X}
+	prover := pred.Prover(suite, sval, pval, nil)
+	proof, _ := HashProve(suite, "TEST", prover)
+	fmt.Print("Proof:\n" + hex.Dump(proof))
+
+	// Verify this knowledge proof.
+	verifier := pred.Verifier(suite, pval)
+	err := HashVerify(suite, "TEST", verifier, proof)
+	if err != nil {
+		fmt.Println("Proof failed to verify: ", err)
+		return
+	}
+	fmt.Println("Proof verified.")
+
+	// Output:
+	// X=x*B
+	// Proof:
+	// 00000000  e9 a2 da f4 9d 7c e2 25  35 be 0a 15 78 9c ea ca  |.....|.%5...x...|
+	// 00000010  a7 1e 6e d6 26 c3 40 ed  0d 3d 71 d4 a9 ef 55 3b  |..n.&.@..=q...U;|
+	// 00000020  c1 84 20 a6 b7 79 86 9c  f8 dd 09 82 1e 48 a9 00  |.. ..y.......H..|
+	// 00000030  3e f3 68 66 3f a0 58 f9  88 df b4 35 1b 2f 72 0d  |>.hf?.X....5./r.|
+	// Proof verified.
+}
+
+// This code creates a predicate stating that the prover knows a representation
+// of point X with respect to two different bases B1 and B2.
+// This means the prover knows two secrets x1 and x2
+// such that X=x1*B1+x2*B2.
+//
+// Point X might constitute a Pedersen commitment, for example,
+// where x1 is the value being committed to and x2 is a random blinding factor.
+// Assuming the discrete logarithm problem is hard in the relevant group
+// and the logarithmic relationship between bases B1 and B2 is unknown -
+// which we would be true if B1 and B2 are chosen at random, for example -
+// then a prover who has committed to point P
+// will later be unable to "open" the commitment
+// using anything other than secrets x1 and x2.
+// The prover can also prove that one of the secrets (say x1)
+// is equal to a secret used in the representation of some other point,
+// while leaving the other secret (x2) unconstrained.
+//
+// If the prover does know the relationship between B1 and B2, however,
+// then X does not serve as a useful commitment:
+// the prover can trivially compute the x1 corresponding to an arbitrary x2.
+//
+func Example_rep3() {
+	pred := Rep("X", "x1", "B1", "x2", "B2")
+	fmt.Println(pred.String())
+	// Output: X=x1*B1+x2*B2
+}
+
+// This code creates an And predicate indicating that
+// the prover knows two different secrets x and y,
+// such that point X is equal to x*B
+// and point Y is equal to y*B.
+// This predicate might be used to prove knowledge of
+// the private keys corresponding to two public keys X and Y, for example.
+func Example_and1() {
+	pred := And(Rep("X", "x", "B"), Rep("Y", "y", "B"))
+	fmt.Println(pred.String())
+	// Output: X=x*B && Y=y*B
+}
+
+// This code creates an And predicate indicating that
+// the prover knows a single secret value x,
+// such that point X1 is equal to x*B1
+// and point X2 is equal to x*B2.
+// Thus, the prover not only proves knowledge of the discrete logarithm
+// of X1 with respect to B1 and of X2 with respect to B2,
+// but also proves that those two discrete logarithms are equal.
+func Example_and2() {
+	pred := And(Rep("X1", "x", "B1"), Rep("X2", "x", "B2"))
+	fmt.Println(pred.String())
+	// Output: X1=x*B1 && X2=x*B2
+}
+
+// This code creates an Or predicate indicating that
+// the prover either knows a secret x such that X=x*B,
+// or the prover knows a secret y such that Y=y*B.
+// This predicate in essence proves knowledge of the private key
+// for one of two public keys X or Y,
+// without revealing which key the prover owns.
+func Example_or1() {
+	pred := Or(Rep("X", "x", "B"), Rep("Y", "y", "B"))
+	fmt.Println(pred.String())
+	// Output: X=x*B || Y=y*B
+}
+
+// This code shows how to create and verify Or-predicate proofs,
+// such as the one above.
+// In this case, we know a secret x such that X=x*B,
+// but we don't know a secret y such that Y=y*B,
+// because we simply pick Y as a random point
+// instead of generating it by scalar multiplication.
+// (And if the group is cryptographically secure
+// we won't find be able to find such a y.)
+func Example_or2() {
+	// Create an Or predicate.
+	pred := Or(Rep("X", "x", "B"), Rep("Y", "y", "B"))
+	fmt.Println("Predicate: " + pred.String())
+
+	// Crypto setup
+	rand := blake2xb.New([]byte("example"))
+	suite := edwards25519.NewBlakeSHA256Ed25519WithRand(rand)
+	B := suite.Point().Base() // standard base point
+
+	// Create a public/private keypair (X,x) and a random point Y
+	x := suite.Scalar().Pick(rand) // create a private key x
+	X := suite.Point().Mul(x, nil) // corresponding public key X
+	Y := suite.Point().Pick(rand)  // pick a random point Y
+
+	// We'll need to tell the prover which Or clause is actually true.
+	// In this case clause 0, the first sub-predicate, is true:
+	// i.e., we know a secret x such that X=x*B.
+	choice := make(map[Predicate]int)
+	choice[pred] = 0
+
+	// Generate a proof that we know the discrete logarithm of X or Y.
+	sval := map[string]kyber.Scalar{"x": x}
+	pval := map[string]kyber.Point{"B": B, "X": X, "Y": Y}
+	prover := pred.Prover(suite, sval, pval, choice)
+	proof, _ := HashProve(suite, "TEST", prover)
+	fmt.Print("Proof:\n" + hex.Dump(proof))
+
+	// Verify this knowledge proof.
+	// The verifier doesn't need the secret values or choice map, of course.
+	verifier := pred.Verifier(suite, pval)
+	err := HashVerify(suite, "TEST", verifier, proof)
+	if err != nil {
+		fmt.Println("Proof failed to verify: " + err.Error())
+	}
+	fmt.Println("Proof verified.")
+
+	// Output:
+	// Predicate: X=x*B || Y=y*B
+	// Proof:
+	// 00000000  44 bb 0f bb 2b 06 29 a6  73 59 0f c1 5a ca de 36  |D...+.).sY..Z..6|
+	// 00000010  4c c8 15 ed b1 eb 50 d3  d9 d2 9b 31 6c d3 0f 6b  |L.....P....1l..k|
+	// 00000020  a2 a9 bc d2 8c 6d d0 5e  9a 8e d1 8e 04 fb 88 af  |.....m.^........|
+	// 00000030  fb 90 8a 2a 71 ac 34 08  f9 bc 07 78 08 44 40 07  |...*q.4....x.D@.|
+	// 00000040  ab 1f 36 7e 7b db 50 7d  49 38 34 75 69 07 67 4b  |..6~{.P}I84ui.gK|
+	// 00000050  55 cb 28 f2 50 ad d1 4b  24 d2 d1 44 fe 44 b0 0e  |U.(.P..K$..D.D..|
+	// 00000060  00 e8 d3 8b 37 76 4f 47  d1 4a 93 0c cd df 20 08  |....7vOG.J.... .|
+	// 00000070  fc 0f ad f9 01 6c 30 c0  02 d4 fa 1b 1f 1c fa 04  |.....l0.........|
+	// 00000080  6d 2a a7 d8 8e 67 72 87  51 0e 16 72 51 87 99 83  |m*...gr.Q..rQ...|
+	// 00000090  2e c9 4e a1 ca 20 7d 64  33 04 f5 66 9b d3 74 03  |..N.. }d3..f..t.|
+	// 000000a0  2b e0 be 8d 56 55 1a d1  6e 11 21 fc 20 3e 0f 5f  |+...VU..n.!. >._|
+	// 000000b0  4d 97 a9 bf 1a 28 27 6d  3b 71 04 e1 c0 86 96 08  |M....('m;q......|
+	// Proof verified.
+}
diff --git a/kyber/random.go b/kyber/random.go
new file mode 100644
index 0000000000..434d76722f
--- /dev/null
+++ b/kyber/random.go
@@ -0,0 +1,13 @@
+package kyber
+
+import (
+	"crypto/cipher"
+)
+
+// Random is an interface that can be mixed in to local suite definitions.
+type Random interface {
+	// RandomStream returns a cipher.Stream that produces a
+	// cryptographically random key stream. The stream must
+	// tolerate being used in multiple goroutines.
+	RandomStream() cipher.Stream
+}
diff --git a/kyber/share/dkg/pedersen/dkg.go b/kyber/share/dkg/pedersen/dkg.go
new file mode 100644
index 0000000000..756c79a196
--- /dev/null
+++ b/kyber/share/dkg/pedersen/dkg.go
@@ -0,0 +1,715 @@
+// Package dkg implements a general distributed key generation (DKG) framework.
+// This package serves two functionalities: (1) to run a fresh new DKG from
+// scratch and (2) to reshare old shares to a potentially distinct new set of
+// nodes (the "resharing" protocol). The former protocol is described in "A
+// threshold cryptosystem without a trusted party" by Torben Pryds Pedersen.
+// https://dl.acm.org/citation.cfm?id=1754929. The latter protocol is
+// implemented in "Verifiable Secret Redistribution for Threshold Signing
+// Schemes", by T. Wong et
+// al.(https://www.cs.cmu.edu/~wing/publications/Wong-Wing02b.pdf)
+package dkg
+
+import (
+	"errors"
+
+	"go.dedis.ch/kyber/v3"
+
+	"go.dedis.ch/kyber/v3/share"
+	vss "go.dedis.ch/kyber/v3/share/vss/pedersen"
+	"go.dedis.ch/kyber/v3/sign/schnorr"
+)
+
+// Suite wraps the functionalities needed by the dkg package
+type Suite vss.Suite
+
+// Config holds all required information to run a fresh DKG protocol or a
+// resharing protocol. In the case of a new fresh DKG protocol, one must fill
+// the following fields: Suite, Longterm, NewNodes, Threshold (opt). In the case
+// of a resharing protocol, one must fill the following: Suite, Longterm,
+// OldNodes, NewNodes. If the node using this config is creating new shares
+// (i.e. it belongs to the current group), the Share field must be filled in
+// with the current share of the node. If the node using this config is a new
+// addition and thus has no current share, the PublicCoeffs field be must be
+// filled in.
+type Config struct {
+	Suite Suite
+
+	// Longterm is the longterm secret key.
+	Longterm kyber.Scalar
+
+	// Current group of share holders. It will be nil for new DKG. These nodes
+	// will have invalid shares after the protocol has been run. To be able to issue
+	// new shares to a new group, the group member's public key must be inside this
+	// list and in the Share field. Keys can be disjoint or not with respect to the
+	// NewNodes list.
+	OldNodes []kyber.Point
+
+	// PublicCoeffs are the coefficients of the distributed polynomial needed
+	// during the resharing protocol. The first coefficient is the key. It is
+	// required for new share holders.  It should be nil for a new DKG.
+	PublicCoeffs []kyber.Point
+
+	// Expected new group of share holders. These public-key designated nodes
+	// will be in possession of new shares after the protocol has been run. To be a
+	// receiver of a new share, one's public key must be inside this list. Keys
+	// can be disjoint or not with respect to the OldNodes list.
+	NewNodes []kyber.Point
+
+	// Share to refresh. It must be nil for a new node wishing to
+	// join or create a group. To be able to issue new fresh shares to a new group,
+	// one's share must be specified here, along with the public key inside the
+	// OldNodes field.
+	Share *DistKeyShare
+
+	// New threshold to use if set. Default will be returned by `vss.MinimumT()`
+	Threshold int
+}
+
+// NewDKGConfig returns a Config that is made for a fresh new DKG run.
+func NewDKGConfig(suite Suite, longterm kyber.Scalar, participants []kyber.Point) *Config {
+	return &Config{
+		Suite:     suite,
+		Longterm:  longterm,
+		NewNodes:  participants,
+		OldNodes:  participants,
+		Threshold: vss.MinimumT(len(participants)),
+	}
+}
+
+// NewReshareConfig returns a new config to use with DistKeyGenerator to run the
+// re-sharing protocols between the old nodes and the new nodes, i.e. the future
+// share holders. Share must be non-nil for previously enrolled nodes to
+// actively issue new shares. The public coefficients, pcoeffs, are needed in
+// order for participants in newNodes to be able to verify the validity of newly
+// received shares.
+func NewReshareConfig(suite Suite, longterm kyber.Scalar, oldNodes, newNodes []kyber.Point,
+	share *DistKeyShare, pcoeffs []kyber.Point) *Config {
+	return &Config{
+		Suite:        suite,
+		Longterm:     longterm,
+		OldNodes:     oldNodes,
+		NewNodes:     newNodes,
+		Share:        share,
+		PublicCoeffs: pcoeffs,
+		Threshold:    vss.MinimumT(len(newNodes)),
+	}
+}
+
+// DistKeyGenerator is the struct that runs the DKG protocol.
+type DistKeyGenerator struct {
+	// config driving the behavior of DistKeyGenerator
+	c     *Config
+	suite Suite
+
+	long   kyber.Scalar
+	pub    kyber.Point
+	dpub   *share.PubPoly
+	dealer *vss.Dealer
+	// verifiers indexed by dealer index
+	verifiers map[uint32]*vss.Verifier
+	// performs the part of the response verification for old nodes
+	oldAggregators map[uint32]*vss.Aggregator
+
+	// index in the old list of nodes
+	oidx int
+	// index in the new list of nodes
+	nidx int
+	// old threshold used in the previous DKG
+	oldT int
+	// new threshold to use in this round
+	newT int
+	// indicates whether we are in the re-sharing protocol or basic DKG
+	isResharing bool
+	// indicates whether we are able to issue shares or not
+	canIssue bool
+	// Indicates whether we are able to receive a new share or not
+	canReceive bool
+	// indicates whether the node holding the pub key is present in the new list
+	newPresent bool
+	// indicates whether the node is present in the old list
+	oldPresent bool
+}
+
+// NewDistKeyHandler takes a Config and returns a DistKeyGenerator that is able
+// to drive the DKG or resharing protocol.
+func NewDistKeyHandler(c *Config) (*DistKeyGenerator, error) {
+	if c.NewNodes == nil && c.OldNodes == nil {
+		return nil, errors.New("dkg: can't run with empty node list")
+	}
+
+	var isResharing bool
+	if c.Share != nil || c.PublicCoeffs != nil {
+		isResharing = true
+	}
+	// canReceive is true by default since in the default DKG mode everyone
+	// participates
+	var canReceive = true
+	pub := c.Suite.Point().Mul(c.Longterm, nil)
+	oidx, oldPresent := findPub(c.OldNodes, pub)
+	nidx, newPresent := findPub(c.NewNodes, pub)
+	if !oldPresent && !newPresent {
+		return nil, errors.New("dkg: public key not found in old list or new list")
+	}
+
+	var newThreshold int
+	if c.Threshold != 0 {
+		newThreshold = c.Threshold
+	} else {
+		newThreshold = vss.MinimumT(len(c.NewNodes))
+	}
+
+	var dealer *vss.Dealer
+	var err error
+	var canIssue bool
+	if c.Share != nil {
+		// resharing case
+		secretCoeff := c.Share.Share.V
+		dealer, err = vss.NewDealer(c.Suite, c.Longterm, secretCoeff, c.NewNodes, newThreshold)
+		canIssue = true
+	} else if !isResharing && newPresent {
+		// fresh DKG case
+		secretCoeff := c.Suite.Scalar().Pick(c.Suite.RandomStream())
+		dealer, err = vss.NewDealer(c.Suite, c.Longterm, secretCoeff, c.NewNodes, newThreshold)
+		canIssue = true
+		c.OldNodes = c.NewNodes
+		oidx, oldPresent = findPub(c.OldNodes, pub)
+	}
+
+	var dpub *share.PubPoly
+	var oldThreshold int
+	if !newPresent {
+		// if we are not in the new list of nodes, then we definitely can't
+		// receive anything
+		canReceive = false
+	} else if isResharing && newPresent {
+		if c.PublicCoeffs == nil && c.Share == nil {
+			return nil, errors.New("dkg: can't receive new shares without the public polynomial")
+		} else if c.PublicCoeffs != nil {
+			dpub = share.NewPubPoly(c.Suite, c.Suite.Point().Base(), c.PublicCoeffs)
+		} else if c.Share != nil {
+			// take the commits of the share, no need to duplicate information
+			c.PublicCoeffs = c.Share.Commits
+			dpub = share.NewPubPoly(c.Suite, c.Suite.Point().Base(), c.PublicCoeffs)
+		}
+		// oldThreshold is only useful in the context of a new share holder, to
+		// make sure there are enough correct deals from the old nodes.
+		canReceive = true
+		oldThreshold = len(c.PublicCoeffs)
+	}
+
+	return &DistKeyGenerator{
+		dealer:         dealer,
+		verifiers:      make(map[uint32]*vss.Verifier),
+		oldAggregators: make(map[uint32]*vss.Aggregator),
+		suite:          c.Suite,
+		long:           c.Longterm,
+		pub:            pub,
+		canReceive:     canReceive,
+		canIssue:       canIssue,
+		isResharing:    isResharing,
+		dpub:           dpub,
+		oidx:           oidx,
+		nidx:           nidx,
+		c:              c,
+		oldT:           oldThreshold,
+		newT:           newThreshold,
+		newPresent:     newPresent,
+		oldPresent:     oldPresent,
+	}, err
+}
+
+// NewDistKeyGenerator returns a dist key generator ready to create a fresh
+// distributed key with the regular DKG protocol.
+func NewDistKeyGenerator(suite Suite, longterm kyber.Scalar, participants []kyber.Point, t int) (*DistKeyGenerator, error) {
+	c := &Config{
+		Suite:     suite,
+		Longterm:  longterm,
+		NewNodes:  participants,
+		Threshold: t,
+	}
+	return NewDistKeyHandler(c)
+}
+
+// Deals returns all the deals that must be broadcasted to all participants in
+// the new list. The deal corresponding to this DKG is already added to this DKG
+// and is ommitted from the returned map. To know which participant a deal
+// belongs to, loop over the keys as indices in the list of new participants:
+//
+//   for i,dd := range distDeals {
+//      sendTo(participants[i],dd)
+//   }
+//
+// If this method cannot process its own Deal, that indicates a
+// severe problem with the configuration or implementation and
+// results in a panic.
+func (d *DistKeyGenerator) Deals() (map[int]*Deal, error) {
+	if !d.canIssue {
+		return nil, nil
+	}
+	deals, err := d.dealer.EncryptedDeals()
+	if err != nil {
+		return nil, err
+	}
+	dd := make(map[int]*Deal)
+	for i := range d.c.NewNodes {
+		distd := &Deal{
+			Index: uint32(d.oidx),
+			Deal:  deals[i],
+		}
+		// sign the deal
+		buff, err := distd.MarshalBinary()
+		if err != nil {
+			return nil, err
+		}
+		distd.Signature, err = schnorr.Sign(d.suite, d.long, buff)
+		if err != nil {
+			return nil, err
+		}
+
+		if i == int(d.nidx) && d.canReceive {
+			if _, ok := d.verifiers[uint32(d.nidx)]; ok {
+				// already processed our own deal
+				continue
+			}
+			if resp, err := d.ProcessDeal(distd); err != nil {
+				panic("dkg: cannot process own deal: " + err.Error())
+			} else if resp.Response.Status != vss.StatusApproval {
+				panic("dkg: own deal gave a complaint")
+			}
+			continue
+		}
+		dd[i] = distd
+	}
+	return dd, nil
+}
+
+// ProcessDeal takes a Deal created by Deals() and stores and verifies it. It
+// returns a Response to broadcast to every other participant, including the old
+// participants. It returns an error in case the deal has already been stored,
+// or if the deal is incorrect (see vss.Verifier.ProcessEncryptedDeal).
+func (d *DistKeyGenerator) ProcessDeal(dd *Deal) (*Response, error) {
+	var pub kyber.Point
+	var ok bool
+	if d.isResharing {
+		pub, ok = getPub(d.c.OldNodes, dd.Index)
+	} else {
+		pub, ok = getPub(d.c.NewNodes, dd.Index)
+	}
+	// public key of the dealer
+	if !ok {
+		return nil, errors.New("dkg: dist deal out of bounds index")
+	}
+
+	// verify signature
+	buff, err := dd.MarshalBinary()
+	if err != nil {
+		return nil, err
+	}
+	if err := schnorr.Verify(d.suite, pub, buff, dd.Signature); err != nil {
+		return nil, err
+	}
+
+	if _, ok := d.verifiers[dd.Index]; ok {
+		return nil, errors.New("dkg: already received dist deal from same index")
+	}
+
+	// verifier receiving the dealer's deal
+	ver, err := vss.NewVerifier(d.suite, d.long, pub, d.c.NewNodes)
+	if err != nil {
+		return nil, err
+	}
+
+	d.verifiers[dd.Index] = ver
+	resp, err := ver.ProcessEncryptedDeal(dd.Deal)
+	if err != nil {
+		return nil, err
+	}
+
+	reject := func() (*Response, error) {
+		idx, present := findPub(d.c.NewNodes, pub)
+		if present {
+			d.verifiers[uint32(idx)].UnsafeSetResponseDKG(uint32(idx), vss.StatusComplaint)
+		}
+		// indicate to VSS that the new status is complaint, since the check is
+		// done outside of  VSS package control.
+		d.verifiers[uint32(d.nidx)].UnsafeSetResponseDKG(uint32(d.nidx), vss.StatusComplaint)
+		resp.Status = vss.StatusComplaint
+		s, err := schnorr.Sign(d.suite, d.long, resp.Hash(d.suite))
+		if err != nil {
+			return nil, err
+		}
+		resp.Signature = s
+		return &Response{
+			Index:    dd.Index,
+			Response: resp,
+		}, nil
+	}
+
+	if d.isResharing && d.canReceive {
+		// verify share integrity wrt to the dist. secret
+		dealCommits := ver.Commits()
+		// Check that the received committed share is equal to the one we
+		// generate from the known public polynomial
+		expectedPubShare := d.dpub.Eval(int(dd.Index))
+		if !expectedPubShare.V.Equal(dealCommits[0]) {
+			return reject()
+		}
+	}
+
+	// if the dealer in the old list is also present in the new list, then set
+	// his response to approval since he won't issue his own response for his
+	// own deal
+	newIdx, found := findPub(d.c.NewNodes, pub)
+	if found {
+		d.verifiers[dd.Index].UnsafeSetResponseDKG(uint32(newIdx), vss.StatusApproval)
+	}
+
+	return &Response{
+		Index:    dd.Index,
+		Response: resp,
+	}, nil
+}
+
+// ProcessResponse takes a response from every other peer.  If the response
+// designates the deal of another participant than this dkg, this dkg stores it
+// and returns nil with a possible error regarding the validity of the response.
+// If the response designates a deal this dkg has issued, then the dkg will process
+// the response, and returns a justification.
+func (d *DistKeyGenerator) ProcessResponse(resp *Response) (*Justification, error) {
+	if d.isResharing && d.canIssue && !d.newPresent {
+		return d.processResharingResponse(resp)
+	}
+
+	v, ok := d.verifiers[resp.Index]
+	if !ok {
+		return nil, errors.New("dkg: response received but no deal for it")
+	}
+
+	if err := v.ProcessResponse(resp.Response); err != nil {
+		return nil, err
+	}
+
+	myIdx := uint32(d.oidx)
+	if !d.canIssue || resp.Index != myIdx {
+		// no justification if we dont issue deals or the deal's not from us
+		return nil, nil
+	}
+
+	j, err := d.dealer.ProcessResponse(resp.Response)
+	if err != nil {
+		return nil, err
+	}
+	if j == nil {
+		return nil, nil
+	}
+	if err := v.ProcessJustification(j); err != nil {
+		return nil, err
+	}
+
+	return &Justification{
+		Index:         uint32(d.oidx),
+		Justification: j,
+	}, nil
+}
+
+// special case when an node that is present in the old list but not in the
+// new,i.e. leaving the group, does not have any verifiers since it can't
+// receive shares. This function makes some check on the response and returns a
+// justification if the response is invalid.
+func (d *DistKeyGenerator) processResharingResponse(resp *Response) (*Justification, error) {
+	agg, present := d.oldAggregators[resp.Index]
+	if !present {
+		agg = vss.NewEmptyAggregator(d.suite, d.c.NewNodes)
+		d.oldAggregators[resp.Index] = agg
+	}
+
+	err := agg.ProcessResponse(resp.Response)
+	if int(resp.Index) != d.oidx {
+		return nil, err
+	}
+
+	if resp.Response.Status == vss.StatusApproval {
+		return nil, nil
+	}
+
+	// status is complaint and it is about our deal
+	deal, err := d.dealer.PlaintextDeal(int(resp.Response.Index))
+	if err != nil {
+		return nil, errors.New("dkg: resharing response can't get deal. BUG - REPORT")
+	}
+	j := &Justification{
+		Index: uint32(d.oidx),
+		Justification: &vss.Justification{
+			SessionID: d.dealer.SessionID(),
+			Index:     resp.Response.Index, // good index because of signature check
+			Deal:      deal,
+		},
+	}
+	return j, nil
+}
+
+// ProcessJustification takes a justification and validates it. It returns an
+// error in case the justification is wrong.
+func (d *DistKeyGenerator) ProcessJustification(j *Justification) error {
+	v, ok := d.verifiers[j.Index]
+	if !ok {
+		return errors.New("dkg: Justification received but no deal for it")
+	}
+	return v.ProcessJustification(j.Justification)
+}
+
+// SetTimeout triggers the timeout on all verifiers, and thus makes sure
+// all verifiers have either responded, or have a StatusComplaint response.
+func (d *DistKeyGenerator) SetTimeout() {
+	for _, v := range d.verifiers {
+		v.SetTimeout()
+	}
+}
+
+// Certified returns true if all deals are certified. Normally, it *should* be
+// only a threshold of deals but due to network synchronicity assumption, this
+// is much easier.
+func (d *DistKeyGenerator) Certified() bool {
+	if d.isResharing {
+		return len(d.QUAL()) >= len(d.c.OldNodes)
+	}
+	return len(d.QUAL()) >= len(d.c.NewNodes)
+}
+
+// ExpectedDeals returns the number of deals that this node will
+// receive from the other participants.
+func (d *DistKeyGenerator) ExpectedDeals() int {
+	switch {
+	case d.newPresent && d.oldPresent:
+		return len(d.c.OldNodes) - 1
+	case d.newPresent && !d.oldPresent:
+		return len(d.c.OldNodes)
+	default:
+		return 0
+	}
+}
+
+// QUAL returns the index in the list of participants that forms the QUALIFIED
+// set as described in the "New-DKG" protocol by Rabin. Basically, it consists
+// of all valid deals at the end of the protocols. It does NOT take into account
+// any malicious share holder which share may have been revealed, due to invalid
+// complaint.
+// XXX Have a method of retrieving invalid shares ?
+func (d *DistKeyGenerator) QUAL() []int {
+	var good []int
+	if d.isResharing && d.canIssue && !d.newPresent {
+		d.oldQualIter(func(i uint32, v *vss.Aggregator) bool {
+			good = append(good, int(i))
+			return true
+		})
+		return good
+	}
+	d.qualIter(func(i uint32, v *vss.Verifier) bool {
+		good = append(good, int(i))
+		return true
+	})
+	return good
+}
+
+func (d *DistKeyGenerator) isInQUAL(idx uint32) bool {
+	var found bool
+	d.qualIter(func(i uint32, v *vss.Verifier) bool {
+		if i == idx {
+			found = true
+			return false
+		}
+		return true
+	})
+	return found
+}
+
+func (d *DistKeyGenerator) qualIter(fn func(idx uint32, v *vss.Verifier) bool) {
+	for i, v := range d.verifiers {
+		if v.DealCertified() {
+			if !fn(i, v) {
+				break
+			}
+		}
+	}
+}
+
+func (d *DistKeyGenerator) oldQualIter(fn func(idx uint32, v *vss.Aggregator) bool) {
+	for i, v := range d.oldAggregators {
+		if v.DealCertified() {
+			if !fn(i, v) {
+				break
+			}
+		}
+	}
+}
+
+// DistKeyShare generates the distributed key relative to this receiver.
+// It throws an error if something is wrong such as not enough deals received.
+// The shared secret can be computed when all deals have been sent and
+// basically consists of a public point and a share. The public point is the sum
+// of all aggregated individual public commits of each individual secrets.
+// The share is evaluated from the global Private Polynomial, basically SUM of
+// fj(i) for a receiver i.
+func (d *DistKeyGenerator) DistKeyShare() (*DistKeyShare, error) {
+	if !d.Certified() {
+		return nil, errors.New("dkg: distributed key not certified")
+	}
+	if !d.canReceive {
+		return nil, errors.New("dkg: should not expect to compute any dist. share")
+	}
+
+	if d.isResharing {
+		return d.resharingKey()
+	}
+
+	return d.dkgKey()
+}
+
+func (d *DistKeyGenerator) dkgKey() (*DistKeyShare, error) {
+	sh := d.suite.Scalar().Zero()
+	var pub *share.PubPoly
+	var err error
+	d.qualIter(func(i uint32, v *vss.Verifier) bool {
+		// share of dist. secret = sum of all share received.
+		deal := v.Deal()
+		s := deal.SecShare.V
+		sh = sh.Add(sh, s)
+		// Dist. public key = sum of all revealed commitments
+		poly := share.NewPubPoly(d.suite, d.suite.Point().Base(), deal.Commitments)
+		if pub == nil {
+			// first polynomial we see (instead of generating n empty commits)
+			pub = poly
+			return true
+		}
+		pub, err = pub.Add(poly)
+		return err == nil
+	})
+
+	if err != nil {
+		return nil, err
+	}
+	_, commits := pub.Info()
+
+	return &DistKeyShare{
+		Commits: commits,
+		Share: &share.PriShare{
+			I: int(d.nidx),
+			V: sh,
+		},
+		PrivatePoly: d.dealer.PrivatePoly().Coefficients(),
+	}, nil
+
+}
+
+func (d *DistKeyGenerator) resharingKey() (*DistKeyShare, error) {
+	// only old nodes sends shares
+	shares := make([]*share.PriShare, len(d.c.OldNodes))
+	coeffs := make([][]kyber.Point, len(d.c.OldNodes))
+	d.qualIter(func(i uint32, v *vss.Verifier) bool {
+		deal := v.Deal()
+		coeffs[int(i)] = deal.Commitments
+		// share of dist. secret. Invertion of rows/column
+		deal.SecShare.I = int(i)
+		shares[int(i)] = deal.SecShare
+		return true
+	})
+
+	// the private polynomial is generated from the old nodes, thus inheriting
+	// the old threshold condition
+	priPoly, err := share.RecoverPriPoly(d.suite, shares, d.oldT, len(d.c.NewNodes))
+	if err != nil {
+		return nil, err
+	}
+	privateShare := &share.PriShare{
+		I: int(d.nidx),
+		V: priPoly.Secret(),
+	}
+
+	// recover public polynomial by interpolating coefficient-wise all
+	// polynomials
+	// the new public polynomial must however have "newT" coefficients since it
+	// will be held by the new nodes.
+	finalCoeffs := make([]kyber.Point, d.newT)
+	for i := 0; i < d.newT; i++ {
+		tmpCoeffs := make([]*share.PubShare, len(coeffs))
+		// take all i-th coefficients
+		for j := range coeffs {
+			if coeffs[j] == nil {
+				continue
+			}
+			tmpCoeffs[j] = &share.PubShare{I: j, V: coeffs[j][i]}
+		}
+
+		// using the old threshold / length because there are at most
+		// len(d.c.OldNodes) i-th coefficients since they are the one generating one
+		// each, thus using the old threshold.
+		coeff, err := share.RecoverCommit(d.suite, tmpCoeffs, d.oldT, len(d.c.OldNodes))
+		if err != nil {
+			return nil, err
+		}
+		finalCoeffs[i] = coeff
+	}
+
+	// Reconstruct the final public polynomial
+	pubPoly := share.NewPubPoly(d.suite, nil, finalCoeffs)
+
+	if !pubPoly.Check(privateShare) {
+		return nil, errors.New("dkg: share do not correspond to public polynomial ><")
+	}
+	return &DistKeyShare{
+		Commits:     finalCoeffs,
+		Share:       privateShare,
+		PrivatePoly: priPoly.Coefficients(),
+	}, nil
+}
+
+// Verifiers returns the current mapping of indexes to verifiers.
+func (d *DistKeyGenerator) Verifiers() map[uint32]*vss.Verifier {
+	return d.verifiers
+}
+
+//Renew adds the new distributed key share g (with secret 0) to the distributed key share d.
+func (d *DistKeyShare) Renew(suite Suite, g *DistKeyShare) (*DistKeyShare, error) {
+	//Check G(0) = 0*G.
+	if !g.Public().Equal(suite.Point().Base().Mul(suite.Scalar().Zero(), nil)) {
+		return nil, errors.New("wrong renewal function")
+	}
+
+	//Check whether they have the same index
+	if d.Share.I != g.Share.I {
+		return nil, errors.New("not the same party")
+	}
+
+	newShare := suite.Scalar().Add(d.Share.V, g.Share.V)
+	newCommits := make([]kyber.Point, len(d.Commits))
+	for i := range newCommits {
+		newCommits[i] = suite.Point().Add(d.Commits[i], g.Commits[i])
+	}
+	return &DistKeyShare{
+		Commits: newCommits,
+		Share: &share.PriShare{
+			I: d.Share.I,
+			V: newShare,
+		},
+	}, nil
+}
+
+func getPub(list []kyber.Point, i uint32) (kyber.Point, bool) {
+	if i >= uint32(len(list)) {
+		return nil, false
+	}
+	return list[i], true
+}
+
+func findPub(list []kyber.Point, toFind kyber.Point) (int, bool) {
+	for i, p := range list {
+		if p.Equal(toFind) {
+			return i, true
+		}
+	}
+	return 0, false
+}
+
+func checksDealCertified(i uint32, v *vss.Verifier) bool {
+	return v.DealCertified()
+}
diff --git a/kyber/share/dkg/pedersen/dkg_test.go b/kyber/share/dkg/pedersen/dkg_test.go
new file mode 100644
index 0000000000..01dbe63b5f
--- /dev/null
+++ b/kyber/share/dkg/pedersen/dkg_test.go
@@ -0,0 +1,788 @@
+package dkg
+
+import (
+	"crypto/rand"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/share"
+	vss "go.dedis.ch/kyber/v3/share/vss/pedersen"
+)
+
+var suite = edwards25519.NewBlakeSHA256Ed25519()
+
+const nbParticipants = 5
+
+func generate() (partPubs []kyber.Point, partSec []kyber.Scalar, dkgs []*DistKeyGenerator) {
+	partPubs = make([]kyber.Point, nbParticipants)
+	partSec = make([]kyber.Scalar, nbParticipants)
+	for i := 0; i < nbParticipants; i++ {
+		sec, pub := genPair()
+		partPubs[i] = pub
+		partSec[i] = sec
+	}
+	dkgs = dkgGen(partPubs, partSec)
+	return
+}
+
+func TestDKGNewDistKeyGenerator(t *testing.T) {
+	partPubs, partSec, _ := generate()
+
+	long := partSec[0]
+	dkg, err := NewDistKeyGenerator(suite, long, partPubs, nbParticipants/2+1)
+	require.Nil(t, err)
+	require.NotNil(t, dkg.dealer)
+	require.True(t, dkg.canIssue)
+	require.True(t, dkg.canReceive)
+	require.True(t, dkg.newPresent)
+	// because we set old = new
+	require.True(t, dkg.oldPresent)
+	require.True(t, dkg.canReceive)
+	require.False(t, dkg.isResharing)
+
+	sec, _ := genPair()
+	_, err = NewDistKeyGenerator(suite, sec, partPubs, nbParticipants/2+1)
+	require.Error(t, err)
+}
+
+func TestDKGDeal(t *testing.T) {
+	_, _, dkgs := generate()
+	dkg := dkgs[0]
+
+	dks, err := dkg.DistKeyShare()
+	require.Error(t, err)
+	require.Nil(t, dks)
+
+	deals, err := dkg.Deals()
+	require.Nil(t, err)
+	require.Len(t, deals, nbParticipants-1)
+
+	for i := range deals {
+		require.NotNil(t, deals[i])
+		require.Equal(t, uint32(0), deals[i].Index)
+	}
+
+	v, ok := dkg.verifiers[uint32(dkg.nidx)]
+	require.True(t, ok)
+	require.NotNil(t, v)
+}
+
+func TestDKGProcessDeal(t *testing.T) {
+	_, _, dkgs := generate()
+
+	dkg := dkgs[0]
+	deals, err := dkg.Deals()
+	require.Nil(t, err)
+
+	rec := dkgs[1]
+	deal := deals[1]
+	require.Equal(t, int(deal.Index), 0)
+	require.Equal(t, 1, rec.nidx)
+
+	// verifier don't find itself
+	goodP := rec.c.NewNodes
+	rec.c.NewNodes = make([]kyber.Point, 0)
+	resp, err := rec.ProcessDeal(deal)
+	require.Nil(t, resp)
+	require.Error(t, err)
+	rec.c.NewNodes = goodP
+
+	// good deal
+	resp, err = rec.ProcessDeal(deal)
+	require.NotNil(t, resp)
+	require.Equal(t, vss.StatusApproval, resp.Response.Status)
+	require.Nil(t, err)
+	_, ok := rec.verifiers[deal.Index]
+	require.True(t, ok)
+	require.Equal(t, uint32(0), resp.Index)
+
+	// duplicate
+	resp, err = rec.ProcessDeal(deal)
+	require.Nil(t, resp)
+	require.Error(t, err)
+
+	// wrong index
+	goodIdx := deal.Index
+	deal.Index = uint32(nbParticipants + 1)
+	resp, err = rec.ProcessDeal(deal)
+	require.Nil(t, resp)
+	require.Error(t, err)
+	deal.Index = goodIdx
+
+	// wrong deal
+	goodSig := deal.Deal.Signature
+	deal.Deal.Signature = randomBytes(len(deal.Deal.Signature))
+	resp, err = rec.ProcessDeal(deal)
+	require.Nil(t, resp)
+	require.Error(t, err)
+	deal.Deal.Signature = goodSig
+
+}
+
+func TestDKGProcessResponse(t *testing.T) {
+	// first peer generates wrong deal
+	// second peer processes it and returns a complaint
+	// first peer process the complaint
+
+	_, _, dkgs := generate()
+	dkg := dkgs[0]
+	idxRec := 1
+	rec := dkgs[idxRec]
+	deal, err := dkg.dealer.PlaintextDeal(idxRec)
+	require.Nil(t, err)
+
+	// give a wrong deal
+	goodSecret := deal.SecShare.V
+	deal.SecShare.V = suite.Scalar().Zero()
+	dd, err := dkg.Deals()
+	encD := dd[idxRec]
+	require.Nil(t, err)
+	resp, err := rec.ProcessDeal(encD)
+	require.Nil(t, err)
+	require.NotNil(t, resp)
+	require.Equal(t, vss.StatusComplaint, resp.Response.Status)
+	deal.SecShare.V = goodSecret
+	dd, _ = dkg.Deals()
+	encD = dd[idxRec]
+
+	// no verifier tied to Response
+	v, ok := dkg.verifiers[0]
+	require.NotNil(t, v)
+	require.True(t, ok)
+	require.NotNil(t, v)
+	delete(dkg.verifiers, 0)
+	j, err := dkg.ProcessResponse(resp)
+	require.Nil(t, j)
+	require.NotNil(t, err)
+	dkg.verifiers[0] = v
+
+	// invalid response
+	goodSig := resp.Response.Signature
+	resp.Response.Signature = randomBytes(len(goodSig))
+	j, err = dkg.ProcessResponse(resp)
+	require.Nil(t, j)
+	require.Error(t, err)
+	resp.Response.Signature = goodSig
+
+	// valid complaint from our deal
+	j, err = dkg.ProcessResponse(resp)
+	require.NotNil(t, j)
+	require.Nil(t, err)
+
+	// valid complaint from another deal from another peer
+	dkg2 := dkgs[2]
+	require.Nil(t, err)
+	// fake a wrong deal
+	// deal20, err := dkg2.dealer.PlaintextDeal(0)
+	// require.Nil(t, err)
+	deal21, err := dkg2.dealer.PlaintextDeal(1)
+	require.Nil(t, err)
+	goodRnd21 := deal21.SecShare.V
+	deal21.SecShare.V = suite.Scalar().Zero()
+	deals2, err := dkg2.Deals()
+	require.Nil(t, err)
+
+	resp12, err := rec.ProcessDeal(deals2[idxRec])
+	require.NotNil(t, resp)
+	require.Equal(t, vss.StatusComplaint, resp12.Response.Status)
+	require.Equal(t, deals2[idxRec].Index, uint32(dkg2.nidx))
+	require.Equal(t, resp12.Index, uint32(dkg2.nidx))
+	require.Equal(t, vss.StatusComplaint, rec.verifiers[uint32(dkg2.oidx)].Responses()[uint32(rec.nidx)].Status)
+
+	deal21.SecShare.V = goodRnd21
+	deals2, err = dkg2.Deals()
+	require.Nil(t, err)
+
+	// give it to the first peer
+	// process dealer 2's deal
+	r, err := dkg.ProcessDeal(deals2[0])
+	require.Nil(t, err)
+	require.NotNil(t, r)
+
+	// process response from peer 1
+	j, err = dkg.ProcessResponse(resp12)
+	require.Nil(t, j)
+	require.Nil(t, err)
+
+	// Justification part:
+	// give the complaint to the dealer
+	j, err = dkg2.ProcessResponse(resp12)
+	require.Nil(t, err)
+	require.NotNil(t, j)
+
+	// hack because all is local, and resp has been modified locally by dkg2's
+	// dealer, the status has became "justified"
+	resp12.Response.Status = vss.StatusComplaint
+	err = dkg.ProcessJustification(j)
+	require.Nil(t, err)
+
+	// remove verifiers
+	v = dkg.verifiers[j.Index]
+	delete(dkg.verifiers, j.Index)
+	err = dkg.ProcessJustification(j)
+	require.Error(t, err)
+	dkg.verifiers[j.Index] = v
+
+}
+
+func TestSetTimeout(t *testing.T) {
+	_, _, dkgs := generate()
+
+	// full secret sharing exchange
+	// 1. broadcast deals
+	resps := make([]*Response, 0, nbParticipants*nbParticipants)
+	for _, dkg := range dkgs {
+		deals, err := dkg.Deals()
+		require.Nil(t, err)
+		for i, d := range deals {
+			resp, err := dkgs[i].ProcessDeal(d)
+			require.Nil(t, err)
+			require.Equal(t, vss.StatusApproval, resp.Response.Status)
+			resps = append(resps, resp)
+		}
+	}
+
+	// 2. Broadcast responses
+	for _, resp := range resps {
+		for _, dkg := range dkgs {
+			if !dkg.verifiers[resp.Index].EnoughApprovals() {
+				// ignore messages about ourself
+				if resp.Response.Index == uint32(dkg.nidx) {
+					continue
+				}
+				j, err := dkg.ProcessResponse(resp)
+				require.Nil(t, err)
+				require.Nil(t, j)
+			}
+		}
+	}
+
+	// 3. make sure everyone has the same QUAL set
+	for _, dkg := range dkgs {
+		for _, dkg2 := range dkgs {
+			require.False(t, dkg.isInQUAL(uint32(dkg2.nidx)))
+		}
+	}
+
+	for _, dkg := range dkgs {
+		dkg.SetTimeout()
+	}
+
+	for _, dkg := range dkgs {
+		for _, dkg2 := range dkgs {
+			require.True(t, dkg.isInQUAL(uint32(dkg2.nidx)))
+		}
+	}
+
+}
+
+func TestDistKeyShare(t *testing.T) {
+	_, _, dkgs := generate()
+	fullExchange(t, dkgs)
+
+	for _, dkg := range dkgs {
+		require.True(t, dkg.Certified())
+	}
+	// verify integrity of shares etc
+	dkss := make([]*DistKeyShare, nbParticipants)
+	var poly *share.PriPoly
+	for i, dkg := range dkgs {
+		dks, err := dkg.DistKeyShare()
+		require.Nil(t, err)
+		require.NotNil(t, dks)
+		require.NotNil(t, dks.PrivatePoly)
+		dkss[i] = dks
+		require.Equal(t, dkg.nidx, dks.Share.I)
+
+		pripoly := share.CoefficientsToPriPoly(suite, dks.PrivatePoly)
+		if poly == nil {
+			poly = pripoly
+			continue
+		}
+		poly, err = poly.Add(pripoly)
+		require.NoError(t, err)
+	}
+
+	shares := make([]*share.PriShare, nbParticipants)
+	for i, dks := range dkss {
+		require.True(t, checkDks(dks, dkss[0]), "dist key share not equal %d vs %d", dks.Share.I, 0)
+		shares[i] = dks.Share
+	}
+
+	secret, err := share.RecoverSecret(suite, shares, nbParticipants, nbParticipants)
+	require.Nil(t, err)
+
+	secretCoeffs := poly.Coefficients()
+	require.Equal(t, secret.String(), secretCoeffs[0].String())
+
+	commitSecret := suite.Point().Mul(secret, nil)
+	require.Equal(t, dkss[0].Public().String(), commitSecret.String())
+}
+
+func dkgGen(partPubs []kyber.Point, partSec []kyber.Scalar) []*DistKeyGenerator {
+	dkgs := make([]*DistKeyGenerator, nbParticipants)
+	for i := 0; i < nbParticipants; i++ {
+		dkg, err := NewDistKeyGenerator(suite, partSec[i], partPubs, vss.MinimumT(nbParticipants))
+		if err != nil {
+			panic(err)
+		}
+		dkgs[i] = dkg
+	}
+	return dkgs
+}
+
+func genPair() (kyber.Scalar, kyber.Point) {
+	sc := suite.Scalar().Pick(suite.RandomStream())
+	return sc, suite.Point().Mul(sc, nil)
+}
+
+func randomBytes(n int) []byte {
+	var buff = make([]byte, n)
+	_, _ = rand.Read(buff[:])
+	return buff
+}
+func checkDks(dks1, dks2 *DistKeyShare) bool {
+	if len(dks1.Commits) != len(dks2.Commits) {
+		return false
+	}
+	for i, p := range dks1.Commits {
+		if !p.Equal(dks2.Commits[i]) {
+			return false
+		}
+	}
+	return true
+}
+
+func fullExchange(t *testing.T, dkgs []*DistKeyGenerator) {
+	// full secret sharing exchange
+	// 1. broadcast deals
+	resps := make([]*Response, 0, nbParticipants*nbParticipants)
+	for idx, dkg := range dkgs {
+		deals, err := dkg.Deals()
+		require.Nil(t, err)
+		for i, d := range deals {
+			require.True(t, i != idx)
+			resp, err := dkgs[i].ProcessDeal(d)
+			require.Nil(t, err)
+			require.Equal(t, vss.StatusApproval, resp.Response.Status)
+			resps = append(resps, resp)
+		}
+	}
+	// 2. Broadcast responses
+	for _, resp := range resps {
+		for _, dkg := range dkgs {
+			// Ignore messages about ourselves
+			if resp.Response.Index == uint32(dkg.nidx) {
+				continue
+			}
+			j, err := dkg.ProcessResponse(resp)
+			require.Nil(t, err)
+			require.Nil(t, j)
+		}
+	}
+
+	// 3. make sure everyone has the same QUAL set
+	for _, dkg := range dkgs {
+		for _, dkg2 := range dkgs {
+			require.True(t, dkg.isInQUAL(uint32(dkg2.nidx)))
+		}
+	}
+}
+
+// Test resharing of a DKG to the same set of nodes
+func TestDKGResharing(t *testing.T) {
+	partPubs, partSec, dkgs := generate()
+	fullExchange(t, dkgs)
+
+	shares := make([]*DistKeyShare, len(dkgs))
+	sshares := make([]*share.PriShare, len(dkgs))
+	for i, dkg := range dkgs {
+		share, err := dkg.DistKeyShare()
+		require.NoError(t, err)
+		shares[i] = share
+		sshares[i] = shares[i].Share
+	}
+	// start resharing within the same group
+	newDkgs := make([]*DistKeyGenerator, len(dkgs))
+	var err error
+	for i := range dkgs {
+		c := &Config{
+			Suite:    suite,
+			Longterm: partSec[i],
+			OldNodes: partPubs,
+			NewNodes: partPubs,
+			Share:    shares[i],
+		}
+		newDkgs[i], err = NewDistKeyHandler(c)
+		require.NoError(t, err)
+	}
+	fullExchange(t, newDkgs)
+	newShares := make([]*DistKeyShare, len(dkgs))
+	newSShares := make([]*share.PriShare, len(dkgs))
+	for i := range newDkgs {
+		dks, err := newDkgs[i].DistKeyShare()
+		require.NoError(t, err)
+		newShares[i] = dks
+		newSShares[i] = newShares[i].Share
+	}
+	// check
+	// 1. shares are different between the two rounds
+	// 2. shares reconstruct to the same secret
+	// 3. public polynomial is different but for the first coefficient /public
+	// key/
+	// 1.
+	for i := 0; i < len(dkgs); i++ {
+		require.False(t, shares[i].Share.V.Equal(newShares[i].Share.V))
+	}
+	thr := vss.MinimumT(nbParticipants)
+	// 2.
+	oldSecret, err := share.RecoverSecret(suite, sshares, thr, nbParticipants)
+	require.NoError(t, err)
+	newSecret, err := share.RecoverSecret(suite, newSShares, thr, nbParticipants)
+	require.NoError(t, err)
+	require.Equal(t, oldSecret.String(), newSecret.String())
+}
+
+// Test resharing to a different set of nodes with one common
+func TestDKGResharingNewNodes(t *testing.T) {
+	partPubs, partSec, dkgs := generate()
+	fullExchange(t, dkgs)
+
+	shares := make([]*DistKeyShare, len(dkgs))
+	sshares := make([]*share.PriShare, len(dkgs))
+	for i, dkg := range dkgs {
+		share, err := dkg.DistKeyShare()
+		require.NoError(t, err)
+		shares[i] = share
+		sshares[i] = shares[i].Share
+	}
+	// start resharing to a different group
+	oldN := nbParticipants
+	oldT := len(shares[0].Commits)
+	newN := oldN + 1
+	newT := oldT + 1
+	privates := make([]kyber.Scalar, newN)
+	publics := make([]kyber.Point, newN)
+	privates[0] = dkgs[oldN-1].long
+	publics[0] = suite.Point().Mul(privates[0], nil)
+	for i := 1; i < newN; i++ {
+		privates[i] = suite.Scalar().Pick(suite.RandomStream())
+		publics[i] = suite.Point().Mul(privates[i], nil)
+	}
+
+	// creating the old dkgs and new dkgs
+	oldDkgs := make([]*DistKeyGenerator, oldN)
+	newDkgs := make([]*DistKeyGenerator, newN)
+	var err error
+	for i := 0; i < oldN; i++ {
+		c := &Config{
+			Suite:     suite,
+			Longterm:  partSec[i],
+			OldNodes:  partPubs,
+			NewNodes:  publics,
+			Share:     shares[i],
+			Threshold: newT,
+		}
+		oldDkgs[i], err = NewDistKeyHandler(c)
+		require.NoError(t, err)
+		if i == oldN-1 {
+			require.True(t, oldDkgs[i].canReceive)
+			require.True(t, oldDkgs[i].canIssue)
+			require.True(t, oldDkgs[i].isResharing)
+			require.True(t, oldDkgs[i].newPresent)
+			require.Equal(t, oldDkgs[i].oidx, i)
+			require.Equal(t, 0, oldDkgs[i].nidx)
+			continue
+		}
+		require.False(t, oldDkgs[i].canReceive)
+		require.True(t, oldDkgs[i].canIssue)
+		require.True(t, oldDkgs[i].isResharing)
+		require.False(t, oldDkgs[i].newPresent)
+		require.Equal(t, oldDkgs[i].oidx, i)
+	}
+	// the first one is the last old one
+	newDkgs[0] = oldDkgs[oldN-1]
+	for i := 1; i < newN; i++ {
+		c := &Config{
+			Suite:        suite,
+			Longterm:     privates[i],
+			OldNodes:     partPubs,
+			NewNodes:     publics,
+			PublicCoeffs: shares[0].Commits,
+			Threshold:    newT,
+		}
+		newDkgs[i], err = NewDistKeyHandler(c)
+		require.NoError(t, err)
+		require.True(t, newDkgs[i].canReceive)
+		require.False(t, newDkgs[i].canIssue)
+		require.True(t, newDkgs[i].isResharing)
+		require.True(t, newDkgs[i].newPresent)
+		require.Equal(t, newDkgs[i].nidx, i)
+	}
+
+	// full secret sharing exchange
+	// 1. broadcast deals
+	deals := make([]map[int]*Deal, 0, newN*newN)
+	for _, dkg := range oldDkgs {
+		localDeals, err := dkg.Deals()
+		require.Nil(t, err)
+		deals = append(deals, localDeals)
+		if dkg.canReceive && dkg.nidx == 0 {
+			// because it stores its own deal / response
+			require.Equal(t, 1, len(dkg.verifiers))
+		} else {
+			require.Equal(t, 0, len(dkg.verifiers))
+		}
+	}
+
+	// the index key indicates the dealer index for which the responses are for
+	resps := make(map[int][]*Response)
+	for i, localDeals := range deals {
+		for j, d := range localDeals {
+			dkg := newDkgs[j]
+			resp, err := dkg.ProcessDeal(d)
+			require.Nil(t, err)
+			require.Equal(t, vss.StatusApproval, resp.Response.Status)
+			resps[i] = append(resps[i], resp)
+		}
+	}
+
+	// all new dkgs should have the same length of verifiers map
+	for _, dkg := range newDkgs {
+		// one deal per old participants
+		require.Equal(t, oldN, len(dkg.verifiers), "dkg nidx %d failing", dkg.nidx)
+	}
+
+	// 2. Broadcast responses
+	for _, dealResponses := range resps {
+		for _, resp := range dealResponses {
+			for _, dkg := range oldDkgs {
+				// Ignore messages from ourselves
+				if resp.Response.Index == uint32(dkg.nidx) {
+					continue
+				}
+				j, err := dkg.ProcessResponse(resp)
+				//fmt.Printf("old dkg %d process responses from new dkg %d about deal %d\n", dkg.oidx, dkg.nidx, resp.Index)
+				if err != nil {
+					fmt.Printf("old dkg at (oidx %d, nidx %d) has received response from idx %d for dealer idx %d\n", dkg.oidx, dkg.nidx, resp.Response.Index, resp.Index)
+				}
+				require.Nil(t, err)
+				require.Nil(t, j)
+			}
+
+			for _, dkg := range newDkgs[1:] {
+				// Ignore messages from ourselves
+				if resp.Response.Index == uint32(dkg.nidx) {
+					continue
+				}
+				j, err := dkg.ProcessResponse(resp)
+				//fmt.Printf("new dkg %d process responses from new dkg %d about deal %d\n", dkg.nidx, dkg.nidx, resp.Index)
+				if err != nil {
+					fmt.Printf("new dkg at nidx %d has received response from idx %d for deal %d\n", dkg.nidx, resp.Response.Index, resp.Index)
+				}
+				require.Nil(t, err)
+				require.Nil(t, j)
+			}
+
+		}
+	}
+
+	for _, dkg := range newDkgs {
+		for i := 0; i < oldN; i++ {
+			require.True(t, dkg.verifiers[uint32(i)].DealCertified(), "new dkg %d has not certified deal %d => %v", dkg.nidx, i, dkg.verifiers[uint32(i)].Responses())
+		}
+	}
+
+	// 3. make sure everyone has the same QUAL set
+	for _, dkg := range newDkgs {
+		for _, dkg2 := range oldDkgs {
+			require.True(t, dkg.isInQUAL(uint32(dkg2.oidx)), "new dkg %d has not in qual old dkg %d (qual = %v)", dkg.nidx, dkg2.oidx, dkg.QUAL())
+		}
+	}
+
+	newShares := make([]*DistKeyShare, newN)
+	newSShares := make([]*share.PriShare, newN)
+	for i := range newDkgs {
+		dks, err := newDkgs[i].DistKeyShare()
+		require.NoError(t, err)
+		newShares[i] = dks
+		newSShares[i] = newShares[i].Share
+	}
+	// check shares reconstruct to the same secret
+	oldSecret, err := share.RecoverSecret(suite, sshares, oldT, oldN)
+	require.NoError(t, err)
+	newSecret, err := share.RecoverSecret(suite, newSShares, newT, newN)
+	require.NoError(t, err)
+	require.Equal(t, oldSecret.String(), newSecret.String())
+}
+
+func TestDKGResharingPartialNewNodes(t *testing.T) {
+	partPubs, partSec, dkgs := generate()
+	fullExchange(t, dkgs)
+
+	shares := make([]*DistKeyShare, len(dkgs))
+	sshares := make([]*share.PriShare, len(dkgs))
+	for i, dkg := range dkgs {
+		share, err := dkg.DistKeyShare()
+		require.NoError(t, err)
+		shares[i] = share
+		sshares[i] = shares[i].Share
+	}
+	// start resharing to a different group
+	oldN := nbParticipants
+	oldT := len(shares[0].Commits)
+	newN := oldN + 1
+	newT := oldT + 1
+	total := oldN + 2
+	newOffset := oldN - 1 // idx at which a new key is added to the group
+
+	privates := make([]kyber.Scalar, 0, newN)
+	publics := make([]kyber.Point, 0, newN)
+	for _, dkg := range dkgs[1:] {
+		privates = append(privates, dkg.long)
+		publics = append(publics, suite.Point().Mul(privates[len(privates)-1], nil))
+	}
+	// add two new guys
+	privates = append(privates, suite.Scalar().Pick(suite.RandomStream()))
+	publics = append(publics, suite.Point().Mul(privates[len(privates)-1], nil))
+	privates = append(privates, suite.Scalar().Pick(suite.RandomStream()))
+	publics = append(publics, suite.Point().Mul(privates[len(privates)-1], nil))
+
+	// creating all dkgs
+	totalDkgs := make([]*DistKeyGenerator, total)
+	var err error
+	for i := 0; i < oldN; i++ {
+		c := &Config{
+			Suite:     suite,
+			Longterm:  partSec[i],
+			OldNodes:  partPubs,
+			NewNodes:  publics,
+			Share:     shares[i],
+			Threshold: newT,
+		}
+		totalDkgs[i], err = NewDistKeyHandler(c)
+		require.NoError(t, err)
+		if i >= 1 {
+			require.True(t, totalDkgs[i].canReceive)
+			require.True(t, totalDkgs[i].canIssue)
+			require.True(t, totalDkgs[i].isResharing)
+			require.True(t, totalDkgs[i].newPresent)
+			require.Equal(t, totalDkgs[i].oidx, i)
+			require.Equal(t, i-1, totalDkgs[i].nidx)
+			continue
+		}
+		require.False(t, totalDkgs[i].canReceive)
+		require.True(t, totalDkgs[i].canIssue)
+		require.True(t, totalDkgs[i].isResharing)
+		require.False(t, totalDkgs[i].newPresent)
+		require.Equal(t, totalDkgs[i].oidx, i)
+	}
+	// the first one is the last old one
+	for i := oldN; i < total; i++ {
+		newIdx := i - oldN + newOffset
+		c := &Config{
+			Suite:        suite,
+			Longterm:     privates[newIdx],
+			OldNodes:     partPubs,
+			NewNodes:     publics,
+			PublicCoeffs: shares[0].Commits,
+			Threshold:    newT,
+		}
+		totalDkgs[i], err = NewDistKeyHandler(c)
+		require.NoError(t, err)
+		require.True(t, totalDkgs[i].canReceive)
+		require.False(t, totalDkgs[i].canIssue)
+		require.True(t, totalDkgs[i].isResharing)
+		require.True(t, totalDkgs[i].newPresent)
+		require.Equal(t, totalDkgs[i].nidx, newIdx)
+	}
+	newDkgs := totalDkgs[1:]
+	oldDkgs := totalDkgs[:oldN]
+	require.Equal(t, oldN, len(oldDkgs))
+	require.Equal(t, newN, len(newDkgs))
+
+	// full secret sharing exchange
+	// 1. broadcast deals
+	deals := make([]map[int]*Deal, 0, newN*newN)
+	for _, dkg := range oldDkgs {
+		localDeals, err := dkg.Deals()
+		require.Nil(t, err)
+		deals = append(deals, localDeals)
+		if dkg.canReceive && dkg.newPresent {
+			// because it stores its own deal / response
+			require.Equal(t, 1, len(dkg.verifiers))
+		} else {
+			require.Equal(t, 0, len(dkg.verifiers))
+		}
+	}
+
+	// the index key indicates the dealer index for which the responses are for
+	resps := make(map[int][]*Response)
+	for i, localDeals := range deals {
+		for j, d := range localDeals {
+			dkg := newDkgs[j]
+			resp, err := dkg.ProcessDeal(d)
+			require.Nil(t, err)
+			require.Equal(t, vss.StatusApproval, resp.Response.Status)
+			resps[i] = append(resps[i], resp)
+			if i == 0 {
+				//fmt.Printf("dealer (oidx %d, nidx %d) processing deal to %d from %d\n", newDkgs[i].oidx, newDkgs[i].nidx, i, d.Index)
+			}
+		}
+	}
+
+	// all new dkgs should have the same length of verifiers map
+	for _, dkg := range newDkgs {
+		// one deal per old participants
+		require.Equal(t, oldN, len(dkg.verifiers), "dkg nidx %d failing", dkg.nidx)
+	}
+
+	// 2. Broadcast responses
+	for _, dealResponses := range resps {
+		for _, resp := range dealResponses {
+			for _, dkg := range totalDkgs {
+				// Ignore messages from ourselves
+				if dkg.canReceive && resp.Response.Index == uint32(dkg.nidx) {
+					continue
+				}
+				j, err := dkg.ProcessResponse(resp)
+				//fmt.Printf("old dkg %d process responses from new dkg %d about deal %d\n", dkg.oidx, dkg.nidx, resp.Index)
+				if err != nil {
+					fmt.Printf("old dkg at (oidx %d, nidx %d) has received response from idx %d for dealer idx %d\n", dkg.oidx, dkg.nidx, resp.Response.Index, resp.Index)
+				}
+				require.Nil(t, err)
+				require.Nil(t, j)
+			}
+		}
+	}
+	for _, dkg := range newDkgs {
+		for i := 0; i < oldN; i++ {
+			require.True(t, dkg.verifiers[uint32(i)].DealCertified(), "new dkg %d has not certified deal %d => %v", dkg.nidx, i, dkg.verifiers[uint32(i)].Responses())
+		}
+	}
+
+	// 3. make sure everyone has the same QUAL set
+	for _, dkg := range newDkgs {
+		for _, dkg2 := range oldDkgs {
+			require.True(t, dkg.isInQUAL(uint32(dkg2.oidx)), "new dkg %d has not in qual old dkg %d (qual = %v)", dkg.nidx, dkg2.oidx, dkg.QUAL())
+		}
+	}
+
+	newShares := make([]*DistKeyShare, newN)
+	newSShares := make([]*share.PriShare, newN)
+	for i := range newDkgs {
+		dks, err := newDkgs[i].DistKeyShare()
+		require.NoError(t, err)
+		newShares[i] = dks
+		newSShares[i] = newShares[i].Share
+	}
+	// check shares reconstruct to the same secret
+	oldSecret, err := share.RecoverSecret(suite, sshares, oldT, oldN)
+	require.NoError(t, err)
+	newSecret, err := share.RecoverSecret(suite, newSShares, newT, newN)
+	require.NoError(t, err)
+	require.Equal(t, oldSecret.String(), newSecret.String())
+}
diff --git a/kyber/share/dkg/pedersen/structs.go b/kyber/share/dkg/pedersen/structs.go
new file mode 100644
index 0000000000..6ffab89afe
--- /dev/null
+++ b/kyber/share/dkg/pedersen/structs.go
@@ -0,0 +1,77 @@
+package dkg
+
+import (
+	"bytes"
+	"encoding/binary"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/share"
+	vss "go.dedis.ch/kyber/v3/share/vss/pedersen"
+)
+
+// DistKeyShare holds the share of a distributed key for a participant.
+type DistKeyShare struct {
+	// Coefficients of the public polynomial holding the public key.
+	Commits []kyber.Point
+	// Share of the distributed secret which is private information.
+	Share *share.PriShare
+	// Coefficients of the private polynomial generated by the node holding the
+	// share. The final distributed polynomial is the sum of all these
+	// individual polynomials, but it is never computed.
+	PrivatePoly []kyber.Scalar
+}
+
+// Public returns the public key associated with the distributed private key.
+func (d *DistKeyShare) Public() kyber.Point {
+	return d.Commits[0]
+}
+
+// PriShare implements the dss.DistKeyShare interface so either pedersen or
+// rabin dkg can be used with dss.
+func (d *DistKeyShare) PriShare() *share.PriShare {
+	return d.Share
+}
+
+// Commitments implements the dss.DistKeyShare interface so either pedersen or
+// rabin dkg can be used with dss.
+func (d *DistKeyShare) Commitments() []kyber.Point {
+	return d.Commits
+}
+
+// Deal holds the Deal for one participant as well as the index of the issuing
+// Dealer.
+type Deal struct {
+	// Index of the Dealer in the list of participants
+	Index uint32
+	// Deal issued for another participant
+	Deal *vss.EncryptedDeal
+	// Signature over the whole message
+	Signature []byte
+}
+
+// MarshalBinary returns a binary representation of this deal, which is the
+// message  signed in a dkg deal.
+func (d *Deal) MarshalBinary() ([]byte, error) {
+	var b bytes.Buffer
+	binary.Write(&b, binary.LittleEndian, d.Index)
+	b.Write(d.Deal.Cipher)
+	return b.Bytes(), nil
+}
+
+// Response holds the Response from another participant as well as the index of
+// the target Dealer.
+type Response struct {
+	// Index of the Dealer for which this response is for
+	Index uint32
+	// Response issued from another participant
+	Response *vss.Response
+}
+
+// Justification holds the Justification from a Dealer as well as the index of
+// the Dealer in question.
+type Justification struct {
+	// Index of the Dealer who answered with this Justification
+	Index uint32
+	// Justification issued from the Dealer
+	Justification *vss.Justification
+}
diff --git a/kyber/share/dkg/rabin/dkg.go b/kyber/share/dkg/rabin/dkg.go
new file mode 100644
index 0000000000..376d1e1a41
--- /dev/null
+++ b/kyber/share/dkg/rabin/dkg.go
@@ -0,0 +1,695 @@
+// Package dkg implements the protocol described in
+// "Secure Distributed Key Generation for Discrete-Log
+// Based Cryptosystems" by R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin.
+// DKG enables a group of participants to generate a distributed key
+// with each participants holding only a share of the key. The key is also
+// never computed locally but generated distributively whereas the public part
+// of the key is known by every participants.
+// The underlying basis for this protocol is the VSS protocol implemented in the
+// share/vss package.
+//
+// The protocol works as follow:
+//
+//   1. Each participant instantiates a DistKeyShare (DKS) struct.
+//   2. Then each participant runs an instance of the VSS protocol:
+//     - each participant generates their deals with the method `Deals()` and then
+//      sends them to the right recipient.
+//     - each participant processes the received deal with `ProcessDeal()` and
+//      broadcasts the resulting response.
+//     - each participant processes the response with `ProcessResponse()`. If a
+//      justification is returned, it must be broadcasted.
+//   3. Each participant can check if step 2. is done by calling
+//   `Certified()`.Those participants where Certified() returned true, belong to
+//   the set of "qualified" participants who will generate the distributed
+//   secret. To get the list of qualified participants, use QUAL().
+//   4. Each QUAL participant generates their secret commitments calling
+//    `SecretCommits()` and broadcasts them to the QUAL set.
+//   5. Each QUAL participant processes the received secret commitments using
+//    `SecretCommits()`. If there is an error, it can return a commitment complaint
+//    (ComplaintCommits) that must be broadcasted to the QUAL set.
+//   6. Each QUAL participant receiving a complaint can process it with
+//    `ProcessComplaintCommits()` which returns the secret share
+//    (ReconstructCommits) given from the malicious participant. This structure
+//    must be broadcasted to all the QUAL participant.
+//   7. At this point, every QUAL participant can issue the distributed key by
+//    calling `DistKeyShare()`.
+package dkg
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"fmt"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/sign/schnorr"
+	"go.dedis.ch/protobuf"
+
+	"go.dedis.ch/kyber/v3/share"
+	vss "go.dedis.ch/kyber/v3/share/vss/rabin"
+)
+
+// Suite wraps the functionalities needed by the dkg package
+type Suite vss.Suite
+
+// DistKeyShare holds the share of a distributed key for a participant.
+type DistKeyShare struct {
+	// Coefficients of the public polynomial holding the public key
+	Commits []kyber.Point
+	// Share of the distributed secret
+	Share *share.PriShare
+}
+
+// Public returns the public key associated with the distributed private key.
+func (d *DistKeyShare) Public() kyber.Point {
+	return d.Commits[0]
+}
+
+// PriShare implements the dss.DistKeyShare interface so either pedersen or
+// rabin dkg can be used with dss.
+func (d *DistKeyShare) PriShare() *share.PriShare {
+	return d.Share
+}
+
+// Commitments implements the dss.DistKeyShare interface so either pedersen or
+// rabin dkg can be used with dss.
+func (d *DistKeyShare) Commitments() []kyber.Point {
+	return d.Commits
+}
+
+// Deal holds the Deal for one participant as well as the index of the issuing
+// Dealer.
+//  NOTE: Doing that in vss.go would be possible but then the Dealer is always
+//  assumed to be a member of the participants. It's only the case here.
+type Deal struct {
+	// Index of the Dealer in the list of participants
+	Index uint32
+	// Deal issued for another participant
+	Deal *vss.EncryptedDeal
+}
+
+// Response holds the Response from another participant as well as the index of
+// the target Dealer.
+type Response struct {
+	// Index of the Dealer for which this response is for
+	Index uint32
+	// Response issued from another participant
+	Response *vss.Response
+}
+
+// Justification holds the Justification from a Dealer as well as the index of
+// the Dealer in question.
+type Justification struct {
+	// Index of the Dealer who answered with this Justification
+	Index uint32
+	// Justification issued from the Dealer
+	Justification *vss.Justification
+}
+
+// SecretCommits is sent during the distributed public key reconstruction phase,
+// basically a Feldman VSS scheme.
+type SecretCommits struct {
+	// Index of the Dealer in the list of participants
+	Index uint32
+	// Commitments generated by the Dealer
+	Commitments []kyber.Point
+	// SessionID generated by the Dealer tied to the Deal
+	SessionID []byte
+	// Signature from the Dealer
+	Signature []byte
+}
+
+// ComplaintCommits is sent if the secret commitments revealed by a peer are not
+// valid.
+type ComplaintCommits struct {
+	// Index of the Verifier _issuing_ the ComplaintCommit
+	Index uint32
+	// DealerIndex being the index of the Dealer who issued the SecretCommits
+	DealerIndex uint32
+	// Deal that has been given from the Dealer (at DealerIndex) to this node
+	// (at Index)
+	Deal *vss.Deal
+	// Signature made by the verifier
+	Signature []byte
+}
+
+// ReconstructCommits holds the information given by a participant who reveals
+// the deal received from a peer that has received a ComplaintCommits.
+type ReconstructCommits struct {
+	// Id of the session
+	SessionID []byte
+	// Index of the verifier who received the deal
+	Index uint32
+	// DealerIndex is the index of the dealer who issued the Deal
+	DealerIndex uint32
+	// Share contained in the Deal
+	Share *share.PriShare
+	// Signature over all over fields generated by the issuing verifier
+	Signature []byte
+}
+
+// DistKeyGenerator is the struct that runs the DKG protocol.
+type DistKeyGenerator struct {
+	suite Suite
+
+	index uint32
+	long  kyber.Scalar
+	pub   kyber.Point
+
+	participants []kyber.Point
+
+	t int
+
+	dealer    *vss.Dealer
+	verifiers map[uint32]*vss.Verifier
+
+	// list of commitments to each secret polynomial
+	commitments map[uint32]*share.PubPoly
+
+	// Map of deals collected to reconstruct the full polynomial of a dealer.
+	// The key is index of the dealer. Once there are enough ReconstructCommits
+	// struct, this dkg will re-construct the polynomial and stores it into the
+	// list of commitments.
+	pendingReconstruct map[uint32][]*ReconstructCommits
+	reconstructed      map[uint32]bool
+}
+
+// NewDistKeyGenerator returns a DistKeyGenerator out of the suite,
+// the longterm secret key, the list of participants, and the
+// threshold t parameter. It returns an error if the secret key's
+// commitment can't be found in the list of participants.
+func NewDistKeyGenerator(suite Suite, longterm kyber.Scalar, participants []kyber.Point, t int) (*DistKeyGenerator, error) {
+	pub := suite.Point().Mul(longterm, nil)
+	// find our index
+	var found bool
+	var index uint32
+	for i, p := range participants {
+		if p.Equal(pub) {
+			found = true
+			index = uint32(i)
+			break
+		}
+	}
+	if !found {
+		return nil, errors.New("dkg: own public key not found in list of participants")
+	}
+	var err error
+	// generate our dealer / deal
+	ownSec := suite.Scalar().Pick(suite.RandomStream())
+	dealer, err := vss.NewDealer(suite, longterm, ownSec, participants, t)
+	if err != nil {
+		return nil, err
+	}
+
+	return &DistKeyGenerator{
+		dealer:             dealer,
+		verifiers:          make(map[uint32]*vss.Verifier),
+		commitments:        make(map[uint32]*share.PubPoly),
+		pendingReconstruct: make(map[uint32][]*ReconstructCommits),
+		reconstructed:      make(map[uint32]bool),
+		t:                  t,
+		suite:              suite,
+		long:               longterm,
+		pub:                pub,
+		participants:       participants,
+		index:              index,
+	}, nil
+}
+
+// Deals returns all the deals that must be broadcasted to all
+// participants. The deal corresponding to this DKG is already added
+// to this DKG and is ommitted from the returned map. To know
+// to which participant a deal belongs to, loop over the keys as indices in
+// the list of participants:
+//
+//   for i,dd := range distDeals {
+//      sendTo(participants[i],dd)
+//   }
+//
+// This method panics if it can't process its own deal.
+func (d *DistKeyGenerator) Deals() (map[int]*Deal, error) {
+	deals, err := d.dealer.EncryptedDeals()
+	if err != nil {
+		return nil, err
+	}
+	dd := make(map[int]*Deal)
+	for i := range d.participants {
+		distd := &Deal{
+			Index: d.index,
+			Deal:  deals[i],
+		}
+		if i == int(d.index) {
+			if _, ok := d.verifiers[d.index]; ok {
+				// already processed our own deal
+				continue
+			}
+
+			resp, err := d.ProcessDeal(distd)
+			if err != nil {
+				panic(err)
+			} else if !resp.Response.Approved {
+				panic("dkg: own deal gave a complaint")
+			}
+
+			// If processed own deal correctly, set positive response in this
+			// DKG's dealer's own verifier
+			d.dealer.UnsafeSetResponseDKG(d.index, true)
+			continue
+		}
+		dd[i] = distd
+	}
+	return dd, nil
+}
+
+// ProcessDeal takes a Deal created by Deals() and stores and verifies it. It
+// returns a Response to broadcast to every other participants. It returns an
+// error in case the deal has already been stored, or if the deal is incorrect
+// (see `vss.Verifier.ProcessEncryptedDeal()`).
+func (d *DistKeyGenerator) ProcessDeal(dd *Deal) (*Response, error) {
+	// public key of the dealer
+	pub, ok := findPub(d.participants, dd.Index)
+	if !ok {
+		return nil, errors.New("dkg: dist deal out of bounds index")
+	}
+
+	if _, ok := d.verifiers[dd.Index]; ok {
+		return nil, errors.New("dkg: already received dist deal from same index")
+	}
+
+	// verifier receiving the dealer's deal
+	ver, err := vss.NewVerifier(d.suite, d.long, pub, d.participants)
+	if err != nil {
+		return nil, err
+	}
+
+	d.verifiers[dd.Index] = ver
+	resp, err := ver.ProcessEncryptedDeal(dd.Deal)
+	if err != nil {
+		return nil, err
+	}
+
+	// Set StatusApproval for the verifier that represents the participant
+	// that distibuted the Deal
+	d.verifiers[dd.Index].UnsafeSetResponseDKG(dd.Index, true)
+
+	return &Response{
+		Index:    dd.Index,
+		Response: resp,
+	}, nil
+}
+
+// ProcessResponse takes a response from every other peer.  If the response
+// designates the deal of another participants than this dkg, this dkg stores it
+// and returns nil with a possible error regarding the validity of the response.
+// If the response designates a deal this dkg has issued, then the dkg will process
+// the response, and returns a justification.
+func (d *DistKeyGenerator) ProcessResponse(resp *Response) (*Justification, error) {
+	v, ok := d.verifiers[resp.Index]
+	if !ok {
+		return nil, errors.New("dkg: complaint received but no deal for it")
+	}
+
+	if err := v.ProcessResponse(resp.Response); err != nil {
+		return nil, err
+	}
+
+	if resp.Index != uint32(d.index) {
+		return nil, nil
+	}
+
+	j, err := d.dealer.ProcessResponse(resp.Response)
+	if err != nil {
+		return nil, err
+	}
+	if j == nil {
+		return nil, nil
+	}
+	// a justification for our own deal, are we cheating !?
+	if err := v.ProcessJustification(j); err != nil {
+		return nil, err
+	}
+
+	return &Justification{
+		Index:         d.index,
+		Justification: j,
+	}, nil
+}
+
+// ProcessJustification takes a justification and validates it. It returns an
+// error in case the justification is wrong.
+func (d *DistKeyGenerator) ProcessJustification(j *Justification) error {
+	v, ok := d.verifiers[j.Index]
+	if !ok {
+		return errors.New("dkg: Justification received but no deal for it")
+	}
+	return v.ProcessJustification(j.Justification)
+}
+
+// SetTimeout triggers the timeout on all verifiers, and thus makes sure
+// all verifiers have either responded, or have a StatusComplaint response.
+func (d *DistKeyGenerator) SetTimeout() {
+	for _, v := range d.verifiers {
+		v.SetTimeout()
+	}
+}
+
+// Certified returns true if at least t deals are certified (see
+// vss.Verifier.DealCertified()). If the distribution is certified, the protocol
+// can continue using d.SecretCommits().
+func (d *DistKeyGenerator) Certified() bool {
+	return len(d.QUAL()) >= d.t
+}
+
+// QUAL returns the index in the list of participants that forms the QUALIFIED
+// set as described in the "New-DKG" protocol by Rabin. Basically, it consists
+// of all participants that are not disqualified after having  exchanged all
+// deals, responses and justification. This is the set that is used to extract
+// the distributed public key with SecretCommits() and ProcessSecretCommits().
+func (d *DistKeyGenerator) QUAL() []int {
+	var good []int
+	d.qualIter(func(i uint32, v *vss.Verifier) bool {
+		good = append(good, int(i))
+		return true
+	})
+	return good
+}
+
+func (d *DistKeyGenerator) isInQUAL(idx uint32) bool {
+	var found bool
+	d.qualIter(func(i uint32, v *vss.Verifier) bool {
+		if i == idx {
+			found = true
+			return false
+		}
+		return true
+	})
+	return found
+}
+
+func (d *DistKeyGenerator) qualIter(fn func(idx uint32, v *vss.Verifier) bool) {
+	for i, v := range d.verifiers {
+		if v.DealCertified() {
+			if !fn(i, v) {
+				break
+			}
+		}
+	}
+}
+
+// SecretCommits returns the commitments of the coefficients of the secret
+// polynomials. This secret commits must be broadcasted to every other
+// participant and must be processed by ProcessSecretCommits. In this manner,
+// the coefficients are revealed through a Feldman VSS scheme.
+// This dkg must have its deal certified, otherwise it returns an error. The
+// SecretCommits returned is already added to this dkg's list of SecretCommits.
+func (d *DistKeyGenerator) SecretCommits() (*SecretCommits, error) {
+	if !d.dealer.DealCertified() {
+		return nil, errors.New("dkg: can't give SecretCommits if deal not certified")
+	}
+	sc := &SecretCommits{
+		Commitments: d.dealer.Commits(),
+		Index:       uint32(d.index),
+		SessionID:   d.dealer.SessionID(),
+	}
+	msg := sc.Hash(d.suite)
+	sig, err := schnorr.Sign(d.suite, d.long, msg)
+	if err != nil {
+		return nil, err
+	}
+	sc.Signature = sig
+	// adding our own commitments
+	d.commitments[uint32(d.index)] = share.NewPubPoly(d.suite, d.suite.Point().Base(), sc.Commitments)
+	return sc, err
+}
+
+// ProcessSecretCommits takes a SecretCommits from every other participant and
+// verifies and stores it. It returns an error in case the SecretCommits is
+// invalid. In case the SecretCommits are valid, but this dkg can't verify its
+// share, it returns a ComplaintCommits that must be broadcasted to every other
+// participant. It returns (nil,nil) otherwise.
+func (d *DistKeyGenerator) ProcessSecretCommits(sc *SecretCommits) (*ComplaintCommits, error) {
+	pub, ok := findPub(d.participants, sc.Index)
+	if !ok {
+		return nil, errors.New("dkg: secretcommits received with index out of bounds")
+	}
+
+	if !d.isInQUAL(sc.Index) {
+		return nil, errors.New("dkg: secretcommits from a non QUAL member")
+	}
+
+	// mapping verified by isInQUAL
+	v := d.verifiers[sc.Index]
+
+	if !bytes.Equal(v.SessionID(), sc.SessionID) {
+		return nil, errors.New("dkg: secretcommits received with wrong session id")
+	}
+
+	msg := sc.Hash(d.suite)
+	if err := schnorr.Verify(d.suite, pub, msg, sc.Signature); err != nil {
+		return nil, err
+	}
+
+	deal := v.Deal()
+	poly := share.NewPubPoly(d.suite, d.suite.Point().Base(), sc.Commitments)
+	if !poly.Check(deal.SecShare) {
+		cc := &ComplaintCommits{
+			Index:       uint32(d.index),
+			DealerIndex: sc.Index,
+			Deal:        deal,
+		}
+		var err error
+		msg := cc.Hash(d.suite)
+		if cc.Signature, err = schnorr.Sign(d.suite, d.long, msg); err != nil {
+			return nil, err
+		}
+		return cc, nil
+	}
+	// commitments are fine
+	d.commitments[sc.Index] = poly
+	return nil, nil
+}
+
+// ProcessComplaintCommits takes any ComplaintCommits revealed through
+// ProcessSecretCommits() from other participants in QUAL. It returns the
+// ReconstructCommits message that must be  broadcasted to every other participant
+// in QUAL so the polynomial in question can be reconstructed.
+func (d *DistKeyGenerator) ProcessComplaintCommits(cc *ComplaintCommits) (*ReconstructCommits, error) {
+	issuer, ok := findPub(d.participants, cc.Index)
+	if !ok {
+		return nil, errors.New("dkg: commitcomplaint with unknown issuer")
+	}
+
+	if !d.isInQUAL(cc.Index) {
+		return nil, errors.New("dkg: complaintcommit from non-qual member")
+	}
+
+	if err := schnorr.Verify(d.suite, issuer, cc.Hash(d.suite), cc.Signature); err != nil {
+		return nil, err
+	}
+
+	v, ok := d.verifiers[cc.DealerIndex]
+	if !ok {
+		return nil, errors.New("dkg: commitcomplaint linked to unknown verifier")
+	}
+
+	// the verification should pass for the deal, and not with the secret
+	// commits. Verification 4) in DKG Rabin's paper.
+	if err := v.VerifyDeal(cc.Deal, false); err != nil {
+		return nil, fmt.Errorf("dkg: verifying deal: %s", err)
+	}
+
+	secretCommits, ok := d.commitments[cc.DealerIndex]
+	if !ok {
+		return nil, errors.New("dkg: complaint about non received commitments")
+	}
+
+	// the secret commits check should fail. Verification 5) in DKG Rabin's
+	// paper.
+	if secretCommits.Check(cc.Deal.SecShare) {
+		return nil, errors.New("dkg: invalid complaint, deal verifying")
+	}
+
+	deal := v.Deal()
+	if deal == nil {
+		return nil, errors.New("dkg: complaint linked to non certified deal")
+	}
+
+	delete(d.commitments, cc.DealerIndex)
+	rc := &ReconstructCommits{
+		SessionID:   cc.Deal.SessionID,
+		Index:       d.index,
+		DealerIndex: cc.DealerIndex,
+		Share:       deal.SecShare,
+	}
+
+	msg := rc.Hash(d.suite)
+	var err error
+	rc.Signature, err = schnorr.Sign(d.suite, d.long, msg)
+	if err != nil {
+		return nil, err
+	}
+	d.pendingReconstruct[cc.DealerIndex] = append(d.pendingReconstruct[cc.DealerIndex], rc)
+	return rc, nil
+}
+
+// ProcessReconstructCommits takes a ReconstructCommits message and stores it
+// along any others. If there are enough messages to recover the coefficients of
+// the public polynomials of the malicious dealer in question, then the
+// polynomial is recovered.
+func (d *DistKeyGenerator) ProcessReconstructCommits(rs *ReconstructCommits) error {
+	if _, ok := d.reconstructed[rs.DealerIndex]; ok {
+		// commitments already reconstructed, no need for other shares
+		return nil
+	}
+	_, ok := d.commitments[rs.DealerIndex]
+	if ok {
+		return errors.New("dkg: commitments not invalidated by any complaints")
+	}
+
+	pub, ok := findPub(d.participants, rs.Index)
+	if !ok {
+		return errors.New("dkg: reconstruct commits with invalid verifier index")
+	}
+
+	msg := rs.Hash(d.suite)
+	if err := schnorr.Verify(d.suite, pub, msg, rs.Signature); err != nil {
+		return err
+	}
+
+	var arr = d.pendingReconstruct[rs.DealerIndex]
+	// check if packet is already received or not
+	// or if the session ID does not match the others
+	for _, r := range arr {
+		if r.Index == rs.Index {
+			return nil
+		}
+		if !bytes.Equal(r.SessionID, rs.SessionID) {
+			return errors.New("dkg: reconstruct commits invalid session id")
+		}
+	}
+	// add it to list of pending shares
+	arr = append(arr, rs)
+	d.pendingReconstruct[rs.DealerIndex] = arr
+	// check if we can reconstruct commitments
+	if len(arr) >= d.t {
+		var shares = make([]*share.PriShare, len(arr))
+		for i, r := range arr {
+			shares[i] = r.Share
+		}
+		// error only happens when you have less than t shares, but we ensure
+		// there are more just before
+		pri, _ := share.RecoverPriPoly(d.suite, shares, d.t, len(d.participants))
+		d.commitments[rs.DealerIndex] = pri.Commit(d.suite.Point().Base())
+		// note it has been reconstructed.
+		d.reconstructed[rs.DealerIndex] = true
+		delete(d.pendingReconstruct, rs.DealerIndex)
+	}
+	return nil
+}
+
+// Finished returns true if the DKG has operated the protocol correctly and has
+// all necessary information to generate the DistKeyShare() by itself. It
+// returns false otherwise.
+func (d *DistKeyGenerator) Finished() bool {
+	var ret = true
+	var nb = 0
+	d.qualIter(func(idx uint32, v *vss.Verifier) bool {
+		nb++
+		// ALL QUAL members should have their commitments by now either given or
+		// reconstructed.
+		if _, ok := d.commitments[idx]; !ok {
+			ret = false
+			return false
+		}
+		return true
+	})
+	return nb >= d.t && ret
+}
+
+// DistKeyShare generates the distributed key relative to this receiver
+// It throws an error if something is wrong such as not enough deals received.
+// The shared secret can be computed when all deals have been sent and
+// basically consists of a public point and a share. The public point is the sum
+// of all aggregated individual public commits of each individual secrets.
+// the share is evaluated from the global Private Polynomial, basically SUM of
+// fj(i) for a receiver i.
+func (d *DistKeyGenerator) DistKeyShare() (*DistKeyShare, error) {
+	if !d.Certified() {
+		return nil, errors.New("dkg: distributed key not certified")
+	}
+
+	sh := d.suite.Scalar().Zero()
+	var pub *share.PubPoly
+	var err error
+
+	d.qualIter(func(i uint32, v *vss.Verifier) bool {
+		// share of dist. secret = sum of all share received.
+		s := v.Deal().SecShare.V
+		sh = sh.Add(sh, s)
+		// Dist. public key = sum of all revealed commitments
+		poly, ok := d.commitments[i]
+		if !ok {
+			err = fmt.Errorf("dkg: protocol not finished: %d commitments missing", i)
+			return false
+		}
+		if pub == nil {
+			// first polynomial we see (instead of generating n empty commits)
+			pub = poly
+			return true
+		}
+		pub, err = pub.Add(poly)
+		return err == nil
+	})
+
+	if err != nil {
+		return nil, err
+	}
+	_, commits := pub.Info()
+
+	return &DistKeyShare{
+		Commits: commits,
+		Share: &share.PriShare{
+			I: int(d.index),
+			V: sh,
+		},
+	}, nil
+}
+
+// Hash returns the hash value of this struct used in the signature process.
+func (sc *SecretCommits) Hash(s Suite) []byte {
+	h := s.Hash()
+	_, _ = h.Write([]byte("secretcommits"))
+	_ = binary.Write(h, binary.LittleEndian, sc.Index)
+	for _, p := range sc.Commitments {
+		_, _ = p.MarshalTo(h)
+	}
+	return h.Sum(nil)
+}
+
+// Hash returns the hash value of this struct used in the signature process.
+func (cc *ComplaintCommits) Hash(s Suite) []byte {
+	h := s.Hash()
+	_, _ = h.Write([]byte("commitcomplaint"))
+	_ = binary.Write(h, binary.LittleEndian, cc.Index)
+	_ = binary.Write(h, binary.LittleEndian, cc.DealerIndex)
+	buff, _ := protobuf.Encode(cc.Deal)
+	_, _ = h.Write(buff)
+	return h.Sum(nil)
+}
+
+// Hash returns the hash value of this struct used in the signature process.
+func (rc *ReconstructCommits) Hash(s Suite) []byte {
+	h := s.Hash()
+	_, _ = h.Write([]byte("reconstructcommits"))
+	_ = binary.Write(h, binary.LittleEndian, rc.Index)
+	_ = binary.Write(h, binary.LittleEndian, rc.DealerIndex)
+	_, _ = h.Write(rc.Share.Hash(s))
+	return h.Sum(nil)
+}
+
+func findPub(list []kyber.Point, i uint32) (kyber.Point, bool) {
+	if i >= uint32(len(list)) {
+		return nil, false
+	}
+	return list[i], true
+}
diff --git a/kyber/share/dkg/rabin/dkg_test.go b/kyber/share/dkg/rabin/dkg_test.go
new file mode 100644
index 0000000000..a90e0a03a9
--- /dev/null
+++ b/kyber/share/dkg/rabin/dkg_test.go
@@ -0,0 +1,695 @@
+package dkg
+
+import (
+	"crypto/rand"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/share"
+	vss "go.dedis.ch/kyber/v3/share/vss/rabin"
+	"go.dedis.ch/kyber/v3/sign/schnorr"
+)
+
+var suite = edwards25519.NewBlakeSHA256Ed25519()
+
+var nbParticipants = 7
+
+var partPubs []kyber.Point
+var partSec []kyber.Scalar
+
+var dkgs []*DistKeyGenerator
+
+func init() {
+	partPubs = make([]kyber.Point, nbParticipants)
+	partSec = make([]kyber.Scalar, nbParticipants)
+	for i := 0; i < nbParticipants; i++ {
+		sec, pub := genPair()
+		partPubs[i] = pub
+		partSec[i] = sec
+	}
+	dkgs = dkgGen()
+}
+
+func TestDKGNewDistKeyGenerator(t *testing.T) {
+	long := partSec[0]
+	dkg, err := NewDistKeyGenerator(suite, long, partPubs, nbParticipants/2+1)
+	assert.Nil(t, err)
+	assert.NotNil(t, dkg.dealer)
+	// quick testing here; easier.
+	scs, err := dkg.SecretCommits()
+	assert.Nil(t, scs)
+	assert.Error(t, err)
+
+	sec, _ := genPair()
+	_, err = NewDistKeyGenerator(suite, sec, partPubs, nbParticipants/2+1)
+	assert.Error(t, err)
+
+}
+
+func TestDKGDeal(t *testing.T) {
+	dkg := dkgs[0]
+
+	dks, err := dkg.DistKeyShare()
+	assert.Error(t, err)
+	assert.Nil(t, dks)
+
+	deals, err := dkg.Deals()
+	require.Nil(t, err)
+	assert.Len(t, deals, nbParticipants-1)
+
+	for i := range deals {
+		assert.NotNil(t, deals[i])
+		assert.Equal(t, uint32(0), deals[i].Index)
+	}
+
+	v, ok := dkg.verifiers[dkg.index]
+	assert.True(t, ok)
+	assert.NotNil(t, v)
+}
+
+func TestDKGProcessDeal(t *testing.T) {
+	dkgs = dkgGen()
+	dkg := dkgs[0]
+	deals, err := dkg.Deals()
+	require.Nil(t, err)
+
+	rec := dkgs[1]
+	deal := deals[1]
+	assert.Equal(t, int(deal.Index), 0)
+	assert.Equal(t, uint32(1), rec.index)
+
+	// verifier don't find itself
+	goodP := rec.participants
+	rec.participants = make([]kyber.Point, 0)
+	resp, err := rec.ProcessDeal(deal)
+	assert.Nil(t, resp)
+	assert.Error(t, err)
+	rec.participants = goodP
+
+	// good deal
+	resp, err = rec.ProcessDeal(deal)
+	assert.NotNil(t, resp)
+	assert.Equal(t, true, resp.Response.Approved)
+	assert.Nil(t, err)
+	_, ok := rec.verifiers[deal.Index]
+	require.True(t, ok)
+	assert.Equal(t, uint32(0), resp.Index)
+
+	// duplicate
+	resp, err = rec.ProcessDeal(deal)
+	assert.Nil(t, resp)
+	assert.Error(t, err)
+
+	// wrong index
+	goodIdx := deal.Index
+	deal.Index = uint32(nbParticipants + 1)
+	resp, err = rec.ProcessDeal(deal)
+	assert.Nil(t, resp)
+	assert.Error(t, err)
+	deal.Index = goodIdx
+
+	// wrong deal
+	goodSig := deal.Deal.Signature
+	deal.Deal.Signature = randomBytes(len(deal.Deal.Signature))
+	resp, err = rec.ProcessDeal(deal)
+	assert.Nil(t, resp)
+	assert.Error(t, err)
+	deal.Deal.Signature = goodSig
+
+}
+
+func TestDKGProcessResponse(t *testing.T) {
+	// first peer generates wrong deal
+	// second peer processes it and returns a complaint
+	// first peer process the complaint
+
+	dkgs = dkgGen()
+	dkg := dkgs[0]
+	idxRec := 1
+	rec := dkgs[idxRec]
+	deal, err := dkg.dealer.PlaintextDeal(idxRec)
+	require.Nil(t, err)
+
+	// give a wrong deal
+	goodSecret := deal.RndShare.V
+	deal.RndShare.V = suite.Scalar().Zero()
+	dd, err := dkg.Deals()
+	encD := dd[idxRec]
+	require.Nil(t, err)
+	resp, err := rec.ProcessDeal(encD)
+	assert.Nil(t, err)
+	require.NotNil(t, resp)
+	assert.Equal(t, false, resp.Response.Approved)
+	deal.RndShare.V = goodSecret
+	dd, _ = dkg.Deals()
+	encD = dd[idxRec]
+
+	// no verifier tied to Response
+	v, ok := dkg.verifiers[0]
+	require.NotNil(t, v)
+	require.True(t, ok)
+	require.NotNil(t, v)
+	delete(dkg.verifiers, 0)
+	j, err := dkg.ProcessResponse(resp)
+	assert.Nil(t, j)
+	assert.NotNil(t, err)
+	dkg.verifiers[0] = v
+
+	// invalid response
+	goodSig := resp.Response.Signature
+	resp.Response.Signature = randomBytes(len(goodSig))
+	j, err = dkg.ProcessResponse(resp)
+	assert.Nil(t, j)
+	assert.Error(t, err)
+	resp.Response.Signature = goodSig
+
+	// valid complaint from our deal
+	j, err = dkg.ProcessResponse(resp)
+	assert.NotNil(t, j)
+	assert.Nil(t, err)
+
+	// valid complaint from another deal from another peer
+	dkg2 := dkgs[2]
+	require.Nil(t, err)
+	// fake a wrong deal
+	//deal20, err := dkg2.dealer.PlaintextDeal(0)
+	//require.Nil(t, err)
+	deal21, err := dkg2.dealer.PlaintextDeal(1)
+	require.Nil(t, err)
+	goodRnd21 := deal21.RndShare.V
+	deal21.RndShare.V = suite.Scalar().Zero()
+	deals2, err := dkg2.Deals()
+	require.Nil(t, err)
+
+	resp12, err := rec.ProcessDeal(deals2[idxRec])
+	assert.NotNil(t, resp)
+	assert.Equal(t, false, resp12.Response.Approved)
+
+	deal21.RndShare.V = goodRnd21
+	deals2, err = dkg2.Deals()
+	require.Nil(t, err)
+
+	// give it to the first peer
+	// process dealer 2's deal
+	r, err := dkg.ProcessDeal(deals2[0])
+	assert.Nil(t, err)
+	assert.NotNil(t, r)
+
+	// process response from peer 1
+	j, err = dkg.ProcessResponse(resp12)
+	assert.Nil(t, j)
+	assert.Nil(t, err)
+
+	// Justification part:
+	// give the complaint to the dealer
+	j, err = dkg2.ProcessResponse(resp12)
+	assert.Nil(t, err)
+	assert.NotNil(t, j)
+
+	// hack because all is local, and resp has been modified locally by dkg2's
+	// dealer, the status has became "justified"
+	resp12.Response.Approved = false
+	err = dkg.ProcessJustification(j)
+	assert.Nil(t, err)
+
+	// remove verifiers
+	v = dkg.verifiers[j.Index]
+	delete(dkg.verifiers, j.Index)
+	err = dkg.ProcessJustification(j)
+	assert.Error(t, err)
+	dkg.verifiers[j.Index] = v
+
+}
+
+func TestDKGSecretCommits(t *testing.T) {
+	fullExchange(t)
+
+	dkg := dkgs[0]
+
+	sc, err := dkg.SecretCommits()
+	assert.Nil(t, err)
+	msg := sc.Hash(suite)
+	assert.Nil(t, schnorr.Verify(suite, dkg.pub, msg, sc.Signature))
+
+	dkg2 := dkgs[1]
+	// wrong index
+	goodIdx := sc.Index
+	sc.Index = uint32(nbParticipants + 1)
+	cc, err := dkg2.ProcessSecretCommits(sc)
+	assert.Nil(t, cc)
+	assert.Error(t, err)
+	sc.Index = goodIdx
+
+	// not in qual: delete the verifier
+	goodV := dkg2.verifiers[uint32(0)]
+	delete(dkg2.verifiers, uint32(0))
+	cc, err = dkg2.ProcessSecretCommits(sc)
+	assert.Nil(t, cc)
+	assert.Error(t, err)
+	dkg2.verifiers[uint32(0)] = goodV
+
+	// invalid sig
+	goodSig := sc.Signature
+	sc.Signature = randomBytes(len(goodSig))
+	cc, err = dkg2.ProcessSecretCommits(sc)
+	assert.Nil(t, cc)
+	assert.Error(t, err)
+	sc.Signature = goodSig
+	// invalid session id
+	goodSid := sc.SessionID
+	sc.SessionID = randomBytes(len(goodSid))
+	cc, err = dkg2.ProcessSecretCommits(sc)
+	assert.Nil(t, cc)
+	assert.Error(t, err)
+	sc.SessionID = goodSid
+
+	// wrong commitments
+	goodPoint := sc.Commitments[0]
+	sc.Commitments[0] = suite.Point().Null()
+	msg = sc.Hash(suite)
+	sig, err := schnorr.Sign(suite, dkg.long, msg)
+	require.Nil(t, err)
+	goodSig = sc.Signature
+	sc.Signature = sig
+	cc, err = dkg2.ProcessSecretCommits(sc)
+	assert.NotNil(t, cc)
+	assert.Nil(t, err)
+	sc.Commitments[0] = goodPoint
+	sc.Signature = goodSig
+
+	// all fine
+	cc, err = dkg2.ProcessSecretCommits(sc)
+	assert.Nil(t, cc)
+	assert.Nil(t, err)
+}
+
+func TestDKGComplaintCommits(t *testing.T) {
+	fullExchange(t)
+
+	var scs []*SecretCommits
+	for _, dkg := range dkgs {
+		sc, err := dkg.SecretCommits()
+		require.Nil(t, err)
+		scs = append(scs, sc)
+	}
+
+	for _, sc := range scs {
+		for _, dkg := range dkgs {
+			cc, err := dkg.ProcessSecretCommits(sc)
+			assert.Nil(t, err)
+			assert.Nil(t, cc)
+		}
+	}
+
+	// change the sc for the second one
+	wrongSc := &SecretCommits{}
+	wrongSc.Index = scs[0].Index
+	wrongSc.SessionID = scs[0].SessionID
+	wrongSc.Commitments = make([]kyber.Point, len(scs[0].Commitments))
+	copy(wrongSc.Commitments, scs[0].Commitments)
+	//goodScCommit := scs[0].Commitments[0]
+	wrongSc.Commitments[0] = suite.Point().Null()
+	msg := wrongSc.Hash(suite)
+	wrongSc.Signature, _ = schnorr.Sign(suite, dkgs[0].long, msg)
+
+	dkg := dkgs[1]
+	cc, err := dkg.ProcessSecretCommits(wrongSc)
+	assert.Nil(t, err)
+	assert.NotNil(t, cc)
+
+	dkg2 := dkgs[2]
+	// ComplaintCommits: wrong index
+	goodIndex := cc.Index
+	cc.Index = uint32(nbParticipants)
+	rc, err := dkg2.ProcessComplaintCommits(cc)
+	assert.Nil(t, rc)
+	assert.Error(t, err)
+	cc.Index = goodIndex
+
+	// invalid signature
+	goodSig := cc.Signature
+	cc.Signature = randomBytes(len(cc.Signature))
+	rc, err = dkg2.ProcessComplaintCommits(cc)
+	assert.Nil(t, rc)
+	assert.Error(t, err)
+	cc.Signature = goodSig
+
+	// no verifiers
+	v := dkg2.verifiers[uint32(0)]
+	delete(dkg2.verifiers, uint32(0))
+	rc, err = dkg2.ProcessComplaintCommits(cc)
+	assert.Nil(t, rc)
+	assert.Error(t, err)
+	dkg2.verifiers[uint32(0)] = v
+
+	// deal does not verify
+	goodDeal := cc.Deal
+	cc.Deal = &vss.Deal{
+		SessionID:   goodDeal.SessionID,
+		SecShare:    goodDeal.SecShare,
+		RndShare:    goodDeal.RndShare,
+		T:           goodDeal.T,
+		Commitments: goodDeal.Commitments,
+	}
+	rc, err = dkg2.ProcessComplaintCommits(cc)
+	assert.Nil(t, rc)
+	assert.Error(t, err)
+	cc.Deal = goodDeal
+
+	//  no commitments
+	sc := dkg2.commitments[uint32(0)]
+	delete(dkg2.commitments, uint32(0))
+	rc, err = dkg2.ProcessComplaintCommits(cc)
+	assert.Nil(t, rc)
+	assert.Error(t, err)
+	dkg2.commitments[uint32(0)] = sc
+
+	// secret commits are passing the check
+	rc, err = dkg2.ProcessComplaintCommits(cc)
+	assert.Nil(t, rc)
+	assert.Error(t, err)
+
+	/*
+		TODO find a way to be the malicious guys,i.e.
+		make a deal which validates, but revealing the commitments coefficients makes
+		the check fails.
+		f is the secret polynomial
+		g is the "random" one
+		[f(i) + g(i)]*G == [F + G](i)
+		but
+		f(i)*G != F(i)
+
+		goodV := cc.Deal.SecShare.V
+		goodDSig := cc.Deal.Signature
+		cc.Deal.SecShare.V = suite.Scalar().Zero()
+		msg = msgDeal(cc.Deal)
+		sig, _ := sign.Schnorr(suite, dkgs[cc.DealerIndex].long, msg)
+		cc.Deal.Signature = sig
+		msg = msgCommitComplaint(cc)
+		sig, _ = sign.Schnorr(suite, dkgs[cc.Index].long, msg)
+		goodCCSig := cc.Signature
+		cc.Signature = sig
+		rc, err = dkg2.ProcessComplaintCommits(cc)
+		assert.Nil(t, err)
+		assert.NotNil(t, rc)
+		cc.Deal.SecShare.V = goodV
+		cc.Deal.Signature = goodDSig
+		cc.Signature = goodCCSig
+	*/
+
+}
+
+func TestDKGReconstructCommits(t *testing.T) {
+	fullExchange(t)
+
+	var scs []*SecretCommits
+	for _, dkg := range dkgs {
+		sc, err := dkg.SecretCommits()
+		require.Nil(t, err)
+		scs = append(scs, sc)
+	}
+
+	// give the secret commits to all dkgs but the second one
+	for _, sc := range scs {
+		for _, dkg := range dkgs[2:] {
+			cc, err := dkg.ProcessSecretCommits(sc)
+			assert.Nil(t, err)
+			assert.Nil(t, cc)
+		}
+	}
+
+	// peer 1 wants to reconstruct coeffs from dealer 1
+	rc := &ReconstructCommits{
+		Index:       1,
+		DealerIndex: 0,
+		Share:       dkgs[uint32(1)].verifiers[uint32(0)].Deal().SecShare,
+		SessionID:   dkgs[uint32(1)].verifiers[uint32(0)].Deal().SessionID,
+	}
+	msg := rc.Hash(suite)
+	rc.Signature, _ = schnorr.Sign(suite, dkgs[1].long, msg)
+
+	dkg2 := dkgs[2]
+	// reconstructed already set
+	dkg2.reconstructed[0] = true
+	assert.Nil(t, dkg2.ProcessReconstructCommits(rc))
+	delete(dkg2.reconstructed, uint32(0))
+
+	// commitments not invalidated by any complaints
+	assert.Error(t, dkg2.ProcessReconstructCommits(rc))
+	delete(dkg2.commitments, uint32(0))
+
+	// invalid index
+	goodI := rc.Index
+	rc.Index = uint32(nbParticipants)
+	assert.Error(t, dkg2.ProcessReconstructCommits(rc))
+	rc.Index = goodI
+
+	// invalid sig
+	goodSig := rc.Signature
+	rc.Signature = randomBytes(len(goodSig))
+	assert.Error(t, dkg2.ProcessReconstructCommits(rc))
+	rc.Signature = goodSig
+
+	// all fine
+	assert.Nil(t, dkg2.ProcessReconstructCommits(rc))
+
+	// packet already received
+	var found bool
+	for _, p := range dkg2.pendingReconstruct[rc.DealerIndex] {
+		if p.Index == rc.Index {
+			found = true
+			break
+		}
+	}
+	assert.True(t, found)
+	assert.False(t, dkg2.Finished())
+	// generate enough secret commits  to recover the secret
+	for _, dkg := range dkgs[2:] {
+		rc = &ReconstructCommits{
+			SessionID:   dkg.verifiers[uint32(0)].Deal().SessionID,
+			Index:       dkg.index,
+			DealerIndex: 0,
+			Share:       dkg.verifiers[uint32(0)].Deal().SecShare,
+		}
+		msg := rc.Hash(suite)
+		rc.Signature, _ = schnorr.Sign(suite, dkg.long, msg)
+
+		if dkg2.reconstructed[uint32(0)] {
+			break
+		}
+		// invalid session ID
+		goodSID := rc.SessionID
+		rc.SessionID = randomBytes(len(goodSID))
+		require.Error(t, dkg2.ProcessReconstructCommits(rc))
+		rc.SessionID = goodSID
+
+		_ = dkg2.ProcessReconstructCommits(rc)
+	}
+	assert.True(t, dkg2.reconstructed[uint32(0)])
+	com := dkg2.commitments[uint32(0)]
+	assert.NotNil(t, com)
+	assert.Equal(t, dkgs[0].dealer.SecretCommit().String(), com.Commit().String())
+
+	assert.True(t, dkg2.Finished())
+}
+
+func TestSetTimeout(t *testing.T) {
+	dkgs = dkgGen()
+	// full secret sharing exchange
+	// 1. broadcast deals
+	resps := make([]*Response, 0, nbParticipants*nbParticipants)
+	for _, dkg := range dkgs {
+		deals, err := dkg.Deals()
+		require.Nil(t, err)
+		for i, d := range deals {
+			resp, err := dkgs[i].ProcessDeal(d)
+			require.Nil(t, err)
+			require.True(t, resp.Response.Approved)
+			resps = append(resps, resp)
+		}
+	}
+
+	// 2. Broadcast responses
+	for _, resp := range resps {
+		for _, dkg := range dkgs {
+			if !dkg.verifiers[resp.Index].EnoughApprovals() {
+				// ignore messages about ourself
+				if resp.Response.Index == dkg.index {
+					continue
+				}
+				j, err := dkg.ProcessResponse(resp)
+				require.Nil(t, err)
+				require.Nil(t, j)
+			}
+		}
+	}
+
+	// 3. make sure everyone has the same QUAL set
+	for _, dkg := range dkgs {
+		for _, dkg2 := range dkgs {
+			require.False(t, dkg.isInQUAL(dkg2.index))
+		}
+	}
+
+	for _, dkg := range dkgs {
+		dkg.SetTimeout()
+	}
+
+	for _, dkg := range dkgs {
+		for _, dkg2 := range dkgs {
+			require.True(t, dkg.isInQUAL(dkg2.index))
+		}
+	}
+
+}
+
+func TestDistKeyShare(t *testing.T) {
+	fullExchange(t)
+
+	var scs []*SecretCommits
+	for i, dkg := range dkgs[:len(dkgs)-1] {
+		sc, err := dkg.SecretCommits()
+		require.Nil(t, err)
+		scs = append(scs, sc)
+		for j, dkg := range dkgs[:len(dkgs)-1] {
+			if i == j {
+				continue
+			}
+			cc, err := dkg.ProcessSecretCommits(sc)
+			require.Nil(t, err)
+			require.Nil(t, cc)
+		}
+	}
+
+	// check that we can't get the dist key share before exchanging commitments
+	lastDkg := dkgs[len(dkgs)-1]
+	dks, err := lastDkg.DistKeyShare()
+	assert.Nil(t, dks)
+	assert.Error(t, err)
+
+	for _, sc := range scs {
+		cc, err := lastDkg.ProcessSecretCommits(sc)
+		require.Nil(t, cc)
+		require.Nil(t, err)
+	}
+
+	sc, err := lastDkg.SecretCommits()
+	require.Nil(t, err)
+	require.NotNil(t, sc)
+
+	for _, dkg := range dkgs[:len(dkgs)-1] {
+		sc, err := dkg.ProcessSecretCommits(sc)
+		require.Nil(t, sc)
+		require.Nil(t, err)
+
+		require.Equal(t, nbParticipants, len(dkg.QUAL()))
+		require.Equal(t, nbParticipants, len(dkg.commitments))
+	}
+
+	// missing one commitment
+	lastCommitment0 := lastDkg.commitments[0]
+	delete(lastDkg.commitments, uint32(0))
+	dks, err = lastDkg.DistKeyShare()
+	assert.Nil(t, dks)
+	assert.Error(t, err)
+	lastDkg.commitments[uint32(0)] = lastCommitment0
+
+	// everyone should be finished
+	for _, dkg := range dkgs {
+		assert.True(t, dkg.Finished())
+	}
+	// verify integrity of shares etc
+	dkss := make([]*DistKeyShare, nbParticipants)
+	for i, dkg := range dkgs {
+		dks, err := dkg.DistKeyShare()
+		require.NotNil(t, dks)
+		assert.Nil(t, err)
+		dkss[i] = dks
+		assert.Equal(t, dkg.index, uint32(dks.Share.I))
+	}
+
+	shares := make([]*share.PriShare, nbParticipants)
+	for i, dks := range dkss {
+		assert.True(t, checkDks(dks, dkss[0]), "dist key share not equal %d vs %d", dks.Share.I, 0)
+		shares[i] = dks.Share
+	}
+
+	secret, err := share.RecoverSecret(suite, shares, nbParticipants, nbParticipants)
+	assert.Nil(t, err)
+
+	commitSecret := suite.Point().Mul(secret, nil)
+	assert.Equal(t, dkss[0].Public().String(), commitSecret.String())
+}
+
+func dkgGen() []*DistKeyGenerator {
+	dkgs := make([]*DistKeyGenerator, nbParticipants)
+	for i := 0; i < nbParticipants; i++ {
+		dkg, err := NewDistKeyGenerator(suite, partSec[i], partPubs, nbParticipants/2+1)
+		if err != nil {
+			panic(err)
+		}
+		dkgs[i] = dkg
+	}
+	return dkgs
+}
+
+func genPair() (kyber.Scalar, kyber.Point) {
+	sc := suite.Scalar().Pick(suite.RandomStream())
+	return sc, suite.Point().Mul(sc, nil)
+}
+
+func randomBytes(n int) []byte {
+	var buff = make([]byte, n)
+	_, _ = rand.Read(buff[:])
+	return buff
+}
+func checkDks(dks1, dks2 *DistKeyShare) bool {
+	if len(dks1.Commits) != len(dks2.Commits) {
+		return false
+	}
+	for i, p := range dks1.Commits {
+		if !p.Equal(dks2.Commits[i]) {
+			return false
+		}
+	}
+	return true
+}
+
+func fullExchange(t *testing.T) {
+	dkgs = dkgGen()
+	// full secret sharing exchange
+	// 1. broadcast deals
+	resps := make([]*Response, 0, nbParticipants*nbParticipants)
+	for _, dkg := range dkgs {
+		deals, err := dkg.Deals()
+		require.Nil(t, err)
+		for i, d := range deals {
+			resp, err := dkgs[i].ProcessDeal(d)
+			require.Nil(t, err)
+			require.Equal(t, true, resp.Response.Approved)
+			resps = append(resps, resp)
+		}
+	}
+	// 2. Broadcast responses
+	for _, resp := range resps {
+		for _, dkg := range dkgs {
+			// ignore all messages from ourself
+			if resp.Response.Index == dkg.index {
+				continue
+			}
+			j, err := dkg.ProcessResponse(resp)
+			require.Nil(t, err)
+			require.Nil(t, j)
+		}
+	}
+	// 3. make sure everyone has the same QUAL set
+	for _, dkg := range dkgs {
+		for _, dkg2 := range dkgs {
+			require.True(t, dkg.isInQUAL(dkg2.index))
+		}
+	}
+
+}
diff --git a/kyber/share/poly.go b/kyber/share/poly.go
new file mode 100644
index 0000000000..47fc7adbff
--- /dev/null
+++ b/kyber/share/poly.go
@@ -0,0 +1,523 @@
+// Package share implements Shamir secret sharing and polynomial commitments.
+// Shamir's scheme allows you to split a secret value into multiple parts, so called
+// shares, by evaluating a secret sharing polynomial at certain indices. The
+// shared secret can only be reconstructed (via Lagrange interpolation) if a
+// threshold of the participants provide their shares. A polynomial commitment
+// scheme allows a committer to commit to a secret sharing polynomial so that
+// a verifier can check the claimed evaluations of the committed polynomial.
+// Both schemes of this package are core building blocks for more advanced
+// secret sharing techniques.
+package share
+
+import (
+	"crypto/cipher"
+	"crypto/subtle"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"strings"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+// Some error definitions
+var errorGroups = errors.New("non-matching groups")
+var errorCoeffs = errors.New("different number of coefficients")
+
+// PriShare represents a private share.
+type PriShare struct {
+	I int          // Index of the private share
+	V kyber.Scalar // Value of the private share
+}
+
+func (p *PriShare) String() string {
+	return fmt.Sprintf("PriShare{%d:%v}", p.I, p.V)
+}
+
+// Hash returns the hash representation of this share
+func (p *PriShare) Hash(s kyber.HashFactory) []byte {
+	h := s.Hash()
+	_, _ = p.V.MarshalTo(h)
+	_ = binary.Write(h, binary.LittleEndian, p.I)
+	return h.Sum(nil)
+}
+
+// PriPoly represents a secret sharing polynomial.
+type PriPoly struct {
+	g      kyber.Group    // Cryptographic group
+	coeffs []kyber.Scalar // Coefficients of the polynomial
+}
+
+// NewPriPoly creates a new secret sharing polynomial using the provided
+// cryptographic group, the secret sharing threshold t, and the secret to be
+// shared s. If s is nil, a new s is chosen using the provided randomness
+// stream rand.
+func NewPriPoly(group kyber.Group, t int, s kyber.Scalar, rand cipher.Stream) *PriPoly {
+	coeffs := make([]kyber.Scalar, t)
+	coeffs[0] = s
+	if coeffs[0] == nil {
+		coeffs[0] = group.Scalar().Pick(rand)
+	}
+	for i := 1; i < t; i++ {
+		coeffs[i] = group.Scalar().Pick(rand)
+	}
+	return &PriPoly{g: group, coeffs: coeffs}
+}
+
+// CoefficientsToPriPoly returns a PriPoly based on the given coefficients
+func CoefficientsToPriPoly(g kyber.Group, coeffs []kyber.Scalar) *PriPoly {
+	return &PriPoly{g: g, coeffs: coeffs}
+}
+
+// Threshold returns the secret sharing threshold.
+func (p *PriPoly) Threshold() int {
+	return len(p.coeffs)
+}
+
+// Secret returns the shared secret p(0), i.e., the constant term of the polynomial.
+func (p *PriPoly) Secret() kyber.Scalar {
+	return p.coeffs[0]
+}
+
+// Eval computes the private share v = p(i).
+func (p *PriPoly) Eval(i int) *PriShare {
+	xi := p.g.Scalar().SetInt64(1 + int64(i))
+	v := p.g.Scalar().Zero()
+	for j := p.Threshold() - 1; j >= 0; j-- {
+		v.Mul(v, xi)
+		v.Add(v, p.coeffs[j])
+	}
+	return &PriShare{i, v}
+}
+
+// Shares creates a list of n private shares p(1),...,p(n).
+func (p *PriPoly) Shares(n int) []*PriShare {
+	shares := make([]*PriShare, n)
+	for i := range shares {
+		shares[i] = p.Eval(i)
+	}
+	return shares
+}
+
+// Add computes the component-wise sum of the polynomials p and q and returns it
+// as a new polynomial.
+func (p *PriPoly) Add(q *PriPoly) (*PriPoly, error) {
+	if p.g.String() != q.g.String() {
+		return nil, errorGroups
+	}
+	if p.Threshold() != q.Threshold() {
+		return nil, errorCoeffs
+	}
+	coeffs := make([]kyber.Scalar, p.Threshold())
+	for i := range coeffs {
+		coeffs[i] = p.g.Scalar().Add(p.coeffs[i], q.coeffs[i])
+	}
+	return &PriPoly{p.g, coeffs}, nil
+}
+
+// Equal checks equality of two secret sharing polynomials p and q. If p and q are trivially
+// unequal (e.g., due to mismatching cryptographic groups or polynomial size), this routine
+// returns in variable time. Otherwise it runs in constant time regardless of whether it
+// eventually returns true or false.
+func (p *PriPoly) Equal(q *PriPoly) bool {
+	if p.g.String() != q.g.String() {
+		return false
+	}
+	if len(p.coeffs) != len(q.coeffs) {
+		return false
+	}
+	b := 1
+	for i := 0; i < p.Threshold(); i++ {
+		pb, _ := p.coeffs[i].MarshalBinary()
+		qb, _ := q.coeffs[i].MarshalBinary()
+		b &= subtle.ConstantTimeCompare(pb, qb)
+	}
+	return b == 1
+}
+
+// Commit creates a public commitment polynomial for the given base point b or
+// the standard base if b == nil.
+func (p *PriPoly) Commit(b kyber.Point) *PubPoly {
+	commits := make([]kyber.Point, p.Threshold())
+	for i := range commits {
+		commits[i] = p.g.Point().Mul(p.coeffs[i], b)
+	}
+	return &PubPoly{p.g, b, commits}
+}
+
+// Mul multiples p and q together. The result is a polynomial of the sum of
+// the two degrees of p and q. NOTE: it does not check for null coefficients
+// after the multiplication, so the degree of the polynomial is "always" as
+// described above. This is only for use in secret sharing schemes. It is not
+// a general polynomial multiplication routine.
+func (p *PriPoly) Mul(q *PriPoly) *PriPoly {
+	d1 := len(p.coeffs) - 1
+	d2 := len(q.coeffs) - 1
+	newDegree := d1 + d2
+	coeffs := make([]kyber.Scalar, newDegree+1)
+	for i := range coeffs {
+		coeffs[i] = p.g.Scalar().Zero()
+	}
+	for i := range p.coeffs {
+		for j := range q.coeffs {
+			tmp := p.g.Scalar().Mul(p.coeffs[i], q.coeffs[j])
+			coeffs[i+j] = tmp.Add(coeffs[i+j], tmp)
+		}
+	}
+	return &PriPoly{p.g, coeffs}
+}
+
+// Coefficients return the list of coefficients representing p. This
+// information is generally PRIVATE and should not be revealed to a third party
+// lightly.
+func (p *PriPoly) Coefficients() []kyber.Scalar {
+	return p.coeffs
+}
+
+// RecoverSecret reconstructs the shared secret p(0) from a list of private
+// shares using Lagrange interpolation.
+func RecoverSecret(g kyber.Group, shares []*PriShare, t, n int) (kyber.Scalar, error) {
+	x, y := xyScalar(g, shares, t, n)
+	if len(x) < t {
+		return nil, errors.New("share: not enough shares to recover secret")
+	}
+
+	acc := g.Scalar().Zero()
+	num := g.Scalar()
+	den := g.Scalar()
+	tmp := g.Scalar()
+
+	for i, xi := range x {
+		yi := y[i]
+		num.Set(yi)
+		den.One()
+		for j, xj := range x {
+			if i == j {
+				continue
+			}
+			num.Mul(num, xj)
+			den.Mul(den, tmp.Sub(xj, xi))
+		}
+		acc.Add(acc, num.Div(num, den))
+	}
+
+	return acc, nil
+}
+
+// xyScalar returns the list of (x_i, y_i) pairs indexed. The first map returned
+// is the list of x_i and the second map is the list of y_i, both indexed in
+// their respective map at index i.
+func xyScalar(g kyber.Group, shares []*PriShare, t, n int) (map[int]kyber.Scalar, map[int]kyber.Scalar) {
+	// we are sorting first the shares since the shares may be unrelated for
+	// some applications. In this case, all participants needs to interpolate on
+	// the exact same order shares.
+	// XXX naive n^2 sorting => move that to inplace golang native sort
+	sorted := make([]*PriShare, n)
+	for i := 0; i < len(shares); i++ {
+		if shares[i] != nil {
+			sorted[shares[i].I] = shares[i]
+		}
+	}
+	if len(sorted) < len(shares) {
+		panic("that should not happen")
+	}
+
+	x := make(map[int]kyber.Scalar)
+	y := make(map[int]kyber.Scalar)
+	for _, s := range sorted {
+		if s == nil || s.V == nil || s.I < 0 || n <= s.I {
+			continue
+		}
+		idx := s.I
+		x[idx] = g.Scalar().SetInt64(int64(idx + 1))
+		y[idx] = s.V
+		if len(x) == t {
+			break
+		}
+	}
+	return x, y
+}
+
+func minusConst(g kyber.Group, c kyber.Scalar) *PriPoly {
+	neg := g.Scalar().Neg(c)
+	return &PriPoly{
+		g:      g,
+		coeffs: []kyber.Scalar{neg, g.Scalar().One()},
+	}
+}
+
+// RecoverPriPoly takes a list of shares and the parameters t and n to
+// reconstruct the secret polynomial completely, i.e., all private
+// coefficients.  It is up to the caller to make sure that there are enough
+// shares to correctly re-construct the polynomial. There must be at least t
+// shares.
+func RecoverPriPoly(g kyber.Group, shares []*PriShare, t, n int) (*PriPoly, error) {
+	x, y := xyScalar(g, shares, t, n)
+	if len(x) != t {
+		return nil, errors.New("share: not enough shares to recover private polynomial")
+	}
+
+	var accPoly *PriPoly
+	var err error
+	//den := g.Scalar()
+	// Notations follow the Wikipedia article on Lagrange interpolation
+	// https://en.wikipedia.org/wiki/Lagrange_polynomial
+	for j := range x {
+		basis := lagrangeBasis(g, j, x)
+		for i := range basis.coeffs {
+			basis.coeffs[i] = basis.coeffs[i].Mul(basis.coeffs[i], y[j])
+		}
+
+		if accPoly == nil {
+			accPoly = basis
+			continue
+		}
+
+		// add all L_j * y_j together
+		accPoly, err = accPoly.Add(basis)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return accPoly, nil
+}
+
+func (p *PriPoly) String() string {
+	var strs = make([]string, len(p.coeffs))
+	for i, c := range p.coeffs {
+		strs[i] = c.String()
+	}
+	return "[ " + strings.Join(strs, ", ") + " ]"
+}
+
+// PubShare represents a public share.
+type PubShare struct {
+	I int         // Index of the public share
+	V kyber.Point // Value of the public share
+}
+
+// Hash returns the hash representation of this share.
+func (p *PubShare) Hash(s kyber.HashFactory) []byte {
+	h := s.Hash()
+	_, _ = p.V.MarshalTo(h)
+	_ = binary.Write(h, binary.LittleEndian, p.I)
+	return h.Sum(nil)
+}
+
+// PubPoly represents a public commitment polynomial to a secret sharing polynomial.
+type PubPoly struct {
+	g       kyber.Group   // Cryptographic group
+	b       kyber.Point   // Base point, nil for standard base
+	commits []kyber.Point // Commitments to coefficients of the secret sharing polynomial
+}
+
+// NewPubPoly creates a new public commitment polynomial.
+func NewPubPoly(g kyber.Group, b kyber.Point, commits []kyber.Point) *PubPoly {
+	return &PubPoly{g, b, commits}
+}
+
+// Info returns the base point and the commitments to the polynomial coefficients.
+func (p *PubPoly) Info() (base kyber.Point, commits []kyber.Point) {
+	return p.b, p.commits
+}
+
+// Threshold returns the secret sharing threshold.
+func (p *PubPoly) Threshold() int {
+	return len(p.commits)
+}
+
+// Commit returns the secret commitment p(0), i.e., the constant term of the polynomial.
+func (p *PubPoly) Commit() kyber.Point {
+	return p.commits[0]
+}
+
+// Eval computes the public share v = p(i).
+func (p *PubPoly) Eval(i int) *PubShare {
+	xi := p.g.Scalar().SetInt64(1 + int64(i)) // x-coordinate of this share
+	v := p.g.Point().Null()
+	for j := p.Threshold() - 1; j >= 0; j-- {
+		v.Mul(xi, v)
+		v.Add(v, p.commits[j])
+	}
+	return &PubShare{i, v}
+}
+
+// Shares creates a list of n public commitment shares p(1),...,p(n).
+func (p *PubPoly) Shares(n int) []*PubShare {
+	shares := make([]*PubShare, n)
+	for i := range shares {
+		shares[i] = p.Eval(i)
+	}
+	return shares
+}
+
+// Add computes the component-wise sum of the polynomials p and q and returns it
+// as a new polynomial. NOTE: If the base points p.b and q.b are different then the
+// base point of the resulting PubPoly cannot be computed without knowing the
+// discrete logarithm between p.b and q.b. In this particular case, we are using
+// p.b as a default value which of course does not correspond to the correct
+// base point and thus should not be used in further computations.
+func (p *PubPoly) Add(q *PubPoly) (*PubPoly, error) {
+	if p.g.String() != q.g.String() {
+		return nil, errorGroups
+	}
+
+	if p.Threshold() != q.Threshold() {
+		return nil, errorCoeffs
+	}
+
+	commits := make([]kyber.Point, p.Threshold())
+	for i := range commits {
+		commits[i] = p.g.Point().Add(p.commits[i], q.commits[i])
+	}
+
+	return &PubPoly{p.g, p.b, commits}, nil
+}
+
+// Equal checks equality of two public commitment polynomials p and q. If p and
+// q are trivially unequal (e.g., due to mismatching cryptographic groups),
+// this routine returns in variable time. Otherwise it runs in constant time
+// regardless of whether it eventually returns true or false.
+func (p *PubPoly) Equal(q *PubPoly) bool {
+	if p.g.String() != q.g.String() {
+		return false
+	}
+	b := 1
+	for i := 0; i < p.Threshold(); i++ {
+		pb, _ := p.commits[i].MarshalBinary()
+		qb, _ := q.commits[i].MarshalBinary()
+		b &= subtle.ConstantTimeCompare(pb, qb)
+	}
+	return b == 1
+}
+
+// Check a private share against a public commitment polynomial.
+func (p *PubPoly) Check(s *PriShare) bool {
+	pv := p.Eval(s.I)
+	ps := p.g.Point().Mul(s.V, p.b)
+	return pv.V.Equal(ps)
+}
+
+// xyCommits is the public version of xScalars.
+func xyCommit(g kyber.Group, shares []*PubShare, t, n int) (map[int]kyber.Scalar, map[int]kyber.Point) {
+	// we are sorting first the shares since the shares may be unrelated for
+	// some applications. In this case, all participants needs to interpolate on
+	// the exact same order shares.
+	// XXX naive n^2 sorting => move that to inplace golang native sort
+	sorted := make([]*PubShare, n)
+	for i := 0; i < len(shares); i++ {
+		if shares[i] != nil {
+			sorted[shares[i].I] = shares[i]
+		}
+	}
+
+	if len(sorted) < len(shares) {
+		panic("that should not happen")
+	}
+	x := make(map[int]kyber.Scalar)
+	y := make(map[int]kyber.Point)
+
+	for _, s := range sorted {
+		if s == nil || s.V == nil || s.I < 0 || n <= s.I {
+			continue
+		}
+		idx := s.I
+		x[idx] = g.Scalar().SetInt64(int64(idx + 1))
+		y[idx] = s.V
+		if len(x) == t {
+			break
+		}
+	}
+	return x, y
+}
+
+// RecoverCommit reconstructs the secret commitment p(0) from a list of public
+// shares using Lagrange interpolation.
+func RecoverCommit(g kyber.Group, shares []*PubShare, t, n int) (kyber.Point, error) {
+	x, y := xyCommit(g, shares, t, n)
+	if len(x) < t {
+		return nil, errors.New("share: not enough good public shares to reconstruct secret commitment")
+	}
+
+	num := g.Scalar()
+	den := g.Scalar()
+	tmp := g.Scalar()
+	Acc := g.Point().Null()
+	Tmp := g.Point()
+
+	for i, xi := range x {
+		num.One()
+		den.One()
+		for j, xj := range x {
+			if i == j {
+				continue
+			}
+			num.Mul(num, xj)
+			den.Mul(den, tmp.Sub(xj, xi))
+		}
+		Tmp.Mul(num.Div(num, den), y[i])
+		Acc.Add(Acc, Tmp)
+	}
+
+	return Acc, nil
+}
+
+// RecoverPubPoly reconstructs the full public polynomial from a set of public
+// shares using Lagrange interpolation.
+func RecoverPubPoly(g kyber.Group, shares []*PubShare, t, n int) (*PubPoly, error) {
+	x, y := xyCommit(g, shares, t, n)
+	if len(x) < t {
+		return nil, errors.New("share: not enough good public shares to reconstruct secret commitment")
+	}
+
+	var accPoly *PubPoly
+	var err error
+
+	for j := range x {
+		basis := lagrangeBasis(g, j, x)
+
+		// compute the L_j * y_j polynomial in point space
+		tmp := basis.Commit(y[j])
+		if accPoly == nil {
+			accPoly = tmp
+			continue
+		}
+
+		// add all L_j * y_j together
+		accPoly, err = accPoly.Add(tmp)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return accPoly, nil
+
+}
+
+// lagrangeBasis returns a PriPoly containing the Lagrange coefficients for the
+// i-th position. xs is a mapping between the indices and the values that the
+// interpolation is using, computed with xyScalar().
+func lagrangeBasis(g kyber.Group, i int, xs map[int]kyber.Scalar) *PriPoly {
+	var basis = &PriPoly{
+		g:      g,
+		coeffs: []kyber.Scalar{g.Scalar().One()},
+	}
+	// compute lagrange basis l_j
+	den := g.Scalar().One()
+	var acc = g.Scalar().One()
+	for m, xm := range xs {
+		if i == m {
+			continue
+		}
+		basis = basis.Mul(minusConst(g, xm))
+		den.Sub(xs[i], xm) // den = xi - xm
+		den.Inv(den)       // den = 1 / den
+		acc.Mul(acc, den)  // acc = acc * den
+	}
+
+	// multiply all coefficients by the denominator
+	for i := range basis.coeffs {
+		basis.coeffs[i] = basis.coeffs[i].Mul(basis.coeffs[i], acc)
+	}
+	return basis
+}
diff --git a/kyber/share/poly_test.go b/kyber/share/poly_test.go
new file mode 100644
index 0000000000..b06fb7a8f6
--- /dev/null
+++ b/kyber/share/poly_test.go
@@ -0,0 +1,458 @@
+package share
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+)
+
+func TestSecretRecovery(test *testing.T) {
+	g := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	t := n/2 + 1
+	poly := NewPriPoly(g, t, nil, g.RandomStream())
+	shares := poly.Shares(n)
+
+	recovered, err := RecoverSecret(g, shares, t, n)
+	if err != nil {
+		test.Fatal(err)
+	}
+
+	if !recovered.Equal(poly.Secret()) {
+		test.Fatal("recovered secret does not match initial value")
+	}
+}
+func TestSecretRecoveryDelete(test *testing.T) {
+	g := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	t := n/2 + 1
+	poly := NewPriPoly(g, t, nil, g.RandomStream())
+	shares := poly.Shares(n)
+
+	// Corrupt a few shares
+	shares[2] = nil
+	shares[5] = nil
+	shares[7] = nil
+	shares[8] = nil
+
+	recovered, err := RecoverSecret(g, shares, t, n)
+	if err != nil {
+		test.Fatal(err)
+	}
+
+	if !recovered.Equal(poly.Secret()) {
+		test.Fatal("recovered secret does not match initial value")
+	}
+}
+
+func TestSecretRecoveryDeleteFail(test *testing.T) {
+	g := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	t := n/2 + 1
+
+	poly := NewPriPoly(g, t, nil, g.RandomStream())
+	shares := poly.Shares(n)
+
+	// Corrupt one more share than acceptable
+	shares[1] = nil
+	shares[2] = nil
+	shares[5] = nil
+	shares[7] = nil
+	shares[8] = nil
+
+	_, err := RecoverSecret(g, shares, t, n)
+	if err == nil {
+		test.Fatal("recovered secret unexpectably")
+	}
+}
+
+func TestSecretPolyEqual(test *testing.T) {
+	g := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	t := n/2 + 1
+
+	p1 := NewPriPoly(g, t, nil, g.RandomStream())
+	p2 := NewPriPoly(g, t, nil, g.RandomStream())
+	p3 := NewPriPoly(g, t, nil, g.RandomStream())
+
+	p12, _ := p1.Add(p2)
+	p13, _ := p1.Add(p3)
+
+	p123, _ := p12.Add(p3)
+	p132, _ := p13.Add(p2)
+
+	if !p123.Equal(p132) {
+		test.Fatal("private polynomials not equal")
+	}
+}
+
+func TestPublicCheck(test *testing.T) {
+	g := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	t := n/2 + 1
+
+	priPoly := NewPriPoly(g, t, nil, g.RandomStream())
+	priShares := priPoly.Shares(n)
+	pubPoly := priPoly.Commit(nil)
+
+	for i, share := range priShares {
+		if !pubPoly.Check(share) {
+			test.Fatalf("private share %v not valid with respect to the public commitment polynomial", i)
+		}
+	}
+}
+
+func TestPublicRecovery(test *testing.T) {
+	g := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	t := n/2 + 1
+
+	priPoly := NewPriPoly(g, t, nil, g.RandomStream())
+	pubPoly := priPoly.Commit(nil)
+	pubShares := pubPoly.Shares(n)
+
+	recovered, err := RecoverCommit(g, pubShares, t, n)
+	if err != nil {
+		test.Fatal(err)
+	}
+
+	if !recovered.Equal(pubPoly.Commit()) {
+		test.Fatal("recovered commit does not match initial value")
+	}
+
+	polyRecovered, err := RecoverPubPoly(g, pubShares, t, n)
+	if err != nil {
+		test.Fatal(err)
+	}
+
+	require.True(test, pubPoly.Equal(polyRecovered))
+}
+
+func TestPublicRecoveryDelete(test *testing.T) {
+	g := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	t := n/2 + 1
+
+	priPoly := NewPriPoly(g, t, nil, g.RandomStream())
+	pubPoly := priPoly.Commit(nil)
+	shares := pubPoly.Shares(n)
+
+	// Corrupt a few shares
+	shares[2] = nil
+	shares[5] = nil
+	shares[7] = nil
+	shares[8] = nil
+
+	recovered, err := RecoverCommit(g, shares, t, n)
+	if err != nil {
+		test.Fatal(err)
+	}
+
+	if !recovered.Equal(pubPoly.Commit()) {
+		test.Fatal("recovered commit does not match initial value")
+	}
+}
+
+func TestPublicRecoveryDeleteFail(test *testing.T) {
+	g := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	t := n/2 + 1
+
+	priPoly := NewPriPoly(g, t, nil, g.RandomStream())
+	pubPoly := priPoly.Commit(nil)
+	shares := pubPoly.Shares(n)
+
+	// Corrupt one more share than acceptable
+	shares[1] = nil
+	shares[2] = nil
+	shares[5] = nil
+	shares[7] = nil
+	shares[8] = nil
+
+	_, err := RecoverCommit(g, shares, t, n)
+	if err == nil {
+		test.Fatal("recovered commit unexpectably")
+	}
+}
+
+func TestPrivateAdd(test *testing.T) {
+	g := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	t := n/2 + 1
+
+	p := NewPriPoly(g, t, nil, g.RandomStream())
+	q := NewPriPoly(g, t, nil, g.RandomStream())
+
+	r, err := p.Add(q)
+	if err != nil {
+		test.Fatal(err)
+	}
+
+	ps := p.Secret()
+	qs := q.Secret()
+	rs := g.Scalar().Add(ps, qs)
+
+	if !rs.Equal(r.Secret()) {
+		test.Fatal("addition of secret sharing polynomials failed")
+	}
+}
+
+func TestPublicAdd(test *testing.T) {
+	g := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	t := n/2 + 1
+
+	G := g.Point().Pick(g.RandomStream())
+	H := g.Point().Pick(g.RandomStream())
+
+	p := NewPriPoly(g, t, nil, g.RandomStream())
+	q := NewPriPoly(g, t, nil, g.RandomStream())
+
+	P := p.Commit(G)
+	Q := q.Commit(H)
+
+	R, err := P.Add(Q)
+	if err != nil {
+		test.Fatal(err)
+	}
+
+	shares := R.Shares(n)
+	recovered, err := RecoverCommit(g, shares, t, n)
+	if err != nil {
+		test.Fatal(err)
+	}
+
+	x := P.Commit()
+	y := Q.Commit()
+	z := g.Point().Add(x, y)
+
+	if !recovered.Equal(z) {
+		test.Fatal("addition of public commitment polynomials failed")
+	}
+}
+
+func TestPublicPolyEqual(test *testing.T) {
+	g := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	t := n/2 + 1
+
+	G := g.Point().Pick(g.RandomStream())
+
+	p1 := NewPriPoly(g, t, nil, g.RandomStream())
+	p2 := NewPriPoly(g, t, nil, g.RandomStream())
+	p3 := NewPriPoly(g, t, nil, g.RandomStream())
+
+	P1 := p1.Commit(G)
+	P2 := p2.Commit(G)
+	P3 := p3.Commit(G)
+
+	P12, _ := P1.Add(P2)
+	P13, _ := P1.Add(P3)
+
+	P123, _ := P12.Add(P3)
+	P132, _ := P13.Add(P2)
+
+	if !P123.Equal(P132) {
+		test.Fatal("public polynomials not equal")
+	}
+}
+
+func TestPriPolyMul(test *testing.T) {
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	t := n/2 + 1
+	a := NewPriPoly(suite, t, nil, suite.RandomStream())
+	b := NewPriPoly(suite, t, nil, suite.RandomStream())
+
+	c := a.Mul(b)
+	assert.Equal(test, len(a.coeffs)+len(b.coeffs)-1, len(c.coeffs))
+	nul := suite.Scalar().Zero()
+	for _, coeff := range c.coeffs {
+		assert.NotEqual(test, nul.String(), coeff.String())
+	}
+
+	a0 := a.coeffs[0]
+	b0 := b.coeffs[0]
+	mul := suite.Scalar().Mul(b0, a0)
+	c0 := c.coeffs[0]
+	assert.Equal(test, c0.String(), mul.String())
+
+	at := a.coeffs[len(a.coeffs)-1]
+	bt := b.coeffs[len(b.coeffs)-1]
+	mul = suite.Scalar().Mul(at, bt)
+	ct := c.coeffs[len(c.coeffs)-1]
+	assert.Equal(test, ct.String(), mul.String())
+}
+
+func TestRecoverPriPoly(test *testing.T) {
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	t := n/2 + 1
+	a := NewPriPoly(suite, t, nil, suite.RandomStream())
+
+	shares := a.Shares(n)
+	reverses := make([]*PriShare, len(shares))
+	l := len(shares) - 1
+	for i := range shares {
+		reverses[l-i] = shares[i]
+	}
+	recovered, err := RecoverPriPoly(suite, shares, t, n)
+	assert.Nil(test, err)
+
+	reverseRecovered, err := RecoverPriPoly(suite, reverses, t, n)
+	assert.Nil(test, err)
+
+	for i := 0; i < t; i++ {
+		assert.Equal(test, recovered.Eval(i).V.String(), a.Eval(i).V.String())
+		assert.Equal(test, reverseRecovered.Eval(i).V.String(), a.Eval(i).V.String())
+	}
+}
+
+func TestPriPolyCoefficients(test *testing.T) {
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	t := n/2 + 1
+	a := NewPriPoly(suite, t, nil, suite.RandomStream())
+
+	coeffs := a.Coefficients()
+	require.Len(test, coeffs, t)
+
+	b := CoefficientsToPriPoly(suite, coeffs)
+	require.Equal(test, a.coeffs, b.coeffs)
+
+}
+
+func TestRefreshDKG(test *testing.T) {
+	g := edwards25519.NewBlakeSHA256Ed25519()
+	n := 10
+	t := n/2 + 1
+
+	// Run an n-fold Pedersen VSS (= DKG)
+	priPolys := make([]*PriPoly, n)
+	priShares := make([][]*PriShare, n)
+	pubPolys := make([]*PubPoly, n)
+	pubShares := make([][]*PubShare, n)
+	for i := 0; i < n; i++ {
+		priPolys[i] = NewPriPoly(g, t, nil, g.RandomStream())
+		priShares[i] = priPolys[i].Shares(n)
+		pubPolys[i] = priPolys[i].Commit(nil)
+		pubShares[i] = pubPolys[i].Shares(n)
+	}
+
+	// Verify VSS shares
+	for i := 0; i < n; i++ {
+		for j := 0; j < n; j++ {
+			sij := priShares[i][j]
+			// s_ij * G
+			sijG := g.Point().Base().Mul(sij.V, nil)
+			require.True(test, sijG.Equal(pubShares[i][j].V))
+		}
+	}
+
+	// Create private DKG shares
+	dkgShares := make([]*PriShare, n)
+	for i := 0; i < n; i++ {
+		acc := g.Scalar().Zero()
+		for j := 0; j < n; j++ { // assuming all participants are in the qualified set
+			acc = g.Scalar().Add(acc, priShares[j][i].V)
+		}
+		dkgShares[i] = &PriShare{i, acc}
+	}
+
+	// Create public DKG commitments (= verification vector)
+	dkgCommits := make([]kyber.Point, t)
+	for k := 0; k < t; k++ {
+		acc := g.Point().Null()
+		for i := 0; i < n; i++ { // assuming all participants are in the qualified set
+			_, coeff := pubPolys[i].Info()
+			acc = g.Point().Add(acc, coeff[k])
+		}
+		dkgCommits[k] = acc
+	}
+
+	// Check that the private DKG shares verify against the public DKG commits
+	dkgPubPoly := NewPubPoly(g, nil, dkgCommits)
+	for i := 0; i < n; i++ {
+		require.True(test, dkgPubPoly.Check(dkgShares[i]))
+	}
+
+	// Start verifiable resharing process
+	subPriPolys := make([]*PriPoly, n)
+	subPriShares := make([][]*PriShare, n)
+	subPubPolys := make([]*PubPoly, n)
+	subPubShares := make([][]*PubShare, n)
+
+	// Create subshares and subpolys
+	for i := 0; i < n; i++ {
+		subPriPolys[i] = NewPriPoly(g, t, dkgShares[i].V, g.RandomStream())
+		subPriShares[i] = subPriPolys[i].Shares(n)
+		subPubPolys[i] = subPriPolys[i].Commit(nil)
+		subPubShares[i] = subPubPolys[i].Shares(n)
+		require.True(test, g.Point().Mul(subPriShares[i][0].V, nil).Equal(subPubShares[i][0].V))
+	}
+
+	// Handout shares to new nodes column-wise and verify them
+	newDKGShares := make([]*PriShare, n)
+	for i := 0; i < n; i++ {
+		tmpPriShares := make([]*PriShare, n) // column-wise reshuffled sub-shares
+		tmpPubShares := make([]*PubShare, n) // public commitments to old DKG private shares
+		for j := 0; j < n; j++ {
+			// Check 1: Verify that the received individual private subshares s_ji
+			// is correct by evaluating the public commitment vector
+			tmpPriShares[j] = &PriShare{I: j, V: subPriShares[j][i].V} // Shares that participant i gets from j
+			require.True(test, g.Point().Mul(tmpPriShares[j].V, nil).Equal(subPubPolys[j].Eval(i).V))
+
+			// Check 2: Verify that the received sub public shares are
+			// commitments to the original secret
+			tmpPubShares[j] = dkgPubPoly.Eval(j)
+			require.True(test, tmpPubShares[j].V.Equal(subPubPolys[j].Commit()))
+		}
+		// Check 3: Verify that the received public shares interpolate to the
+		// original DKG public key
+		com, err := RecoverCommit(g, tmpPubShares, t, n)
+		require.NoError(test, err)
+		require.True(test, dkgCommits[0].Equal(com))
+
+		// Compute the refreshed private DKG share of node i
+		s, err := RecoverSecret(g, tmpPriShares, t, n)
+		require.NoError(test, err)
+		newDKGShares[i] = &PriShare{I: i, V: s}
+	}
+
+	// Refresh the DKG commitments (= verification vector)
+	newDKGCommits := make([]kyber.Point, t)
+	for i := 0; i < t; i++ {
+		pubShares := make([]*PubShare, n)
+		for j := 0; j < n; j++ {
+			_, c := subPubPolys[j].Info()
+			pubShares[j] = &PubShare{I: j, V: c[i]}
+		}
+		com, err := RecoverCommit(g, pubShares, t, n)
+		require.NoError(test, err)
+		newDKGCommits[i] = com
+	}
+
+	// Check that the old and new DKG public keys are the same
+	require.True(test, dkgCommits[0].Equal(newDKGCommits[0]))
+
+	// Check that the old and new DKG private shares are different
+	for i := 0; i < n; i++ {
+		require.False(test, dkgShares[i].V.Equal(newDKGShares[i].V))
+	}
+
+	// Check that the refreshed private DKG shares verify against the refreshed public DKG commits
+	q := NewPubPoly(g, nil, newDKGCommits)
+	for i := 0; i < n; i++ {
+		require.True(test, q.Check(newDKGShares[i]))
+	}
+
+	// Recover the private polynomial
+	refreshedPriPoly, err := RecoverPriPoly(g, newDKGShares, t, n)
+	require.NoError(test, err)
+
+	// Check that the secret and the corresponding (old) public commit match
+	require.True(test, g.Point().Mul(refreshedPriPoly.Secret(), nil).Equal(dkgCommits[0]))
+}
diff --git a/kyber/share/pvss/pvss.go b/kyber/share/pvss/pvss.go
new file mode 100644
index 0000000000..8c8fc8cfee
--- /dev/null
+++ b/kyber/share/pvss/pvss.go
@@ -0,0 +1,190 @@
+// Package pvss implements public verifiable secret sharing as introduced in
+// "A Simple Publicly Verifiable Secret Sharing Scheme and its Application to
+// Electronic Voting" by Berry Schoenmakers. In comparison to regular verifiable
+// secret sharing schemes, PVSS enables any third party to verify shares
+// distributed by a dealer using zero-knowledge proofs. PVSS runs in three steps:
+//  1. The dealer creates a list of encrypted public verifiable shares using
+//     EncShares() and distributes them to the trustees.
+//  2. Upon the announcement that the secret should be released, each trustee
+//     uses DecShare() to first verify and, if valid, decrypt his share.
+//  3. Once a threshold of decrypted shares has been released, anyone can
+//     verify them and, if enough shares are valid, recover the shared secret
+//     using RecoverSecret().
+package pvss
+
+import (
+	"errors"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/proof/dleq"
+	"go.dedis.ch/kyber/v3/share"
+)
+
+// Suite describes the functionalities needed by this package in order to
+// function correctly.
+type Suite interface {
+	kyber.Group
+	kyber.HashFactory
+	kyber.Encoding
+	kyber.XOFFactory
+	kyber.Random
+}
+
+// Some error definitions.
+var errorTooFewShares = errors.New("not enough shares to recover secret")
+var errorDifferentLengths = errors.New("inputs of different lengths")
+var errorEncVerification = errors.New("verification of encrypted share failed")
+var errorDecVerification = errors.New("verification of decrypted share failed")
+
+// PubVerShare is a public verifiable share.
+type PubVerShare struct {
+	S share.PubShare // Share
+	P dleq.Proof     // Proof
+}
+
+// EncShares creates a list of encrypted publicly verifiable PVSS shares for
+// the given secret and the list of public keys X using the sharing threshold
+// t and the base point H. The function returns the list of shares and the
+// public commitment polynomial.
+func EncShares(suite Suite, H kyber.Point, X []kyber.Point, secret kyber.Scalar, t int) (shares []*PubVerShare, commit *share.PubPoly, err error) {
+	n := len(X)
+	encShares := make([]*PubVerShare, n)
+
+	// Create secret sharing polynomial
+	priPoly := share.NewPriPoly(suite, t, secret, suite.RandomStream())
+
+	// Create secret set of shares
+	priShares := priPoly.Shares(n)
+
+	// Create public polynomial commitments with respect to basis H
+	pubPoly := priPoly.Commit(H)
+
+	// Prepare data for encryption consistency proofs ...
+	indices := make([]int, n)
+	values := make([]kyber.Scalar, n)
+	HS := make([]kyber.Point, n)
+	for i := 0; i < n; i++ {
+		indices[i] = priShares[i].I
+		values[i] = priShares[i].V
+		HS[i] = H
+	}
+
+	// Create NIZK discrete-logarithm equality proofs
+	proofs, _, sX, err := dleq.NewDLEQProofBatch(suite, HS, X, values)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	for i := 0; i < n; i++ {
+		ps := &share.PubShare{I: indices[i], V: sX[i]}
+		encShares[i] = &PubVerShare{*ps, *proofs[i]}
+	}
+
+	return encShares, pubPoly, nil
+}
+
+// VerifyEncShare checks that the encrypted share sX satisfies
+// log_{H}(sH) == log_{X}(sX) where sH is the public commitment computed by
+// evaluating the public commitment polynomial at the encrypted share's index i.
+func VerifyEncShare(suite Suite, H kyber.Point, X kyber.Point, sH kyber.Point, encShare *PubVerShare) error {
+	if err := encShare.P.Verify(suite, H, X, sH, encShare.S.V); err != nil {
+		return errorEncVerification
+	}
+	return nil
+}
+
+// VerifyEncShareBatch provides the same functionality as VerifyEncShare but for
+// slices of encrypted shares. The function returns the valid encrypted shares
+// together with the corresponding public keys.
+func VerifyEncShareBatch(suite Suite, H kyber.Point, X []kyber.Point, sH []kyber.Point, encShares []*PubVerShare) ([]kyber.Point, []*PubVerShare, error) {
+	if len(X) != len(sH) || len(sH) != len(encShares) {
+		return nil, nil, errorDifferentLengths
+	}
+	var K []kyber.Point  // good public keys
+	var E []*PubVerShare // good encrypted shares
+	for i := 0; i < len(X); i++ {
+		if err := VerifyEncShare(suite, H, X[i], sH[i], encShares[i]); err == nil {
+			K = append(K, X[i])
+			E = append(E, encShares[i])
+		}
+	}
+	return K, E, nil
+}
+
+// DecShare first verifies the encrypted share against the encryption
+// consistency proof and, if valid, decrypts it and creates a decryption
+// consistency proof.
+func DecShare(suite Suite, H kyber.Point, X kyber.Point, sH kyber.Point, x kyber.Scalar, encShare *PubVerShare) (*PubVerShare, error) {
+	if err := VerifyEncShare(suite, H, X, sH, encShare); err != nil {
+		return nil, err
+	}
+	G := suite.Point().Base()
+	V := suite.Point().Mul(suite.Scalar().Inv(x), encShare.S.V) // decryption: x^{-1} * (xS)
+	ps := &share.PubShare{I: encShare.S.I, V: V}
+	P, _, _, err := dleq.NewDLEQProof(suite, G, V, x)
+	if err != nil {
+		return nil, err
+	}
+	return &PubVerShare{*ps, *P}, nil
+}
+
+// DecShareBatch provides the same functionality as DecShare but for slices of
+// encrypted shares. The function returns the valid encrypted and decrypted
+// shares as well as the corresponding public keys.
+func DecShareBatch(suite Suite, H kyber.Point, X []kyber.Point, sH []kyber.Point, x kyber.Scalar, encShares []*PubVerShare) ([]kyber.Point, []*PubVerShare, []*PubVerShare, error) {
+	if len(X) != len(sH) || len(sH) != len(encShares) {
+		return nil, nil, nil, errorDifferentLengths
+	}
+	var K []kyber.Point  // good public keys
+	var E []*PubVerShare // good encrypted shares
+	var D []*PubVerShare // good decrypted shares
+	for i := 0; i < len(encShares); i++ {
+		if ds, err := DecShare(suite, H, X[i], sH[i], x, encShares[i]); err == nil {
+			K = append(K, X[i])
+			E = append(E, encShares[i])
+			D = append(D, ds)
+		}
+	}
+	return K, E, D, nil
+}
+
+// VerifyDecShare checks that the decrypted share sG satisfies
+// log_{G}(X) == log_{sG}(sX). Note that X = xG and sX = s(xG) = x(sG).
+func VerifyDecShare(suite Suite, G kyber.Point, X kyber.Point, encShare *PubVerShare, decShare *PubVerShare) error {
+	if err := decShare.P.Verify(suite, G, decShare.S.V, X, encShare.S.V); err != nil {
+		return errorDecVerification
+	}
+	return nil
+}
+
+// VerifyDecShareBatch provides the same functionality as VerifyDecShare but for
+// slices of decrypted shares. The function returns the the valid decrypted shares.
+func VerifyDecShareBatch(suite Suite, G kyber.Point, X []kyber.Point, encShares []*PubVerShare, decShares []*PubVerShare) ([]*PubVerShare, error) {
+	if len(X) != len(encShares) || len(encShares) != len(decShares) {
+		return nil, errorDifferentLengths
+	}
+	var D []*PubVerShare // good decrypted shares
+	for i := 0; i < len(X); i++ {
+		if err := VerifyDecShare(suite, G, X[i], encShares[i], decShares[i]); err == nil {
+			D = append(D, decShares[i])
+		}
+	}
+	return D, nil
+}
+
+// RecoverSecret first verifies the given decrypted shares against their
+// decryption consistency proofs and then tries to recover the shared secret.
+func RecoverSecret(suite Suite, G kyber.Point, X []kyber.Point, encShares []*PubVerShare, decShares []*PubVerShare, t int, n int) (kyber.Point, error) {
+	D, err := VerifyDecShareBatch(suite, G, X, encShares, decShares)
+	if err != nil {
+		return nil, err
+	}
+	if len(D) < t {
+		return nil, errorTooFewShares
+	}
+	var shares []*share.PubShare
+	for _, s := range D {
+		shares = append(shares, &s.S)
+	}
+	return share.RecoverCommit(suite, shares, t, n)
+}
diff --git a/kyber/share/pvss/pvss_test.go b/kyber/share/pvss/pvss_test.go
new file mode 100644
index 0000000000..e9dfe32b5c
--- /dev/null
+++ b/kyber/share/pvss/pvss_test.go
@@ -0,0 +1,258 @@
+package pvss
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+)
+
+func TestPVSS(test *testing.T) {
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	G := suite.Point().Base()
+	H := suite.Point().Pick(suite.XOF([]byte("H")))
+	n := 10
+	t := 2*n/3 + 1
+	x := make([]kyber.Scalar, n) // trustee private keys
+	X := make([]kyber.Point, n)  // trustee public keys
+	for i := 0; i < n; i++ {
+		x[i] = suite.Scalar().Pick(suite.RandomStream())
+		X[i] = suite.Point().Mul(x[i], nil)
+	}
+
+	// Scalar of shared secret
+	secret := suite.Scalar().Pick(suite.RandomStream())
+
+	// (1) Share distribution (dealer)
+	encShares, pubPoly, err := EncShares(suite, H, X, secret, t)
+	require.Equal(test, err, nil)
+
+	// (2) Share decryption (trustees)
+	sH := make([]kyber.Point, n)
+	for i := 0; i < n; i++ {
+		sH[i] = pubPoly.Eval(encShares[i].S.I).V
+	}
+
+	var K []kyber.Point  // good public keys
+	var E []*PubVerShare // good encrypted shares
+	var D []*PubVerShare // good decrypted shares
+
+	for i := 0; i < n; i++ {
+		if ds, err := DecShare(suite, H, X[i], sH[i], x[i], encShares[i]); err == nil {
+			K = append(K, X[i])
+			E = append(E, encShares[i])
+			D = append(D, ds)
+		}
+	}
+
+	// (3) Check decrypted shares and recover secret if possible (dealer/3rd party)
+	recovered, err := RecoverSecret(suite, G, K, E, D, t, n)
+	require.Equal(test, err, nil)
+	require.True(test, suite.Point().Mul(secret, nil).Equal(recovered))
+}
+
+func TestPVSSDelete(test *testing.T) {
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	G := suite.Point().Base()
+	H := suite.Point().Pick(suite.XOF([]byte("H")))
+	n := 10
+	t := 2*n/3 + 1
+	x := make([]kyber.Scalar, n) // trustee private keys
+	X := make([]kyber.Point, n)  // trustee public keys
+	for i := 0; i < n; i++ {
+		x[i] = suite.Scalar().Pick(suite.RandomStream())
+		X[i] = suite.Point().Mul(x[i], nil)
+	}
+
+	// Scalar of shared secret
+	secret := suite.Scalar().Pick(suite.RandomStream())
+
+	// (1) Share distribution (dealer)
+	encShares, pubPoly, err := EncShares(suite, H, X, secret, t)
+	require.Equal(test, err, nil)
+
+	// Corrupt some of the encrypted shares
+	encShares[0].S.V = suite.Point().Null()
+	encShares[5].S.V = suite.Point().Null()
+
+	// (2) Share decryption (trustees)
+	sH := make([]kyber.Point, n)
+	for i := 0; i < n; i++ {
+		sH[i] = pubPoly.Eval(encShares[i].S.I).V
+	}
+
+	var K []kyber.Point  // good public keys
+	var E []*PubVerShare // good encrypted shares
+	var D []*PubVerShare // good decrypted shares
+
+	for i := 0; i < n; i++ {
+		if ds, err := DecShare(suite, H, X[i], sH[i], x[i], encShares[i]); err == nil {
+			K = append(K, X[i])
+			E = append(E, encShares[i])
+			D = append(D, ds)
+		}
+	}
+
+	// Corrupt some of the decrypted shares
+	D[1].S.V = suite.Point().Null()
+
+	// (3) Check decrypted shares and recover secret if possible (dealer/3rd party)
+	recovered, err := RecoverSecret(suite, G, K, E, D, t, n)
+	require.Equal(test, err, nil)
+	require.True(test, suite.Point().Mul(secret, nil).Equal(recovered))
+}
+
+func TestPVSSDeleteFail(test *testing.T) {
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	G := suite.Point().Base()
+	H := suite.Point().Pick(suite.XOF([]byte("H")))
+	n := 10
+	t := 2*n/3 + 1
+	x := make([]kyber.Scalar, n) // trustee private keys
+	X := make([]kyber.Point, n)  // trustee public keys
+	for i := 0; i < n; i++ {
+		x[i] = suite.Scalar().Pick(suite.RandomStream())
+		X[i] = suite.Point().Mul(x[i], nil)
+	}
+
+	// Scalar of shared secret
+	secret := suite.Scalar().Pick(suite.RandomStream())
+
+	// (1) Share distribution (dealer)
+	encShares, pubPoly, err := EncShares(suite, H, X, secret, t)
+	require.Equal(test, err, nil)
+
+	// Corrupt some of the encrypted shares
+	encShares[0].S.V = suite.Point().Null()
+	encShares[5].S.V = suite.Point().Null()
+
+	// (2) Share decryption (trustees)
+	sH := make([]kyber.Point, n)
+	for i := 0; i < n; i++ {
+		sH[i] = pubPoly.Eval(encShares[i].S.I).V
+	}
+
+	var K []kyber.Point  // good public keys
+	var E []*PubVerShare // good encrypted shares
+	var D []*PubVerShare // good decrypted shares
+
+	for i := 0; i < n; i++ {
+		if ds, err := DecShare(suite, H, X[i], sH[i], x[i], encShares[i]); err == nil {
+			K = append(K, X[i])
+			E = append(E, encShares[i])
+			D = append(D, ds)
+		}
+	}
+
+	// Corrupt enough decrypted shares to make the secret unrecoverable
+	D[0].S.V = suite.Point().Null()
+	D[1].S.V = suite.Point().Null()
+
+	// (3) Check decrypted shares and recover secret if possible (dealer/3rd party)
+	_, err = RecoverSecret(suite, G, K, E, D, t, n)
+	require.Equal(test, err, errorTooFewShares) // this test is supposed to fail
+}
+
+func TestPVSSBatch(test *testing.T) {
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	G := suite.Point().Base()
+	H := suite.Point().Pick(suite.XOF([]byte("H")))
+	n := 5
+	t := 2*n/3 + 1
+	x := make([]kyber.Scalar, n) // trustee private keys
+	X := make([]kyber.Point, n)  // trustee public keys
+	for i := 0; i < n; i++ {
+		x[i] = suite.Scalar().Pick(suite.RandomStream())
+		X[i] = suite.Point().Mul(x[i], nil)
+	}
+
+	// (1) Share distribution (multiple dealers)
+	s0 := suite.Scalar().Pick(suite.RandomStream())
+	e0, p0, err := EncShares(suite, H, X, s0, t)
+	require.Equal(test, err, nil)
+
+	s1 := suite.Scalar().Pick(suite.RandomStream())
+	e1, p1, err := EncShares(suite, H, X, s1, t)
+	require.Equal(test, err, nil)
+
+	s2 := suite.Scalar().Pick(suite.RandomStream())
+	e2, p2, err := EncShares(suite, H, X, s2, t)
+	require.Equal(test, err, nil)
+
+	sH0 := make([]kyber.Point, n)
+	sH1 := make([]kyber.Point, n)
+	sH2 := make([]kyber.Point, n)
+	for i := 0; i < n; i++ {
+		sH0[i] = p0.Eval(e0[i].S.I).V
+		sH1[i] = p1.Eval(e1[i].S.I).V
+		sH2[i] = p2.Eval(e2[i].S.I).V
+	}
+
+	// Batch verification
+	X0, E0, err := VerifyEncShareBatch(suite, H, X, sH0, e0)
+	require.Equal(test, err, nil)
+
+	X1, E1, err := VerifyEncShareBatch(suite, H, X, sH1, e1)
+	require.Equal(test, err, nil)
+
+	X2, E2, err := VerifyEncShareBatch(suite, H, X, sH2, e2)
+	require.Equal(test, err, nil)
+
+	// Reorder (some) poly evals, keys, and shares
+	P0 := []kyber.Point{p0.Eval(E0[0].S.I).V, p1.Eval(E1[0].S.I).V, p2.Eval(E2[0].S.I).V}
+	P1 := []kyber.Point{p0.Eval(E0[1].S.I).V, p1.Eval(E1[1].S.I).V, p2.Eval(E2[1].S.I).V}
+	P2 := []kyber.Point{p0.Eval(E0[2].S.I).V, p1.Eval(E1[2].S.I).V, p2.Eval(E2[2].S.I).V}
+	P3 := []kyber.Point{p0.Eval(E0[3].S.I).V, p1.Eval(E1[3].S.I).V, p2.Eval(E2[3].S.I).V}
+
+	Y0 := []kyber.Point{X0[0], X1[0], X2[0]}
+	Y1 := []kyber.Point{X0[1], X1[1], X2[1]}
+	Y2 := []kyber.Point{X0[2], X1[2], X2[2]}
+	Y3 := []kyber.Point{X0[3], X1[3], X2[3]}
+
+	Z0 := []*PubVerShare{E0[0], E1[0], E2[0]}
+	Z1 := []*PubVerShare{E0[1], E1[1], E2[1]}
+	Z2 := []*PubVerShare{E0[2], E1[2], E2[2]}
+	Z3 := []*PubVerShare{E0[3], E1[3], E2[3]}
+
+	// (2) Share batch decryption (trustees)
+	KD0, ED0, DD0, err := DecShareBatch(suite, H, Y0, P0, x[0], Z0)
+	require.Equal(test, err, nil)
+
+	KD1, ED1, DD1, err := DecShareBatch(suite, H, Y1, P1, x[1], Z1)
+	require.Equal(test, err, nil)
+
+	KD2, ED2, DD2, err := DecShareBatch(suite, H, Y2, P2, x[2], Z2)
+	require.Equal(test, err, nil)
+
+	KD3, ED3, DD3, err := DecShareBatch(suite, H, Y3, P3, x[3], Z3)
+	require.Equal(test, err, nil)
+
+	// Re-establish order
+	XF0 := []kyber.Point{KD0[0], KD1[0], KD2[0], KD3[0]}
+	XF1 := []kyber.Point{KD0[1], KD1[1], KD2[1], KD3[1]}
+	XF2 := []kyber.Point{KD0[2], KD1[2], KD2[2], KD3[2]}
+
+	EF0 := []*PubVerShare{ED0[0], ED1[0], ED2[0], ED3[0]}
+	EF1 := []*PubVerShare{ED0[1], ED1[1], ED2[1], ED3[1]}
+	EF2 := []*PubVerShare{ED0[2], ED1[2], ED2[2], ED3[2]}
+
+	DF0 := []*PubVerShare{DD0[0], DD1[0], DD2[0], DD3[0]}
+	DF1 := []*PubVerShare{DD0[1], DD1[1], DD2[1], DD3[1]}
+	DF2 := []*PubVerShare{DD0[2], DD1[2], DD2[2], DD3[2]}
+
+	// (3) Recover secrets
+	S0, err := RecoverSecret(suite, G, XF0, EF0, DF0, t, n)
+	require.Equal(test, err, nil)
+
+	S1, err := RecoverSecret(suite, G, XF1, EF1, DF1, t, n)
+	require.Equal(test, err, nil)
+
+	S2, err := RecoverSecret(suite, G, XF2, EF2, DF2, t, n)
+	require.Equal(test, err, nil)
+
+	// Verify secrets
+	require.True(test, suite.Point().Mul(s0, nil).Equal(S0))
+	require.True(test, suite.Point().Mul(s1, nil).Equal(S1))
+	require.True(test, suite.Point().Mul(s2, nil).Equal(S2))
+}
diff --git a/kyber/share/vss/pedersen/dh.go b/kyber/share/vss/pedersen/dh.go
new file mode 100644
index 0000000000..c4e34ddcee
--- /dev/null
+++ b/kyber/share/vss/pedersen/dh.go
@@ -0,0 +1,52 @@
+package vss
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"hash"
+
+	"go.dedis.ch/kyber/v3"
+
+	"golang.org/x/crypto/hkdf"
+)
+
+// dhExchange computes the shared key from a private key and a public key
+func dhExchange(suite Suite, ownPrivate kyber.Scalar, remotePublic kyber.Point) kyber.Point {
+	sk := suite.Point()
+	sk.Mul(ownPrivate, remotePublic)
+	return sk
+}
+
+var sharedKeyLength = 32
+
+// newAEAD returns the AEAD cipher to be use to encrypt a share
+func newAEAD(fn func() hash.Hash, preSharedKey kyber.Point, context []byte) (cipher.AEAD, error) {
+	preBuff, _ := preSharedKey.MarshalBinary()
+	reader := hkdf.New(fn, preBuff, nil, context)
+
+	sharedKey := make([]byte, sharedKeyLength)
+	if _, err := reader.Read(sharedKey); err != nil {
+		return nil, err
+	}
+	block, err := aes.NewCipher(sharedKey)
+	if err != nil {
+		return nil, err
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+	return gcm, nil
+}
+
+// context returns the context slice to be used when encrypting a share
+func context(suite Suite, dealer kyber.Point, verifiers []kyber.Point) []byte {
+	h := suite.Hash()
+	_, _ = h.Write([]byte("vss-dealer"))
+	_, _ = dealer.MarshalTo(h)
+	_, _ = h.Write([]byte("vss-verifiers"))
+	for _, v := range verifiers {
+		_, _ = v.MarshalTo(h)
+	}
+	return h.Sum(nil)
+}
diff --git a/kyber/share/vss/pedersen/vss.go b/kyber/share/vss/pedersen/vss.go
new file mode 100644
index 0000000000..2e5d462abb
--- /dev/null
+++ b/kyber/share/vss/pedersen/vss.go
@@ -0,0 +1,777 @@
+// Package vss implements the verifiable secret sharing scheme from
+// "Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing"
+// by Torben Pryds Pedersen.
+// https://link.springer.com/content/pdf/10.1007/3-540-46766-1_9.pdf
+package vss
+
+import (
+	"bytes"
+	"crypto/cipher"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"reflect"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/share"
+	"go.dedis.ch/kyber/v3/sign/schnorr"
+	"go.dedis.ch/protobuf"
+)
+
+// Suite defines the capabilities required by the vss package.
+type Suite interface {
+	kyber.Group
+	kyber.HashFactory
+	kyber.XOFFactory
+	kyber.Random
+}
+
+// Dealer encapsulates for creating and distributing the shares and for
+// replying to any Responses.
+type Dealer struct {
+	suite  Suite
+	reader cipher.Stream
+	// long is the longterm key of the Dealer
+	long          kyber.Scalar
+	pub           kyber.Point
+	secret        kyber.Scalar
+	secretCommits []kyber.Point
+	secretPoly    *share.PriPoly
+	verifiers     []kyber.Point
+	hkdfContext   []byte
+	// threshold of shares that is needed to reconstruct the secret
+	t int
+	// sessionID is a unique identifier for the whole session of the scheme
+	sessionID []byte
+	// list of deals this Dealer has generated
+	deals []*Deal
+	*Aggregator
+}
+
+// Deal encapsulates the verifiable secret share and is sent by the dealer to a verifier.
+type Deal struct {
+	// Unique session identifier for this protocol run
+	SessionID []byte
+	// Private share generated by the dealer
+	SecShare *share.PriShare
+	// Threshold used for this secret sharing run
+	T uint32
+	// Commitments are the coefficients used to verify the shares against
+	Commitments []kyber.Point
+}
+
+// EncryptedDeal contains the deal in a encrypted form only decipherable by the
+// correct recipient. The encryption is performed in a similar manner as what is
+// done in TLS. The dealer generates a temporary key pair, signs it with its
+// longterm secret key.
+type EncryptedDeal struct {
+	// Ephemeral Diffie Hellman key
+	DHKey []byte
+	// Signature of the DH key by the longterm key of the dealer
+	Signature []byte
+	// Nonce used for the encryption
+	Nonce []byte
+	// AEAD encryption of the deal marshalled by protobuf
+	Cipher []byte
+}
+
+// Response is sent by the verifiers to all participants and holds each
+// individual validation or refusal of a Deal.
+type Response struct {
+	// SessionID related to this run of the protocol
+	SessionID []byte
+	// Index of the verifier issuing this Response from the new set of nodes
+	Index uint32
+	// false = NO APPROVAL == Complaint , true = APPROVAL
+	Status bool
+	// Signature over the whole packet
+	Signature []byte
+}
+
+const (
+	// StatusComplaint is a constant value meaning that a verifier issues
+	// a Complaint against its Dealer.
+	StatusComplaint bool = false
+	// StatusApproval is a constant value meaning that a verifier agrees with
+	// the share it received.
+	StatusApproval bool = true
+)
+
+// Justification is a message that is broadcasted by the Dealer in response to
+// a Complaint. It contains the original Complaint as well as the shares
+// distributed to the complainer.
+type Justification struct {
+	// SessionID related to the current run of the protocol
+	SessionID []byte
+	// Index of the verifier who issued the Complaint,i.e. index of this Deal
+	Index uint32
+	// Deal in cleartext
+	Deal *Deal
+	// Signature over the whole packet
+	Signature []byte
+}
+
+// NewDealer returns a Dealer capable of leading the secret sharing scheme. It
+// does not have to be trusted by other Verifiers. The security parameter t is
+// the number of shares required to reconstruct the secret. It is HIGHLY
+// RECOMMENDED to use a threshold higher or equal than what the method
+// MinimumT() returns, otherwise it breaks the security assumptions of the whole
+// scheme. It returns an error if the t is less than or equal to 2.
+func NewDealer(suite Suite, longterm, secret kyber.Scalar, verifiers []kyber.Point, t int) (*Dealer, error) {
+	d := &Dealer{
+		suite:     suite,
+		long:      longterm,
+		secret:    secret,
+		verifiers: verifiers,
+	}
+	if !validT(t, verifiers) {
+		return nil, fmt.Errorf("dealer: t %d invalid", t)
+	}
+	d.t = t
+
+	f := share.NewPriPoly(d.suite, d.t, d.secret, suite.RandomStream())
+	d.pub = d.suite.Point().Mul(d.long, nil)
+
+	// Compute public polynomial coefficients
+	F := f.Commit(d.suite.Point().Base())
+	_, d.secretCommits = F.Info()
+
+	var err error
+	d.sessionID, err = sessionID(d.suite, d.pub, d.verifiers, d.secretCommits, d.t)
+	if err != nil {
+		return nil, err
+	}
+
+	d.Aggregator = newAggregator(d.suite, d.pub, d.verifiers, d.secretCommits, d.t, d.sessionID)
+	// C = F + G
+	d.deals = make([]*Deal, len(d.verifiers))
+	for i := range d.verifiers {
+		fi := f.Eval(i)
+		d.deals[i] = &Deal{
+			SessionID:   d.sessionID,
+			SecShare:    fi,
+			Commitments: d.secretCommits,
+			T:           uint32(d.t),
+		}
+	}
+	d.hkdfContext = context(suite, d.pub, verifiers)
+	d.secretPoly = f
+	return d, nil
+}
+
+// PlaintextDeal returns the plaintext version of the deal destined for peer i.
+// Use this only for testing.
+func (d *Dealer) PlaintextDeal(i int) (*Deal, error) {
+	if i >= len(d.deals) {
+		return nil, errors.New("dealer: PlaintextDeal given wrong index")
+	}
+	return d.deals[i], nil
+}
+
+// EncryptedDeal returns the encryption of the deal that must be given to the
+// verifier at index i.
+// The dealer first generates a temporary Diffie Hellman key, signs it using its
+// longterm key, and computes the shared key depending on its longterm and
+// ephemeral key and the verifier's public key.
+// This shared key is then fed into a HKDF whose output is the key to a AEAD
+// (AES256-GCM) scheme to encrypt the deal.
+func (d *Dealer) EncryptedDeal(i int) (*EncryptedDeal, error) {
+	vPub, ok := findPub(d.verifiers, uint32(i))
+	if !ok {
+		return nil, errors.New("dealer: wrong index to generate encrypted deal")
+	}
+	// gen ephemeral key
+	dhSecret := d.suite.Scalar().Pick(d.suite.RandomStream())
+	dhPublic := d.suite.Point().Mul(dhSecret, nil)
+	// signs the public key
+	dhPublicBuff, _ := dhPublic.MarshalBinary()
+	signature, err := schnorr.Sign(d.suite, d.long, dhPublicBuff)
+	if err != nil {
+		return nil, err
+	}
+	// AES128-GCM
+	pre := dhExchange(d.suite, dhSecret, vPub)
+	gcm, err := newAEAD(d.suite.Hash, pre, d.hkdfContext)
+	if err != nil {
+		return nil, err
+	}
+
+	nonce := make([]byte, gcm.NonceSize())
+	dealBuff, err := protobuf.Encode(d.deals[i])
+	if err != nil {
+		return nil, err
+	}
+	encrypted := gcm.Seal(nil, nonce, dealBuff, d.hkdfContext)
+	dhBytes, _ := dhPublic.MarshalBinary()
+	return &EncryptedDeal{
+		DHKey:     dhBytes,
+		Signature: signature,
+		Nonce:     nonce,
+		Cipher:    encrypted,
+	}, nil
+}
+
+// EncryptedDeals calls `EncryptedDeal` for each index of the verifier and
+// returns the list of encrypted deals. Each index in the returned slice
+// corresponds to the index in the list of verifiers.
+func (d *Dealer) EncryptedDeals() ([]*EncryptedDeal, error) {
+	deals := make([]*EncryptedDeal, len(d.verifiers))
+	var err error
+	for i := range d.verifiers {
+		deals[i], err = d.EncryptedDeal(i)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return deals, nil
+}
+
+// ProcessResponse analyzes the given Response. If it's a valid complaint, then
+// it returns a Justification. This Justification must be broadcasted to every
+// participants. If it's an invalid complaint, it returns an error about the
+// complaint. The verifiers will also ignore an invalid Complaint.
+func (d *Dealer) ProcessResponse(r *Response) (*Justification, error) {
+	if err := d.verifyResponse(r); err != nil {
+		return nil, err
+	}
+	if r.Status == StatusApproval {
+		return nil, nil
+	}
+
+	j := &Justification{
+		SessionID: d.sessionID,
+		// index is guaranteed to be good because of d.verifyResponse before
+		Index: r.Index,
+		Deal:  d.deals[int(r.Index)],
+	}
+	sig, err := schnorr.Sign(d.suite, d.long, j.Hash(d.suite))
+	if err != nil {
+		return nil, err
+	}
+	j.Signature = sig
+	return j, nil
+}
+
+// SecretCommit returns the commitment of the secret being shared by this
+// dealer. This function is only to be called once the deal has enough approvals
+// and is verified otherwise it returns nil.
+func (d *Dealer) SecretCommit() kyber.Point {
+	if !d.EnoughApprovals() || !d.DealCertified() {
+		return nil
+	}
+	return d.suite.Point().Mul(d.secret, nil)
+}
+
+// Commits returns the commitments of the coefficient of the secret polynomial
+// the Dealer is sharing.
+func (d *Dealer) Commits() []kyber.Point {
+	return d.secretCommits
+}
+
+// Key returns the longterm key pair used by this Dealer.
+func (d *Dealer) Key() (secret kyber.Scalar, public kyber.Point) {
+	return d.long, d.pub
+}
+
+// SessionID returns the current sessionID generated by this dealer for this
+// protocol run.
+func (d *Dealer) SessionID() []byte {
+	return d.sessionID
+}
+
+// SetTimeout marks the end of a round, invalidating any missing (or future) response
+// for this DKG protocol round. The caller is expected to call this after a long timeout
+// so each DKG node can still compute its share if enough Deals are valid.
+func (d *Dealer) SetTimeout() {
+	d.Aggregator.cleanVerifiers()
+}
+
+// PrivatePoly returns the private polynomial used to generate the deal. This
+// private polynomial can be saved and then later on used to generate new
+// shares.  This information SHOULD STAY PRIVATE and thus MUST never be given
+// to any third party.
+func (d *Dealer) PrivatePoly() *share.PriPoly {
+	return d.secretPoly
+}
+
+// Verifier receives a Deal from a Dealer, can reply with a Complaint, and can
+// collaborate with other Verifiers to reconstruct a secret.
+type Verifier struct {
+	suite       Suite
+	longterm    kyber.Scalar
+	pub         kyber.Point
+	dealer      kyber.Point
+	index       int
+	verifiers   []kyber.Point
+	hkdfContext []byte
+	*Aggregator
+}
+
+// NewVerifier returns a Verifier out of:
+//   - its longterm secret key
+//   - the longterm dealer public key
+//   - the list of public key of verifiers. The list MUST include the public key of this Verifier also.
+// The security parameter t of the secret sharing scheme is automatically set to
+// a default safe value. If a different t value is required, it is possible to set
+// it with `verifier.SetT()`.
+func NewVerifier(suite Suite, longterm kyber.Scalar, dealerKey kyber.Point,
+	verifiers []kyber.Point) (*Verifier, error) {
+
+	pub := suite.Point().Mul(longterm, nil)
+	var ok bool
+	var index int
+	for i, v := range verifiers {
+		if v.Equal(pub) {
+			ok = true
+			index = i
+			break
+		}
+	}
+	if !ok {
+		return nil, errors.New("vss: public key not found in the list of verifiers")
+	}
+	v := &Verifier{
+		suite:       suite,
+		longterm:    longterm,
+		dealer:      dealerKey,
+		verifiers:   verifiers,
+		pub:         pub,
+		index:       index,
+		hkdfContext: context(suite, dealerKey, verifiers),
+	}
+	return v, nil
+}
+
+// ProcessEncryptedDeal decrypt the deal received from the Dealer.
+// If the deal is valid, i.e. the verifier can verify its shares
+// against the public coefficients and the signature is valid, an approval
+// response is returned and must be broadcasted to every participants
+// including the dealer.
+// If the deal itself is invalid, it returns a complaint response that must be
+// broadcasted to every other participants including the dealer.
+// If the deal has already been received, or the signature generation of the
+// response failed, it returns an error without any responses.
+func (v *Verifier) ProcessEncryptedDeal(e *EncryptedDeal) (*Response, error) {
+	d, err := v.decryptDeal(e)
+	if err != nil {
+		return nil, err
+	}
+	if d.SecShare.I != v.index {
+		return nil, errors.New("vss: verifier got wrong index from deal")
+	}
+
+	t := int(d.T)
+
+	sid, err := sessionID(v.suite, v.dealer, v.verifiers, d.Commitments, t)
+	if err != nil {
+		return nil, err
+	}
+
+	if v.Aggregator == nil {
+		v.Aggregator = newAggregator(v.suite, v.dealer, v.verifiers, d.Commitments, t, d.SessionID)
+	}
+
+	r := &Response{
+		SessionID: sid,
+		Index:     uint32(v.index),
+		Status:    StatusApproval,
+	}
+	if err = v.VerifyDeal(d, true); err != nil {
+		r.Status = StatusComplaint
+	}
+
+	if err == errDealAlreadyProcessed {
+		return nil, err
+	}
+
+	if r.Signature, err = schnorr.Sign(v.suite, v.longterm, r.Hash(v.suite)); err != nil {
+		return nil, err
+	}
+
+	if err = v.Aggregator.addResponse(r); err != nil {
+		return nil, err
+	}
+	return r, nil
+}
+
+func (v *Verifier) decryptDeal(e *EncryptedDeal) (*Deal, error) {
+	// verify signature
+	if err := schnorr.Verify(v.suite, v.dealer, e.DHKey, e.Signature); err != nil {
+		return nil, err
+	}
+
+	// compute shared key and AES526-GCM cipher
+	dhKey := v.suite.Point()
+	if err := dhKey.UnmarshalBinary(e.DHKey); err != nil {
+		return nil, err
+	}
+	pre := dhExchange(v.suite, v.longterm, dhKey)
+	gcm, err := newAEAD(v.suite.Hash, pre, v.hkdfContext)
+	if err != nil {
+		return nil, err
+	}
+	decrypted, err := gcm.Open(nil, e.Nonce, e.Cipher, v.hkdfContext)
+	if err != nil {
+		return nil, err
+	}
+	deal := &Deal{}
+	err = deal.decode(v.suite, decrypted)
+	return deal, err
+}
+
+// ErrNoDealBeforeResponse is an error returned if a verifier receives a
+// deal before having received any responses. For the moment, the caller must
+// be sure to have dispatched a deal before.
+var ErrNoDealBeforeResponse = errors.New("verifier: need to receive deal before response")
+
+// ProcessResponse analyzes the given response. If it's a valid complaint, the
+// verifier should expect to see a Justification from the Dealer. It returns an
+// error if it's not a valid response.
+// Call `v.DealCertified()` to check if the whole protocol is finished.
+func (v *Verifier) ProcessResponse(resp *Response) error {
+	if v.Aggregator == nil {
+		return ErrNoDealBeforeResponse
+	}
+	return v.Aggregator.verifyResponse(resp)
+}
+
+// Commits returns the commitments of the coefficients of the polynomial
+// contained in the Deal received. It is public information. The private
+// information in the deal must be retrieved through Deal().
+func (v *Verifier) Commits() []kyber.Point {
+	return v.deal.Commitments
+}
+
+// Deal returns the Deal that this verifier has received. It returns
+// nil if the deal is not certified or there is not enough approvals.
+func (v *Verifier) Deal() *Deal {
+	if !v.EnoughApprovals() || !v.DealCertified() {
+		return nil
+	}
+	return v.deal
+}
+
+// ProcessJustification takes a DealerResponse and returns an error if
+// something went wrong during the verification. If it is the case, that
+// probably means the Dealer is acting maliciously. In order to be sure, call
+// `v.EnoughApprovals()` and if true, `v.DealCertified()`.
+func (v *Verifier) ProcessJustification(dr *Justification) error {
+	return v.Aggregator.verifyJustification(dr)
+}
+
+// Key returns the longterm key pair this verifier is using during this protocol
+// run.
+func (v *Verifier) Key() (kyber.Scalar, kyber.Point) {
+	return v.longterm, v.pub
+}
+
+// Index returns the index of the verifier in the list of participants used
+// during this run of the protocol.
+func (v *Verifier) Index() int {
+	return v.index
+}
+
+// SessionID returns the session id generated by the Dealer. It returns
+// an nil slice if the verifier has not received the Deal yet.
+func (v *Verifier) SessionID() []byte {
+	return v.sid
+}
+
+// RecoverSecret recovers the secret shared by a Dealer by gathering at least t
+// Deals from the verifiers. It returns an error if there is not enough Deals or
+// if all Deals don't have the same SessionID.
+func RecoverSecret(suite Suite, deals []*Deal, n, t int) (kyber.Scalar, error) {
+	shares := make([]*share.PriShare, len(deals))
+	for i, deal := range deals {
+		// all sids the same
+		if bytes.Equal(deal.SessionID, deals[0].SessionID) {
+			shares[i] = deal.SecShare
+		} else {
+			return nil, errors.New("vss: all deals need to have same session id")
+		}
+	}
+	return share.RecoverSecret(suite, shares, t, n)
+}
+
+// SetTimeout marks the end of a round, invalidating any missing (or future) response
+// for this DKG protocol round. The caller is expected to call this after a long timeout
+// so each DKG node can still compute its share if enough Deals are valid.
+func (v *Verifier) SetTimeout() {
+	v.Aggregator.cleanVerifiers()
+}
+
+// UnsafeSetResponseDKG is an UNSAFE bypass method to allow DKG to use VSS
+// that works on basis of approval only.
+func (v *Verifier) UnsafeSetResponseDKG(idx uint32, approval bool) {
+	r := &Response{
+		SessionID: v.Aggregator.sid,
+		Index:     uint32(idx),
+		Status:    approval,
+	}
+
+	v.Aggregator.addResponse(r)
+}
+
+// Aggregator is used to collect all deals, and responses for one protocol run.
+// It brings common functionalities for both Dealer and Verifier structs.
+type Aggregator struct {
+	suite     Suite
+	dealer    kyber.Point
+	verifiers []kyber.Point
+	commits   []kyber.Point
+
+	responses map[uint32]*Response
+	sid       []byte
+	deal      *Deal
+	t         int
+	badDealer bool
+}
+
+func newAggregator(suite Suite, dealer kyber.Point, verifiers, commitments []kyber.Point, t int, sid []byte) *Aggregator {
+	agg := &Aggregator{
+		suite:     suite,
+		dealer:    dealer,
+		verifiers: verifiers,
+		commits:   commitments,
+		t:         t,
+		sid:       sid,
+		responses: make(map[uint32]*Response),
+	}
+	return agg
+}
+
+// NewEmptyAggregator returns a structure capable of storing Responses about a
+// deal and check if the deal is certified or not.
+func NewEmptyAggregator(suite Suite, verifiers []kyber.Point) *Aggregator {
+	return &Aggregator{
+		suite:     suite,
+		verifiers: verifiers,
+		responses: make(map[uint32]*Response),
+	}
+}
+
+var errDealAlreadyProcessed = errors.New("vss: verifier already received a deal")
+
+// VerifyDeal analyzes the deal and returns an error if it's incorrect. If
+// inclusion is true, it also returns an error if it is the second time this struct
+// analyzes a Deal.
+func (a *Aggregator) VerifyDeal(d *Deal, inclusion bool) error {
+	if a.deal != nil && inclusion {
+		return errDealAlreadyProcessed
+
+	}
+	if a.deal == nil {
+		a.commits = d.Commitments
+		a.sid = d.SessionID
+		a.deal = d
+	}
+
+	if !validT(int(d.T), a.verifiers) {
+		return errors.New("vss: invalid t received in Deal")
+	}
+
+	if !bytes.Equal(a.sid, d.SessionID) {
+		return errors.New("vss: find different sessionIDs from Deal")
+	}
+
+	fi := d.SecShare
+	if fi.I < 0 || fi.I >= len(a.verifiers) {
+		return errors.New("vss: index out of bounds in Deal")
+	}
+	// compute fi * G
+	fig := a.suite.Point().Base().Mul(fi.V, nil)
+
+	commitPoly := share.NewPubPoly(a.suite, nil, d.Commitments)
+
+	pubShare := commitPoly.Eval(fi.I)
+	if !fig.Equal(pubShare.V) {
+		return errors.New("vss: share does not verify against commitments in Deal")
+	}
+	return nil
+}
+
+// cleanVerifiers checks the Aggregator's response array and creates a StatusComplaint
+// response for all verifiers that did not respond to the Deal.
+func (a *Aggregator) cleanVerifiers() {
+	for i := range a.verifiers {
+		if _, ok := a.responses[uint32(i)]; !ok {
+			a.responses[uint32(i)] = &Response{
+				SessionID: a.sid,
+				Index:     uint32(i),
+				Status:    StatusComplaint,
+			}
+		}
+	}
+}
+
+// ProcessResponse verifies the validity of the given response and stores it
+// internall. It is  the public version of verifyResponse created this way to
+// allow higher-level package to use these functionalities.
+func (a *Aggregator) ProcessResponse(r *Response) error {
+	return a.verifyResponse(r)
+}
+
+func (a *Aggregator) verifyResponse(r *Response) error {
+	if a.sid != nil && !bytes.Equal(r.SessionID, a.sid) {
+		return errors.New("vss: receiving inconsistent sessionID in response")
+	}
+
+	pub, ok := findPub(a.verifiers, r.Index)
+	if !ok {
+		return errors.New("vss: index out of bounds in response")
+	}
+
+	if err := schnorr.Verify(a.suite, pub, r.Hash(a.suite), r.Signature); err != nil {
+		return err
+	}
+
+	return a.addResponse(r)
+}
+
+func (a *Aggregator) verifyJustification(j *Justification) error {
+	if _, ok := findPub(a.verifiers, j.Index); !ok {
+		return errors.New("vss: index out of bounds in justification")
+	}
+	r, ok := a.responses[j.Index]
+	if !ok {
+		return errors.New("vss: no complaints received for this justification")
+	}
+	if r.Status != StatusComplaint {
+		return errors.New("vss: justification received for an approval")
+	}
+
+	if err := a.VerifyDeal(j.Deal, false); err != nil {
+		// if one response is bad, flag the dealer as malicious
+		a.badDealer = true
+		return err
+	}
+	r.Status = StatusApproval
+	return nil
+}
+
+func (a *Aggregator) addResponse(r *Response) error {
+	if _, ok := findPub(a.verifiers, r.Index); !ok {
+		return errors.New("vss: index out of bounds in Complaint")
+	}
+	if _, ok := a.responses[r.Index]; ok {
+		return errors.New("vss: already existing response from same origin")
+	}
+	a.responses[r.Index] = r
+	return nil
+}
+
+// EnoughApprovals returns true if enough verifiers have sent their approval for
+// the deal they received.
+func (a *Aggregator) EnoughApprovals() bool {
+	var app int
+	for _, r := range a.responses {
+		if r.Status == StatusApproval {
+			app++
+		}
+	}
+	return app >= a.t
+}
+
+// Responses returns the current mapping from indexes to Responses.
+func (a *Aggregator) Responses() map[uint32]*Response {
+	return a.responses
+}
+
+// DealCertified returns true if there has been less than t complaints, all
+// Justifications were correct and if EnoughApprovals() returns true.
+func (a *Aggregator) DealCertified() bool {
+	var verifiersUnstable int
+
+	// XXX currently it can still happen that an Aggregator has not been set,
+	// because it did not receive any deals yet or responses.
+	if a == nil {
+		return false
+	}
+
+	// Check either a StatusApproval or StatusComplaint for all known verifiers
+	// i.e. make sure all verifiers are either timed-out or OK.
+	for i := range a.verifiers {
+		if _, ok := a.responses[uint32(i)]; !ok {
+			verifiersUnstable++
+		}
+	}
+
+	tooMuchComplaints := verifiersUnstable > 0 || a.badDealer
+	return a.EnoughApprovals() && !tooMuchComplaints
+}
+
+// MinimumT returns the minimum safe T that is proven to be secure with this
+// protocol. It expects n, the total number of participants.
+// WARNING: Setting a lower T could make
+// the whole protocol insecure. Setting a higher T only makes it harder to
+// reconstruct the secret.
+func MinimumT(n int) int {
+	return (n + 1) / 2
+}
+
+func validT(t int, verifiers []kyber.Point) bool {
+	return t >= 2 && t <= len(verifiers) && int(uint32(t)) == t
+}
+
+func deriveH(suite Suite, verifiers []kyber.Point) kyber.Point {
+	var b bytes.Buffer
+	for _, v := range verifiers {
+		_, _ = v.MarshalTo(&b)
+	}
+	base := suite.Point().Pick(suite.XOF(b.Bytes()))
+	return base
+}
+
+func findPub(verifiers []kyber.Point, idx uint32) (kyber.Point, bool) {
+	iidx := int(idx)
+	if iidx >= len(verifiers) {
+		return nil, false
+	}
+	return verifiers[iidx], true
+}
+
+func sessionID(suite Suite, dealer kyber.Point, verifiers, commitments []kyber.Point, t int) ([]byte, error) {
+	h := suite.Hash()
+	_, _ = dealer.MarshalTo(h)
+
+	for _, v := range verifiers {
+		_, _ = v.MarshalTo(h)
+	}
+
+	for _, c := range commitments {
+		_, _ = c.MarshalTo(h)
+	}
+	_ = binary.Write(h, binary.LittleEndian, uint32(t))
+
+	return h.Sum(nil), nil
+}
+
+// Hash returns the Hash representation of the Response
+func (r *Response) Hash(s Suite) []byte {
+	h := s.Hash()
+	_, _ = h.Write([]byte("response"))
+	_, _ = h.Write(r.SessionID)
+	_ = binary.Write(h, binary.LittleEndian, r.Index)
+	_ = binary.Write(h, binary.LittleEndian, r.Status)
+	return h.Sum(nil)
+}
+
+func (d *Deal) decode(s Suite, buff []byte) error {
+	constructors := make(protobuf.Constructors)
+	var point kyber.Point
+	var secret kyber.Scalar
+	constructors[reflect.TypeOf(&point).Elem()] = func() interface{} { return s.Point() }
+	constructors[reflect.TypeOf(&secret).Elem()] = func() interface{} { return s.Scalar() }
+	return protobuf.DecodeWithConstructors(buff, d, constructors)
+}
+
+// Hash returns the hash of a Justification.
+func (j *Justification) Hash(s Suite) []byte {
+	h := s.Hash()
+	_, _ = h.Write([]byte("justification"))
+	_, _ = h.Write(j.SessionID)
+	_ = binary.Write(h, binary.LittleEndian, j.Index)
+	buff, _ := protobuf.Encode(j.Deal)
+	_, _ = h.Write(buff)
+	return h.Sum(nil)
+}
diff --git a/kyber/share/vss/pedersen/vss_test.go b/kyber/share/vss/pedersen/vss_test.go
new file mode 100644
index 0000000000..42007f7b82
--- /dev/null
+++ b/kyber/share/vss/pedersen/vss_test.go
@@ -0,0 +1,640 @@
+package vss
+
+import (
+	"math/rand"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/sign/schnorr"
+	"go.dedis.ch/kyber/v3/xof/blake2xb"
+	"go.dedis.ch/protobuf"
+)
+
+var rng = blake2xb.New(nil)
+
+var suite = edwards25519.NewBlakeSHA256Ed25519WithRand(rng)
+
+var nbVerifiers = 7
+
+var vssThreshold int
+
+var verifiersPub []kyber.Point
+var verifiersSec []kyber.Scalar
+
+var dealerPub kyber.Point
+var dealerSec kyber.Scalar
+
+var secret kyber.Scalar
+
+func init() {
+	verifiersSec, verifiersPub = genCommits(nbVerifiers)
+	dealerSec, dealerPub = genPair()
+	secret, _ = genPair()
+	vssThreshold = MinimumT(nbVerifiers)
+}
+
+func TestVSSWhole(t *testing.T) {
+	dealer, verifiers := genAll()
+
+	// 1. dispatch deal
+	resps := make([]*Response, nbVerifiers)
+	encDeals, err := dealer.EncryptedDeals()
+	require.Nil(t, err)
+	for i, d := range encDeals {
+		require.Equal(t, ErrNoDealBeforeResponse, verifiers[i].ProcessResponse(nil))
+		resp, err := verifiers[i].ProcessEncryptedDeal(d)
+		require.Nil(t, err)
+		resps[i] = resp
+	}
+
+	// 2. dispatch responses
+	for _, resp := range resps {
+		for i, v := range verifiers {
+			if resp.Index == uint32(i) {
+				continue
+			}
+			require.Nil(t, v.ProcessResponse(resp))
+		}
+		// 2.1. check dealer (no justification here)
+		j, err := dealer.ProcessResponse(resp)
+		require.Nil(t, err)
+		require.Nil(t, j)
+	}
+
+	// 3. check certified
+	for _, v := range verifiers {
+		require.True(t, v.DealCertified())
+	}
+
+	// 4. collect deals
+	deals := make([]*Deal, nbVerifiers)
+	for i, v := range verifiers {
+		deals[i] = v.Deal()
+	}
+
+	// 5. recover
+	sec, err := RecoverSecret(suite, deals, nbVerifiers, MinimumT(nbVerifiers))
+	assert.Nil(t, err)
+	require.NotNil(t, sec)
+	assert.Equal(t, dealer.secret.String(), sec.String())
+
+	priPoly := dealer.PrivatePoly()
+	priCoeffs := priPoly.Coefficients()
+	require.Equal(t, secret.String(), priCoeffs[0].String())
+}
+
+func TestVSSDealerNew(t *testing.T) {
+	goodT := MinimumT(nbVerifiers)
+	dealer, err := NewDealer(suite, dealerSec, secret, verifiersPub, goodT)
+	require.NoError(t, err)
+	require.NotNil(t, dealer.secretPoly)
+
+	for _, badT := range []int{0, 1, -4} {
+		_, err = NewDealer(suite, dealerSec, secret, verifiersPub, badT)
+		assert.Error(t, err)
+	}
+
+}
+
+func TestVSSVerifierNew(t *testing.T) {
+	randIdx := rand.Int() % len(verifiersPub)
+	v, err := NewVerifier(suite, verifiersSec[randIdx], dealerPub, verifiersPub)
+	assert.NoError(t, err)
+	assert.Equal(t, randIdx, v.index)
+
+	wrongKey := suite.Scalar().Pick(rng)
+	_, err = NewVerifier(suite, wrongKey, dealerPub, verifiersPub)
+	assert.Error(t, err)
+}
+
+func TestVSSShare(t *testing.T) {
+	dealer, verifiers := genAll()
+	ver := verifiers[0]
+	deal, err := dealer.EncryptedDeal(0)
+	require.Nil(t, err)
+
+	resp, err := ver.ProcessEncryptedDeal(deal)
+	require.NotNil(t, resp)
+	require.Equal(t, StatusApproval, resp.Status)
+	require.Nil(t, err)
+
+	aggr := ver.Aggregator
+
+	for i := 1; i < aggr.t-1; i++ {
+		aggr.responses[uint32(i)] = &Response{Status: StatusApproval}
+	}
+	// not enough approvals
+	assert.Nil(t, ver.Deal())
+
+	aggr.responses[uint32(aggr.t)] = &Response{Status: StatusApproval}
+
+	// Timeout all other (i>t) verifiers
+	ver.SetTimeout()
+
+	// deal not certified
+	aggr.badDealer = true
+	assert.Nil(t, ver.Deal())
+	aggr.badDealer = false
+
+	assert.NotNil(t, ver.Deal())
+
+}
+
+func TestVSSAggregatorEnoughApprovals(t *testing.T) {
+	dealer := genDealer()
+	aggr := dealer.Aggregator
+	// just below
+	for i := 0; i < aggr.t-1; i++ {
+		aggr.responses[uint32(i)] = &Response{Status: StatusApproval}
+	}
+	assert.False(t, aggr.EnoughApprovals())
+	assert.Nil(t, dealer.SecretCommit())
+
+	aggr.responses[uint32(aggr.t)] = &Response{Status: StatusApproval}
+	assert.True(t, aggr.EnoughApprovals())
+
+	for i := aggr.t + 1; i < nbVerifiers; i++ {
+		aggr.responses[uint32(i)] = &Response{Status: StatusApproval}
+	}
+
+	// mark remaning verifiers as timed out
+	dealer.SetTimeout()
+
+	assert.True(t, aggr.EnoughApprovals())
+	assert.Equal(t, suite.Point().Mul(secret, nil), dealer.SecretCommit())
+}
+
+func TestVSSAggregatorDealCertified(t *testing.T) {
+	dealer := genDealer()
+	aggr := dealer.Aggregator
+
+	for i := 0; i < aggr.t; i++ {
+		aggr.responses[uint32(i)] = &Response{Status: StatusApproval}
+	}
+
+	// Mark remaining verifiers as timed-out
+	dealer.SetTimeout()
+
+	assert.True(t, aggr.DealCertified())
+	assert.Equal(t, suite.Point().Mul(secret, nil), dealer.SecretCommit())
+	// bad dealer response
+	aggr.badDealer = true
+	assert.False(t, aggr.DealCertified())
+	assert.Nil(t, dealer.SecretCommit())
+
+	// reset dealer status
+	aggr.badDealer = false
+
+	// inconsistent state on purpose
+	// too much complaints
+	for i := 0; i < aggr.t; i++ {
+		aggr.responses[uint32(i)] = &Response{Status: StatusComplaint}
+	}
+	assert.False(t, aggr.DealCertified())
+}
+
+func TestVSSVerifierDecryptDeal(t *testing.T) {
+	dealer, verifiers := genAll()
+	v := verifiers[0]
+	d := dealer.deals[0]
+
+	// all fine
+	encD, err := dealer.EncryptedDeal(0)
+	require.Nil(t, err)
+	decD, err := v.decryptDeal(encD)
+	require.Nil(t, err)
+	b1, _ := protobuf.Encode(d)
+	b2, _ := protobuf.Encode(decD)
+	assert.Equal(t, b1, b2)
+
+	// wrong dh key
+	goodDh := encD.DHKey
+	encD.DHKey, err = suite.Point().Null().MarshalBinary()
+	require.Nil(t, err)
+	decD, err = v.decryptDeal(encD)
+	assert.Error(t, err)
+	assert.Nil(t, decD)
+	encD.DHKey = goodDh
+
+	// wrong signature
+	goodSig := encD.Signature
+	encD.Signature = randomBytes(32)
+	decD, err = v.decryptDeal(encD)
+	assert.Error(t, err)
+	assert.Nil(t, decD)
+	encD.Signature = goodSig
+
+	// wrong ciphertext
+	goodCipher := encD.Cipher
+	encD.Cipher = randomBytes(len(goodCipher))
+	decD, err = v.decryptDeal(encD)
+	assert.Error(t, err)
+	assert.Nil(t, decD)
+	encD.Cipher = goodCipher
+}
+
+func TestVSSVerifierReceiveDeal(t *testing.T) {
+	dealer, verifiers := genAll()
+	v := verifiers[0]
+	d := dealer.deals[0]
+
+	encD, err := dealer.EncryptedDeal(0)
+	require.Nil(t, err)
+
+	// correct deal
+	resp, err := v.ProcessEncryptedDeal(encD)
+	require.NotNil(t, resp)
+	assert.Equal(t, StatusApproval, resp.Status)
+	assert.Nil(t, err)
+	assert.Equal(t, v.index, int(resp.Index))
+	assert.Equal(t, dealer.sid, resp.SessionID)
+	assert.Nil(t, schnorr.Verify(suite, v.pub, resp.Hash(suite), resp.Signature))
+	assert.Equal(t, v.responses[uint32(v.index)], resp)
+
+	// wrong encryption
+	goodSig := encD.Signature
+	encD.Signature = randomBytes(32)
+	resp, err = v.ProcessEncryptedDeal(encD)
+	assert.Nil(t, resp)
+	assert.Error(t, err)
+	encD.Signature = goodSig
+
+	// wrong index
+	goodIdx := d.SecShare.I
+	d.SecShare.I = (goodIdx - 1) % nbVerifiers
+	encD, _ = dealer.EncryptedDeal(0)
+	resp, err = v.ProcessEncryptedDeal(encD)
+	assert.Error(t, err)
+	assert.Nil(t, resp)
+	d.SecShare.I = goodIdx
+
+	// wrong commitments
+	goodCommit := d.Commitments[0]
+	d.Commitments[0] = suite.Point().Pick(rng)
+	encD, _ = dealer.EncryptedDeal(0)
+	resp, err = v.ProcessEncryptedDeal(encD)
+	assert.Error(t, err)
+	assert.Nil(t, resp)
+	d.Commitments[0] = goodCommit
+
+	// already seen twice
+	resp, err = v.ProcessEncryptedDeal(encD)
+	assert.Nil(t, resp)
+	assert.Error(t, err)
+	v.Aggregator.deal = nil
+
+	// approval already existing from same origin, should never happen right ?
+	v.Aggregator.responses[uint32(v.index)] = &Response{Status: StatusApproval}
+	d.Commitments[0] = suite.Point().Pick(rng)
+	resp, err = v.ProcessEncryptedDeal(encD)
+	assert.Nil(t, resp)
+	assert.Error(t, err)
+	d.Commitments[0] = goodCommit
+
+	// valid complaint
+	v.Aggregator.deal = nil
+	delete(v.Aggregator.responses, uint32(v.index))
+	//d.RndShare.V = suite.Scalar().SetBytes(randomBytes(32))
+	resp, err = v.ProcessEncryptedDeal(encD)
+	assert.NotNil(t, resp)
+	assert.Equal(t, StatusComplaint, resp.Status)
+	assert.Nil(t, err)
+}
+
+func TestVSSAggregatorVerifyJustification(t *testing.T) {
+	dealer, verifiers := genAll()
+	v := verifiers[0]
+	d := dealer.deals[0]
+
+	wrongV := suite.Scalar().Pick(rng)
+	goodV := d.SecShare.V
+	d.SecShare.V = wrongV
+	encD, _ := dealer.EncryptedDeal(0)
+	resp, err := v.ProcessEncryptedDeal(encD)
+	assert.NotNil(t, resp)
+	assert.Equal(t, StatusComplaint, resp.Status)
+	assert.Nil(t, err)
+	assert.Equal(t, v.responses[uint32(v.index)], resp)
+	// in tests, pointers point to the same underlying share..
+	d.SecShare.V = goodV
+
+	j, err := dealer.ProcessResponse(resp)
+
+	// invalid deal justified
+	goodV = j.Deal.SecShare.V
+	j.Deal.SecShare.V = wrongV
+	err = v.ProcessJustification(j)
+	assert.Error(t, err)
+	assert.True(t, v.Aggregator.badDealer)
+	j.Deal.SecShare.V = goodV
+	v.Aggregator.badDealer = false
+
+	// valid complaint
+	assert.Nil(t, v.ProcessJustification(j))
+
+	// invalid complaint
+	resp.SessionID = randomBytes(len(resp.SessionID))
+	badJ, err := dealer.ProcessResponse(resp)
+	assert.Nil(t, badJ)
+	assert.Error(t, err)
+	resp.SessionID = dealer.sid
+
+	// no complaints for this justification before
+	delete(v.Aggregator.responses, uint32(v.index))
+	assert.Error(t, v.ProcessJustification(j))
+	v.Aggregator.responses[uint32(v.index)] = resp
+
+}
+
+func TestVSSAggregatorVerifyResponseDuplicate(t *testing.T) {
+	dealer, verifiers := genAll()
+	v1 := verifiers[0]
+	v2 := verifiers[1]
+	//d1 := dealer.deals[0]
+	//d2 := dealer.deals[1]
+	encD1, _ := dealer.EncryptedDeal(0)
+	encD2, _ := dealer.EncryptedDeal(1)
+
+	resp1, err := v1.ProcessEncryptedDeal(encD1)
+	assert.Nil(t, err)
+	assert.NotNil(t, resp1)
+	assert.Equal(t, StatusApproval, resp1.Status)
+
+	resp2, err := v2.ProcessEncryptedDeal(encD2)
+	assert.Nil(t, err)
+	assert.NotNil(t, resp2)
+	assert.Equal(t, StatusApproval, resp2.Status)
+
+	err = v1.ProcessResponse(resp2)
+	assert.Nil(t, err)
+	r, ok := v1.Aggregator.responses[uint32(v2.index)]
+	assert.True(t, ok)
+	assert.Equal(t, resp2, r)
+
+	err = v1.ProcessResponse(resp2)
+	assert.Error(t, err)
+
+	delete(v1.Aggregator.responses, uint32(v2.index))
+	v1.Aggregator.responses[uint32(v2.index)] = &Response{Status: StatusApproval}
+	err = v1.ProcessResponse(resp2)
+	assert.Error(t, err)
+}
+
+func TestVSSAggregatorVerifyResponse(t *testing.T) {
+	dealer, verifiers := genAll()
+	v := verifiers[0]
+	deal := dealer.deals[0]
+	//goodSec := deal.SecShare.V
+	wrongSec, _ := genPair()
+	deal.SecShare.V = wrongSec
+	encD, _ := dealer.EncryptedDeal(0)
+	// valid complaint
+	resp, err := v.ProcessEncryptedDeal(encD)
+	assert.Nil(t, err)
+	assert.NotNil(t, resp)
+	assert.Equal(t, StatusComplaint, resp.Status)
+	assert.NotNil(t, v.Aggregator)
+	assert.Equal(t, resp.SessionID, dealer.sid)
+
+	aggr := v.Aggregator
+	r, ok := aggr.responses[uint32(v.index)]
+	assert.True(t, ok)
+	assert.Equal(t, StatusComplaint, r.Status)
+
+	// wrong index
+	resp.Index = uint32(len(verifiersPub))
+	sig, err := schnorr.Sign(suite, v.longterm, resp.Hash(suite))
+	resp.Signature = sig
+	assert.Error(t, aggr.verifyResponse(resp))
+	resp.Index = 0
+
+	// wrong signature
+	goodSig := resp.Signature
+	resp.Signature = randomBytes(len(goodSig))
+	assert.Error(t, aggr.verifyResponse(resp))
+	resp.Signature = goodSig
+
+	// wrongID
+	wrongID := randomBytes(len(resp.SessionID))
+	goodID := resp.SessionID
+	resp.SessionID = wrongID
+	assert.Error(t, aggr.verifyResponse(resp))
+	resp.SessionID = goodID
+}
+
+func TestVSSAggregatorAllResponses(t *testing.T) {
+	dealer := genDealer()
+	aggr := dealer.Aggregator
+
+	for i := 0; i < aggr.t; i++ {
+		aggr.responses[uint32(i)] = &Response{Status: StatusApproval}
+	}
+	assert.True(t, aggr.EnoughApprovals())
+	assert.False(t, aggr.DealCertified())
+
+	for i := aggr.t; i < nbVerifiers; i++ {
+		aggr.responses[uint32(i)] = &Response{Status: StatusApproval}
+	}
+
+	assert.True(t, aggr.DealCertified())
+	assert.Equal(t, suite.Point().Mul(secret, nil), dealer.SecretCommit())
+}
+
+func TestVSSDealerTimeout(t *testing.T) {
+	dealer := genDealer()
+	aggr := dealer.Aggregator
+
+	for i := 0; i < aggr.t; i++ {
+		aggr.responses[uint32(i)] = &Response{Status: StatusApproval}
+	}
+
+	// Enough approvals, but all remaining responses missing
+	assert.True(t, aggr.EnoughApprovals())
+	assert.False(t, aggr.DealCertified())
+
+	// Tell dealer to consider other verifiers timed-out
+	dealer.SetTimeout()
+
+	// Deal should be certified
+	assert.True(t, aggr.DealCertified())
+	assert.NotNil(t, dealer.SecretCommit())
+}
+
+func TestVSSVerifierTimeout(t *testing.T) {
+	dealer, verifiers := genAll()
+	v := verifiers[0]
+
+	encDeal, err := dealer.EncryptedDeal(0)
+
+	require.Nil(t, err)
+
+	// Make verifier create it's Aggregator by processing EncDeal
+	resp, err := v.ProcessEncryptedDeal(encDeal)
+	require.NotNil(t, resp)
+	require.Nil(t, err)
+
+	aggr := v.Aggregator
+
+	// Add t responses
+	for i := 0; i < aggr.t; i++ {
+		aggr.responses[uint32(i)] = &Response{Status: StatusApproval}
+	}
+
+	// Enough Approvals, but not a response for every verifier
+	assert.True(t, aggr.EnoughApprovals())
+	assert.False(t, aggr.DealCertified())
+
+	// Trigger time out, thus adding StatusComplaint to all
+	// remaining verifiers
+	v.SetTimeout()
+
+	// Deal must be certified now
+	assert.True(t, aggr.DealCertified())
+	assert.NotNil(t, v.Deal())
+}
+
+func TestVSSAggregatorVerifyDeal(t *testing.T) {
+	dealer := genDealer()
+	aggr := dealer.Aggregator
+	deals := dealer.deals
+
+	// OK
+	deal := deals[0]
+	err := aggr.VerifyDeal(deal, true)
+	assert.NoError(t, err)
+	assert.NotNil(t, aggr.deal)
+
+	// already received deal
+	err = aggr.VerifyDeal(deal, true)
+	assert.Error(t, err)
+
+	// wrong T
+	wrongT := uint32(1)
+	goodT := deal.T
+	deal.T = wrongT
+	assert.Error(t, aggr.VerifyDeal(deal, false))
+	deal.T = goodT
+
+	// wrong SessionID
+	goodSid := deal.SessionID
+	deal.SessionID = make([]byte, 32)
+	assert.Error(t, aggr.VerifyDeal(deal, false))
+	deal.SessionID = goodSid
+
+	// index different in one share
+	goodI := deal.SecShare.I
+	deal.SecShare.I = goodI + 1
+	assert.Error(t, aggr.VerifyDeal(deal, false))
+	deal.SecShare.I = goodI
+
+	// index not in bounds
+	deal.SecShare.I = -1
+	assert.Error(t, aggr.VerifyDeal(deal, false))
+	deal.SecShare.I = len(verifiersPub)
+	assert.Error(t, aggr.VerifyDeal(deal, false))
+
+	// shares invalid in respect to the commitments
+	wrongSec, _ := genPair()
+	deal.SecShare.V = wrongSec
+	assert.Error(t, aggr.VerifyDeal(deal, false))
+}
+
+func TestVSSAggregatorAddComplaint(t *testing.T) {
+	dealer := genDealer()
+	aggr := dealer.Aggregator
+
+	var idx uint32 = 1
+	c := &Response{
+		Index:  idx,
+		Status: StatusComplaint,
+	}
+	// ok
+	assert.Nil(t, aggr.addResponse(c))
+	assert.Equal(t, aggr.responses[idx], c)
+
+	// response already there
+	assert.Error(t, aggr.addResponse(c))
+	delete(aggr.responses, idx)
+
+}
+
+func TestVSSSessionID(t *testing.T) {
+	dealer, _ := NewDealer(suite, dealerSec, secret, verifiersPub, vssThreshold)
+	commitments := dealer.deals[0].Commitments
+	sid, err := sessionID(suite, dealerPub, verifiersPub, commitments, dealer.t)
+	assert.NoError(t, err)
+
+	sid2, err2 := sessionID(suite, dealerPub, verifiersPub, commitments, dealer.t)
+	assert.NoError(t, err2)
+	assert.Equal(t, sid, sid2)
+
+	wrongDealerPub := suite.Point().Add(dealerPub, dealerPub)
+
+	sid3, err3 := sessionID(suite, wrongDealerPub, verifiersPub, commitments, dealer.t)
+	assert.NoError(t, err3)
+	assert.NotEqual(t, sid3, sid2)
+}
+
+func TestVSSFindPub(t *testing.T) {
+	p, ok := findPub(verifiersPub, 0)
+	assert.True(t, ok)
+	assert.Equal(t, verifiersPub[0], p)
+
+	p, ok = findPub(verifiersPub, uint32(len(verifiersPub)))
+	assert.False(t, ok)
+	assert.Nil(t, p)
+}
+
+func TestVSSDHExchange(t *testing.T) {
+	pub := suite.Point().Base()
+	priv := suite.Scalar().Pick(rng)
+	point := dhExchange(suite, priv, pub)
+	assert.Equal(t, pub.Mul(priv, nil).String(), point.String())
+}
+
+func TestVSSContext(t *testing.T) {
+	c := context(suite, dealerPub, verifiersPub)
+	assert.Len(t, c, suite.Hash().Size())
+}
+
+func genPair() (kyber.Scalar, kyber.Point) {
+	secret := suite.Scalar().Pick(suite.RandomStream())
+	public := suite.Point().Mul(secret, nil)
+	return secret, public
+}
+
+func genCommits(n int) ([]kyber.Scalar, []kyber.Point) {
+	var secrets = make([]kyber.Scalar, n)
+	var publics = make([]kyber.Point, n)
+	for i := 0; i < n; i++ {
+		secrets[i], publics[i] = genPair()
+	}
+	return secrets, publics
+}
+
+func genDealer() *Dealer {
+	d, _ := NewDealer(suite, dealerSec, secret, verifiersPub, vssThreshold)
+	return d
+}
+
+func genAll() (*Dealer, []*Verifier) {
+	dealer := genDealer()
+	var verifiers = make([]*Verifier, nbVerifiers)
+	for i := 0; i < nbVerifiers; i++ {
+		v, _ := NewVerifier(suite, verifiersSec[i], dealerPub, verifiersPub)
+		verifiers[i] = v
+	}
+	return dealer, verifiers
+}
+
+func randomBytes(n int) []byte {
+	var buff = make([]byte, n)
+	_, err := rand.Read(buff)
+	if err != nil {
+		panic(err)
+	}
+	return buff
+}
diff --git a/kyber/share/vss/rabin/dh.go b/kyber/share/vss/rabin/dh.go
new file mode 100644
index 0000000000..345c397d19
--- /dev/null
+++ b/kyber/share/vss/rabin/dh.go
@@ -0,0 +1,56 @@
+package vss
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"hash"
+
+	"go.dedis.ch/kyber/v3"
+
+	"golang.org/x/crypto/hkdf"
+)
+
+// dhExchange computes the shared key from a private key and a public key
+func dhExchange(suite Suite, ownPrivate kyber.Scalar, remotePublic kyber.Point) kyber.Point {
+	sk := suite.Point()
+	sk.Mul(ownPrivate, remotePublic)
+	return sk
+}
+
+var sharedKeyLength = 32
+
+// newAEAD returns the AEAD cipher to be use to encrypt a share
+func newAEAD(fn func() hash.Hash, preSharedKey kyber.Point, context []byte) (cipher.AEAD, error) {
+	preBuff, _ := preSharedKey.MarshalBinary()
+	reader := hkdf.New(fn, preBuff, nil, context)
+
+	sharedKey := make([]byte, sharedKeyLength)
+	if _, err := reader.Read(sharedKey); err != nil {
+		return nil, err
+	}
+	block, err := aes.NewCipher(sharedKey)
+	if err != nil {
+		return nil, err
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+	return gcm, nil
+}
+
+// keySize is arbitrary, make it long enough to seed the XOF
+const keySize = 128
+
+// context returns the context slice to be used when encrypting a share
+func context(suite Suite, dealer kyber.Point, verifiers []kyber.Point) []byte {
+	h := suite.XOF([]byte("vss-dealer"))
+	_, _ = dealer.MarshalTo(h)
+	_, _ = h.Write([]byte("vss-verifiers"))
+	for _, v := range verifiers {
+		_, _ = v.MarshalTo(h)
+	}
+	sum := make([]byte, keySize)
+	h.Read(sum)
+	return sum
+}
diff --git a/kyber/share/vss/rabin/vss.go b/kyber/share/vss/rabin/vss.go
new file mode 100644
index 0000000000..d9e8f06e9e
--- /dev/null
+++ b/kyber/share/vss/rabin/vss.go
@@ -0,0 +1,765 @@
+// Package vss implements the verifiable secret sharing scheme from the
+// paper "Provably Secure Distributed Schnorr Signatures and a (t, n) Threshold
+// Scheme for Implicit Certificates".
+// VSS enables a dealer to share a secret securely and verifiably among n
+// participants out of which at least t are required for its reconstruction.
+// The verifiability of the process prevents a
+// malicious dealer from influencing the outcome to his advantage as each
+// verifier can check the validity of the received share. The protocol has the
+// following steps:
+//
+//   1) The dealer send a Deal to every verifiers using `Deals()`. Each deal must
+//   be sent securely to one verifier whose public key is at the same index than
+//   the index of the Deal.
+//
+//   2) Each verifier processes the Deal with `ProcessDeal`.
+//   This function returns a Response which can be twofold:
+//   - an approval, to confirm a correct deal
+//   - a complaint to announce an incorrect deal notifying others that the
+//     dealer might be malicious.
+//	 All Responses must be broadcasted to every verifiers and the dealer.
+//   3) The dealer can respond to each complaint by a justification revealing the
+//   share he originally sent out to the accusing verifier. This is done by
+//   calling `ProcessResponse` on the `Dealer`.
+//   4) The verifiers refuse the shared secret and abort the protocol if there
+//   are at least t complaints OR if a Justification is wrong. The verifiers
+//   accept the shared secret if there are at least t approvals at which point
+//   any t out of n verifiers can reveal their shares to reconstruct the shared
+//   secret.
+package vss
+
+import (
+	"bytes"
+	"crypto/cipher"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"reflect"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/share"
+	"go.dedis.ch/kyber/v3/sign/schnorr"
+	"go.dedis.ch/protobuf"
+)
+
+// Suite defines the capabilities required by the vss package.
+type Suite interface {
+	kyber.Group
+	kyber.HashFactory
+	kyber.XOFFactory
+	kyber.Random
+}
+
+// Dealer encapsulates for creating and distributing the shares and for
+// replying to any Responses.
+type Dealer struct {
+	suite  Suite
+	reader cipher.Stream
+	// long is the longterm key of the Dealer
+	long          kyber.Scalar
+	pub           kyber.Point
+	secret        kyber.Scalar
+	secretCommits []kyber.Point
+	verifiers     []kyber.Point
+	hkdfContext   []byte
+	// threshold of shares that is needed to reconstruct the secret
+	t int
+	// sessionID is a unique identifier for the whole session of the scheme
+	sessionID []byte
+	// list of deals this Dealer has generated
+	deals []*Deal
+	*aggregator
+}
+
+// Deal encapsulates the verifiable secret share and is sent by the dealer to a verifier.
+type Deal struct {
+	// Unique session identifier for this protocol run
+	SessionID []byte
+	// Private share generated by the dealer
+	SecShare *share.PriShare
+	// Random share generated by the dealer
+	RndShare *share.PriShare
+	// Threshold used for this secret sharing run
+	T uint32
+	// Commitments are the coefficients used to verify the shares against
+	Commitments []kyber.Point
+}
+
+// EncryptedDeal contains the deal in a encrypted form only decipherable by the
+// correct recipient. The encryption is performed in a similar manner as what is
+// done in TLS. The dealer generates a temporary key pair, signs it with its
+// longterm secret key.
+type EncryptedDeal struct {
+	// Ephemeral Diffie Hellman key
+	DHKey kyber.Point
+	// Signature of the DH key by the longterm key of the dealer
+	Signature []byte
+	// Nonce used for the encryption
+	Nonce []byte
+	// AEAD encryption of the deal marshalled by protobuf
+	Cipher []byte
+}
+
+// Response is sent by the verifiers to all participants and holds each
+// individual validation or refusal of a Deal.
+type Response struct {
+	// SessionID related to this run of the protocol
+	SessionID []byte
+	// Index of the verifier issuing this Response
+	Index uint32
+	// Approved is true if the Response is valid
+	Approved bool
+	// Signature over the whole packet
+	Signature []byte
+}
+
+// Justification is a message that is broadcasted by the Dealer in response to
+// a Complaint. It contains the original Complaint as well as the shares
+// distributed to the complainer.
+type Justification struct {
+	// SessionID related to the current run of the protocol
+	SessionID []byte
+	// Index of the verifier who issued the Complaint,i.e. index of this Deal
+	Index uint32
+	// Deal in cleartext
+	Deal *Deal
+	// Signature over the whole packet
+	Signature []byte
+}
+
+// NewDealer returns a Dealer capable of leading the secret sharing scheme. It
+// does not have to be trusted by other Verifiers. The security parameter t is
+// the number of shares required to reconstruct the secret. It is HIGHLY
+// RECOMMENDED to use a threshold higher or equal than what the method
+// MinimumT() returns, otherwise it breaks the security assumptions of the whole
+// scheme. It returns an error if the t is inferior or equal to 2.
+func NewDealer(suite Suite, longterm, secret kyber.Scalar, verifiers []kyber.Point, t int) (*Dealer, error) {
+	d := &Dealer{
+		suite:     suite,
+		long:      longterm,
+		secret:    secret,
+		verifiers: verifiers,
+	}
+	if !validT(t, verifiers) {
+		return nil, fmt.Errorf("dealer: t %d invalid", t)
+	}
+	d.t = t
+
+	H := deriveH(d.suite, d.verifiers)
+	f := share.NewPriPoly(d.suite, d.t, d.secret, suite.RandomStream())
+	g := share.NewPriPoly(d.suite, d.t, nil, suite.RandomStream())
+	d.pub = d.suite.Point().Mul(d.long, nil)
+
+	// Compute public polynomial coefficients
+	F := f.Commit(d.suite.Point().Base())
+	_, d.secretCommits = F.Info()
+	G := g.Commit(H)
+
+	C, err := F.Add(G)
+	if err != nil {
+		return nil, err
+	}
+	_, commitments := C.Info()
+
+	d.sessionID, err = sessionID(d.suite, d.pub, d.verifiers, commitments, d.t)
+	if err != nil {
+		return nil, err
+	}
+
+	d.aggregator = newAggregator(d.suite, d.pub, d.verifiers, commitments, d.t, d.sessionID)
+	// C = F + G
+	d.deals = make([]*Deal, len(d.verifiers))
+	for i := range d.verifiers {
+		fi := f.Eval(i)
+		gi := g.Eval(i)
+		d.deals[i] = &Deal{
+			SessionID:   d.sessionID,
+			SecShare:    fi,
+			RndShare:    gi,
+			Commitments: commitments,
+			T:           uint32(d.t),
+		}
+	}
+	d.hkdfContext = context(suite, d.pub, verifiers)
+	return d, nil
+}
+
+// PlaintextDeal returns the plaintext version of the deal destined for peer i.
+// Use this only for testing.
+func (d *Dealer) PlaintextDeal(i int) (*Deal, error) {
+	if i >= len(d.deals) {
+		return nil, errors.New("dealer: PlaintextDeal given wrong index")
+	}
+	return d.deals[i], nil
+}
+
+// EncryptedDeal returns the encryption of the deal that must be given to the
+// verifier at index i.
+// The dealer first generates a temporary Diffie Hellman key, signs it using its
+// longterm key, and computes the shared key depending on its longterm and
+// ephemeral key and the verifier's public key.
+// This shared key is then fed into a HKDF whose output is the key to a AEAD
+// (AES256-GCM) scheme to encrypt the deal.
+func (d *Dealer) EncryptedDeal(i int) (*EncryptedDeal, error) {
+	vPub, ok := findPub(d.verifiers, uint32(i))
+	if !ok {
+		return nil, errors.New("dealer: wrong index to generate encrypted deal")
+	}
+	// gen ephemeral key
+	dhSecret := d.suite.Scalar().Pick(d.suite.RandomStream())
+	dhPublic := d.suite.Point().Mul(dhSecret, nil)
+	// signs the public key
+	dhPublicBuff, _ := dhPublic.MarshalBinary()
+	signature, err := schnorr.Sign(d.suite, d.long, dhPublicBuff)
+	if err != nil {
+		return nil, err
+	}
+	// AES128-GCM
+	pre := dhExchange(d.suite, dhSecret, vPub)
+	gcm, err := newAEAD(d.suite.Hash, pre, d.hkdfContext)
+	if err != nil {
+		return nil, err
+	}
+
+	nonce := make([]byte, gcm.NonceSize())
+	dealBuff, err := protobuf.Encode(d.deals[i])
+	if err != nil {
+		return nil, err
+	}
+	encrypted := gcm.Seal(nil, nonce, dealBuff, d.hkdfContext)
+	return &EncryptedDeal{
+		DHKey:     dhPublic,
+		Signature: signature,
+		Nonce:     nonce,
+		Cipher:    encrypted,
+	}, nil
+}
+
+// EncryptedDeals calls `EncryptedDeal` for each index of the verifier and
+// returns the list of encrypted deals. Each index in the returned slice
+// corresponds to the index in the list of verifiers.
+func (d *Dealer) EncryptedDeals() ([]*EncryptedDeal, error) {
+	deals := make([]*EncryptedDeal, len(d.verifiers))
+	var err error
+	for i := range d.verifiers {
+		deals[i], err = d.EncryptedDeal(i)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return deals, nil
+}
+
+// ProcessResponse analyzes the given Response. If it's a valid complaint, then
+// it returns a Justification. This Justification must be broadcasted to every
+// participants. If it's an invalid complaint, it returns an error about the
+// complaint. The verifiers will also ignore an invalid Complaint.
+func (d *Dealer) ProcessResponse(r *Response) (*Justification, error) {
+	if err := d.verifyResponse(r); err != nil {
+		return nil, err
+	}
+	if r.Approved {
+		return nil, nil
+	}
+
+	j := &Justification{
+		SessionID: d.sessionID,
+		// index is guaranteed to be good because of d.verifyResponse before
+		Index: r.Index,
+		Deal:  d.deals[int(r.Index)],
+	}
+	sig, err := schnorr.Sign(d.suite, d.long, j.Hash(d.suite))
+	if err != nil {
+		return nil, err
+	}
+	j.Signature = sig
+	return j, nil
+}
+
+// SecretCommit returns the commitment of the secret being shared by this
+// dealer. This function is only to be called once the deal has enough approvals
+// and is verified otherwise it returns nil.
+func (d *Dealer) SecretCommit() kyber.Point {
+	if !d.EnoughApprovals() || !d.DealCertified() {
+		return nil
+	}
+	return d.suite.Point().Mul(d.secret, nil)
+}
+
+// Commits returns the commitments of the coefficient of the secret polynomial
+// the Dealer is sharing.
+func (d *Dealer) Commits() []kyber.Point {
+	if !d.EnoughApprovals() || !d.DealCertified() {
+		return nil
+	}
+	return d.secretCommits
+}
+
+// Key returns the longterm key pair used by this Dealer.
+func (d *Dealer) Key() (secret kyber.Scalar, public kyber.Point) {
+	return d.long, d.pub
+}
+
+// SessionID returns the current sessionID generated by this dealer for this
+// protocol run.
+func (d *Dealer) SessionID() []byte {
+	return d.sessionID
+}
+
+// SetTimeout tells this dealer to consider this moment the maximum time limit.
+// it calls cleanVerifiers which will take care of all Verifiers who have not
+// responded until now.
+func (d *Dealer) SetTimeout() {
+	d.aggregator.cleanVerifiers()
+}
+
+// Verifier receives a Deal from a Dealer, can reply with a Complaint, and can
+// collaborate with other Verifiers to reconstruct a secret.
+type Verifier struct {
+	suite       Suite
+	longterm    kyber.Scalar
+	pub         kyber.Point
+	dealer      kyber.Point
+	index       int
+	verifiers   []kyber.Point
+	hkdfContext []byte
+	*aggregator
+}
+
+// NewVerifier returns a Verifier out of:
+// - its longterm secret key
+// - the longterm dealer public key
+// - the list of public key of verifiers. The list MUST include the public key
+// of this Verifier also.
+// The security parameter t of the secret sharing scheme is automatically set to
+// a default safe value. If a different t value is required, it is possible to set
+// it with `verifier.SetT()`.
+func NewVerifier(suite Suite, longterm kyber.Scalar, dealerKey kyber.Point,
+	verifiers []kyber.Point) (*Verifier, error) {
+
+	pub := suite.Point().Mul(longterm, nil)
+	var ok bool
+	var index int
+	for i, v := range verifiers {
+		if v.Equal(pub) {
+			ok = true
+			index = i
+			break
+		}
+	}
+	if !ok {
+		return nil, errors.New("vss: public key not found in the list of verifiers")
+	}
+	v := &Verifier{
+		suite:       suite,
+		longterm:    longterm,
+		dealer:      dealerKey,
+		verifiers:   verifiers,
+		pub:         pub,
+		index:       index,
+		hkdfContext: context(suite, dealerKey, verifiers),
+	}
+	return v, nil
+}
+
+// ProcessEncryptedDeal decrypt the deal received from the Dealer.
+// If the deal is valid, i.e. the verifier can verify its shares
+// against the public coefficients and the signature is valid, an approval
+// response is returned and must be broadcasted to every participants
+// including the dealer.
+// If the deal itself is invalid, it returns a complaint response that must be
+// broadcasted to every other participants including the dealer.
+// If the deal has already been received, or the signature generation of the
+// response failed, it returns an error without any responses.
+func (v *Verifier) ProcessEncryptedDeal(e *EncryptedDeal) (*Response, error) {
+	d, err := v.decryptDeal(e)
+	if err != nil {
+		return nil, err
+	}
+	if d.SecShare.I != v.index {
+		return nil, errors.New("vss: verifier got wrong index from deal")
+	}
+
+	t := int(d.T)
+
+	sid, err := sessionID(v.suite, v.dealer, v.verifiers, d.Commitments, t)
+	if err != nil {
+		return nil, err
+	}
+
+	if v.aggregator == nil {
+		v.aggregator = newAggregator(v.suite, v.dealer, v.verifiers, d.Commitments, t, d.SessionID)
+	}
+
+	r := &Response{
+		SessionID: sid,
+		Index:     uint32(v.index),
+		Approved:  true,
+	}
+	if err = v.VerifyDeal(d, true); err != nil {
+		r.Approved = false
+	}
+
+	if err == errDealAlreadyProcessed {
+		return nil, err
+	}
+
+	if r.Signature, err = schnorr.Sign(v.suite, v.longterm, r.Hash(v.suite)); err != nil {
+		return nil, err
+	}
+
+	if err = v.aggregator.addResponse(r); err != nil {
+		return nil, err
+	}
+	return r, nil
+}
+
+func (v *Verifier) decryptDeal(e *EncryptedDeal) (*Deal, error) {
+	ephBuff, err := e.DHKey.MarshalBinary()
+	if err != nil {
+		return nil, err
+	}
+	// verify signature
+	if err := schnorr.Verify(v.suite, v.dealer, ephBuff, e.Signature); err != nil {
+		return nil, err
+	}
+
+	// compute shared key and AES526-GCM cipher
+	pre := dhExchange(v.suite, v.longterm, e.DHKey)
+	gcm, err := newAEAD(v.suite.Hash, pre, v.hkdfContext)
+	if err != nil {
+		return nil, err
+	}
+	decrypted, err := gcm.Open(nil, e.Nonce, e.Cipher, v.hkdfContext)
+	if err != nil {
+		return nil, err
+	}
+	deal := &Deal{}
+	err = deal.decode(v.suite, decrypted)
+	return deal, err
+}
+
+// ProcessResponse analyzes the given response. If it's a valid complaint, the
+// verifier should expect to see a Justification from the Dealer. It returns an
+// error if it's not a valid response.
+// Call `v.DealCertified()` to check if the whole protocol is finished.
+func (v *Verifier) ProcessResponse(resp *Response) error {
+	return v.aggregator.verifyResponse(resp)
+}
+
+// Deal returns the Deal that this verifier has received. It returns
+// nil if the deal is not certified or there is not enough approvals.
+func (v *Verifier) Deal() *Deal {
+	if !v.EnoughApprovals() || !v.DealCertified() {
+		return nil
+	}
+	return v.deal
+}
+
+// ProcessJustification takes a DealerResponse and returns an error if
+// something went wrong during the verification. If it is the case, that
+// probably means the Dealer is acting maliciously. In order to be sure, call
+// `v.EnoughApprovals()` and if true, `v.DealCertified()`.
+func (v *Verifier) ProcessJustification(dr *Justification) error {
+	return v.aggregator.verifyJustification(dr)
+}
+
+// Key returns the longterm key pair this verifier is using during this protocol
+// run.
+func (v *Verifier) Key() (kyber.Scalar, kyber.Point) {
+	return v.longterm, v.pub
+}
+
+// Index returns the index of the verifier in the list of participants used
+// during this run of the protocol.
+func (v *Verifier) Index() int {
+	return v.index
+}
+
+// SessionID returns the session id generated by the Dealer. WARNING: it returns
+// an nil slice if the verifier has not received the Deal yet !
+func (v *Verifier) SessionID() []byte {
+	return v.sid
+}
+
+// RecoverSecret recovers the secret shared by a Dealer by gathering at least t
+// Deals from the verifiers. It returns an error if there is not enough Deals or
+// if all Deals don't have the same SessionID.
+func RecoverSecret(suite Suite, deals []*Deal, n, t int) (kyber.Scalar, error) {
+	shares := make([]*share.PriShare, len(deals))
+	for i, deal := range deals {
+		// all sids the same
+		if bytes.Equal(deal.SessionID, deals[0].SessionID) {
+			shares[i] = deal.SecShare
+		} else {
+			return nil, errors.New("vss: all deals need to have same session id")
+		}
+	}
+	return share.RecoverSecret(suite, shares, t, n)
+}
+
+// SetTimeout tells this verifier to consider this moment the maximum time limit.
+// it calls cleanVerifiers which will take care of all Verifiers who have not
+// responded until now.
+func (v *Verifier) SetTimeout() {
+	v.aggregator.cleanVerifiers()
+}
+
+// aggregator is used to collect all deals, and responses for one protocol run.
+// It brings common functionalities for both Dealer and Verifier structs.
+type aggregator struct {
+	suite     Suite
+	dealer    kyber.Point
+	verifiers []kyber.Point
+	commits   []kyber.Point
+
+	responses map[uint32]*Response
+	sid       []byte
+	deal      *Deal
+	t         int
+	badDealer bool
+}
+
+func newAggregator(suite Suite, dealer kyber.Point, verifiers, commitments []kyber.Point, t int, sid []byte) *aggregator {
+	agg := &aggregator{
+		suite:     suite,
+		dealer:    dealer,
+		verifiers: verifiers,
+		commits:   commitments,
+		t:         t,
+		sid:       sid,
+		responses: make(map[uint32]*Response),
+	}
+	return agg
+}
+
+var errDealAlreadyProcessed = errors.New("vss: verifier already received a deal")
+
+// VerifyDeal analyzes the deal and returns an error if it's incorrect. If
+// inclusion is true, it also returns an error if it the second time this struct
+// analyzes a Deal.
+func (a *aggregator) VerifyDeal(d *Deal, inclusion bool) error {
+	if a.deal != nil && inclusion {
+		return errDealAlreadyProcessed
+
+	}
+	if a.deal == nil {
+		a.commits = d.Commitments
+		a.sid = d.SessionID
+		a.deal = d
+	}
+
+	if !validT(int(d.T), a.verifiers) {
+		return errors.New("vss: invalid t received in Deal")
+	}
+
+	if !bytes.Equal(a.sid, d.SessionID) {
+		return errors.New("vss: find different sessionIDs from Deal")
+	}
+
+	fi := d.SecShare
+	gi := d.RndShare
+	if fi.I != gi.I {
+		return errors.New("vss: not the same index for f and g share in Deal")
+	}
+	if fi.I < 0 || fi.I >= len(a.verifiers) {
+		return errors.New("vss: index out of bounds in Deal")
+	}
+	// compute fi * G + gi * H
+	fig := a.suite.Point().Base().Mul(fi.V, nil)
+	H := deriveH(a.suite, a.verifiers)
+	gih := a.suite.Point().Mul(gi.V, H)
+	ci := a.suite.Point().Add(fig, gih)
+
+	commitPoly := share.NewPubPoly(a.suite, nil, d.Commitments)
+
+	pubShare := commitPoly.Eval(fi.I)
+	if !ci.Equal(pubShare.V) {
+		return errors.New("vss: share does not verify against commitments in Deal")
+	}
+	return nil
+}
+
+// cleanVerifiers checks the aggregator's response array and creates a StatusComplaint
+// response for all verifiers who have no response in the array.
+func (a *aggregator) cleanVerifiers() {
+	for i := range a.verifiers {
+		if _, ok := a.responses[uint32(i)]; !ok {
+			a.responses[uint32(i)] = &Response{
+				SessionID: a.sid,
+				Index:     uint32(i),
+				Approved:  false,
+			}
+		}
+	}
+}
+
+func (a *aggregator) verifyResponse(r *Response) error {
+	if !bytes.Equal(r.SessionID, a.sid) {
+		return errors.New("vss: receiving inconsistent sessionID in response")
+	}
+
+	pub, ok := findPub(a.verifiers, r.Index)
+	if !ok {
+		return errors.New("vss: index out of bounds in response")
+	}
+
+	if err := schnorr.Verify(a.suite, pub, r.Hash(a.suite), r.Signature); err != nil {
+		return err
+	}
+
+	return a.addResponse(r)
+}
+
+func (a *aggregator) verifyJustification(j *Justification) error {
+	if _, ok := findPub(a.verifiers, j.Index); !ok {
+		return errors.New("vss: index out of bounds in justification")
+	}
+	r, ok := a.responses[j.Index]
+	if !ok {
+		return errors.New("vss: no complaints received for this justification")
+	}
+	if r.Approved {
+		return errors.New("vss: justification received for an approval")
+	}
+
+	if err := a.VerifyDeal(j.Deal, false); err != nil {
+		// if one response is bad, flag the dealer as malicious
+		a.badDealer = true
+		return err
+	}
+	r.Approved = true
+	return nil
+}
+
+func (a *aggregator) addResponse(r *Response) error {
+	if _, ok := findPub(a.verifiers, r.Index); !ok {
+		return errors.New("vss: index out of bounds in Complaint")
+	}
+	if _, ok := a.responses[r.Index]; ok {
+		return errors.New("vss: already existing response from same origin")
+	}
+	a.responses[r.Index] = r
+	return nil
+}
+
+// EnoughApprovals returns true if enough verifiers have sent their approval for
+// the deal they received.
+func (a *aggregator) EnoughApprovals() bool {
+	var app int
+	for _, r := range a.responses {
+		if r.Approved {
+			app++
+		}
+	}
+	return app >= a.t
+}
+
+// DealCertified returns true if there has been less than t complaints, all
+// Justifications were correct and if EnoughApprovals() returns true.
+func (a *aggregator) DealCertified() bool {
+	// a can be nil if we're calling it before receiving a deal
+	if a == nil {
+		return false
+	}
+
+	var verifiersUnstable int
+	// Check either a StatusApproval or StatusComplaint for all known verifiers
+	// i.e. make sure all verifiers are either timed-out or OK.
+	for i := range a.verifiers {
+		if _, ok := a.responses[uint32(i)]; !ok {
+			verifiersUnstable++
+		}
+	}
+
+	tooMuchComplaints := verifiersUnstable > 0 || a.badDealer
+	return a.EnoughApprovals() && !tooMuchComplaints
+}
+
+// UnsafeSetResponseDKG is an UNSAFE bypass method to allow DKG to use VSS
+// that works on basis of approval only.
+func (a *aggregator) UnsafeSetResponseDKG(idx uint32, approval bool) {
+	r := &Response{
+		SessionID: a.sid,
+		Index:     uint32(idx),
+		Approved:  approval,
+	}
+
+	a.addResponse(r)
+}
+
+// MinimumT returns the minimum safe T that is proven to be secure with this
+// protocol. It expects n, the total number of participants.
+// WARNING: Setting a lower T could make
+// the whole protocol insecure. Setting a higher T only makes it harder to
+// reconstruct the secret.
+func MinimumT(n int) int {
+	return (n + 1) / 2
+}
+
+func validT(t int, verifiers []kyber.Point) bool {
+	return t >= 2 && t <= len(verifiers) && int(uint32(t)) == t
+}
+
+func deriveH(suite Suite, verifiers []kyber.Point) kyber.Point {
+	var b bytes.Buffer
+	for _, v := range verifiers {
+		_, _ = v.MarshalTo(&b)
+	}
+	base := suite.Point().Pick(suite.XOF(b.Bytes()))
+	return base
+}
+
+func findPub(verifiers []kyber.Point, idx uint32) (kyber.Point, bool) {
+	iidx := int(idx)
+	if iidx >= len(verifiers) {
+		return nil, false
+	}
+	return verifiers[iidx], true
+}
+
+func sessionID(suite Suite, dealer kyber.Point, verifiers, commitments []kyber.Point, t int) ([]byte, error) {
+	h := suite.Hash()
+	_, _ = dealer.MarshalTo(h)
+
+	for _, v := range verifiers {
+		_, _ = v.MarshalTo(h)
+	}
+
+	for _, c := range commitments {
+		_, _ = c.MarshalTo(h)
+	}
+	_ = binary.Write(h, binary.LittleEndian, uint32(t))
+
+	return h.Sum(nil), nil
+}
+
+// Hash returns the Hash representation of the Response
+func (r *Response) Hash(s Suite) []byte {
+	h := s.Hash()
+	_, _ = h.Write([]byte("response"))
+	_, _ = h.Write(r.SessionID)
+	_ = binary.Write(h, binary.LittleEndian, r.Index)
+	_ = binary.Write(h, binary.LittleEndian, r.Approved)
+	return h.Sum(nil)
+}
+
+func (d *Deal) decode(s Suite, buff []byte) error {
+	constructors := make(protobuf.Constructors)
+	var point kyber.Point
+	var secret kyber.Scalar
+	constructors[reflect.TypeOf(&point).Elem()] = func() interface{} { return s.Point() }
+	constructors[reflect.TypeOf(&secret).Elem()] = func() interface{} { return s.Scalar() }
+	return protobuf.DecodeWithConstructors(buff, d, constructors)
+}
+
+// Hash returns the hash of a Justification.
+func (j *Justification) Hash(s Suite) []byte {
+	h := s.Hash()
+	_, _ = h.Write([]byte("justification"))
+	_, _ = h.Write(j.SessionID)
+	_ = binary.Write(h, binary.LittleEndian, j.Index)
+	buff, _ := protobuf.Encode(j.Deal)
+	_, _ = h.Write(buff)
+	return h.Sum(nil)
+}
diff --git a/kyber/share/vss/rabin/vss_test.go b/kyber/share/vss/rabin/vss_test.go
new file mode 100644
index 0000000000..87c4c5fc34
--- /dev/null
+++ b/kyber/share/vss/rabin/vss_test.go
@@ -0,0 +1,609 @@
+package vss
+
+import (
+	"math/rand"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/sign/schnorr"
+	"go.dedis.ch/protobuf"
+)
+
+var suite = edwards25519.NewBlakeSHA256Ed25519()
+
+var nbVerifiers = 7
+
+var vssThreshold int
+
+var verifiersPub []kyber.Point
+var verifiersSec []kyber.Scalar
+
+var dealerPub kyber.Point
+var dealerSec kyber.Scalar
+
+var secret kyber.Scalar
+
+func init() {
+	verifiersSec, verifiersPub = genCommits(nbVerifiers)
+	dealerSec, dealerPub = genPair()
+	secret, _ = genPair()
+	vssThreshold = MinimumT(nbVerifiers)
+}
+
+func TestVSSWhole(t *testing.T) {
+	dealer, verifiers := genAll()
+
+	// 1. dispatch deal
+	resps := make([]*Response, nbVerifiers)
+	encDeals, err := dealer.EncryptedDeals()
+	require.Nil(t, err)
+	for i, d := range encDeals {
+		resp, err := verifiers[i].ProcessEncryptedDeal(d)
+		require.Nil(t, err)
+		resps[i] = resp
+	}
+
+	// 2. dispatch responses
+	for _, resp := range resps {
+		for i, v := range verifiers {
+			if resp.Index == uint32(i) {
+				continue
+			}
+			require.Nil(t, v.ProcessResponse(resp))
+		}
+		// 2.1. check dealer (no justification here)
+		j, err := dealer.ProcessResponse(resp)
+		require.Nil(t, err)
+		require.Nil(t, j)
+	}
+
+	// 3. check certified
+	for _, v := range verifiers {
+		require.True(t, v.DealCertified())
+	}
+
+	// 4. collect deals
+	deals := make([]*Deal, nbVerifiers)
+	for i, v := range verifiers {
+		deals[i] = v.Deal()
+	}
+
+	// 5. recover
+	sec, err := RecoverSecret(suite, deals, nbVerifiers, MinimumT(nbVerifiers))
+	assert.Nil(t, err)
+	require.NotNil(t, sec)
+	assert.Equal(t, dealer.secret.String(), sec.String())
+}
+
+func TestVSSDealerNew(t *testing.T) {
+	goodT := MinimumT(nbVerifiers)
+	_, err := NewDealer(suite, dealerSec, secret, verifiersPub, goodT)
+	assert.NoError(t, err)
+
+	for _, badT := range []int{0, 1, -4} {
+		_, err = NewDealer(suite, dealerSec, secret, verifiersPub, badT)
+		assert.Error(t, err)
+	}
+}
+
+func TestVSSVerifierNew(t *testing.T) {
+	randIdx := rand.Int() % len(verifiersPub)
+	v, err := NewVerifier(suite, verifiersSec[randIdx], dealerPub, verifiersPub)
+	assert.NoError(t, err)
+	assert.Equal(t, randIdx, v.index)
+
+	wrongKey := suite.Scalar().Pick(suite.RandomStream())
+	_, err = NewVerifier(suite, wrongKey, dealerPub, verifiersPub)
+	assert.Error(t, err)
+}
+
+func TestVSSShare(t *testing.T) {
+	dealer, verifiers := genAll()
+	ver := verifiers[0]
+	deal, err := dealer.EncryptedDeal(0)
+	require.Nil(t, err)
+
+	resp, err := ver.ProcessEncryptedDeal(deal)
+	require.NotNil(t, resp)
+	require.Equal(t, true, resp.Approved)
+	require.Nil(t, err)
+
+	aggr := ver.aggregator
+
+	for i := 1; i < aggr.t-1; i++ {
+		aggr.responses[uint32(i)] = &Response{Approved: true}
+	}
+
+	ver.SetTimeout()
+
+	// not enough approvals
+	assert.Nil(t, ver.Deal())
+	aggr.responses[uint32(aggr.t)] = &Response{Approved: true}
+	// deal not certified
+	aggr.badDealer = true
+	assert.Nil(t, ver.Deal())
+	aggr.badDealer = false
+
+	assert.NotNil(t, ver.Deal())
+
+}
+
+func TestVSSAggregatorEnoughApprovals(t *testing.T) {
+	dealer := genDealer()
+	aggr := dealer.aggregator
+	// just below
+	for i := 0; i < aggr.t-1; i++ {
+		aggr.responses[uint32(i)] = &Response{Approved: true}
+	}
+
+	dealer.SetTimeout()
+
+	assert.False(t, aggr.EnoughApprovals())
+	assert.Nil(t, dealer.SecretCommit())
+
+	aggr.responses[uint32(aggr.t)] = &Response{Approved: true}
+	assert.True(t, aggr.EnoughApprovals())
+
+	for i := aggr.t + 1; i < nbVerifiers; i++ {
+		aggr.responses[uint32(i)] = &Response{Approved: true}
+	}
+	assert.True(t, aggr.EnoughApprovals())
+	assert.Equal(t, suite.Point().Mul(secret, nil), dealer.SecretCommit())
+}
+
+func TestVSSAggregatorDealCertified(t *testing.T) {
+	dealer := genDealer()
+	aggr := dealer.aggregator
+
+	for i := 0; i < aggr.t; i++ {
+		aggr.responses[uint32(i)] = &Response{Approved: true}
+	}
+
+	dealer.SetTimeout()
+
+	assert.True(t, aggr.DealCertified())
+	assert.Equal(t, suite.Point().Mul(secret, nil), dealer.SecretCommit())
+	// bad dealer response
+	aggr.badDealer = true
+	assert.False(t, aggr.DealCertified())
+	assert.Nil(t, dealer.SecretCommit())
+	// inconsistent state on purpose
+	// too much complaints
+	for i := 0; i < aggr.t; i++ {
+		aggr.responses[uint32(i)] = &Response{Approved: false}
+	}
+	assert.False(t, aggr.DealCertified())
+}
+
+func TestVSSVerifierDecryptDeal(t *testing.T) {
+	dealer, verifiers := genAll()
+	v := verifiers[0]
+	d := dealer.deals[0]
+
+	// all fine
+	encD, err := dealer.EncryptedDeal(0)
+	require.Nil(t, err)
+	decD, err := v.decryptDeal(encD)
+	require.Nil(t, err)
+	b1, _ := protobuf.Encode(d)
+	b2, _ := protobuf.Encode(decD)
+	assert.Equal(t, b1, b2)
+
+	// wrong dh key
+	goodDh := encD.DHKey
+	encD.DHKey = suite.Point()
+	decD, err = v.decryptDeal(encD)
+	assert.Error(t, err)
+	assert.Nil(t, decD)
+	encD.DHKey = goodDh
+
+	// wrong signature
+	goodSig := encD.Signature
+	encD.Signature = randomBytes(32)
+	decD, err = v.decryptDeal(encD)
+	assert.Error(t, err)
+	assert.Nil(t, decD)
+	encD.Signature = goodSig
+
+	// wrong ciphertext
+	goodCipher := encD.Cipher
+	encD.Cipher = randomBytes(len(goodCipher))
+	decD, err = v.decryptDeal(encD)
+	assert.Error(t, err)
+	assert.Nil(t, decD)
+	encD.Cipher = goodCipher
+}
+
+func TestVSSVerifierReceiveDeal(t *testing.T) {
+	dealer, verifiers := genAll()
+	v := verifiers[0]
+	d := dealer.deals[0]
+
+	encD, err := dealer.EncryptedDeal(0)
+	require.Nil(t, err)
+
+	// correct deal
+	resp, err := v.ProcessEncryptedDeal(encD)
+	require.NotNil(t, resp)
+	assert.Equal(t, true, resp.Approved)
+	assert.Nil(t, err)
+	assert.Equal(t, v.index, int(resp.Index))
+	assert.Equal(t, dealer.sid, resp.SessionID)
+	assert.Nil(t, schnorr.Verify(suite, v.pub, resp.Hash(suite), resp.Signature))
+	assert.Equal(t, v.responses[uint32(v.index)], resp)
+
+	// wrong encryption
+	goodSig := encD.Signature
+	encD.Signature = randomBytes(32)
+	resp, err = v.ProcessEncryptedDeal(encD)
+	assert.Nil(t, resp)
+	assert.Error(t, err)
+	encD.Signature = goodSig
+
+	// wrong index
+	goodIdx := d.SecShare.I
+	d.SecShare.I = (goodIdx - 1) % nbVerifiers
+	encD, _ = dealer.EncryptedDeal(0)
+	resp, err = v.ProcessEncryptedDeal(encD)
+	assert.Error(t, err)
+	assert.Nil(t, resp)
+	d.SecShare.I = goodIdx
+
+	// wrong commitments
+	goodCommit := d.Commitments[0]
+	d.Commitments[0] = suite.Point().Pick(suite.RandomStream())
+	encD, _ = dealer.EncryptedDeal(0)
+	resp, err = v.ProcessEncryptedDeal(encD)
+	assert.Error(t, err)
+	assert.Nil(t, resp)
+	d.Commitments[0] = goodCommit
+
+	// already seen twice
+	resp, err = v.ProcessEncryptedDeal(encD)
+	assert.Nil(t, resp)
+	assert.Error(t, err)
+	v.aggregator.deal = nil
+
+	// approval already existing from same origin, should never happen right ?
+	v.aggregator.responses[uint32(v.index)] = &Response{Approved: true}
+	d.Commitments[0] = suite.Point().Pick(suite.RandomStream())
+	resp, err = v.ProcessEncryptedDeal(encD)
+	assert.Nil(t, resp)
+	assert.Error(t, err)
+	d.Commitments[0] = goodCommit
+
+	// valid complaint
+	v.aggregator.deal = nil
+	delete(v.aggregator.responses, uint32(v.index))
+	d.RndShare.V = suite.Scalar().SetBytes(randomBytes(32))
+	resp, err = v.ProcessEncryptedDeal(encD)
+	assert.NotNil(t, resp)
+	assert.Equal(t, false, resp.Approved)
+	assert.Nil(t, err)
+}
+
+func TestVSSAggregatorVerifyJustification(t *testing.T) {
+	dealer, verifiers := genAll()
+	v := verifiers[0]
+	d := dealer.deals[0]
+
+	wrongV := suite.Scalar().Pick(suite.RandomStream())
+	goodV := d.SecShare.V
+	d.SecShare.V = wrongV
+	encD, _ := dealer.EncryptedDeal(0)
+	resp, err := v.ProcessEncryptedDeal(encD)
+	assert.NotNil(t, resp)
+	assert.Equal(t, false, resp.Approved)
+	assert.Nil(t, err)
+	assert.Equal(t, v.responses[uint32(v.index)], resp)
+	// in tests, pointers point to the same underlying share..
+	d.SecShare.V = goodV
+
+	j, err := dealer.ProcessResponse(resp)
+
+	// invalid deal justified
+	goodV = j.Deal.SecShare.V
+	j.Deal.SecShare.V = wrongV
+	err = v.ProcessJustification(j)
+	assert.Error(t, err)
+	assert.True(t, v.aggregator.badDealer)
+	j.Deal.SecShare.V = goodV
+	v.aggregator.badDealer = false
+
+	// valid complaint
+	assert.Nil(t, v.ProcessJustification(j))
+
+	// invalid complaint
+	resp.SessionID = randomBytes(len(resp.SessionID))
+	badJ, err := dealer.ProcessResponse(resp)
+	assert.Nil(t, badJ)
+	assert.Error(t, err)
+	resp.SessionID = dealer.sid
+
+	// no complaints for this justification before
+	delete(v.aggregator.responses, uint32(v.index))
+	assert.Error(t, v.ProcessJustification(j))
+	v.aggregator.responses[uint32(v.index)] = resp
+
+}
+
+func TestVSSAggregatorVerifyResponseDuplicate(t *testing.T) {
+	dealer, verifiers := genAll()
+	v1 := verifiers[0]
+	v2 := verifiers[1]
+	//d1 := dealer.deals[0]
+	//d2 := dealer.deals[1]
+	encD1, _ := dealer.EncryptedDeal(0)
+	encD2, _ := dealer.EncryptedDeal(1)
+
+	resp1, err := v1.ProcessEncryptedDeal(encD1)
+	assert.Nil(t, err)
+	assert.NotNil(t, resp1)
+	assert.Equal(t, true, resp1.Approved)
+
+	resp2, err := v2.ProcessEncryptedDeal(encD2)
+	assert.Nil(t, err)
+	assert.NotNil(t, resp2)
+	assert.Equal(t, true, resp2.Approved)
+
+	err = v1.ProcessResponse(resp2)
+	assert.Nil(t, err)
+	r, ok := v1.aggregator.responses[uint32(v2.index)]
+	assert.True(t, ok)
+	assert.Equal(t, resp2, r)
+
+	err = v1.ProcessResponse(resp2)
+	assert.Error(t, err)
+
+	delete(v1.aggregator.responses, uint32(v2.index))
+	v1.aggregator.responses[uint32(v2.index)] = &Response{Approved: true}
+	err = v1.ProcessResponse(resp2)
+	assert.Error(t, err)
+}
+
+func TestVSSAggregatorVerifyResponse(t *testing.T) {
+	dealer, verifiers := genAll()
+	v := verifiers[0]
+	deal := dealer.deals[0]
+	//goodSec := deal.SecShare.V
+	wrongSec, _ := genPair()
+	deal.SecShare.V = wrongSec
+	encD, _ := dealer.EncryptedDeal(0)
+	// valid complaint
+	resp, err := v.ProcessEncryptedDeal(encD)
+	assert.Nil(t, err)
+	assert.NotNil(t, resp)
+	assert.Equal(t, false, resp.Approved)
+	assert.NotNil(t, v.aggregator)
+	assert.Equal(t, resp.SessionID, dealer.sid)
+
+	aggr := v.aggregator
+	r, ok := aggr.responses[uint32(v.index)]
+	assert.True(t, ok)
+	assert.Equal(t, false, r.Approved)
+
+	// wrong index
+	resp.Index = uint32(len(verifiersPub))
+	sig, err := schnorr.Sign(suite, v.longterm, resp.Hash(suite))
+	resp.Signature = sig
+	assert.Error(t, aggr.verifyResponse(resp))
+	resp.Index = 0
+
+	// wrong signature
+	goodSig := resp.Signature
+	resp.Signature = randomBytes(len(goodSig))
+	assert.Error(t, aggr.verifyResponse(resp))
+	resp.Signature = goodSig
+
+	// wrongID
+	wrongID := randomBytes(len(resp.SessionID))
+	goodID := resp.SessionID
+	resp.SessionID = wrongID
+	assert.Error(t, aggr.verifyResponse(resp))
+	resp.SessionID = goodID
+}
+
+func TestVSSAggregatorVerifyDeal(t *testing.T) {
+	dealer := genDealer()
+	aggr := dealer.aggregator
+	deals := dealer.deals
+
+	// OK
+	deal := deals[0]
+	err := aggr.VerifyDeal(deal, true)
+	assert.NoError(t, err)
+	assert.NotNil(t, aggr.deal)
+
+	// already received deal
+	err = aggr.VerifyDeal(deal, true)
+	assert.Error(t, err)
+
+	// wrong T
+	wrongT := uint32(1)
+	goodT := deal.T
+	deal.T = wrongT
+	assert.Error(t, aggr.VerifyDeal(deal, false))
+	deal.T = goodT
+
+	// wrong SessionID
+	goodSid := deal.SessionID
+	deal.SessionID = make([]byte, 32)
+	assert.Error(t, aggr.VerifyDeal(deal, false))
+	deal.SessionID = goodSid
+
+	// index different in one share
+	goodI := deal.RndShare.I
+	deal.RndShare.I = goodI + 1
+	assert.Error(t, aggr.VerifyDeal(deal, false))
+	deal.RndShare.I = goodI
+
+	// index not in bounds
+	deal.SecShare.I = -1
+	assert.Error(t, aggr.VerifyDeal(deal, false))
+	deal.SecShare.I = len(verifiersPub)
+	assert.Error(t, aggr.VerifyDeal(deal, false))
+
+	// shares invalid in respect to the commitments
+	wrongSec, _ := genPair()
+	deal.SecShare.V = wrongSec
+	assert.Error(t, aggr.VerifyDeal(deal, false))
+}
+
+func TestVSSAggregatorAddComplaint(t *testing.T) {
+	dealer := genDealer()
+	aggr := dealer.aggregator
+
+	var idx uint32 = 1
+	c := &Response{
+		Index:    idx,
+		Approved: false,
+	}
+	// ok
+	assert.Nil(t, aggr.addResponse(c))
+	assert.Equal(t, aggr.responses[idx], c)
+
+	// response already there
+	assert.Error(t, aggr.addResponse(c))
+	delete(aggr.responses, idx)
+
+}
+
+func TestVSSAggregatorCleanVerifiers(t *testing.T) {
+	dealer := genDealer()
+	aggr := dealer.aggregator
+
+	for i := 0; i < aggr.t; i++ {
+		aggr.responses[uint32(i)] = &Response{Approved: true}
+	}
+
+	assert.True(t, aggr.EnoughApprovals())
+	assert.False(t, aggr.DealCertified())
+
+	aggr.cleanVerifiers()
+
+	assert.True(t, aggr.DealCertified())
+}
+
+func TestVSSDealerSetTimeout(t *testing.T) {
+	dealer := genDealer()
+	aggr := dealer.aggregator
+
+	for i := 0; i < aggr.t; i++ {
+		aggr.responses[uint32(i)] = &Response{Approved: true}
+	}
+
+	assert.True(t, aggr.EnoughApprovals())
+	assert.False(t, aggr.DealCertified())
+
+	dealer.SetTimeout()
+
+	assert.True(t, aggr.DealCertified())
+}
+
+func TestVSSVerifierSetTimeout(t *testing.T) {
+	dealer, verifiers := genAll()
+	ver := verifiers[0]
+
+	encD, err := dealer.EncryptedDeal(0)
+
+	require.Nil(t, err)
+
+	resp, err := ver.ProcessEncryptedDeal(encD)
+
+	require.Nil(t, err)
+	require.NotNil(t, resp)
+
+	aggr := ver.aggregator
+
+	for i := 0; i < aggr.t; i++ {
+		aggr.responses[uint32(i)] = &Response{Approved: true}
+	}
+
+	assert.True(t, aggr.EnoughApprovals())
+	assert.False(t, aggr.DealCertified())
+
+	ver.SetTimeout()
+
+	assert.True(t, aggr.DealCertified())
+}
+
+func TestVSSSessionID(t *testing.T) {
+	dealer, _ := NewDealer(suite, dealerSec, secret, verifiersPub, vssThreshold)
+	commitments := dealer.deals[0].Commitments
+	sid, err := sessionID(suite, dealerPub, verifiersPub, commitments, dealer.t)
+	assert.NoError(t, err)
+
+	sid2, err2 := sessionID(suite, dealerPub, verifiersPub, commitments, dealer.t)
+	assert.NoError(t, err2)
+	assert.Equal(t, sid, sid2)
+
+	wrongDealerPub := suite.Point().Add(dealerPub, dealerPub)
+
+	sid3, err3 := sessionID(suite, wrongDealerPub, verifiersPub, commitments, dealer.t)
+	assert.NoError(t, err3)
+	assert.NotEqual(t, sid3, sid2)
+}
+
+func TestVSSFindPub(t *testing.T) {
+	p, ok := findPub(verifiersPub, 0)
+	assert.True(t, ok)
+	assert.Equal(t, verifiersPub[0], p)
+
+	p, ok = findPub(verifiersPub, uint32(len(verifiersPub)))
+	assert.False(t, ok)
+	assert.Nil(t, p)
+}
+
+func TestVSSDHExchange(t *testing.T) {
+	pub := suite.Point().Base()
+	priv := suite.Scalar().Pick(suite.RandomStream())
+	point := dhExchange(suite, priv, pub)
+	assert.Equal(t, pub.Mul(priv, nil).String(), point.String())
+}
+
+func TestVSSContext(t *testing.T) {
+	c := context(suite, dealerPub, verifiersPub)
+	assert.Len(t, c, keySize)
+}
+
+func genPair() (kyber.Scalar, kyber.Point) {
+	secret := suite.Scalar().Pick(suite.RandomStream())
+	public := suite.Point().Mul(secret, nil)
+	return secret, public
+}
+
+func genCommits(n int) ([]kyber.Scalar, []kyber.Point) {
+	var secrets = make([]kyber.Scalar, n)
+	var publics = make([]kyber.Point, n)
+	for i := 0; i < n; i++ {
+		secrets[i], publics[i] = genPair()
+	}
+	return secrets, publics
+}
+
+func genDealer() *Dealer {
+	d, _ := NewDealer(suite, dealerSec, secret, verifiersPub, vssThreshold)
+	return d
+}
+
+func genAll() (*Dealer, []*Verifier) {
+	dealer := genDealer()
+	var verifiers = make([]*Verifier, nbVerifiers)
+	for i := 0; i < nbVerifiers; i++ {
+		v, _ := NewVerifier(suite, verifiersSec[i], dealerPub, verifiersPub)
+		verifiers[i] = v
+	}
+	return dealer, verifiers
+}
+
+func randomBytes(n int) []byte {
+	var buff = make([]byte, n)
+	_, err := rand.Read(buff)
+	if err != nil {
+		panic(err)
+	}
+	return buff
+}
diff --git a/kyber/shuffle/biffle.go b/kyber/shuffle/biffle.go
new file mode 100644
index 0000000000..af0ec72d3a
--- /dev/null
+++ b/kyber/shuffle/biffle.go
@@ -0,0 +1,91 @@
+package shuffle
+
+import (
+	"crypto/cipher"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/proof"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+func bifflePred() proof.Predicate {
+
+	// Branch 0 of either/or proof (for bit=0)
+	rep000 := proof.Rep("Xbar0-X0", "beta0", "G")
+	rep001 := proof.Rep("Ybar0-Y0", "beta0", "H")
+	rep010 := proof.Rep("Xbar1-X1", "beta1", "G")
+	rep011 := proof.Rep("Ybar1-Y1", "beta1", "H")
+
+	// Branch 1 of either/or proof (for bit=1)
+	rep100 := proof.Rep("Xbar0-X1", "beta1", "G")
+	rep101 := proof.Rep("Ybar0-Y1", "beta1", "H")
+	rep110 := proof.Rep("Xbar1-X0", "beta0", "G")
+	rep111 := proof.Rep("Ybar1-Y0", "beta0", "H")
+
+	and0 := proof.And(rep000, rep001, rep010, rep011)
+	and1 := proof.And(rep100, rep101, rep110, rep111)
+
+	or := proof.Or(and0, and1)
+	return or
+}
+
+func bifflePoints(suite Suite, G, H kyber.Point,
+	X, Y, Xbar, Ybar [2]kyber.Point) map[string]kyber.Point {
+
+	return map[string]kyber.Point{
+		"G":        G,
+		"H":        H,
+		"Xbar0-X0": suite.Point().Sub(Xbar[0], X[0]),
+		"Ybar0-Y0": suite.Point().Sub(Ybar[0], Y[0]),
+		"Xbar1-X1": suite.Point().Sub(Xbar[1], X[1]),
+		"Ybar1-Y1": suite.Point().Sub(Ybar[1], Y[1]),
+		"Xbar0-X1": suite.Point().Sub(Xbar[0], X[1]),
+		"Ybar0-Y1": suite.Point().Sub(Ybar[0], Y[1]),
+		"Xbar1-X0": suite.Point().Sub(Xbar[1], X[0]),
+		"Ybar1-Y0": suite.Point().Sub(Ybar[1], Y[0])}
+}
+
+// Biffle is a binary shuffle ("biffle") for 2 ciphertexts based on general ZKPs.
+func Biffle(suite Suite, G, H kyber.Point,
+	X, Y [2]kyber.Point, rand cipher.Stream) (
+	Xbar, Ybar [2]kyber.Point, prover proof.Prover) {
+
+	// Pick the single-bit permutation.
+	var buf [1]byte
+	random.Bytes(buf[:], rand)
+	bit := int(buf[0] & 1)
+
+	// Pick a fresh ElGamal blinding factor for each pair
+	var beta [2]kyber.Scalar
+	for i := 0; i < 2; i++ {
+		beta[i] = suite.Scalar().Pick(rand)
+	}
+
+	// Create the output pair vectors
+	for i := 0; i < 2; i++ {
+		piI := i ^ bit
+		Xbar[i] = suite.Point().Mul(beta[piI], G)
+		Xbar[i].Add(Xbar[i], X[piI])
+		Ybar[i] = suite.Point().Mul(beta[piI], H)
+		Ybar[i].Add(Ybar[i], Y[piI])
+	}
+
+	or := bifflePred()
+	secrets := map[string]kyber.Scalar{
+		"beta0": beta[0],
+		"beta1": beta[1]}
+	points := bifflePoints(suite, G, H, X, Y, Xbar, Ybar)
+	choice := map[proof.Predicate]int{or: bit}
+	prover = or.Prover(suite, secrets, points, choice)
+	return
+}
+
+// BiffleVerifier returns a verifier of the biffle
+func BiffleVerifier(suite Suite, G, H kyber.Point,
+	X, Y, Xbar, Ybar [2]kyber.Point) (
+	verifier proof.Verifier) {
+
+	or := bifflePred()
+	points := bifflePoints(suite, G, H, X, Y, Xbar, Ybar)
+	return or.Verifier(suite, points)
+}
diff --git a/kyber/shuffle/biffle_test.go b/kyber/shuffle/biffle_test.go
new file mode 100644
index 0000000000..2b73cde33b
--- /dev/null
+++ b/kyber/shuffle/biffle_test.go
@@ -0,0 +1,63 @@
+package shuffle
+
+import (
+	"testing"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/proof"
+	"go.dedis.ch/kyber/v3/xof/blake2xb"
+)
+
+func TestBiffle(t *testing.T) {
+	rand := blake2xb.New(nil)
+	s := edwards25519.NewBlakeSHA256Ed25519WithRand(rand)
+	biffleTest(s, N)
+}
+
+func biffleTest(suite Suite, N int) {
+	rand := suite.RandomStream()
+
+	// Create a "server" private/public keypair
+	h := suite.Scalar().Pick(rand)
+	H := suite.Point().Mul(h, nil)
+
+	// Create a set of ephemeral "client" keypairs to shuffle
+	var c [2]kyber.Scalar
+	var C [2]kyber.Point
+	//	fmt.Println("\nclient keys:")
+	for i := 0; i < 2; i++ {
+		c[i] = suite.Scalar().Pick(rand)
+		C[i] = suite.Point().Mul(c[i], nil)
+		//		fmt.Println(" "+C[i].String())
+	}
+
+	// ElGamal-encrypt all these keypairs with the "server" key
+	var X, Y [2]kyber.Point
+	r := suite.Scalar() // temporary
+	for i := 0; i < 2; i++ {
+		r.Pick(rand)
+		X[i] = suite.Point().Mul(r, nil)
+		Y[i] = suite.Point().Mul(r, H) // ElGamal blinding factor
+		Y[i].Add(Y[i], C[i])           // Encrypted client public key
+	}
+
+	// Repeat only the actual shuffle portion for test purposes.
+	for i := 0; i < N; i++ {
+
+		// Do a key-shuffle
+		Xbar, Ybar, prover := Biffle(suite, nil, H, X, Y, rand)
+		prf, err := proof.HashProve(suite, "Biffle", prover)
+		if err != nil {
+			panic("Biffle proof failed: " + err.Error())
+		}
+		//fmt.Printf("proof:\n%s\n",hex.Dump(prf))
+
+		// Check it
+		verifier := BiffleVerifier(suite, nil, H, X, Y, Xbar, Ybar)
+		err = proof.HashVerify(suite, "Biffle", verifier, prf)
+		if err != nil {
+			panic("Biffle verify failed: " + err.Error())
+		}
+	}
+}
diff --git a/kyber/shuffle/pair.go b/kyber/shuffle/pair.go
new file mode 100644
index 0000000000..9be69550f0
--- /dev/null
+++ b/kyber/shuffle/pair.go
@@ -0,0 +1,379 @@
+// Package shuffle implements Andrew Neff's verifiable shuffle proof scheme.
+// Neff's shuffle proof algorithm as implemented here is described in the paper
+// "Verifiable Mixing (Shuffling) of ElGamal Pairs", April 2004.
+//
+// The PairShuffle type implements the general algorithm
+// to prove the correctness of a shuffle of arbitrary ElGamal pairs.
+// This will be the primary API of interest for most applications.
+// For basic usage, the caller should first instantiate a PairShuffle object,
+// then invoke PairShuffle.Init() to initialize the shuffle parameters,
+// and finally invoke PairShuffle.Shuffle() to shuffle
+// a list of ElGamal pairs, yielding a list of re-randomized pairs
+// and a noninteractive proof of its correctness.
+//
+// The SimpleShuffle type implements Neff's more restrictive "simple shuffle",
+// which requires the prover to know the discrete logarithms
+// of all the individual ElGamal ciphertexts involved in the shuffle.
+// The general PairShuffle builds on this SimpleShuffle scheme,
+// but SimpleShuffle may also be used by itself in situations
+// that satisfy its assumptions, and is more efficient.
+package shuffle
+
+import (
+	"crypto/cipher"
+	"encoding/binary"
+	"errors"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/proof"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+// Suite wraps the functionalities needed by the shuffle/ package. These are the
+// same functionatlities needed by the proof/ package.
+type Suite proof.Suite
+
+// XX these could all be inlined into PairShuffleProof; do we want to?
+
+// XX the Zs in front of some field names are a kludge to make them
+// accessible via the reflection API,
+// which refuses to touch unexported fields in a struct.
+
+// P (Prover) step 1: public commitments
+type ega1 struct {
+	Gamma            kyber.Point
+	A, C, U, W       []kyber.Point
+	Lambda1, Lambda2 kyber.Point
+}
+
+// V (Verifier) step 2: random challenge t
+type ega2 struct {
+	Zrho []kyber.Scalar
+}
+
+// P step 3: Theta vectors
+type ega3 struct {
+	D []kyber.Point
+}
+
+// V step 4: random challenge c
+type ega4 struct {
+	Zlambda kyber.Scalar
+}
+
+// P step 5: alpha vector
+type ega5 struct {
+	Zsigma []kyber.Scalar
+	Ztau   kyber.Scalar
+}
+
+// P and V, step 5: simple k-shuffle proof
+type ega6 struct {
+	SimpleShuffle
+}
+
+// PairShuffle creates a proof of the correctness of a shuffle
+// of a series of ElGamal pairs.
+//
+// The caller must first invoke Init()
+// to establish the cryptographic parameters for the shuffle:
+// in particular, the relevant cryptographic Group,
+// and the number of ElGamal pairs to be shuffled.
+//
+// The caller then may either perform its own shuffle,
+// according to a permutation of the caller's choosing,
+// and invoke Prove() to create a proof of its correctness;
+// or alternatively the caller may simply invoke Shuffle()
+// to pick a random permutation, compute the shuffle,
+// and compute the correctness proof.
+type PairShuffle struct {
+	grp kyber.Group
+	k   int
+	p1  ega1
+	v2  ega2
+	p3  ega3
+	v4  ega4
+	p5  ega5
+	pv6 SimpleShuffle
+}
+
+// Init creates a new PairShuffleProof instance for a k-element ElGamal pair shuffle.
+// This protocol follows the ElGamal Pair Shuffle defined in section 4 of
+// Andrew Neff, "Verifiable Mixing (Shuffling) of ElGamal Pairs", 2004.
+func (ps *PairShuffle) Init(grp kyber.Group, k int) *PairShuffle {
+
+	if k <= 1 {
+		panic("can't shuffle permutation of size <= 1")
+	}
+
+	// Create a well-formed PairShuffleProof with arrays correctly sized.
+	ps.grp = grp
+	ps.k = k
+	ps.p1.A = make([]kyber.Point, k)
+	ps.p1.C = make([]kyber.Point, k)
+	ps.p1.U = make([]kyber.Point, k)
+	ps.p1.W = make([]kyber.Point, k)
+	ps.v2.Zrho = make([]kyber.Scalar, k)
+	ps.p3.D = make([]kyber.Point, k)
+	ps.p5.Zsigma = make([]kyber.Scalar, k)
+	ps.pv6.Init(grp, k)
+
+	return ps
+}
+
+// Prove returns an error if the shuffle is not correct.
+func (ps *PairShuffle) Prove(
+	pi []int, g, h kyber.Point, beta []kyber.Scalar,
+	X, Y []kyber.Point, rand cipher.Stream,
+	ctx proof.ProverContext) error {
+
+	grp := ps.grp
+	k := ps.k
+	if k != len(pi) || k != len(beta) {
+		panic("mismatched vector lengths")
+	}
+
+	// Compute pi^-1 inverse permutation
+	piinv := make([]int, k)
+	for i := 0; i < k; i++ {
+		piinv[pi[i]] = i
+	}
+
+	// P step 1
+	p1 := &ps.p1
+	z := grp.Scalar() // scratch
+
+	// pick random secrets
+	u := make([]kyber.Scalar, k)
+	w := make([]kyber.Scalar, k)
+	a := make([]kyber.Scalar, k)
+	var tau0, nu, gamma kyber.Scalar
+	ctx.PriRand(u, w, a, &tau0, &nu, &gamma)
+
+	// compute public commits
+	p1.Gamma = grp.Point().Mul(gamma, g)
+	wbeta := grp.Scalar() // scratch
+	wbetasum := grp.Scalar().Set(tau0)
+	p1.Lambda1 = grp.Point().Null()
+	p1.Lambda2 = grp.Point().Null()
+	XY := grp.Point()  // scratch
+	wu := grp.Scalar() // scratch
+	for i := 0; i < k; i++ {
+		p1.A[i] = grp.Point().Mul(a[i], g)
+		p1.C[i] = grp.Point().Mul(z.Mul(gamma, a[pi[i]]), g)
+		p1.U[i] = grp.Point().Mul(u[i], g)
+		p1.W[i] = grp.Point().Mul(z.Mul(gamma, w[i]), g)
+		wbetasum.Add(wbetasum, wbeta.Mul(w[i], beta[pi[i]]))
+		p1.Lambda1.Add(p1.Lambda1, XY.Mul(wu.Sub(w[piinv[i]], u[i]), X[i]))
+		p1.Lambda2.Add(p1.Lambda2, XY.Mul(wu.Sub(w[piinv[i]], u[i]), Y[i]))
+	}
+	p1.Lambda1.Add(p1.Lambda1, XY.Mul(wbetasum, g))
+	p1.Lambda2.Add(p1.Lambda2, XY.Mul(wbetasum, h))
+	if err := ctx.Put(p1); err != nil {
+		return err
+	}
+
+	// V step 2
+	v2 := &ps.v2
+	if err := ctx.PubRand(v2); err != nil {
+		return err
+	}
+	B := make([]kyber.Point, k)
+	for i := 0; i < k; i++ {
+		P := grp.Point().Mul(v2.Zrho[i], g)
+		B[i] = P.Sub(P, p1.U[i])
+	}
+
+	// P step 3
+	p3 := &ps.p3
+	b := make([]kyber.Scalar, k)
+	for i := 0; i < k; i++ {
+		b[i] = grp.Scalar().Sub(v2.Zrho[i], u[i])
+	}
+	d := make([]kyber.Scalar, k)
+	for i := 0; i < k; i++ {
+		d[i] = grp.Scalar().Mul(gamma, b[pi[i]])
+		p3.D[i] = grp.Point().Mul(d[i], g)
+	}
+	if err := ctx.Put(p3); err != nil {
+		return err
+	}
+
+	// V step 4
+	v4 := &ps.v4
+	if err := ctx.PubRand(v4); err != nil {
+		return err
+	}
+
+	// P step 5
+	p5 := &ps.p5
+	r := make([]kyber.Scalar, k)
+	for i := 0; i < k; i++ {
+		r[i] = grp.Scalar().Add(a[i], z.Mul(v4.Zlambda, b[i]))
+	}
+	s := make([]kyber.Scalar, k)
+	for i := 0; i < k; i++ {
+		s[i] = grp.Scalar().Mul(gamma, r[pi[i]])
+	}
+	p5.Ztau = grp.Scalar().Neg(tau0)
+	for i := 0; i < k; i++ {
+		p5.Zsigma[i] = grp.Scalar().Add(w[i], b[pi[i]])
+		p5.Ztau.Add(p5.Ztau, z.Mul(b[i], beta[i]))
+	}
+	if err := ctx.Put(p5); err != nil {
+		return err
+	}
+
+	// P,V step 6: embedded simple k-shuffle proof
+	return ps.pv6.Prove(g, gamma, r, s, rand, ctx)
+}
+
+// Verify ElGamal Pair Shuffle proofs.
+func (ps *PairShuffle) Verify(
+	g, h kyber.Point, X, Y, Xbar, Ybar []kyber.Point,
+	ctx proof.VerifierContext) error {
+
+	// Validate all vector lengths
+	grp := ps.grp
+	k := ps.k
+	if len(X) != k || len(Y) != k || len(Xbar) != k || len(Ybar) != k {
+		panic("mismatched vector lengths")
+	}
+
+	// P step 1
+	p1 := &ps.p1
+	if err := ctx.Get(p1); err != nil {
+		return err
+	}
+
+	// V step 2
+	v2 := &ps.v2
+	if err := ctx.PubRand(v2); err != nil {
+		return err
+	}
+	B := make([]kyber.Point, k)
+	for i := 0; i < k; i++ {
+		P := grp.Point().Mul(v2.Zrho[i], g)
+		B[i] = P.Sub(P, p1.U[i])
+	}
+
+	// P step 3
+	p3 := &ps.p3
+	if err := ctx.Get(p3); err != nil {
+		return err
+	}
+
+	// V step 4
+	v4 := &ps.v4
+	if err := ctx.PubRand(v4); err != nil {
+		return err
+	}
+
+	// P step 5
+	p5 := &ps.p5
+	if err := ctx.Get(p5); err != nil {
+		return err
+	}
+
+	// P,V step 6: simple k-shuffle
+	if err := ps.pv6.Verify(g, p1.Gamma, ctx); err != nil {
+		return err
+	}
+
+	// V step 7
+	Phi1 := grp.Point().Null()
+	Phi2 := grp.Point().Null()
+	P := grp.Point() // scratch
+	Q := grp.Point() // scratch
+	for i := 0; i < k; i++ {
+		Phi1 = Phi1.Add(Phi1, P.Mul(p5.Zsigma[i], Xbar[i])) // (31)
+		Phi1 = Phi1.Sub(Phi1, P.Mul(v2.Zrho[i], X[i]))
+		Phi2 = Phi2.Add(Phi2, P.Mul(p5.Zsigma[i], Ybar[i])) // (32)
+		Phi2 = Phi2.Sub(Phi2, P.Mul(v2.Zrho[i], Y[i]))
+		//		println("i",i)
+		if !P.Mul(p5.Zsigma[i], p1.Gamma).Equal( // (33)
+			Q.Add(p1.W[i], p3.D[i])) {
+			return errors.New("invalid PairShuffleProof")
+		}
+	}
+	//	println("last")
+	//	println("Phi1",Phi1.String());
+	//	println("Phi2",Phi2.String());
+	//	println("1",P.Add(p1.Lambda1,Q.Mul(g,p5.Ztau)).String());
+	//	println("2",P.Add(p1.Lambda2,Q.Mul(h,p5.Ztau)).String());
+	if !P.Add(p1.Lambda1, Q.Mul(p5.Ztau, g)).Equal(Phi1) || // (34)
+		!P.Add(p1.Lambda2, Q.Mul(p5.Ztau, h)).Equal(Phi2) { // (35)
+		return errors.New("invalid PairShuffleProof")
+	}
+
+	return nil
+}
+
+// Shuffle randomly shuffles and re-randomizes a set of ElGamal pairs,
+// producing a correctness proof in the process.
+// Returns (Xbar,Ybar), the shuffled and randomized pairs.
+// If g or h is nil, the standard base point is used.
+func Shuffle(group kyber.Group, g, h kyber.Point, X, Y []kyber.Point,
+	rand cipher.Stream) (XX, YY []kyber.Point, P proof.Prover) {
+
+	k := len(X)
+	if k != len(Y) {
+		panic("X,Y vectors have inconsistent length")
+	}
+
+	ps := PairShuffle{}
+	ps.Init(group, k)
+
+	// Pick a random permutation
+	pi := make([]int, k)
+	for i := 0; i < k; i++ { // Initialize a trivial permutation
+		pi[i] = i
+	}
+	for i := k - 1; i > 0; i-- { // Shuffle by random swaps
+		j := int(randUint64(rand) % uint64(i+1))
+		if j != i {
+			t := pi[j]
+			pi[j] = pi[i]
+			pi[i] = t
+		}
+	}
+
+	// Pick a fresh ElGamal blinding factor for each pair
+	beta := make([]kyber.Scalar, k)
+	for i := 0; i < k; i++ {
+		beta[i] = ps.grp.Scalar().Pick(rand)
+	}
+
+	// Create the output pair vectors
+	Xbar := make([]kyber.Point, k)
+	Ybar := make([]kyber.Point, k)
+	for i := 0; i < k; i++ {
+		Xbar[i] = ps.grp.Point().Mul(beta[pi[i]], g)
+		Xbar[i].Add(Xbar[i], X[pi[i]])
+		Ybar[i] = ps.grp.Point().Mul(beta[pi[i]], h)
+		Ybar[i].Add(Ybar[i], Y[pi[i]])
+	}
+
+	prover := func(ctx proof.ProverContext) error {
+		return ps.Prove(pi, g, h, beta, X, Y, rand, ctx)
+	}
+	return Xbar, Ybar, prover
+}
+
+// randUint64 chooses a uniform random uint64
+func randUint64(rand cipher.Stream) uint64 {
+	b := random.Bits(64, false, rand)
+	return binary.BigEndian.Uint64(b)
+}
+
+// Verifier produces a Sigma-protocol verifier to check the correctness of a shuffle.
+func Verifier(group kyber.Group, g, h kyber.Point,
+	X, Y, Xbar, Ybar []kyber.Point) proof.Verifier {
+
+	ps := PairShuffle{}
+	ps.Init(group, len(X))
+	verifier := func(ctx proof.VerifierContext) error {
+		return ps.Verify(g, h, X, Y, Xbar, Ybar, ctx)
+	}
+	return verifier
+}
diff --git a/kyber/shuffle/shuffle_test.go b/kyber/shuffle/shuffle_test.go
new file mode 100644
index 0000000000..c46fb1323f
--- /dev/null
+++ b/kyber/shuffle/shuffle_test.go
@@ -0,0 +1,66 @@
+package shuffle
+
+import (
+	"testing"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/proof"
+	"go.dedis.ch/kyber/v3/xof/blake2xb"
+)
+
+var k = 5
+var N = 10
+
+func TestShuffle(t *testing.T) {
+	s := edwards25519.NewBlakeSHA256Ed25519WithRand(blake2xb.New(nil))
+	shuffleTest(s, k, N)
+}
+
+func shuffleTest(suite Suite, k, N int) {
+	rand := suite.RandomStream()
+
+	// Create a "server" private/public keypair
+	h := suite.Scalar().Pick(rand)
+	H := suite.Point().Mul(h, nil)
+
+	// Create a set of ephemeral "client" keypairs to shuffle
+	c := make([]kyber.Scalar, k)
+	C := make([]kyber.Point, k)
+	//	fmt.Println("\nclient keys:")
+	for i := 0; i < k; i++ {
+		c[i] = suite.Scalar().Pick(rand)
+		C[i] = suite.Point().Mul(c[i], nil)
+		//		fmt.Println(" "+C[i].String())
+	}
+
+	// ElGamal-encrypt all these keypairs with the "server" key
+	X := make([]kyber.Point, k)
+	Y := make([]kyber.Point, k)
+	r := suite.Scalar() // temporary
+	for i := 0; i < k; i++ {
+		r.Pick(rand)
+		X[i] = suite.Point().Mul(r, nil)
+		Y[i] = suite.Point().Mul(r, H) // ElGamal blinding factor
+		Y[i].Add(Y[i], C[i])           // Encrypted client public key
+	}
+
+	// Repeat only the actual shuffle portion for test purposes.
+	for i := 0; i < N; i++ {
+
+		// Do a key-shuffle
+		Xbar, Ybar, prover := Shuffle(suite, nil, H, X, Y, rand)
+		prf, err := proof.HashProve(suite, "PairShuffle", prover)
+		if err != nil {
+			panic("Shuffle proof failed: " + err.Error())
+		}
+		//fmt.Printf("proof:\n%s\n",hex.Dump(prf))
+
+		// Check it
+		verifier := Verifier(suite, nil, H, X, Y, Xbar, Ybar)
+		err = proof.HashVerify(suite, "PairShuffle", verifier, prf)
+		if err != nil {
+			panic("Shuffle verify failed: " + err.Error())
+		}
+	}
+}
diff --git a/kyber/shuffle/simple.go b/kyber/shuffle/simple.go
new file mode 100644
index 0000000000..7f7149815c
--- /dev/null
+++ b/kyber/shuffle/simple.go
@@ -0,0 +1,256 @@
+package shuffle
+
+import (
+	"crypto/cipher"
+	"errors"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/proof"
+)
+
+// XX the Zs in front of some field names are a kludge to make them
+// accessible via the reflection API,
+// which refuses to touch unexported fields in a struct.
+
+// P (Prover) step 0: public inputs to the simple k-shuffle.
+type ssa0 struct {
+	X []kyber.Point
+	Y []kyber.Point
+}
+
+// V (Verifier) step 1: random challenge t
+type ssa1 struct {
+	Zt kyber.Scalar
+}
+
+// P step 2: Theta vectors
+type ssa2 struct {
+	Theta []kyber.Point
+}
+
+// V step 3: random challenge c
+type ssa3 struct {
+	Zc kyber.Scalar
+}
+
+// P step 4: alpha vector
+type ssa4 struct {
+	Zalpha []kyber.Scalar
+}
+
+// SimpleShuffle is the "Simple k-shuffle" defined in section 3 of
+// Neff, "Verifiable Mixing (Shuffling) of ElGamal Pairs", 2004.
+type SimpleShuffle struct {
+	grp kyber.Group
+	p0  ssa0
+	v1  ssa1
+	p2  ssa2
+	v3  ssa3
+	p4  ssa4
+}
+
+// Simple helper to compute G^{ab-cd} for Theta vector computation.
+func thenc(grp kyber.Group, G kyber.Point,
+	a, b, c, d kyber.Scalar) kyber.Point {
+
+	var ab, cd kyber.Scalar
+	if a != nil {
+		ab = grp.Scalar().Mul(a, b)
+	} else {
+		ab = grp.Scalar().Zero()
+	}
+	if c != nil {
+		if d != nil {
+			cd = grp.Scalar().Mul(c, d)
+		} else {
+			cd = c
+		}
+	} else {
+		cd = grp.Scalar().Zero()
+	}
+	return grp.Point().Mul(ab.Sub(ab, cd), G)
+}
+
+// Init initializes the simple shuffle with the given group and the k parameter
+// from the paper.
+func (ss *SimpleShuffle) Init(grp kyber.Group, k int) *SimpleShuffle {
+	ss.grp = grp
+	ss.p0.X = make([]kyber.Point, k)
+	ss.p0.Y = make([]kyber.Point, k)
+	ss.p2.Theta = make([]kyber.Point, 2*k)
+	ss.p4.Zalpha = make([]kyber.Scalar, 2*k-1)
+	return ss
+}
+
+// Prove the  "Simple k-shuffle" defined in section 3 of
+// Neff, "Verifiable Mixing (Shuffling) of ElGamal Pairs", 2004.
+// The Scalar vector y must be a permutation of Scalar vector x
+// but with all elements multiplied by common Scalar gamma.
+func (ss *SimpleShuffle) Prove(G kyber.Point, gamma kyber.Scalar,
+	x, y []kyber.Scalar, rand cipher.Stream,
+	ctx proof.ProverContext) error {
+
+	grp := ss.grp
+
+	k := len(x)
+	if k <= 1 {
+		panic("can't shuffle length 1 vector")
+	}
+	if k != len(y) {
+		panic("mismatched vector lengths")
+	}
+
+	//	// Dump input vectors to show their correspondences
+	//	for i := 0; i < k; i++ {
+	//		println("x",grp.Scalar().Mul(gamma,x[i]).String())
+	//	}
+	//	for i := 0; i < k; i++ {
+	//		println("y",y[i].String())
+	//	}
+
+	// Step 0: inputs
+	for i := 0; i < k; i++ { // (4)
+		ss.p0.X[i] = grp.Point().Mul(x[i], G)
+		ss.p0.Y[i] = grp.Point().Mul(y[i], G)
+	}
+	if err := ctx.Put(ss.p0); err != nil {
+		return err
+	}
+
+	// V step 1
+	if err := ctx.PubRand(&ss.v1); err != nil {
+		return err
+	}
+	t := ss.v1.Zt
+
+	// P step 2
+	gammaT := grp.Scalar().Mul(gamma, t)
+	xhat := make([]kyber.Scalar, k)
+	yhat := make([]kyber.Scalar, k)
+	for i := 0; i < k; i++ { // (5) and (6) xhat,yhat vectors
+		xhat[i] = grp.Scalar().Sub(x[i], t)
+		yhat[i] = grp.Scalar().Sub(y[i], gammaT)
+	}
+	thlen := 2*k - 1 // (7) theta and Theta vectors
+	theta := make([]kyber.Scalar, thlen)
+	ctx.PriRand(theta)
+	Theta := make([]kyber.Point, thlen+1)
+	Theta[0] = thenc(grp, G, nil, nil, theta[0], yhat[0])
+	for i := 1; i < k; i++ {
+		Theta[i] = thenc(grp, G, theta[i-1], xhat[i],
+			theta[i], yhat[i])
+	}
+	for i := k; i < thlen; i++ {
+		Theta[i] = thenc(grp, G, theta[i-1], gamma,
+			theta[i], nil)
+	}
+	Theta[thlen] = thenc(grp, G, theta[thlen-1], gamma, nil, nil)
+	ss.p2.Theta = Theta
+	if err := ctx.Put(ss.p2); err != nil {
+		return err
+	}
+
+	// V step 3
+	if err := ctx.PubRand(&ss.v3); err != nil {
+		return err
+	}
+	c := ss.v3.Zc
+
+	// P step 4
+	alpha := make([]kyber.Scalar, thlen)
+	runprod := grp.Scalar().Set(c)
+	for i := 0; i < k; i++ { // (8)
+		runprod.Mul(runprod, xhat[i])
+		runprod.Div(runprod, yhat[i])
+		alpha[i] = grp.Scalar().Add(theta[i], runprod)
+	}
+	gammainv := grp.Scalar().Inv(gamma)
+	rungamma := grp.Scalar().Set(c)
+	for i := 1; i < k; i++ {
+		rungamma.Mul(rungamma, gammainv)
+		alpha[thlen-i] = grp.Scalar().Add(theta[thlen-i], rungamma)
+	}
+	ss.p4.Zalpha = alpha
+	return ctx.Put(ss.p4)
+}
+
+// Simple helper to verify Theta elements,
+// by checking whether A^a*B^-b = T.
+// P,Q,s are simply "scratch" kyber.Point/Scalars reused for efficiency.
+func thver(A, B, T, P, Q kyber.Point, a, b, s kyber.Scalar) bool {
+	P.Mul(a, A)
+	Q.Mul(s.Neg(b), B)
+	P.Add(P, Q)
+	return P.Equal(T)
+}
+
+// Verify for Neff simple k-shuffle proofs.
+func (ss *SimpleShuffle) Verify(G, Gamma kyber.Point,
+	ctx proof.VerifierContext) error {
+
+	grp := ss.grp
+
+	// extract proof transcript
+	X := ss.p0.X
+	Y := ss.p0.Y
+	Theta := ss.p2.Theta
+	alpha := ss.p4.Zalpha
+
+	// Validate all vector lengths
+	k := len(Y)
+	thlen := 2*k - 1
+	if k <= 1 || len(Y) != k || len(Theta) != thlen+1 ||
+		len(alpha) != thlen {
+		return errors.New("malformed SimpleShuffleProof")
+	}
+
+	// check verifiable challenges (usually by reproducing a hash)
+	if err := ctx.Get(ss.p0); err != nil {
+		return err
+	}
+	if err := ctx.PubRand(&ss.v1); err != nil { // fills in v1
+		return err
+	}
+	t := ss.v1.Zt
+	if err := ctx.Get(ss.p2); err != nil {
+		return err
+	}
+	if err := ctx.PubRand(&ss.v3); err != nil { // fills in v3
+		return err
+	}
+	c := ss.v3.Zc
+	if err := ctx.Get(ss.p4); err != nil {
+		return err
+	}
+
+	// Verifier step 5
+	negt := grp.Scalar().Neg(t)
+	U := grp.Point().Mul(negt, G)
+	W := grp.Point().Mul(negt, Gamma)
+	Xhat := make([]kyber.Point, k)
+	Yhat := make([]kyber.Point, k)
+	for i := 0; i < k; i++ {
+		Xhat[i] = grp.Point().Add(X[i], U)
+		Yhat[i] = grp.Point().Add(Y[i], W)
+	}
+	P := grp.Point() // scratch variables
+	Q := grp.Point()
+	s := grp.Scalar()
+	good := true
+	good = good && thver(Xhat[0], Yhat[0], Theta[0], P, Q, c, alpha[0], s)
+	for i := 1; i < k; i++ {
+		good = good && thver(Xhat[i], Yhat[i], Theta[i], P, Q,
+			alpha[i-1], alpha[i], s)
+	}
+	for i := k; i < thlen; i++ {
+		good = good && thver(Gamma, G, Theta[i], P, Q,
+			alpha[i-1], alpha[i], s)
+	}
+	good = good && thver(Gamma, G, Theta[thlen], P, Q,
+		alpha[thlen-1], c, s)
+	if !good {
+		return errors.New("incorrect SimpleShuffleProof")
+	}
+
+	return nil
+}
diff --git a/kyber/shuffle/vartime_test.go b/kyber/shuffle/vartime_test.go
new file mode 100644
index 0000000000..f996a7fd13
--- /dev/null
+++ b/kyber/shuffle/vartime_test.go
@@ -0,0 +1,19 @@
+package shuffle
+
+import (
+	"testing"
+
+	"go.dedis.ch/kyber/v3/group/nist"
+)
+
+func BenchmarkBiffleP256(b *testing.B) {
+	biffleTest(nist.NewBlakeSHA256P256(), b.N)
+}
+
+func Benchmark2PairShuffleP256(b *testing.B) {
+	shuffleTest(nist.NewBlakeSHA256P256(), 2, b.N)
+}
+
+func Benchmark10PairShuffleP256(b *testing.B) {
+	shuffleTest(nist.NewBlakeSHA256P256(), 10, b.N)
+}
diff --git a/kyber/sign/anon/anon.go b/kyber/sign/anon/anon.go
new file mode 100644
index 0000000000..a22168b68b
--- /dev/null
+++ b/kyber/sign/anon/anon.go
@@ -0,0 +1,10 @@
+// Package anon implements cryptographic primitives for anonymous communication.
+package anon
+
+import (
+	"go.dedis.ch/kyber/v3"
+)
+
+// Set represents an explicit anonymity set
+// as a list of public keys.
+type Set []kyber.Point
diff --git a/kyber/sign/anon/enc.go b/kyber/sign/anon/enc.go
new file mode 100644
index 0000000000..dc1d4f6740
--- /dev/null
+++ b/kyber/sign/anon/enc.go
@@ -0,0 +1,187 @@
+package anon
+
+import (
+	"crypto/subtle"
+	"errors"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/util/key"
+)
+
+func header(suite Suite, X kyber.Point, x kyber.Scalar,
+	Xb, xb []byte, anonymitySet Set) []byte {
+
+	//fmt.Printf("Xb %s\nxb %s\n",
+	//		hex.EncodeToString(Xb),hex.EncodeToString(xb))
+
+	// Encrypt the master scalar key with each public key in the set
+	S := suite.Point()
+	hdr := Xb
+	for i := range anonymitySet {
+		Y := anonymitySet[i]
+		S.Mul(x, Y) // compute DH shared secret
+		seed, _ := S.MarshalBinary()
+		xof := suite.XOF(seed)
+		xc := make([]byte, len(xb))
+		xof.XORKeyStream(xc, xb)
+		hdr = append(hdr, xc...)
+	}
+	return hdr
+}
+
+// Create and encrypt a fresh key decryptable only by the given receivers.
+// Returns the secret key and the ciphertext.
+func encryptKey(suite Suite, anonymitySet Set) (k, c []byte) {
+	// Choose a keypair and encode its representation
+	kp := new(key.Pair)
+	var Xb []byte
+	kp.Gen(suite)
+	Xb, _ = kp.Public.MarshalBinary()
+	xb, _ := kp.Private.MarshalBinary()
+	// Generate the ciphertext header
+	return xb, header(suite, kp.Public, kp.Private, Xb, xb, anonymitySet)
+}
+
+// Decrypt and verify a key encrypted via encryptKey.
+// On success, returns the key and the length of the decrypted header.
+func decryptKey(suite Suite, ciphertext []byte, anonymitySet Set, mine int, privateKey kyber.Scalar) ([]byte, int, error) {
+	// Decode the (supposed) ephemeral public key from the front
+	X := suite.Point()
+	var Xb []byte
+	enclen := X.MarshalSize()
+	if len(ciphertext) < enclen {
+		return nil, 0, errors.New("ciphertext too short")
+	}
+	if err := X.UnmarshalBinary(ciphertext[:enclen]); err != nil {
+		return nil, 0, err
+	}
+	Xb = ciphertext[:enclen]
+	Xblen := len(Xb)
+
+	// Decode the (supposed) master secret with our private key
+	nkeys := len(anonymitySet)
+	if mine < 0 || mine >= nkeys {
+		panic("private-key index out of range")
+	}
+	seclen := suite.ScalarLen()
+	if len(ciphertext) < Xblen+seclen*nkeys {
+		return nil, 0, errors.New("ciphertext too short")
+	}
+	S := suite.Point().Mul(privateKey, X)
+	seed, _ := S.MarshalBinary()
+	xof := suite.XOF(seed)
+	xb := make([]byte, seclen)
+	secofs := Xblen + seclen*mine
+	xof.XORKeyStream(xb, ciphertext[secofs:secofs+seclen])
+	x := suite.Scalar()
+	if err := x.UnmarshalBinary(xb); err != nil {
+		return nil, 0, err
+	}
+
+	// Make sure it reproduces the correct ephemeral public key
+	Xv := suite.Point().Mul(x, nil)
+	if !X.Equal(Xv) {
+		return nil, 0, errors.New("invalid ciphertext")
+	}
+
+	// Regenerate and check the rest of the header,
+	// to ensure that that any of the anonymitySet members could decrypt it
+	hdr := header(suite, X, x, Xb, xb, anonymitySet)
+	hdrlen := len(hdr)
+	if hdrlen != Xblen+seclen*nkeys {
+		panic("wrong header size")
+	}
+	if subtle.ConstantTimeCompare(hdr, ciphertext[:hdrlen]) == 0 {
+		return nil, 0, errors.New("invalid ciphertext")
+	}
+
+	return xb, hdrlen, nil
+}
+
+// constantTimeAllEq returns 1 iff all bytes in slice x have the value y.
+// The time taken is a function of the length of the slices
+// and is independent of the contents.
+func constantTimeAllEq(x []byte, y byte) int {
+	var z byte
+	for _, b := range x {
+		z |= b ^ y
+	}
+	return subtle.ConstantTimeByteEq(z, 0)
+}
+
+// macSize is how long the hashes are that we extract from the XOF.
+// This constant of 16 is taken from the previous implementation's behavior.
+const macSize = 16
+
+// Encrypt a message for reading by any member of an explit anonymity set.
+// The caller supplies one or more keys representing the anonymity set.
+// If the provided set contains only one public key,
+// this reduces to conventional single-receiver public-key encryption.
+func Encrypt(suite Suite, message []byte,
+	anonymitySet Set) []byte {
+
+	xb, hdr := encryptKey(suite, anonymitySet)
+	xof := suite.XOF(xb)
+
+	// We now know the ciphertext layout
+	hdrhi := 0 + len(hdr)
+	msghi := hdrhi + len(message)
+	machi := msghi + macSize
+	ciphertext := make([]byte, machi)
+	copy(ciphertext, hdr)
+
+	// Now encrypt and MAC the message based on the master secret
+	ctx := ciphertext[hdrhi:msghi]
+	mac := ciphertext[msghi:machi]
+
+	xof.XORKeyStream(ctx, message)
+	xof = suite.XOF(ctx)
+	xof.Read(mac)
+
+	return ciphertext
+}
+
+// Decrypt a message encrypted for a particular anonymity set.
+// Returns the cleartext message on success, or an error on failure.
+//
+// The caller provides the anonymity set for which the message is intended,
+// and the private key corresponding to one of the public keys in the set.
+// Decrypt verifies that the message is encrypted correctly for this set -
+// in particular, that it could be decrypted by ALL of the listed members -
+// before returning successfully with the decrypted message.
+//
+// This verification ensures that a malicious sender
+// cannot de-anonymize a receiver by constructing a ciphertext incorrectly
+// so as to be decryptable by only some members of the set.
+// As a side-effect, this verification also ensures plaintext-awareness:
+// that is, it is infeasible for a sender to construct any ciphertext
+// that will be accepted by the receiver without knowing the plaintext.
+//
+func Decrypt(suite Suite, ciphertext []byte, anonymitySet Set, mine int, privateKey kyber.Scalar) ([]byte, error) {
+	// Decrypt and check the encrypted key-header.
+	xb, hdrlen, err := decryptKey(suite, ciphertext, anonymitySet,
+		mine, privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	// Determine the message layout
+	xof := suite.XOF(xb)
+	if len(ciphertext) < hdrlen+macSize {
+		return nil, errors.New("ciphertext too short")
+	}
+	hdrhi := hdrlen
+	msghi := len(ciphertext) - macSize
+
+	// Decrypt the message and check the MAC
+	ctx := ciphertext[hdrhi:msghi]
+	mac := ciphertext[msghi:]
+	msg := make([]byte, len(ctx))
+	xof.XORKeyStream(msg, ctx)
+	xof = suite.XOF(ctx)
+	xof.XORKeyStream(mac, mac)
+	if constantTimeAllEq(mac, 0) == 0 {
+		return nil, errors.New("invalid ciphertext: failed MAC check")
+	}
+	return msg, nil
+}
diff --git a/kyber/sign/anon/enc_test.go b/kyber/sign/anon/enc_test.go
new file mode 100644
index 0000000000..7c3fbe4fa2
--- /dev/null
+++ b/kyber/sign/anon/enc_test.go
@@ -0,0 +1,96 @@
+package anon
+
+import (
+	"bytes"
+	"encoding/hex"
+	"fmt"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/xof/blake2xb"
+)
+
+func ExampleEncrypt_one() {
+	// Crypto setup: Get a suite which returns a predictable
+	// random number stream for this example.
+	// In production, simply use edwards25519.NewBlakeSHA256Ed25519()
+	suite := edwards25519.NewBlakeSHA256Ed25519WithRand(blake2xb.New(nil))
+
+	// Create a public/private keypair (X[mine],x)
+	X := make([]kyber.Point, 1)
+	mine := 0                                      // which public key is mine
+	x := suite.Scalar().Pick(suite.RandomStream()) // create a private key x
+	X[mine] = suite.Point().Mul(x, nil)            // corresponding public key X
+
+	// Encrypt a message with the public key
+	M := []byte("Hello World!")
+	C := Encrypt(suite, M, Set(X))
+	fmt.Printf("Encryption of '%s':\n%s", string(M), hex.Dump(C))
+
+	// Decrypt the ciphertext with the private key
+	MM, err := Decrypt(suite, C, Set(X), mine, x)
+	if err != nil {
+		panic(err.Error())
+	}
+	if !bytes.Equal(M, MM) {
+		panic("Decryption failed to reproduce message")
+	}
+	fmt.Printf("Decrypted: '%s'\n", string(MM))
+
+	// Output:
+	// Encryption of 'Hello World!':
+	// 00000000  82 ea 76 3b 11 5f ee b2  ac 08 62 af 84 52 1c 0c  |..v;._....b..R..|
+	// 00000010  e9 1d 7d 15 b5 44 2e 65  cb 19 45 49 45 f0 10 8f  |..}..D.e..EIE...|
+	// 00000020  7b c3 0c 03 22 67 9f 54  9a 44 52 a9 bb ac 51 07  |{..."g.T.DR...Q.|
+	// 00000030  c8 98 9d 5d dd 54 11 e3  9f a9 7c 44 b5 c7 bf f8  |...].T....|D....|
+	// 00000040  23 af 58 fb 5f 40 2d 92  e9 63 fe 71 13 33 e0 ce  |#.X._@-..c.q.3..|
+	// 00000050  65 83 88 45 3c 88 3f bd  2f bd 3a 03              |e..E<.?./.:.|
+	// Decrypted: 'Hello World!'
+}
+
+func ExampleEncrypt_anonSet() {
+	// Crypto setup: Get a suite which returns a predictable
+	// random number stream for this example.
+	// In production, simply use edwards25519.NewBlakeSHA256Ed25519()
+	suite := edwards25519.NewBlakeSHA256Ed25519WithRand(blake2xb.New(nil))
+
+	// Create an anonymity set of random "public keys"
+	X := make([]kyber.Point, 3)
+	for i := range X { // pick random points
+		X[i] = suite.Point().Pick(suite.RandomStream())
+	}
+
+	// Make just one of them an actual public/private keypair (X[mine],x)
+	mine := 1                                      // only the signer knows this
+	x := suite.Scalar().Pick(suite.RandomStream()) // create a private key x
+	X[mine] = suite.Point().Mul(x, nil)            // corresponding public key X
+
+	// Encrypt a message with all the public keys
+	M := []byte("Hello World!") // message to encrypt
+	C := Encrypt(suite, M, Set(X))
+	fmt.Printf("Encryption of '%s':\n%s", string(M), hex.Dump(C))
+
+	// Decrypt the ciphertext with the known private key
+	MM, err := Decrypt(suite, C, Set(X), mine, x)
+	if err != nil {
+		panic(err.Error())
+	}
+	if !bytes.Equal(M, MM) {
+		panic("Decryption failed to reproduce message")
+	}
+	fmt.Printf("Decrypted: '%s'\n", string(MM))
+
+	// Output:
+	// Encryption of 'Hello World!':
+	// 00000000  c3 c2 10 b2 dc 66 58 f7  6d 3b 65 a4 c6 b9 2a d5  |.....fX.m;e...*.|
+	// 00000010  3f 8d f8 68 41 92 c7 84  ef 7d a1 6c 59 89 d0 bc  |?..hA....}.lY...|
+	// 00000020  ea 60 08 5f f4 ab 35 48  08 be 85 be e8 58 fa 84  |.`._..5H.....X..|
+	// 00000030  ea 97 d0 57 10 01 c4 bc  9f 65 18 a6 4c e1 d2 b9  |...W.....e..L...|
+	// 00000040  df 81 4a 63 da 92 56 49  20 f4 8a 9e ff d5 52 42  |..Jc..VI .....RB|
+	// 00000050  8d bd 28 b7 b3 61 3b 1c  89 12 cc 4b 8e d9 c0 7b  |..(..a;....K...{|
+	// 00000060  7d f5 d8 53 c9 9f cf e9  cc 68 35 d3 e8 bc 21 b1  |}..S.....h5...!.|
+	// 00000070  01 7d ae b4 b0 eb 5b c0  ad b7 c7 b6 c5 9c 01 df  |.}....[.........|
+	// 00000080  7c 35 28 21 1a 04 94 de  ba 0f 42 6e b9 9f bb c5  ||5(!......Bn....|
+	// 00000090  1e 37 4d ab 06 63 d2 37  97 d5 45 2a              |.7M..c.7..E*|
+	// Decrypted: 'Hello World!'
+}
diff --git a/kyber/sign/anon/sig.go b/kyber/sign/anon/sig.go
new file mode 100644
index 0000000000..cd0a2e5945
--- /dev/null
+++ b/kyber/sign/anon/sig.go
@@ -0,0 +1,251 @@
+package anon
+
+import (
+	"bytes"
+	"errors"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+// unlinkable ring signature
+type uSig struct {
+	C0 kyber.Scalar
+	S  []kyber.Scalar
+}
+
+// linkable ring signature
+type lSig struct {
+	C0  kyber.Scalar
+	S   []kyber.Scalar
+	Tag kyber.Point
+}
+
+func signH1pre(suite Suite, linkScope []byte, linkTag kyber.Point,
+	message []byte) kyber.XOF {
+	H1pre := suite.XOF(message) // m
+	if linkScope != nil {
+		_, _ = H1pre.Write(linkScope) // L
+		tag, _ := linkTag.MarshalBinary()
+		_, _ = H1pre.Write(tag) // ~y
+	}
+	return H1pre
+}
+
+func signH1(suite Suite, H1pre kyber.XOF, PG, PH kyber.Point) kyber.Scalar {
+	H1 := H1pre.Clone()
+	PGb, _ := PG.MarshalBinary()
+	_, _ = H1.Write(PGb)
+	if PH != nil {
+		PHb, _ := PH.MarshalBinary()
+		_, _ = H1.Write(PHb)
+	}
+	return suite.Scalar().Pick(H1)
+}
+
+// Sign creates an optionally anonymous, optionally linkable
+// signature on a given message.
+//
+// The caller supplies one or more public keys representing an anonymity set,
+// and the private key corresponding to one of those public keys.
+// The resulting signature proves to a verifier that the owner of
+// one of these public keys signed the message,
+// without revealing which key-holder signed the message,
+// offering anonymity among the members of this explicit anonymity set.
+// The other users whose keys are listed in the anonymity set need not consent
+// or even be aware that they have been included in an anonymity set:
+// anyone having a suitable public key may be "conscripted" into a set.
+//
+// If the provided anonymity set contains only one public key (the signer's),
+// then this function produces a traditional non-anonymous signature,
+// equivalent in both size and performance to a standard ElGamal signature.
+//
+// The caller may request either unlinkable or linkable anonymous signatures.
+// If linkScope is nil, this function generates an unlinkable signature,
+// which contains no information about which member signed the message.
+// The anonymity provided by unlinkable signatures is forward-secure,
+// in that a signature reveals nothing about which member generated it,
+// even if all members' private keys are later released.
+// For cryptographic background on unlinkable anonymity-set signatures -
+// also known as ring signatures or ad-hoc group signatures -
+// see Rivest, "How to Leak a Secret" at
+// https://people.csail.mit.edu/rivest/pubs/RST01.pdf.
+//
+// If the caller passes a non-nil linkScope,
+// the resulting anonymous signature will be linkable.
+// This means that given two signatures produced using the same linkScope,
+// a verifier will be able to tell whether
+// the same or different anonymity set members produced those signatures.
+// In particular, verifying a linkable signature yields a linkage tag.
+// This linkage tag has a 1-to-1 correspondence with the signer's public key
+// within a given linkScope, but is cryptographically unlinkable
+// to either the signer's public key or to linkage tags in other scopes.
+// The provided linkScope may be an arbitrary byte-string;
+// the only significance these scopes have is whether they are equal or unequal.
+// For details on the linkable signature algorithm this function implements,
+// see Liu/Wei/Wong,
+// "Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups" at
+// https://eprint.iacr.org/2004/027.
+//
+// Linkage tags may be used to protect against sock-puppetry or Sybil attacks
+// in situations where a verifier needs to know how many distinct members
+// of an anonymity set are present or signed messages in a given context.
+// It is cryptographically hard for one anonymity set member
+// to produce signatures with different linkage tags in the same scope.
+// An important and fundamental downside, however, is that
+// linkable signatures do NOT offer forward-secure anonymity.
+// If an anonymity set member's private key is later released,
+// it is trivial to check whether or not that member produced a given signature.
+// Also, anonymity set members who did NOT sign a message could
+// (voluntarily or under coercion) prove that they did not sign it,
+// e.g., simply by signing some other message in that linkage context
+// and noting that the resulting linkage tag comes out different.
+// Thus, linkable anonymous signatures are not appropriate to use
+// in situations where there may be significant risk
+// that members' private keys may later be compromised,
+// or that members may be persuaded or coerced into revealing whether or not
+// they produced a signature of interest.
+//
+func Sign(suite Suite, message []byte,
+	anonymitySet Set, linkScope []byte, mine int, privateKey kyber.Scalar) []byte {
+
+	// Note that Rivest's original ring construction directly supports
+	// heterogeneous rings containing public keys of different types -
+	// e.g., a mixture of RSA keys and DSA keys with varying parameters.
+	// Our ring signature construction currently supports
+	// only homogeneous rings containing compatible keys
+	// drawn from the cipher suite (e.g., the same elliptic curve).
+	// The upside to this constrint is greater flexibility:
+	// e.g., we also easily obtain linkable ring signatures,
+	// which are not readily feasible with the original ring construction.
+
+	n := len(anonymitySet)           // anonymity set size
+	L := []kyber.Point(anonymitySet) // public keys in anonymity set
+	pi := mine
+
+	// If we want a linkable ring signature, produce correct linkage tag,
+	// as a pseudorandom base point multiplied by our private key.
+	// Liu's scheme specifies the linkScope as a hash of the ring;
+	// this is one reasonable choice of linkage scope,
+	// but there are others, so we parameterize this choice.
+	var linkBase, linkTag kyber.Point
+	if linkScope != nil {
+		linkStream := suite.XOF(linkScope)
+		linkBase = suite.Point().Pick(linkStream)
+		linkTag = suite.Point().Mul(privateKey, linkBase)
+	}
+
+	// First pre-hash the parameters to H1
+	// that are invariant for different ring positions,
+	// so that we don't have to hash them many times.
+	H1pre := signH1pre(suite, linkScope, linkTag, message)
+
+	// Pick a random commit for my ring position
+	u := suite.Scalar().Pick(suite.RandomStream())
+	var UB, UL kyber.Point
+	UB = suite.Point().Mul(u, nil)
+	if linkScope != nil {
+		UL = suite.Point().Mul(u, linkBase)
+	}
+
+	// Build the challenge ring
+	s := make([]kyber.Scalar, n)
+	c := make([]kyber.Scalar, n)
+	c[(pi+1)%n] = signH1(suite, H1pre, UB, UL)
+	var P, PG, PH kyber.Point
+	P = suite.Point()
+	PG = suite.Point()
+	if linkScope != nil {
+		PH = suite.Point()
+	}
+	for i := (pi + 1) % n; i != pi; i = (i + 1) % n {
+		s[i] = suite.Scalar().Pick(suite.RandomStream())
+		PG.Add(PG.Mul(s[i], nil), P.Mul(c[i], L[i]))
+		if linkScope != nil {
+			PH.Add(PH.Mul(s[i], linkBase), P.Mul(c[i], linkTag))
+		}
+		c[(i+1)%n] = signH1(suite, H1pre, PG, PH)
+		//fmt.Printf("s%d %s\n",i,s[i].String())
+		//fmt.Printf("c%d %s\n",(i+1)%n,c[(i+1)%n].String())
+	}
+	s[pi] = suite.Scalar()
+	s[pi].Mul(privateKey, c[pi]).Sub(u, s[pi]) // s_pi = u - x_pi c_pi
+
+	// Encode and return the signature
+	buf := bytes.Buffer{}
+	if linkScope != nil { // linkable ring signature
+		sig := lSig{c[0], s, linkTag}
+		_ = suite.Write(&buf, &sig)
+	} else { // unlinkable ring signature
+		sig := uSig{c[0], s}
+		_ = suite.Write(&buf, &sig)
+	}
+	return buf.Bytes()
+}
+
+// Verify checks a signature generated by Sign.
+//
+// The caller provides the message, anonymity set, and linkage scope
+// with which the signature was purportedly produced.
+// If the signature is a valid linkable signature (linkScope != nil),
+// this function returns a linkage tag that uniquely corresponds
+// to the signer within the given linkScope.
+// If the signature is a valid unlinkable signature (linkScope == nil),
+// Verify returns an empty but non-nil byte-slice instead of a linkage tag on success.
+// Returns a nil linkage tag and an error if the signature is invalid.
+func Verify(suite Suite, message []byte, anonymitySet Set,
+	linkScope []byte, signatureBuffer []byte) ([]byte, error) {
+
+	n := len(anonymitySet)           // anonymity set size
+	L := []kyber.Point(anonymitySet) // public keys in ring
+
+	// Decode the signature
+	buf := bytes.NewBuffer(signatureBuffer)
+	var linkBase, linkTag kyber.Point
+	sig := lSig{}
+	sig.S = make([]kyber.Scalar, n)
+	if linkScope != nil { // linkable ring signature
+		if err := suite.Read(buf, &sig); err != nil {
+			return nil, err
+		}
+		linkStream := suite.XOF(linkScope)
+		linkBase = suite.Point().Pick(linkStream)
+		linkTag = sig.Tag
+	} else { // unlinkable ring signature
+		if err := suite.Read(buf, &sig.C0); err != nil {
+			return nil, err
+		}
+		if err := suite.Read(buf, &sig.S); err != nil {
+			return nil, err
+		}
+	}
+
+	// Pre-hash the ring-position-invariant parameters to H1.
+	H1pre := signH1pre(suite, linkScope, linkTag, message)
+
+	// Verify the signature
+	var P, PG, PH kyber.Point
+	P = suite.Point()
+	PG = suite.Point()
+	if linkScope != nil {
+		PH = suite.Point()
+	}
+	s := sig.S
+	ci := sig.C0
+	for i := 0; i < n; i++ {
+		PG.Add(PG.Mul(s[i], nil), P.Mul(ci, L[i]))
+		if linkScope != nil {
+			PH.Add(PH.Mul(s[i], linkBase), P.Mul(ci, linkTag))
+		}
+		ci = signH1(suite, H1pre, PG, PH)
+	}
+	if !ci.Equal(sig.C0) {
+		return nil, errors.New("invalid signature")
+	}
+
+	// Return the re-encoded linkage tag, for uniqueness checking
+	if linkScope != nil {
+		tag, _ := linkTag.MarshalBinary()
+		return tag, nil
+	}
+	return []byte{}, nil
+}
diff --git a/kyber/sign/anon/sig_test.go b/kyber/sign/anon/sig_test.go
new file mode 100644
index 0000000000..7b0ffce315
--- /dev/null
+++ b/kyber/sign/anon/sig_test.go
@@ -0,0 +1,313 @@
+package anon
+
+import (
+	"bytes"
+	"encoding/hex"
+	"fmt"
+	"testing"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/util/random"
+	"go.dedis.ch/kyber/v3/xof/blake2xb"
+)
+
+// This example demonstrates signing and signature verification
+// using a trivial "anonymity set" of size 1, i.e., no anonymity.
+// In this special case the signing scheme devolves to
+// producing traditional ElGamal signatures:
+// the resulting signatures are exactly the same length
+// and represent essentially the same computational cost.
+func ExampleSign_one() {
+	// Crypto setup: Get a suite which returns a predictable
+	// random number stream for this example.
+	// In production, simply use edwards25519.NewBlakeSHA256Ed25519()
+	suite := edwards25519.NewBlakeSHA256Ed25519WithRand(blake2xb.New(nil))
+
+	// Create a public/private keypair (X[mine],x)
+	X := make([]kyber.Point, 1)
+	mine := 0                                      // which public key is mine
+	x := suite.Scalar().Pick(suite.RandomStream()) // create a private key x
+	X[mine] = suite.Point().Mul(x, nil)            // corresponding public key X
+
+	// Generate the signature
+	M := []byte("Hello World!") // message we want to sign
+	sig := Sign(suite, M, Set(X), nil, mine, x)
+	fmt.Print("Signature:\n" + hex.Dump(sig))
+
+	// Verify the signature against the correct message
+	tag, err := Verify(suite, M, Set(X), nil, sig)
+	if err != nil {
+		panic(err.Error())
+	}
+	if tag == nil || len(tag) != 0 {
+		panic("Verify returned wrong tag")
+	}
+	fmt.Println("Signature verified against correct message.")
+
+	// Verify the signature against the wrong message
+	BAD := []byte("Goodbye world!")
+	tag, err = Verify(suite, BAD, Set(X), nil, sig)
+	if err == nil || tag != nil {
+		panic("Signature verified against wrong message!?")
+	}
+	fmt.Println("Verifying against wrong message: " + err.Error())
+
+	// Output:
+	// Signature:
+	// 00000000  45 30 41 6a 51 d1 01 cf  7e ee 63 66 1d e9 e3 cf  |E0AjQ...~.cf....|
+	// 00000010  a3 d2 1b 98 fc 46 99 6d  9f 91 cc 65 f4 9d 10 03  |.....F.m...e....|
+	// 00000020  45 a0 e0 5a bc fe 62 62  45 a9 e5 eb 00 e2 6b 66  |E..Z..bbE.....kf|
+	// 00000030  dc aa f0 53 7c 10 3e bf  bd f6 30 8d 2d 2c 5c 0f  |...S|.>...0.-,\.|
+	// Signature verified against correct message.
+	// Verifying against wrong message: invalid signature
+}
+
+// This example demonstrates how to create unlinkable anonymity-set signatures,
+// and to verify them,
+// using a small anonymity set containing three public keys.
+func ExampleSign_anonSet() {
+	// Crypto setup: Get a suite which returns a predictable
+	// random number stream for this example.
+	// In production, simply use edwards25519.NewBlakeSHA256Ed25519()
+	suite := edwards25519.NewBlakeSHA256Ed25519WithRand(blake2xb.New(nil))
+
+	// Create an anonymity set of random "public keys"
+	X := make([]kyber.Point, 3)
+	for i := range X { // pick random points
+		X[i] = suite.Point().Pick(suite.RandomStream())
+	}
+
+	// Make just one of them an actual public/private keypair (X[mine],x)
+	mine := 1                                      // only the signer knows this
+	x := suite.Scalar().Pick(suite.RandomStream()) // create a private key x
+	X[mine] = suite.Point().Mul(x, nil)            // corresponding public key X
+
+	// Generate the signature
+	M := []byte("Hello World!") // message we want to sign
+	sig := Sign(suite, M, Set(X), nil, mine, x)
+	fmt.Print("Signature:\n" + hex.Dump(sig))
+
+	// Verify the signature against the correct message
+	tag, err := Verify(suite, M, Set(X), nil, sig)
+	if err != nil {
+		panic(err.Error())
+	}
+	if tag == nil || len(tag) != 0 {
+		panic("Verify returned wrong tag")
+	}
+	fmt.Println("Signature verified against correct message.")
+
+	// Verify the signature against the wrong message
+	BAD := []byte("Goodbye world!")
+	tag, err = Verify(suite, BAD, Set(X), nil, sig)
+	if err == nil || tag != nil {
+		panic("Signature verified against wrong message!?")
+	}
+	fmt.Println("Verifying against wrong message: " + err.Error())
+
+	// Output:
+	// Signature:
+	// 00000000  dc 43 94 ce 5e c5 ab c1  f8 3e bd e1 30 a8 19 bd  |.C..^....>..0...|
+	// 00000010  13 f7 b4 0d f0 f5 39 40  c3 de 71 26 f9 1c ba 0f  |......9@..q&....|
+	// 00000020  61 f7 23 a0 e6 7c 95 b7  e4 b2 32 55 40 d4 25 87  |a.#..|....2U@.%.|
+	// 00000030  da d4 76 18 01 22 fb c7  93 f7 40 6b d6 e0 e7 0b  |..v.."....@k....|
+	// 00000040  3d a3 1f 32 50 f8 c1 d2  c6 93 f4 19 e0 c7 2a 06  |=..2P.........*.|
+	// 00000050  ef 6f 1c 4d c9 4f 0e db  c8 30 4d 20 94 52 e8 04  |.o.M.O...0M .R..|
+	// 00000060  f4 6d eb 7c 5f 30 09 60  bf c7 37 cd 44 16 fe bb  |.m.|_0.`..7.D...|
+	// 00000070  b6 5a e5 45 b3 6c 7f b1  12 6d 60 b9 9f 60 0e 0c  |.Z.E.l...m`..`..|
+	// Signature verified against correct message.
+	// Verifying against wrong message: invalid signature
+}
+
+// This example demonstrates the creation of linkable anonymity set signatures,
+// and verification, using an anonymity set containing three public keys.
+// We produce four signatures, two from each of two private key-holders,
+// demonstrating how the resulting verifiable tags distinguish
+// signatures by the same key-holder from signatures by different key-holders.
+func ExampleSign_linkable() {
+	// Crypto setup: Get a suite which returns a predictable
+	// random number stream for this example.
+	// In production, simply use edwards25519.NewBlakeSHA256Ed25519()
+	suite := edwards25519.NewBlakeSHA256Ed25519WithRand(blake2xb.New(nil))
+	rand := suite.RandomStream()
+
+	// Create an anonymity set of random "public keys"
+	X := make([]kyber.Point, 3)
+	for i := range X { // pick random points
+		X[i] = suite.Point().Pick(rand)
+	}
+
+	// Make two actual public/private keypairs (X[mine],x)
+	mine1 := 1 // only the signer knows this
+	mine2 := 2
+	x1 := suite.Scalar().Pick(rand) // create a private key x
+	x2 := suite.Scalar().Pick(rand)
+	X[mine1] = suite.Point().Mul(x1, nil) // corresponding public key X
+	X[mine2] = suite.Point().Mul(x2, nil)
+
+	// Generate two signatures using x1 and two using x2
+	M := []byte("Hello World!")     // message we want to sign
+	S := []byte("My Linkage Scope") // scope for linkage tags
+	var sig [4][]byte
+	sig[0] = Sign(suite, M, Set(X), S, mine1, x1)
+	sig[1] = Sign(suite, M, Set(X), S, mine1, x1)
+	sig[2] = Sign(suite, M, Set(X), S, mine2, x2)
+	sig[3] = Sign(suite, M, Set(X), S, mine2, x2)
+	for i := range sig {
+		fmt.Printf("Signature %d:\n%s", i, hex.Dump(sig[i]))
+	}
+
+	// Verify the signatures against the correct message
+	var tag [4][]byte
+	for i := range sig {
+		goodtag, err := Verify(suite, M, Set(X), S, sig[i])
+		if err != nil {
+			panic(err.Error())
+		}
+		tag[i] = goodtag
+		if tag[i] == nil || len(tag[i]) != suite.PointLen() {
+			panic("Verify returned invalid tag")
+		}
+		fmt.Printf("Sig%d tag: %s\n", i,
+			hex.EncodeToString(tag[i]))
+
+		// Verify the signature against the wrong message
+		BAD := []byte("Goodbye world!")
+		badtag, err := Verify(suite, BAD, Set(X), S, sig[i])
+		if err == nil || badtag != nil {
+			panic("Signature verified against wrong message!?")
+		}
+	}
+	if !bytes.Equal(tag[0], tag[1]) || !bytes.Equal(tag[2], tag[3]) ||
+		bytes.Equal(tag[0], tag[2]) {
+		panic("tags aren't coming out right!")
+	}
+
+	// Output:
+	// Signature 0:
+	// 00000000  a2 f1 f3 e3 07 35 6c a9  16 fb 4f c9 a7 35 c7 3b  |.....5l...O..5.;|
+	// 00000010  7f 09 8b 70 45 8d 5f c1  2b 74 22 f2 bf 3d d1 0a  |...pE._.+t"..=..|
+	// 00000020  4b 8b 88 78 28 d6 5f 77  d0 d6 1b 26 47 cb 7a 2e  |K..x(._w...&G.z.|
+	// 00000030  3c f8 8c 4b 8b 39 cd 3e  92 e1 2c 2d ac 7f db 01  |<..K.9.>..,-....|
+	// 00000040  1b 1d c2 e4 1d fd 54 b9  29 b9 f1 ec 9c e1 bc c8  |......T.).......|
+	// 00000050  b5 db c8 9f 71 1c 48 1c  2c 02 b2 14 de e7 b6 08  |....q.H.,.......|
+	// 00000060  61 f7 23 a0 e6 7c 95 b7  e4 b2 32 55 40 d4 25 87  |a.#..|....2U@.%.|
+	// 00000070  da d4 76 18 01 22 fb c7  93 f7 40 6b d6 e0 e7 0b  |..v.."....@k....|
+	// 00000080  da 86 5d 31 13 21 f5 95  70 d8 d7 a1 26 3b 47 dd  |..]1.!..p...&;G.|
+	// 00000090  60 5d c2 1d 38 bf b7 49  e9 47 4a 8d 89 a4 b0 89  |`]..8..I.GJ.....|
+	// Signature 1:
+	// 00000000  14 b6 dd a5 99 0c e7 f7  d5 82 43 d5 45 84 19 7b  |..........C.E..{|
+	// 00000010  db c6 3b f5 ee ce 01 50  17 57 58 21 37 31 25 0d  |..;....P.WX!71%.|
+	// 00000020  81 b1 81 c3 f3 00 f9 0f  9d 58 58 5f 66 f4 52 75  |.........XX_f.Ru|
+	// 00000030  0f bb bc fc 25 58 f7 29  74 8a 57 79 93 75 d9 0b  |....%X.)t.Wy.u..|
+	// 00000040  11 3d 25 cb be 39 0f 88  2c f8 ee 63 93 d8 98 94  |.=%..9..,..c....|
+	// 00000050  1b 85 fd 38 0a 37 87 0b  c1 db a7 53 50 72 98 0c  |...8.7.....SPr..|
+	// 00000060  7f 9a fb 37 f7 64 66 5c  7c b5 1f 2d b1 d5 63 67  |...7.df\|..-..cg|
+	// 00000070  12 1b d4 18 0a 5b 42 b2  c0 9e 3a 42 e2 c2 77 0c  |.....[B...:B..w.|
+	// 00000080  da 86 5d 31 13 21 f5 95  70 d8 d7 a1 26 3b 47 dd  |..]1.!..p...&;G.|
+	// 00000090  60 5d c2 1d 38 bf b7 49  e9 47 4a 8d 89 a4 b0 89  |`]..8..I.GJ.....|
+	// Signature 2:
+	// 00000000  5f 11 1a 2f 10 28 55 d9  e2 be 10 56 7e 57 37 ae  |_../.(U....V~W7.|
+	// 00000010  7a a1 bc ec 87 0f 98 4f  52 cc 70 e6 14 79 8a 01  |z......OR.p..y..|
+	// 00000020  89 f7 f8 b6 91 d1 52 f7  f0 b2 3d 3c 70 f1 95 9e  |......R...=.. .|...R.`.j|
+	// Signature 3:
+	// 00000000  a9 0f 3b 86 6f 4e c6 ea  8d e8 57 2c 1a 20 c6 14  |..;.oN....W,. ..|
+	// 00000010  5e 5b 66 95 0b 41 ce 57  94 a1 f0 36 73 cd c8 04  |^[f..A.W...6s...|
+	// 00000020  ff 47 7b f3 6e ee 9e 1f  bb 0d 96 e7 b8 50 1d 9f  |.G{.n........P..|
+	// 00000030  8f bf ea bc ef f3 d5 d9  9b 05 9b d3 5e c9 41 0e  |............^.A.|
+	// 00000040  d1 e8 a3 f6 7b b4 8e 38  db 73 4a ef ca 9a 68 7b  |....{..8.sJ...h{|
+	// 00000050  c3 d0 2a e3 a9 e5 c1 a3  b7 bb 60 92 75 f1 7e 00  |..*.......`.u.~.|
+	// 00000060  9a bd 63 f7 c0 cf 2d a1  4d 1e 2c 40 ff 11 d6 4f  |..c...-.M.,@...O|
+	// 00000070  c5 a2 70 ab 14 2e 11 ee  24 e6 ca ca 15 e2 f7 0f  |..p.....$.......|
+	// 00000080  49 d9 9a 38 a8 da c4 44  3d 6b 56 70 78 9e f0 01  |I..8...D=kVpx...|
+	// 00000090  c6 da 3e d2 ff 20 b0 7c  0e 88 c6 52 a1 60 f5 6a  |..>.. .|...R.`.j|
+	// Sig0 tag: da865d311321f59570d8d7a1263b47dd605dc21d38bfb749e9474a8d89a4b089
+	// Sig1 tag: da865d311321f59570d8d7a1263b47dd605dc21d38bfb749e9474a8d89a4b089
+	// Sig2 tag: 49d99a38a8dac4443d6b5670789ef001c6da3ed2ff20b07c0e88c652a160f56a
+	// Sig3 tag: 49d99a38a8dac4443d6b5670789ef001c6da3ed2ff20b07c0e88c652a160f56a
+}
+
+var benchMessage = []byte("Hello World!")
+
+var benchPubEd25519, benchPriEd25519 = benchGenKeysEd25519(100)
+var benchSig1Ed25519 = benchGenSigEd25519(1)
+var benchSig10Ed25519 = benchGenSigEd25519(10)
+var benchSig100Ed25519 = benchGenSigEd25519(100)
+
+func benchGenKeys(g kyber.Group,
+	nkeys int) ([]kyber.Point, kyber.Scalar) {
+	rng := random.New()
+
+	// Create an anonymity set of random "public keys"
+	X := make([]kyber.Point, nkeys)
+	for i := range X { // pick random points
+		X[i] = g.Point().Pick(rng)
+	}
+
+	// Make just one of them an actual public/private keypair (X[mine],x)
+	x := g.Scalar().Pick(rng)
+	X[0] = g.Point().Mul(x, nil)
+
+	return X, x
+}
+
+func benchGenKeysEd25519(nkeys int) ([]kyber.Point, kyber.Scalar) {
+	return benchGenKeys(edwards25519.NewBlakeSHA256Ed25519(), nkeys)
+}
+func benchGenSigEd25519(nkeys int) []byte {
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	return Sign(suite, benchMessage,
+		Set(benchPubEd25519[:nkeys]), nil,
+		0, benchPriEd25519)
+}
+
+func benchSign(suite Suite, pub []kyber.Point, pri kyber.Scalar,
+	niter int) {
+	for i := 0; i < niter; i++ {
+		Sign(suite, benchMessage, Set(pub), nil, 0, pri)
+	}
+}
+
+func benchVerify(suite Suite, pub []kyber.Point,
+	sig []byte, niter int) {
+	for i := 0; i < niter; i++ {
+		tag, err := Verify(suite, benchMessage, Set(pub), nil, sig)
+		if tag == nil || err != nil {
+			panic("benchVerify failed")
+		}
+	}
+}
+
+func BenchmarkSign1Ed25519(b *testing.B) {
+	benchSign(edwards25519.NewBlakeSHA256Ed25519(),
+		benchPubEd25519[:1], benchPriEd25519, b.N)
+}
+func BenchmarkSign10Ed25519(b *testing.B) {
+	benchSign(edwards25519.NewBlakeSHA256Ed25519(),
+		benchPubEd25519[:10], benchPriEd25519, b.N)
+}
+func BenchmarkSign100Ed25519(b *testing.B) {
+	benchSign(edwards25519.NewBlakeSHA256Ed25519(),
+		benchPubEd25519[:100], benchPriEd25519, b.N)
+}
+
+func BenchmarkVerify1Ed25519(b *testing.B) {
+	benchVerify(edwards25519.NewBlakeSHA256Ed25519(),
+		benchPubEd25519[:1], benchSig1Ed25519, b.N)
+}
+func BenchmarkVerify10Ed25519(b *testing.B) {
+	benchVerify(edwards25519.NewBlakeSHA256Ed25519(),
+		benchPubEd25519[:10], benchSig10Ed25519, b.N)
+}
+func BenchmarkVerify100Ed25519(b *testing.B) {
+	benchVerify(edwards25519.NewBlakeSHA256Ed25519(),
+		benchPubEd25519[:100], benchSig100Ed25519, b.N)
+}
diff --git a/kyber/sign/anon/suite.go b/kyber/sign/anon/suite.go
new file mode 100644
index 0000000000..b840139413
--- /dev/null
+++ b/kyber/sign/anon/suite.go
@@ -0,0 +1,13 @@
+package anon
+
+import (
+	"go.dedis.ch/kyber/v3"
+)
+
+// Suite represents the set of functionalities needed by the package anon.
+type Suite interface {
+	kyber.Group
+	kyber.Encoding
+	kyber.XOFFactory
+	kyber.Random
+}
diff --git a/kyber/sign/bls/bls.go b/kyber/sign/bls/bls.go
new file mode 100644
index 0000000000..ed03a91b15
--- /dev/null
+++ b/kyber/sign/bls/bls.go
@@ -0,0 +1,138 @@
+// Package bls implements the Boneh-Lynn-Shacham (BLS) signature scheme which
+// was introduced in the paper "Short Signatures from the Weil Pairing". BLS
+// requires pairing-based cryptography.
+package bls
+
+import (
+	"crypto/cipher"
+	"crypto/sha256"
+	"errors"
+	"fmt"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/pairing"
+)
+
+type hashablePoint interface {
+	Hash([]byte) kyber.Point
+}
+
+// NewKeyPair creates a new BLS signing key pair. The private key x is a scalar
+// and the public key X is a point on curve G2.
+func NewKeyPair(suite pairing.Suite, random cipher.Stream) (kyber.Scalar, kyber.Point) {
+	x := suite.G2().Scalar().Pick(random)
+	X := suite.G2().Point().Mul(x, nil)
+	return x, X
+}
+
+// Sign creates a BLS signature S = x * H(m) on a message m using the private
+// key x. The signature S is a point on curve G1.
+func Sign(suite pairing.Suite, x kyber.Scalar, msg []byte) ([]byte, error) {
+	hashable, ok := suite.G1().Point().(hashablePoint)
+	if !ok {
+		return nil, errors.New("point needs to implement hashablePoint")
+	}
+	HM := hashable.Hash(msg)
+	xHM := HM.Mul(x, HM)
+	s, err := xHM.MarshalBinary()
+	if err != nil {
+		return nil, err
+	}
+	return s, nil
+}
+
+// AggregateSignatures combines signatures created using the Sign function
+func AggregateSignatures(suite pairing.Suite, sigs ...[]byte) ([]byte, error) {
+	sig := suite.G1().Point()
+	for _, sigBytes := range sigs {
+		sigToAdd := suite.G1().Point()
+		if err := sigToAdd.UnmarshalBinary(sigBytes); err != nil {
+			return nil, err
+		}
+		sig.Add(sig, sigToAdd)
+	}
+	return sig.MarshalBinary()
+}
+
+// AggregatePublicKeys takes a slice of public G2 points and returns
+// the sum of those points. This is used to verify multisignatures.
+func AggregatePublicKeys(suite pairing.Suite, Xs ...kyber.Point) kyber.Point {
+	aggregated := suite.G2().Point()
+	for _, X := range Xs {
+		aggregated.Add(aggregated, X)
+	}
+	return aggregated
+}
+
+// BatchVerify verifies a large number of publicKey/msg pairings with a single aggregated signature.
+// Since aggregation is generally much faster than verification, this can be a speed enhancement.
+// Benchmarks show a roughly 50% performance increase over individual signature verification
+// Every msg must be unique or there is the possibility to accept an invalid signature
+// see: https://crypto.stackexchange.com/questions/56288/is-bls-signature-scheme-strongly-unforgeable/56290
+// for a description of why each message must be unique.
+func BatchVerify(suite pairing.Suite, publics []kyber.Point, msgs [][]byte, sig []byte) error {
+	if !distinct(msgs) {
+		return fmt.Errorf("bls: error, messages must be distinct")
+	}
+
+	s := suite.G1().Point()
+	if err := s.UnmarshalBinary(sig); err != nil {
+		return err
+	}
+
+	var aggregatedLeft kyber.Point
+	for i := range msgs {
+		hashable, ok := suite.G1().Point().(hashablePoint)
+		if !ok {
+			return errors.New("bls: point needs to implement hashablePoint")
+		}
+		hm := hashable.Hash(msgs[i])
+		pair := suite.Pair(hm, publics[i])
+
+		if i == 0 {
+			aggregatedLeft = pair
+		} else {
+			aggregatedLeft.Add(aggregatedLeft, pair)
+		}
+	}
+
+	right := suite.Pair(s, suite.G2().Point().Base())
+	if !aggregatedLeft.Equal(right) {
+		return errors.New("bls: invalid signature")
+	}
+	return nil
+}
+
+// Verify checks the given BLS signature S on the message m using the public
+// key X by verifying that the equality e(H(m), X) == e(H(m), x*B2) ==
+// e(x*H(m), B2) == e(S, B2) holds where e is the pairing operation and B2 is
+// the base point from curve G2.
+func Verify(suite pairing.Suite, X kyber.Point, msg, sig []byte) error {
+	hashable, ok := suite.G1().Point().(hashablePoint)
+	if !ok {
+		return errors.New("bls: point needs to implement hashablePoint")
+	}
+	HM := hashable.Hash(msg)
+	left := suite.Pair(HM, X)
+	s := suite.G1().Point()
+	if err := s.UnmarshalBinary(sig); err != nil {
+		return err
+	}
+	right := suite.Pair(s, suite.G2().Point().Base())
+	if !left.Equal(right) {
+		return errors.New("bls: invalid signature")
+	}
+	return nil
+}
+
+func distinct(msgs [][]byte) bool {
+	m := make(map[[32]byte]bool)
+	for _, msg := range msgs {
+		h := sha256.Sum256(msg)
+		if m[h] {
+			return false
+		}
+		m[h] = true
+	}
+	return true
+}
diff --git a/kyber/sign/bls/bls_test.go b/kyber/sign/bls/bls_test.go
new file mode 100644
index 0000000000..88ca54c6f0
--- /dev/null
+++ b/kyber/sign/bls/bls_test.go
@@ -0,0 +1,227 @@
+package bls
+
+import (
+	"crypto/rand"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/pairing/bn256"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+func TestBLS(t *testing.T) {
+	msg := []byte("Hello Boneh-Lynn-Shacham")
+	suite := bn256.NewSuite()
+	private, public := NewKeyPair(suite, random.New())
+	sig, err := Sign(suite, private, msg)
+	require.Nil(t, err)
+	err = Verify(suite, public, msg, sig)
+	require.Nil(t, err)
+}
+
+func TestBLSFailSig(t *testing.T) {
+	msg := []byte("Hello Boneh-Lynn-Shacham")
+	suite := bn256.NewSuite()
+	private, public := NewKeyPair(suite, random.New())
+	sig, err := Sign(suite, private, msg)
+	require.Nil(t, err)
+	sig[0] ^= 0x01
+	if Verify(suite, public, msg, sig) == nil {
+		t.Fatal("bls: verification succeeded unexpectedly")
+	}
+}
+
+func TestBLSFailKey(t *testing.T) {
+	msg := []byte("Hello Boneh-Lynn-Shacham")
+	suite := bn256.NewSuite()
+	private, _ := NewKeyPair(suite, random.New())
+	sig, err := Sign(suite, private, msg)
+	require.Nil(t, err)
+	_, public := NewKeyPair(suite, random.New())
+	if Verify(suite, public, msg, sig) == nil {
+		t.Fatal("bls: verification succeeded unexpectedly")
+	}
+}
+
+func TestBLSAggregateSignatures(t *testing.T) {
+	msg := []byte("Hello Boneh-Lynn-Shacham")
+	suite := bn256.NewSuite()
+	private1, public1 := NewKeyPair(suite, random.New())
+	private2, public2 := NewKeyPair(suite, random.New())
+	sig1, err := Sign(suite, private1, msg)
+	require.Nil(t, err)
+	sig2, err := Sign(suite, private2, msg)
+	require.Nil(t, err)
+	aggregatedSig, err := AggregateSignatures(suite, sig1, sig2)
+	require.Nil(t, err)
+
+	aggregatedKey := AggregatePublicKeys(suite, public1, public2)
+
+	err = Verify(suite, aggregatedKey, msg, aggregatedSig)
+	require.Nil(t, err)
+}
+
+func TestBLSFailAggregatedSig(t *testing.T) {
+	msg := []byte("Hello Boneh-Lynn-Shacham")
+	suite := bn256.NewSuite()
+	private1, public1 := NewKeyPair(suite, random.New())
+	private2, public2 := NewKeyPair(suite, random.New())
+	sig1, err := Sign(suite, private1, msg)
+	require.Nil(t, err)
+	sig2, err := Sign(suite, private2, msg)
+	require.Nil(t, err)
+	aggregatedSig, err := AggregateSignatures(suite, sig1, sig2)
+	require.Nil(t, err)
+	aggregatedKey := AggregatePublicKeys(suite, public1, public2)
+
+	aggregatedSig[0] ^= 0x01
+	if Verify(suite, aggregatedKey, msg, aggregatedSig) == nil {
+		t.Fatal("bls: verification succeeded unexpectedly")
+	}
+}
+func TestBLSFailAggregatedKey(t *testing.T) {
+	msg := []byte("Hello Boneh-Lynn-Shacham")
+	suite := bn256.NewSuite()
+	private1, public1 := NewKeyPair(suite, random.New())
+	private2, public2 := NewKeyPair(suite, random.New())
+	_, public3 := NewKeyPair(suite, random.New())
+	sig1, err := Sign(suite, private1, msg)
+	require.Nil(t, err)
+	sig2, err := Sign(suite, private2, msg)
+	require.Nil(t, err)
+	aggregatedSig, err := AggregateSignatures(suite, sig1, sig2)
+	require.Nil(t, err)
+	badAggregatedKey := AggregatePublicKeys(suite, public1, public2, public3)
+
+	if Verify(suite, badAggregatedKey, msg, aggregatedSig) == nil {
+		t.Fatal("bls: verification succeeded unexpectedly")
+	}
+}
+func TestBLSBatchVerify(t *testing.T) {
+	msg1 := []byte("Hello Boneh-Lynn-Shacham")
+	msg2 := []byte("Hello Dedis & Boneh-Lynn-Shacham")
+	suite := bn256.NewSuite()
+	private1, public1 := NewKeyPair(suite, random.New())
+	private2, public2 := NewKeyPair(suite, random.New())
+	sig1, err := Sign(suite, private1, msg1)
+	require.Nil(t, err)
+	sig2, err := Sign(suite, private2, msg2)
+	require.Nil(t, err)
+	aggregatedSig, err := AggregateSignatures(suite, sig1, sig2)
+	require.Nil(t, err)
+
+	err = BatchVerify(suite, []kyber.Point{public1, public2}, [][]byte{msg1, msg2}, aggregatedSig)
+	require.Nil(t, err)
+}
+func TestBLSFailBatchVerify(t *testing.T) {
+	msg1 := []byte("Hello Boneh-Lynn-Shacham")
+	msg2 := []byte("Hello Dedis & Boneh-Lynn-Shacham")
+	suite := bn256.NewSuite()
+	private1, public1 := NewKeyPair(suite, random.New())
+	private2, public2 := NewKeyPair(suite, random.New())
+	sig1, err := Sign(suite, private1, msg1)
+	require.Nil(t, err)
+	sig2, err := Sign(suite, private2, msg2)
+	require.Nil(t, err)
+
+	t.Run("fails with a bad signature", func(t *testing.T) {
+		aggregatedSig, err := AggregateSignatures(suite, sig1, sig2)
+		require.Nil(t, err)
+		msg2[0] ^= 0x01
+		if BatchVerify(suite, []kyber.Point{public1, public2}, [][]byte{msg1, msg2}, aggregatedSig) == nil {
+			t.Fatal("bls: verification succeeded unexpectedly")
+		}
+	})
+
+	t.Run("fails with a duplicate msg", func(t *testing.T) {
+		private3, public3 := NewKeyPair(suite, random.New())
+		sig3, err := Sign(suite, private3, msg1)
+		require.Nil(t, err)
+		aggregatedSig, err := AggregateSignatures(suite, sig1, sig2, sig3)
+		require.Nil(t, err)
+
+		if BatchVerify(suite, []kyber.Point{public1, public2, public3}, [][]byte{msg1, msg2, msg1}, aggregatedSig) == nil {
+			t.Fatal("bls: verification succeeded unexpectedly")
+		}
+	})
+
+}
+
+func BenchmarkBLSKeyCreation(b *testing.B) {
+	suite := bn256.NewSuite()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		NewKeyPair(suite, random.New())
+	}
+}
+
+func BenchmarkBLSSign(b *testing.B) {
+	suite := bn256.NewSuite()
+	private, _ := NewKeyPair(suite, random.New())
+	msg := []byte("Hello many times Boneh-Lynn-Shacham")
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		Sign(suite, private, msg)
+	}
+}
+
+func BenchmarkBLSAggregateSigs(b *testing.B) {
+	suite := bn256.NewSuite()
+	private1, _ := NewKeyPair(suite, random.New())
+	private2, _ := NewKeyPair(suite, random.New())
+	msg := []byte("Hello many times Boneh-Lynn-Shacham")
+	sig1, err := Sign(suite, private1, msg)
+	require.Nil(b, err)
+	sig2, err := Sign(suite, private2, msg)
+	require.Nil(b, err)
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		AggregateSignatures(suite, sig1, sig2)
+	}
+}
+
+func BenchmarkBLSVerifyAggregate(b *testing.B) {
+	suite := bn256.NewSuite()
+	private1, public1 := NewKeyPair(suite, random.New())
+	private2, public2 := NewKeyPair(suite, random.New())
+	msg := []byte("Hello many times Boneh-Lynn-Shacham")
+	sig1, err := Sign(suite, private1, msg)
+	require.Nil(b, err)
+	sig2, err := Sign(suite, private2, msg)
+	require.Nil(b, err)
+	sig, err := AggregateSignatures(suite, sig1, sig2)
+	key := AggregatePublicKeys(suite, public1, public2)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		Verify(suite, key, msg, sig)
+	}
+}
+
+func BenchmarkBLSVerifyBatchVerify(b *testing.B) {
+	suite := bn256.NewSuite()
+
+	numSigs := 100
+	privates := make([]kyber.Scalar, numSigs)
+	publics := make([]kyber.Point, numSigs)
+	msgs := make([][]byte, numSigs)
+	sigs := make([][]byte, numSigs)
+	for i := 0; i < numSigs; i++ {
+		private, public := NewKeyPair(suite, random.New())
+		privates[i] = private
+		publics[i] = public
+		msg := make([]byte, 64, 64)
+		rand.Read(msg)
+		msgs[i] = msg
+		sig, err := Sign(suite, private, msg)
+		require.Nil(b, err)
+		sigs[i] = sig
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		aggregateSig, _ := AggregateSignatures(suite, sigs...)
+		BatchVerify(suite, publics, msgs, aggregateSig)
+	}
+}
diff --git a/kyber/sign/cosi/cosi.go b/kyber/sign/cosi/cosi.go
new file mode 100644
index 0000000000..dbb38e78e3
--- /dev/null
+++ b/kyber/sign/cosi/cosi.go
@@ -0,0 +1,405 @@
+/*
+Package cosi implements the collective signing (CoSi) algorithm as presented in
+the paper "Keeping Authorities 'Honest or Bust' with Decentralized Witness
+Cosigning" by Ewa Syta et al. See https://arxiv.org/abs/1503.08768. This
+package only provides the functionality for the cryptographic operations of
+CoSi. All network-related operations have to be handled elsewhere. Below we
+describe a high-level overview of the CoSi protocol (using a star communication
+topology). We refer to the research paper for further details on communication
+over trees, exception mechanisms and signature verification policies.
+
+The CoSi protocol has four phases executed between a list of participants P
+having a protocol leader (index i = 0) and a list of other nodes (index i > 0).
+The secret key of node i is denoted by a_i and the public key by A_i = [a_i]G
+(where G is the base point of the underlying group and [...] denotes scalar
+multiplication). The aggregate public key is given as A = \sum{i ∈ P}(A_i).
+
+1. Announcement: The leader broadcasts an announcement to the other nodes
+optionally including the message M to be signed. Upon receiving an announcement
+message, a node starts its commitment phase.
+
+2. Commitment: Each node i (including the leader) picks a random scalar v_i,
+computes its commitment V_i = [v_i]G and sends V_i back to the leader. The
+leader waits until it has received enough commitments (according to some
+policy) from the other nodes or a timer has run out. Let P' be the nodes that
+have sent their commitments. The leader computes an aggregate commitment V from
+all commitments he has received, i.e., V = \sum{j ∈ P'}(V_j) and creates a
+participation bitmask Z. The leader then broadcasts V and Z to the other
+participations together with the message M if it was not sent in phase 1. Upon
+receiving a commitment message, a node starts the challenge phase.
+
+3. Challenge: Each node i computes the collective challenge c = H(V || A || M)
+using a cryptographic hash function H (here: SHA512), computes its
+response r_i = v_i + c*a_i and sends it back to the leader.
+
+4. Response: The leader waits until he has received replies from all nodes in
+P' or a timer has run out. If he has not enough replies he aborts. Finally,
+the leader computes the aggregate response r = \sum{j ∈ P'}(r_j) and publishes
+(V,r,Z) as the signature for the message M.
+*/
+package cosi
+
+import (
+	"errors"
+	"fmt"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+// Commit returns a random scalar v, generated from the given suite,
+// and a corresponding commitment V = [v]G. If the given cipher stream is nil,
+// a random stream is used.
+func Commit(suite Suite) (v kyber.Scalar, V kyber.Point) {
+	random := suite.Scalar().Pick(suite.RandomStream())
+	commitment := suite.Point().Mul(random, nil)
+	return random, commitment
+}
+
+// AggregateCommitments returns the sum of the given commitments and the
+// bitwise OR of the corresponding masks.
+func AggregateCommitments(suite Suite, commitments []kyber.Point, masks [][]byte) (sum kyber.Point, commits []byte, err error) {
+	if len(commitments) != len(masks) {
+		return nil, nil, errors.New("mismatching lengths of commitment and mask slices")
+	}
+	aggCom := suite.Point().Null()
+	aggMask := make([]byte, len(masks[0]))
+
+	for i := range commitments {
+		aggCom = suite.Point().Add(aggCom, commitments[i])
+		aggMask, err = AggregateMasks(aggMask, masks[i])
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+	return aggCom, aggMask, nil
+}
+
+// Challenge creates the collective challenge from the given aggregate
+// commitment V, aggregate public key A, and message M, i.e., it returns
+// c = H(V || A || M).
+func Challenge(suite Suite, commitment, public kyber.Point, message []byte) (kyber.Scalar, error) {
+	if commitment == nil {
+		return nil, errors.New("no commitment provided")
+	}
+	if message == nil {
+		return nil, errors.New("no message provided")
+	}
+	hash := suite.Hash()
+	if _, err := commitment.MarshalTo(hash); err != nil {
+		return nil, err
+	}
+	if _, err := public.MarshalTo(hash); err != nil {
+		return nil, err
+	}
+	hash.Write(message)
+	return suite.Scalar().SetBytes(hash.Sum(nil)), nil
+}
+
+// Response creates the response from the given random scalar v, (collective)
+// challenge c, and private key a, i.e., it returns r = v + c*a.
+func Response(suite Suite, private, random, challenge kyber.Scalar) (kyber.Scalar, error) {
+	if private == nil {
+		return nil, errors.New("no private key provided")
+	}
+	if random == nil {
+		return nil, errors.New("no random scalar provided")
+	}
+	if challenge == nil {
+		return nil, errors.New("no challenge provided")
+	}
+	ca := suite.Scalar().Mul(private, challenge)
+	return ca.Add(random, ca), nil
+}
+
+// AggregateResponses returns the sum of given responses.
+func AggregateResponses(suite Suite, responses []kyber.Scalar) (kyber.Scalar, error) {
+	if responses == nil {
+		return nil, errors.New("no responses provided")
+	}
+	r := suite.Scalar().Zero()
+	for i := range responses {
+		r = r.Add(r, responses[i])
+	}
+	return r, nil
+}
+
+// Sign returns the collective signature from the given (aggregate) commitment
+// V, (aggregate) response r, and participation bitmask Z using the EdDSA
+// format, i.e., the signature is V || r || Z.
+func Sign(suite Suite, commitment kyber.Point, response kyber.Scalar, mask *Mask) ([]byte, error) {
+	if commitment == nil {
+		return nil, errors.New("no commitment provided")
+	}
+	if response == nil {
+		return nil, errors.New("no response provided")
+	}
+	if mask == nil {
+		return nil, errors.New("no mask provided")
+	}
+	lenV := suite.PointLen()
+	lenSig := lenV + suite.ScalarLen()
+	VB, err := commitment.MarshalBinary()
+	if err != nil {
+		return nil, errors.New("marshalling of commitment failed")
+	}
+	RB, err := response.MarshalBinary()
+	if err != nil {
+		return nil, errors.New("marshalling of signature failed")
+	}
+	sig := make([]byte, lenSig+mask.Len())
+	copy(sig[:], VB)
+	copy(sig[lenV:lenSig], RB)
+	copy(sig[lenSig:], mask.mask)
+	return sig, nil
+}
+
+// Verify checks the given cosignature on the provided message using the list
+// of public keys and cosigning policy.
+func Verify(suite Suite, publics []kyber.Point, message, sig []byte, policy Policy) error {
+	if publics == nil {
+		return errors.New("no public keys provided")
+	}
+	if message == nil {
+		return errors.New("no message provided")
+	}
+	if sig == nil {
+		return errors.New("no signature provided")
+	}
+	if policy == nil {
+		policy = CompletePolicy{}
+	}
+
+	lenCom := suite.PointLen()
+	if len(sig) < lenCom {
+		return errors.New("signature too short")
+	}
+	VBuff := sig[:lenCom]
+	V := suite.Point()
+	if err := V.UnmarshalBinary(VBuff); err != nil {
+		return errors.New("unmarshalling of commitment failed")
+	}
+
+	// Unpack the aggregate response
+	lenRes := lenCom + suite.ScalarLen()
+	if len(sig) < lenRes {
+		return errors.New("signature too short")
+	}
+	rBuff := sig[lenCom:lenRes]
+	r := suite.Scalar().SetBytes(rBuff)
+
+	// Unpack the participation mask and get the aggregate public key
+	mask, err := NewMask(suite, publics, nil)
+	if err != nil {
+		return err
+	}
+	mask.SetMask(sig[lenRes:])
+	A := mask.AggregatePublic
+	ABuff, err := A.MarshalBinary()
+	if err != nil {
+		return errors.New("marshalling of aggregate public key failed")
+	}
+
+	// Recompute the challenge
+	hash := suite.Hash()
+	hash.Write(VBuff)
+	hash.Write(ABuff)
+	hash.Write(message)
+	buff := hash.Sum(nil)
+	k := suite.Scalar().SetBytes(buff)
+
+	// k * -aggPublic + s * B = k*-A + s*B
+	// from s = k * a + r => s * B = k * a * B + r * B <=> s*B = k*A + r*B
+	// <=> s*B + k*-A = r*B
+	minusPublic := suite.Point().Neg(A)
+	kA := suite.Point().Mul(k, minusPublic)
+	sB := suite.Point().Mul(r, nil)
+	left := suite.Point().Add(kA, sB)
+
+	if !left.Equal(V) {
+		return errors.New("recreated response is different from signature")
+	}
+	if !policy.Check(mask) {
+		return errors.New("the policy is not fulfilled")
+	}
+
+	return nil
+}
+
+// Mask represents a cosigning participation bitmask.
+type Mask struct {
+	mask            []byte
+	publics         []kyber.Point
+	AggregatePublic kyber.Point
+}
+
+// NewMask returns a new participation bitmask for cosigning where all
+// cosigners are disabled by default. If a public key is given it verifies that
+// it is present in the list of keys and sets the corresponding index in the
+// bitmask to 1 (enabled).
+func NewMask(suite Suite, publics []kyber.Point, myKey kyber.Point) (*Mask, error) {
+	m := &Mask{
+		publics: publics,
+	}
+	m.mask = make([]byte, m.Len())
+	m.AggregatePublic = suite.Point().Null()
+	if myKey != nil {
+		found := false
+		for i, key := range publics {
+			if key.Equal(myKey) {
+				m.SetBit(i, true)
+				found = true
+				break
+			}
+		}
+		if !found {
+			return nil, errors.New("key not found")
+		}
+	}
+	return m, nil
+}
+
+// Mask returns a copy of the participation bitmask.
+func (m *Mask) Mask() []byte {
+	clone := make([]byte, len(m.mask))
+	copy(clone[:], m.mask)
+	return clone
+}
+
+// Len returns the mask length in bytes.
+func (m *Mask) Len() int {
+	return (len(m.publics) + 7) >> 3
+}
+
+// SetMask sets the participation bitmask according to the given byte slice
+// interpreted in little-endian order, i.e., bits 0-7 of byte 0 correspond to
+// cosigners 0-7, bits 0-7 of byte 1 correspond to cosigners 8-15, etc.
+func (m *Mask) SetMask(mask []byte) error {
+	if m.Len() != len(mask) {
+		return fmt.Errorf("mismatching mask lengths")
+	}
+	for i := range m.publics {
+		byt := i >> 3
+		msk := byte(1) << uint(i&7)
+		if ((m.mask[byt] & msk) == 0) && ((mask[byt] & msk) != 0) {
+			m.mask[byt] ^= msk // flip bit in mask from 0 to 1
+			m.AggregatePublic.Add(m.AggregatePublic, m.publics[i])
+		}
+		if ((m.mask[byt] & msk) != 0) && ((mask[byt] & msk) == 0) {
+			m.mask[byt] ^= msk // flip bit in mask from 1 to 0
+			m.AggregatePublic.Sub(m.AggregatePublic, m.publics[i])
+		}
+	}
+	return nil
+}
+
+// SetBit enables (enable: true) or disables (enable: false) the bit
+// in the participation mask of the given cosigner.
+func (m *Mask) SetBit(i int, enable bool) error {
+	if i >= len(m.publics) {
+		return errors.New("index out of range")
+	}
+	byt := i >> 3
+	msk := byte(1) << uint(i&7)
+	if ((m.mask[byt] & msk) == 0) && enable {
+		m.mask[byt] ^= msk // flip bit in mask from 0 to 1
+		m.AggregatePublic.Add(m.AggregatePublic, m.publics[i])
+	}
+	if ((m.mask[byt] & msk) != 0) && !enable {
+		m.mask[byt] ^= msk // flip bit in mask from 1 to 0
+		m.AggregatePublic.Sub(m.AggregatePublic, m.publics[i])
+	}
+	return nil
+}
+
+// IndexEnabled checks whether the given index is enabled in the mask or not.
+func (m *Mask) IndexEnabled(i int) (bool, error) {
+	if i >= len(m.publics) {
+		return false, errors.New("index out of range")
+	}
+	byt := i >> 3
+	msk := byte(1) << uint(i&7)
+	return ((m.mask[byt] & msk) != 0), nil
+}
+
+// KeyEnabled checks whether the index, corresponding to the given key, is
+// enabled in the mask or not.
+func (m *Mask) KeyEnabled(public kyber.Point) (bool, error) {
+	for i, key := range m.publics {
+		if key.Equal(public) {
+			return m.IndexEnabled(i)
+		}
+	}
+	return false, errors.New("key not found")
+}
+
+// CountEnabled returns the number of enabled nodes in the CoSi participation
+// mask.
+func (m *Mask) CountEnabled() int {
+	// hw is hamming weight
+	hw := 0
+	for i := range m.publics {
+		byt := i >> 3
+		msk := byte(1) << uint(i&7)
+		if (m.mask[byt] & msk) != 0 {
+			hw++
+		}
+	}
+	return hw
+}
+
+// CountTotal returns the total number of nodes this CoSi instance knows.
+func (m *Mask) CountTotal() int {
+	return len(m.publics)
+}
+
+// AggregateMasks computes the bitwise OR of the two given participation masks.
+func AggregateMasks(a, b []byte) ([]byte, error) {
+	if len(a) != len(b) {
+		return nil, errors.New("mismatching mask lengths")
+	}
+	m := make([]byte, len(a))
+	for i := range m {
+		m[i] = a[i] | b[i]
+	}
+	return m, nil
+}
+
+// Policy represents a fully customizable cosigning policy deciding what
+// cosigner sets are and aren't sufficient for a collective signature to be
+// considered acceptable to a verifier. The Check method may inspect the set of
+// participants that cosigned by invoking cosi.Mask and/or cosi.MaskBit, and may
+// use any other relevant contextual information (e.g., how security-critical
+// the operation relying on the collective signature is) in determining whether
+// the collective signature was produced by an acceptable set of cosigners.
+type Policy interface {
+	Check(m *Mask) bool
+}
+
+// CompletePolicy is the default policy requiring that all participants have
+// cosigned to make a collective signature valid.
+type CompletePolicy struct {
+}
+
+// Check verifies that all participants have contributed to a collective
+// signature.
+func (p CompletePolicy) Check(m *Mask) bool {
+	return m.CountEnabled() == m.CountTotal()
+}
+
+// ThresholdPolicy allows to specify a simple t-of-n policy requring that at
+// least the given threshold number of participants t have cosigned to make a
+// collective signature valid.
+type ThresholdPolicy struct {
+	thold int
+}
+
+// NewThresholdPolicy returns a new ThresholdPolicy with the given threshold.
+func NewThresholdPolicy(thold int) *ThresholdPolicy {
+	return &ThresholdPolicy{thold: thold}
+}
+
+// Check verifies that at least a threshold number of participants have
+// contributed to a collective signature.
+func (p ThresholdPolicy) Check(m *Mask) bool {
+	return m.CountEnabled() >= p.thold
+}
diff --git a/kyber/sign/cosi/cosi_test.go b/kyber/sign/cosi/cosi_test.go
new file mode 100644
index 0000000000..437e11e984
--- /dev/null
+++ b/kyber/sign/cosi/cosi_test.go
@@ -0,0 +1,190 @@
+package cosi
+
+import (
+	"crypto/cipher"
+	"crypto/sha512"
+	"errors"
+	"hash"
+	"testing"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/sign/eddsa"
+	"go.dedis.ch/kyber/v3/util/key"
+	"go.dedis.ch/kyber/v3/xof/blake2xb"
+)
+
+// Specify cipher suite using AES-128, SHA512, and the Edwards25519 curve.
+type cosiSuite struct {
+	Suite
+	r kyber.XOF
+}
+
+func (m *cosiSuite) Hash() hash.Hash {
+	return sha512.New()
+}
+func (m *cosiSuite) RandomStream() cipher.Stream { return m.r }
+
+var testSuite = &cosiSuite{edwards25519.NewBlakeSHA256Ed25519(), blake2xb.New(nil)}
+
+func TestCoSi(t *testing.T) {
+	testCoSi(t, 2, 0)
+	testCoSi(t, 5, 0)
+	testCoSi(t, 5, 2)
+	testCoSi(t, 5, 4)
+}
+
+func testCoSi(t *testing.T, n, f int) {
+	message := []byte("Hello World Cosi")
+
+	// Generate key pairs
+	var kps []*key.Pair
+	var privates []kyber.Scalar
+	var publics []kyber.Point
+	for i := 0; i < n; i++ {
+		kp := key.NewKeyPair(testSuite)
+		kps = append(kps, kp)
+		privates = append(privates, kp.Private)
+		publics = append(publics, kp.Public)
+	}
+
+	// Init masks
+	var masks []*Mask
+	var byteMasks [][]byte
+	for i := 0; i < n-f; i++ {
+		m, err := NewMask(testSuite, publics, publics[i])
+		if err != nil {
+			t.Fatal(err)
+		}
+		masks = append(masks, m)
+		byteMasks = append(byteMasks, masks[i].Mask())
+	}
+
+	// Compute commitments
+	var v []kyber.Scalar // random
+	var V []kyber.Point  // commitment
+	for i := 0; i < n-f; i++ {
+		x, X := Commit(testSuite)
+		v = append(v, x)
+		V = append(V, X)
+	}
+
+	// Aggregate commitments
+	aggV, aggMask, err := AggregateCommitments(testSuite, V, byteMasks)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Set aggregate mask in nodes
+	for i := 0; i < n-f; i++ {
+		masks[i].SetMask(aggMask)
+	}
+
+	// Compute challenge
+	var c []kyber.Scalar
+	for i := 0; i < n-f; i++ {
+		ci, err := Challenge(testSuite, aggV, masks[i].AggregatePublic, message)
+		if err != nil {
+			t.Fatal(err)
+		}
+		c = append(c, ci)
+	}
+
+	// Compute responses
+	var r []kyber.Scalar
+	for i := 0; i < n-f; i++ {
+		ri, _ := Response(testSuite, privates[i], v[i], c[i])
+		r = append(r, ri)
+	}
+
+	// Aggregate responses
+	aggr, err := AggregateResponses(testSuite, r)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for i := 0; i < n-f; i++ {
+		// Sign
+		sig, err := Sign(testSuite, aggV, aggr, masks[i])
+		if err != nil {
+			t.Fatal(err)
+		}
+		// Set policy depending on threshold f and then Verify
+		var p Policy
+		if f == 0 {
+			p = nil
+		} else {
+			p = NewThresholdPolicy(n - f)
+		}
+		// send a short sig in, expect an error
+		if err := Verify(testSuite, publics, message, sig[0:10], p); err == nil {
+			t.Fatal("expected error on short sig")
+		}
+		if err := Verify(testSuite, publics, message, sig, p); err != nil {
+			t.Fatal(err)
+		}
+		// cosi signature should follow the same format as EdDSA except it has no mask
+		maskLen := len(masks[i].Mask())
+		if err := eddsa.Verify(masks[i].AggregatePublic, message, sig[0:len(sig)-maskLen]); err != nil {
+			t.Fatal(err)
+		}
+	}
+}
+
+func TestMask(t *testing.T) {
+	n := 17
+
+	// Generate key pairs
+	var kps []*key.Pair
+	var privates []kyber.Scalar
+	var publics []kyber.Point
+	for i := 0; i < n; i++ {
+		kp := key.NewKeyPair(testSuite)
+		kps = append(kps, kp)
+		privates = append(privates, kp.Private)
+		publics = append(publics, kp.Public)
+	}
+
+	// Init masks and aggregate them
+	var masks []*Mask
+	var aggr []byte
+	for i := 0; i < n; i++ {
+		m, err := NewMask(testSuite, publics, publics[i])
+		if err != nil {
+			t.Fatal(err)
+		}
+		masks = append(masks, m)
+
+		if i == 0 {
+			aggr = masks[i].Mask()
+		} else {
+			aggr, err = AggregateMasks(aggr, masks[i].Mask())
+			if err != nil {
+				t.Fatal(err)
+			}
+		}
+	}
+
+	// Set and check aggregate mask
+	if err := masks[0].SetMask(aggr); err != nil {
+		t.Fatal(err)
+	}
+
+	if masks[0].CountEnabled() != n {
+		t.Fatal(errors.New("unexpected number of active indices"))
+	}
+
+	if _, err := masks[0].KeyEnabled(masks[0].AggregatePublic); err == nil {
+		t.Fatal(err)
+	}
+
+	for i := 0; i < n; i++ {
+		b, err := masks[0].KeyEnabled(publics[i])
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !b {
+			t.Fatal(errors.New("mask bit not properly set"))
+		}
+	}
+}
diff --git a/kyber/sign/cosi/suite.go b/kyber/sign/cosi/suite.go
new file mode 100644
index 0000000000..91529379bf
--- /dev/null
+++ b/kyber/sign/cosi/suite.go
@@ -0,0 +1,10 @@
+package cosi
+
+import "go.dedis.ch/kyber/v3"
+
+// Suite specifies the cryptographic building blocks required for the cosi package.
+type Suite interface {
+	kyber.Group
+	kyber.HashFactory
+	kyber.Random
+}
diff --git a/kyber/sign/dss/dss.go b/kyber/sign/dss/dss.go
new file mode 100644
index 0000000000..4a899d5b7c
--- /dev/null
+++ b/kyber/sign/dss/dss.go
@@ -0,0 +1,245 @@
+// Package dss implements the Distributed Schnorr Signature protocol from the
+// paper "Provably Secure Distributed Schnorr Signatures and a (t, n)
+// Threshold Scheme for Implicit Certificates".
+// https://dl.acm.org/citation.cfm?id=678297
+// To generate a distributed signature from a group of participants, the group
+// must first generate one longterm distributed secret with the share/dkg
+// package, and then one random secret to be used only once.
+// Each participant then creates a DSS struct, that can issue partial signatures
+// with `dss.PartialSignature()`. These partial signatures can be broadcasted to
+// the whole group or to a trusted combiner. Once one has collected enough
+// partial signatures, it is possible to compute the distributed signature with
+// the `Signature` method.
+// The resulting signature is compatible with the EdDSA verification function.
+// against the longterm distributed key.
+package dss
+
+import (
+	"bytes"
+	"crypto/sha512"
+	"errors"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/share"
+	"go.dedis.ch/kyber/v3/sign/eddsa"
+	"go.dedis.ch/kyber/v3/sign/schnorr"
+)
+
+// Suite represents the functionalities needed by the dss package
+type Suite interface {
+	kyber.Group
+	kyber.HashFactory
+	kyber.Random
+}
+
+// DistKeyShare is an abstraction to allow one to use distributed key share
+// from different schemes easily into this distributed threshold Schnorr
+// signature framework.
+type DistKeyShare interface {
+	PriShare() *share.PriShare
+	Commitments() []kyber.Point
+}
+
+// DSS holds the information used to issue partial signatures as well as to
+// compute the distributed schnorr signature.
+type DSS struct {
+	suite        Suite
+	secret       kyber.Scalar
+	public       kyber.Point
+	index        int
+	participants []kyber.Point
+	T            int
+	long         DistKeyShare
+	random       DistKeyShare
+	longPoly     *share.PubPoly
+	randomPoly   *share.PubPoly
+	msg          []byte
+	partials     []*share.PriShare
+	partialsIdx  map[int]bool
+	signed       bool
+	sessionID    []byte
+}
+
+// PartialSig is partial representation of the final distributed signature. It
+// must be sent to each of the other participants.
+type PartialSig struct {
+	Partial   *share.PriShare
+	SessionID []byte
+	Signature []byte
+}
+
+// NewDSS returns a DSS struct out of the suite, the longterm secret of this
+// node, the list of participants, the longterm and random distributed key
+// (generated by the dkg package), the message to sign and finally the T
+// threshold. It returns an error if the public key of the secret can't be found
+// in the list of participants.
+func NewDSS(suite Suite, secret kyber.Scalar, participants []kyber.Point,
+	long, random DistKeyShare, msg []byte, T int) (*DSS, error) {
+	public := suite.Point().Mul(secret, nil)
+	var i int
+	var found bool
+	for j, p := range participants {
+		if p.Equal(public) {
+			found = true
+			i = j
+			break
+		}
+	}
+	if !found {
+		return nil, errors.New("dss: public key not found in list of participants")
+	}
+	return &DSS{
+		suite:        suite,
+		secret:       secret,
+		public:       public,
+		index:        i,
+		participants: participants,
+		long:         long,
+		longPoly:     share.NewPubPoly(suite, suite.Point().Base(), long.Commitments()),
+		random:       random,
+		randomPoly:   share.NewPubPoly(suite, suite.Point().Base(), random.Commitments()),
+		msg:          msg,
+		T:            T,
+		partialsIdx:  make(map[int]bool),
+		sessionID:    sessionID(suite, long, random),
+	}, nil
+}
+
+// PartialSig generates the partial signature related to this DSS. This
+// PartialSig can be broadcasted to every other participant or only to a
+// trusted combiner as described in the paper.
+// The signature format is compatible with EdDSA verification implementations.
+func (d *DSS) PartialSig() (*PartialSig, error) {
+	// following the notations from the paper
+	alpha := d.long.PriShare().V
+	beta := d.random.PriShare().V
+	hash := d.hashSig()
+	right := d.suite.Scalar().Mul(hash, alpha)
+	ps := &PartialSig{
+		Partial: &share.PriShare{
+			V: right.Add(right, beta),
+			I: d.index,
+		},
+		SessionID: d.sessionID,
+	}
+	var err error
+	ps.Signature, err = schnorr.Sign(d.suite, d.secret, ps.Hash(d.suite))
+	if !d.signed {
+		d.partialsIdx[d.index] = true
+		d.partials = append(d.partials, ps.Partial)
+		d.signed = true
+	}
+	return ps, err
+}
+
+// ProcessPartialSig takes a PartialSig from another participant and stores it
+// for generating the distributed signature. It returns an error if the index is
+// wrong, or the signature is invalid or if a partial signature has already been
+// received by the same peer. To know whether the distributed signature can be
+// computed after this call, one can use the `EnoughPartialSigs` method.
+func (d *DSS) ProcessPartialSig(ps *PartialSig) error {
+	public, ok := findPub(d.participants, ps.Partial.I)
+	if !ok {
+		return errors.New("dss: partial signature with invalid index")
+	}
+
+	if err := schnorr.Verify(d.suite, public, ps.Hash(d.suite), ps.Signature); err != nil {
+		return err
+	}
+
+	// nothing secret here
+	if !bytes.Equal(ps.SessionID, d.sessionID) {
+		return errors.New("dss: session id do not match")
+	}
+
+	if _, ok := d.partialsIdx[ps.Partial.I]; ok {
+		return errors.New("dss: partial signature already received from peer")
+	}
+
+	hash := d.hashSig()
+	idx := ps.Partial.I
+	randShare := d.randomPoly.Eval(idx)
+	longShare := d.longPoly.Eval(idx)
+	right := d.suite.Point().Mul(hash, longShare.V)
+	right.Add(randShare.V, right)
+	left := d.suite.Point().Mul(ps.Partial.V, nil)
+	if !left.Equal(right) {
+		return errors.New("dss: partial signature not valid")
+	}
+	d.partialsIdx[ps.Partial.I] = true
+	d.partials = append(d.partials, ps.Partial)
+	return nil
+}
+
+// EnoughPartialSig returns true if there are enough partial signature to compute
+// the distributed signature. It returns false otherwise. If there are enough
+// partial signatures, one can issue the signature with `Signature()`.
+func (d *DSS) EnoughPartialSig() bool {
+	return len(d.partials) >= d.T
+}
+
+// Signature computes the distributed signature from the list of partial
+// signatures received. It returns an error if there are not enough partial
+// signatures. The signature is compatible with the EdDSA verification
+// alrogithm.
+func (d *DSS) Signature() ([]byte, error) {
+	if !d.EnoughPartialSig() {
+		return nil, errors.New("dkg: not enough partial signatures to sign")
+	}
+	gamma, err := share.RecoverSecret(d.suite, d.partials, d.T, len(d.participants))
+	if err != nil {
+		return nil, err
+	}
+	// RandomPublic || gamma
+	var buff bytes.Buffer
+	_, _ = d.random.Commitments()[0].MarshalTo(&buff)
+	_, _ = gamma.MarshalTo(&buff)
+	return buff.Bytes(), nil
+}
+
+func (d *DSS) hashSig() kyber.Scalar {
+	// H(R || A || msg) with
+	//  * R = distributed random "key"
+	//  * A = distributed public key
+	//  * msg = msg to sign
+	h := sha512.New()
+	_, _ = d.random.Commitments()[0].MarshalTo(h)
+	_, _ = d.long.Commitments()[0].MarshalTo(h)
+	_, _ = h.Write(d.msg)
+	return d.suite.Scalar().SetBytes(h.Sum(nil))
+}
+
+// Verify takes a public key, a message and a signature and returns an error if
+// the signature is invalid.
+func Verify(public kyber.Point, msg, sig []byte) error {
+	return eddsa.Verify(public, msg, sig)
+}
+
+// Hash returns the hash representation of this PartialSig to be used in a
+// signature.
+func (ps *PartialSig) Hash(s Suite) []byte {
+	h := s.Hash()
+	_, _ = h.Write(ps.Partial.Hash(s))
+	_, _ = h.Write(ps.SessionID)
+	return h.Sum(nil)
+}
+
+func findPub(list []kyber.Point, i int) (kyber.Point, bool) {
+	if i >= len(list) {
+		return nil, false
+	}
+	return list[i], true
+}
+
+func sessionID(s Suite, a, b DistKeyShare) []byte {
+	h := s.Hash()
+	for _, p := range a.Commitments() {
+		_, _ = p.MarshalTo(h)
+	}
+
+	for _, p := range b.Commitments() {
+		_, _ = p.MarshalTo(h)
+	}
+
+	return h.Sum(nil)
+}
diff --git a/kyber/sign/dss/dss_test.go b/kyber/sign/dss/dss_test.go
new file mode 100644
index 0000000000..4dc891a13b
--- /dev/null
+++ b/kyber/sign/dss/dss_test.go
@@ -0,0 +1,225 @@
+package dss
+
+import (
+	"crypto/rand"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	dkg "go.dedis.ch/kyber/v3/share/dkg/rabin"
+	"go.dedis.ch/kyber/v3/sign/eddsa"
+	"go.dedis.ch/kyber/v3/sign/schnorr"
+)
+
+var suite = edwards25519.NewBlakeSHA256Ed25519()
+
+var nbParticipants = 7
+var t = nbParticipants/2 + 1
+
+var partPubs []kyber.Point
+var partSec []kyber.Scalar
+
+var longterms []*dkg.DistKeyShare
+var randoms []*dkg.DistKeyShare
+
+var dss []*DSS
+
+func init() {
+	partPubs = make([]kyber.Point, nbParticipants)
+	partSec = make([]kyber.Scalar, nbParticipants)
+	for i := 0; i < nbParticipants; i++ {
+		sec, pub := genPair()
+		partPubs[i] = pub
+		partSec[i] = sec
+	}
+	longterms = genDistSecret()
+	randoms = genDistSecret()
+}
+
+func TestDSSNew(t *testing.T) {
+	dss, err := NewDSS(suite, partSec[0], partPubs, longterms[0], randoms[0], []byte("hello"), 4)
+	assert.NotNil(t, dss)
+	assert.Nil(t, err)
+
+	dss, err = NewDSS(suite, suite.Scalar().Zero(), partPubs, longterms[0], randoms[0], []byte("hello"), 4)
+	assert.Nil(t, dss)
+	assert.Error(t, err)
+}
+
+func TestDSSPartialSigs(t *testing.T) {
+	dss0 := getDSS(0)
+	dss1 := getDSS(1)
+	ps0, err := dss0.PartialSig()
+	assert.Nil(t, err)
+	assert.NotNil(t, ps0)
+	assert.Len(t, dss0.partials, 1)
+	// second time should not affect list
+	ps0, err = dss0.PartialSig()
+	assert.Nil(t, err)
+	assert.NotNil(t, ps0)
+	assert.Len(t, dss0.partials, 1)
+
+	// wrong index
+	goodI := ps0.Partial.I
+	ps0.Partial.I = 100
+	assert.Error(t, dss1.ProcessPartialSig(ps0))
+	ps0.Partial.I = goodI
+
+	// wrong Signature
+	goodSig := ps0.Signature
+	ps0.Signature = randomBytes(len(ps0.Signature))
+	assert.Error(t, dss1.ProcessPartialSig(ps0))
+	ps0.Signature = goodSig
+
+	// invalid partial sig
+	goodV := ps0.Partial.V
+	ps0.Partial.V = suite.Scalar().Zero()
+	ps0.Signature, err = schnorr.Sign(suite, dss0.secret, ps0.Hash(suite))
+	require.Nil(t, err)
+	err = dss1.ProcessPartialSig(ps0)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "not valid")
+	ps0.Partial.V = goodV
+	ps0.Signature = goodSig
+
+	// fine
+	err = dss1.ProcessPartialSig(ps0)
+	assert.Nil(t, err)
+
+	// already received
+	assert.Error(t, dss1.ProcessPartialSig(ps0))
+
+	// if not enough partial signatures, can't generate signature
+	buff, err := dss1.Signature()
+	assert.Nil(t, buff)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "not enough")
+
+	// enough partial sigs ?
+	for i := 2; i < nbParticipants; i++ {
+		dss := getDSS(i)
+		ps, err := dss.PartialSig()
+		require.Nil(t, err)
+		require.Nil(t, dss1.ProcessPartialSig(ps))
+	}
+	assert.True(t, dss1.EnoughPartialSig())
+}
+
+func TestDSSSignature(t *testing.T) {
+	dsss := make([]*DSS, nbParticipants)
+	pss := make([]*PartialSig, nbParticipants)
+	for i := 0; i < nbParticipants; i++ {
+		dsss[i] = getDSS(i)
+		ps, err := dsss[i].PartialSig()
+		require.Nil(t, err)
+		require.NotNil(t, ps)
+		pss[i] = ps
+	}
+	for i, dss := range dsss {
+		for j, ps := range pss {
+			if i == j {
+				continue
+			}
+			require.Nil(t, dss.ProcessPartialSig(ps))
+		}
+	}
+	// issue and verify signature
+	dss0 := dsss[0]
+	buff, err := dss0.Signature()
+	assert.NotNil(t, buff)
+	assert.Nil(t, err)
+	err = eddsa.Verify(longterms[0].Public(), dss0.msg, buff)
+	assert.Nil(t, err)
+	assert.Nil(t, Verify(longterms[0].Public(), dss0.msg, buff))
+}
+
+func getDSS(i int) *DSS {
+	dss, err := NewDSS(suite, partSec[i], partPubs, longterms[i], randoms[i], []byte("hello"), t)
+	if dss == nil || err != nil {
+		panic("nil dss")
+	}
+	return dss
+}
+
+func genDistSecret() []*dkg.DistKeyShare {
+	dkgs := make([]*dkg.DistKeyGenerator, nbParticipants)
+	for i := 0; i < nbParticipants; i++ {
+		dkg, err := dkg.NewDistKeyGenerator(suite, partSec[i], partPubs, nbParticipants/2+1)
+		if err != nil {
+			panic(err)
+		}
+		dkgs[i] = dkg
+	}
+	// full secret sharing exchange
+	// 1. broadcast deals
+	resps := make([]*dkg.Response, 0, nbParticipants*nbParticipants)
+	for _, dkg := range dkgs {
+		deals, err := dkg.Deals()
+		if err != nil {
+			panic(err)
+		}
+		for i, d := range deals {
+			resp, err := dkgs[i].ProcessDeal(d)
+			if err != nil {
+				panic(err)
+			}
+			if !resp.Response.Approved {
+				panic("wrong approval")
+			}
+			resps = append(resps, resp)
+		}
+	}
+	// 2. Broadcast responses
+	for _, resp := range resps {
+		for h, dkg := range dkgs {
+			// ignore all messages from ourself
+			if resp.Response.Index == uint32(h) {
+				continue
+			}
+			j, err := dkg.ProcessResponse(resp)
+			if err != nil || j != nil {
+				panic("wrongProcessResponse")
+			}
+		}
+	}
+	// 4. Broadcast secret commitment
+	for i, dkg := range dkgs {
+		scs, err := dkg.SecretCommits()
+		if err != nil {
+			panic("wrong SecretCommits")
+		}
+		for j, dkg2 := range dkgs {
+			if i == j {
+				continue
+			}
+			cc, err := dkg2.ProcessSecretCommits(scs)
+			if err != nil || cc != nil {
+				panic("wrong ProcessSecretCommits")
+			}
+		}
+	}
+
+	// 5. reveal shares
+	dkss := make([]*dkg.DistKeyShare, len(dkgs))
+	for i, dkg := range dkgs {
+		dks, err := dkg.DistKeyShare()
+		if err != nil {
+			panic(err)
+		}
+		dkss[i] = dks
+	}
+	return dkss
+
+}
+func genPair() (kyber.Scalar, kyber.Point) {
+	sc := suite.Scalar().Pick(suite.RandomStream())
+	return sc, suite.Point().Mul(sc, nil)
+}
+
+func randomBytes(n int) []byte {
+	var buff = make([]byte, n)
+	_, _ = rand.Read(buff[:])
+	return buff
+}
diff --git a/kyber/sign/eddsa/eddsa.go b/kyber/sign/eddsa/eddsa.go
new file mode 100644
index 0000000000..cfeeb78fc4
--- /dev/null
+++ b/kyber/sign/eddsa/eddsa.go
@@ -0,0 +1,171 @@
+// Package eddsa implements the EdDSA signature algorithm according to
+// RFC8032.
+package eddsa
+
+import (
+	"crypto/cipher"
+	"crypto/sha512"
+	"errors"
+	"fmt"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+var group = new(edwards25519.Curve)
+
+// EdDSA is a structure holding the data necessary to make a series of
+// EdDSA signatures.
+type EdDSA struct {
+	// Secret being already hashed + bit tweaked
+	Secret kyber.Scalar
+	// Public is the corresponding public key
+	Public kyber.Point
+
+	seed   []byte
+	prefix []byte
+}
+
+// NewEdDSA will return a freshly generated key pair to use for generating
+// EdDSA signatures.
+func NewEdDSA(stream cipher.Stream) *EdDSA {
+	if stream == nil {
+		panic("stream is required")
+	}
+	var buffer [32]byte
+	random.Bytes(buffer[:], stream)
+
+	scalar := hashSeed(buffer[:])
+
+	secret := group.Scalar().SetBytes(scalar[:32])
+	public := group.Point().Mul(secret, nil)
+
+	return &EdDSA{
+		seed:   buffer[:],
+		prefix: scalar[32:],
+		Secret: secret,
+		Public: public,
+	}
+}
+
+// MarshalBinary will return the representation used by the reference
+// implementation of SUPERCOP ref10, which is "seed || Public".
+func (e *EdDSA) MarshalBinary() ([]byte, error) {
+	pBuff, err := e.Public.MarshalBinary()
+	if err != nil {
+		return nil, err
+	}
+
+	eddsa := make([]byte, 64)
+	copy(eddsa, e.seed)
+	copy(eddsa[32:], pBuff)
+	return eddsa, nil
+}
+
+// UnmarshalBinary transforms a slice of bytes into a EdDSA signature.
+func (e *EdDSA) UnmarshalBinary(buff []byte) error {
+	if len(buff) != 64 {
+		return errors.New("wrong length for decoding EdDSA private")
+	}
+
+	e.seed = buff[:32]
+	scalar := hashSeed(e.seed)
+	e.prefix = scalar[32:]
+	e.Secret = group.Scalar().SetBytes(scalar[:32])
+	e.Public = group.Point().Mul(e.Secret, nil)
+	return nil
+}
+
+// Sign will return a EdDSA signature of the message msg using Ed25519.
+func (e *EdDSA) Sign(msg []byte) ([]byte, error) {
+	hash := sha512.New()
+	_, _ = hash.Write(e.prefix)
+	_, _ = hash.Write(msg)
+
+	// deterministic random secret and its commit
+	r := group.Scalar().SetBytes(hash.Sum(nil))
+	R := group.Point().Mul(r, nil)
+
+	// challenge
+	// H( R || Public || Msg)
+	hash.Reset()
+	Rbuff, err := R.MarshalBinary()
+	if err != nil {
+		return nil, err
+	}
+	Abuff, err := e.Public.MarshalBinary()
+	if err != nil {
+		return nil, err
+	}
+
+	_, _ = hash.Write(Rbuff)
+	_, _ = hash.Write(Abuff)
+	_, _ = hash.Write(msg)
+
+	h := group.Scalar().SetBytes(hash.Sum(nil))
+
+	// response
+	// s = r + h * s
+	s := group.Scalar().Mul(e.Secret, h)
+	s.Add(r, s)
+
+	sBuff, err := s.MarshalBinary()
+	if err != nil {
+		return nil, err
+	}
+
+	// return R || s
+	var sig [64]byte
+	copy(sig[:], Rbuff)
+	copy(sig[32:], sBuff)
+
+	return sig[:], nil
+}
+
+// Verify uses a public key, a message and a signature. It will return nil if
+// sig is a valid signature for msg created by key public, or an error otherwise.
+func Verify(public kyber.Point, msg, sig []byte) error {
+	if len(sig) != 64 {
+		return fmt.Errorf("signature length invalid, expect 64 but got %v", len(sig))
+	}
+
+	R := group.Point()
+	if err := R.UnmarshalBinary(sig[:32]); err != nil {
+		return fmt.Errorf("got R invalid point: %s", err)
+	}
+
+	s := group.Scalar()
+	if err := s.UnmarshalBinary(sig[32:]); err != nil {
+		return fmt.Errorf("schnorr: s invalid scalar %s", err)
+	}
+
+	// reconstruct h = H(R || Public || Msg)
+	Pbuff, err := public.MarshalBinary()
+	if err != nil {
+		return err
+	}
+	hash := sha512.New()
+	_, _ = hash.Write(sig[:32])
+	_, _ = hash.Write(Pbuff)
+	_, _ = hash.Write(msg)
+
+	h := group.Scalar().SetBytes(hash.Sum(nil))
+	// reconstruct S == k*A + R
+	S := group.Point().Mul(s, nil)
+	hA := group.Point().Mul(h, public)
+	RhA := group.Point().Add(R, hA)
+
+	if !RhA.Equal(S) {
+		return errors.New("reconstructed S is not equal to signature")
+	}
+	return nil
+}
+
+func hashSeed(seed []byte) (hash [64]byte) {
+	hash = sha512.Sum512(seed)
+	hash[0] &= 0xf8
+	hash[31] &= 0x3f
+	hash[31] |= 0x40
+	return
+}
diff --git a/kyber/sign/eddsa/eddsa_test.go b/kyber/sign/eddsa/eddsa_test.go
new file mode 100644
index 0000000000..bacf2c68f9
--- /dev/null
+++ b/kyber/sign/eddsa/eddsa_test.go
@@ -0,0 +1,181 @@
+package eddsa
+
+import (
+	"bufio"
+	"bytes"
+	"compress/gzip"
+	"crypto/cipher"
+	"encoding/hex"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// EdDSATestVectors taken from RFC8032 section 7.1
+var EdDSATestVectors = []struct {
+	private   string
+	public    string
+	message   string
+	signature string
+}{
+	{"9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
+		"d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
+		"",
+		"e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b"},
+	{"4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
+		"3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
+		"72",
+		"92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00"},
+	{"c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7",
+		"fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025",
+		"af82",
+		"6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a"},
+	{"f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5",
+		"278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
+		"08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0",
+		"0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03"},
+	{"833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42",
+		"ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf",
+		"ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f",
+		"dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704"},
+}
+
+// Tests if marshalling and unmarshalling an EdDSA signature gives us the same
+// signature
+func TestEdDSAMarshalling(t *testing.T) {
+	for _, vec := range EdDSATestVectors {
+		seed, err := hex.DecodeString(vec.private)
+		assert.Nil(t, err)
+
+		stream := ConstantStream(seed)
+		edDSA := NewEdDSA(stream)
+		marshalled, err := edDSA.MarshalBinary()
+		assert.Nil(t, err)
+		assert.NotNil(t, marshalled)
+
+		unmarshalled := &EdDSA{}
+		err = unmarshalled.UnmarshalBinary(marshalled)
+		assert.Nil(t, err)
+		assert.Equal(t, edDSA, unmarshalled)
+	}
+}
+
+// Comparing our implementation with the test vectors of the RFC
+func TestEdDSASigning(t *testing.T) {
+	for i, vec := range EdDSATestVectors {
+		seed, err := hex.DecodeString(vec.private)
+		assert.Nil(t, err)
+		if len(vec.private) != 64 || len(seed) != 32 {
+			t.Fatal("len vec.private")
+		}
+
+		stream := ConstantStream(seed)
+
+		ed := NewEdDSA(stream)
+
+		data, _ := ed.Public.MarshalBinary()
+		if hex.EncodeToString(data) != vec.public {
+			t.Error("Public not equal")
+		}
+		if len(vec.public) != 64 {
+			t.Fatal("len vec.private")
+		}
+
+		msg, _ := hex.DecodeString(vec.message)
+
+		sig, err := ed.Sign(msg)
+		assert.Nil(t, err)
+
+		if hex.EncodeToString(sig) != vec.signature {
+			t.Error("Test", i, "Signature wrong", hex.EncodeToString(sig), vec.signature)
+		}
+		assert.Nil(t, Verify(ed.Public, msg, sig))
+	}
+}
+
+type constantStream struct {
+	seed []byte
+}
+
+// ConstantStream is a cipher.Stream which always returns
+// the same value.
+func ConstantStream(buff []byte) cipher.Stream {
+	return &constantStream{buff}
+}
+
+// XORKexStream implements the cipher.Stream interface
+func (cs *constantStream) XORKeyStream(dst, src []byte) {
+	copy(dst, cs.seed)
+}
+
+// Adapted from golang.org/x/crypto/ed25519.
+func TestGolden(t *testing.T) {
+	// sign.input.gz is a selection of test cases from
+	// https://ed25519.cr.yp.to/python/sign.input
+	testDataZ, err := os.Open("testdata/sign.input.gz")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer testDataZ.Close()
+	testData, err := gzip.NewReader(testDataZ)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer testData.Close()
+
+	scanner := bufio.NewScanner(testData)
+	lineNo := 0
+
+	const SignatureSize = 64
+	const PublicKeySize = 32
+	const PrivateKeySize = 32
+
+	for scanner.Scan() {
+		lineNo++
+
+		line := scanner.Text()
+		parts := strings.Split(line, ":")
+		if len(parts) != 5 {
+			t.Fatalf("bad number of parts on line %d", lineNo)
+		}
+
+		privBytes, _ := hex.DecodeString(parts[0])
+		pubKey, _ := hex.DecodeString(parts[1])
+		msg, _ := hex.DecodeString(parts[2])
+		sig, _ := hex.DecodeString(parts[3])
+		// The signatures in the test vectors also include the message
+		// at the end, but we just want R and S.
+		sig = sig[:SignatureSize]
+
+		if l := len(pubKey); l != PublicKeySize {
+			t.Fatalf("bad public key length on line %d: got %d bytes", lineNo, l)
+		}
+
+		var priv [PrivateKeySize]byte
+		copy(priv[:], privBytes)
+		copy(priv[32:], pubKey)
+
+		stream := ConstantStream(privBytes)
+		ed := NewEdDSA(stream)
+
+		data, _ := ed.Public.MarshalBinary()
+		if !bytes.Equal(data, pubKey) {
+			t.Error("Public not equal")
+		}
+
+		sig2, err := ed.Sign(msg)
+		assert.Nil(t, err)
+
+		if !bytes.Equal(sig, sig2[:]) {
+			t.Errorf("different signature result on line %d: %x vs %x", lineNo, sig, sig2)
+		}
+
+		assert.Nil(t, Verify(ed.Public, msg, sig2))
+	}
+
+	if err := scanner.Err(); err != nil {
+		t.Fatalf("error reading test data: %s", err)
+	}
+}
diff --git a/kyber/sign/eddsa/testdata/sign.input.gz b/kyber/sign/eddsa/testdata/sign.input.gz
new file mode 100644
index 0000000000..6c30678638
Binary files /dev/null and b/kyber/sign/eddsa/testdata/sign.input.gz differ
diff --git a/kyber/sign/schnorr/schnorr.go b/kyber/sign/schnorr/schnorr.go
new file mode 100644
index 0000000000..def76095b1
--- /dev/null
+++ b/kyber/sign/schnorr/schnorr.go
@@ -0,0 +1,108 @@
+/*
+Package schnorr implements the vanilla Schnorr signature scheme.
+See https://en.wikipedia.org/wiki/Schnorr_signature.
+
+The only difference regarding the vanilla reference is the computation of
+the response. This implementation adds the random component with the
+challenge times private key while the Wikipedia article substracts them.
+
+The resulting signature is compatible with EdDSA verification algorithm
+when using the edwards25519 group, and by extension the CoSi verification algorithm.
+*/
+package schnorr
+
+import (
+	"bytes"
+	"crypto/sha512"
+	"errors"
+	"fmt"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+// Suite represents the set of functionalities needed by the package schnorr.
+type Suite interface {
+	kyber.Group
+	kyber.Random
+}
+
+// Sign creates a Sign signature from a msg and a private key. This
+// signature can be verified with VerifySchnorr. It's also a valid EdDSA
+// signature when using the edwards25519 Group.
+func Sign(s Suite, private kyber.Scalar, msg []byte) ([]byte, error) {
+	var g kyber.Group = s
+	// create random secret k and public point commitment R
+	k := g.Scalar().Pick(s.RandomStream())
+	R := g.Point().Mul(k, nil)
+
+	// create hash(public || R || message)
+	public := g.Point().Mul(private, nil)
+	h, err := hash(g, public, R, msg)
+	if err != nil {
+		return nil, err
+	}
+
+	// compute response s = k + x*h
+	xh := g.Scalar().Mul(private, h)
+	S := g.Scalar().Add(k, xh)
+
+	// return R || s
+	var b bytes.Buffer
+	if _, err := R.MarshalTo(&b); err != nil {
+		return nil, err
+	}
+	if _, err := S.MarshalTo(&b); err != nil {
+		return nil, err
+	}
+	return b.Bytes(), nil
+}
+
+// Verify verifies a given Schnorr signature. It returns nil iff the
+// given signature is valid.
+func Verify(g kyber.Group, public kyber.Point, msg, sig []byte) error {
+	R := g.Point()
+	s := g.Scalar()
+	pointSize := R.MarshalSize()
+	scalarSize := s.MarshalSize()
+	sigSize := scalarSize + pointSize
+	if len(sig) != sigSize {
+		return fmt.Errorf("schnorr: signature of invalid length %d instead of %d", len(sig), sigSize)
+	}
+	if err := R.UnmarshalBinary(sig[:pointSize]); err != nil {
+		return err
+	}
+	if err := s.UnmarshalBinary(sig[pointSize:]); err != nil {
+		return err
+	}
+	// recompute hash(public || R || msg)
+	h, err := hash(g, public, R, msg)
+	if err != nil {
+		return err
+	}
+
+	// compute S = g^s
+	S := g.Point().Mul(s, nil)
+	// compute RAh = R + A^h
+	Ah := g.Point().Mul(h, public)
+	RAs := g.Point().Add(R, Ah)
+
+	if !S.Equal(RAs) {
+		return errors.New("schnorr: invalid signature")
+	}
+
+	return nil
+}
+
+func hash(g kyber.Group, public, r kyber.Point, msg []byte) (kyber.Scalar, error) {
+	h := sha512.New()
+	if _, err := r.MarshalTo(h); err != nil {
+		return nil, err
+	}
+	if _, err := public.MarshalTo(h); err != nil {
+		return nil, err
+	}
+	if _, err := h.Write(msg); err != nil {
+		return nil, err
+	}
+	return g.Scalar().SetBytes(h.Sum(nil)), nil
+}
diff --git a/kyber/sign/schnorr/schnorr_test.go b/kyber/sign/schnorr/schnorr_test.go
new file mode 100644
index 0000000000..43d9855bac
--- /dev/null
+++ b/kyber/sign/schnorr/schnorr_test.go
@@ -0,0 +1,98 @@
+package schnorr
+
+import (
+	"math/rand"
+	"reflect"
+	"testing"
+	"testing/quick"
+
+	"github.com/stretchr/testify/assert"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/sign/eddsa"
+	"go.dedis.ch/kyber/v3/util/key"
+)
+
+func TestSchnorrSignature(t *testing.T) {
+	msg := []byte("Hello Schnorr")
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	kp := key.NewKeyPair(suite)
+
+	s, err := Sign(suite, kp.Private, msg)
+	if err != nil {
+		t.Fatalf("Couldn't sign msg: %s: %v", msg, err)
+	}
+	err = Verify(suite, kp.Public, msg, s)
+	if err != nil {
+		t.Fatalf("Couldn't verify signature: \n%+v\nfor msg:'%s'. Error:\n%v", s, msg, err)
+	}
+
+	// wrong size
+	larger := append(s, []byte{0x01, 0x02}...)
+	assert.Error(t, Verify(suite, kp.Public, msg, larger))
+
+	// wrong challenge
+	wrongEncoding := []byte{243, 45, 180, 140, 73, 23, 41, 212, 250, 87, 157, 243,
+		242, 19, 114, 161, 145, 47, 76, 26, 174, 150, 22, 177, 78, 79, 122, 30, 74,
+		42, 156, 203}
+	wrChall := make([]byte, len(s))
+	copy(wrChall[:32], wrongEncoding)
+	copy(wrChall[32:], s[32:])
+	assert.Error(t, Verify(suite, kp.Public, msg, wrChall))
+
+	// wrong response
+	wrResp := make([]byte, len(s))
+	copy(wrResp[32:], wrongEncoding)
+	copy(wrResp[:32], s[:32])
+	assert.Error(t, Verify(suite, kp.Public, msg, wrResp))
+
+	// wrong public key
+	wrKp := key.NewKeyPair(suite)
+	assert.Error(t, Verify(suite, wrKp.Public, msg, s))
+}
+
+func TestEdDSACompatibility(t *testing.T) {
+	msg := []byte("Hello Schnorr")
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	kp := key.NewKeyPair(suite)
+
+	s, err := Sign(suite, kp.Private, msg)
+	if err != nil {
+		t.Fatalf("Couldn't sign msg: %s: %v", msg, err)
+	}
+	err = eddsa.Verify(kp.Public, msg, s)
+	if err != nil {
+		t.Fatalf("Couldn't verify signature: \n%+v\nfor msg:'%s'. Error:\n%v", s, msg, err)
+	}
+
+}
+
+// Simple random stream using the random instance provided by the testing tool
+type quickstream struct {
+	rand *rand.Rand
+}
+
+func (s *quickstream) XORKeyStream(dst, src []byte) {
+	s.rand.Read(dst)
+}
+
+func (s *quickstream) Generate(rand *rand.Rand, size int) reflect.Value {
+	return reflect.ValueOf(&quickstream{rand: rand})
+}
+
+func TestQuickSchnorrSignature(t *testing.T) {
+	f := func(rand *quickstream, msg []byte) bool {
+		suite := edwards25519.NewBlakeSHA256Ed25519WithRand(rand)
+		kp := key.NewKeyPair(suite)
+
+		s, err := Sign(suite, kp.Private, msg)
+		if err != nil {
+			return false
+		}
+
+		return Verify(suite, kp.Public, msg, s) == nil
+	}
+
+	if err := quick.Check(f, nil); err != nil {
+		t.Error(err)
+	}
+}
diff --git a/kyber/sign/tbls/tbls.go b/kyber/sign/tbls/tbls.go
new file mode 100644
index 0000000000..8d12511e31
--- /dev/null
+++ b/kyber/sign/tbls/tbls.go
@@ -0,0 +1,107 @@
+// Package tbls implements the (t,n)-threshold Boneh-Lynn-Shacham signature
+// scheme. During setup a group of n participants runs a distributed key
+// generation algorithm (see kyber/share/dkg) to compute a joint public signing
+// key X and one secret key share xi for each of the n signers. To compute a
+// signature S on a message m, at least t ouf of n signers have to provide
+// partial (BLS) signatures Si on m using their individual key shares xi which
+// can then be used to recover the full (regular) BLS signature S via Lagrange
+// interpolation. The signature S can be verified with the initially
+// established group key X. Signatures are points on curve G1 and public keys
+// are points on curve G2.
+package tbls
+
+import (
+	"bytes"
+	"encoding/binary"
+
+	"go.dedis.ch/kyber/v3/pairing"
+	"go.dedis.ch/kyber/v3/share"
+	"go.dedis.ch/kyber/v3/sign/bls"
+)
+
+// SigShare encodes a threshold BLS signature share Si = i || v where the 2-byte
+// big-endian value i corresponds to the share's index and v represents the
+// share's value. The signature share Si is a point on curve G1.
+type SigShare []byte
+
+// Index returns the index i of the TBLS share Si.
+func (s SigShare) Index() (int, error) {
+	var index uint16
+	buf := bytes.NewReader(s)
+	err := binary.Read(buf, binary.BigEndian, &index)
+	if err != nil {
+		return -1, err
+	}
+	return int(index), nil
+}
+
+// Value returns the value v of the TBLS share Si.
+func (s *SigShare) Value() []byte {
+	return []byte(*s)[2:]
+}
+
+// Sign creates a threshold BLS signature Si = xi * H(m) on the given message m
+// using the provided secret key share xi.
+func Sign(suite pairing.Suite, private *share.PriShare, msg []byte) ([]byte, error) {
+	buf := new(bytes.Buffer)
+	if err := binary.Write(buf, binary.BigEndian, uint16(private.I)); err != nil {
+		return nil, err
+	}
+	s, err := bls.Sign(suite, private.V, msg)
+	if err != nil {
+		return nil, err
+	}
+	if err := binary.Write(buf, binary.BigEndian, s); err != nil {
+		return nil, err
+	}
+	return buf.Bytes(), nil
+}
+
+// Verify checks the given threshold BLS signature Si on the message m using
+// the public key share Xi that is associated to the secret key share xi. This
+// public key share Xi can be computed by evaluating the public sharing
+// polynonmial at the share's index i.
+func Verify(suite pairing.Suite, public *share.PubPoly, msg, sig []byte) error {
+	s := SigShare(sig)
+	i, err := s.Index()
+	if err != nil {
+		return err
+	}
+	return bls.Verify(suite, public.Eval(i).V, msg, s.Value())
+}
+
+// Recover reconstructs the full BLS signature S = x * H(m) from a threshold t
+// of signature shares Si using Lagrange interpolation. The full signature S
+// can be verified through the regular BLS verification routine using the
+// shared public key X. The shared public key can be computed by evaluating the
+// public sharing polynomial at index 0.
+func Recover(suite pairing.Suite, public *share.PubPoly, msg []byte, sigs [][]byte, t, n int) ([]byte, error) {
+	pubShares := make([]*share.PubShare, 0)
+	for _, sig := range sigs {
+		s := SigShare(sig)
+		i, err := s.Index()
+		if err != nil {
+			return nil, err
+		}
+		if err = bls.Verify(suite, public.Eval(i).V, msg, s.Value()); err != nil {
+			return nil, err
+		}
+		point := suite.G1().Point()
+		if err := point.UnmarshalBinary(s.Value()); err != nil {
+			return nil, err
+		}
+		pubShares = append(pubShares, &share.PubShare{I: i, V: point})
+		if len(pubShares) >= t {
+			break
+		}
+	}
+	commit, err := share.RecoverCommit(suite.G1(), pubShares, t, n)
+	if err != nil {
+		return nil, err
+	}
+	sig, err := commit.MarshalBinary()
+	if err != nil {
+		return nil, err
+	}
+	return sig, nil
+}
diff --git a/kyber/sign/tbls/tbls_test.go b/kyber/sign/tbls/tbls_test.go
new file mode 100644
index 0000000000..5254bb7f6a
--- /dev/null
+++ b/kyber/sign/tbls/tbls_test.go
@@ -0,0 +1,31 @@
+package tbls
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3/pairing/bn256"
+	"go.dedis.ch/kyber/v3/share"
+	"go.dedis.ch/kyber/v3/sign/bls"
+)
+
+func TestTBLS(test *testing.T) {
+	var err error
+	msg := []byte("Hello threshold Boneh-Lynn-Shacham")
+	suite := bn256.NewSuite()
+	n := 10
+	t := n/2 + 1
+	secret := suite.G1().Scalar().Pick(suite.RandomStream())
+	priPoly := share.NewPriPoly(suite.G2(), t, secret, suite.RandomStream())
+	pubPoly := priPoly.Commit(suite.G2().Point().Base())
+	sigShares := make([][]byte, 0)
+	for _, x := range priPoly.Shares(n) {
+		sig, err := Sign(suite, x, msg)
+		require.Nil(test, err)
+		sigShares = append(sigShares, sig)
+	}
+	sig, err := Recover(suite, pubPoly, msg, sigShares, t, n)
+	require.Nil(test, err)
+	err = bls.Verify(suite, pubPoly.Commit(), msg, sig)
+	require.Nil(test, err)
+}
diff --git a/kyber/suites/all.go b/kyber/suites/all.go
new file mode 100644
index 0000000000..616235d3ed
--- /dev/null
+++ b/kyber/suites/all.go
@@ -0,0 +1,22 @@
+package suites
+
+import (
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+	"go.dedis.ch/kyber/v3/group/nist"
+	"go.dedis.ch/kyber/v3/pairing"
+	"go.dedis.ch/kyber/v3/pairing/bn256"
+)
+
+func init() {
+	// Those are variable time suites that shouldn't be used
+	// in production environment when possible
+	register(nist.NewBlakeSHA256P256())
+	register(nist.NewBlakeSHA256QR512())
+	register(bn256.NewSuiteG1())
+	register(bn256.NewSuiteG2())
+	register(bn256.NewSuiteGT())
+	register(pairing.NewSuiteBn256())
+	// This is a constant time implementation that should be
+	// used as much as possible
+	register(edwards25519.NewBlakeSHA256Ed25519())
+}
diff --git a/kyber/suites/suites.go b/kyber/suites/suites.go
new file mode 100644
index 0000000000..ab95395c46
--- /dev/null
+++ b/kyber/suites/suites.go
@@ -0,0 +1,67 @@
+// Package suites allows callers to look up Kyber suites by name.
+//
+// Currently, only the "ed25519" suite is available with a constant
+// time implementation and the other ones use variable time algorithms.
+package suites
+
+import (
+	"errors"
+	"strings"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+// Suite is the sum of all suites mix-ins in Kyber.
+type Suite interface {
+	kyber.Encoding
+	kyber.Group
+	kyber.HashFactory
+	kyber.XOFFactory
+	kyber.Random
+}
+
+var suites = map[string]Suite{}
+
+var requireConstTime = false
+
+// register is called by suites to make themselves known to Kyber.
+//
+func register(s Suite) {
+	suites[strings.ToLower(s.String())] = s
+}
+
+// ErrUnknownSuite indicates that the suite was not one of the
+// registered suites.
+var ErrUnknownSuite = errors.New("unknown suite")
+
+// Find looks up a suite by name.
+func Find(name string) (Suite, error) {
+	if s, ok := suites[strings.ToLower(name)]; ok {
+		if requireConstTime && strings.ToLower(s.String()) != "ed25519" {
+			return nil, errors.New("requested suite exists but is not implemented with constant time algorithms as required by suites.RequireConstantTime")
+		}
+		return s, nil
+	}
+	return nil, ErrUnknownSuite
+}
+
+// MustFind looks up a suite by name and panics if it is not found.
+func MustFind(name string) Suite {
+	s, err := Find(name)
+	if err != nil {
+		panic("Suite " + name + " not found.")
+	}
+	return s
+}
+
+// RequireConstantTime causes all future calls to Find and MustFind to only
+// search for suites where the implementation is constant time.
+// It should be called in an init() function for the main package
+// of users of Kyber who need to be sure to avoid variable time implementations.
+// Once constant time implementations are required, there is no way to
+// turn it back off (by design).
+//
+// At this time, the only constant time crypto suite is "Ed25519".
+func RequireConstantTime() {
+	requireConstTime = true
+}
diff --git a/kyber/suites/suites_test.go b/kyber/suites/suites_test.go
new file mode 100644
index 0000000000..3027a92f22
--- /dev/null
+++ b/kyber/suites/suites_test.go
@@ -0,0 +1,40 @@
+package suites
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSuites_Find(t *testing.T) {
+	ss := []string{
+		"ed25519",
+		"bn256.G1",
+		"bn256.G2",
+		"bn256.GT",
+		"P256",
+		"Residue512",
+	}
+
+	for _, name := range ss {
+		s, err := Find(name)
+		require.NotNil(t, s, "missing "+name)
+		require.NoError(t, err)
+
+		s = MustFind(name)
+		require.NotNil(t, s, "missing "+name)
+	}
+}
+
+func TestSuites_ConstTime(t *testing.T) {
+	RequireConstantTime()
+	defer func() { requireConstTime = false }()
+
+	s, err := Find("bn256.G1")
+	require.Error(t, err)
+	require.Nil(t, s)
+
+	s, err = Find("ed25519")
+	require.NoError(t, err)
+	require.NotNil(t, s)
+}
diff --git a/kyber/util/encoding/encoding.go b/kyber/util/encoding/encoding.go
new file mode 100644
index 0000000000..f1f86b6d15
--- /dev/null
+++ b/kyber/util/encoding/encoding.go
@@ -0,0 +1,96 @@
+// Package encoding package provides helper functions to encode/decode a Point/Scalar in
+// hexadecimal.
+package encoding
+
+import (
+	"encoding/hex"
+	"errors"
+	"io"
+	"strings"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+// ReadHexPoint reads a point from r in hex representation.
+func ReadHexPoint(group kyber.Group, r io.Reader) (kyber.Point, error) {
+	point := group.Point()
+	buf, err := getHex(r, point.MarshalSize())
+	if err != nil {
+		return nil, err
+	}
+	err = point.UnmarshalBinary(buf)
+	return point, err
+}
+
+// WriteHexPoint writes a point in hex representation to w.
+func WriteHexPoint(group kyber.Group, w io.Writer, point kyber.Point) error {
+	buf, err := point.MarshalBinary()
+	if err != nil {
+		return err
+	}
+	out := hex.EncodeToString(buf)
+	_, err = w.Write([]byte(out))
+	return err
+}
+
+// ReadHexScalar takes a hex-encoded scalar and returns that scalar,
+// optionally an error
+func ReadHexScalar(group kyber.Group, r io.Reader) (kyber.Scalar, error) {
+	s := group.Scalar()
+	buf, err := getHex(r, s.MarshalSize())
+	if err != nil {
+		return nil, err
+	}
+	s.UnmarshalBinary(buf)
+	return s, nil
+}
+
+// WriteHexScalar converts a scalar key to a hex-string
+func WriteHexScalar(group kyber.Group, w io.Writer, scalar kyber.Scalar) error {
+	buf, err := scalar.MarshalBinary()
+	if err != nil {
+		return err
+	}
+	out := hex.EncodeToString(buf)
+	_, err = w.Write([]byte(out))
+	return err
+}
+
+// PointToStringHex converts a point to a hexadecimal representation
+func PointToStringHex(group kyber.Group, point kyber.Point) (string, error) {
+	pbuf, err := point.MarshalBinary()
+	return hex.EncodeToString(pbuf), err
+}
+
+// StringHexToPoint reads a hexadecimal representation of a point from a string.
+func StringHexToPoint(group kyber.Group, s string) (kyber.Point, error) {
+	return ReadHexPoint(group, strings.NewReader(s))
+}
+
+// ScalarToStringHex encodes a scalar to hexadecimal.
+func ScalarToStringHex(group kyber.Group, scalar kyber.Scalar) (string, error) {
+	sbuf, err := scalar.MarshalBinary()
+	return hex.EncodeToString(sbuf), err
+}
+
+// StringHexToScalar reads a scalar in hexadecimal from string
+func StringHexToScalar(group kyber.Group, str string) (kyber.Scalar, error) {
+	return ReadHexScalar(group, strings.NewReader(str))
+}
+
+func getHex(r io.Reader, l int) ([]byte, error) {
+	bufHex := make([]byte, l*2)
+	bufByte := make([]byte, l)
+	n, err := r.Read(bufHex)
+	if err != nil {
+		return nil, err
+	}
+	if n < len(bufHex) {
+		return nil, errors.New("didn't get enough bytes from stream")
+	}
+	_, err = hex.Decode(bufByte, bufHex)
+	if err != nil {
+		return nil, err
+	}
+	return bufByte, nil
+}
diff --git a/kyber/util/encoding/encoding_test.go b/kyber/util/encoding/encoding_test.go
new file mode 100644
index 0000000000..f1a0cccdc6
--- /dev/null
+++ b/kyber/util/encoding/encoding_test.go
@@ -0,0 +1,62 @@
+package encoding
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+)
+
+var s = edwards25519.NewBlakeSHA256Ed25519()
+
+func ErrFatal(err error) {
+	if err == nil {
+		return
+	}
+	panic(err)
+}
+
+func TestPubHexStream(t *testing.T) {
+	b := &bytes.Buffer{}
+	p := s.Point().Pick(s.RandomStream())
+	ErrFatal(WriteHexPoint(s, b, p))
+	ErrFatal(WriteHexPoint(s, b, p))
+	p2, err := ReadHexPoint(s, b)
+	ErrFatal(err)
+	require.Equal(t, p.String(), p2.String())
+	p2, err = ReadHexPoint(s, b)
+	ErrFatal(err)
+	require.Equal(t, p.String(), p2.String())
+}
+
+func TestScalarHexStream(t *testing.T) {
+	b := &bytes.Buffer{}
+	sc := s.Scalar().Pick(s.RandomStream())
+	ErrFatal(WriteHexScalar(s, b, sc))
+	ErrFatal(WriteHexScalar(s, b, sc))
+	s2, err := ReadHexScalar(s, b)
+	ErrFatal(err)
+	require.True(t, sc.Equal(s2))
+	s2, err = ReadHexScalar(s, b)
+	ErrFatal(err)
+	require.True(t, sc.Equal(s2))
+}
+
+func TestPubHexString(t *testing.T) {
+	p := s.Point().Pick(s.RandomStream())
+	pstr, err := PointToStringHex(s, p)
+	ErrFatal(err)
+	p2, err := StringHexToPoint(s, pstr)
+	ErrFatal(err)
+	require.Equal(t, p.String(), p2.String())
+}
+
+func TestScalarHexString(t *testing.T) {
+	sc := s.Scalar().Pick(s.RandomStream())
+	scstr, err := ScalarToStringHex(s, sc)
+	ErrFatal(err)
+	s2, err := StringHexToScalar(s, scstr)
+	ErrFatal(err)
+	require.True(t, sc.Equal(s2))
+}
diff --git a/kyber/util/key/key.go b/kyber/util/key/key.go
new file mode 100644
index 0000000000..f77c2d20ee
--- /dev/null
+++ b/kyber/util/key/key.go
@@ -0,0 +1,49 @@
+// Package key creates asymmetric key pairs.
+package key
+
+import (
+	"crypto/cipher"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+// Generator is a type that needs to implement a special case in order
+// to correctly choose a key.
+type Generator interface {
+	NewKey(random cipher.Stream) kyber.Scalar
+}
+
+// Suite represents the list of functionalities needed by this package.
+type Suite interface {
+	kyber.Group
+	kyber.Random
+}
+
+// Pair represents a public/private keypair together with the
+// ciphersuite the key was generated from.
+type Pair struct {
+	Public  kyber.Point  // Public key
+	Private kyber.Scalar // Private key
+}
+
+// NewKeyPair directly creates a secret/public key pair
+func NewKeyPair(suite Suite) *Pair {
+	kp := new(Pair)
+	kp.Gen(suite)
+	return kp
+}
+
+// Gen creates a fresh public/private keypair with the given
+// ciphersuite, using a given source of cryptographic randomness. If
+// suite implements key.Generator, then suite.NewKey is called
+// to generate the private key, otherwise the normal technique
+// of choosing a random scalar from the group is used.
+func (p *Pair) Gen(suite Suite) {
+	random := suite.RandomStream()
+	if g, ok := suite.(Generator); ok {
+		p.Private = g.NewKey(random)
+	} else {
+		p.Private = suite.Scalar().Pick(random)
+	}
+	p.Public = suite.Point().Mul(p.Private, nil)
+}
diff --git a/kyber/util/key/key_test.go b/kyber/util/key/key_test.go
new file mode 100644
index 0000000000..406032d7b8
--- /dev/null
+++ b/kyber/util/key/key_test.go
@@ -0,0 +1,39 @@
+package key
+
+import (
+	"crypto/cipher"
+	"testing"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+)
+
+func TestNewKeyPair(t *testing.T) {
+	suite := edwards25519.NewBlakeSHA256Ed25519()
+	keypair := NewKeyPair(suite)
+	pub := suite.Point().Mul(keypair.Private, nil)
+	if !pub.Equal(keypair.Public) {
+		t.Fatal("Public and private keys don't match")
+	}
+	t.Log(pub)
+}
+
+// A type to test interface Generator by intentionally creating a fixed private key.
+type fixedPrivSuiteEd25519 edwards25519.SuiteEd25519
+
+func (s *fixedPrivSuiteEd25519) NewKey(stream cipher.Stream) kyber.Scalar {
+	return s.Scalar().SetInt64(33)
+}
+
+// This is never called anyway, so it doesn't matter what it returns.
+func (s *fixedPrivSuiteEd25519) RandomStream() cipher.Stream { return nil }
+
+func TestNewKeyPairGen(t *testing.T) {
+	suite := &fixedPrivSuiteEd25519{}
+	key := NewKeyPair(suite)
+
+	scalar33 := suite.Scalar().SetInt64(33)
+	if !key.Private.Equal(scalar33) {
+		t.Fatalf("expected fixed private key, got %v", key.Private)
+	}
+}
diff --git a/kyber/util/random/rand.go b/kyber/util/random/rand.go
new file mode 100644
index 0000000000..0fcee6fedc
--- /dev/null
+++ b/kyber/util/random/rand.go
@@ -0,0 +1,78 @@
+// Package random provides facilities for generating
+// random or pseudorandom cryptographic objects.
+package random
+
+import (
+	"crypto/cipher"
+	"crypto/rand"
+	"math/big"
+)
+
+// Bits chooses a uniform random BigInt with a given maximum BitLen.
+// If 'exact' is true, choose a BigInt with _exactly_ that BitLen, not less
+func Bits(bitlen uint, exact bool, rand cipher.Stream) []byte {
+	b := make([]byte, (bitlen+7)/8)
+	rand.XORKeyStream(b, b)
+	highbits := bitlen & 7
+	if highbits != 0 {
+		b[0] &= ^(0xff << highbits)
+	}
+	if exact {
+		if highbits != 0 {
+			b[0] |= 1 << (highbits - 1)
+		} else {
+			b[0] |= 0x80
+		}
+	}
+	return b
+}
+
+// Int chooses a uniform random big.Int less than a given modulus
+func Int(mod *big.Int, rand cipher.Stream) *big.Int {
+	bitlen := uint(mod.BitLen())
+	i := new(big.Int)
+	for {
+		i.SetBytes(Bits(bitlen, false, rand))
+		if i.Sign() > 0 && i.Cmp(mod) < 0 {
+			return i
+		}
+	}
+}
+
+// Bytes fills a slice with random bytes from rand.
+func Bytes(b []byte, rand cipher.Stream) {
+	rand.XORKeyStream(b, b)
+}
+
+type randstream struct {
+}
+
+func (r *randstream) XORKeyStream(dst, src []byte) {
+	// This function works only on local data, so it is
+	// safe against race conditions, as long as crypto/rand
+	// is as well. (It is.)
+
+	l := len(dst)
+	if len(src) != l {
+		panic("XORKeyStream: mismatched buffer lengths")
+	}
+
+	buf := make([]byte, l)
+	n, err := rand.Read(buf)
+	if err != nil {
+		panic(err)
+	}
+	if n < len(buf) {
+		panic("short read on infinite random stream!?")
+	}
+
+	for i := 0; i < l; i++ {
+		dst[i] = src[i] ^ buf[i]
+	}
+}
+
+// New returns a new cipher.Stream that gets random data from Go's crypto/rand package.
+// The resulting cipher.Stream can be used in multiple threads.
+func New() cipher.Stream {
+	return &randstream{}
+}
diff --git a/kyber/util/test/doc.go b/kyber/util/test/doc.go
new file mode 100644
index 0000000000..efb143b533
--- /dev/null
+++ b/kyber/util/test/doc.go
@@ -0,0 +1,3 @@
+// Package test contains generic testing and benchmarking infrastructure
+// for cryptographic groups and ciphersuites.
+package test
diff --git a/kyber/util/test/group.go b/kyber/util/test/group.go
new file mode 100644
index 0000000000..1aa4cf6ba1
--- /dev/null
+++ b/kyber/util/test/group.go
@@ -0,0 +1,150 @@
+package test
+
+import (
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+// GroupBench is a generic benchmark suite for kyber.groups.
+type GroupBench struct {
+	g kyber.Group
+
+	// Random secrets and points for testing
+	x, y kyber.Scalar
+	X, Y kyber.Point
+	xe   []byte // encoded Scalar
+	Xe   []byte // encoded Point
+}
+
+// NewGroupBench returns a new GroupBench.
+func NewGroupBench(g kyber.Group) *GroupBench {
+	var gb GroupBench
+	rng := random.New()
+	gb.g = g
+	gb.x = g.Scalar().Pick(rng)
+	gb.y = g.Scalar().Pick(rng)
+	gb.xe, _ = gb.x.MarshalBinary()
+	gb.X = g.Point().Pick(rng)
+	gb.Y = g.Point().Pick(rng)
+	gb.Xe, _ = gb.X.MarshalBinary()
+	return &gb
+}
+
+// ScalarAdd benchmarks the addition operation for scalars
+func (gb GroupBench) ScalarAdd(iters int) {
+	for i := 1; i < iters; i++ {
+		gb.x.Add(gb.x, gb.y)
+	}
+}
+
+// ScalarSub benchmarks the substraction operation for scalars
+func (gb GroupBench) ScalarSub(iters int) {
+	for i := 1; i < iters; i++ {
+		gb.x.Sub(gb.x, gb.y)
+	}
+}
+
+// ScalarNeg benchmarks the negation operation for scalars
+func (gb GroupBench) ScalarNeg(iters int) {
+	for i := 1; i < iters; i++ {
+		gb.x.Neg(gb.x)
+	}
+}
+
+// ScalarMul benchmarks the multiplication operation for scalars
+func (gb GroupBench) ScalarMul(iters int) {
+	for i := 1; i < iters; i++ {
+		gb.x.Mul(gb.x, gb.y)
+	}
+}
+
+// ScalarDiv benchmarks the division operation for scalars
+func (gb GroupBench) ScalarDiv(iters int) {
+	for i := 1; i < iters; i++ {
+		gb.x.Div(gb.x, gb.y)
+	}
+}
+
+// ScalarInv benchmarks the inverse operation for scalars
+func (gb GroupBench) ScalarInv(iters int) {
+	for i := 1; i < iters; i++ {
+		gb.x.Inv(gb.x)
+	}
+}
+
+// ScalarPick benchmarks the Pick operation for scalars
+func (gb GroupBench) ScalarPick(iters int) {
+	for i := 1; i < iters; i++ {
+		gb.x.Pick(random.New())
+	}
+}
+
+// ScalarEncode benchmarks the marshalling operation for scalars
+func (gb GroupBench) ScalarEncode(iters int) {
+	for i := 1; i < iters; i++ {
+		_, _ = gb.x.MarshalBinary()
+	}
+}
+
+// ScalarDecode benchmarks the unmarshalling operation for scalars
+func (gb GroupBench) ScalarDecode(iters int) {
+	for i := 1; i < iters; i++ {
+		_ = gb.x.UnmarshalBinary(gb.xe)
+	}
+}
+
+// PointAdd benchmarks the addition operation for points
+func (gb GroupBench) PointAdd(iters int) {
+	for i := 1; i < iters; i++ {
+		gb.X.Add(gb.X, gb.Y)
+	}
+}
+
+// PointSub benchmarks the substraction operation for points
+func (gb GroupBench) PointSub(iters int) {
+	for i := 1; i < iters; i++ {
+		gb.X.Sub(gb.X, gb.Y)
+	}
+}
+
+// PointNeg benchmarks the negation operation for points
+func (gb GroupBench) PointNeg(iters int) {
+	for i := 1; i < iters; i++ {
+		gb.X.Neg(gb.X)
+	}
+}
+
+// PointMul benchmarks the multiplication operation for points
+func (gb GroupBench) PointMul(iters int) {
+	for i := 1; i < iters; i++ {
+		gb.X.Mul(gb.y, gb.X)
+	}
+}
+
+// PointBaseMul benchmarks the base multiplication operation for points
+func (gb GroupBench) PointBaseMul(iters int) {
+	for i := 1; i < iters; i++ {
+		gb.X.Mul(gb.y, nil)
+	}
+}
+
+// PointPick benchmarks the pick-ing operation for points
+func (gb GroupBench) PointPick(iters int) {
+	for i := 1; i < iters; i++ {
+		gb.X.Pick(random.New())
+	}
+}
+
+// PointEncode benchmarks the encoding operation for points
+func (gb GroupBench) PointEncode(iters int) {
+	for i := 1; i < iters; i++ {
+		_, _ = gb.X.MarshalBinary()
+	}
+}
+
+// PointDecode benchmarks the decoding operation for points
+func (gb GroupBench) PointDecode(iters int) {
+	for i := 1; i < iters; i++ {
+		_ = gb.X.UnmarshalBinary(gb.Xe)
+	}
+}
diff --git a/kyber/util/test/test.go b/kyber/util/test/test.go
new file mode 100644
index 0000000000..f63a436c49
--- /dev/null
+++ b/kyber/util/test/test.go
@@ -0,0 +1,433 @@
+package test
+
+import (
+	"bytes"
+	"crypto/cipher"
+	"testing"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/util/key"
+	"go.dedis.ch/kyber/v3/util/random"
+)
+
+// Suite represents the functionalities that this package can test
+type suite interface {
+	kyber.Group
+	kyber.HashFactory
+	kyber.XOFFactory
+	kyber.Random
+}
+
+type suiteStable struct {
+	suite
+	xof kyber.XOF
+}
+
+func newSuiteStable(s suite) *suiteStable {
+	return &suiteStable{
+		suite: s,
+		xof:   s.XOF(nil),
+	}
+}
+
+func (ss *suiteStable) RandomStream() cipher.Stream {
+	return ss.xof
+}
+
+func testEmbed(t *testing.T, g kyber.Group, rand cipher.Stream, points *[]kyber.Point,
+	s string) {
+	// println("embedding: ", s)
+	b := []byte(s)
+
+	p := g.Point().Embed(b, rand)
+	x, err := p.Data()
+	if err != nil {
+		t.Errorf("Point extraction failed for %v: %v", p, err)
+	}
+	//println("extracted data (", len(x), " bytes): ", string(x))
+	//println("EmbedLen(): ", g.Point().EmbedLen())
+	max := g.Point().EmbedLen()
+	if max > len(b) {
+		max = len(b)
+	}
+	if !bytes.Equal(append(x, b[max:]...), b) {
+		t.Errorf("Point embedding corrupted the data")
+	}
+
+	*points = append(*points, p)
+}
+
+func testPointSet(t *testing.T, g kyber.Group, rand cipher.Stream) {
+	N := 1000
+	null := g.Point().Null()
+	for i := 0; i < N; i++ {
+		P1 := g.Point().Pick(rand)
+		P2 := g.Point()
+		P2.Set(P1)
+		if !P1.Equal(P2) {
+			t.Errorf("Set() set to a different point: %v != %v", P1, P2)
+		}
+		if !P1.Equal(null) {
+			P1.Add(P1, P1)
+			if P1.Equal(P2) {
+				t.Errorf("Modifying P1 shouldn't modify P2: %v == %v", P1, P2)
+			}
+		}
+	}
+}
+
+func testPointClone(t *testing.T, g kyber.Group, rand cipher.Stream) {
+	N := 1000
+	null := g.Point().Null()
+	for i := 0; i < N; i++ {
+		P1 := g.Point().Pick(rand)
+		P2 := P1.Clone()
+		if !P1.Equal(P2) {
+			t.Errorf("Clone didn't work for point: %v != %v", P1, P2)
+		}
+		if !P1.Equal(null) {
+			P1.Add(P1, P1)
+			if P1.Equal(P2) {
+				t.Errorf("Modifying P1 shouldn't modify P2: %v == %v", P1, P2)
+			}
+		}
+	}
+}
+
+func testScalarSet(t *testing.T, g kyber.Group, rand cipher.Stream) {
+	N := 1000
+	zero := g.Scalar().Zero()
+	one := g.Scalar().One()
+	for i := 0; i < N; i++ {
+		s1 := g.Scalar().Pick(rand)
+		s2 := g.Scalar().Set(s1)
+		if !s1.Equal(s2) {
+			t.Errorf("Set() set to a different scalar: %v != %v", s1, s2)
+		}
+		if !s1.Equal(zero) && !s1.Equal(one) {
+			s1.Mul(s1, s1)
+			if s1.Equal(s2) {
+				t.Errorf("Modifying s1 shouldn't modify s2: %v == %v", s1, s2)
+			}
+		}
+	}
+}
+
+func testScalarClone(t *testing.T, g kyber.Group, rand cipher.Stream) {
+	N := 1000
+	zero := g.Scalar().Zero()
+	one := g.Scalar().One()
+	for i := 0; i < N; i++ {
+		s1 := g.Scalar().Pick(rand)
+		s2 := s1.Clone()
+		if !s1.Equal(s2) {
+			t.Errorf("Clone didn't work for scalar: %v != %v", s1, s2)
+		}
+		if !s1.Equal(zero) && !s1.Equal(one) {
+			s1.Mul(s1, s1)
+			if s1.Equal(s2) {
+				t.Errorf("Modifying s1 shouldn't modify s2: %v == %v", s1, s2)
+			}
+		}
+	}
+}
+
+// Apply a generic set of validation tests to a cryptographic Group,
+// using a given source of [pseudo-]randomness.
+//
+// Returns a log of the pseudorandom Points produced in the test,
+// for comparison across alternative implementations
+// that are supposed to be equivalent.
+//
+func testGroup(t *testing.T, g kyber.Group, rand cipher.Stream) []kyber.Point {
+	t.Logf("\nTesting group '%s': %d-byte Point, %d-byte Scalar\n",
+		g.String(), g.PointLen(), g.ScalarLen())
+
+	points := make([]kyber.Point, 0)
+	ptmp := g.Point()
+	stmp := g.Scalar()
+	pzero := g.Point().Null()
+	szero := g.Scalar().Zero()
+	sone := g.Scalar().One()
+
+	// Do a simple Diffie-Hellman test
+	s1 := g.Scalar().Pick(rand)
+	s2 := g.Scalar().Pick(rand)
+	if s1.Equal(szero) {
+		t.Errorf("first secret is scalar zero %v", s1)
+	}
+	if s2.Equal(szero) {
+		t.Errorf("second secret is scalar zero %v", s2)
+	}
+	if s1.Equal(s2) {
+		t.Errorf("not getting unique secrets: picked %s twice", s1)
+	}
+
+	gen := g.Point().Base()
+	points = append(points, gen)
+
+	// Sanity-check relationship between addition and multiplication
+	p1 := g.Point().Add(gen, gen)
+	p2 := g.Point().Mul(stmp.SetInt64(2), nil)
+	if !p1.Equal(p2) {
+		t.Errorf("multiply by two doesn't work: %v == %v (+) %[2]v != %[2]v (x) 2 == %v", p1, gen, p2)
+	}
+	p1.Add(p1, p1)
+	p2.Mul(stmp.SetInt64(4), nil)
+	if !p1.Equal(p2) {
+		t.Errorf("multiply by four doesn't work: %v (+) %[1]v != %v (x) 4 == %v",
+			g.Point().Add(gen, gen), gen, p2)
+	}
+	points = append(points, p1)
+
+	// Find out if this curve has a prime order:
+	// if the curve does not offer a method IsPrimeOrder,
+	// then assume that it is.
+	type canCheckPrimeOrder interface {
+		IsPrimeOrder() bool
+	}
+	primeOrder := true
+	if gpo, ok := g.(canCheckPrimeOrder); ok {
+		primeOrder = gpo.IsPrimeOrder()
+	}
+
+	// Verify additive and multiplicative identities of the generator.
+	ptmp.Mul(stmp.SetInt64(-1), nil).Add(ptmp, gen)
+	if !ptmp.Equal(pzero) {
+		t.Errorf("generator additive identity doesn't work: %v (x) -1 (+) %v != %v the group point identity",
+			ptmp.Mul(stmp.SetInt64(-1), nil), gen, pzero)
+	}
+	// secret.Inv works only in prime-order groups
+	if primeOrder {
+		ptmp.Mul(stmp.SetInt64(2), nil).Mul(stmp.Inv(stmp), ptmp)
+		if !ptmp.Equal(gen) {
+			t.Errorf("generator multiplicative identity doesn't work:\n%v (x) %v = %v\n%[3]v (x) %v = %v",
+				ptmp.Base().String(), stmp.SetInt64(2).String(),
+				ptmp.Mul(stmp.SetInt64(2), nil).String(),
+				stmp.Inv(stmp).String(),
+				ptmp.Mul(stmp.SetInt64(2), nil).Mul(stmp.Inv(stmp), ptmp).String())
+		}
+	}
+
+	p1.Mul(s1, gen)
+	p2.Mul(s2, gen)
+	if p1.Equal(p2) {
+		t.Errorf("encryption isn't producing unique points: %v (x) %v == %v (x) %[2]v == %[4]v", s1, gen, s2, p1)
+	}
+	points = append(points, p1)
+
+	dh1 := g.Point().Mul(s2, p1)
+	dh2 := g.Point().Mul(s1, p2)
+	if !dh1.Equal(dh2) {
+		t.Errorf("Diffie-Hellman didn't work: %v == %v (x) %v != %v (x) %v == %v", dh1, s2, p1, s1, p2, dh2)
+	}
+	points = append(points, dh1)
+	t.Logf("shared secret = %v", dh1)
+
+	// Test secret inverse to get from dh1 back to p1
+	if primeOrder {
+		ptmp.Mul(g.Scalar().Inv(s2), dh1)
+		if !ptmp.Equal(p1) {
+			t.Errorf("Scalar inverse didn't work: %v != (-)%v (x) %v == %v", p1, s2, dh1, ptmp)
+		}
+	}
+
+	// Zero and One identity secrets
+	//println("dh1^0 = ",ptmp.Mul(dh1, szero).String())
+	if !ptmp.Mul(szero, dh1).Equal(pzero) {
+		t.Errorf("Encryption with secret=0 didn't work: %v (x) %v == %v != %v", szero, dh1, ptmp, pzero)
+	}
+	if !ptmp.Mul(sone, dh1).Equal(dh1) {
+		t.Errorf("Encryption with secret=1 didn't work: %v (x) %v == %v != %[2]v", sone, dh1, ptmp)
+	}
+
+	// Additive homomorphic identities
+	ptmp.Add(p1, p2)
+	stmp.Add(s1, s2)
+	pt2 := g.Point().Mul(stmp, gen)
+	if !pt2.Equal(ptmp) {
+		t.Errorf("Additive homomorphism doesn't work: %v + %v == %v, %[3]v (x) %v == %v != %v == %v (+) %v",
+			s1, s2, stmp, gen, pt2, ptmp, p1, p2)
+	}
+	ptmp.Sub(p1, p2)
+	stmp.Sub(s1, s2)
+	pt2.Mul(stmp, gen)
+	if !pt2.Equal(ptmp) {
+		t.Errorf("Additive homomorphism doesn't work: %v - %v == %v, %[3]v (x) %v == %v != %v == %v (-) %v",
+			s1, s2, stmp, gen, pt2, ptmp, p1, p2)
+	}
+	st2 := g.Scalar().Neg(s2)
+	st2.Add(s1, st2)
+	if !stmp.Equal(st2) {
+		t.Errorf("Scalar.Neg doesn't work: -%v == %v, %[2]v + %v == %v != %v",
+			s2, g.Scalar().Neg(s2), s1, st2, stmp)
+	}
+	pt2.Neg(p2).Add(pt2, p1)
+	if !pt2.Equal(ptmp) {
+		t.Errorf("Point.Neg doesn't work: (-)%v == %v, %[2]v (+) %v == %v != %v",
+			p2, g.Point().Neg(p2), p1, pt2, ptmp)
+	}
+
+	// Multiplicative homomorphic identities
+	stmp.Mul(s1, s2)
+	if !ptmp.Mul(stmp, gen).Equal(dh1) {
+		t.Errorf("Multiplicative homomorphism doesn't work: %v * %v == %v, %[2]v (x) %v == %v != %v",
+			s1, s2, stmp, gen, ptmp, dh1)
+	}
+	if primeOrder {
+		st2.Inv(s2)
+		st2.Mul(st2, stmp)
+		if !st2.Equal(s1) {
+			t.Errorf("Scalar division doesn't work: %v^-1 * %v == %v * %[2]v == %[4]v != %v",
+				s2, stmp, g.Scalar().Inv(s2), st2, s1)
+		}
+		st2.Div(stmp, s2)
+		if !st2.Equal(s1) {
+			t.Errorf("Scalar division doesn't work: %v / %v == %v != %v",
+				stmp, s2, st2, s1)
+		}
+	}
+
+	// Test randomly picked points
+	last := gen
+	for i := 0; i < 5; i++ {
+		rgen := g.Point().Pick(rand)
+		if rgen.Equal(last) {
+			t.Errorf("Pick() not producing unique points: got %v twice", rgen)
+		}
+		last = rgen
+
+		ptmp.Mul(stmp.SetInt64(-1), rgen).Add(ptmp, rgen)
+		if !ptmp.Equal(pzero) {
+			t.Errorf("random generator fails additive identity: %v (x) %v == %v, %v (+) %[3]v == %[5]v != %v",
+				g.Scalar().SetInt64(-1), rgen, g.Point().Mul(g.Scalar().SetInt64(-1), rgen),
+				rgen, g.Point().Mul(g.Scalar().SetInt64(-1), rgen), pzero)
+		}
+		if primeOrder {
+			ptmp.Mul(stmp.SetInt64(2), rgen).Mul(stmp.Inv(stmp), ptmp)
+			if !ptmp.Equal(rgen) {
+				t.Errorf("random generator fails multiplicative identity: %v (x) (2 (x) %v) == %v != %[2]v",
+					stmp, rgen, ptmp)
+			}
+		}
+		points = append(points, rgen)
+	}
+
+	// Test embedding data
+	testEmbed(t, g, rand, &points, "Hi!")
+	testEmbed(t, g, rand, &points, "The quick brown fox jumps over the lazy dog")
+
+	// Test verifiable secret sharing
+
+	// Test encoding and decoding
+	buf := new(bytes.Buffer)
+	for i := 0; i < 5; i++ {
+		buf.Reset()
+		s := g.Scalar().Pick(rand)
+		if _, err := s.MarshalTo(buf); err != nil {
+			t.Errorf("encoding of secret fails: " + err.Error())
+		}
+		if _, err := stmp.UnmarshalFrom(buf); err != nil {
+			t.Errorf("decoding of secret fails: " + err.Error())
+		}
+		if !stmp.Equal(s) {
+			t.Errorf("decoding produces different secret than encoded")
+		}
+
+		buf.Reset()
+		p := g.Point().Pick(rand)
+		if _, err := p.MarshalTo(buf); err != nil {
+			t.Errorf("encoding of point fails: " + err.Error())
+		}
+		if _, err := ptmp.UnmarshalFrom(buf); err != nil {
+			t.Errorf("decoding of point fails: " + err.Error())
+		}
+		if !ptmp.Equal(p) {
+			t.Errorf("decoding produces different point than encoded")
+		}
+	}
+
+	// Test that we can marshal/ unmarshal null point
+	pzero = g.Point().Null()
+	b, _ := pzero.MarshalBinary()
+	repzero := g.Point()
+	err := repzero.UnmarshalBinary(b)
+	if err != nil {
+		t.Errorf("Could not unmarshall binary %v: %v", b, err)
+	}
+
+	testPointSet(t, g, rand)
+	testPointClone(t, g, rand)
+	testScalarSet(t, g, rand)
+	testScalarClone(t, g, rand)
+
+	return points
+}
+
+// GroupTest applies a generic set of validation tests to a cryptographic Group.
+func GroupTest(t *testing.T, g kyber.Group) {
+	testGroup(t, g, random.New())
+}
+
+// CompareGroups tests two group implementations that are supposed to be equivalent,
+// and compare their results.
+func CompareGroups(t *testing.T, fn func(key []byte) kyber.XOF, g1, g2 kyber.Group) {
+
+	// Produce test results from the same pseudorandom seed
+	r1 := testGroup(t, g1, fn(nil))
+	r2 := testGroup(t, g2, fn(nil))
+
+	// Compare resulting Points
+	for i := range r1 {
+		b1, _ := r1[i].MarshalBinary()
+		b2, _ := r2[i].MarshalBinary()
+		if !bytes.Equal(b1, b2) {
+			t.Errorf("unequal result-pair %v\n1: %v\n2: %v",
+				i, r1[i], r2[i])
+		}
+	}
+}
+
+// SuiteTest tests a standard set of validation tests to a ciphersuite.
+func SuiteTest(t *testing.T, suite suite) {
+
+	// Try hashing something
+	h := suite.Hash()
+	l := h.Size()
+	//println("HashLen: ", l)
+
+	_, _ = h.Write([]byte("abc"))
+	hb := h.Sum(nil)
+	//println("Hash:")
+	//println(hex.Dump(hb))
+	if h.Size() != l || len(hb) != l {
+		t.Errorf("inconsistent hash output length: %v vs %v vs %v", l, h.Size(), len(hb))
+	}
+
+	// Generate some pseudorandom bits
+	x := suite.XOF(hb)
+	sb := make([]byte, 128)
+	x.Read(sb)
+	//fmt.Println("Stream:")
+	//fmt.Println(hex.Dump(sb))
+
+	// Test if it generates two fresh keys
+	p1 := key.NewKeyPair(suite)
+	p2 := key.NewKeyPair(suite)
+	if p1.Private.Equal(p2.Private) {
+		t.Errorf("NewKeyPair returns the same secret key twice: %v", p1)
+	}
+
+	// Test if it creates the same key with the same seed
+	p1 = new(key.Pair)
+	p2 = new(key.Pair)
+
+	p1.Gen(newSuiteStable(suite))
+	p2.Gen(newSuiteStable(suite))
+	if !p1.Private.Equal(p2.Private) {
+		t.Errorf("NewKeyPair returns different keys for same seed: %v != %v", p1, p2)
+	}
+
+	// Test the public-key group arithmetic
+	GroupTest(t, suite)
+}
diff --git a/kyber/xof.go b/kyber/xof.go
new file mode 100644
index 0000000000..b1f4b735a8
--- /dev/null
+++ b/kyber/xof.go
@@ -0,0 +1,50 @@
+package kyber
+
+import (
+	"crypto/cipher"
+	"io"
+)
+
+// An XOF is an extendable output function, which is a cryptographic
+// primitive that can take arbitrary input in the same way a hash
+// function does, and then create a stream of output, up to a limit
+// determined by the size of the internal state of the hash function
+// the underlies the XOF.
+//
+// When XORKeyStream is called with zeros for the source, an XOF
+// also acts as a PRNG. If it is seeded with an appropriate amount
+// of keying material, it is a cryptographically secure source of random
+// bits.
+type XOF interface {
+	// Write absorbs more data into the hash's state. It panics if called
+	// after Read. Use Reseed() to reset the XOF into a state where more data
+	// can be absorbed via Write.
+	io.Writer
+
+	// Read reads more output from the hash. It returns io.EOF if the
+	// limit of available data for reading has been reached.
+	io.Reader
+
+	// An XOF implements cipher.Stream, so that callers can use XORKeyStream
+	// to encrypt/decrypt data. The key stream is read from the XOF using
+	// the io.Reader interface. If Read returns an error, then XORKeyStream
+	// will panic.
+	cipher.Stream
+
+	// Reseed makes an XOF writeable again after it has been read from
+	// by sampling a key from it's output and initializing a fresh XOF implementation
+	// with that key.
+	Reseed()
+
+	// Clone returns a copy of the XOF in its current state.
+	Clone() XOF
+}
+
+// An XOFFactory is an interface that can be mixed in to local suite definitions.
+type XOFFactory interface {
+	// XOF creates a new XOF, feeding seed to it via it's Write method. If seed
+	// is nil or []byte{}, the XOF is left unseeded, it will produce a fixed, predictable
+	// stream of bits (Caution: this behavior is useful for testing but fatal for
+	// production use).
+	XOF(seed []byte) XOF
+}
diff --git a/kyber/xof/blake2xb/blake.go b/kyber/xof/blake2xb/blake.go
new file mode 100644
index 0000000000..9fdfeb049f
--- /dev/null
+++ b/kyber/xof/blake2xb/blake.go
@@ -0,0 +1,85 @@
+// Package blake2xb provides an implementation of kyber.XOF based on the
+// Blake2xb construction.
+package blake2xb
+
+import (
+	"go.dedis.ch/kyber/v3"
+	"golang.org/x/crypto/blake2b"
+)
+
+type xof struct {
+	impl blake2b.XOF
+	// key is here to not make excess garbage during repeated calls
+	// to XORKeyStream.
+	key []byte
+}
+
+// New creates a new XOF using the Blake2b hash.
+func New(seed []byte) kyber.XOF {
+	seed1 := seed
+	var seed2 []byte
+	if len(seed) > blake2b.Size {
+		seed1 = seed[0:blake2b.Size]
+		seed2 = seed[blake2b.Size:]
+	}
+	b, err := blake2b.NewXOF(blake2b.OutputLengthUnknown, seed1)
+	if err != nil {
+		panic("blake2b.NewXOF should not return error: " + err.Error())
+	}
+
+	if seed2 != nil {
+		_, err := b.Write(seed2)
+		if err != nil {
+			panic("blake2b.XOF.Write should not return error: " + err.Error())
+		}
+	}
+	return &xof{impl: b}
+}
+
+func (x *xof) Clone() kyber.XOF {
+	return &xof{impl: x.impl.Clone()}
+}
+
+func (x *xof) Read(dst []byte) (int, error) {
+	return x.impl.Read(dst)
+}
+
+func (x *xof) Write(src []byte) (int, error) {
+	return x.impl.Write(src)
+}
+
+func (x *xof) Reseed() {
+	// Use New to create a new one seeded with output from the old one.
+	if len(x.key) < 128 {
+		x.key = make([]byte, 128)
+	} else {
+		x.key = x.key[0:128]
+	}
+	x.Read(x.key)
+	y := New(x.key)
+	// Steal the XOF implementation, and put it inside of x.
+	x.impl = y.(*xof).impl
+}
+
+func (x *xof) XORKeyStream(dst, src []byte) {
+	if len(dst) < len(src) {
+		panic("dst too short")
+	}
+	if len(x.key) < len(src) {
+		x.key = make([]byte, len(src))
+	} else {
+		x.key = x.key[0:len(src)]
+	}
+
+	n, err := x.Read(x.key)
+	if err != nil {
+		panic("blake xof error: " + err.Error())
+	}
+	if n != len(src) {
+		panic("short read on key")
+	}
+
+	for i := range src {
+		dst[i] = src[i] ^ x.key[i]
+	}
+}
diff --git a/kyber/xof/blake2xs/blake.go b/kyber/xof/blake2xs/blake.go
new file mode 100644
index 0000000000..8a91862d31
--- /dev/null
+++ b/kyber/xof/blake2xs/blake.go
@@ -0,0 +1,85 @@
+// Package blake2xs provides an implementation of kyber.XOF based on the
+// Blake2xs construction.
+package blake2xs
+
+import (
+	"go.dedis.ch/kyber/v3"
+	"golang.org/x/crypto/blake2s"
+)
+
+type xof struct {
+	impl blake2s.XOF
+	// key is here to not make excess garbage during repeated calls
+	// to XORKeyStream.
+	key []byte
+}
+
+// New creates a new XOF using the blake2s hash.
+func New(seed []byte) kyber.XOF {
+	seed1 := seed
+	var seed2 []byte
+	if len(seed) > blake2s.Size {
+		seed1 = seed[0:blake2s.Size]
+		seed2 = seed[blake2s.Size:]
+	}
+	b, err := blake2s.NewXOF(blake2s.OutputLengthUnknown, seed1)
+	if err != nil {
+		panic("blake2s.NewXOF should not return error: " + err.Error())
+	}
+
+	if seed2 != nil {
+		_, err := b.Write(seed2)
+		if err != nil {
+			panic("blake2s.XOF.Write should not return error: " + err.Error())
+		}
+	}
+	return &xof{impl: b}
+}
+
+func (x *xof) Clone() kyber.XOF {
+	return &xof{impl: x.impl.Clone()}
+}
+
+func (x *xof) Read(dst []byte) (int, error) {
+	return x.impl.Read(dst)
+}
+
+func (x *xof) Write(src []byte) (int, error) {
+	return x.impl.Write(src)
+}
+
+func (x *xof) Reseed() {
+	// Use New to create a new one seeded with output from the old one.
+	if len(x.key) < 128 {
+		x.key = make([]byte, 128)
+	} else {
+		x.key = x.key[0:128]
+	}
+	x.Read(x.key)
+	y := New(x.key)
+	// Steal the XOF implementation, and put it inside of x.
+	x.impl = y.(*xof).impl
+}
+
+func (x *xof) XORKeyStream(dst, src []byte) {
+	if len(dst) < len(src) {
+		panic("dst too short")
+	}
+	if len(x.key) < len(src) {
+		x.key = make([]byte, len(src))
+	} else {
+		x.key = x.key[0:len(src)]
+	}
+
+	n, err := x.Read(x.key)
+	if err != nil {
+		panic("blake xof error: " + err.Error())
+	}
+	if n != len(src) {
+		panic("short read on key")
+	}
+
+	for i := range src {
+		dst[i] = src[i] ^ x.key[i]
+	}
+}
diff --git a/kyber/xof/doc.go b/kyber/xof/doc.go
new file mode 100644
index 0000000000..3b415daa05
--- /dev/null
+++ b/kyber/xof/doc.go
@@ -0,0 +1,3 @@
+// Package xof holds implementations and testing code for the various
+// extendable output functions.
+package xof
diff --git a/kyber/xof/keccak/keccak.go b/kyber/xof/keccak/keccak.go
new file mode 100644
index 0000000000..d29e48c024
--- /dev/null
+++ b/kyber/xof/keccak/keccak.go
@@ -0,0 +1,68 @@
+// Package keccak provides an implementation of kyber.XOF based on the
+// Shake256 hash.
+package keccak
+
+import (
+	"go.dedis.ch/kyber/v3"
+	"golang.org/x/crypto/sha3"
+)
+
+type xof struct {
+	sh sha3.ShakeHash
+	// key is here to not make excess garbage during repeated calls
+	// to XORKeyStream.
+	key []byte
+}
+
+// New creates a new XOF using the Shake256 hash.
+func New(seed []byte) kyber.XOF {
+	sh := sha3.NewShake256()
+	sh.Write(seed)
+	return &xof{sh: sh}
+}
+
+func (x *xof) Clone() kyber.XOF {
+	return &xof{sh: x.sh.Clone()}
+}
+
+func (x *xof) Reseed() {
+	if len(x.key) < 128 {
+		x.key = make([]byte, 128)
+	} else {
+		x.key = x.key[0:128]
+	}
+	x.Read(x.key)
+	x.sh = sha3.NewShake256()
+	x.sh.Write(x.key)
+}
+
+func (x *xof) Read(dst []byte) (int, error) {
+	return x.sh.Read(dst)
+}
+
+func (x *xof) Write(src []byte) (int, error) {
+	return x.sh.Write(src)
+}
+
+func (x *xof) XORKeyStream(dst, src []byte) {
+	if len(dst) < len(src) {
+		panic("dst too short")
+	}
+	if len(x.key) < len(src) {
+		x.key = make([]byte, len(src))
+	} else {
+		x.key = x.key[0:len(src)]
+	}
+
+	n, err := x.Read(x.key)
+	if err != nil {
+		panic("xof error getting key: " + err.Error())
+	}
+	if n != len(src) {
+		panic("short read on key")
+	}
+
+	for i := range src {
+		dst[i] = src[i] ^ x.key[i]
+	}
+}
diff --git a/kyber/xof/xof_test.go b/kyber/xof/xof_test.go
new file mode 100644
index 0000000000..e1e844ee1f
--- /dev/null
+++ b/kyber/xof/xof_test.go
@@ -0,0 +1,239 @@
+package xof
+
+import (
+	"bytes"
+	"math"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/xof/blake2xb"
+	"go.dedis.ch/kyber/v3/xof/keccak"
+)
+
+type blakeF struct{}
+
+func (b *blakeF) XOF(seed []byte) kyber.XOF { return blake2xb.New(seed) }
+
+type keccakF struct{}
+
+func (b *keccakF) XOF(seed []byte) kyber.XOF { return keccak.New(seed) }
+
+var impls = []kyber.XOFFactory{&blakeF{}, &keccakF{}}
+
+func TestEncDec(t *testing.T) {
+	lengths := []int{0, 1, 16, 1024, 8192}
+
+	for _, i := range impls {
+		for _, j := range lengths {
+			testEncDec(t, i, j)
+		}
+	}
+}
+
+func testEncDec(t *testing.T, s kyber.XOFFactory, size int) {
+	t.Logf("implementation %T sz %v", s, size)
+	key := []byte("key")
+
+	s1 := s.XOF(key)
+	s2 := s.XOF(key)
+
+	src := make([]byte, size)
+	copy(src, []byte("hello"))
+
+	dst := make([]byte, len(src)+1)
+	dst[len(dst)-1] = 0xff
+
+	s1.XORKeyStream(dst, src)
+	if len(src) > 0 && bytes.Equal(src, dst[0:len(src)]) {
+		t.Fatal("src/dst should not be equal")
+	}
+	if dst[len(dst)-1] != 0xff {
+		t.Fatal("last byte of dst chagned")
+	}
+
+	dst2 := make([]byte, len(src))
+	s2.XORKeyStream(dst2, dst[0:len(src)])
+	if !bytes.Equal(src, dst2) {
+		t.Fatal("src/dst2 should be equal", src, dst2)
+	}
+}
+
+func TestClone(t *testing.T) {
+	for _, i := range impls {
+		testClone(t, i)
+	}
+}
+
+func testClone(t *testing.T, s kyber.XOFFactory) {
+	t.Logf("implementation %T", s)
+	key := []byte("key")
+
+	s1 := s.XOF(key)
+	s2 := s1.Clone()
+
+	src := []byte("hello")
+	dst := make([]byte, len(src)+1)
+	dst[len(dst)-1] = 0xff
+
+	s1.XORKeyStream(dst, src)
+	if bytes.Equal(src, dst[0:len(src)]) {
+		t.Fatal("src/dst should not be equal")
+	}
+	if dst[len(dst)-1] != 0xff {
+		t.Fatal("last byte of dst chagned")
+	}
+
+	dst2 := make([]byte, len(src))
+	s2.XORKeyStream(dst2, dst[0:len(src)])
+	if !bytes.Equal(src, dst2) {
+		t.Fatal("src/dst2 should be equal", src, dst2)
+	}
+}
+
+func TestErrors(t *testing.T) {
+	for _, i := range impls {
+		testErrors(t, i)
+	}
+}
+
+func testErrors(t *testing.T, s kyber.XOFFactory) {
+	t.Logf("implementation %T", s)
+
+	// Write-after-read: panic
+	key := []byte("key")
+	s1 := s.XOF(key)
+	src := []byte("hello")
+	dst := make([]byte, 100)
+	s1.XORKeyStream(dst, src)
+	require.Panics(t, func() { s1.Write(src) })
+
+	// Dst too short: panic
+	require.Panics(t, func() { s1.XORKeyStream(dst[0:len(src)-1], src) })
+}
+
+func TestRandom(t *testing.T) {
+	for _, i := range impls {
+		testRandom(t, i)
+	}
+}
+
+func testRandom(t *testing.T, s kyber.XOFFactory) {
+	t.Logf("implementation %T", s)
+	xof1 := s.XOF(nil)
+
+	for i := 0; i < 1000; i++ {
+		dst1 := make([]byte, 1024)
+		xof1.Read(dst1)
+		dst2 := make([]byte, 1024)
+		xof1.Read(dst2)
+		d := bitDiff(dst1, dst2)
+		if math.Abs(d-0.50) > 0.1 {
+			t.Fatalf("bitDiff %v", d)
+		}
+	}
+
+	// Check that two seeds give expected mean bitdiff on first block
+	xof1 = s.XOF([]byte("a"))
+	xof2 := s.XOF([]byte("b"))
+	dst1 := make([]byte, 1024)
+	xof1.Read(dst1)
+	dst2 := make([]byte, 1024)
+	xof2.Read(dst2)
+	d := bitDiff(dst1, dst2)
+	if math.Abs(d-0.50) > 0.1 {
+		t.Fatalf("two seed bitDiff %v", d)
+	}
+}
+
+// bitDiff compares the bits between two arrays returning the fraction
+// of differences. If the two arrays are not of the same length
+// no comparison is made and a -1 is returned.
+func bitDiff(a, b []byte) float64 {
+	if len(a) != len(b) {
+		return -1
+	}
+
+	count := 0
+	for i := 0; i < len(a); i++ {
+		for j := 0; j < 8; j++ {
+			count += int(((a[i] ^ b[i]) >> uint(j)) & 1)
+		}
+	}
+
+	return float64(count) / float64(len(a)*8)
+}
+
+func TestNoSeed(t *testing.T) {
+	for _, i := range impls {
+		testNoSeed(t, i)
+	}
+}
+
+func testNoSeed(t *testing.T, s kyber.XOFFactory) {
+	t.Logf("implementation %T", s)
+
+	xof1 := s.XOF(nil)
+	dst1 := make([]byte, 1024)
+	xof1.Read(dst1)
+
+	xof2 := s.XOF([]byte{})
+	dst2 := make([]byte, 1024)
+	xof2.Read(dst2)
+	if !bytes.Equal(dst1, dst2) {
+		t.Fatal("hash with two flavors of zero seed not same")
+	}
+}
+
+func TestReseed(t *testing.T) {
+	for _, i := range impls {
+		testReseed(t, i)
+	}
+}
+
+func testReseed(t *testing.T, s kyber.XOFFactory) {
+	t.Logf("implementation %T", s)
+	seed := []byte("seed")
+
+	xof1 := s.XOF(seed)
+	dst1 := make([]byte, 1024)
+	xof1.Read(dst1)
+	// Without Reseed: panic.
+	require.Panics(t, func() { xof1.Write(seed) })
+	// After Reseed, does not panic.
+	xof1.Reseed()
+	xof2 := xof1.Clone()
+	require.NotPanics(t, func() { xof1.Write(seed) })
+
+	dst2 := make([]byte, 1024)
+	xof2.Read(dst2)
+
+	d := bitDiff(dst1, dst2)
+	if math.Abs(d-0.50) > 0.1 {
+		t.Fatalf("reseed bitDiff %v", d)
+	}
+}
+
+func TestEncDecMismatch(t *testing.T) {
+	for _, i := range impls {
+		testEncDecMismatch(t, i)
+	}
+}
+
+func testEncDecMismatch(t *testing.T, s kyber.XOFFactory) {
+	t.Logf("implementation %T", s)
+	seed := []byte("seed")
+	x1 := s.XOF(seed)
+	x2 := s.XOF(seed)
+	msg := []byte("hello world")
+	enc := make([]byte, len(msg))
+	dec := make([]byte, len(msg))
+	x1.XORKeyStream(enc[0:3], msg[0:3])
+	x1.XORKeyStream(enc[3:4], msg[3:4])
+	x1.XORKeyStream(enc[4:], msg[4:])
+	x2.XORKeyStream(dec[0:5], enc[0:5])
+	x2.XORKeyStream(dec[5:], enc[5:])
+	if !bytes.Equal(msg, dec) {
+		t.Fatal("wrong decode")
+	}
+}
diff --git a/ocs/CHANGELOG.md b/ocs/CHANGELOG.md
new file mode 100644
index 0000000000..8d84599582
--- /dev/null
+++ b/ocs/CHANGELOG.md
@@ -0,0 +1,7 @@
+- multi_sig - work on ocs-module (2019-04-30):
+    - removed 'C' from ocs.ReencryptReply
+    - enable threshold > 1 for policies
+    - change CA dependencies to have independent CAs for CreateOCS and Reencrypt policies
+    - add AuthCreateOCS to ocs.CreateOCS call, which needs an ExtraExtension for the Policies
+    - changed Policy to PolicyCreate, PolicyReencrypt, and PolicyReshare
+    - correct use of PolicyReencrypt and PolicyReshare
\ No newline at end of file
diff --git a/ocs/Calypso-ocs-access.png b/ocs/Calypso-ocs-access.png
new file mode 100644
index 0000000000..fb9b172fe3
Binary files /dev/null and b/ocs/Calypso-ocs-access.png differ
diff --git a/ocs/README.md b/ocs/README.md
new file mode 100644
index 0000000000..c7390990f9
--- /dev/null
+++ b/ocs/README.md
@@ -0,0 +1,135 @@
+Navigation: [DEDIS](https://github.com/dedis/doc/tree/master/README.md) ::
+[Cothority](../README.md) ::
+[Applications](../doc/Applications.md) ::
+Onchain-Secrets
+
+# Onchain-Secrets (OCS)
+
+Calypso is a system to store secrets in plain sight, for example in a blockchain.
+It is composed in two parts, as described in the paper at
+[here](https://eprint.iacr.org/2018/209).
+![Workflow Overview](Calypso-ocs-access.png?raw=true "Workflow Overview")
+
+1. Access Control Cothority - implemented using Byzcoin in [Calypso](../calypso/README.md)
+2. Secret Management Cothority - implemented in this directory
+
+There is a simple demo the functionality of the system:
+[OCS Demo](demo/README.md)
+
+# Protocols
+
+The onet-framework uses protocols at its lowest level to define communication
+patterns betwen nodes. We use two protocols in the onchain-secrets service:
+
+- [DKG](../dkg/DKG.md) - Distributed Key Generation, an implementation of
+  the following paper: "Secure Distributed Key Generation for Discrete-Log
+  Based Cryptosystems" by R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin.
+- [ocs](Renecrypt.md) - the long-term secrets version of the on-chain secrets
+  protocol with server-side secret reconstruction described in
+  [CALYPSO](https://eprint.iacr.org/2018/209.pdf).
+
+## Distributed Key Generation
+
+The DKG protocol creates random shares of a secret key that are only
+stored at each node. Together these nodes create a public shared key
+without creating the secret shared key. As a group they can encrypt
+and decrypt data without the need to create the secret shared key,
+but with each node participating in part of the encryption or
+decryption. For more information, please see [here](../dkg/DKG.md).
+
+## Onchain-Secrets
+
+Based on the DKG, data that is ElGamal encrypted using the public
+shared key from the DKG can be re-encrypted under another public key
+without the data being in the clear at any given moment. This is used
+in the onchain-secrets skipchain when a reader wants to recover the
+symmetric key.
+
+# Variables used
+
+When going through the code, the variables follow the CALYPSO paper
+in the Appendix B under **Secret reconstruction at the trusted server**
+as far as possible.
+
+Here is a short recap of the different variable-names used in the
+re-encryption:
+
+- X: the aggregate public key of the OCS (LTS), also used as the
+ID of the OCS
+- C: the ElGamal part of the data, with maximal key-length of 232 bits for
+Ed25519
+- U: the encrypted random value for the ElGamal encryption, the commit
+- Xc: the public key of the reader under which U will be re-encrypted
+- XHatEnc: the re-encrypted random value for the ElGamal encryption
+
+# API
+
+This onet-service offers an API to interact with the OnChain-Secrets service
+and allows you to:
+
+- `AddPolicyCreateOCS` - define who is allowed to create new OCS-instances
+- `CreateOCS` - start a new OCS instance
+- `GetProofs` - returns a list of signatures from nodes on an OCS-instance
+- `Reencrypt` - request a reencryption on an encrypted secret
+- `Reshare` - not implemented - re-define the set of nodes holding an OCS-instance
+
+For all the policies and authentications, different Access Control Cothorities
+can be defined. Currently the two following ACCs are defined:
+
+- `ByzCoin` - using DARCs to define access control
+- `X509Cert` - using x509-certs to define who is allowed to access the system
+
+## AddPolicyCreateOCS
+
+This is the entry point to the OCS system. Every node needs to define under
+which policy he accepts new OCS instances. For the two ACCs, this is
+defined as follows:
+
+- `ByzCoin` - by giving a byzcoin-ID, CreateOCS will accept every proof of 
+an LTSInstance that can be verified using a stored byzcoin-ID
+- `X509Cert` - the CAs defined in this policy will be used to verify the
+authentication 
+
+## CreateOCS
+
+Using the CreateOCS endpoint, a client can request the system to set up a
+new OCS instance. The request is only accepted if the policy of one of the
+ACCs is fulfilled:
+
+- `ByzCoin` - the proof given in the `Reencrypt` policy must be verifiable
+with one of the stored byzcoin-IDs
+- `X509Cert` - a valid certificate signed by a threshold of CAs defined in
+`AddPolicyCreateOCS` must be present. Each certificate must include the
+`PolicyReencrypt`, `PolicyReshare`, and `Roster`
+
+The CreateOCS service endpoint returns a `LTSID` in the form of a 32 byte
+slice. This ID represents the group that created the distributed key. Any node
+can participate in as many DKGs as you want and will get a random `LTSID`
+assigned.
+
+## GetProofs
+
+Once an OCS instance has been created, this API endpoint can be called. The
+contacted node will send a request to sign the OCS-identity to all other nodes 
+and then return a list of all signatures, one per node.
+
+These signatures can be verified to make sure that the OCS-instance has been
+correctly set up and that the node contacted in `CreateOCS` didn't change
+the roster. 
+
+## Reshare - not yet implemented
+
+It is possible that the roster might change and the LTS shares must be
+re-distributed but without changing the LTS itself. We accomplish this in two
+steps.
+
+1. The authorised client(s) must update the LTS roster in the blockchain (an
+   instance of the LTS smart contract).
+2. Then, the client instructs the calypso conodes to run the resharing
+   protocol. The nodes in the new roster find and check the proof of
+   roster-change in ByzCoin, and then start the protocol to reshare the secret
+   between themselves.
+
+For this operation, all nodes must be online. By default, a threshold of 2/3 of
+the nodes must be present for the decryption.
+
diff --git a/ocs/Reencrypt.md b/ocs/Reencrypt.md
new file mode 100644
index 0000000000..c6f4b26249
--- /dev/null
+++ b/ocs/Reencrypt.md
@@ -0,0 +1,32 @@
+Navigation: [DEDIS](https://github.com/dedis/doc/tree/master/README.md) ::
+[Cothority](../README.md) ::
+[Building Blocks](../doc/BuildingBlocks.md) ::
+Distributed Reencryption
+
+# Distributed Reencryption
+
+Once a [DKG](../dkg/DKG.md) has been set up, its aggregated public key can
+be used to encrypt data, for example using ElGamal encryption. In some
+circumstances you don't want to directly decrypt that data, but merely give
+access to another user, without the distributed setup seeing what the original
+data is.
+
+We call this _re-encryption_, because it takes encrypted data and outputs
+an encrypted blob that can be decrypted by another private key than the one
+used in the DKG. This is done by having each node decrypting the data with
+his share of the key, and then encrypting it to the new key. As each no only
+has a share of the key, the original data is never revealed. However, the end
+result is encrypted to a new public key and can be decrypted using the corresponding
+private key.
+
+## Files
+
+The re-encryption protocol is called _ocs_ and is defined in the following files:
+- [ocs.go](ocs.go)
+- [ocs_struct.go](ocs_struct.go)
+- [ocs_test.go](ocs_test.go)
+
+## Research Papers
+
+- [CALYPSO](https://eprint.iacr.org/2018/209.pdf) - Auditable Sharing of
+  Private Data over Blockchains
diff --git a/ocs/api.go b/ocs/api.go
new file mode 100644
index 0000000000..9940527419
--- /dev/null
+++ b/ocs/api.go
@@ -0,0 +1,103 @@
+package ocs
+
+import (
+	"go.dedis.ch/cothority/v3"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/onet/v3"
+	"go.dedis.ch/onet/v3/network"
+)
+
+// TODO: think about authentication
+// TODO: add REST interface
+
+type OCSID []byte
+
+// Client is a class to communicate to the calypso service.
+type Client struct {
+	*onet.Client
+}
+
+// NewClient creates a new client to interact with the Calypso Service.
+func NewClient() *Client {
+	return &Client{Client: onet.NewClient(cothority.Suite, ServiceName)}
+}
+
+// AddPolicyCreateOCS stores who is allowed to create new OCS instances.
+//
+// This can only be called from localhost, except if the environment variable
+// COTHORITY_ALLOW_INSECURE_ADMIN is set to 'true'.
+func (c *Client) AddPolicyCreateOCS(si *network.ServerIdentity, policyCreate PolicyCreate) error {
+	return c.SendProtobuf(si, &AddPolicyCreateOCS{Create: policyCreate}, nil)
+}
+
+// CreateOCS starts a new Distributed Key Generation with the nodes in the roster and
+// returns the collective public key X. This X is also used later to identify the
+// LTS instance, as there can be more than one LTS group on a node.
+//
+// It also sets up an authorisation option for the nodes.
+//
+// In case of error, X is nil, and the error indicates what is wrong.
+// The `sig` returned is a collective signature on the following hash:
+//   sha256( X | protobuf.Encode(auth) )
+func (c *Client) CreateOCS(roster onet.Roster, auth AuthCreate, policyReencrypt PolicyReencrypt,
+	policyReshare PolicyReshare) (OcsID OCSID, err error) {
+	var ret CreateOCSReply
+	err = c.SendProtobuf(roster.List[0], &CreateOCS{
+		Roster:          roster,
+		Auth:            auth,
+		PolicyReencrypt: policyReencrypt,
+		PolicyReshare:   policyReshare,
+	}, &ret)
+	if err != nil {
+		return
+	}
+	return ret.OcsID, nil
+}
+
+// GetProofs calls all nodes in turn to get their view of the OCS given in the call. The
+// returned OCSProof contains all necessary material to convince an outside client that
+// the OCS is correctly set up. The client should be careful to verify that the returned
+// policies match the policies he knows to be good.
+func (c *Client) GetProofs(roster onet.Roster, OcsID OCSID) (op OCSProof, err error) {
+	for _, si := range roster.List {
+		var reply GetProofReply
+		err = c.SendProtobuf(si, &GetProof{OcsID}, &reply)
+		if err != nil {
+			err = Erret(err)
+			return
+		}
+		if len(op.Signatures) == 0 {
+			op = reply.Proof
+		} else {
+			op.Signatures = append(op.Signatures, reply.Proof.Signatures[0])
+		}
+	}
+	return op, op.Verify()
+}
+
+// Reencrypt requests the re-encryption of the secret stored in the authentication.
+// The authentication must also contain the ephemeral key to which the secret will be
+// reencrypted to.
+// Finally the authentication must contain information about how to verify that the
+// reencryption request is valid.
+//
+// This can be called from anywhere.
+//
+// If the authentication is valid, the reencrypted XHat is returned and err is nil. In case
+// of error, XHat is nil, and the error will be returned.
+func (c *Client) Reencrypt(roster onet.Roster, OcsID OCSID, auth AuthReencrypt) (XHatEnc kyber.Point, err error) {
+	var ret ReencryptReply
+	err = c.SendProtobuf(roster.RandomServerIdentity(), &Reencrypt{OcsID: OcsID, Auth: auth}, &ret)
+	if err != nil {
+		return
+	}
+	return ret.XhatEnc, nil
+}
+
+// Reshare requests the OCS X to share the private key to a new set of nodes given in newRoster.
+// The auth argument must give proof that this request is valid.
+//
+// If the request was successful, nil is returned, an error otherwise.
+func (c *Client) Reshare(oldRoster onet.Roster, X OCSID, newRoster onet.Roster, auth AuthReshare) error {
+	return c.SendProtobuf(oldRoster.RandomServerIdentity(), &Reshare{OcsID: X, NewRoster: newRoster, Auth: auth}, nil)
+}
diff --git a/ocs/api_test.go b/ocs/api_test.go
new file mode 100644
index 0000000000..5d2907e62a
--- /dev/null
+++ b/ocs/api_test.go
@@ -0,0 +1,84 @@
+package ocs
+
+import (
+	"testing"
+
+	"go.dedis.ch/cothority/v3"
+	"go.dedis.ch/kyber/v3/util/key"
+
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/onet/v3"
+)
+
+// Creates an OCS and checks that all nodes have the same view of the OCS.
+func TestClient_GetProofs(t *testing.T) {
+	local := onet.NewLocalTest(tSuite)
+	defer local.CloseAll()
+	nbrNodes := 5
+	_, roster, _ := local.GenBigTree(nbrNodes, nbrNodes, nbrNodes, true)
+
+	cc := newCaCerts(2, 1, 1)
+
+	cl := NewClient()
+	for _, si := range roster.List {
+		err := cl.AddPolicyCreateOCS(si, cc.policyCreate)
+		require.NoError(t, err)
+	}
+	oid, err := cl.CreateOCS(*roster, cc.authCreate(1, *roster), cc.policyReencrypt, cc.policyReshare)
+	require.Error(t, err)
+	oid, err = cl.CreateOCS(*roster, cc.authCreate(2, *roster), cc.policyReencrypt, cc.policyReshare)
+	require.NoError(t, err)
+
+	op, err := cl.GetProofs(*roster, oid)
+	require.NoError(t, op.Verify())
+	require.Equal(t, len(op.Signatures), len(roster.List))
+}
+
+// Asks OCS for a reencryption of a secret
+func TestClient_Reencrypt(t *testing.T) {
+	local := onet.NewLocalTest(tSuite)
+	defer local.CloseAll()
+	nbrNodes := 5
+	_, roster, _ := local.GenBigTree(nbrNodes, nbrNodes, nbrNodes, true)
+
+	cc := newCaCerts(1, 2, 2)
+
+	cl := NewClient()
+	for _, si := range roster.List {
+		err := cl.AddPolicyCreateOCS(si, cc.policyCreate)
+		require.NoError(t, err)
+	}
+	var oid OCSID
+	var err error
+	for i := 0; i < 10; i++ {
+		oid, err = cl.CreateOCS(*roster, cc.authCreate(1, *roster), cc.policyReencrypt, cc.policyReshare)
+		require.NoError(t, err)
+	}
+
+	secret := []byte("ocs for everybody")
+	X, err := oid.X()
+	require.NoError(t, err)
+	U, C, err := EncodeKey(cothority.Suite, X, secret)
+	require.NoError(t, err)
+
+	kp := key.NewKeyPair(cothority.Suite)
+	wid, err := NewWriteID(X, U)
+	require.NoError(t, err)
+	auth := AuthReencrypt{
+		Ephemeral: kp.Public,
+		X509Cert: &AuthReencryptX509Cert{
+			U:            U,
+			Certificates: cc.authReencrypt(1, wid, kp.Public),
+		},
+	}
+	_, err = cl.Reencrypt(*roster, oid, auth)
+	require.Error(t, err)
+	auth.X509Cert.Certificates = cc.authReencrypt(2, wid, kp.Public)
+	for i := 0; i < 10; i++ {
+		XhatEnc, err := cl.Reencrypt(*roster, oid, auth)
+		require.NoError(t, err)
+		secretRec, err := DecodeKey(cothority.Suite, X, C, XhatEnc, kp.Private)
+		require.NoError(t, err)
+		require.Equal(t, secret, secretRec)
+	}
+}
diff --git a/ocs/auth.go b/ocs/auth.go
new file mode 100644
index 0000000000..83464e31e5
--- /dev/null
+++ b/ocs/auth.go
@@ -0,0 +1,258 @@
+package ocs
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/asn1"
+	"errors"
+	"strings"
+
+	"go.dedis.ch/cothority/v3"
+	"go.dedis.ch/protobuf"
+
+	"go.dedis.ch/onet/v3"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+func (cocs CreateOCS) verifyAuth(policies []PolicyCreate) error {
+	for _, p := range policies {
+		if err := p.verify(cocs.Auth, cocs.PolicyReencrypt, cocs.PolicyReshare, cocs.Roster); err == nil {
+			return nil
+		}
+	}
+	return errors.New("no policy matches against the authorization")
+}
+
+func (pc PolicyCreate) verify(auth AuthCreate, pRC PolicyReencrypt, pRS PolicyReshare, roster onet.Roster) error {
+	if pc.X509Cert != nil && auth.X509Cert != nil && pRC.X509Cert != nil && pRS.X509Cert != nil {
+		return pc.X509Cert.verify(auth.X509Cert.Certificates, func(vo x509.VerifyOptions, cert *x509.Certificate) error {
+			return VerifyCreate(vo, cert, pRC.X509Cert, pRS.X509Cert, roster)
+		})
+	}
+	if pc.ByzCoin != nil && auth.ByzCoin != nil && pRC.ByzCoin != nil && pRS.ByzCoin != nil {
+		return errors.New("byzcoin verification not implemented yet")
+	}
+	return errors.New("no matching policy/auth found")
+}
+
+func (pc PolicyReencrypt) verify(auth AuthReencrypt, X, U kyber.Point) error {
+	if X == nil || U == nil {
+		return errors.New("need both X and U for verification")
+	}
+	if pc.X509Cert != nil && auth.X509Cert != nil {
+		return pc.X509Cert.verify(auth.X509Cert.Certificates, func(vo x509.VerifyOptions, cert *x509.Certificate) error {
+			return VerifyReencrypt(vo, cert, X, U)
+		})
+	}
+	if pc.ByzCoin != nil && auth.ByzCoin != nil {
+		return errors.New("byzcoin verification not implemented yet")
+	}
+	return errors.New("no matching policy/auth found")
+}
+
+func (pc PolicyReshare) verify(auth AuthReshare, r onet.Roster) error {
+	if len(r.List) < 2 {
+		return errors.New("roster must have at least 2 nodes")
+	}
+	if pc.X509Cert != nil && auth.X509Cert != nil {
+		return pc.X509Cert.verify(auth.X509Cert.Certificates, func(vo x509.VerifyOptions, cert *x509.Certificate) error {
+			return VerifyReshare(vo, cert, r)
+		})
+	}
+	if pc.ByzCoin != nil && auth.ByzCoin != nil {
+		return errors.New("byzcoin verification not implemented yet")
+	}
+	return errors.New("no matching policy/auth found")
+}
+
+type verifyFunc func(vo x509.VerifyOptions, cert *x509.Certificate) error
+
+func (p509 PolicyX509Cert) verify(certBufs [][]byte, vf verifyFunc) error {
+	var certs []*x509.Certificate
+	for _, certBuf := range certBufs {
+		cert, err := x509.ParseCertificate(certBuf)
+		if err != nil {
+			return err
+		}
+		certs = append(certs, cert)
+	}
+	count := 0
+	var errs []string
+	for _, caBuf := range p509.CA {
+		ca, err := x509.ParseCertificate(caBuf)
+		if err != nil {
+			return err
+		}
+		roots := x509.NewCertPool()
+		roots.AddCert(ca)
+		opt := x509.VerifyOptions{Roots: roots}
+		for _, cert := range certs {
+			if err := vf(opt, cert); err == nil {
+				count++
+				break
+			} else {
+				errs = append(errs, err.Error())
+			}
+		}
+	}
+	if count >= p509.Threshold {
+		return nil
+	}
+	return errors.New("didn't reach threshold - errs: " + strings.Join(errs, "\n -- "))
+}
+
+var (
+	// selection of OID numbers is not random See documents
+	// https://tools.ietf.org/html/rfc5280#page-49
+	// https://tools.ietf.org/html/rfc7229
+	OIDWriteId         = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 13, 1}
+	OIDEphemeralKey    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 13, 2}
+	OIDPolicyReencrypt = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 13, 3}
+	OIDPolicyReshare   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 13, 4}
+	OIDRoster          = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 13, 5}
+)
+
+// VerifyReencrypt takes a root certificate and the certificate to verify. It then verifies
+// the certificates with regard to the signature of the root-certificate to the
+// authCert.
+// ocsID is the ID of the LTS cothority, while U is the commitment to the secret.
+func VerifyReencrypt(vo x509.VerifyOptions, cert *x509.Certificate, X kyber.Point, U kyber.Point) (err error) {
+	wid, err := GetExtensionFromCert(cert, OIDWriteId)
+	if err != nil {
+		return Erret(err)
+	}
+	err = WriteID(wid).Verify(X, U)
+	if err != nil {
+		return Erret(err)
+	}
+
+	unmarkUnhandledCriticalExtension(cert, OIDWriteId)
+	unmarkUnhandledCriticalExtension(cert, OIDEphemeralKey)
+
+	_, err = cert.Verify(vo)
+	return Erret(err)
+}
+
+// VerifyCreate takes a root certificate and the certificate to verify. It then verifies
+// the certificates with regard to the signature of the root-certificate to the
+// authCert.
+// ocsID is the ID of the LTS cothority, while U is the commitment to the secret.
+func VerifyCreate(vo x509.VerifyOptions, cert *x509.Certificate, policyReencrypt, policyReshare *PolicyX509Cert,
+	roster onet.Roster) (err error) {
+	pRcBuf, err := GetExtensionFromCert(cert, OIDPolicyReencrypt)
+	if err != nil {
+		return Erret(err)
+	}
+	pBuf, err := protobuf.Encode(policyReencrypt)
+	if err != nil {
+		return Erret(err)
+	}
+	if bytes.Compare(pRcBuf, pBuf) != 0 {
+		return errors.New("reencryption-policy doesn't match policy in certificate")
+	}
+
+	pRsBuf, err := GetExtensionFromCert(cert, OIDPolicyReshare)
+	if err != nil {
+		return Erret(err)
+	}
+	pBuf, err = protobuf.Encode(policyReshare)
+	if err != nil {
+		return Erret(err)
+	}
+	if bytes.Compare(pRsBuf, pBuf) != 0 {
+		return errors.New("reshare-policy doesn't match policy in certificate")
+	}
+
+	rosterBuf, err := GetExtensionFromCert(cert, OIDRoster)
+	if err != nil {
+		return Erret(err)
+	}
+	rBuf, err := protobuf.Encode(&roster)
+	if err != nil {
+		return Erret(err)
+	}
+	if bytes.Compare(rosterBuf, rBuf) != 0 {
+		return errors.New("roster doesn't match roster in certificate")
+	}
+
+	unmarkUnhandledCriticalExtension(cert, OIDPolicyReencrypt)
+	unmarkUnhandledCriticalExtension(cert, OIDPolicyReshare)
+	unmarkUnhandledCriticalExtension(cert, OIDRoster)
+
+	_, err = cert.Verify(vo)
+	return Erret(err)
+}
+
+func VerifyReshare(vo x509.VerifyOptions, cert *x509.Certificate, r onet.Roster) (err error) {
+	return errors.New("reshare verification not yet implemented")
+}
+
+// WriteID is the ID that will be revealed to the X509 verification method.
+type WriteID []byte
+
+func NewWriteID(X, U kyber.Point) (WriteID, error) {
+	if X == nil || U == nil {
+		return nil, errors.New("X or U is missing")
+	}
+	wid := sha256.New()
+	_, err := X.MarshalTo(wid)
+	if err != nil {
+		return nil, Erret(err)
+	}
+	_, err = U.MarshalTo(wid)
+	if err != nil {
+		return nil, Erret(err)
+	}
+	return wid.Sum(nil), nil
+}
+
+func (wid WriteID) Verify(X, U kyber.Point) error {
+	other, err := NewWriteID(X, U)
+	if err != nil {
+		return Erret(err)
+	}
+	if bytes.Compare(wid, other) != 0 {
+		return errors.New("not the same writeID")
+	}
+	return nil
+}
+
+func GetPointFromCert(certBuf []byte, extID asn1.ObjectIdentifier) (kyber.Point, error) {
+	cert, err := x509.ParseCertificate(certBuf)
+	if err != nil {
+		return nil, Erret(err)
+	}
+	secret := cothority.Suite.Point()
+	secretBuf, err := GetExtensionFromCert(cert, extID)
+	if err != nil {
+		return nil, Erret(err)
+	}
+	err = secret.UnmarshalBinary(secretBuf)
+	return secret, Erret(err)
+}
+
+func GetExtensionFromCert(cert *x509.Certificate, extID asn1.ObjectIdentifier) ([]byte, error) {
+	var buf []byte
+	for _, ext := range cert.Extensions {
+		if ext.Id.Equal(extID) {
+			buf = ext.Value
+			break
+		}
+	}
+	if buf == nil {
+		return nil, errors.New("didn't find extension in certificate")
+	}
+	return buf, nil
+}
+
+func unmarkUnhandledCriticalExtension(cert *x509.Certificate, id asn1.ObjectIdentifier) {
+	for i, extension := range cert.UnhandledCriticalExtensions {
+		if id.Equal(extension) {
+			cert.UnhandledCriticalExtensions = append(cert.UnhandledCriticalExtensions[0:i],
+				cert.UnhandledCriticalExtensions[i+1:]...)
+			return
+		}
+	}
+}
diff --git a/ocs/db.go b/ocs/db.go
new file mode 100644
index 0000000000..517a390de0
--- /dev/null
+++ b/ocs/db.go
@@ -0,0 +1,85 @@
+package ocs
+
+import (
+	"errors"
+	"sync"
+
+	dkgprotocol "go.dedis.ch/cothority/v3/dkg/pedersen"
+	dkg "go.dedis.ch/kyber/v3/share/dkg/pedersen"
+	"go.dedis.ch/onet/v3"
+	"go.dedis.ch/onet/v3/log"
+)
+
+const dbVersion = 1
+
+// storageKey reflects the data we're storing - we could store more
+// than one structure.
+var storageKey = []byte("storage")
+
+// storage is used to save all elements of the DKG.
+type storage struct {
+	Element         map[string]*storageElement
+	PolicyCreateOCS []PolicyCreate
+
+	sync.Mutex
+}
+
+type storageElement struct {
+	PolicyReencrypt PolicyReencrypt
+	PolicyReshare   PolicyReshare
+	Shared          dkgprotocol.SharedSecret
+	Polys           pubPoly
+	Roster          onet.Roster
+	DKS             dkg.DistKeyShare
+}
+
+// saves all data.
+func (s *Service) save() error {
+	s.storage.Lock()
+	defer s.storage.Unlock()
+	err := s.Save(storageKey, s.storage)
+	if err != nil {
+		log.Error("Couldn't save data:", err)
+		return err
+	}
+	return nil
+}
+
+// Tries to load the configuration and updates the data in the service
+// if it finds a valid config-file.
+func (s *Service) tryLoad() error {
+	s.storage = &storage{}
+	ver, err := s.LoadVersion()
+	if err != nil {
+		return err
+	}
+
+	// Make sure we don't have any unallocated maps.
+	defer func() {
+		if len(s.storage.Element) == 0 {
+			s.storage.Element = make(map[string]*storageElement)
+		}
+	}()
+
+	// In the future, we'll make database upgrades below.
+	if ver < dbVersion {
+		// There is no version 0. Save empty storage and update version number.
+		if err = s.save(); err != nil {
+			return err
+		}
+		return s.SaveVersion(dbVersion)
+	}
+	msg, err := s.Load(storageKey)
+	if err != nil {
+		return err
+	}
+	if msg == nil {
+		return nil
+	}
+	var ok bool
+	s.storage, ok = msg.(*storage)
+	if !ok {
+		return errors.New("data of wrong type")
+	}
+	return nil
+}
diff --git a/ocs/demo/.gitignore b/ocs/demo/.gitignore
new file mode 100644
index 0000000000..ac6b375235
--- /dev/null
+++ b/ocs/demo/.gitignore
@@ -0,0 +1,3 @@
+data/*db
+data/log
+data/running
diff --git a/ocs/demo/Makefile b/ocs/demo/Makefile
new file mode 100644
index 0000000000..c527e69bf5
--- /dev/null
+++ b/ocs/demo/Makefile
@@ -0,0 +1,15 @@
+all: run_conodes run_main
+
+run_main:
+	go run main.go data/public.toml
+
+run_conodes: compile_conode stop_conodes
+	docker run -p 7770-7775:7770-7775 --rm -v$$(pwd)/data:/conode_data -e COTHORITY_ALLOW_INSECURE_ADMIN=true \
+		--name conode_test c4dt/ocs:dev ./run_nodes.sh -n 3 -v 2 -c -d /conode_data &
+	sleep 5
+
+compile_conode:
+	make -C ../../conode docker_dev
+
+stop_conodes:
+	docker rm -f conode_test || true
diff --git a/ocs/demo/README.md b/ocs/demo/README.md
new file mode 100644
index 0000000000..4e97857857
--- /dev/null
+++ b/ocs/demo/README.md
@@ -0,0 +1,36 @@
+Navigation: [DEDIS](https://github.com/dedis/doc/tree/master/README.md) ::
+[Cothority](../README.md) ::
+[Applications](../doc/Applications.md) ::
+[Onchain-Secrets](../README.md) ::
+Demo
+
+# OCS Demo
+
+This demo does a simple run to show how to use the OCS with the X509
+certificates. To run it, you first need to run the docker image
+to start 3 nodes locally. This command supposes you are in the 
+`ocs/demo` directory.
+
+```bash
+docker pull c4dt/ocs:dev
+docker run -it -p 7770-7775:7770-7775 --rm -v$(pwd)/data:/conode_data -e COTHORITY_ALLOW_INSECURE_ADMIN=true c4dt/ocs:dev ./run_nodes.sh -n 3 -v 2 -c -d /conode_data
+```
+
+This creates 3 nodes that are listening on the localhost using the ports 7770-7775.
+All data is stored in the `$(pwd)/data` directory. Once the nodes are up and running,
+the demo can be started. This command supposes you are in the `ocs/demo` directory.
+
+```bash
+go run main.go data/public.toml
+```
+
+The demo will do the following:
+
+1. set up a root CA that is stored in the service as being allowed to create new OCS-instances
+2. Create a new OCS-instance with a reencryption policy being set by a node-certificate
+3. Encrypt a symmetric key to the OCS-instance public key
+4. Ask the OCS-instance to re-encrypt the key to an ephemeral key
+5. Decrypt the symmetric key
+
+All communication is done over the network, the same way as it has to be done in
+a real system.
diff --git a/ocs/demo/data/co1/private.toml b/ocs/demo/data/co1/private.toml
new file mode 100644
index 0000000000..43e7e3df2b
--- /dev/null
+++ b/ocs/demo/data/co1/private.toml
@@ -0,0 +1,24 @@
+# This file contains your private key.
+# Do not give it away lightly!
+Suite = "Ed25519"
+Public = "c4efdc8ac09e40f1a34345f7964ad020d446ffa0745cbafc0b30113cb7529825"
+Private = "0d680d146821f37c6b33d8291e5c0e5b9adec969395625732eedb7999d40e40b"
+Address = "tls://localhost:7770"
+ListenAddress = ""
+Description = "Conode_1"
+WebSocketTLSCertificate = ""
+WebSocketTLSCertificateKey = ""
+
+[Services]
+  [Services.ByzCoin]
+    Suite = "bn256.adapter"
+    Public = "6527fcb277c43ae042011b7db5bb86722fd6c89c9c9e18a31a2b5ed62b2ca7ae832e718d6b1c50172d836366097435d4522f2765c367bfe68e3db7450142c41c22a6a99bcee7257c96e04aae9e15353b1e1da1c2bce878652aa67cbd66baf4967401d04a79039a5c5e67f42ebceb6c97063bc72f48a64067b15a65a938f63a84"
+    Private = "668058a926e86b13afd96240027c01b50c4d60d629e6f5bbdf1b5eca55565c0a"
+  [Services.OCS]
+    Suite = "Ed25519"
+    Public = "8a43093fd9dc22249552e40b8e895112722785372a0fcd777bf09c66b5cbdc14"
+    Private = "1c758d426d63ce188112a2c821c97db8301b350d3a5bd7c0dac235509cb05007"
+  [Services.Skipchain]
+    Suite = "bn256.adapter"
+    Public = "053636059f263f4c6eea8c0175a2e4886f1f8999f7bff8bd5791976e1ea8e03d0e5567f71e95dc196387767e4373ca580ff43498ceccef582ecabfcca08b683175f9f0100283236dfba5e242f90b9e75db0c12f1dd5d3f1cc3eb110baab48e4204736ef14018b40da4218055859a0a8b9fbb732300a63c0df89a75123c0ec3e3"
+    Private = "47018e12482e42de967939855e5c66086e4ca55e69d7d9714d1f6cff38397bdb"
diff --git a/ocs/demo/data/co1/public.toml b/ocs/demo/data/co1/public.toml
new file mode 100644
index 0000000000..d3fa2e7970
--- /dev/null
+++ b/ocs/demo/data/co1/public.toml
@@ -0,0 +1,15 @@
+[[servers]]
+  Address = "tls://localhost:7770"
+  Suite = "Ed25519"
+  Public = "c4efdc8ac09e40f1a34345f7964ad020d446ffa0745cbafc0b30113cb7529825"
+  Description = "Conode_1"
+  [servers.Services]
+    [servers.Services.ByzCoin]
+      Public = "6527fcb277c43ae042011b7db5bb86722fd6c89c9c9e18a31a2b5ed62b2ca7ae832e718d6b1c50172d836366097435d4522f2765c367bfe68e3db7450142c41c22a6a99bcee7257c96e04aae9e15353b1e1da1c2bce878652aa67cbd66baf4967401d04a79039a5c5e67f42ebceb6c97063bc72f48a64067b15a65a938f63a84"
+      Suite = "bn256.adapter"
+    [servers.Services.OCS]
+      Public = "8a43093fd9dc22249552e40b8e895112722785372a0fcd777bf09c66b5cbdc14"
+      Suite = "Ed25519"
+    [servers.Services.Skipchain]
+      Public = "053636059f263f4c6eea8c0175a2e4886f1f8999f7bff8bd5791976e1ea8e03d0e5567f71e95dc196387767e4373ca580ff43498ceccef582ecabfcca08b683175f9f0100283236dfba5e242f90b9e75db0c12f1dd5d3f1cc3eb110baab48e4204736ef14018b40da4218055859a0a8b9fbb732300a63c0df89a75123c0ec3e3"
+      Suite = "bn256.adapter"
diff --git a/ocs/demo/data/co2/private.toml b/ocs/demo/data/co2/private.toml
new file mode 100644
index 0000000000..c1f39af652
--- /dev/null
+++ b/ocs/demo/data/co2/private.toml
@@ -0,0 +1,24 @@
+# This file contains your private key.
+# Do not give it away lightly!
+Suite = "Ed25519"
+Public = "745e4b38435ee95063e00131aeeaaec5e7d020b96e91191c03bc2c8bfda1e99e"
+Private = "f4f83a5ea70f95562d7fed51dad13f0bb3255e96d9d6dffe0b4c3b3492aff104"
+Address = "tls://localhost:7772"
+ListenAddress = ""
+Description = "Conode_2"
+WebSocketTLSCertificate = ""
+WebSocketTLSCertificateKey = ""
+
+[Services]
+  [Services.ByzCoin]
+    Suite = "bn256.adapter"
+    Public = "5007870767e42c866e628ae10d81db110dc9d07f1d2a613ba5c3fb4c1f69039507ee38e26c50588452c5603cea0eaaadf8137b83bae8eb5a0ae5555a4e0808ec52c005e20e4eacc5d26547811a899046c0b0e72578199252ad8655561015e2f61e4f0751058d90aa8743a4b0781ecfe60ad55b234e55a2e3554146294ed0fd47"
+    Private = "3ac75a0f4bd1d769fc8dbf84010882a488c2a23edf8280f6541b645277c0e28d"
+  [Services.OCS]
+    Suite = "Ed25519"
+    Public = "007d538282a8e0ca6bfd7fa9690f744b08ff36edc5c7be960088ca94b4eec3cd"
+    Private = "0cdd2daddcc471b02865d47bcd67f9cedbfe4d04ec377ad55521d828e8a0180d"
+  [Services.Skipchain]
+    Suite = "bn256.adapter"
+    Public = "8bf59a9c5227c84346f9701488d5cbf469a3f600481e3233217699c8d42642c05369613a20e35988bac7d1743d35800014470c9b8e5ff04ed1f40d0aace81ee91e4ea1a1f2a6fd0b2f669da19e312d53229331a05c20f48f9e19eedc19c2a8345d7ecb52ed6b53bdf6c3d7058833ddb4202504462ef83665cdd72f20406f5d9c"
+    Private = "7cc33dea17f6606c27f34a6b14e1af123e6bb207f3d7f1aa0e68812b0a1c7ae8"
diff --git a/ocs/demo/data/co2/public.toml b/ocs/demo/data/co2/public.toml
new file mode 100644
index 0000000000..47d1fbe024
--- /dev/null
+++ b/ocs/demo/data/co2/public.toml
@@ -0,0 +1,15 @@
+[[servers]]
+  Address = "tls://localhost:7772"
+  Suite = "Ed25519"
+  Public = "745e4b38435ee95063e00131aeeaaec5e7d020b96e91191c03bc2c8bfda1e99e"
+  Description = "Conode_2"
+  [servers.Services]
+    [servers.Services.ByzCoin]
+      Public = "5007870767e42c866e628ae10d81db110dc9d07f1d2a613ba5c3fb4c1f69039507ee38e26c50588452c5603cea0eaaadf8137b83bae8eb5a0ae5555a4e0808ec52c005e20e4eacc5d26547811a899046c0b0e72578199252ad8655561015e2f61e4f0751058d90aa8743a4b0781ecfe60ad55b234e55a2e3554146294ed0fd47"
+      Suite = "bn256.adapter"
+    [servers.Services.OCS]
+      Public = "007d538282a8e0ca6bfd7fa9690f744b08ff36edc5c7be960088ca94b4eec3cd"
+      Suite = "Ed25519"
+    [servers.Services.Skipchain]
+      Public = "8bf59a9c5227c84346f9701488d5cbf469a3f600481e3233217699c8d42642c05369613a20e35988bac7d1743d35800014470c9b8e5ff04ed1f40d0aace81ee91e4ea1a1f2a6fd0b2f669da19e312d53229331a05c20f48f9e19eedc19c2a8345d7ecb52ed6b53bdf6c3d7058833ddb4202504462ef83665cdd72f20406f5d9c"
+      Suite = "bn256.adapter"
diff --git a/ocs/demo/data/co3/private.toml b/ocs/demo/data/co3/private.toml
new file mode 100644
index 0000000000..4e49b3acc3
--- /dev/null
+++ b/ocs/demo/data/co3/private.toml
@@ -0,0 +1,24 @@
+# This file contains your private key.
+# Do not give it away lightly!
+Suite = "Ed25519"
+Public = "9e7e85c908ef170d68f2820945905cf9e8eeae563e4a7c15af8d889b021e4537"
+Private = "8fd568f157ea1032ae018d7b8b1f39a6cd570ea9dc1b90bac6e2d991dcc65004"
+Address = "tls://localhost:7774"
+ListenAddress = ""
+Description = "Conode_3"
+WebSocketTLSCertificate = ""
+WebSocketTLSCertificateKey = ""
+
+[Services]
+  [Services.ByzCoin]
+    Suite = "bn256.adapter"
+    Public = "4de98971d890a0ab48e7703a9c82edacabbee45e45e25670b10fc738a2c0eb9d85b729bf2fa0f1af753940ea2355f8aab2848b1a5f745820721606105a8b5acd8d8cf15d069a46a82d4349bd8322a5618569ce559a433f7ae570913a578e9b0e0cd8466668aa1fdaacb91cb74058c8afe135e2c541b2a8234f3a669c8a22bbe3"
+    Private = "5a6e55227ffb1d770c8a4a7b7525b682eab178bfa912be051aec2378a3f8366f"
+  [Services.OCS]
+    Suite = "Ed25519"
+    Public = "e8f63c82676019971398ff4738ee4b6e9e85f56eab9f83f8773718d8a555a685"
+    Private = "72b1f4f61cce1c92451ad3e2a13c244628d09bab0af2c1eab16eda921472a20a"
+  [Services.Skipchain]
+    Suite = "bn256.adapter"
+    Public = "5644cb44572f053e0dcd42ff1a4bca9f04eb8e987a7f065dd098507517193a533bb790fa59ff114f082509f9884b24e6d6761753b3c3f01de3c1af9609e150eb764433303d3b44dd6d3e56a75f67165c10965a08399faecd46a07c158779491a4f8e9e294e22a1fd68df2cd68cdc6866ff8cfcd1070b0c394f00062ecc7c4894"
+    Private = "2aa8d8bb5bb1245cea793cf1a0df7529cd0930ae565133fca9124ccf71f63071"
diff --git a/ocs/demo/data/co3/public.toml b/ocs/demo/data/co3/public.toml
new file mode 100644
index 0000000000..0dbd0feb44
--- /dev/null
+++ b/ocs/demo/data/co3/public.toml
@@ -0,0 +1,15 @@
+[[servers]]
+  Address = "tls://localhost:7774"
+  Suite = "Ed25519"
+  Public = "9e7e85c908ef170d68f2820945905cf9e8eeae563e4a7c15af8d889b021e4537"
+  Description = "Conode_3"
+  [servers.Services]
+    [servers.Services.ByzCoin]
+      Public = "4de98971d890a0ab48e7703a9c82edacabbee45e45e25670b10fc738a2c0eb9d85b729bf2fa0f1af753940ea2355f8aab2848b1a5f745820721606105a8b5acd8d8cf15d069a46a82d4349bd8322a5618569ce559a433f7ae570913a578e9b0e0cd8466668aa1fdaacb91cb74058c8afe135e2c541b2a8234f3a669c8a22bbe3"
+      Suite = "bn256.adapter"
+    [servers.Services.OCS]
+      Public = "e8f63c82676019971398ff4738ee4b6e9e85f56eab9f83f8773718d8a555a685"
+      Suite = "Ed25519"
+    [servers.Services.Skipchain]
+      Public = "5644cb44572f053e0dcd42ff1a4bca9f04eb8e987a7f065dd098507517193a533bb790fa59ff114f082509f9884b24e6d6761753b3c3f01de3c1af9609e150eb764433303d3b44dd6d3e56a75f67165c10965a08399faecd46a07c158779491a4f8e9e294e22a1fd68df2cd68cdc6866ff8cfcd1070b0c394f00062ecc7c4894"
+      Suite = "bn256.adapter"
diff --git a/ocs/demo/data/public.toml b/ocs/demo/data/public.toml
new file mode 100644
index 0000000000..b3e4531f5d
--- /dev/null
+++ b/ocs/demo/data/public.toml
@@ -0,0 +1,45 @@
+[[servers]]
+  Address = "tls://localhost:7774"
+  Suite = "Ed25519"
+  Public = "9e7e85c908ef170d68f2820945905cf9e8eeae563e4a7c15af8d889b021e4537"
+  Description = "Conode_3"
+  [servers.Services]
+    [servers.Services.ByzCoin]
+      Public = "4de98971d890a0ab48e7703a9c82edacabbee45e45e25670b10fc738a2c0eb9d85b729bf2fa0f1af753940ea2355f8aab2848b1a5f745820721606105a8b5acd8d8cf15d069a46a82d4349bd8322a5618569ce559a433f7ae570913a578e9b0e0cd8466668aa1fdaacb91cb74058c8afe135e2c541b2a8234f3a669c8a22bbe3"
+      Suite = "bn256.adapter"
+    [servers.Services.OCS]
+      Public = "e8f63c82676019971398ff4738ee4b6e9e85f56eab9f83f8773718d8a555a685"
+      Suite = "Ed25519"
+    [servers.Services.Skipchain]
+      Public = "5644cb44572f053e0dcd42ff1a4bca9f04eb8e987a7f065dd098507517193a533bb790fa59ff114f082509f9884b24e6d6761753b3c3f01de3c1af9609e150eb764433303d3b44dd6d3e56a75f67165c10965a08399faecd46a07c158779491a4f8e9e294e22a1fd68df2cd68cdc6866ff8cfcd1070b0c394f00062ecc7c4894"
+      Suite = "bn256.adapter"
+[[servers]]
+  Address = "tls://localhost:7772"
+  Suite = "Ed25519"
+  Public = "745e4b38435ee95063e00131aeeaaec5e7d020b96e91191c03bc2c8bfda1e99e"
+  Description = "Conode_2"
+  [servers.Services]
+    [servers.Services.ByzCoin]
+      Public = "5007870767e42c866e628ae10d81db110dc9d07f1d2a613ba5c3fb4c1f69039507ee38e26c50588452c5603cea0eaaadf8137b83bae8eb5a0ae5555a4e0808ec52c005e20e4eacc5d26547811a899046c0b0e72578199252ad8655561015e2f61e4f0751058d90aa8743a4b0781ecfe60ad55b234e55a2e3554146294ed0fd47"
+      Suite = "bn256.adapter"
+    [servers.Services.OCS]
+      Public = "007d538282a8e0ca6bfd7fa9690f744b08ff36edc5c7be960088ca94b4eec3cd"
+      Suite = "Ed25519"
+    [servers.Services.Skipchain]
+      Public = "8bf59a9c5227c84346f9701488d5cbf469a3f600481e3233217699c8d42642c05369613a20e35988bac7d1743d35800014470c9b8e5ff04ed1f40d0aace81ee91e4ea1a1f2a6fd0b2f669da19e312d53229331a05c20f48f9e19eedc19c2a8345d7ecb52ed6b53bdf6c3d7058833ddb4202504462ef83665cdd72f20406f5d9c"
+      Suite = "bn256.adapter"
+[[servers]]
+  Address = "tls://localhost:7770"
+  Suite = "Ed25519"
+  Public = "c4efdc8ac09e40f1a34345f7964ad020d446ffa0745cbafc0b30113cb7529825"
+  Description = "Conode_1"
+  [servers.Services]
+    [servers.Services.ByzCoin]
+      Public = "6527fcb277c43ae042011b7db5bb86722fd6c89c9c9e18a31a2b5ed62b2ca7ae832e718d6b1c50172d836366097435d4522f2765c367bfe68e3db7450142c41c22a6a99bcee7257c96e04aae9e15353b1e1da1c2bce878652aa67cbd66baf4967401d04a79039a5c5e67f42ebceb6c97063bc72f48a64067b15a65a938f63a84"
+      Suite = "bn256.adapter"
+    [servers.Services.OCS]
+      Public = "8a43093fd9dc22249552e40b8e895112722785372a0fcd777bf09c66b5cbdc14"
+      Suite = "Ed25519"
+    [servers.Services.Skipchain]
+      Public = "053636059f263f4c6eea8c0175a2e4886f1f8999f7bff8bd5791976e1ea8e03d0e5567f71e95dc196387767e4373ca580ff43498ceccef582ecabfcca08b683175f9f0100283236dfba5e242f90b9e75db0c12f1dd5d3f1cc3eb110baab48e4204736ef14018b40da4218055859a0a8b9fbb732300a63c0df89a75123c0ec3e3"
+      Suite = "bn256.adapter"
diff --git a/ocs/demo/main.go b/ocs/demo/main.go
new file mode 100644
index 0000000000..f622764c60
--- /dev/null
+++ b/ocs/demo/main.go
@@ -0,0 +1,178 @@
+// Demo of how the new OCS service works from an outside, non-go-test caller. It does the following steps:
+//  1. set up a root CA that is stored in the service as being allowed to create new OCS-instances
+//  2. Create a new OCS-instance with a reencryption policy being set by a node-certificate
+//  3. Encrypt a symmetric key to the OCS-instance public key
+//  4. Ask the OCS-instance to re-encrypt the key to an ephemeral key
+//  5. Decrypt the symmetric key
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"math/big"
+	"os"
+	"strings"
+
+	"go.dedis.ch/kyber/v3/group/edwards25519"
+
+	"go.dedis.ch/kyber/v3"
+
+	"go.dedis.ch/cothority/v3"
+	"go.dedis.ch/cothority/v3/byzcoin/bcadmin/lib"
+	"go.dedis.ch/cothority/v3/ocs"
+	"go.dedis.ch/kyber/v3/util/key"
+	"go.dedis.ch/onet/v3/log"
+)
+
+func main() {
+	if len(os.Args) < 2 {
+		log.Error("Please give a roster.toml as first parameter")
+		printSamples()
+		return
+	}
+	roster, err := lib.ReadRoster(os.Args[1])
+	log.ErrFatal(err)
+
+	log.Info("1. Creating createOCS cert and setting OCS-create policy")
+	cl := ocs.NewClient()
+	caCreate1 := ocs.NewBCCA("Create OCS - 1")
+	caCreate2 := ocs.NewBCCA("Create OCS - 2")
+	for _, si := range roster.List {
+		err = cl.AddPolicyCreateOCS(si, ocs.PolicyCreate{X509Cert: &ocs.PolicyX509Cert{
+			CA:        [][]byte{caCreate1.Certificate.Raw, caCreate2.Certificate.Raw},
+			Threshold: 2,
+		}})
+		log.ErrFatal(err)
+	}
+
+	log.Info("2.a) Creating new OCS")
+	caReenc1 := ocs.NewBCCA("Reencrypt - 1")
+	caReenc2 := ocs.NewBCCA("Reencrypt - 2")
+	pxReenc := ocs.PolicyReencrypt{
+		X509Cert: &ocs.PolicyX509Cert{
+			CA: [][]byte{caReenc1.Certificate.Raw,
+				caReenc2.Certificate.Raw},
+			Threshold: 2,
+		},
+	}
+	pxReshare := ocs.PolicyReshare{
+		X509Cert: &ocs.PolicyX509Cert{
+			CA: [][]byte{caReenc1.Certificate.Raw,
+				caReenc2.Certificate.Raw},
+			Threshold: 2,
+		},
+	}
+	cert1 := caCreate1.CreateOCS(pxReenc.X509Cert, pxReshare.X509Cert, *roster).Certificate.Raw
+	cert2 := caCreate2.CreateOCS(pxReenc.X509Cert, pxReshare.X509Cert, *roster).Certificate.Raw
+	authCreate := ocs.AuthCreate{
+		X509Cert: &ocs.AuthCreateX509Cert{
+			Certificates: [][]byte{cert1, cert2},
+		},
+	}
+
+	ocsID, err := cl.CreateOCS(*roster, authCreate, pxReenc, pxReshare)
+	log.ErrFatal(err)
+	log.Infof("New OCS created with ID: %x", ocsID)
+
+	log.Info("2.b) Get proofs of all nodes")
+	proof, err := cl.GetProofs(*roster, ocsID)
+	log.ErrFatal(err)
+	log.ErrFatal(proof.Verify())
+	log.Info("Proof got verified successfully on nodes:")
+	for i, sig := range proof.Signatures {
+		log.Infof("Signature %d of %s: %x", i, proof.Roster.List[i].Address, sig)
+	}
+
+	log.Info("3.a) Creating secret key and encrypting it with the OCS-key")
+	secret := []byte("ocs for everybody")
+	X, err := ocsID.X()
+	log.ErrFatal(err)
+	U, C, err := ocs.EncodeKey(cothority.Suite, X, secret)
+	log.ErrFatal(err)
+
+	log.Info("3.b) Creating 2 certificates for the re-encryption")
+	ephemeralKeyPair := key.NewKeyPair(cothority.Suite)
+	wid, err := ocs.NewWriteID(X, U)
+	log.ErrFatal(err)
+	reencryptCert1, err := ocs.CreateCertReencrypt(caReenc1.Certificate, caReenc1.Private,
+		wid, ephemeralKeyPair.Public)
+	log.ErrFatal(err)
+	reencryptCert2, err := ocs.CreateCertReencrypt(caReenc2.Certificate, caReenc2.Private,
+		wid, ephemeralKeyPair.Public)
+	log.ErrFatal(err)
+
+	log.Info("4. Asking OCS to re-encrypt the secret to an ephemeral key")
+	authRe := ocs.AuthReencrypt{
+		Ephemeral: ephemeralKeyPair.Public,
+		X509Cert: &ocs.AuthReencryptX509Cert{
+			U:            U,
+			Certificates: [][]byte{reencryptCert1.Raw, reencryptCert2.Raw},
+		},
+	}
+	XhatEnc, err := cl.Reencrypt(*roster, ocsID, authRe)
+	log.ErrFatal(err)
+
+	log.Info("5. Decrypt the symmetric key")
+	secretRec, err := ocs.DecodeKey(cothority.Suite, X, C, XhatEnc, ephemeralKeyPair.Private)
+	log.ErrFatal(err)
+	if bytes.Compare(secret, secretRec) != 0 {
+		log.Fatal("Recovered secret is not the same")
+	}
+
+	log.Info("Successfully re-encrypted the key")
+}
+
+func printSamples() {
+	s := cothority.Suite.Scalar().SetInt64(1)
+	p := cothority.Suite.Point().Base()
+	printScalar("* A scalar of '1':", s)
+	printPoint("* The base point:", p)
+	printScalar("* A scalar of '2':", s.Add(s, s))
+	printPoint("* The base point added to himself:", p.Add(p, p))
+	printPoint("* 2 x base:", p.Mul(s, nil))
+	var allF0 [32]byte
+	for i := range allF0 {
+		allF0[i] = 0xf0
+	}
+	s.SetBytes(allF0[:])
+	printScalar("* A reduced all-F0 scalar:", s)
+	printScalar("* A reduced all-F0 scalar added to itself:", s.Add(s, s))
+}
+
+func bigEndianToDecimal(buf []byte) *big.Int {
+	bi := &big.Int{}
+	bi.SetBytes(buf)
+	return bi
+}
+
+func LEBytesToDecimal(buf []byte) *big.Int {
+	if len(buf)%2 != 0 {
+		log.Fatal("can only convert even length slices")
+	}
+	for i := 0; i < len(buf)/2; i++ {
+		buf[i], buf[len(buf)-i-1] = buf[len(buf)-i-1], buf[i]
+	}
+	return bigEndianToDecimal(buf)
+}
+
+func printScalar(msg string, s kyber.Scalar) {
+	buf, err := s.MarshalBinary()
+	log.ErrFatal(err)
+	var str []string
+	str = append(str, fmt.Sprint("Representation of a scalar:"))
+	str = append(str, fmt.Sprintf("\tLittle-endian: %x", buf))
+	str = append(str, fmt.Sprintf("\tDecimal: %s", LEBytesToDecimal(buf).String()))
+	log.Info(msg, strings.Join(str, "\n"))
+}
+
+func printPoint(msg string, p kyber.Point) {
+	ped := p.(*edwards25519.Point)
+	var str []string
+	str = append(str, fmt.Sprint("Representations of a point:"))
+	str = append(str, fmt.Sprintf("\tCompressed: %s", ped.String()))
+	str = append(str, fmt.Sprintf("\tLittle-endian X / Y:\n\t\tX: %x\n\t\tY: %x", ped.X_LE(), ped.Y_LE()))
+	str = append(str, fmt.Sprintf("\tDecimal X / Y:\n\t\tX: %s\n\t\tY: %s",
+		LEBytesToDecimal(ped.X_LE()).String(),
+		LEBytesToDecimal(ped.Y_LE()).String()))
+	log.Info(msg, strings.Join(str, "\n"))
+}
diff --git a/ocs/helper.go b/ocs/helper.go
new file mode 100644
index 0000000000..bf43847a1a
--- /dev/null
+++ b/ocs/helper.go
@@ -0,0 +1,236 @@
+package ocs
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"errors"
+	"fmt"
+	"math/big"
+	"runtime"
+	"strings"
+	"time"
+
+	"go.dedis.ch/onet/v3"
+	"go.dedis.ch/protobuf"
+
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/suites"
+	"go.dedis.ch/onet/v3/log"
+)
+
+// EncodeKey can be used by the writer to an onchain-secret skipchain
+// to encode his symmetric key under the collective public key created
+// by the DKG.
+// As this method uses `Pick` to encode the key, depending on the key-length
+// more than one point is needed to encode the data.
+//
+// Input:
+//   - suite - the cryptographic suite to use
+//   - X - the aggregate public key of the DKG
+//   - key - the symmetric key for the document
+//
+// Output:
+//   - U - the schnorr commit
+//   - C - encrypted key
+func EncodeKey(suite suites.Suite, X kyber.Point, key []byte) (U kyber.Point, C kyber.Point, err error) {
+	if len(key) > suite.Point().EmbedLen() {
+		return nil, nil, errors.New("got more data than can fit into one point")
+	}
+	r := suite.Scalar().Pick(suite.RandomStream())
+	C = suite.Point().Mul(r, X)
+	log.Lvl3("C:", C.String())
+	U = suite.Point().Mul(r, nil)
+	log.Lvl3("U is:", U.String())
+
+	kp := suite.Point().Embed(key, suite.RandomStream())
+	log.Lvl3("Keypoint:", kp.String())
+	log.Lvl3("X:", X.String())
+	C.Add(C, kp)
+	return
+}
+
+// DecodeKey can be used by the reader of an onchain-secret to convert the
+// re-encrypted secret back to a symmetric key that can be used later to
+// decode the document.
+//
+// Input:
+//   - suite - the cryptographic suite to use
+//   - X - the aggregate public key of the DKG
+//   - C - the encrypted key
+//   - XhatEnc - the re-encrypted schnorr-commit
+//   - xc - the private key of the reader
+//
+// Output:
+//   - key - the re-assembled key
+//   - err - an eventual error when trying to recover the data from the points
+func DecodeKey(suite kyber.Group, X kyber.Point, C kyber.Point, XhatEnc kyber.Point,
+	xc kyber.Scalar) (key []byte, err error) {
+	log.Lvl3("xc:", xc)
+	xcInv := suite.Scalar().Neg(xc)
+	log.Lvl3("xcInv:", xcInv)
+	sum := suite.Scalar().Add(xc, xcInv)
+	log.Lvl3("xc + xcInv:", sum, "::", xc)
+	log.Lvl3("X:", X)
+	XhatDec := suite.Point().Mul(xcInv, X)
+	log.Lvl3("XhatDec:", XhatDec)
+	log.Lvl3("XhatEnc:", XhatEnc)
+	Xhat := suite.Point().Add(XhatEnc, XhatDec)
+	log.Lvl3("Xhat:", Xhat)
+	XhatInv := suite.Point().Neg(Xhat)
+	log.Lvl3("XhatInv:", XhatInv)
+
+	// Decrypt C to keyPointHat
+	log.Lvl3("C:", C)
+	keyPointHat := suite.Point().Add(C, XhatInv)
+	log.Lvl3("keyPointHat:", keyPointHat)
+	key, err = keyPointHat.Data()
+	if err != nil {
+		return nil, Erret(err)
+	}
+	log.Lvl3("key:", key)
+	return
+}
+
+func Erret(err error) error {
+	if err == nil {
+		return nil
+	}
+	pc, _, line, _ := runtime.Caller(1)
+	errStr := err.Error()
+	if strings.HasPrefix(errStr, "Erret") {
+		errStr = "\n\t" + errStr
+	}
+	return fmt.Errorf("Erret at %s: %d -> %s", runtime.FuncForPC(pc).Name(), line, errStr)
+}
+
+// Helper functions to create x509-certificates.
+//
+//   CertNode - can be given as a CA for Reencryption and Resharing
+//   +-> CertReencrypt - indicates who is allowed to reencrypt and gives the ephemeral key
+
+// BCCert is used as a structure in testing - this is not secure enough to be used in production.
+type BCCert struct {
+	Private     *ecdsa.PrivateKey
+	Certificate *x509.Certificate
+}
+
+// NewBCCert is the general method to create a certificate for testing.
+func NewBCCert(cn string, dur time.Duration, kus x509.KeyUsage, isCA bool,
+	eext []pkix.Extension, root *x509.Certificate, rootPriv *ecdsa.PrivateKey) BCCert {
+	notBefore := time.Now()
+	notAfter := notBefore.Add(dur)
+	serialNumber := big.NewInt(int64(1))
+
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			CommonName: cn,
+		},
+		NotBefore: notBefore,
+		NotAfter:  notAfter,
+
+		KeyUsage:              kus,
+		BasicConstraintsValid: true,
+		MaxPathLen:            2,
+		IsCA:                  isCA,
+	}
+	if eext != nil {
+		template.ExtraExtensions = eext
+	}
+	bcc := BCCert{}
+	var err error
+	bcc.Private, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+	log.ErrFatal(err)
+	if root == nil {
+		root = &template
+		rootPriv = bcc.Private
+	}
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, root, &bcc.Private.PublicKey, rootPriv)
+	log.ErrFatal(err)
+
+	bcc.Certificate, err = x509.ParseCertificate(derBytes)
+	log.ErrFatal(err)
+	return bcc
+}
+
+// CADur is the duration for a CA - here artificially restricted to 24 hours, because it is for testing only.
+var CADur = 24 * time.Hour
+
+// NewBCCA creates a CA cert.
+func NewBCCA(cn string) BCCert {
+	return NewBCCert(cn, CADur, x509.KeyUsageCertSign|x509.KeyUsageDataEncipherment, true,
+		nil, nil, nil)
+}
+
+// CreateSubCA creates a CA that is signed by the CA of the given bcc.
+func (bcc BCCert) CreateSubCA(cn string) BCCert {
+	return NewBCCert(cn, CADur, x509.KeyUsageCertSign|x509.KeyUsageDataEncipherment, true,
+		nil, bcc.Certificate, bcc.Private)
+}
+
+// Sign is a general signing method that creates a new certificate, which is not a CA.
+func (bcc BCCert) Sign(cn string, eext []pkix.Extension) BCCert {
+	return NewBCCert(cn, time.Hour, x509.KeyUsageKeyEncipherment, false, eext, bcc.Certificate, bcc.Private)
+}
+
+// Reencrypt is a specific reencryption certificate created with extrafields that are used by Calypso.
+func (bcc BCCert) Reencrypt(writeID []byte, ephemeralPublicKey kyber.Point) BCCert {
+	writeIdExt := pkix.Extension{
+		Id:       OIDWriteId,
+		Critical: true,
+		Value:    writeID,
+	}
+
+	ephemeralKeyExt := pkix.Extension{
+		Id:       OIDEphemeralKey,
+		Critical: true,
+	}
+	var err error
+	ephemeralKeyExt.Value, err = ephemeralPublicKey.MarshalBinary()
+	log.ErrFatal(err)
+
+	return bcc.Sign("reencryt", []pkix.Extension{writeIdExt, ephemeralKeyExt})
+}
+
+// CreateOCS returns a certificate that can be used to authenticate for OCS creation.
+func (bcc BCCert) CreateOCS(policyReencrypt, policyReshare *PolicyX509Cert, roster onet.Roster) BCCert {
+	pReencBuf, err := protobuf.Encode(policyReencrypt)
+	log.ErrFatal(err)
+	pReshareBuf, err := protobuf.Encode(policyReshare)
+	log.ErrFatal(err)
+	rosterBuf, err := protobuf.Encode(&roster)
+	log.ErrFatal(err)
+	return bcc.Sign("createOCS", []pkix.Extension{
+		{
+			Id:       OIDPolicyReencrypt,
+			Critical: true,
+			Value:    pReencBuf,
+		},
+		{
+			Id:       OIDPolicyReshare,
+			Critical: true,
+			Value:    pReshareBuf,
+		},
+		{
+			Id:       OIDRoster,
+			Critical: true,
+			Value:    rosterBuf,
+		},
+	})
+}
+
+// CreateCertCa is used for tests and returns a new private key, as well as a CA certificate.
+func CreateCertCa() (caPrivKey *ecdsa.PrivateKey, cert *x509.Certificate, err error) {
+	bcc := NewBCCA("ByzGen signer org1")
+	return bcc.Private, bcc.Certificate, nil
+}
+
+// CreateCertReencrypt is used for tests and can create a certificate for a reencryption request.
+func CreateCertReencrypt(caCert *x509.Certificate, caPrivKey *ecdsa.PrivateKey,
+	writeID []byte, ephemeralPublicKey kyber.Point) (*x509.Certificate, error) {
+	bcc := BCCert{Certificate: caCert, Private: caPrivKey}.Reencrypt(writeID, ephemeralPublicKey)
+	return bcc.Certificate, nil
+}
diff --git a/ocs/proto.go b/ocs/proto.go
new file mode 100644
index 0000000000..3ce8f31856
--- /dev/null
+++ b/ocs/proto.go
@@ -0,0 +1,242 @@
+package ocs
+
+import (
+	"time"
+
+	"go.dedis.ch/cothority/v3/darc"
+
+	"go.dedis.ch/cothority/v3/byzcoin"
+	"go.dedis.ch/cothority/v3/skipchain"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/onet/v3"
+)
+
+// PROTOSTART
+// type :skipchain.SkipBlockID:bytes
+// type :time.Time:uint64
+// type :byzcoin.Proof:bytes
+// type :OCSID:bytes
+// package ocs;
+// import "onet.proto";
+// import "darc.proto";
+//
+// option java_package = "ch.epfl.dedis.lib.proto";
+// option java_outer_classname = "OCS";
+
+// ***
+// API calls
+// ***
+
+// AddPolicyCreateOCS is sent by a local admin to add a rule to define who is
+// authorized to create a new OCS.
+type AddPolicyCreateOCS struct {
+	Create PolicyCreate
+}
+
+// AddPolicyCreateOCSReply is an empty reply if the policy has been successfully
+// created.
+type AddPolicyCreateOCSReply struct {
+}
+
+// CreateOCS is sent to the service to request a new OCS cothority.
+// It holds the two policies necessary to define an OCS: how to
+// authenticate a reencryption request, and how to authenticate a
+// resharing request.
+// In the current form, both policies point to the same structure. If at
+// a later moment a new access control backend is added, it might be that
+// the policies will differ for this new backend.
+type CreateOCS struct {
+	Roster          onet.Roster
+	Auth            AuthCreate
+	PolicyReencrypt PolicyReencrypt
+	PolicyReshare   PolicyReshare
+}
+
+// CreateOCSReply is the reply sent by the conode if the OCS has been
+// setup correctly. It contains the ID of the OCS, which is the binary
+// representation of the aggregate public key. It also has the Sig, which
+// is the collective signature of all nodes on the aggregate public key
+// and the authentication.
+type CreateOCSReply struct {
+	OcsID OCSID
+}
+
+// GetProof is sent to a node to have him sign his definition of the
+// given OCS.
+type GetProof struct {
+	OcsID OCSID
+}
+
+// GetProofReply contains the additional info that node has on the given
+// OCS, as well as a signature using the services private key.
+type GetProofReply struct {
+	Proof OCSProof
+}
+
+// Reencrypt is sent to the service to request a re-encryption of the
+// secret given in AuthReencrypt. AuthReencrypt must also contain the proof that the
+// request is valid, as well as the ephemeral key, to which the secret
+// will be re-encrypted.
+type Reencrypt struct {
+	OcsID OCSID
+	Auth  AuthReencrypt
+}
+
+// MessageReencryptReply is the reply if the re-encryption is successful, and
+// it contains XHat, which is the secret re-encrypted to the ephemeral
+// key given in AuthReencrypt.
+type ReencryptReply struct {
+	X       kyber.Point
+	XhatEnc kyber.Point
+}
+
+// Reshare is called to ask OCS to change the roster. It needs a valid
+// authentication before the private keys are re-distributed over the new
+// roster.
+// TODO: should NewRoster be always present in AuthReshare? It will be present
+// TODO: at least in AuthReshareByzCoin, but might not in other AuthReshares
+type Reshare struct {
+	OcsID     OCSID
+	NewRoster onet.Roster
+	Auth      AuthReshare
+}
+
+// ReshareReply is returned if the resharing has been completed successfully
+// and contains the collective signature on the message
+//   sha256( X | NewRoster )
+type ReshareReply struct {
+	Sig []byte
+}
+
+// ***
+// Common structures
+// ***
+
+// PolicyCreate holds all possible policy structures for creation of a new OCS.
+// Only one of the fields must be non-nil, else the policy is invalid.
+type PolicyCreate struct {
+	ByzCoin  *PolicyByzCoin
+	X509Cert *PolicyX509Cert
+}
+
+// PolicyReencrypt holds all possible policy structures for creation of a new OCS.
+// Only one of the fields must be non-nil, else the policy is invalid.
+type PolicyReencrypt struct {
+	ByzCoin  *PolicyByzCoin
+	X509Cert *PolicyX509Cert
+}
+
+// PolicyReshare holds all possible policy structures for creation of a new OCS.
+// Only one of the fields must be non-nil, else the policy is invalid.
+type PolicyReshare struct {
+	ByzCoin  *PolicyByzCoin
+	X509Cert *PolicyX509Cert
+}
+
+// PolicyByzCoin holds the information necessary to authenticate a byzcoin request.
+// In the ByzCoin model, all requests are valid as long as they are stored in the
+// blockchain with the given ID.
+// The TTL is to avoid that too old requests are re-used. If it is 0, it is disabled.
+type PolicyByzCoin struct {
+	ByzCoinID skipchain.SkipBlockID
+	TTL       time.Time
+}
+
+// X509Cert holds the information necessary to authenticate a HyperLedger/Fabric
+// request. In its simplest form, it is simply the CA that will have to sign the
+// certificates of the requesters.
+// The Threshold indicates how many clients must have signed the request before it
+// is accepted.
+type PolicyX509Cert struct {
+	// Slice of ASN.1 encoded X509 certificates.
+	CA        [][]byte
+	Threshold int
+}
+
+// AuthCreate prooves that the caller has the right to create a new OCS
+// instance.
+type AuthCreate struct {
+	ByzCoin  *AuthCreateByzCoin
+	X509Cert *AuthCreateX509Cert
+}
+
+// AuthCreateByzCoin must give the ByzcoinID and the proof to the LTSInstance
+// for the creation of a new OCS.
+type AuthCreateByzCoin struct {
+	ByzcoinID   skipchain.SkipBlockID
+	LTSInstance byzcoin.Proof
+}
+
+// AuthCreateX509Cert must give one or more certificates rooted in the CreatePolicy certificate
+// to proof that the caller has the right to create a new OCS. The number of certificates
+// needed is defined by the Threshold field of the CreatePolicy. Each certificate must come
+// from another CA.
+type AuthCreateX509Cert struct {
+	Certificates [][]byte
+}
+
+// AuthReencrypt holds one of the possible authentication proofs for a reencryption request. Each
+// authentication proof must hold the secret to be reencrypted, the ephemeral key, as well
+// as the proof itself that the request is valid. For each of the authentication
+// schemes, this proof will be different.
+type AuthReencrypt struct {
+	Ephemeral kyber.Point
+	ByzCoin   *AuthReencryptByzCoin
+	X509Cert  *AuthReencryptX509Cert
+}
+
+// AuthReencryptByzCoin holds the proof of the write instance, holding the secret itself.
+// The proof of the read instance holds the ephemeral key. Both proofs can be
+// verified using one of the stored ByzCoinIDs.
+type AuthReencryptByzCoin struct {
+	// Write is the proof containing the write request.
+	Write byzcoin.Proof
+	// Read is the proof that he has been accepted to read the secret.
+	Read byzcoin.Proof
+	// Ephemeral can be non-nil to point to a key to which the data needs to be
+	// re-encrypted to, but then Signature also needs to be non-nil.
+	Ephemeral kyber.Point
+	// If Ephemeral si non-nil, it must be signed by the darc responsible for the
+	// Read instance to make sure it's a valid reencryption-request.
+	Signature *darc.Signature
+}
+
+// AuthReencryptX509Cert holds the proof that at least a threshold number of clients
+// accepted the reencryption.
+// For each client, there must exist a certificate that can be verified by the
+// CA certificate from X509Cert. Additionally, each client must sign the
+// following message:
+//   sha256( Secret | Ephemeral | Time )
+type AuthReencryptX509Cert struct {
+	U            kyber.Point
+	Certificates [][]byte
+}
+
+// AuthReshare holds the proof that at least a threshold number of clients accepted the
+// request to reshare the secret key. The authentication must hold the new roster, as
+// well as the proof that the new roster should be applied to a given OCS.
+type AuthReshare struct {
+	ByzCoin  *AuthReshareByzCoin
+	X509Cert *AuthReshareX509Cert
+}
+
+// AuthReshareByzCoin holds the byzcoin-proof that contains the latest OCS-instance
+// which includes the roster. The OCS-nodes will make sure that the version of the
+// OCS-instance is bigger than the current version.
+type AuthReshareByzCoin struct {
+	Reshare byzcoin.Proof
+}
+
+// AuthReshareX509Cert holds the X509 proof that the new roster is valid.
+type AuthReshareX509Cert struct {
+	Certificates [][]byte
+}
+
+// OCSProof can be used to proof
+type OCSProof struct {
+	OcsID           OCSID
+	Roster          onet.Roster
+	PolicyReencrypt PolicyReencrypt
+	PolicyReshare   PolicyReshare
+	Signatures      [][]byte
+}
diff --git a/ocs/protocol.go b/ocs/protocol.go
new file mode 100644
index 0000000000..c417930829
--- /dev/null
+++ b/ocs/protocol.go
@@ -0,0 +1,219 @@
+package ocs
+
+/*
+The onchain-protocol implements the key-reencryption described in Lefteris'
+paper-draft about onchain-secrets (called BlockMage).
+*/
+
+import (
+	"crypto/sha256"
+	"errors"
+	"sync"
+	"time"
+
+	"go.dedis.ch/cothority/v3"
+	dkgprotocol "go.dedis.ch/cothority/v3/dkg/pedersen"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/share"
+	"go.dedis.ch/onet/v3"
+	"go.dedis.ch/onet/v3/log"
+)
+
+func init() {
+	onet.GlobalProtocolRegister(NameOCS, NewOCS)
+}
+
+// OCS is only used to re-encrypt a public point. Before calling `Start`,
+// DKG and U must be initialized by the caller.
+type OCS struct {
+	*onet.TreeNodeInstance
+	Shared    *dkgprotocol.SharedSecret // Shared represents the private key
+	Poly      *share.PubPoly            // Represents all public keys
+	U         kyber.Point               // U is the encrypted secret
+	Xc        kyber.Point               // The client's public key
+	Threshold int                       // How many replies are needed to re-create the secret
+	// VerificationData is given to the VerifyRequest and has to hold everything
+	// needed to verify the request is valid.
+	VerificationData []byte
+	Failures         int // How many failures occured so far
+	// Can be set by the service to decide whether or not to
+	// do the reencryption
+	Verify VerifyRequest
+	// Reencrypted receives a 'true'-value when the protocol finished successfully,
+	// or 'false' if not enough shares have been collected.
+	Reencrypted chan bool
+	Uis         []*share.PubShare // re-encrypted shares
+	// private fields
+	replies  []MessageReencryptReply
+	timeout  *time.Timer
+	doneOnce sync.Once
+}
+
+// NewOCS initialises the structure for use in one round
+func NewOCS(n *onet.TreeNodeInstance) (onet.ProtocolInstance, error) {
+	o := &OCS{
+		TreeNodeInstance: n,
+		Reencrypted:      make(chan bool, 1),
+		Threshold:        len(n.Roster().List) - (len(n.Roster().List)-1)/3,
+	}
+
+	err := o.RegisterHandlers(o.reencrypt, o.reencryptReply)
+	if err != nil {
+		return nil, err
+	}
+	return o, nil
+}
+
+// Start asks all children to reply with a shared reencryption
+func (o *OCS) Start() error {
+	log.Lvl3("Starting Protocol")
+	o.timeout = time.AfterFunc(1*time.Minute, func() {
+		log.Lvl1("OCS protocol timeout")
+		o.finish(false)
+	})
+	if o.Shared == nil {
+		o.finish(false)
+		return errors.New("please initialize Shared first")
+	}
+	if o.U == nil {
+		o.finish(false)
+		return errors.New("please initialize U first")
+	}
+	if o.Xc == nil {
+		o.finish(false)
+		return errors.New("please initialize Xc first")
+	}
+	rc := &MessageReencrypt{
+		U:  o.U,
+		Xc: o.Xc,
+	}
+	if len(o.VerificationData) > 0 {
+		rc.VerificationData = &o.VerificationData
+	}
+	if o.Verify != nil {
+		if !o.Verify(rc) {
+			o.finish(false)
+			return errors.New("refused to reencrypt")
+		}
+	}
+	errs := o.Broadcast(rc)
+	if len(errs) > (len(o.Roster().List)-1)/3 {
+		log.Errorf("Some nodes failed with error(s) %v", errs)
+		return errors.New("too many nodes failed in broadcast")
+	}
+	return nil
+}
+
+// Reencrypt is received by every node to give his part of
+// the share
+func (o *OCS) reencrypt(r structReencrypt) error {
+	log.Lvl3(o.Name() + ": starting reencrypt")
+	defer o.Done()
+
+	ui, err := o.getUI(r.U, r.Xc)
+	if err != nil {
+		return nil
+	}
+
+	if o.Verify != nil {
+		if !o.Verify(&r.MessageReencrypt) {
+			log.Lvl2(o.ServerIdentity(), "refused to reencrypt")
+			return o.SendToParent(&MessageReencryptReply{})
+		}
+	}
+
+	// Calculating proofs
+	si := cothority.Suite.Scalar().Pick(o.Suite().RandomStream())
+	uiHat := cothority.Suite.Point().Mul(si, cothority.Suite.Point().Add(r.U, r.Xc))
+	hiHat := cothority.Suite.Point().Mul(si, nil)
+	hash := sha256.New()
+	ui.V.MarshalTo(hash)
+	uiHat.MarshalTo(hash)
+	hiHat.MarshalTo(hash)
+	ei := cothority.Suite.Scalar().SetBytes(hash.Sum(nil))
+
+	return o.SendToParent(&MessageReencryptReply{
+		Ui: ui,
+		Ei: ei,
+		Fi: cothority.Suite.Scalar().Add(si, cothority.Suite.Scalar().Mul(ei, o.Shared.V)),
+	})
+}
+
+// reencryptReply is the root-node waiting for all replies and generating
+// the reencryption key.
+func (o *OCS) reencryptReply(rr structReencryptReply) error {
+	if rr.MessageReencryptReply.Ui == nil {
+		log.Lvl2("Node", rr.ServerIdentity, "refused to reply")
+		o.Failures++
+		if o.Failures > len(o.Roster().List)-o.Threshold {
+			log.Lvl2(rr.ServerIdentity, "couldn't get enough shares")
+			o.finish(false)
+		}
+		return nil
+	}
+	o.replies = append(o.replies, rr.MessageReencryptReply)
+
+	// minus one to exclude the root
+	if len(o.replies) >= int(o.Threshold-1) {
+		o.Uis = make([]*share.PubShare, len(o.List()))
+		var err error
+		ui, err := o.getUI(o.U, o.Xc)
+		if err != nil {
+			return err
+		}
+		o.Uis[ui.I] = ui
+
+		for _, r := range o.replies {
+			// Verify proofs
+			ufi := cothority.Suite.Point().Mul(r.Fi, cothority.Suite.Point().Add(o.U, o.Xc))
+			uiei := cothority.Suite.Point().Mul(cothority.Suite.Scalar().Neg(r.Ei), r.Ui.V)
+			uiHat := cothority.Suite.Point().Add(ufi, uiei)
+
+			gfi := cothority.Suite.Point().Mul(r.Fi, nil)
+			gxi := o.Poly.Eval(r.Ui.I).V
+			hiei := cothority.Suite.Point().Mul(cothority.Suite.Scalar().Neg(r.Ei), gxi)
+			hiHat := cothority.Suite.Point().Add(gfi, hiei)
+			hash := sha256.New()
+			r.Ui.V.MarshalTo(hash)
+			uiHat.MarshalTo(hash)
+			hiHat.MarshalTo(hash)
+			e := cothority.Suite.Scalar().SetBytes(hash.Sum(nil))
+			if e.Equal(r.Ei) {
+				o.Uis[r.Ui.I] = r.Ui
+			} else {
+				log.Lvl1("Received invalid share from node", r.Ui.I)
+			}
+		}
+		o.finish(true)
+	}
+
+	// If we are leaving by here it means that we do not have
+	// enough replies yet. We must eventually trigger a finish()
+	// somehow. It will either happen because we get another
+	// reply, and now we have enough, or because we get enough
+	// failures and know to give up, or because o.timeout triggers
+	// and calls finish(false) in it's callback function.
+
+	return nil
+}
+
+func (o *OCS) getUI(U, Xc kyber.Point) (*share.PubShare, error) {
+	v := cothority.Suite.Point().Mul(o.Shared.V, U)
+	v.Add(v, cothority.Suite.Point().Mul(o.Shared.V, Xc))
+	return &share.PubShare{
+		I: o.Shared.Index,
+		V: v,
+	}, nil
+}
+
+func (o *OCS) finish(result bool) {
+	o.timeout.Stop()
+	select {
+	case o.Reencrypted <- result:
+		// suceeded
+	default:
+		// would have blocked because some other call to finish()
+		// beat us.
+	}
+	o.doneOnce.Do(func() { o.Done() })
+}
diff --git a/ocs/protocol_struct.go b/ocs/protocol_struct.go
new file mode 100644
index 0000000000..fffa8e1627
--- /dev/null
+++ b/ocs/protocol_struct.go
@@ -0,0 +1,53 @@
+package ocs
+
+/*
+OCS_struct holds all messages for the onchain-secret protocol.
+*/
+
+import (
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/share"
+	"go.dedis.ch/onet/v3"
+	"go.dedis.ch/onet/v3/network"
+)
+
+// NameOCS can be used from other packages to refer to this protocol.
+const NameOCS = "OCS"
+
+func init() {
+	network.RegisterMessages(&MessageReencrypt{}, &MessageReencryptReply{})
+}
+
+// VerifyRequest is a callback-function that can be set by a service.
+// Whenever a reencryption request is received, this function will be
+// called and its return-value used to determine whether or not to
+// allow reencryption.
+type VerifyRequest func(rc *MessageReencrypt) bool
+
+// Reencrypt asks for a re-encryption share from a node
+type MessageReencrypt struct {
+	// U is the point from the write-request
+	U kyber.Point
+	// Xc is the public key of the reader
+	Xc kyber.Point
+	// VerificationData is optional and can be any slice of bytes, so that each
+	// node can verify if the reencryption request is valid or not.
+	VerificationData *[]byte
+}
+
+type structReencrypt struct {
+	*onet.TreeNode
+	MessageReencrypt
+}
+
+// MessageReencryptReply returns the share to re-encrypt from one node
+type MessageReencryptReply struct {
+	Ui *share.PubShare
+	Ei kyber.Scalar
+	Fi kyber.Scalar
+}
+
+type structReencryptReply struct {
+	*onet.TreeNode
+	MessageReencryptReply
+}
diff --git a/ocs/protocol_test.go b/ocs/protocol_test.go
new file mode 100644
index 0000000000..9df2f9a8d9
--- /dev/null
+++ b/ocs/protocol_test.go
@@ -0,0 +1,377 @@
+package ocs
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"errors"
+	"io"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/cothority/v3"
+	dkgprotocol "go.dedis.ch/cothority/v3/dkg/pedersen"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/share"
+	dkg "go.dedis.ch/kyber/v3/share/dkg/pedersen"
+	"go.dedis.ch/kyber/v3/suites"
+	"go.dedis.ch/kyber/v3/util/key"
+	"go.dedis.ch/kyber/v3/util/random"
+	"go.dedis.ch/onet/v3"
+	"go.dedis.ch/onet/v3/log"
+)
+
+var tSuite = cothority.Suite
+
+// Used for tests
+var testServiceID onet.ServiceID
+
+const testServiceName = "ServiceOCS"
+
+func init() {
+	var err error
+	testServiceID, err = onet.RegisterNewService(testServiceName, newTestService)
+	log.ErrFatal(err)
+}
+
+// Tests a 3, 5 and 13-node system.
+func TestOCS(t *testing.T) {
+	nodes := []int{3}
+	// nodes := []int{3, 5, 10}
+	for _, nbrNodes := range nodes {
+		log.Lvlf1("Starting setupDKG with %d nodes", nbrNodes)
+		ocs(t, nbrNodes, nbrNodes-1, 29, 0, false)
+	}
+}
+
+// Tests a system with failing nodes
+func TestFail(t *testing.T) {
+	ocs(t, 4, 2, 29, 2, false)
+}
+
+// Tests what happens if the nodes refuse to send their share
+func TestRefuse(t *testing.T) {
+	log.Lvl1("Starting setupDKG with 3 nodes and refusing to sign")
+	ocs(t, 3, 2, 29, 0, true)
+}
+
+func TestOCSKeyLengths(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Testing all keylengths takes some time...")
+	}
+	for keylen := 1; keylen <= 29; keylen += 2 {
+		log.Lvl1("Testing keylen of", keylen)
+		ocs(t, 3, 2, keylen, 0, false)
+	}
+}
+
+var suite = suites.MustFind("Ed25519")
+
+func TestOnchain(t *testing.T) {
+	// 1 - share generation
+	nbrPeers := 5
+	threshold := 3
+	dkgs, err := CreateDKGs(suite.(dkg.Suite), nbrPeers, threshold)
+	log.ErrFatal(err)
+
+	// Get aggregate public share
+	dks, err := dkgs[0].DistKeyShare()
+	log.ErrFatal(err)
+	X := dks.Public()
+
+	// 5.1.2 - Encryption
+	data := []byte("Very secret Message to be encrypted")
+	var k [16]byte
+	random.Bytes(k[:], random.New())
+
+	encData, err := aeadSeal(k[:], data)
+	if err != nil {
+		t.Fatal(err)
+	}
+	U, C, err := EncodeKey(suite, X, k[:])
+	require.NoError(t, err)
+	// U and C is shared with everybody
+
+	// Reader's keypair
+	xc := key.NewKeyPair(cothority.Suite)
+
+	// Decryption
+	Ui := make([]*share.PubShare, nbrPeers)
+	for i := range Ui {
+		dks, err := dkgs[i].DistKeyShare()
+		log.ErrFatal(err)
+		v := suite.Point().Mul(dks.Share.V, U)
+		v.Add(v, suite.Point().Mul(dks.Share.V, xc.Public))
+		Ui[i] = &share.PubShare{
+			I: i,
+			V: v,
+		}
+	}
+
+	// XhatEnc is the re-encrypted share under the reader's public key
+	XhatEnc, err := share.RecoverCommit(suite, Ui, threshold, nbrPeers)
+	log.ErrFatal(err)
+
+	// Decrypt XhatEnc
+	keyHat, err := DecodeKey(suite, X, C, XhatEnc, xc.Private)
+	log.ErrFatal(err)
+
+	// Extract the message - keyHat is the recovered key
+	log.Lvl2(encData)
+	dataHat, err := aeadOpen(keyHat, encData)
+	if err != nil {
+		t.Fatal(err)
+	}
+	require.Equal(t, data, dataHat)
+	log.Lvl1("Original data", string(data))
+	log.Lvl1("Recovered data", string(dataHat))
+}
+
+// CreateDKGs is used for testing to set up a set of DKGs.
+//
+// Input:
+//   - suite - the suite to use
+//   - nbrNodes - how many nodes to set up
+//   - threshold - how many nodes can recover the secret
+//
+// Output:
+//   - dkgs - a slice of dkg-structures
+//   - err - an eventual error
+func CreateDKGs(suite dkg.Suite, nbrNodes, threshold int) (dkgs []*dkg.DistKeyGenerator, err error) {
+	// 1 - share generation
+	dkgs = make([]*dkg.DistKeyGenerator, nbrNodes)
+	scalars := make([]kyber.Scalar, nbrNodes)
+	points := make([]kyber.Point, nbrNodes)
+	// 1a - initialisation
+	for i := range scalars {
+		scalars[i] = suite.Scalar().Pick(suite.RandomStream())
+		points[i] = suite.Point().Mul(scalars[i], nil)
+	}
+
+	// 1b - key-sharing
+	for i := range dkgs {
+		dkgs[i], err = dkg.NewDistKeyGenerator(suite,
+			scalars[i], points, threshold)
+		if err != nil {
+			return
+		}
+	}
+	// Exchange of Deals
+	responses := make([][]*dkg.Response, nbrNodes)
+	for i, p := range dkgs {
+		responses[i] = make([]*dkg.Response, nbrNodes)
+		deals, err := p.Deals()
+		if err != nil {
+			return nil, err
+		}
+		for j, d := range deals {
+			responses[i][j], err = dkgs[j].ProcessDeal(d)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+	// ProcessResponses
+	for i, resp := range responses {
+		for j, r := range resp {
+			for k, p := range dkgs {
+				if r != nil && j != k {
+					log.Lvl3("Response from-to-peer:", i, j, k)
+					justification, err := p.ProcessResponse(r)
+					if err != nil {
+						return nil, err
+					}
+					if justification != nil {
+						return nil, errors.New("there should be no justification")
+					}
+				}
+			}
+		}
+	}
+
+	// Verify if all is OK
+	for _, p := range dkgs {
+		if !p.Certified() {
+			return nil, errors.New("one of the dkgs is not finished yet")
+		}
+	}
+	return
+}
+
+// These functions encapsulate the kind-of messy-to-use
+// Go stdlib AEAD functions. We used to use the AEAD from crypto.v0,
+// but it has been removed in preference to the standard one for now.
+//
+// If we want to use it in more places, it should be cleaned up,
+// and moved to a permanent home.
+
+// This suggested length is from https://godoc.org/crypto/cipher#NewGCM example
+const nonceLen = 12
+
+func aeadSeal(symKey, data []byte) ([]byte, error) {
+	block, err := aes.NewCipher(symKey)
+	if err != nil {
+		return nil, err
+	}
+
+	// Never use more than 2^32 random nonces with a given key because of the risk of a repeat.
+	nonce := make([]byte, nonceLen)
+	_, err = io.ReadFull(rand.Reader, nonce)
+	if err != nil {
+		return nil, err
+	}
+
+	aesgcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+	encData := aesgcm.Seal(nil, nonce, data, nil)
+	encData = append(encData, nonce...)
+	return encData, nil
+}
+
+func aeadOpen(key, ciphertext []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	aesgcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+	log.ErrFatal(err)
+
+	if len(ciphertext) < 12 {
+		return nil, errors.New("ciphertext too short")
+	}
+	nonce := ciphertext[len(ciphertext)-nonceLen:]
+	out, err := aesgcm.Open(nil, nonce, ciphertext[0:len(ciphertext)-nonceLen], nil)
+	return out, err
+}
+
+func ocs(t *testing.T, nbrNodes, threshold, keylen, fail int, refuse bool) {
+	local := onet.NewLocalTest(tSuite)
+	defer local.CloseAll()
+	servers, _, tree := local.GenBigTree(nbrNodes, nbrNodes, nbrNodes, true)
+	log.Lvl3(tree.Dump())
+
+	// 1 - setting up - in real life uses Setup-protocol
+	// Store the dkgs in the services
+	dkgs, err := CreateDKGs(tSuite.(dkg.Suite), nbrNodes, threshold)
+	require.Nil(t, err)
+	services := local.GetServices(servers, testServiceID)
+	for i := range services {
+		services[i].(*testService).Shared, _, err = dkgprotocol.NewSharedSecret(dkgs[i])
+		require.Nil(t, err)
+	}
+
+	// Get the collective public key
+	dks, err := dkgs[0].DistKeyShare()
+	require.Nil(t, err)
+	X := dks.Public()
+
+	// 2 - writer - Encrypt a symmetric key and publish U, C
+	k := make([]byte, keylen)
+	random.Bytes(k, random.New())
+	U, C, err := EncodeKey(tSuite, X, k)
+	require.NoError(t, err)
+
+	// 3 - reader - Makes a request to U by giving his public key Xc
+	// xc is the client's private/publick key pair
+	xc := key.NewKeyPair(cothority.Suite)
+
+	// 4 - service - starts the protocol -
+	// as every node needs to have its own DKG, we
+	// use a service to give the corresponding DKGs to the nodes.
+
+	// First stop the nodes that should fail
+	for _, s := range servers[1 : 1+fail] {
+		log.Lvl1("Pausing", s.ServerIdentity)
+		s.Pause()
+	}
+	pi, err := services[0].(*testService).createOCS(tree, threshold)
+	require.Nil(t, err)
+	protocol := pi.(*OCS)
+	protocol.U = U
+	protocol.Xc = xc.Public
+	protocol.Poly = share.NewPubPoly(suite, suite.Point().Base(), dks.Commits)
+	if !refuse {
+		protocol.VerificationData = []byte("correct block")
+	}
+	// timeout := network.WaitRetry * time.Duration(network.MaxRetryConnect*nbrNodes*2) * time.Millisecond
+	require.Nil(t, protocol.Start())
+	select {
+	case <-protocol.Reencrypted:
+		log.Lvl2("root-node is done")
+		// Wait for other nodes
+	case <-time.After(time.Second):
+		t.Fatal("Didn't finish in time")
+	}
+
+	// 5 - service - Lagrange interpolate the Uis - the reader will only
+	// get XhatEnc
+	var XhatEnc kyber.Point
+	if refuse {
+		require.Nil(t, protocol.Uis, "Reencrypted request that should've been refused")
+		return
+	}
+
+	require.NotNil(t, protocol.Uis)
+	XhatEnc, err = share.RecoverCommit(suite, protocol.Uis, threshold, nbrNodes)
+	require.Nil(t, err, "Reencryption failed")
+
+	// 6 - reader - gets the resulting symmetric key, encrypted under Xc
+	keyHat, err := DecodeKey(suite, X, C, XhatEnc, xc.Private)
+	require.Nil(t, err)
+
+	require.Equal(t, k, keyHat)
+}
+
+// testService allows setting the dkg-field of the protocol.
+type testService struct {
+	// We need to embed the ServiceProcessor, so that incoming messages
+	// are correctly handled.
+	*onet.ServiceProcessor
+
+	// Has to be initialised by the test
+	Shared *dkgprotocol.SharedSecret
+	Poly   *share.PubPoly
+}
+
+// Creates a service-protocol and returns the ProtocolInstance.
+func (s *testService) createOCS(t *onet.Tree, threshold int) (onet.ProtocolInstance, error) {
+	pi, err := s.CreateProtocol(NameOCS, t)
+	pi.(*OCS).Shared = s.Shared
+	pi.(*OCS).Poly = s.Poly
+	pi.(*OCS).Threshold = threshold
+	return pi, err
+}
+
+// Store the dkg in the protocol
+func (s *testService) NewProtocol(tn *onet.TreeNodeInstance, conf *onet.GenericConfig) (onet.ProtocolInstance, error) {
+	switch tn.ProtocolName() {
+	case NameOCS:
+		pi, err := NewOCS(tn)
+		if err != nil {
+			return nil, err
+		}
+		ocs := pi.(*OCS)
+		ocs.Shared = s.Shared
+		ocs.Verify = func(rc *MessageReencrypt) bool {
+			return rc.VerificationData != nil
+		}
+		return ocs, nil
+	default:
+		return nil, errors.New("unknown protocol for this service")
+	}
+}
+
+// starts a new service. No function needed.
+func newTestService(c *onet.Context) (onet.Service, error) {
+	s := &testService{
+		ServiceProcessor: onet.NewServiceProcessor(c),
+	}
+	return s, nil
+}
diff --git a/ocs/service.go b/ocs/service.go
new file mode 100644
index 0000000000..a49c872a78
--- /dev/null
+++ b/ocs/service.go
@@ -0,0 +1,638 @@
+// Package OCS is a general-purpose re-encryption service that can be used
+// either in ByzCoin with the Calypso-service and its contracts, or with
+// Ethereum/Fabric. It is extensible to work also with other kind of
+// Access-control backends, e.g., Ethereum.
+package ocs
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"time"
+
+	"go.dedis.ch/kyber/v3/sign/schnorr"
+
+	"go.dedis.ch/kyber/v3/suites"
+
+	"go.dedis.ch/cothority/v3"
+	dkgprotocol "go.dedis.ch/cothority/v3/dkg/pedersen"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/share"
+	dkg "go.dedis.ch/kyber/v3/share/dkg/pedersen"
+	"go.dedis.ch/kyber/v3/util/key"
+	"go.dedis.ch/onet/v3"
+	"go.dedis.ch/onet/v3/log"
+	"go.dedis.ch/onet/v3/network"
+	"go.dedis.ch/protobuf"
+)
+
+// ServiceName of the secret-management part of Calypso.
+const ServiceName = "OCS"
+
+// dkgTimeout is how long the system waits for the DKG to finish
+const propagationTimeout = 20 * time.Second
+
+const calypsoReshareProto = "ocs_reshare_proto"
+
+var disableLoopbackCheck = false
+
+func init() {
+	var err error
+	_, err = onet.GlobalProtocolRegister(calypsoReshareProto, dkgprotocol.NewSetup)
+	log.ErrFatal(err)
+	_, err = onet.RegisterNewServiceWithSuite(ServiceName, suites.MustFind("ed25519"), newService)
+	log.ErrFatal(err)
+	network.RegisterMessages(&storage{}, &storageElement{})
+
+	// The loopback check makes Java testing not work, because Java client commands
+	// come from outside of the docker container. The Java testing Docker
+	// container runs with this variable set.
+	if os.Getenv("COTHORITY_ALLOW_INSECURE_ADMIN") != "" {
+		log.Warn("COTHORITY_ALLOW_INSECURE_ADMIN is set; Calypso admin actions allowed from the public network.")
+		disableLoopbackCheck = true
+	}
+}
+
+// Service is our calypso-service. It stores all created LTSs.
+type Service struct {
+	*onet.ServiceProcessor
+	storage      *storage
+	afterReshare func() // for use by testing only
+}
+
+// pubPoly is a serializable version of share.PubPoly
+type pubPoly struct {
+	B       kyber.Point
+	Commits []kyber.Point
+}
+
+// ProcessClientRequest implements onet.Service. We override the version
+// we normally get from embedding onet.ServiceProcessor in order to
+// hook it and get a look at the http.Request.
+func (s *Service) ProcessClientRequest(req *http.Request, path string, buf []byte) ([]byte, *onet.StreamingTunnel, error) {
+	if !disableLoopbackCheck && path == "AddPolicyCreateOCS" {
+		h, _, err := net.SplitHostPort(req.RemoteAddr)
+		if err != nil {
+			return nil, nil, err
+		}
+		ip := net.ParseIP(h)
+
+		if !ip.IsLoopback() {
+			return nil, nil, errors.New("authorise is only allowed on loopback")
+		}
+	}
+
+	return s.ServiceProcessor.ProcessClientRequest(req, path, buf)
+}
+
+// AddPolicyCreateOCS defines who is allowed to create new OCS instances. Per default
+// it only accepts requests on the localhost interface. But this can be overridden
+// by the COTHORITY_ALLOW_INSECURE_ADMIN variable.
+func (s *Service) AddPolicyCreateOCS(req *AddPolicyCreateOCS) (reply *AddPolicyCreateOCSReply, err error) {
+	s.storage.Lock()
+	s.storage.PolicyCreateOCS = append(s.storage.PolicyCreateOCS, req.Create)
+	s.storage.Unlock()
+	return &AddPolicyCreateOCSReply{}, s.save()
+}
+
+// CreateOCS takes as input a roster with a list of all nodes that should
+// participate in the DKG. Every node will store its private key and wait for
+// decryption requests.
+func (s *Service) CreateOCS(req *CreateOCS) (reply *CreateOCSReply, err error) {
+	s.storage.Lock()
+	policies := s.storage.PolicyCreateOCS
+	s.storage.Unlock()
+	if err = req.verifyAuth(policies); err != nil {
+		return nil, Erret(err)
+	}
+	if len(req.Roster.List) <= 1 {
+		return nil, errors.New("need at least 2 nodes for DKG")
+	}
+
+	tree := req.Roster.GenerateNaryTreeWithRoot(len(req.Roster.List), s.ServerIdentity())
+	cfgBuf, err := protobuf.Encode(req)
+	if err != nil {
+		return nil, Erret(err)
+	}
+	pi, err := s.CreateProtocol(dkgprotocol.Name, tree)
+	if err != nil {
+		return nil, Erret(err)
+	}
+	setupDKG := pi.(*dkgprotocol.Setup)
+	setupDKG.Wait = true
+	err = setupDKG.SetConfig(&onet.GenericConfig{Data: cfgBuf})
+	if err != nil {
+		return nil, Erret(err)
+	}
+	setupDKG.KeyPair = s.getKeyPair()
+
+	if err := pi.Start(); err != nil {
+		return nil, Erret(err)
+	}
+
+	log.Lvl3("Started DKG-protocol - waiting for done", len(req.Roster.List))
+	var oid []byte
+	select {
+	case <-setupDKG.Finished:
+		shared, dks, err := setupDKG.SharedSecret()
+		if err != nil {
+			return nil, Erret(err)
+		}
+		ocsID, err := NewOCSID(shared.X)
+		if err != nil {
+			return nil, Erret(err)
+		}
+		reply = &CreateOCSReply{
+			OcsID: ocsID,
+		}
+		oid, err = shared.X.MarshalBinary()
+		if err != nil {
+			return nil, Erret(err)
+		}
+		s.storage.Lock()
+		s.storage.Element[string(oid)] = &storageElement{
+			PolicyReencrypt: req.PolicyReencrypt,
+			PolicyReshare:   req.PolicyReshare,
+			Shared:          *shared,
+			Polys:           pubPoly{s.Suite().Point().Base(), dks.Commits},
+			Roster:          req.Roster,
+			DKS:             *dks,
+		}
+		s.storage.Unlock()
+		err = s.save()
+		if err != nil {
+			return nil, err
+		}
+		log.Lvlf2("%v Created LTS with ID (=^pubKey): %x", s.ServerIdentity(), oid)
+	case <-time.After(propagationTimeout):
+		return nil, errors.New("new-dkg didn't finish in time")
+	}
+	return
+}
+
+// GetProof returns a signed proof of the requested OcsID.
+func (s *Service) GetProof(req *GetProof) (reply *GetProofReply, err error) {
+	s.storage.Lock()
+	es, found := s.storage.Element[string(req.OcsID)]
+	if !found {
+		return nil, errors.New("didn't find the given OCS")
+	}
+	s.storage.Unlock()
+	reply = &GetProofReply{
+		Proof: OCSProof{
+			OcsID:           req.OcsID,
+			Roster:          es.Roster,
+			PolicyReencrypt: es.PolicyReencrypt,
+			PolicyReshare:   es.PolicyReshare,
+		},
+	}
+	msg, err := reply.Proof.Message()
+	if err != nil {
+		return nil, Erret(err)
+	}
+	sig, err := schnorr.Sign(cothority.Suite, s.ServerIdentity().ServicePrivate(ServiceName), msg)
+	if err != nil {
+		return nil, Erret(err)
+	}
+	reply.Proof.Signatures = [][]byte{sig}
+	return
+}
+
+// Reencrypt takes as an input a Read- and a Write-proof. Proofs contain
+// everything necessary to verify that a given instance is correct and
+// stored in ByzCoin.
+// Using the Read and the Write-instance, this method verifies that the
+// requests match and then re-encrypts the secret to the public key given
+// in the Read-instance.
+func (s *Service) Reencrypt(dkr *Reencrypt) (reply *ReencryptReply, err error) {
+	reply = &ReencryptReply{}
+	log.Lvl2(s.ServerIdentity(), "Re-encrypt the key to the public key of the reader")
+
+	s.storage.Lock()
+	es, found := s.storage.Element[string(dkr.OcsID)]
+	s.storage.Unlock()
+	if !found {
+		return nil, errors.New("didn't find this OCS")
+	}
+
+	var threshold int
+	var nodes int
+	var ocsProto *OCS
+	err = func() error {
+		// Start the ocs-protocol to re-encrypt the data under the public key of the reader.
+		nodes = len(es.Roster.List)
+		threshold = nodes - (nodes-1)/3
+		tree := es.Roster.GenerateNaryTreeWithRoot(nodes, s.ServerIdentity())
+		pi, err := s.CreateProtocol(NameOCS, tree)
+		if err != nil {
+			return Erret(err)
+		}
+		ocsProto = pi.(*OCS)
+		ocsProto.U, err = dkr.Auth.U()
+		if err != nil {
+			return Erret(err)
+		}
+		X, err := dkr.OcsID.X()
+		if err != nil {
+			return Erret(err)
+		}
+		if err = es.PolicyReencrypt.verify(dkr.Auth, X, ocsProto.U); err != nil {
+			return Erret(err)
+		}
+		ocsProto.Xc, err = dkr.Auth.Xc()
+		if err != nil {
+			return Erret(err)
+		}
+		log.Lvlf2("%v Public key is: %s", s.ServerIdentity(), ocsProto.Xc)
+		ocsProto.VerificationData, err = protobuf.Encode(&dkr.Auth)
+		if err != nil {
+			return errors.New("couldn't marshal verification data: " + err.Error())
+		}
+
+		// Make sure everything used from the s.Storage structure is copied, so
+		// there will be no races.
+		ocsProto.Shared = &es.Shared
+		pp := es.Polys
+		reply.X = es.Shared.X.Clone()
+		var commits []kyber.Point
+		for _, c := range pp.Commits {
+			commits = append(commits, c.Clone())
+		}
+		ocsProto.Poly = share.NewPubPoly(s.Suite(), pp.B.Clone(), commits)
+		return nil
+	}()
+	if err != nil {
+		if ocsProto != nil {
+			ocsProto.Done()
+		}
+		return nil, err
+	}
+
+	log.Lvl3("Starting reencryption protocol", ocsProto.TreeNodeInstance.TokenID())
+	err = ocsProto.SetConfig(&onet.GenericConfig{Data: dkr.OcsID})
+	if err != nil {
+		return nil, Erret(err)
+	}
+	err = ocsProto.Start()
+	if err != nil {
+		return nil, Erret(err)
+	}
+	if !<-ocsProto.Reencrypted {
+		return nil, errors.New("reencryption got refused")
+	}
+	log.Lvl3("Reencryption protocol is done.")
+	reply.XhatEnc, err = share.RecoverCommit(cothority.Suite, ocsProto.Uis,
+		threshold, nodes)
+	if err != nil {
+		return nil, Erret(err)
+	}
+	if err != nil {
+		return nil, Erret(err)
+	}
+	log.Lvl3("Successfully reencrypted the key")
+	return
+}
+
+// ReshareLTS starts a request to reshare the LTS. The new roster which holds
+// the new secret shares must exist in the proof specified by the request.
+// All hosts must be online in this step.
+func (s *Service) ReshareLTS(req *Reshare) (*ReshareReply, error) {
+	return nil, errors.New("not yet implemented")
+	//// Verify the request
+	//roster, id, err := s.getLtsRoster(&req.Proof)
+	//if err != nil {
+	//	return nil, err
+	//}
+	//if err := s.verifyProof(&req.Proof, roster); err != nil {
+	//	return nil, err
+	//}
+	//
+	//// Initialise the protocol
+	//setupDKG, err := func() (*dkgprotocol.Setup, error) {
+	//	s.storage.Lock()
+	//	defer s.storage.Unlock()
+	//
+	//	// Check that we know the shared secret, otherwise don't do re-sharing
+	//	if s.storage.Shared[id] == nil || s.storage.DKS[id] == nil {
+	//		return nil, errors.New("cannot start resharing without an LTS")
+	//	}
+	//
+	//	// NOTE: the roster stored in ByzCoin must have myself.
+	//	tree := roster.GenerateNaryTreeWithRoot(len(roster.List), s.ServerIdentity())
+	//	cfg := reshareLtsConfig{
+	//		Proof: req.Proof,
+	//		// We pass the public coefficients out with the protocol,
+	//		// because new nodes will need it for their dkg.Config.PublicCoeffs.
+	//		Commits:  s.storage.DKS[id].Commits,
+	//		OldNodes: s.storage.Rosters[id].Publics(),
+	//	}
+	//	cfgBuf, err := protobuf.Encode(&cfg)
+	//	if err != nil {
+	//		return nil, err
+	//	}
+	//	pi, err := s.CreateProtocol(calypsoReshareProto, tree)
+	//	if err != nil {
+	//		return nil, err
+	//	}
+	//	setupDKG := pi.(*dkgprotocol.Setup)
+	//	setupDKG.Wait = true
+	//	setupDKG.KeyPair = s.getKeyPair()
+	//	setupDKG.SetConfig(&onet.GenericConfig{Data: cfgBuf})
+	//
+	//	// Because we are the node starting the resharing protocol, by
+	//	// definition, we are inside the old group. (Checked first thing
+	//	// in this function.) So we have only Share, not PublicCoeffs.
+	//	n := len(roster.List)
+	//	c := &dkg.Config{
+	//		Suite:     cothority.Suite,
+	//		Longterm:  setupDKG.KeyPair.Private,
+	//		OldNodes:  s.storage.Rosters[id].Publics(),
+	//		NewNodes:  roster.Publics(),
+	//		Share:     s.storage.DKS[id],
+	//		Threshold: n - (n-1)/3,
+	//	}
+	//	setupDKG.NewDKG = func() (*dkg.DistKeyGenerator, error) {
+	//		d, err := dkg.NewDistKeyHandler(c)
+	//		return d, err
+	//	}
+	//	return setupDKG, nil
+	//}()
+	//if err != nil {
+	//	return nil, err
+	//}
+	//if err := setupDKG.Start(); err != nil {
+	//	return nil, err
+	//}
+	//log.Lvl3(s.ServerIdentity(), "Started resharing DKG-protocol - waiting for done")
+	//
+	//var pk kyber.Point
+	//select {
+	//case <-setupDKG.Finished:
+	//	shared, dks, err := setupDKG.SharedSecret()
+	//	if err != nil {
+	//		return nil, err
+	//	}
+	//	pk = shared.X
+	//	s.storage.Lock()
+	//	// Check the secret shares are different
+	//	if shared.V.Equal(s.storage.Shared[id].V) {
+	//		s.storage.Unlock()
+	//		return nil, errors.New("the reshared secret is the same")
+	//	}
+	//	// Check the public key remains the same
+	//	if !shared.X.Equal(s.storage.Shared[id].X) {
+	//		s.storage.Unlock()
+	//		return nil, errors.New("the reshared public point is different")
+	//	}
+	//	s.storage.Shared[id] = shared
+	//	s.storage.Polys[id] = &pubPoly{s.Suite().Point().Base(), dks.Commits}
+	//	s.storage.Rosters[id] = roster
+	//	s.storage.DKS[id] = dks
+	//	s.storage.Unlock()
+	//	s.save()
+	//	if s.afterReshare != nil {
+	//		s.afterReshare()
+	//	}
+	//case <-time.After(propagationTimeout):
+	//	return nil, errors.New("resharing-dkg didn't finish in time")
+	//}
+	//
+	//log.Lvl2(s.ServerIdentity(), "resharing protocol finished")
+	//log.Lvlf2("%v Reshared LTS with ID: %v, pk %v", s.ServerIdentity(), id, pk)
+	//return &ReshareLTSReply{}, nil
+}
+
+func (s *Service) getKeyPair() *key.Pair {
+	return &key.Pair{
+		Public:  s.ServerIdentity().Public,
+		Private: s.ServerIdentity().GetPrivate(),
+	}
+}
+
+// NewProtocol intercepts the DKG and OCS protocols to retrieve the values
+func (s *Service) NewProtocol(tn *onet.TreeNodeInstance, conf *onet.GenericConfig) (onet.ProtocolInstance, error) {
+	log.Lvl3(s.ServerIdentity(), tn.ProtocolName(), len(conf.Data), tn.TokenID())
+	switch tn.ProtocolName() {
+	case dkgprotocol.Name:
+		var cfg CreateOCS
+		if err := protobuf.DecodeWithConstructors(conf.Data, &cfg, network.DefaultConstructors(cothority.Suite)); err != nil {
+			return nil, err
+		}
+		s.storage.Lock()
+		defer s.storage.Unlock()
+		if err := cfg.verifyAuth(s.storage.PolicyCreateOCS); err != nil {
+			return nil, err
+		}
+
+		pi, err := dkgprotocol.NewSetup(tn)
+		if err != nil {
+			return nil, err
+		}
+		setupDKG := pi.(*dkgprotocol.Setup)
+		setupDKG.KeyPair = s.getKeyPair()
+
+		go func() {
+			<-setupDKG.Finished
+			shared, dks, err := setupDKG.SharedSecret()
+			if err != nil {
+				log.Error(err)
+				return
+			}
+			idBuf, err := shared.X.MarshalBinary()
+			if err != nil {
+				log.Error(err)
+				return
+			}
+			id := string(idBuf)
+			log.Lvlf3("%v got shared %v on inst %v", s.ServerIdentity(), shared, id)
+			s.storage.Lock()
+			s.storage.Element[string(id)] = &storageElement{
+				PolicyReencrypt: cfg.PolicyReencrypt,
+				PolicyReshare:   cfg.PolicyReshare,
+				Shared:          *shared,
+				Polys:           pubPoly{s.Suite().Point().Base(), dks.Commits},
+				Roster:          *tn.Roster(),
+				DKS:             *dks,
+			}
+			s.storage.Unlock()
+			err = s.save()
+			if err != nil {
+				log.Error(err)
+			}
+		}()
+		return pi, nil
+
+	case calypsoReshareProto:
+		// Decode and verify config
+		var cfg Reshare
+		if err := protobuf.DecodeWithConstructors(conf.Data, &cfg, network.DefaultConstructors(cothority.Suite)); err != nil {
+			return nil, err
+		}
+		s.storage.Lock()
+		id := string(cfg.OcsID)
+		es, found := s.storage.Element[id]
+		s.storage.Unlock()
+		if !found {
+			// TODO: we might not have this yet - so probably we need to put the old roster in cfg, too.
+			return nil, errors.New("this OCSID is not known here")
+		}
+		if err := es.PolicyReshare.verify(cfg.Auth, cfg.NewRoster); err != nil {
+			return nil, err
+		}
+
+		// Set up the protocol
+		pi, err := dkgprotocol.NewSetup(tn)
+		if err != nil {
+			return nil, err
+		}
+		setupDKG := pi.(*dkgprotocol.Setup)
+		setupDKG.KeyPair = s.getKeyPair()
+
+		oldNodes := es.Roster.Publics()
+		n := len(tn.Roster().List)
+		c := &dkg.Config{
+			Suite:     cothority.Suite,
+			Longterm:  setupDKG.KeyPair.Private,
+			NewNodes:  tn.Roster().Publics(),
+			OldNodes:  oldNodes,
+			Threshold: n - (n-1)/3,
+		}
+
+		// Set Share and PublicCoeffs according to if we are an old node or a new one.
+		inOld := pointInList(setupDKG.KeyPair.Public, oldNodes)
+		if inOld {
+			c.Share = &es.DKS
+		} else {
+			// TODO: add commits here
+			//c.PublicCoeffs = cfg.Commits
+		}
+
+		setupDKG.NewDKG = func() (*dkg.DistKeyGenerator, error) {
+			d, err := dkg.NewDistKeyHandler(c)
+			return d, err
+		}
+
+		if err != nil {
+			return nil, err
+		}
+
+		// Wait for DKG in reshare mode to end
+		go func() {
+			<-setupDKG.Finished
+			shared, dks, err := setupDKG.SharedSecret()
+			if err != nil {
+				log.Error(err)
+				return
+			}
+
+			s.storage.Lock()
+			es, found := s.storage.Element[id]
+			// If we had an old share, check the new share before saving it.
+			if found {
+				// Check the secret shares are different
+				if shared.V.Equal(es.Shared.V) {
+					s.storage.Unlock()
+					log.Error("the reshared secret is the same")
+					return
+				}
+
+				// Check the public key remains the same
+				if !shared.X.Equal(es.Shared.X) {
+					s.storage.Unlock()
+					log.Error("the reshared public point is different")
+					return
+				}
+			} else {
+				es = &storageElement{}
+			}
+			// TODO: what happens with Polys here?
+			es.Roster = cfg.NewRoster
+			es.Shared = *shared
+			es.DKS = *dks
+
+			s.storage.Unlock()
+			err = s.save()
+			if err != nil {
+				log.Error("Couldn't save storage")
+			}
+			if s.afterReshare != nil {
+				s.afterReshare()
+			}
+		}()
+		return setupDKG, nil
+
+	case NameOCS:
+		id := string(conf.Data)
+		s.storage.Lock()
+		es, ok := s.storage.Element[id]
+		s.storage.Unlock()
+		if !ok {
+			return nil, fmt.Errorf("didn't find OCSID %v", id)
+		}
+		pi, err := NewOCS(tn)
+		if err != nil {
+			return nil, err
+		}
+		ocs := pi.(*OCS)
+		ocs.Shared = es.Shared.Clone()
+		ocs.Verify = s.verifyReencryption
+		return ocs, nil
+	}
+	return nil, nil
+}
+
+func pointInList(p1 kyber.Point, l []kyber.Point) bool {
+	for _, p2 := range l {
+		if p2.Equal(p1) {
+			return true
+		}
+	}
+	return false
+}
+
+// verifyReencryption checks that the read and the write instances match.
+func (s *Service) verifyReencryption(rc *MessageReencrypt) bool {
+	err := func() error {
+		if rc.VerificationData == nil {
+			return errors.New("need verification data")
+		}
+		var arc AuthReencrypt
+		err := protobuf.DecodeWithConstructors(*rc.VerificationData, &arc, network.DefaultConstructors(cothority.Suite))
+		if err != nil {
+			return Erret(err)
+		}
+		Xc, err := arc.Xc()
+		if err != nil {
+			return Erret(err)
+		}
+		if !Xc.Equal(rc.Xc) {
+			return errors.New("xcs don't match up")
+		}
+		return nil
+	}()
+	if err != nil {
+		log.Error(err)
+		return false
+	}
+	return true
+}
+
+// newService receives the context that holds information about the node it's
+// running on. Saving and loading can be done using the context. The data will
+// be stored in memory for tests and simulations, and on disk for real deployments.
+func newService(c *onet.Context) (onet.Service, error) {
+	s := &Service{
+		ServiceProcessor: onet.NewServiceProcessor(c),
+	}
+	if err := s.RegisterHandlers(s.CreateOCS, s.ReshareLTS, s.Reencrypt,
+		s.GetProof, s.AddPolicyCreateOCS); err != nil {
+		return nil, errors.New("couldn't register messages")
+	}
+	if err := s.tryLoad(); err != nil {
+		log.Error(err)
+		return nil, err
+	}
+	return s, nil
+}
diff --git a/ocs/service_test.go b/ocs/service_test.go
new file mode 100644
index 0000000000..c5f4fd6587
--- /dev/null
+++ b/ocs/service_test.go
@@ -0,0 +1,179 @@
+package ocs
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.dedis.ch/cothority/v3"
+	"go.dedis.ch/kyber/v3"
+	"go.dedis.ch/kyber/v3/util/key"
+	"go.dedis.ch/onet/v3"
+	"go.dedis.ch/onet/v3/log"
+)
+
+func TestMain(m *testing.M) {
+	log.MainTest(m, 2)
+}
+
+// Test creation of a new OCS, both with a valid and with an invalid certificate.
+func TestService_CreateOCS(t *testing.T) {
+	local := onet.NewLocalTest(tSuite)
+	defer local.CloseAll()
+	nbrNodes := 2
+	servers, roster, _ := local.GenBigTree(nbrNodes, nbrNodes, nbrNodes, true)
+
+	cc := newCaCerts(2, 2, 2)
+	cc.addPolicy(servers)
+
+	// Test setting up a new OCS with a valid X509
+	s1 := servers[0].Service(ServiceName).(*Service)
+
+	log.Lvl1("Start with insufficient number of authentications")
+	co := &CreateOCS{
+		Roster:          *roster,
+		Auth:            cc.authCreate(1, *roster),
+		PolicyReencrypt: cc.policyReencrypt,
+		PolicyReshare:   cc.policyReshare,
+	}
+	_, err := servers[0].Service(ServiceName).(*Service).CreateOCS(co)
+
+	log.Lvl1("Continue with copied authentication")
+	ac := cc.authCreate(1, *roster)
+	co.Auth.X509Cert.Certificates = append(co.Auth.X509Cert.Certificates, ac.X509Cert.Certificates[0])
+	cor, err := s1.CreateOCS(co)
+	require.Error(t, err)
+
+	log.Lvl1("Correct authentication")
+	co.Auth = cc.authCreate(2, *roster)
+	cor, err = s1.CreateOCS(co)
+	require.NoError(t, err)
+	require.NotNil(t, cor)
+	require.NotNil(t, cor.OcsID)
+}
+
+// Encrypt some data and then re-encrypt it to another public key.
+func TestService_Reencrypt(t *testing.T) {
+	local := onet.NewLocalTest(tSuite)
+	defer local.CloseAll()
+	nbrNodes := 5
+	servers, roster, _ := local.GenBigTree(nbrNodes, nbrNodes, nbrNodes, true)
+
+	cc := newCaCerts(1, 2, 2)
+	cor := cc.createOCS(servers, *roster)
+
+	// Test setting up a new OCS with a valid X509
+	s1 := servers[0].Service(ServiceName).(*Service)
+
+	secret := []byte("ocs for all")
+	X, err := cor.OcsID.X()
+	require.NoError(t, err)
+	U, C, err := EncodeKey(cothority.Suite, X, secret)
+	require.NoError(t, err)
+
+	kp := key.NewKeyPair(cothority.Suite)
+	wid, err := NewWriteID(X, U)
+	require.NoError(t, err)
+	req := &Reencrypt{
+		OcsID: cor.OcsID,
+		Auth: AuthReencrypt{
+			Ephemeral: kp.Public,
+			X509Cert: &AuthReencryptX509Cert{
+				U:            U,
+				Certificates: cc.authReencrypt(1, wid, kp.Public),
+			},
+		},
+	}
+	rr, err := s1.Reencrypt(req)
+	require.Error(t, err)
+
+	req.Auth.X509Cert.Certificates = cc.authReencrypt(2, wid, kp.Public)
+	rr, err = s1.Reencrypt(req)
+	require.NoError(t, err)
+
+	require.NoError(t, err)
+	secretRec, err := DecodeKey(cothority.Suite, X, C, rr.XhatEnc, kp.Private)
+	require.NoError(t, err)
+	require.Equal(t, secret, secretRec)
+}
+
+type caCerts struct {
+	caCreate        []BCCert
+	caReencrypt     []BCCert
+	caReshare       []BCCert
+	policyCreate    PolicyCreate
+	policyReencrypt PolicyReencrypt
+	policyReshare   PolicyReshare
+}
+
+func newCaCerts(nbrCr, nbrReenc, nbrReshare int) caCerts {
+	cc := caCerts{}
+	var cas [][]byte
+	for i := 0; i < nbrCr; i++ {
+		ca := NewBCCA(fmt.Sprintf("CA-Create %d", i))
+		cc.caCreate = append(cc.caCreate, ca)
+		cas = append(cas, ca.Certificate.Raw)
+	}
+	cc.policyCreate.X509Cert = &PolicyX509Cert{CA: cas, Threshold: nbrCr}
+
+	cas = [][]byte{}
+	for i := 0; i < nbrReenc; i++ {
+		ca := NewBCCA(fmt.Sprintf("CA-Reencrypt %d", i))
+		cc.caReencrypt = append(cc.caReencrypt, ca)
+		cas = append(cas, ca.Certificate.Raw)
+	}
+	cc.policyReencrypt.X509Cert = &PolicyX509Cert{CA: cas, Threshold: nbrReenc}
+
+	cas = [][]byte{}
+	for i := 0; i < nbrReshare; i++ {
+		ca := NewBCCA(fmt.Sprintf("CA-Reshare %d", i))
+		cc.caReshare = append(cc.caReshare, ca)
+		cas = append(cas, ca.Certificate.Raw)
+	}
+	cc.policyReshare.X509Cert = &PolicyX509Cert{CA: cas, Threshold: nbrReshare}
+	return cc
+}
+
+func (cc caCerts) addPolicy(servers []*onet.Server) {
+	for _, s := range servers {
+		_, err := s.Service(ServiceName).(*Service).AddPolicyCreateOCS(&AddPolicyCreateOCS{Create: cc.policyCreate})
+		log.ErrFatal(err)
+	}
+}
+
+func (cc caCerts) createOCS(servers []*onet.Server, roster onet.Roster) *CreateOCSReply {
+	cc.addPolicy(servers)
+	co := &CreateOCS{
+		Roster:          roster,
+		Auth:            cc.authCreate(1, roster),
+		PolicyReencrypt: cc.policyReencrypt,
+		PolicyReshare:   cc.policyReshare,
+	}
+	cor, err := servers[0].Service(ServiceName).(*Service).CreateOCS(co)
+	log.ErrFatal(err)
+	return cor
+}
+
+func (cc caCerts) authCreate(nbr int, r onet.Roster) (ac AuthCreate) {
+	if nbr > len(cc.caCreate) {
+		log.Fatal("asked for too many certificates")
+	}
+	acx := &AuthCreateX509Cert{}
+	for _, ca := range cc.caCreate[0:nbr] {
+		auth := ca.CreateOCS(cc.policyReencrypt.X509Cert, cc.policyReshare.X509Cert, r)
+		acx.Certificates = append(acx.Certificates, auth.Certificate.Raw)
+	}
+	ac.X509Cert = acx
+	return
+}
+
+func (cc caCerts) authReencrypt(nbr int, wrID []byte, ephKey kyber.Point) (certs [][]byte) {
+	if nbr > len(cc.caReencrypt) {
+		log.Fatal("asked for too many certificates")
+	}
+	for _, ca := range cc.caReencrypt[0:nbr] {
+		auth := ca.Reencrypt(wrID, ephKey)
+		certs = append(certs, auth.Certificate.Raw)
+	}
+	return
+}
diff --git a/ocs/struct.go b/ocs/struct.go
new file mode 100644
index 0000000000..25a94aa96b
--- /dev/null
+++ b/ocs/struct.go
@@ -0,0 +1,75 @@
+package ocs
+
+import (
+	"crypto/sha256"
+	"errors"
+
+	"go.dedis.ch/cothority/v3"
+	"go.dedis.ch/kyber/v3/sign/schnorr"
+	"go.dedis.ch/protobuf"
+
+	"go.dedis.ch/kyber/v3"
+)
+
+func (op OCSProof) Verify() error {
+	if len(op.Signatures) != len(op.Roster.List) {
+		return errors.New("length of signatures is not equal to roster list length")
+	}
+	msg, err := op.Message()
+	if err != nil {
+		return Erret(err)
+	}
+	for i, si := range op.Roster.List {
+		err := schnorr.Verify(cothority.Suite, si.ServicePublic(ServiceName), msg, op.Signatures[i])
+		if err != nil {
+			return Erret(err)
+		}
+	}
+	return nil
+}
+
+func (op OCSProof) Message() ([]byte, error) {
+	hash := sha256.New()
+	hash.Write(op.OcsID)
+	coc := CreateOCS{
+		Roster:          op.Roster,
+		PolicyReencrypt: op.PolicyReencrypt,
+		PolicyReshare:   op.PolicyReshare,
+	}
+	buf, err := protobuf.Encode(&coc)
+	if err != nil {
+		return nil, Erret(err)
+	}
+	hash.Write(buf)
+	return hash.Sum(nil), nil
+}
+
+func (ar AuthReencrypt) Xc() (kyber.Point, error) {
+	if ar.X509Cert != nil {
+		return GetPointFromCert(ar.X509Cert.Certificates[0], OIDEphemeralKey)
+	}
+	if ar.ByzCoin != nil {
+		return nil, errors.New("can't get ephemeral key from ByzCoin yet")
+	}
+	return nil, errors.New("need to have authentication for X509 or ByzCoin")
+}
+
+func (ar AuthReencrypt) U() (kyber.Point, error) {
+	if ar.X509Cert != nil {
+		return ar.X509Cert.U, nil
+	}
+	if ar.ByzCoin != nil {
+		return nil, errors.New("can't get secret from ByzCoin yet")
+	}
+	return nil, errors.New("need to have authentication for X509 or ByzCoin")
+}
+
+func NewOCSID(X kyber.Point) (OCSID, error) {
+	return X.MarshalBinary()
+}
+
+func (ocs OCSID) X() (kyber.Point, error) {
+	X := cothority.Suite.Point()
+	err := Erret(X.UnmarshalBinary(ocs))
+	return X, err
+}
diff --git a/ocs/struct_test.go b/ocs/struct_test.go
new file mode 100644
index 0000000000..b510ee2ecb
--- /dev/null
+++ b/ocs/struct_test.go
@@ -0,0 +1,36 @@
+package ocs
+
+import (
+	"testing"
+
+	"go.dedis.ch/cothority/v3"
+	"go.dedis.ch/onet/v3"
+
+	"github.com/stretchr/testify/require"
+)
+
+// TestStruct_MultiSign makes sure that with 3 CAs and a threshold of 2, verification outputs:
+//  - OK for 2 certificates signed by any two different CAs
+//  - OK for 3 certificates signed by any two different CAs
+//  - FALSE for 2 certificates signed by the same CA
+//  - FALSE for 1 certificate
+func TestStruct_MultiSign(t *testing.T) {
+	l := onet.NewLocalTest(cothority.Suite)
+	_, r, _ := l.GenTree(2, true)
+	defer l.CloseAll()
+	cc := newCaCerts(3, 3, 3)
+	cc.policyCreate.X509Cert.Threshold = 2
+
+	auth := cc.authCreate(1, *r)
+	require.Error(t, cc.policyCreate.verify(auth, cc.policyReencrypt, cc.policyReshare, *r))
+	auth2 := cc.authCreate(1, *r)
+	auth.X509Cert.Certificates = append(auth.X509Cert.Certificates, auth2.X509Cert.Certificates[0])
+	require.Error(t, cc.policyCreate.verify(auth, cc.policyReencrypt, cc.policyReshare, *r))
+
+	auth = cc.authCreate(3, *r)
+	require.NoError(t, cc.policyCreate.verify(auth, cc.policyReencrypt, cc.policyReshare, *r))
+	auth.X509Cert.Certificates = auth.X509Cert.Certificates[1:]
+	require.NoError(t, cc.policyCreate.verify(auth, cc.policyReencrypt, cc.policyReshare, *r))
+	auth.X509Cert.Certificates = append(auth.X509Cert.Certificates, auth.X509Cert.Certificates[0])
+	require.NoError(t, cc.policyCreate.verify(auth, cc.policyReencrypt, cc.policyReshare, *r))
+}
diff --git a/proto.sh b/proto.sh
index 6116421198..562658fe12 100755
--- a/proto.sh
+++ b/proto.sh
@@ -6,8 +6,8 @@ set -u
 struct_files=(`find . -name proto.go | sort`)
 
 pv=`protoc --version`
-if [ "$pv" != "libprotoc 3.6.1" ]; then
-	echo "Protoc version $pv is not supported."
+if [ "$pv" != "libprotoc 3.6.1" -a "$pv" != "libprotoc 3.7.1" ]; then
+	echo "Protoc version $pv is not supported. Please install 3.6.1 or 3.7.1"
 	exit 1
 fi
 
diff --git a/skipchain/msgs.go b/skipchain/msgs.go
index 5b0a1362d7..bcc9481762 100644
--- a/skipchain/msgs.go
+++ b/skipchain/msgs.go
@@ -293,8 +293,8 @@ type EmptyReply struct{}
 
 // SettingAuthentication sets the authentication bit that enables restriction
 // of the skipchains that are accepted. It needs to be signed by one of the
-// clients. The signature is on []byte{0} if Authentication is false and on
-// []byte{1} if the Authentication is true.
+// clients. The signature is on []byte{0} if Policy is false and on
+// []byte{1} if the Policy is true.
 // TODO: perhaps we need to protect this against replay-attacks by adding a
 // monotonically increasing nonce that is also stored on the conode.
 type SettingAuthentication struct {
diff --git a/skipchain/skipchain.go b/skipchain/skipchain.go
index eaca84c3d0..be3030453d 100644
--- a/skipchain/skipchain.go
+++ b/skipchain/skipchain.go
@@ -650,7 +650,7 @@ func (s *Service) CreateLinkPrivate(link *CreateLinkPrivate) (*EmptyReply, error
 }
 
 // Unlink removes a public key from the list of linked nodes.
-// Authentication to unlink is done by a signature on the
+// Policy to unlink is done by a signature on the
 // following message:
 // "unlink:" + byte representation of the public key to be
 // removed