A Cryptographer’s Conspiracy Santa

In Conspiracy Santa, a variant of Secret Santa, a group of people oﬀer each other Christmas gifts, where each member of the group receives a gift from the other members of the group. To that end, the members of the group form conspiracies, to decide on appropriate gifts, and usually divide the cost of each gift among all participants of that conspiracy. This requires to settle the shared expenses per conspiracy, so Conspiracy Santa can actually be seen as an aggregation of several shared expenses problems. First, we show that the problem of ﬁnding a minimal number of transaction when settling shared expenses is NP-complete. Still, there exists good greedy approximations. Second, we present a greedy distributed secure solution to Conspiracy Santa. This solution allows a group of people to share the expenses for the gifts in such a way that no participant learns the price of his gift, but at the same time notably reduces the number of transactions with respect to a naive aggregation. Furthermore, our solution does not require a trusted third party, and can either be implemented physically (the participants are in the same room and exchange money using envelopes) or, virtually, using a cryptocurrency.


Introduction
Secret Santa is a Christmas tradition, where members of a group are randomly assigned to another person, to whom they have to offer a gift.The identity of the person offering the present is usually secret, as well as the price of the present.
In Conspiracy Santa, a variant of Secret Santa, for each participant, the other members of the group collude and jointly decide on an appropriate gift.The gift is then usually bought by one of the colluding participants, and the expenses are shared among the colluding participants.
In this setting, the price of the gift must remain secret and, potentially, also who bought the present.At the same time, sharing the expenses usually results in numerous transactions.Existing results in the literature (e.g., [3,4,5,12]) aim at minimizing the number of transactions, but they assume that all expenses are public, that all participants are honest, and that communications are safe.Our goal is to propose a secure Conspiracy Santa algorithm for cryptographers that do not want to disclose the prices.

Contributions
We provide the following contributions: We show that the general problem of finding a solution with a minimal number of transactions when sharing expenses is NP-complete.
We provide a secure protocol for Conspiracy Santa.The algorithm ensures that no participant learns the price of his gift, nor who bought it.Moreover, the algorithm reduces the number of transactions necessary compared to a naive solution (although the solution in general is not optimal, as this could leak information).
Our secure algorithm is entirely distributed and does not require any trusted third party.To also realize the payments in a distributed fashion, a secure peer-to-peer cryptocurrency can be used.We also discuss a physical payment solution, using envelopes and bank notes.Our algorithm can also be used in the case where expenses are shared within multiple groups.There, some people belong to several of these groups and the goal is to reduce the number of transactions while still ensuring privacy: all participants only learn about the expenses of their groups, not the other groups.One can also see this problem as a variant of the dining cryptographers [7].However, instead of respecting the cryptographers' right to anonymously invite everybody, we here want to respect the cryptographers' right to privately share expenses of multiple diners with different groups.

Outline
The remainder of the paper is structured as follows: in Section 2, we analyze the complexity of the general problem of sharing expenses.In Section 3, we present our protocol to solve the problem of privately sharing expenses in Conspiracy Santa, in a peer-to-peer setting.We also discuss further applications of our solution, and how to realize the anonymous payments required by the algorithm.We then conclude in Section 4.

2
The Shared Expenses Problem and its Complexity Before analyzing the Conspiracy Santa problem in more detail, we now discuss the more general problem of settling shared expenses with a minimal number of transactions.This problem frequently arises, for example when a group of security researchers attends a FUN conference and wants to share common expenses such as taxis, restaurants etc. Reducing the overall number of transactions might then reduce the overall currency exchange fees paid by the researchers.In such a case, each participant covers some of the common expenses, and in the end of the conference, some transactions are necessary to ensure that all participants payed the same amount.Note for this first example, there are no privacy constraints, as all amounts are public.There are numerous applications implementing solutions to this problem (e.g., [3,4,5]), but it is unclear how they compute the transactions.Moreover, in these applications all expenses are public, making them unsuitable for Conspiracy Santa.
David Vávra wrote a master's thesis [12] about a similar smartphone application that allows to settle expenses within group.He discusses a greedy approximation algorithm (see below), and conjectures that the problem is N P-complete, but without giving a formal proof.
We start by formally defining the problem.

Definition 2. Shared Expenses Problem (SEP). Given a multiset of values
where a positive k i means that participant i has to pay money, and a negative k i means that i has to be reimbursed), is there a way to do all reimbursements using (strictly) less than n − 1 transactions?Note that there is always a solution using n−1 transactions using a greedy approach: given the values in K = {k 1 , . . ., k n }, let i be the index of the maximum value of K (i = arg max i (k i )) and let j be the index of the minimum value of K (j = arg min j (k j )), we use one transaction between i and j such that after the transaction either the participant i or j ends up at 0. I.e., if |k i | − |k j | > 0, then the participant j ends up at 0, otherwise the participant i ends up at 0. By then recursively applying the same procedure on the remaining n − 1 values, we can do all reimbursements.Overall, this greedy solution uses n − 1 transactions in the worst case.

F U N 2 0 1 8 13:4 A Cryptographer's Conspiracy Santa
It is easy to see that SEP ∈ N P: guess a list of (less than n − 1) transactions, and verify for each participant that in the end there are no debts or credits left.
We show that SEP is N P-complete, for this we use a reduction from the Subset Sum Problem [10] which can be seen as a special case of the well known knapsack problem [9].
The Subset Sum Problem is known to be N P-complete (see, e.g., [8]).
Theorem 4. The Shared Expenses Problem is N P-complete.

Proof. Consider the following reduction algorithm:
Given a Subset Sum Problem (SSP) instance, i.e., a multiset of values K = {k 1 , . . ., k n }, compute s = k∈K k.If s = 0, return yes, otherwise let K = K ∪ {−s} and return the answer of an oracle for the Shared Expenses Problem for K .
It is easy to see that the reduction is polynomial, as computing the sum is in O(n).
We now need to show that the reduction is correct.We consider the two following cases: Suppose the answer to the SSP is yes, then there is a subset K ⊆ K such that k∈K k = 0.If K = K, then the check in the reduction is true, and the algorithm returns yes.If K = K, then we can balance the expenses in the sets K and K \ K independently using the greedy algorithm explained above.This results in Thus there is a way to do all reimbursements using strictly less than |K | − 1 transactions, hence the answer will be yes.Suppose the answer to the SSP is no, then there is no subset K ⊆ K such that k∈K k = 0.This means that there is no subset K 3 ⊆ K such that the expenses within this set can be balanced independently of the other expenses.To see this, suppose it were possible to balance the expenses in K 3 independently, then we must have k∈K3 k = 0, contradicting the hypothesis that there is no such subset (note that w.l.o.g.K 3 ⊆ K, if it contains the added value one can simply choose K \ K 3 ).Hence any way of balancing the expenses has to involve all n participants, but building a connected graph with n nodes requires at least n − 1 edges.Thus there cannot be a solution with less than n − 1 transactions, and the oracle will answer no.

Cryptographer's Conspiracy Santa
Consider now the problem of organizing Conspiracy Santa, where no participant shall learn the price of his gift.Obviously we cannot simply apply, e.g., the greedy algorithm explained above on all the expenses, as this would imply that everybody learns all the prices.More formally, an instance of Conspiracy Santa with n participant consists of n shared expenses problem (sub-SEP), each with n − 1 participants and with non-empty intersections of the participants.In each sub-SEP, the n − 1 participants freely discuss, decide on a gift, its value v i and who pays it; then agree that their share for this gift is v i /(n − 1).Overall the share of each participant j is A participants balance p j is this share minus the values of the gifts she bought.

13:5
A simple solution would be to use a trusted third party, but most cryptographers are paranoid and do not like trusted third parties.A distributed solution would be to settle the expenses for each gift within the associated conspiracy group individually, but this then results in n instances of the problem, with n − 2 transactions each (assuming that only one person bought the gift), for a total of n × (n − 2) transactions.
Moreover, the problem becomes more complex if several groups with non-empty intersections want to minimize transactions all together while preserving the inter-group privacy.
Example 5. Example 1 continued.For the same conference, FUN'16, Alice, Bob and Dan shared a taxi from the airport and Bob paid for a total of 60e, that is 20e per person.There are two possibilities.Either Alice and Dan make two new transactions to reimburse Bob.Or, to minimize the overall number of transactions, they aggregate both accounts, i.e. those from Example 1 with those of the taxi ride.That is [−15, 88, −73, 0] + [20, −40, 0, 20] = [5, 48, −73, 20].Overall Alice thus gives 5 e to Carole, Bob reduces his debt to Carole to only 48e and Dan gives 20 e to Carole.The security issue, in this second case, is that maybe Alice and Bob did not want Dan to know that they were having lunch with Carole, nor that they had a debt of more than 20 e, etc.
In the next part we present our solution for the generalization of Conspiracy Santa as the aggregation of several shared expenses problems with non-empty intersections between the participants.This solution uses 3n transactions, preserves privacy, and does not require a trusted third party.

A Distributed Solution using Cryptocurrencies
We suppose that all participants know a fixed upper bound B for the value of any gift.Apart from the setup, the protocol has 3 rounds, each one with n transactions, and one initialization phase.
Note that we consider semi-honest participants in the sense that the participants follow honestly the protocol, but they try to exploit all intermediate information that they have received during the protocol to break privacy.

Initialization Phase
In the setup phase, the participants learn the price of the gifts in which they participate and can therefore compute their overall balance, p i .They also setup several anonymous addresses in a given public transaction cryptocurrency like Bitcoin [1], ZCash [6] or Monero [2].
Finally the participants create one anonymous address which is used as a piggy bank.They all have access to the secret key associated to that piggy bank address.For instance, they can exchange encrypted emails to share this secret key.Protocol 1 presents the details of this setup phase.

First Round
The idea is that the participants will round their debts or credits so that the different amounts become indistinguishable.For this, the participants perform transactions to adjust their balance to either 0, B or a negative multiple of B. The first participant randomly selects an initial value between 1 and B e, and sends it to the second participant.This transaction is realized via any private payment channel between the two participants (physical payment, bank transfer, cryptocurrency payment, . . ., as long as no other participant learns the 1: One anonymous currency address is created and the associated secret key is shared among all participants.2: for each exchange group do 3: for each payment within the group do 4: broadcast the amount paid to all members of the group; Sum all the paid amounts of all the participants; Divide by the number of participants in the group; This produces the in-group share by participant.end if 18: end for transferred amount).Then the second participant adds his balance to the received amount modulo B, and forwards the money (up to B, or such that its credit becomes a multiple of B) to the next participant, and so on.The last participant also adds his balance and sends the resulting amount to the first participant.In the end, all participants obtain a balance of a multiple of B, and the random amount chosen by the first participant has hidden the exact amounts.The details are described in Protocol 2.

Second Round
The second and third rounds of the protocol require anonymous payments, for which we use anonymous cryptocurrency addresses.These two rounds are presented in Protocol 3. In the second round, every participant makes one public transaction of B e to the piggy bank.

Third Round
Each creditor recovers their assets via pi B public transactions of B e from the piggy bank.Note that if a participant needs to withdraw more than B e he needs to perform several transactions.To ensure anonymity, he needs to use a different anonymous address for each transaction.In the end, the account is empty and the number of transactions corresponds exactly to the number of initial transactions used to credit the piggy bank's account.Theorem 6.For n participants, Protocols 1, 2, 3 are correct and require 3n transactions.Proof.Including the piggy bank, all the transactions are among participants, therefore the sum of all the debts and credits is invariant and zero.There remains to prove that in the end of the protocol all the debts and credits are also zero.The value of any gift is bounded by B, thus any initial debt for any gift is at most B/(n − 1).As participants participate to at most n − 1 gifts, the largest debt is thus lower than B e.Then, during the first round, all participants, except P 1 , round their credits or debts to multiples of B. But then, by the invariant, after the first round, the debt or credit of P 1 must also be a multiple of B. Furthermore, any debtor will thus either be at zero after the first round or at a debt of exactly B e.After the second round any debtor will then be either at zero or at a credit of exactly B e. Thus after the second round only the piggy bank has a debt.Since the piggy bank received exactly nB e, exactly n transactions of B e will make it zero and the invariant ensures that, after the third round, all the creditors must be zero too.
Remarks.It is important to use a cryptocurrency such as Bitcoin, Monero or ZCash in order to hide both the issuer and the receiver of each transaction in the third round.This ensures that nobody can identify the users.
Note that when using Bitcoin, users can potentially be tracked if the addresses are used for other transactions.Using Monero or Zcash can offer more privacy since the exchanged amount can also be anonymized.Moreover, to avoid leaking the fact that some persons need to withdraw Be multiple times, and are thus doing multiple transaction at the same time, all the withdrawals should be synchronized.If exact synchronization is difficult to achieve, one can decide on a common time interval, e.g., an hour, and all the transactions have to be P i : p i = 0.

11:
end if 12: end parfor done at random time points during this interval, independently, whether they are executed from the same or a different participant.
Example 7. We now have a look at the algorithm for our example with Alice, Bob, Carole and Dan.As in Example 5, the initial balance vector is [5, 48, −73, 20].They decide on an upper bound of B = 50 e (note that to provably ensure exactly 3n = 12 transactions they should take an upper bound larger than any expense, that is larger than 213 e, but 50 is sufficient for our example here).For the first round, Alice randomly selects 1 ≤ t 1 = 12 ≤ 50 and makes a first private transaction of t 1 = 12 e to Bob. Bob then makes a private transaction of t 2 = 12 + 48 mod 50 = 10 e to Carole; Carole makes a private transaction of t 3 = 10 − 73 mod 50 = 37 e to Dan; who makes a private transaction of t 4 = 37 + 20 mod 50 = 7 e to Alice.All these transactions are represented in Figure 1.The balance vector is thus now [0, 50, −100, 50], because for instance Bob had a balance of 48 e, received 12 e from Alice and sends 10 e to Carole, hence his new balance is 48+12−10 = 50 e.Everybody sends 50 e to the piggy bank address, so that the balance vector becomes [−50, 0, −150, 0].Finally there are four 50 e transactions, one to an address controlled by Alice and three to (different) addresses controlled by Carole.These two last rounds are illustrated in Figure 2. Note that we have exactly n = 4 transactions per round.

Security Proof
We now provide a formal security proof for our protocol.We use the standard multi-party computations definition of security against semi-honest adversaries [11].As stated above, we consider semi-honest adversaries in the sense that the entities run honestly the protocols, but they try to exploit all intermediate information that they have received during the protocol.
We start by formally defining the indistinguishability and the view of an entity.

Definition 8 (Indistinguishability).
Let η be a security parameter and X η and Y η two distributions.We say that X η and Y η are indistinguishable, denoted X η ≡ Y η , if for every 13:9 probabilistic distinguisher D we have: Definition 9 (view).Let π(I) be an n-parties protocol for the entities (P i ) 1≤i≤n using inputs I = (I i ) 1≤i≤n .The view of a party P i (I i ) (where 1 ≤ i ≤ n) during an execution of π, denoted view π(I) (P i (I i )), is the set of all values sent and received by P i during the protocol.
To prove that a party P learns nothing during execution of the protocol, we show that P can run a simulator algorithm that simulates the protocol, such that P (or any polynomially bounded algorithm) is not able to differentiate an execution of the simulator and an execution of the real protocol.The idea is the following: since the entity P is able to generate his view using the simulator without the secret inputs of other entities, P cannot extract any information from his view during the protocol.This notion is formalized in Definition 10.
Definition 10 (Security with respect to semi-honest behavior).Let π(I) be an n-parties protocol between the entites (P i ) 1≤i≤n using inputs I = (I i ) 1≤i≤n .We say that π is secure in the presence of semi-honest adversaries if for each P i (where 1 ≤ i ≤ n) there exists a protocol Sim i (I i ) where P i interacts with a polynomial time algorithm S i (I i ) such that: Theorem 11.Our conspiracy santa protocol is secure with respect to semi-honest behavior.F U N 2 0 1 8 13:10 A Cryptographer's Conspiracy Santa Proof.We denote our protocol by SCS n (I) (for Secure Conspiracy Santa).For all 1 ≤ i ≤ n, each entity P i has the input I i = (n, B, p i ), where I = (I i ) 1≤i≤n .For all 1 ≤ i ≤ n, we show how to build the protocol Sim i such that: Sim 1 is given in Simulator 4, and Sim i for 1 < i ≤ n is given in Simulator 5.
Simulator 4 Algorithm S 1 of the protocol Sim 1 (I 1 ).
Require: S 1 knows I 1 = (n, B, p 1 ) 1: S 1 receives t 1 e from P 1 ; S 1 sends B e to the shared anonymous address; 9: end for 10: if 0 ≤ (p 1 − t 1 ) then 11: S 1 makes the shared anonymous address pay B e to an anonymous address; 17: end for Simulator 5 Algorithm S i of the protocol Sim i (I i ), where 1 < i ≤ n.
Require: S i knows I 1 = (n, B, p i ) .B] ; 2: S i sends t i−1 e to P i ; 3: S i receives t i e from P i ; 4: for j = 1 to n − 1 do

5:
S i sends B e to the shared anonymous address; 6: end for S i makes the shared anonymous address pay B e to an anonymous address; 10: end for We first show that the view of P 1 in the real protocol SCS n is the same as in the protocol Sim 1 : At Instruction 1 of Simulator 4, S 1 receives t 1 e from P 1 such that 1 ≤ t 1 ≤ B, as at Instruction 3 of Protocol 2. At Instruction 15 of Protocol 2, P n sends t n e to P 1 such that: The balance of P 1 is a multiple of B.
We show that these two conditions hold in the simulator.At Instruction 2 of Protocol 2, the balance of P 1 is (p 1 − t 1 ).
We then have: 2. If the balance is negative, then S 1 sends (B − ((t 1 − p 1 ) mod B)) e to P 1 .We then have: Finally, we deduce that the view of P 1 in the real protocol SCS n is the the same as in the simulator Sim 1 : view Sim1(I1) (P 1 (I 1 )) ≡ view SCSn(I) (P 1 (I 1 )) We then show that the view of P i in the real protocol SCS n is the same as in the protocol Sim 1 for any 1 ≤ i ≤ n: At instruction 3 and 9 of Protocol 2, each user P i receives t i−1 e from P i−1 for any 1 ≤ i ≤ n such that 1 ≤ t i−1 ≤ B. We note that each t i−1 depends on the value t 1 chosen by P 1 .Moreover, t 1 comes form a uniform distribution and acts as a one-time pad on the values t i−1 , i.e., it randomizes t i−1 such that P i cannot distinguish whether t i−1 was correctly generated or comes from the uniform distribution on {1, . . ., B}.At instruction 1 of Simulator 5, S i chooses t i−1 at random in the uniform distribution on {1, . . ., B} and sends t i−1 to P i .At Instruction 3 of Simulator 5, S i receives t i e from P i such that 1 ≤ t 1 ≤ B, like at Instruction 9 of Protocol 2. At Instruction 5 of Simulator 5, S i sends B e to the shared anonymous address (n − 1) times, and P i sends B e to the shared anonymous address 1 time, so together they send B e n times to the shared anonymous address, as at Instruction 3 of Protocol 3. times.We note that p i + t i−1 − t i − B ≤ 0; indeed, we have t i = (p i + t i−1 ) mod B (Instruction 6 of Protocol 2).Since p i ≤ B and t i−1 ≤ B, then we have (p i + t i−1 ) − t i ≤ B, so we have p i + t i−1 − t i − B ≤ 0. Finally, P i and S i make the shared anonymous address pay B e to n anonymous addresses because: Finally, to conclude the proof, we deduce that for all 1 ≤ i ≤ n the view of P i in the real protocol SCS n is the the same as in the simulator Sim i : view Simi(Ii) (P i (I i )) ≡ view SCSn(I) (P i (I i )).

Physical Variant
If one does not wish to use cryptocurrencies, one can use the following physical variant of the protocol.In the first round each participant needs to transfer some money to another participant using a private channel.A simple physical solution is that they meet and perform the transfer face to face, while ensuring that nobody spies on them.For the second round, the balance of all participants is a multiple of B e.During the first part of this algorithm, everyone puts an envelope containing B e onto a stack that is in a secure room.By secure room, we mean a place where no other participants can spy what is going on inside.In the second part all participants enter this secure room one after the other and do the following according to their balance: If the balance is 0 then the participant does nothing.
If the balance is a multiple k of B e, the participant takes k envelopes from the top of the stack, opens them and collects the corresponding k * B e. Then he places, in each of the now empty k envelopes, a piece of paper that have the same shape and weight as a the B e.These envelopes are placed under the stack of envelopes.This method allows everyone to collect his money without revealing to the other ones how much they have taken.
We show that this protocol is secure with respect to semi-honest behavior.For this, we physically simulate the protocol for any participant.We first note that the first round of the protocol is the same as Protocol 2, so this round can be simulated exactly as in the proof of Theorem 11.We simulate the second round for any participant as follows.During the first part of the algorithm, the simulator enters n − 1 times the secure room and puts an envelope containing B e onto the stack.When it is his turn, the participant enters the room and puts an envelope containing B e onto the stack.Finally, there are n envelopes containing B e on a stack.In the second part the simulator enters the room n − 1 times and does nothing.When it is his turn, the participant enters the room and takes k envelopes from the top of the stack, opens them and collects the corresponding k * B e as in the real protocol, where 0 ≤ k ≤ n.Since each of the n envelopes contains B e, the simulation works for any 0 ≤ k ≤ n.
We deduce that the view of the participant during the simulation is the same as during the real protocol, which implies that our physical protocol is secure with respect to semi-honest behavior.

13:13
Remark.This physical protocol mimics exactly the solution using cryptocurrencies.One advantage, though, of the physical world is that it is easier to perform transactions with 0 e.Therefore there exists a simpler solution for the second round, where creditors do not have to give B e in advance: if the participant is in debt he puts an envelope containing B e onto the stack, otherwise he puts an envelope containing a piece of paper under the stack.
The first and third rounds are not modified, and the simulator for the security proof is not modified either.

Conclusion
In this paper we showed that the Shared Expenses Problem (SEP) is N P-complete.Moreover, we devised a privacy-preserving protocol to share expenses in a Conspiracy Santa setting where members of a group offer each other gifts.
Our protocol ensures that no participant learns the price of his gift, while reducing the number of transactions compared to a naive solution, and not relying on a trusted third party.We formally prove the security of our protocol and propose two variants, one relying on cryptocurrencies for anonymous payments, the other one using physical means, such as envelopes, to achieve anonymous payments.
Our protocol can also be used to share expenses among different groups with non-empty intersections, while still ensuring that each participant only learns the expenses of his group(s).

Example 1 .
Alice, Bob, and Carole attended FUN'16.The first night, Alice payed the restaurant for 155 e, and Bob the drinks at the bar for 52 e.The second day Carole payed the restaurant and drinks for a total of 213 e.The total sum is then 155 + 52 + 213 = 420 e, meaning 140 e per person.This means that Alice payed 140 − 155 = −15 e too much, Bob needs to pay 140 − 52 = 88 e more, and Carole has to receive 140 − 213 = −73 e.In this case, the optimal solution uses two transactions: Bob gives 15 e to Alice, and 73 e to Carole.

FProtocol 1
SEP broadcast setupRequire: An upper bound B on the value of any gift; Require: All expenses.Ensure: Each participant learns his balance p i .Ensure: Each participant creates 1 or several anonymous currency addresses.Ensure: A shared anonymous currency address.
for each participant in the group do 7:

Protocol 2
Secure rounding to multiple of the bound Require: An upper bound B on the value of any gift; Require: Each one of n participants knows his balance p i ; Require: n i=1 p i = 0. Ensure: Each one of n participants has a new balance p i , either 0, B or a negative multiple of B; Ensure: n i=1 p i = 0; Ensure: Each transaction is between 1 and B e; Ensure: The protocol is zero-knowledge.

FProtocol 3 7 : 8 :
Peer-to-peer secure debt resolution Require: An upper bound B on the value of any gift; Require: n participants each with a balance p i , either 0, B or a negative multiple of B. Ensure: All balances are zero; Ensure: The protocol is zero-knowledge.1: parfor i = 1 to n do Everybody sends B to the piggy bank 2: P i : p i -= B; 3: P i sends B e to the shared anonymous address; Public transaction of B 4: end parfor 5: parfor i = 1 to n do 6: if p i < 0 then Creditors recover their assets parfor j = 1 to −pi B do P i makes the shared anonymous address pay Be to one of his own anonymous addresses

Figure 1 Figure 2
Figure 1 First round of Example 7.

F
At Instruction 8 of Protocol 3, the users make the shared anonymous address pay B e to n anonymous addresses.At Instruction 9 of Simulator 5, the balance of P i is p i +t i−1 −t i −B.Hence P i receives B e from the shared anonymous address pi+ti−1−ti−B B times, and S i receives B e from the shared anonymous address n + pi+ti−1−ti−B B Subtract all own expenses to get p i ; 17:

1 :
P 1 : t 1 $ ←− [1..B] uniformly sampled at random; 2: P 1 : p 1 = p 1 − t 1 ; 3: P 1 sends t 1 e to P 2 ; Random transaction 1..B on a secure channel 4: P 2 : p 2 = p 2 + t 1 ; 5: for i = 2 to n − 1 do i : t i = p i mod B; 7:P i : if t i = 0 then t i = t i + B; end if 1 ≤ t i ≤B 8: P i : p i = p i − t i ; 9: P i sends t i e to P i+1 ; Random transaction 1..B on a secure channel 10: P i+1 : p i+1 = p i+1 + t i ; 11: end for 12: P n : t n = p n mod B; 13: P n : if t n = 0 then t n = t n + B; end if 1 ≤ t n ≤ B 14: P n : p n = p n − t n ; 15: P n sends t n e to P 1 ; Random transaction 1..B on a secure channel 16: P 1 : p 1 = p 1 + t n ; which is a multiple of B.At Instruction 8 of Simulator 4, S 1 sends B e to the shared anonymous address (n − 1) times, and P 1 sends B e to the shared anonymous address 1 time, so together they send B e n times to the shared anonymous address, as at Instruction 3 of Protocol 3. At Instruction 8 of Protocol 3, the users make the shared anonymous address pay B e to n anonymous addresses.At Instruction 16 of Simulator 4, the balance of P 1 is: 0 if 0 ≤ (p 1 − t 1 ) (because P 1 had B e and sent B e to the shared address).Otherwise, the balance ofP 1 is B − ((t 1 − p 1 ) mod B) + (p 1 − t 1 ) − B = ((t 1 − p 1 ) mod B) + (p 1 − t 1 ).Hence P 1 receives B e from the shared anonymous address We note that ((t 1 −p 1 ) mod B)+(p 1 −t 1 ) ≤ 0 because (p 1 − t 1 ) ≤ 0 and ((t 1 − p 1 ) mod B) ≤ −(p 1 − t 1 ).Finally, P 1 and S 1 make the shared anonymous address pay B e to n anonymous addresses because: