diff --git a/bibliography/bibliography.bib b/bibliography/bibliography.bib
index 4a957a9a2eb6e7e0d7a0f97f0229b554a8d0448a..034d68a2b387acb89122287c25970e4653ff1f73 100644
--- a/bibliography/bibliography.bib
+++ b/bibliography/bibliography.bib
@@ -8,8 +8,6 @@ pages = {258--273},
 year = {2008},
 publisher = {Taylor \& Francis},
 doi = {10.1080/03610910701790269},
-URL = {https://doi.org/10.1080/03610910701790269},
-eprint = {https://doi.org/10.1080/03610910701790269}
 }
 
 @BOOK{Forbes2010Statistical,
@@ -20,8 +18,6 @@ eprint = {https://doi.org/10.1080/03610910701790269}
   edition   =  4,
   month     =  nov,
   year      =  2010,
-  address   = "Hoboken, NJ",
-  language  = "en"
 }
 
 ï»¿@Article{Haber1991Timestamp,
@@ -37,5 +33,4 @@ pages={99-111},
 abstract={The prospect of a world in which all text, audio, picture, and video documents are in digital form on easily modifiable media raises the issue of how to certify when a document was created or last changed. The problem is to time-stamp the data, not the medium. We propose computationally practical procedures for digital time-stamping of such documents so that it is infeasible for a user either to back-date or to forward-date his document, even with the collusion of a time-stamping service. Our procedures maintain complete privacy of the documents themselves, and require no record-keeping by the time-stamping service.},
 issn={1432-1378},
 doi={10.1007/BF00196791},
-url={https://doi.org/10.1007/BF00196791}
 }
\ No newline at end of file
diff --git a/chapters/01_introduction.tex b/chapters/01_introduction.tex
index 44a9cfe481c6cb3b7425c5ef8f73f8ac3710d5ef..3398e3c904cbda7fcfc5f92adc864dfc601579f7 100644
--- a/chapters/01_introduction.tex
+++ b/chapters/01_introduction.tex
@@ -4,7 +4,7 @@
 
 The simplest approach to digital time-stamping relies on a trusted third party (TTP).
 If Alice wants to time-stamp a document and prove the document's existence at the time-stamp's time to Bob at some later time, she can ask a time-stamp authority (TSA) to cryptographically sign a secure hash of her document together with the current time.
-Bob accepts the TSA's signature as proof of the document's existence at the specified time. \footfullcite{Haber1991Timestamp}
+Bob accepts the TSA's signature as proof of the document's existence at the specified time.\footfullcite{Haber1991Timestamp}
 
 This scheme requires complete trust of both Alice and Bob in the impartiality of the TSA.
 Bob needs to trust the TSA to keep its private key secure and to never produce time-stamps for the past (an attack which I will refer to as "backdating").
@@ -19,7 +19,7 @@ The notion of distributed trust will simplify matters considerably.
 
 \subsection{Distributed trust}
 
-\subsubsection{Publication and witnesses}
+\subsubsection{Building trust through publication}
 
 Trusted time-stamping requires complete trust in the time-stamp authority.
 This does not mean, however, that the TSA is actually \emph{trustworthy}.
@@ -74,7 +74,7 @@ The probability of a successful backdating attack is then given by the equation:
 \end{equation}
 
 \begin{figure}
-  \includegraphics{figures/backdating_probability_hypergeometric.png}
+  \includegraphics{figures/backdating_probability_hypergeometric.pdf}
   \caption{\label{figure::backdating_probability_hypergeometric}
     Probability of a successful backdating attack according to the hypergeometric distribution.
     $N=30$ witnesses keep records of the time-stamps issued by the TSA.
@@ -97,10 +97,10 @@ We can model this by introducing a weight parameter $\omega$, where a malicious
 $k$ then follows a noncentral hypergeometric distribution.
 
 Two distinct noncentral hypergeometric distributions exist in the literature.
-They are frequently confused, because their difference is subtle and both are regularly referred to as ``the'' noncentral hypergeometric distribution. \footfullcite{Fog2008Calculation}
+They are frequently confused, because their difference is subtle and both are regularly referred to as ``the'' noncentral hypergeometric distribution.\footfullcite{Fog2008Calculation}
 Fisher's noncentral hypergeometric distribution models the case where multiple balls are drawn from the urn at once and thus the probability of drawing one item is independent of the other items that are drawn.
 The precise sample size $n$ can not be known in advance in this case.
-Wallenius' noncentral hypergeometric distribution, on the other hand, models the case of sequentially drawing balls from the urn, for a total number of $n$ draws that has been determined in advance. \footnote{For a detailed discussion on the distinction between Wallenius' and Fisher's noncentral hypergeometric distribution, see: \fullcite{Fog2008Calculation}}
+Wallenius' noncentral hypergeometric distribution, on the other hand, models the case of sequentially drawing balls from the urn, for a total number of $n$ draws that has been determined in advance.\footnote{For a detailed discussion on the distinction between Wallenius' and Fisher's noncentral hypergeometric distribution, see: \fullcite{Fog2008Calculation}}
 
 As the client in our model determines the number $n$ of witnesses to consult in advance, $k$ follows Wallenius' noncentral hypergeometric distribution.
 The client selects witnesses in rounds.
@@ -115,7 +115,7 @@ The probability mass function for $k$ after selecting all $n$ witnesses is:
 
 \begin{align}
   \mathrm{wnchypg}(k;n,K,N,\omega)&=\binom{K}{k}\binom{N-K}{n-k}\cdot\int_0^1\left(1-t^{\omega/d}\right)^k\left(1-t^{1/d}\right)^{n-k}\mathop{dt}\\
-  d&=(K-k)\omega+(N-k)-(n-k)
+  d&=(K-k)\omega+(N-K)-(n-k)
 \end{align}
 
 The probability of a successful backdating attack is then:
@@ -124,8 +124,8 @@ The probability of a successful backdating attack is then:
   P(k=n)=\mathrm{wnchypg}(n;n,K,N,\omega)=\binom{K}{n}\cdot\int_0^1\left(1-t^{\omega/((K-n)\omega+N-n)}\right)^n\mathop{dt}
 \end{equation}
 
-\begin{figure}[!h]
-  \includegraphics{figures/backdating_probability_noncentral.png}
+\begin{figure}
+  \includegraphics{figures/backdating_probability_noncentral.pdf}
   \caption{\label{figure::backdating_probability_noncentral}
     Probability of a successful backdating attack according to Wallenius' noncentral hypergeometric distribution.
     $N=30$ witnesses keep records of the time-stamps issued by the TSA.
@@ -160,6 +160,58 @@ In a real distributed service, we can not assume that a client can always reach
 Network partitions or denial of service attacks may render witnesses temporarily unavailable.
 We include a new parameter $n'$ into our model to accomodate this possibility.
 While the client still asks $n$ randomly selected witnesses to verify a time-stamp, it accepts the time-stamp as soon as it receives $n'$ valid responses from the witnesses, with $n'<n$.
+
+Let $U$ be the total number of witnesses that are unavailable or refuse to confirm a legitimate time-stamp upon a client's request.
+Let $u$ be the number of unavailable witnesses included in the $n$ witnesses that were randomly selected by the client.
+A client will then not accept a legitimate time-stamp if $u>n-n'$.
+The probability of this happening according to the hypergeometric distribution is:
+
+\begin{equation}
+  \left. P(u>n-n')=\sum_{u=n-n'+1}^n\binom{U}{u}\binom{N-U}{n-u} \middle/ \binom{N}{n}\right.
+\end{equation}
+
+\begin{figure}
+  \includegraphics{figures/dos_hypergeometric.pdf}
+  \caption{\label{figure::dos_hypergeometric}
+    Probability of a client failing to accept a legitimate time-stamp in the face of witness unavailability.
+    $N=30$ witnesses keep records of the time-stamps issued by the TSA.
+    Of these witnesses, a number $U$ (plotted on the x-axis) is unavailable due to a network partition, a denial of service attack, a crash failure or some other reason.
+    To check a time-stamp's validity, a client consults $n=8$ randomly selected witnesses.
+    It accepts the time-stamp if it receives valid responses from $n'$ witnesses.
+    The client will fail to accept a legitimate time-stamp if more than $n-n'$ of the selected witnesses are unavailable.
+    Decreasing values of $n'$ protect against this happening, as can be observed from the different graph lines.
+  }
+\end{figure}
+
+Figure~\ref{figure::dos_hypergeometric} graphs this probability as a function of $U$ for different values of $n'$.
+
+If a client is more likely to select certain witnesses over others and we assume that an attacker can carry out a targeted denial of service attack on these witnesses, we need to model the probability of a successful DoS attack using Wallenius' noncentral hypergeometric distribution:
+
+\begin{align}
+  \begin{split}
+    P(u>n-n')=&\sum_{u=n-n'+1}^n\binom{U}{u}\binom{N-U}{n-u}\\
+    &\cdot\int_0^1\left(1-t^{\omega/d(u)}\right)^u\left(1-t^{1/d(u)}\right)^{n-u}\mathop{dt}
+  \end{split}\\
+  d(u)=&(U-u)\omega+(N-U)-(n-u)
+\end{align}
+
+\begin{figure}
+  \includegraphics{figures/dos_noncentral.pdf}
+  \caption{\label{figure::dos_noncentral}
+    Probability of a client failing to accept a legitimate time-stamp in the face of a targeted denial of service attack.
+    $N=30$ witnesses keep records of the time-stamps issued by the TSA.
+    Of these witnesses, a number $U$ (plotted on the x-axis) is unavailable due to a targeted DoS attack.
+    To check a time-stamp's validity, a client consults $n=8$ randomly selected witnesses.
+    The client is $\omega=10$ times more likely to select an unavailable witness than an available witness.
+    It accepts the time-stamp if it receives valid responses from $n'$ witnesses.
+    The client will fail to accept a legitimate time-stamp if more than $n-n'$ of the selected witnesses are unavailable.
+    Decreasing values of $n'$ protect against DoS attacks, as can be observed from the different graph lines.
+  }
+\end{figure}
+
+Figure~\ref{figure::dos_noncentral} graphs this probability as a function of $U$ for different values of $n'$.
+
+While the introduction of $n'$ increases availability in the face of network partitions or denial of service attacks, it compromises the security against backdating attacks.
 A backdating attack is now successful when $k\geq n'$.
 
 In the case of the hypergeometric distribution, this leaves us with the following equation.
@@ -168,12 +220,12 @@ In the case of the hypergeometric distribution, this leaves us with the followin
   \left. P(k\geq n')=\sum_{k=n'}^n\binom{K}{k}\binom{N-K}{n-k} \middle/ \binom{N}{n}\right.
 \end{equation}
 
-\begin{figure}[!h]
-  \includegraphics{figures/backdating_probability_hypergeometric_available.png}
+\begin{figure}
+  \includegraphics{figures/backdating_probability_hypergeometric_available.pdf}
   \caption{\label{figure::backdating_probability_hypergeometric_available}
     Probability of a successful backdating attack according to the hypergeometric distribution when allowing witness unavailability.
     $N=30$ witnesses keep records of the time-stamps issued by the TSA.
-    Of these witnesses, a number $E$ (plotted on the x-axis) maliciously collude with the TSA in order to backdate time-stamps.
+    Of these witnesses, a number $K$ (plotted on the x-axis) maliciously collude with the TSA in order to backdate time-stamps.
     To check a time-stamp's validity, a client consults $n=8$ randomly selected witnesses.
     It accepts the time-stamp if it receives valid responses from $n'$ witnesses.
     The backdating attack is successful if at least $n'$ of the selected witnesses are malicious.
@@ -187,11 +239,11 @@ The probability of a successful backdating attack according to Wallenius' distri
 
 \begin{align}
   P(k\geq n')&=\sum_{k=n'}^n\binom{K}{k}\binom{N-K}{n-k}\cdot\int_0^1\left(1-t^{\omega/d(k)}\right)^k\left(1-t^{1/d(k)}\right)^{n-k}\mathop{dt}\\
-  d(k)&=(K-k)\omega+(N-k)-(n-k)
+  d(k)&=(K-k)\omega+(N-K)-(n-k)
 \end{align}
 
-\begin{figure}[!h]
-  \includegraphics{figures/backdating_probability_noncentral_available.png}
+\begin{figure}
+  \includegraphics{figures/backdating_probability_noncentral_available.pdf}
   \caption{\label{figure::backdating_probability_noncentral_available}
     Probability of a successful backdating attack according to Wallenius' noncentral hypergeometric distribution when allowing witness unavailability.
     $N=30$ witnesses keep records of the time-stamps issued by the TSA.
@@ -205,3 +257,21 @@ The probability of a successful backdating attack according to Wallenius' distri
 \end{figure}
 
 Figure~\ref{figure::backdating_probability_noncentral_available} graphs this probability as a function of $K$ for different values of $n'$.
+
+\subsubsection{Protecting against Byzantine failures}
+
+We can regard both witness unavailability and the malicious collusion of witnesses for a backdating attack as types of Byzantine failures.
+Let $B$ be the number of Byzantine witnesses.
+Full protection against backdating as well as denial of service attacks is provided by the system if and only if:
+
+\begin{align}
+  n'>B &\quad\text{(Protection against backdating)}\\
+  n\geq n'+B > 2B &\quad\text{(Protection against DoS)}
+\end{align}
+
+If $n\leq 2B$, it is impossible to guarantee protection against both failure modes.
+In this case, there exists a fundamental trade-off concerning the choice of $n'$.
+Higher values provide better protection against backdating attacks, while lower values better protect against DoS.
+
+If the choice of $n$ does not guarantee protection against Byzantine failures, it is important that the client randomly selects witnesses without bias.
+If the client favors certain witnesses ($\omega>1$), this can vastly increase the chances of a successful attack, as can be observed by comparing Figure~\ref{figure::dos_hypergeometric} with Figure~\ref{figure::dos_noncentral}, or Figure~\ref{figure::backdating_probability_hypergeometric_available} with Figure~\ref{figure::backdating_probability_noncentral_available}.
diff --git a/figures/backdating_probability_hypergeometric.pdf b/figures/backdating_probability_hypergeometric.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..79b2ee1d29b5e756356a2a105ab340492a4b07f4
Binary files /dev/null and b/figures/backdating_probability_hypergeometric.pdf differ
diff --git a/figures/backdating_probability_hypergeometric.png b/figures/backdating_probability_hypergeometric.png
deleted file mode 100644
index beacd808a3dd923d3fb0f90e11c615187c8ff606..0000000000000000000000000000000000000000
Binary files a/figures/backdating_probability_hypergeometric.png and /dev/null differ
diff --git a/figures/backdating_probability_hypergeometric_available.pdf b/figures/backdating_probability_hypergeometric_available.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..2663a9b567c664b7d22f218e97b73924645e96ab
Binary files /dev/null and b/figures/backdating_probability_hypergeometric_available.pdf differ
diff --git a/figures/backdating_probability_hypergeometric_available.png b/figures/backdating_probability_hypergeometric_available.png
deleted file mode 100644
index f9d1f2ae506a9be7e569da31103a12c650975f81..0000000000000000000000000000000000000000
Binary files a/figures/backdating_probability_hypergeometric_available.png and /dev/null differ
diff --git a/figures/backdating_probability_noncentral.pdf b/figures/backdating_probability_noncentral.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..4c3d73fb3a1e309db16017e6f8c6fbfd9383bb3c
Binary files /dev/null and b/figures/backdating_probability_noncentral.pdf differ
diff --git a/figures/backdating_probability_noncentral.png b/figures/backdating_probability_noncentral.png
deleted file mode 100644
index b0ff20cc6084b8678203518520da535a33a2d6fb..0000000000000000000000000000000000000000
Binary files a/figures/backdating_probability_noncentral.png and /dev/null differ
diff --git a/figures/backdating_probability_noncentral_available.pdf b/figures/backdating_probability_noncentral_available.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..189001041fb181f5fe0e5ca1888abcad30c551de
Binary files /dev/null and b/figures/backdating_probability_noncentral_available.pdf differ
diff --git a/figures/backdating_probability_noncentral_available.png b/figures/backdating_probability_noncentral_available.png
deleted file mode 100644
index 8e5ff6c08ee8f9507c9e12f2c28d48269be7501d..0000000000000000000000000000000000000000
Binary files a/figures/backdating_probability_noncentral_available.png and /dev/null differ
diff --git a/figures/dos_hypergeometric.pdf b/figures/dos_hypergeometric.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..def597134d75a785887551066fcb95367a136630
Binary files /dev/null and b/figures/dos_hypergeometric.pdf differ
diff --git a/figures/dos_noncentral.pdf b/figures/dos_noncentral.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..0c23eb5c97da846f6aafb6a7ca8cfd3d180c869d
Binary files /dev/null and b/figures/dos_noncentral.pdf differ
diff --git a/figures/generate_figures.py b/figures/generate_figures.py
index b89bc6884344eaedbbc37a527f0c17d6f225a652..b4797ca3cc3bc57adad330cbce75fc1354182a62 100644
--- a/figures/generate_figures.py
+++ b/figures/generate_figures.py
@@ -27,7 +27,7 @@ plt.ylabel("Probability $P(k=n)$")
 plt.legend()
 plt.title("Backdating probability (Hypergeometric distribution, $N=%d$)" % N)
 plt.tight_layout()
-plt.savefig("backdating_probability_hypergeometric.png")
+plt.savefig("backdating_probability_hypergeometric.pdf")
 
 n = 8
 plt.figure(figsize=(WIDTH, WIDTH/2))
@@ -42,33 +42,61 @@ plt.ylabel("Probability $P(k=n)$")
 plt.legend()
 plt.title("Backdating probability (Wallenius' distribution $N=%d, n=%d$)" % (N, n))
 plt.tight_layout()
-plt.savefig("backdating_probability_noncentral.png")
+plt.savefig("backdating_probability_noncentral.pdf")
+
+plt.figure(figsize=(WIDTH, WIDTH/2))
+fmts = ["p-", "D-", "s-", "o-"]
+plot_dos_hypergeom = lambda nn: plt.plot(K, hypergeom.cdf(n, N, K, n) - hypergeom.cdf(n - nn, N, K, n), fmts.pop(), mec="w", label="$n'=%d$" % nn)
+plot_dos_hypergeom(8)
+plot_dos_hypergeom(5)
+plot_dos_hypergeom(3)
+plot_dos_hypergeom(1)
+plt.xlabel("\\# of unavailable witnesses $U$")
+plt.ylabel("Probability $P(u>n-n')$")
+plt.legend()
+plt.title("Witness unavailability (Hypergeometric distribution, $N=%d, n=%d$)" % (N, n))
+plt.tight_layout()
+plt.savefig("dos_hypergeometric.pdf")
+
+omega = 10
+plt.figure(figsize=(WIDTH, WIDTH/2))
+fmts = ["p-", "D-", "s-", "o-"]
+plot_dos_wallenius = lambda nn: plt.plot(K, nchypergeom_wallenius.cdf(n, N, K, n, omega) - nchypergeom_wallenius.cdf(n - nn, N, K, n, omega), fmts.pop(), mec="w", label="$n'=%d$" % nn)
+plot_dos_wallenius(8)
+plot_dos_wallenius(5)
+plot_dos_wallenius(3)
+plot_dos_wallenius(1)
+plt.xlabel("\\# of unavailable witnesses $U$")
+plt.ylabel("Probability $P(u>n'-n)$")
+plt.legend()
+plt.title("Denial of service (Wallenius' distribution, $N=%d, n=%d, \\omega=%d$)" % (N, n, omega))
+plt.tight_layout()
+plt.savefig("dos_noncentral.pdf")
 
 plt.figure(figsize=(WIDTH, WIDTH/2))
 fmts = ["p-", "D-", "s-", "o-"]
 plot_hypergeom_avail = lambda nn: plt.plot(K, hypergeom.cdf(n, N, K, n) - hypergeom.cdf(nn - 1, N, K, n), fmts.pop(), mec="w", label="$n'=%d$" % nn)
 plot_hypergeom_avail(8)
-plot_hypergeom_avail(4)
-plot_hypergeom_avail(2)
+plot_hypergeom_avail(5)
+plot_hypergeom_avail(3)
 plot_hypergeom_avail(1)
 plt.xlabel("\\# of colluding witnesses $K$")
 plt.ylabel("Probability $P(k\geq n')$")
 plt.legend()
 plt.title("Backdating vs. availability (Hypergeometric distribution, $N=%d, n=%d$)" % (N, n))
 plt.tight_layout()
-plt.savefig("backdating_probability_hypergeometric_available.png")
+plt.savefig("backdating_probability_hypergeometric_available.pdf")
 
-omega = 10
 plt.figure(figsize=(WIDTH, WIDTH/2))
 fmts = ["p-", "D-", "s-", "o-"]
 plot_wallenius_avail = lambda nn: plt.plot(K, nchypergeom_wallenius.cdf(n, N, K, n, omega) - nchypergeom_wallenius.cdf(nn - 1, N, K, n, omega), fmts.pop(), mec="w", label="$n'=%d$" % nn)
 plot_wallenius_avail(8)
-plot_wallenius_avail(6)
-plot_wallenius_avail(4)
+plot_wallenius_avail(5)
+plot_wallenius_avail(3)
 plot_wallenius_avail(1)
 plt.xlabel("\\# of colluding witnesses $K$")
 plt.ylabel("Probability $P(k\geq n')$")
 plt.legend()
 plt.title("Backdating vs. availability (Wallenius' distribution, $N=%d, n=%d, \\omega=%d$)" % (N, n, omega))
 plt.tight_layout()
-plt.savefig("backdating_probability_noncentral_available.png")
+plt.savefig("backdating_probability_noncentral_available.pdf")
diff --git a/thesis.pdf b/thesis.pdf
index baeea92fbc7c64130a3fbcf3cae15026e39d9dfe..82ae99afbea914cfd1bec6308683e97917ae02a4 100644
Binary files a/thesis.pdf and b/thesis.pdf differ