diff --git a/chap-ZK.tex b/chap-ZK.tex index e3c937d..204f1cd 100644 --- a/chap-ZK.tex +++ b/chap-ZK.tex @@ -21,7 +21,7 @@ If these primitives flourish in the context of number-theory-based cryptography The aforementioned protocol should also verify the following properties. \begin{description} \item[Completeness.] For any $(x, w) \in R$, $\Pr[ \langle P(x,w), V(x) \rangle = 1 ] \geq 1 - \negl[|\lambda|]$. - \item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$, + \item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$, $\Pr[\langle P^\star(x), V^\star(x) \rangle = 1] \leq s < 1 - \negl[|x|],$ where $s$ is called the \textit{soundness error}. \item[Zero-Knowledge.] Let $\trans(\cdot, \cdot)$ be the transcript of the interaction during the proof. @@ -33,7 +33,7 @@ If these primitives flourish in the context of number-theory-based cryptography We can notice that the soundness error can be reduced by repeating the proof. - If in the definition of \textit{zero-knowledge} the two ensembles are the same, then the proof is \textit{perfect zero-knowledge}. + If in the definition of \textit{zero-knowledge} the two ensembles are the same, then the proof is \textit{perfect zero-knowledge}. \end{definition} \begin{figure} @@ -113,7 +113,7 @@ Commitment schemes~\cite{Blu81} are the digital equivalent of a safe. The goal i \] over the randomness of $\Commit$. \item[Binding.] For any $\ppt$ adversary $\adv$ against the binding experiment, - \[ + \[ \Pr\left[\Exp{\mathrm{binding}}{\adv}(\lambda) = 1 \right] \leq \negl[\lambda]. \] \end{description} 
@@ -129,7 +129,7 @@ Another useful primitives are the non-interactive version of zero-knowledge proo A \textit{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w) \in \mathcal L \times \mathcal R\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in \mathcal L$ and $w \in \mathcal R$ and outputs a proof $\pi$, and V takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should verify the following properties. \begin{description} \item[Completeness.] For any $(x, w) \in R$, $\Pr[ V(x, P(x, w)) = 1 ] \geq 1 - \negl[|x|]$. - \item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$, + \item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$, $\Pr[V(x, P^\star(x)) = 1] < \negl[|x|].$ \item[Zero-Knowledge.] There exists a $\ppt$ simulator $S$ such that the probability ensembles $\{(x, P(x, w)) \}_{(x,w) \in R}$ and $\{S(x)\}_{(x, w) \in R}$ are computationally indistinguishable. \end{description} diff --git a/chap-proofs.tex b/chap-proofs.tex index b95723a..3c9c272 100644 --- a/chap-proofs.tex +++ b/chap-proofs.tex 
@@ -42,7 +42,7 @@ Let us now define more formally the notions of reduction and computability using A TM $M$ is said to \emph{compute} a function $f: \Sigma^\star \to \Gamma^\star$, if for any finite input $x \in \Sigma^\star$ on tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, $M$ halts in a finite number of steps with $f(x)$ written on its output tape $T_k$. A TM $M$ is said to \emph{recognize} a language $L \subseteq \Sigma^\star$ if on a finite input $x \in \Sigma^\star$ written on its input tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, the machine $M$ eventually ends on the state $q_{halt}$ with $1$ written on its output tape if and only if $x \in L$. - + A TM $M$ is said to run in $T(n)$-time if, on any input $x$, it eventually stops within $T(|x|)$ steps. A TM $M$ is said to run in $S(n)$-space if, on any input $x$, it eventually stops and had write at most $S(|x|)$ memory cells in its working tapes. @@ -222,7 +222,7 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t \procedure{$\Exp{\mathrm{EU-CMA}}{\adv}(\lambda)$}{ (vk,sk) \gets \Sigma.\mathsf{keygen}(1^\lambda)\\ \mathsf{st} \gets \emptyset; \ensemble{sign} = \emptyset\\ - \pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \oracle{sign}{sk,\cdot} ) \pcdo + \pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \oracle{sign}{sk,\cdot} ) \pcdo ;\\ (m^\star, \sigma^\star) \gets \adv(\texttt{forge}, vk, \mathsf{st}) \\ \pcreturn (vk, \ensemble{sign}, m^\star, \sigma^\star) @@ -255,7 +255,7 @@ Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which For EU-CMA, the advantage of an adversary $\adv$ is defined as \[ - \advantage{\textrm{EU-CMA}}{\adv}(\lambda) + \advantage{\textrm{EU-CMA}}{\adv}(\lambda) \triangleq \Pr\left[ \Sigma.\mathsf{verif}(vk, m^\star, \sigma^\star) = \top~\land~ \sigma^\star \notin \ensemble{sign} \right]. \] 
diff --git a/main.tex b/main.tex index b4af357..3802653 100644 --- a/main.tex +++ b/main.tex @@ -89,7 +89,7 @@ \mainmatter \pagestyle{ruled} -\input chap-introduction +\input chap-introduction \part{Background} \label{pa:background} diff --git a/sec-lattices.tex b/sec-lattices.tex index 96c23cb..6c438a1 100644 --- a/sec-lattices.tex +++ b/sec-lattices.tex @@ -2,7 +2,7 @@ % \section{Lattice-Based Cryptography} % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -During the last decade, lattice-based cryptography has emerged as a promising candidate for post-quantum cryptography. +During the last decade, lattice-based cryptography has emerged as a promising candidate for post-quantum cryptography. For example, on the first round of the NIST post-quantum competition, there are 28 out of 82 submissions from lattice-based cryptography~\cite{NIS17}. Lattice-based cryptography takes advantage of a simple mathematical structure, the so-called lattices, in order to provide beyond encryption and signature cryptography. For instance, fully homomorphic encryption~\cite{Gen09,GSW13} are only possible in the lattice-based world for now. 
@@ -82,9 +82,9 @@ In other words, it means that no polynomial time algorithms can solve those prob \begin{definition}[The $\SIS$ and $\ISIS$ problem] \label{de:sis} \index{Lattices!Short Integer Solution} \index{Lattices!Inhomogeneous \SIS} Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$. - The \textit{Short Integer Solution} problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$ with~$0 < \|\mathbf{x}\| \leq \beta$. + The \textit{Short Integer Solution} problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample \U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$ with~$0 < \|\mathbf{x}\| \leq \beta$. - The \textit{Inhomogeneous Short Integer Solution}~$\ISIS_{n,m,q,\beta}$ problem is, given~$\mathbf{A} \sample U(\Zq^{n \times m})$ and $\mathbf u \in \Zq^n$, find~$\mathbf{x} \in \Lambda_q^{\mathbf u}(\mathbf A)$ with~$0 < \| \mathbf x \| \leq \beta$. + The \textit{Inhomogeneous Short Integer Solution}~$\ISIS_{n,m,q,\beta}$ problem is, given~$\mathbf{A} \sample \U(\Zq^{n \times m})$ and $\mathbf u \in \Zq^n$, find~$\mathbf{x} \in \Lambda_q^{\mathbf u}(\mathbf A)$ with~$0 < \| \mathbf x \| \leq \beta$. \end{definition} Evidences of the hardness of the $\SIS$ and $\ISIS$ assumptions are given by the following Lemma, which reduced these problems from $\SIVP$. 
@@ -96,8 +96,8 @@ Evidences of the hardness of the $\SIS$ and $\ISIS$ assumptions are given by the \begin{definition}[The $\LWE$ problem] \label{de:lwe} \index{Lattices!Learning With Errors} Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. - For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. - The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$. + For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow \U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. + The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow \U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $\U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$. \end{definition} \begin{figure} 
@@ -148,7 +148,7 @@ The following Lemma states that it is possible to efficiently compute a uniform~ \begin{lemma}[{\cite[Th.~3.2]{AP09}}] \label{le:TrapGen} -There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ to~$U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq \bigO(\sqrt{n \log q})$. +There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ to~$\U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq \bigO(\sqrt{n \log q})$. \end{lemma} \noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MP12} proposed a more efficient approach for this combined task, which is to be be preferred in practice but, for the sake of simplicity, schemes are presented using $\TrapGen$ and $\GPVSample$ in this thesis. diff --git a/sec-pairings.tex b/sec-pairings.tex index 1438f43..cf00893 100644 --- a/sec-pairings.tex +++ b/sec-pairings.tex 
@@ -45,7 +45,7 @@ In the aforementioned chapter, we also rely on the following assumption, which g \label{de:SDL} \index{Pairings!SDL} In bilinear groups $\bigl(\GG,\Gh,\GT^{}\bigr)$ of prime order $p$, the \emph {Symmetric Discrete Logarithm} ($\SDL$) problem consists in, given $\bigl(g,\hat{g},g^a_{},\hat{g}^a_{}\bigr) \in \bigl(\GG \times \Gh\bigr)^2_{}$ - where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$. + where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$. \end{definition} This assumption is still a static and non-interactive assumption.
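Review bot: the soundness item in the first chap-ZK.tex hunk (the `+ \item[Soundness.]` line and its unchanged continuation) is internally inconsistent, and since the line is already being touched it should be fixed here: the cheating prover is introduced as `$P^\star(x, \bar w)$`, but the probability reads `$\Pr[\langle P^\star(x), V^\star(x) \rangle = 1]$`, dropping `\bar w` and starring the verifier, which everywhere else in the definition is the honest `$V(x)$`. The bound is also measured in `\negl[|x|]` while the completeness item two lines up uses `\negl[|\lambda|]`; pick one parameter. Suggest `$\Pr[\langle P^\star(x, \bar w), V(x) \rangle = 1] \leq s$` with `s` bounded away from 1 in the same parameter completeness uses.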
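Review bot: the NIZK soundness line in the second chap-ZK.tex hunk has the same mismatch between `$P^\star(x, \bar w)$` in the quantifier and `$P^\star(x)$` in the probability, and the only change to it is trailing whitespace; while the line is being rewritten, make the prover's arguments consistent, e.g. `$\Pr[V(x, P^\star(x, \bar w)) = 1] < \negl[|x|]$`. The hunk's context header also reads "Another useful primitives are the non-interactive version", which should be "Another useful primitive is the non-interactive version".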
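Review bot: the first chap-proofs.tex hunk changes only a whitespace blank line, but the unchanged line directly below it reads "it eventually stops and had write at most $S(|x|)$ memory cells", which should be "has written to at most $S(|x|)$ memory cells"; fix the typo in the same pass rather than leaving it beside a whitespace-only edit.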
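Review bot: in the EU-CMA `\procedure` hunk the `+ \pcwhile ... \pcdo` line differs from the `-` line only by trailing whitespace, and the loop body on the following line is just `;\\`, i.e. the while-loop has no visible body even though `\mathsf{st}` and `\ensemble{sign}` are initialised just above and returned at the end. If the query phase is meant to update the state and the set of issued signatures, that update should appear inside the loop (or the loop should be collapsed into a single oracle-access step); as drawn, the figure shows an empty loop.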
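Review bot: the `\advantage{\textrm{EU-CMA}}{\adv}` hunk is whitespace-only, but the winning condition on the next line, `\sigma^\star \notin \ensemble{sign}`, tests the forged signature against the set, while the prose above the hunk talks about signature queries on messages. Please state in the definition what `\ensemble{sign}` contains: if it holds the queried messages, the condition should be `m^\star \notin \ensemble{sign}`; if it holds (message, signature) pairs, the condition should compare the pair `(m^\star, \sigma^\star)`. As written the membership test is on a different type from what the procedure appears to collect.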
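Review bot: the `+During the last decade, ...` line in sec-lattices.tex changes only trailing whitespace, but the unchanged sentences that follow have grammar slips that could ride along in this commit: "fully homomorphic encryption~\cite{Gen09,GSW13} are only possible" should be "is only possible", and "in order to provide beyond encryption and signature cryptography" reads more naturally as "in order to provide cryptography beyond encryption and signatures".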
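Review bot: the SIS/ISIS hunk replaces `U(\Zq^{n \times m})` by the macro `\U(\Zq^{n \times m})`, which is a notational change bundled into an otherwise whitespace-only commit. The definition of `\U` is not in the diff, so please confirm it is defined in the preamble and mention the macro-ification in the commit message, since every other hunk here is trailing-whitespace cleanup. The unchanged sentence after the definition, "Evidences of the hardness of the $\SIS$ and $\ISIS$ assumptions are given by the following Lemma, which reduced these problems", should read "Evidence of the hardness ... is given by the following lemma, which reduces these problems".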
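Review bot: the two `+` lines in the LWE hunk still use two names for the same distribution: `$A_{\mathbf{s}, \chi}$` where it is defined and `$\mathcal{A}_{\mathbf{s},\chi}$` where it is used one line later. Since both lines are being rewritten for `\U` anyway, unify them on one form. The same hunk samples with `\hookleftarrow` while the SIS/ISIS hunk in the same file uses `\sample`; one sampling macro across sec-lattices.tex would be cleaner.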
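Review bot: the `\TrapGen` lemma hunk is the `\U` macro change only, but the unchanged remark below it contains a doubled word, "which is to be be preferred in practice"; drop the extra "be" while the file is open.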
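Review bot: in main.tex the `-`/`+` pair on `\input chap-introduction` differs only by trailing whitespace, and because this is the unbraced form of `\input`, the filename is terminated by that space or by the end of line, so the change is harmless. Still, the braced form `\input{chap-introduction}` removes the dependence on whitespace altogether and matches the braced `\label{pa:background}` two lines below; worth switching while touching the line.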