Add french TOC and ZK part

abstract.tex

@@ -1,6 +1,7 @@
 % vim: spl=fr
 \chapter*{Résumé}
 \addcontentsline{toc}{chapter}{Résumé}
+\addcontentsline{tof}{chapter}{Résumé}
 
 \begin{otherlanguage}{french}
   Dans cette thèse, nous étudions les constructions cryptographiques prouvées pour la protection de la vie privée.
@@ -21,3 +22,4 @@
 {\Huge \textbf{\textsf{Abstract}}}
 \flushleftright
 \addcontentsline{toc}{chapter}{Abstract}
+\addcontentsline{tof}{chapter}{Résumé en anglais}

acknowledgements.tex

@@ -1,6 +1,9 @@
 \thispagestyle{empty}
 \chapter*{Remerciements}
 \addcontentsline{toc}{chapter}{Remerciements}
+\addcontentsline{tof}{chapter}{Remerciements}
+
+Merci.
 
 \begin{otherlanguage}{french}
 \end{otherlanguage}

chap-GS-LWE.tex

@@ -1 +1,2 @@
 \chapter{Lattice-Based Dynamic Group Signatures}
+\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de réseaux euclidiens}

chap-ZK.tex

@@ -1,5 +1,96 @@
 \chapter{Zero-Knowledge Arguments}
+\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Arguments à divulgation nulle de connaissance}
+
+A \textit{zero-knowledge proof}~\cite{GMR85} (or \textbf{ZK proofs}) is an \textit{interactive proof} between a prover and a verifier at the end of which the verifier should be convinced of the truth of a statement (within some probability, called \emph{soundness error}), while the prover has the insurance that the verifier does not learn anything more that the authenticity of the statement.
+
+One of the early applications of ZK proofs in cryptography was for identification systems~\cite{FS86}.
+The goal is for a user $A$ to prove the knowledge of a secret (such as a password) to user $B$ without revealing any piece of information about the secret, otherwise user $B$ would be able to impersonate $A$.
+Since then, the use of zero-knowledge proofs is now widespread in privacy-enhancing cryptography:~anonymous credentials, group signatures, electronic voting, e-cash, \ldots
+
+If these primitives flourish in the context of number-theory-based cryptography (such as RSA groups or pairing groups), they are still elusive in the lattice world. In this section, we focus on presenting the different proofs systems in pairing and lattice-based cryptography.
+
+\section{Definitions}
+\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définitions}
+
+
+\begin{definition}[Zero-knowledge proofs and arguments]
+  \label{de:zk-proof} \index{Zero Knowledge!Proofs} \index{Zero Knowledge!Argument}
+  Let $R = \{ (x, w) \in \mathcal L \times \mathcal R \}$ be a binary relation.
+  A \textit{zero-knowledge proof} for a relation $R$ is an interactive protocol between a prover $P(x,w)$ and a verifier $V(x)$ where $V$ outputs a bit $b$ at the end of the interaction.
+  This is written as $\langle P(x,w) , V(x) \rangle = b$.
+  The aforementioned protocol should also verify the following properties.
+  \begin{description}
+    \item[Completeness.] For any $(x, w) \in R$, $\Pr[ \langle P(x,w), V(x) \rangle = 1 ] \geq 1 - \negl[|\lambda|]$.
+    \item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$, 
+      $\Pr[\langle P^\star(x), V^\star(x) \rangle = 1] \leq s < 1 - \negl[|x|],$
+      where $s$ is called the \textit{soundness error}.
+    \item[Zero-Knowledge.] Let $\trans(\cdot, \cdot)$ be the transcript of the interaction during the proof.
+      There exists a $\ppt$ simulator $S$ such that for all $\ppt$ algorithm $V^\star$,
+      $\{\trans(P(x, w), V^\star(x))\}_{(x,w) \in R}$ and $\{S^{V^\star}(x)\}_{(x,w) \in R}$ are computationally indistinguishable.
+  \end{description}
+
+  If in the soundness definition, the adversary $P^\star$ is restricted to be a $\ppt$ algorithm, then the proof system is called an \textit{argument}.
+
+  We can notice that the soundness error can be reduced by repeating the proof.
+\end{definition}
+
+\begin{figure}
+  \centering
+  \footnotesize
+  \begin{tabular}{ccc}
+    $P(x,w)$ & & $V(x)$\\
+    \hline
+    $(\cmt, \mathsf{st}_P) \gets P_1(x,w)$ & & \\
+    & $\xrightarrow{\mathmakebox[2cm]{\cmt}}$ & \\
+    & & $(\chall, \mathsf{st}_V) \gets V_1(x, \cmt)$ \\
+    & $\xleftarrow{\mathmakebox[2cm]{\chall}}$ & \\
+    $\rsp \gets P_2(x,w,\chall, \mathsf{st}_P)$ & & \\
+    & $\xrightarrow{\mathmakebox[2cm]{\rsp}}$ & \\
+    & & return $b = V_2(x, \chall, \rsp, \mathsf{st}_V)$
+  \end{tabular}
+  \caption{$\Sigma$-protocol} \label{fig:sigma}
+\end{figure}
+
+Zero-knowledge proofs also exists in a non-interactive version.
+
+\begin{definition}[Non Interactive Zero Knowledge]
+  \index{Zero Knowledge!NIZK}
+  \label{de:nizk-proofs}
+  A \textit{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w) \in \mathcal L \times \mathcal R\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in \mathcal L$ and $w \in \mathcal R$ and outputs a proof $\pi$, and V takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should verify the following properties.
+  \begin{description}
+    \item[Completeness.] For any $(x, w) \in R$, $\Pr[ V(x, P(x, w)) = 1 ] \geq 1 - \negl[|x|]$.
+    \item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$, 
+      $\Pr[V(x, P^\star(x)) = 1] < \negl[|x|].$
+    \item[Zero-Knowledge.] There exists a $\ppt$ simulator $S$ such that the probability ensembles $\{(x, P(x, w)) \}_{(x,w) \in R}$ and $\{S(x)\}_{(x, w) \in R}$ are computationally indistinguishable.
+  \end{description}
+\end{definition}
+
+In the random oracle model, it is possible to transform a ZK proof into an NIZK proof. This techniques is called the Fiat-Shamir transform.
+
+\begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}]
+  \index{Zero Knowledge!Fiat-Shamir Transform}
+  Let $(P, V)$ be a three-round zero-knowledge proof for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal H$ be a cryptographic hash function.
+
+  Let $\hat P$ be the following non-interactive prover that takes as inputs $x$ and $w$:
+  \begin{enumerate}
+    \item First run $P_1(x,w)$ to get a random commitment $\cmt$ and a state information $\mathsf{st}_P$;
+    \item Generate the challenge as $\chall \gets \mathcal H(\cmt)$;
+    \item Run $\rsp \gets P_2(x, w, \chall, \mathsf{st}_P)$;
+    \item Return the proof $\pi = (\cmt, \rsp)$.
+  \end{enumerate}
+
+  And let $\hat V$ be the following non-interactive verifier that takes as inputs $x$ and $\pi$:
+  \begin{enumerate}
+    \item Parse $\pi$ as $(\cmt, \rsp)$;
+    \item Generate the challenge $\chall = \mathcal H(\cmt)$;
+    \item Return $V_2(x, \chall, \rsp, \emptyset)$.
+  \end{enumerate}
+
+  Then $(\hat P, \hat V)$ forms a non-interactive zero-knowledge proof in the \ROM.
+\end{definition}
 
 \section{Schnorr Proofs}
+\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves de Schnorr}
 
 \section{Stern-like Proofs}
+\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves à la Stern}

chap-conclusion.tex

@@ -1,2 +1,3 @@
 \chapter*{Conclusion}
 \addcontentsline{toc}{part}{Conclusion}
+\addcontentsline{tof}{part}{Conclusion}

chap-introduction.tex

@@ -1,2 +1,3 @@
 \chapter{Introduction}
+\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Introduction}
 

chap-proofs.tex

@@ -1,4 +1,5 @@
 \chapter{Security Proofs in Cryptography} \label{ch:proofs}
+\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Les preuves de sécurité en cryptographie}
 
 Provable security is a subfield of cryptography where constructions are proven secure with regards to a security model.
 To illustrate this notion, let us take the example of public-key encryption schemes.
@@ -17,6 +18,7 @@ Then we will define these security models.
 % Security Reductions %
 %%%%%%%%%%%%%%%%%%%%%%%
 \section{Security Reductions}
+\addcontentsline{tof}{section}{\protect\numberline{\thesection} Réductions de sécurité}
 
 Provable security  providing constructions for which the security is guaranteed by a security proof, or \emph{security reduction}.
 The name ``reduction'' comes from computational complexity.
@@ -129,9 +131,9 @@ To illustrate this, let us consider the two following assumptions:
 \end{definition}
 
 \begin{restatable}[Decisional Diffie-Hellman]{definition}{defDDH}
-    \index{Discrete Logarithm!Decisional Diffie-Hellman} \label{de:DDH}
+  \index{Discrete Logarithm!Decisional Diffie-Hellman} \label{de:DDH}
   Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following.
-  Given the tuple $(g, g_1^{}, g_2^{}, g_3^{}) = (g, g^a_{}, g^b{}, g^c_{}) \in \GG^4_{}$, the goal is to decide whether $c = ab$ or $c$ is sampled uniformly in $\GG$.
+  Given the tuple $\bigl(g, g_1^{}, g_2^{}, g_3^{}\bigr) = \bigl(g, g^a_{}, g^b{}, g^c_{}\bigr) \in \GG^4_{}$, the goal is to decide whether $c = ab$ or $c$ is sampled uniformly in $\GG$.
 
   The \textit{\DDH assumption} is the intractability of the problem for any $\ppt$ algorithm.
 \end{restatable}
@@ -157,6 +159,7 @@ In other words, the context in which the proofs are made.
 This is the topic of the next section.
 
 \section{Random-Oracle Model and Standard Model} \label{se:models}
+\addcontentsline{tof}{section}{\protect\numberline{\thesection} Modèle de l'oracle aléatoire et modèle standard}
 
 The most general model to do security proofs is the \textit{standard model}.
 In this model, nothing special is assumed, and every assumptions are explicit.
@@ -194,6 +197,7 @@ We now have defined the security structure on which we are working on and the ba
 The following section explains how to define the security of a cryptographic primitive.
 
 \section{Security Games and Simulation-Based Security} \label{se:games-sim}
+\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves par jeux et preuves par simulation}
 
 Up to now, we defined the structure on which security proofs works. Let us now define what we are proving.
 An example of what we are proving has been shown in Section~\ref{se:models} with cryptographic hash functions.

chap-sigmasig.tex

@@ -1 +1,2 @@
 \chapter{Pairing-Based Dynamic Group Signatures} \label{ch:sigmasig}
+\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages}

chap-structures.tex

@@ -1,4 +1,5 @@
 \chapter{Underlying Structures}
+\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Structures sous-jacentes}
 \label{ch:structures}
 
 In the previous chapter, we saw that theoretical cryptography has to rely on \emph{computational hardness assumptions}.
@@ -16,11 +17,13 @@ An example is the multiplicative homomorphism of the ElGamal cryptosystem which
 In this chapter, we describe the different structures on which the cryptography primitives we design in this thesis are based on, namely bilinear groups and lattices.
 
 \section{Pairing-Based Cryptography}
+\addcontentsline{tof}{section}{\protect\numberline{\thesection} Cryptographie à base de couplage}
 \label{se:pairing}
 
 \input sec-pairings
 
 \section{Lattice-Based Cryptography}
+\addcontentsline{tof}{section}{\protect\numberline{\thesection} Cryptographie à base de réseaux euclidiens}
 \label{se:lattices}
 
 \input sec-lattices

fig-lwe-sis.tex

@@ -0,0 +1,37 @@
+\medskip
+\hfill
+\begin{minipage}[t]{.45\textwidth}
+  \textbf{$\LWE_{n,q,\chi}$ problem:}\\Given $m \geq 1$, \\[.5em]
+  $\left(
+    \begin{tikzpicture}
+      \tikzstyle{matA}=[fill=blue!10]
+      \tikzstyle{vecS}=[color=red!70!black]
+      \tikzstyle{vecE}=[color=orange!70!black]
+      \path[use as bounding box] (-2.1, .5) rectangle (2.4, 1.8);
+      \draw[matA, xshift=-2cm, yshift=.5cm] (0,0) rectangle node {$\mathbf{A}$} (1.5,1);
+      \node at (-.2, .75) {$,$};
+      \draw[matA] (0,0) rectangle node {$\mathbf{A}^T_{}$} (1,1.5);
+      \draw[|-|, vecS] (1.2, 1.5) -- node[right] {$\mathbf s$} ++(0, -1);
+      \node at (1.8, .75) {$+$};
+      \draw[|-|, vecE] (2.1, 1.5) -- node[right] {$\mathbf e$} ++ (0, -1.5);
+    \end{tikzpicture}
+  \right)$\\[.5em]
+  $\in \Zq^{n \times m} \times \Zq^{m}$,
+  find $\textcolor{red!70!black}{\mathbf{s}} \in \Zq^n.$
+\end{minipage} \hfill
+\begin{minipage}[t]{.4\textwidth}
+  \textbf{$\SIS_{n,m,q,\beta}$ problem:}\\Given\\[.5em]
+  $\tikz[baseline=.3cm]{ \draw[fill=blue!10] (0,0) rectangle node {$\mathbf{A}$} (1.5,1); } \in \Zq^{n \times m},$
+  find $\textcolor{red!70!black}{\mathbf x} \in \ZZ^m_{}$ such that\\[.5em]
+  $\begin{tikzpicture}[baseline=.25cm]
+    \tikzstyle{matA}=[fill=blue!10]
+    \tikzstyle{vecX}=[color=red!70!black]
+    \draw[matA] (0,0) rectangle node {$\mathbf{A}$} (1.5,1);
+    \draw[|-|, vecX] (1.7, 1) -- node[right] {$\mathbf x$} ++ (0, -1.5);
+    \node at (2.4, .25) {$=$};
+    \draw[|-|] (2.8, 1) -- node[right] {$\mathbf 0^n$} ++ (0, -1);
+  \end{tikzpicture},$ and\\$0< \|\textcolor{red!70!black}{\mathbf x}\| \leq \beta$.
+\end{minipage}
+\hfill
+\medskip
+

frtoc.tex

@@ -0,0 +1,11 @@
+\makeatletter
+\newcommand\frenchtableofcontents{%
+  \selectlanguage{french}%
+  \chapter*{\contentsname
+    \@mkboth{%
+      \MakeUppercase\contentsname}{\MakeUppercase\contentsname}}%
+ \@starttoc{tof}%
+  \addcontentsline{tof}{chapter}{\contentsname}
+  \selectlanguage{english}%
+ }
+ \makeatother

garde.tex

@@ -75,9 +75,9 @@ Devant le jury composé de :
 
 %\bigskip
 
-\textsc{Agrawal} Shweta, Professeure, Indian Institute of Technology \hfill  Rapporteure
+\textsc{Agrawal} Shweta, Professeure, Indian Institute of Technology (Madras, Inde) \hfill  Rapporteur
 
-Nom Prénom, grade/qualité, établissement/entreprise \hfill Rapporteur
+\textsc{Pointcheval} David, Directeur de Recherche, CNRS et ENS \hfill Rapporteur
 
 Nom Prénom, grade/qualité, établissement/entreprise \hfill Examinateur
 

macros.tex

@@ -17,6 +17,11 @@
 \newcommand{\NIZK}{\textsf{NIZK}\xspace}
 \newcommand{\PKE}{\textsf{PKE}\xspace}
 \newcommand{\OT}{\textsf{OT}\xspace}
+%% ZK
+\newcommand{\trans}{\textsf{trans}\xspace}
+\newcommand{\cmt}{\textsf{cmt}\xspace}
+\newcommand{\chall}{\textsf{chall}\xspace}
+\newcommand{\rsp}{\textsf{response}\xspace}
 
 % Assumptions/Problems
 %% Pairings

main.tex

@@ -35,7 +35,7 @@
 \setlength{\parskip}{5pt}
 \usepackage{enumerate}
 
-\usepackage{amsmath, amssymb, mathrsfs}
+\usepackage{amsmath, amssymb, mathrsfs, mathtools}
 \usepackage{amsthm} % For theorem style
 \usepackage{thmtools}
 \usepackage{thm-restate}
@@ -54,6 +54,7 @@
 \usepackage{pdfpages}
 \usepackage{xspace}
 
+\input frtoc
 \input macros
 
 \title{Privacy-preserving cryptography from pairings and lattices}
@@ -78,6 +79,8 @@
 
 \input acknowledgements
 
+\cleardoublepage
+\frenchtableofcontents
 \cleardoublepage
 \tableofcontents
 
@@ -88,6 +91,9 @@
 \input chap-introduction 
 
 \part{Background}
+\label{pa:background}
+\addcontentsline{tof}{part}{\protect\numberline{\thepart} Préliminaires}
+
 \input chap-proofs
 
 \input chap-structures
@@ -96,12 +102,14 @@
 
 \part{Group Signatures and Anonymous Credentials}
 \label{pa:gs-ac}
+\addcontentsline{tof}{part}{\protect\numberline{\thepart} Signatures de groupe et accréditations anonymes}
 
 \input chap-sigmasig
 
 \input chap-GS-LWE
 
 \part{Group Encryption and Adaptive Oblivious Transfer}
+\addcontentsline{tof}{part}{\protect\numberline{\thepart} Chiffrement de groupe et transfert inconscient adaptatif}
 
 \input chap-GE-LWE
 
@@ -111,8 +119,11 @@
 
 \bibliographystyle{alphaabbr}
 \bibliography{these.bib}
+\addcontentsline{tof}{part}{Bibliographie}
 \printindex
+\addcontentsline{tof}{part}{Index en anglais}
 \backmatter
 \listoffigures
+\addcontentsline{tof}{part}{Liste des figures}
 \end{document}
 % vim: spl=en

sec-lattices.tex

@@ -14,6 +14,7 @@ This gives us a good confidence in the lattice-based assumptions (given the \emp
 
 \subsection{Lattices and Hard Lattice Problems}
 \label{sse:lattice-problems}
+\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Réseaux euclidiens et problèmes difficiles}
 
 \begin{figure}
   \centering
@@ -57,7 +58,7 @@ In order to work with lattices in cryptography, hard lattice problems have to be
 This problem reduces to the \textit{Learning With Errors}~($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later.
 These links are important as those are ``worst-case to average-case'' reductions.
 
-In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs.
+In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to construct new cryptographic designs.
 On the other hand, the $\LWE$ and $\SIS$ assumptions ---\,which are ``average-case'' assumptions\,--- are more suitable to design cryptographic schemes.
 
 In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).
@@ -74,7 +75,7 @@ This leads us to the $\SIVP$ problem, which is finding a set of sufficiently sho
   For a dimension $n$ lattice described by a basis $\mathbf B \in \RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem is to find $n$ linearly independent vectors $v_1, \ldots, v_n$ such that $\| v_1 \| \leq \| v_2 \| \leq \ldots \leq \| v_n \|$ and $\|v_n\| \leq \gamma \cdot \lambda_n(\mathbf B)$.
 \end{definition}
 
-As explained before, the hardness of this assumption for worst-case lattices implies the hardness of the following two assumptions in their average-case setting.
+As explained before, the hardness of this assumption for worst-case lattices implies the hardness of the following two assumptions in their average-case setting, which are illustrated in Figure~\ref{fig:lwe-sis}.
 In other words, it means that no polynomial time algorithms can solve those problems with non-negligible probability and non-negligible advantage given that $\SIVP$ is hard.
 %As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively.
 
@@ -93,6 +94,13 @@ For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribut
 The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
 \end{definition}
 
+\begin{figure}
+  \centering
+  \input fig-lwe-sis
+  \caption{Illustration of the LWE and SIS problems.}
+  \label{fig:lwe-sis}
+\end{figure}
+
 If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\mathcal{O}}(nq/B)$, then there exists an efficient sampleable $B$-bounded distribution~$\chi$ ({i.e.}, $\chi$ outputs samples with norm at most $B$ with overwhelming probability) such that $\mathsf{LWE}_{n,q,\chi}$ is as least as hard as $\mathsf{SIVP}_{\gamma}$ (see, e.g., \cite{Reg05,Pei09,BLP+13}).
  % (see~\cite{Pei09,BLPRS13} for classical analogues).
 
@@ -101,17 +109,18 @@ If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\m
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \subsection{Lattice Trapdoors}
 \label{sse:lattice-trapdoors}
+\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Trappes d'un réseau euclidien}
 
 In this section, we state the different algorithms that use ``\textit{lattice trapdoors}''.
 A trapdoor for lattice $\Lambda$ is a \textit{short} basis of this lattice.
 The knowledge of such a basis allows to sample elements in $D_{\Lambda, \sigma}$ within some restrictions given in~\cref{le:GPV}.
 The existence of this sampler permits to solve hard lattice problems such as $\SIS$, which is assumed to be intractable in polynomial time.
-Indeed,~\cref{le:TrapGen} shows that it is possible to sample a (close to) uniform matrix $\mathbf{A} \in \ZZ_q^{n \times m}$ along with a short basis for $\Lambda^\perp_{q}(\mathbf{A})$.
+Indeed,~\cref{le:TrapGen} shows that it is possible to sample a (statistically close to) uniform matrix $\mathbf{A} \in \ZZ_q^{n \times m}$ along with a short basis for $\Lambda^\perp_{q}(\mathbf{A})$.
 Thus, a vector sampled in $D_{\Lambda^\perp_{q}(\mathbf{A}), \sigma}$, which is short with overwhelming probabilities according to~\cref{le:small}, is a solution to $\SIS_{n,m,q,\sigma \sqrt{n}}$.
 
 Gentry {\em et al.}~\cite{GPV08} showed that Gaussian distributions with lattice support can be sampled efficiently given a sufficiently short basis of the lattice.
 
-\scbf{Notation.} Given a matrix $\mathbf{A}$, let $\widetilde{\mathbf{A}}$ be the Gram-Schmidt orthogonalization of $\mathbf{A}$.
+\scbf{Recall.} Given a matrix $\mathbf{A}$, $\widetilde{\mathbf{A}}$ denotes the Gram-Schmidt orthogonalization of $\mathbf{A}$.
 
 \begin{lemma}[{\cite[Le.~2.3]{BLP+13}}]
 \label{le:GPV}

sec-pairings.tex

@@ -43,8 +43,8 @@ In the aforementioned chapter, we also rely on the following assumption, which g
 
 \begin{definition}[$\SDL$]
   \label{de:SDL} \index{Pairings!SDL}
-  In bilinear groups $(\GG,\Gh,\GT^{})$  of  prime order $p$,  the \emph {Symmetric  Discrete Logarithm} ($\SDL$) problem  consists in, given
-  $(g,\hat{g},g^a,\hat{g}^a) \in \GG \times \Gh$
+  In bilinear groups $\bigl(\GG,\Gh,\GT^{}\bigr)$  of  prime order $p$,  the \emph {Symmetric  Discrete Logarithm} ($\SDL$) problem  consists in, given
+  $\bigl(g,\hat{g},g^a_{},\hat{g}^a_{}\bigr) \in \bigl(\GG \times \Gh\bigr)^2_{}$
   where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$. 
 \end{definition}
 

symbols.tex

@@ -1,11 +1,15 @@
 \chapter*{List of Symbols}
 \addcontentsline{toc}{chapter}{List of Symbols}
+\addcontentsline{tof}{chapter}{Liste des symboles et abréviations}
 
 \begin{tabular}{ll}
   \multicolumn{2}{l}{\scbf{General Notations}}          \\
   TM         & Turing Machine                           \\
   $\ppt$     & Probabilistic Polynomial Time            \\
   $\epsilon$ & empty word                               \\
+  $\mathbf A$ & bold uppercase letters represent matrices\\
+  $\mathbf b$ & bold lowercase letters represent vectors\\
+  $\widetilde{\mathbf A}$ & Gram-Schmidt orthogonalization of matrix $\mathbf A$\\
   [1ex] \multicolumn{2}{l}{\scbf{Protocols}}            \\
   $\PKE$     & Public Key Encryption                    \\
   $\ZK$      & Zero-Knowledge                           \\

these.bib

@@ -2449,4 +2449,12 @@
   publisher = {Springer},
 }
 
+@InProceedings{Blu86,
+  author    = {Blum, Manuel},
+  title     = {How to prove a theorem so no one else can claim it},
+  booktitle = {International Congress of Mathematicians},
+  year      = {1986},
+  pages     = {1444--1451},
+}
+
 @Comment{jabref-meta: databaseType:bibtex;}