From 4c75b2550912df4975bd43b046f5a41ba39ce567 Mon Sep 17 00:00:00 2001
From: Fabrice Mouhartem
Date: Mon, 18 Jun 2018 14:11:43 +0200
Subject: [PATCH] bit->bin
---
 chap-GS-LWE.tex | 94 ++++++++++++++++++++++++-------------------------
 1 file changed, 47 insertions(+), 47 deletions(-)
diff --git a/chap-GS-LWE.tex b/chap-GS-LWE.tex
index 06da885..a0ac988 100644
--- a/chap-GS-LWE.tex
+++ b/chap-GS-LWE.tex
@@ -72,7 +72,7 @@ $\mathsf{bin}(\mathbf{v}_i) $ of $\mathbf{v}_i$. The vector $\mathsf{bin}(\mathb
 $(\tau,\mathbf{v},\mathbf{s}) $ as a membership certificate, the group member is able to sign a message by proving that: (i) He holds a valid signature $(\tau,\mathbf{v},\mathbf{s})$ on some secret binary message $\mathsf{bin}(\mathbf{v}_i) $; (ii) The latter vector $\mathsf{bin}(\mathbf{v}_i) $ is the binary expansion of some syndrome $\mathbf{v}_i$ of which he knows a GPV pre-image $\mathbf{z}_i $. We remark that condition (ii) can be proved by providing evidence that we have $
-\mathbf{v}_i = \mathbf{H} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \bmod q$, for some short integer vector $\mathbf{z}_i $ and some binary $\mathsf{bin}(\mathbf{v}_i) $,
+\mathbf{v}_i = \mathbf{H} \cdot \textsf{bin}(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \bmod q$, for some short integer vector $\mathbf{z}_i $ and some binary $\mathsf{bin}(\mathbf{v}_i) $,
 where $\mathbf{H}$ is the ``powers-of-$2$'' matrix. Our abstraction of Stern-like protocols \cite{Ste96,KTX08,LNSW13} allows us to efficiently argue such statements. The fact that the underlying chameleon hash function smoothly interacts with Stern-like zero-knowledge arguments is the property that maintains the user's capability of efficiently proving knowledge of the underlying secret key.
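Review bot: The added line typesets the same symbol two ways: it switches to `\textsf{bin}(\mathbf{v}_i)` while the rest of the very same sentence, on the context lines and at the tail of the new line itself, keeps `$\mathsf{bin}(\mathbf{v}_i)$`; inside math, `\mathsf` is the math-mode form and `\textsf` is a text command that does not follow math-style sizing in sub- and superscripts. The replacement also looks like a literal substitution of `\bit(` only, since `\bit (`, `\bit \big(` and `\bit \bigl(` survive on new-side lines in the hunks at @@ -440, @@ -456, @@ -925, @@ -1077, @@ -1208, @@ -1235 and @@ -1301, leaving mixed formulas such as `\textsf{bin}(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot \ldots )`. A single preamble macro, e.g. `\newcommand*{\bin}{\mathsf{bin}}` (or pointing the existing `\bit` definition at `\mathsf{bin}`), used as `\bin(\ldots)` throughout, would keep the notation in one place and make the 47 edits mechanical; the preamble is outside this patch.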
@@ -106,7 +106,7 @@ $\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k$
 We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each block is a $2m$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[2m] \in \{0,1\}^{2m}$ for $k \in \{1,\ldots, N\}$.
-For each vector $\mathbf{v} \in \Zq^L$, we denote by $\bit(\mathbf{v}) \in \{0,1\}^{L \lceil \log q \rceil}$ the vector obtained by replacing each
+For each vector $\mathbf{v} \in \Zq^L$, we denote by $\textsf{bin}(\mathbf{v}) \in \{0,1\}^{L \lceil \log q \rceil}$ the vector obtained by replacing each
 coordinate of $\mathbf{v}$ by its binary representation.
@@ -139,7 +139,7 @@ coordinate of $\mathbf{v}$ by its binary representation.
 \end{eqnarray} \item Sample a vector $\mathbf{s} \sample D_{\ZZ^{2m},\sigma_1 }$. Compute $\mathbf{c}_M \in \Zq^{2n}$ as a chameleon hash of $\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right)$: i.e., compute $\mathbf{c}_M = \mathbf{D}_{0} \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{2n} ,$
- which is used to define $\mathbf{u}_M=\mathbf{u} + \mathbf{D} \cdot \bit( \mathbf{c}_M) \in \Zq^n .$
+ which is used to define $\mathbf{u}_M=\mathbf{u} + \mathbf{D} \cdot \textsf{bin}( \mathbf{c}_M) \in \Zq^n .$
 Then, using the delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$, sample a short vector $\mathbf{v} \in \ZZ^{2m}$ in $D_{\Lambda_q^{\mathbf{u}_M}(\mathbf{A}_\tau), \sigma}$. \end{enumerate}
@@ -148,7 +148,7 @@ coordinate of $\mathbf{v}$ by its binary representation.
 signature $sig=(\tau,\mathbf{v},\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$, return $1$ if \begin{eqnarray} \label{ver-eq-block}
- \mathbf{A}_{\tau} \cdot \mathbf{v} &=& \mathbf{u} + \mathbf{D} \cdot \bit( \mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k ) \bmod q.
+ \mathbf{A}_{\tau} \cdot \mathbf{v} &=& \mathbf{u} + \mathbf{D} \cdot \textsf{bin}( \mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k ) \bmod q.
 \end{eqnarray} and $\| \mathbf{v} \| < \sigma \sqrt{2m}$, $\| \mathbf{s} \| < \sigma_1 \sqrt{2m}$. \end{description}
@@ -358,7 +358,7 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
 \begin{array}{c} \mathbf{v}_1 \\ \hline \mathbf{v}_2 \end{array} \right]
- - \mathbf{D} \cdot \bit( \mathbf{c}_M ) \bmod q$, where
+ - \mathbf{D} \cdot \textsf{bin}( \mathbf{c}_M ) \bmod q$, where
 \begin{eqnarray*} \mathbf{A}_{\tau^{(i^\dagger)}} &=& \left[ \begin{array}{c|c} \mathbf{A} ~ & ~ \mathbf{A}_0 +
@@ -384,7 +384,7 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
 \end{eqnarray*} with $h_{\tau^{(i)}} = h_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot h_j \neq 0$. This implies that $\bdv$ can use the trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ to generate a signature. To this end, $\bdv$ first samples a discrete Gaussian vector $\vec{s}^{(i)} \sample D_{\ZZ^{2m},\sigma_1}$ and computes $\mathbf{u}_M \in \Zq^n$ as
- $$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \bit( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } ) ~~ \bmod q.$$ Then,
+ $$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \textsf{bin}( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } ) ~~ \bmod q.$$ Then,
 using $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, it samples a short vector $\mathbf{v}^{(i)} \in \ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_{\tau^{(i)}}), \sigma}$ such that $(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)})$ satisfies (\ref{ver-eq-block}). \item At the $i^\dagger$-th signing query $ (\mathfrak{m}_1^{(i^\dagger)},\ldots,\mathfrak{m}_N^{(i^\dagger)})$, we have
@@ -440,15 +440,15 @@ such that
 \begin{eqnarray} \label{second-sol} \mathbf{A}_{\tau^{(i^\dagger)}} \cdot \left[\begin{array}{c} \mathbf{v}_1 \\ \hline \mathbf{v}_2
-\end{array} \right] = \mathbf{u} + \mathbf{D} \cdot \bit( \mathbf{c}_M ) \bmod q. \end{eqnarray}
+\end{array} \right] = \mathbf{u} + \mathbf{D} \cdot \textsf{bin}( \mathbf{c}_M ) \bmod q. \end{eqnarray}
 Relation (\ref{sim-s}) implies that $ \mathbf{c}_M \neq \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
-+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bmod q$ by hypothesis. It follows that $\bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
++ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bmod q$ by hypothesis. It follows that $\textsf{bin}(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
 + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) $ is a non-zero vector in $\{-1,0,1\}^m$. Subtracting (\ref{second-sol}) from (\ref{first-sol}), we get \begin{eqnarray*} \mathbf{A}_{\tau^{(i^\dagger)}} \cdot \left[\begin{array}{c} \mathbf{v}_1^\star - \mathbf{v}_1 \\ \hline \mathbf{v}_2^\star - \mathbf{v}_1 \end{array} \right]
- &=& \mathbf{D} \cdot \bigl( \bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ &=& \mathbf{D} \cdot \bigl( \textsf{bin}(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
 + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \bigr) \mod q, \end{eqnarray*} which implies
@@ -456,22 +456,22 @@ which implies
 \left[ \begin{array}{c|c} \mathbf{D} \cdot \mathbf{S} ~ &~ \mathbf{D} \cdot (\mathbf{S}_0 + \sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j)
-\end{array} \right] \cdot \left[ \begin{array}{c} {\mathbf{v}_1^\star -\mathbf{v}_1 } \\ \hline {\mathbf{v}_2^\star - \mathbf{v}_2 } \end{array} \right] \\ = \mathbf{D} \cdot \bigl( \bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+\end{array} \right] \cdot \left[ \begin{array}{c} {\mathbf{v}_1^\star -\mathbf{v}_1 } \\ \hline {\mathbf{v}_2^\star - \mathbf{v}_2 } \end{array} \right] \\ = \mathbf{D} \cdot \bigl( \textsf{bin}(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
 + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \bigr) \mod q . \end{multline} The above implies that the vector \begin{eqnarray} \nonumber \mathbf{w} &=& \mathbf{S} \cdot (\mathbf{v}_1^\star - \mathbf{v}_1) + (\mathbf{S}_0 + \sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j ) \cdot (\mathbf{v}_2^\star - \mathbf{v}_2) \\
- \nonumber && \hspace{2.75cm} ~+ \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \big) - \bit(\mathbf{c}_M)
+ \nonumber && \hspace{2.75cm} ~+ \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \big) - \textsf{bin}(\mathbf{c}_M)
 \end{eqnarray} is a short integer vector of $\Lambda_q^{\perp}(\mathbf{D})$. Indeed, its norm can be bounded as $\| \mathbf{w} \| \leq \beta'' = \sqrt{2} (\ell+2) \sigma^2 m^{3/2} + m^{1/2} $. We argue that it is non-zero with overwhelming probability.
 We already observed that $ \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
-+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) - \bit(\mathbf{c}_M)$ is a non-zero vector of $\{-1,0,1\}^m$, which rules out the event that
++ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) - \textsf{bin}(\mathbf{c}_M)$ is a non-zero vector of $\{-1,0,1\}^m$, which rules out the event that
 $({\mathbf{v}_1^\star}, {\mathbf{v}_2^\star} ) =({\mathbf{v}_1} , {\mathbf{v}_2}) $. Hence, we can only have $\mathbf{w}=\mathbf{0}^m$ when the equality \begin{multline} \label{final-eq} \mathbf{S} \cdot (\mathbf{v}_1^\star - \mathbf{v}_1) + (\mathbf{S}_0 +
-\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j ) \cdot (\mathbf{v}_2^\star - \mathbf{v}_2) \\ = \bit(\mathbf{c}_M) - \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j ) \cdot (\mathbf{v}_2^\star - \mathbf{v}_2) \\ = \textsf{bin}(\mathbf{c}_M) - \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
 + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \big) \qquad \end{multline} holds over $\ZZ$. However, as long as either $\mathbf{v}_1^\star \neq \mathbf{v}_1$ or $\mathbf{v}_2^\star \ne \mathbf{v}_2$, the left-hand-side member of (\ref{final-eq})
@@ -824,8 +824,8 @@ In the notations hereunder, for any positive integers $\mathfrak{n}$, and $q \ge
 \begin{eqnarray*} \mathbf{H}_{\mathfrak{n} \times \mathfrak{n} \lceil\log q\rceil } &=& \mathbf{I}_{\mathfrak{n}} \otimes [1 \mid 2 \mid 4 \mid \ldots \mid 2^{\lceil\log q\rceil-1} ] . \end{eqnarray*}
-Also, for each vector $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$, we define $\bit(\mathbf{v}) \in \{0,1\}^{\mathfrak{n}\lceil\log q\rceil}$ to be the vector obtained by replacing each entry of $\mathbf{v}$ by its binary expansion.
-Hence, we have $\mathbf{v}=\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \cdot \bit(\mathbf{v})$ for any $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$.
+Also, for each vector $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$, we define $\textsf{bin}(\mathbf{v}) \in \{0,1\}^{\mathfrak{n}\lceil\log q\rceil}$ to be the vector obtained by replacing each entry of $\mathbf{v}$ by its binary expansion.
+Hence, we have $\mathbf{v}=\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \cdot \textsf{bin}(\mathbf{v})$ for any $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$.
 In our scheme, each group membership certificate is a signature generated by the group manager on the user's public key. Since the group manager only needs to sign known (rather than committed) messages, we can
@@ -847,7 +847,7 @@ identify $\mathcal{U}_i$.
 providing evidence that the membership certificate is a valid signature on some binary message $\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n \lceil \log q \rceil }$ for which he also knows a short $\mathbf{z}_i \in \ZZ^{4m}$ such that
- $ \mathbf{v}_i = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$.
+ $ \mathbf{v}_i = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$.
 Interestingly, the process does not require any proof of knowledge of the membership secret $\mathbf{z}_i$ during the joining phase, which is round-optimal. Analogously to the Kiayias-Yung technique \cite{KY05} and constructions based on structure-preserving signatures \cite{AFG+10}, the joining protocol thus remains secure in environments where many users want
@@ -925,7 +925,7 @@ $\mathbf{d}_i = \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end
 \mathbf{A}_{\mathsf{id}_i} \cdot \mathbf{d}_i &=& \left[ \begin{array}{c|c} \mathbf{A} ~& ~ \mathbf{A}_0 + \sum_{j=1}^\ell \mathsf{id}_i[j] \mathbf{A}_j \end{array} \right] \cdot \mathbf{d}_i\\
-\label{rel-cert} &=& \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \bit(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) \bmod q. \quad
+\label{rel-cert} &=& \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) \bmod q. \quad
 \end{eqnarray} The triple $(\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$ is sent to $\mathcal{U}_i$. Then, $\mathsf{J}_{\user}$ verifies that the received $(\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$ satisfies (\ref{rel-cert}) and that
@@ -948,10 +948,10 @@ member $\mathcal{U}_i$ generates a one-time signature key pair $(\mathsf{VK},\ma
 \begin{itemize} \item[1.] Compute $\mathbf{G}_0=H_0(\mathsf{VK}) \in \ZZ_q^{ n \times 2m}$ and use it as an IBE public key to encrypt
-$\bit(\mathbf{v}_i) \in \{0,1\}^{2m}$, where $\mathbf{v}_i=\mathbf{F} \cdot \mathbf{z}_i \in \ZZ_q^{4n}$ is the syndrome of
+$\textsf{bin}(\mathbf{v}_i) \in \{0,1\}^{2m}$, where $\mathbf{v}_i=\mathbf{F} \cdot \mathbf{z}_i \in \ZZ_q^{4n}$ is the syndrome of
 $\scr_i=\mathbf{z}_i \in \mathbb{Z}^{4m}$ for the matrix $\mathbf{F}$. Namely, compute $ \mathbf{c}_{\mathbf{v}_i} \in \ZZ_q^m \times \ZZ_q^{2m}$ as \begin{eqnarray} \label{enc1}
-\mathbf{c}_{\mathbf{v}_i}=(\mathbf{c}_1,\mathbf{c}_2) &=& \big( \mathbf{B}^T \cdot \mathbf{e}_0 + \mathbf{x}_1 ,~ \mathbf{G}_0^T \cdot \mathbf{e}_0 + \mathbf{x}_2 + \bit(\mathbf{v}_i) \cdot \lfloor q/2 \rfloor \big) \qquad
+\mathbf{c}_{\mathbf{v}_i}=(\mathbf{c}_1,\mathbf{c}_2) &=& \big( \mathbf{B}^T \cdot \mathbf{e}_0 + \mathbf{x}_1 ,~ \mathbf{G}_0^T \cdot \mathbf{e}_0 + \mathbf{x}_2 + \textsf{bin}(\mathbf{v}_i) \cdot \lfloor q/2 \rfloor \big) \qquad
 \end{eqnarray} for randomly chosen $\mathbf{e}_0 \sample \chi^n$, $\mathbf{x}_1 \sample \chi^m, \mathbf{x}_2 \sample \chi^{2m} $. Notice that, as in the construction of \cite{LNW15}, the columns of $\mathbf{G}_0$ can be interpreted as public keys for the multi-bit version
@@ -959,7 +959,7 @@ of the dual Regev encryption scheme.
 \item[2.] Run the protocol in Section~\ref{subsection:zk-for-group-signature} to prove the knowledge of $\mathsf{id}_i \in \{0,1\}^{\ell}$, vectors $\mathbf{s}_i \in \ZZ^{2m}, \mathbf{d}_{i,1},\mathbf{d}_{i,2} \in \ZZ^{m},\mathbf{z}_i \in \ZZ^{4m}$ with infinity norm bound $\beta $; $\mathbf{e}_0 \in \ZZ^n$, $\mathbf{x}_1 \in \ZZ^m, \mathbf{x}_2 \in \ZZ^{2m} $ with infinity norm bound $B$
-and $\bit(\mathbf{v}_i) \in \{0,1\}^{2m}, \mathbf{w}_{i} \in \{0,1\}^m$, that satisfy
+and $\textsf{bin}(\mathbf{v}_i) \in \{0,1\}^{2m}, \mathbf{w}_{i} \in \{0,1\}^m$, that satisfy
 \eqref{enc1} as well as \begin{eqnarray} \label{rel-deux} \mathbf{A} \cdot \mathbf{d}_{i,1} + \mathbf{A}_0 \cdot \mathbf{d}_{i,2} + \sum_{j=1}^{\ell} ( \mathsf{id}_i[j] \cdot \mathbf{d}_{i,2}) \cdot \mathbf{A}_j
@@ -970,8 +970,8 @@ and
 \begin{eqnarray} \label{eq:rel-3} \left\{ \begin{array}{l}
-\mathbf{H}_{2n \times m} \cdot \mathbf{w}_{i} = \mathbf{D}_0 \cdot \bit(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \in \ZZ_q^{2n} \\
-\mathbf{F} \cdot \mathbf{z}_i = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v}_i) \in \ZZ_q^{4n}.
+\mathbf{H}_{2n \times m} \cdot \mathbf{w}_{i} = \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \in \ZZ_q^{2n} \\
+\mathbf{F} \cdot \mathbf{z}_i = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v}_i) \in \ZZ_q^{4n}.
 \end{array} \right. \end{eqnarray}
@@ -1006,9 +1006,9 @@ in~(\ref{eq:sig-final}).
 \smallskip Compute $\mathbf{G}_0=H_0(\mathsf{VK}) \in \ZZ_q^{n \times 2m}$. Then, using $\mathbf{T}_{\mathbf{B}}$ to compute a small-norm matrix $\mathbf{E}_{0,\mathsf{VK}} \in \ZZ^{m \times 2m }$ such that $ \mathbf{B} \cdot \mathbf{E}_{0,\mathsf{VK}} = \mathbf{G}_0 \bmod q $.
-\item[2.] Using $\mathbf{E}_{0,\mathsf{VK}}$, decrypt $\mathbf{c}_{\mathbf{v}_i}$ to obtain a string $\bit(\mathbf{v} ) \in \{0,1\}^{2m}$
+\item[2.] Using $\mathbf{E}_{0,\mathsf{VK}}$, decrypt $\mathbf{c}_{\mathbf{v}_i}$ to obtain a string $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m}$
 (i.e., by computing $\lfloor (\mathbf{c}_2 - \mathbf{E}_{0,\mathsf{VK}}^T \cdot \mathbf{c}_1) / (q/2) \rceil$). \smallskip
-\item[3.] Determine if the $\bit(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step 2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so,
+\item[3.] Determine if the $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step 2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so,
 output the corresponding $i$ (and, optionally, $\mathsf{upk}[i]$). Otherwise, output $\perp$. \end{itemize} \end{description}
@@ -1017,7 +1017,7 @@ We remark that the scheme readily extends to provide a mechanism whereby the ope
 The difference between the dynamic group signature models suggested by Kiayias and Yung \cite{KY06} and Bellare \textit{et al.} \cite{BSZ05} is that, in the latter, the opening authority ($\mathsf{OA}$) must be able to convince a judge that the $\mathsf{Open}$ algorithm was run correctly. Here, such a mechanism can be realized using the techniques of public-key encryption with non-interactive opening \cite{DHKT08}. Namely, since
-$\bit(\mathbf{v}_i)$ is encrypted using an IBE scheme for the identity $\vk$, the $\mathsf{OA}$ can simply reveal the decryption matrix $\mathbf{E}_{0,\mathsf{VK}} $,
+$\textsf{bin}(\mathbf{v}_i)$ is encrypted using an IBE scheme for the identity $\vk$, the $\mathsf{OA}$ can simply reveal the decryption matrix $\mathbf{E}_{0,\mathsf{VK}} $,
 that satisfies $\mathbf{B} \cdot \mathbf{E}_{0,\vk} = \mathbf{G}_0 \bmod q$ (which corresponds to the verification of a GPV signature) and allows the verifier to perform step 2 of the opening algorithm himself. The resulting construction is easily seen to satisfy the notion of opening soundness of Sakai \textit{et al.} \cite{SSE+12}.
@@ -1077,7 +1077,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
 extractor will reveal an $\ell$-bit identifier that coincides with the identifier $\mathsf{id}^\dagger$ assigned to the user introduced at the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query. The last case $coin=2$ corresponds to $\bdv$'s expectation that decrypting $\mathbf{c}_{\mathbf{v}_i}^\star$ (which is part of $\Sigma^\star$) and running the knowledge extractor on $\adv$ will uncover vectors $\bit ( \mathbf{v}^\star ) \in \{0,1\}^{2m}$, $\mathbf{w}^\star \in \{0,1\}^m$ and $\mathbf{s}^\star \in \ZZ^{2m}$
- such that $\mathbf{w}^\star= \bit(\mathbf{D}_0 \cdot \bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )$ and
+ such that $\mathbf{w}^\star= \textsf{bin}(\mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )$ and
 \begin{eqnarray} \label{collide} \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}^\star ) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) = \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}_{i^\star} ) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} \bigr) \end{eqnarray}
@@ -1178,7 +1178,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
 \begin{bmatrix} \mathbf{d}_{i^\star,1} \\ \hline \mathbf{d}_{i^\star,2} \end{bmatrix}
- - \mathbf{D} \cdot \bit(\mathbf{c}_M),
+ - \mathbf{D} \cdot \textsf{bin}(\mathbf{c}_M),
 \end{eqnarray} where $\mathbf{c}_{M} \sample (\Zq^{2n})$ is a randomly chosen vector. Observe that, since $\mathbf{A}$ is statistically uniform over $\Zq^{n \times m}$ and $ \mathbf{d}_{i^\star,1}
@@ -1208,7 +1208,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
 $\mathrm{Verify}_{\mathsf{upk}[i]}(\mathbf{v}_{i},sig_i)=1$, $\bdv$ samples $\mathbf{s}_i \sample D_{\ZZ^{2m},\sigma}$ and uses the trapdoor $\mathbf{T}_{\mathbf{C}}$ to compute a short vector $\mathbf{d}_i=[\mathbf{d}_{i,1}^T ~|~\mathbf{d}_{i,2}^T]^T \in \ZZ^{2m}$ such that \begin{eqnarray} \label{sim-cert}
- \mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \bit(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) ,
+ \mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) ,
 \end{eqnarray} where $\mathbf{A}_{\mathsf{id}_i} \in \Zq^{n \times 2m}$ is the matrix in (\ref{sim-matr}). Note that $\bdv$ is able to compute such a vector using the $\mathsf{SampleRight}$ algorithm of \cite{ABB10} (since the Hamming distance $h_{\mathsf{id}_i}$ between $\mathsf{id}_i$ and $\mathsf{id}^\star$ is non-zero). The membership certificate
@@ -1235,7 +1235,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
 Since $h_{\mathsf{id}_i} \neq 0$, $\bdv$ can use the trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$ to compute a short vector $\mathbf{d}_i = [ \mathbf{d}_{i,1}^T ~|~\mathbf{d}_{i,2}^T ]^T \in \ZZ^{2m}$ such that \begin{eqnarray*}
- \mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot (\bit(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) ,
+ \mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot (\textsf{bin}(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) ,
 \end{eqnarray*} where $\mathbf{v}_{i} \in \Zq^{4n}$ is the syndrome chosen by $\adv$ at step 1 of the joining protocol. \item[-] If $i = i^\star$, $\bdv$ undertakes to generate a membership certificate $\crt_{i^\star}$ for the $\ell$-bit identifier $\mathsf{id}^\dagger \in \{0,1\}^\ell$ that was
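Review bot: The new line carries an unmatched `(`: in `\mathbf{D}_0 \cdot (\textsf{bin}(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr)` the parenthesis opened before `\textsf{bin}` is never closed, so the formula renders with a stray delimiter and differs from the otherwise identical certificate equation in the @@ -1208 hunk, which reads `\mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr)`. The same stray `(` survives on the new line of the @@ -1301 hunk, `\mathbf{D}_0 \cdot (\textsf{bin}(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr)`. Dropping the `(` in both places, i.e. `\mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr)`, makes the three occurrences agree; since the substitution touched these lines anyway, this is the moment to fix it.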
@@ -1244,9 +1244,9 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
 the vector $\mathbf{d}_{i^\star,1},\mathbf{d}_{i^\star,2} \in \ZZ^m$ and $\mathbf{c}_M \in \Zq^{2n}$ that were used to define $\mathbf{u} \in \Zq^n$ in (\ref{def-u}) and using $\mathbf{T}_{\mathbf{D}_1}$. If $\adv$ provides a correct signature $sig_{i^\star}$ such that $\mathrm{Verify}_{\mathsf{upk}[i^\star]}(\mathbf{v}_{i^\star},sig_{i^\star})=1$,
- $\bdv$ uses the trapdoor $\mathbf{T}_{\mathbf{D}_1}$ of $\Lambda_q^\perp (\mathbf{D}_1)$ to sample a short vector $\mathbf{s}_{i^\star} \in \ZZ^{2m}$ of $D_{\Lambda_q^{\mathbf{c}_{i^\star}}(\mathbf{D}_1),\sigma}$, where $\mathbf{c}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \bit( \mathbf{v}_{i^\star}) \bmod q $,
+ $\bdv$ uses the trapdoor $\mathbf{T}_{\mathbf{D}_1}$ of $\Lambda_q^\perp (\mathbf{D}_1)$ to sample a short vector $\mathbf{s}_{i^\star} \in \ZZ^{2m}$ of $D_{\Lambda_q^{\mathbf{c}_{i^\star}}(\mathbf{D}_1),\sigma}$, where $\mathbf{c}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \textsf{bin}( \mathbf{v}_{i^\star}) \bmod q $,
 satisfying
- $$ \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \bit( \mathbf{v}_{i^\star}) ~\bmod q , $$
+ $$ \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \textsf{bin}( \mathbf{v}_{i^\star}) ~\bmod q , $$
 before returning $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} =[ \mathbf{d}_{i^\star,1}^T \mid \mathbf{d}_{i^\star,2}^T]^T,\mathbf{s}_{i^\star})$ to $\adv$. From the definition of $\mathbf{u} \in \Zq^n$ (\ref{def-u}), it is easy to see that $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} ,\mathbf{s}_{i^\star})$ forms a valid membership certificate for any membership secret $\mathbf{z}_{i^\star} \in \ZZ^{4m}$ corresponding to the syndrome $\mathbf{v}_{i^\star} = \mathbf{F} \cdot \mathbf{z}_{i^\star} \bmod q$.
@@ -1261,7 +1261,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
 \textbf{Forgery.} When $\adv$ halts, it outputs a signature $ \Sigma^\star=\big( \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}_i}^\star, \pi_K^\star,sig^\star \big)$ on some message $M^\star$. At this point, $\bdv$ uses the
- trapdoor $\mathbf{T}_{\mathbf{B}}$ to decrypt $\mathbf{c}_{\mathbf{v}_i}^\star$ and obtain an $m$-bit string $\bit(\mathbf{v}^\star) \in \{0,1\}^m$.
+ trapdoor $\mathbf{T}_{\mathbf{B}}$ to decrypt $\mathbf{c}_{\mathbf{v}_i}^\star$ and obtain an $m$-bit string $\textsf{bin}(\mathbf{v}^\star) \in \{0,1\}^m$.
 If we parse the proof $\pi_K^\star$ as $(\{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t,\mathsf{Chall}_K^\star,\{\mathsf{Resp}_{K,j}^\star \}_{j=1}^t)$,
@@ -1301,7 +1301,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
 such that \begin{eqnarray*} \mathbf{A}_{\mathsf{id}^\star } \cdot \begin{bmatrix} \mathbf{d}_{1}^\star \\ \hline \mathbf{d}_{2}^\star \end{bmatrix} &=& \mathbf{u} + \mathbf{D} \cdot \mathbf{w}^\star \\
- \mathbf{w}^\star &=& \bit \bigl( \mathbf{D}_0 \cdot (\bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) ,
+ \mathbf{w}^\star &=& \bit \bigl( \mathbf{D}_0 \cdot (\textsf{bin}(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) ,
 \end{eqnarray*} At this point, $\bdv$ aborts and declares failure in the following situations:
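Review bot: The new line of the @@ -1261 hunk describes the decrypted value as an `$m$-bit string $\textsf{bin}(\mathbf{v}^\star) \in \{0,1\}^m$`, while the same decryption output in the @@ -1006 hunk is typed `\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m}` and the encrypted plaintext in @@ -948 and @@ -959 is `\textsf{bin}(\mathbf{v}_i) \in \{0,1\}^{2m}`; only one of the two lengths can be right. The same `$m$-bit string ... \in \{0,1\}^m` wording recurs on the new lines of the @@ -1442 and @@ -1481 hunks. If `2m` is the intended length (it matches `\mathbf{H}_{4n \times 2m}` in @@ -1006), the line should read `... obtain a $2m$-bit string $\textsf{bin}(\mathbf{v}^\star) \in \{0,1\}^{2m}$.`, with the two later hunks adjusted the same way; this is pre-existing, but the rename is an opportunity to make the dimension consistent.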
@@ -1312,11 +1312,11 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
 \item[-] $coin=1$ but $\mathsf{id}^\star \in \{0,1\}^\ell$ never appeared in a membership certificate returned by the $\mathcal{Q}_{\ajoin}$ oracle. \item[-] $coin=1$ and $\mathsf{id}^\star \in \{0,1\}^{\ell}$ belongs to some user in $U^a$, but this user is not the one introduced at the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query (i.e., $i^\star \neq i^\dagger$ and $\mathsf{id}^\star \neq \mathsf{id}^\dagger$).
- \item[-] $coin=1$ and the knowledge extractor revealed vectors $\bit(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$
+ \item[-] $coin=1$ and the knowledge extractor revealed vectors $\textsf{bin}(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$
 satisfying the collision (\ref{collide}),
- where $ \bit(\mathbf{v}_{i^\star})$ and $\mathbf{s}_{i^\star}$ are the vectors
+ where $ \textsf{bin}(\mathbf{v}_{i^\star})$ and $\mathbf{s}_{i^\star}$ are the vectors
 involved in the $i^\star$-th $\mathcal{Q}_{\ajoin}$ query.
- \item[-] $coin=2$ and the knowledge extraction yields vectors $\bit(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$ such that the collision
+ \item[-] $coin=2$ and the knowledge extraction yields vectors $\textsf{bin}(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$ such that the collision
 (\ref{collide}) does not occur. \end{itemize} We call $\mathsf{fail}$ the event that one of the above situations occurs. Given that the choices of $coin \sample (\{0,1,2\})$ and $i^\star \sample ([1,Q_a])$ are completely independent of $\adv$'s view,
@@ -1331,7 +1331,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
 \item If $coin=0$, we have $\mathsf{id}^\star=\mathsf{id}^\dagger$ and $\bdv$ knows a short vector $\mathbf{e}_u \in \ZZ^m$ such that $\mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \bmod q$. Hence, it can obtain a short integer vector \begin{eqnarray*} \mathbf{h} = {\mathbf{d}_1^\star} + \big( \mathbf{Q}_0 + \sum_{i=1}^\ell \mathsf{id}^\dagger [i] \mathbf{Q}_i \big) \cdot {\mathbf{d}_2^\star} - \mathbf{Q}_D
- \cdot \bit(\mathbf{v}^\star) - \mathbf{e}_u \in \ZZ^m
+ \cdot \textsf{bin}(\mathbf{v}^\star) - \mathbf{e}_u \in \ZZ^m
 \end{eqnarray*} such that $ \bar{\mathbf{A}}_1 \cdot \mathbf{h} = \mathbf{0}^m \bmod q$. Moreover, we have $\mathbf{h} \neq \mathbf{0}^m$ w.h.p. since the syndrome $\mathbf{u} \in \Zq^n$ statistically hides
@@ -1340,9 +1340,9 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
 This implies that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ is a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ and solves the initial $\mathsf{SIS}$ instance. \item If $coin=1$, the extracted
- witnesses $(\mathbf{d}_{1}^\star,\mathbf{d}_{2}^\star,\mathbf{s}^\star,\mathsf{id}^\star)$ and the decrypted $\bit(\mathbf{v}^\star)$
- satisfy $\mathsf{id}^\star=\mathsf{id}^\dagger$, $$\mathbf{w}^\star = \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )
- \neq \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}_{i^\star}) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} ) = \mathbf{w}_{i^\star} $$
+ witnesses $(\mathbf{d}_{1}^\star,\mathbf{d}_{2}^\star,\mathbf{s}^\star,\mathsf{id}^\star)$ and the decrypted $\textsf{bin}(\mathbf{v}^\star)$
+ satisfy $\mathsf{id}^\star=\mathsf{id}^\dagger$, $$\mathbf{w}^\star = \textsf{bin}( \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )
+ \neq \textsf{bin}( \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_{i^\star}) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} ) = \mathbf{w}_{i^\star} $$
 (since $\neg \mathsf{fail}$ implies that the collision (\ref{collide}) did not occur if $coin=1$) and \begin{align} \label{rel1}
@@ -1382,10 +1382,10 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
 so that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ solves the original $\mathsf{SIS}$ instance. \item If $coin=2$, $\bdv$ is done as well since the collision (\ref{collide}) directly provides a vector
- $$\mathbf{h}=\bit(\mathbf{v}^\star) - \bit(\mathbf{v}_i^\star) + \mathbf{Q} \cdot (\mathbf{s}^\star - \mathbf{s}_i^\star) ~ \in \ZZ^{2m}$$ of $\Lambda_q^{\perp}(\mathbf{D}_0)$ (which is also in
+ $$\mathbf{h}=\textsf{bin}(\mathbf{v}^\star) - \textsf{bin}(\mathbf{v}_i^\star) + \mathbf{Q} \cdot (\mathbf{s}^\star - \mathbf{s}_i^\star) ~ \in \ZZ^{2m}$$ of $\Lambda_q^{\perp}(\mathbf{D}_0)$ (which is also in
 the lattice $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ by construction) and has norm $\| \mathbf{h} \|_2 \leq 2(\sigma^2 (2m)^{3/2} + (2m)^{1/2}) $. Moreover, $\mathbf{h} \in \ZZ^{2m}$ is non-zero with overwhelming probability
- given that $\bit(\mathbf{v}^\star) \neq \bit(\mathbf{v}_i^\star)$ and the large amount of entropy retained by the columns $\mathbf{Q} \in \ZZ^{2m \times 2m}$ given $\mathbf{D}_1= \mathbf{D}_0 \cdot \mathbf{Q}$.
+ given that $\textsf{bin}(\mathbf{v}^\star) \neq \textsf{bin}(\mathbf{v}_i^\star)$ and the large amount of entropy retained by the columns $\mathbf{Q} \in \ZZ^{2m \times 2m}$ given $\mathbf{D}_1= \mathbf{D}_0 \cdot \mathbf{Q}$.
 \end{itemize} \end{proof}
@@ -1431,7 +1431,7 @@ Then, $\bdv$ starts interacting with $\adv$ as follows.
 $\bdv$ recalls the vector $\mathbf{z}_i \in \ZZ^{4m}$ that was chosen to define the syndrome $\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i$ at step 1 of the $\mathsf{Join}$ protocol as well as the identifier $\mathsf{id}_i \in \{0,1\}^\ell$ and the short vectors $(\mathbf{d}_{i,1},\mathbf{d}_{i,2},\mathbf{s}_i) $ that were supplied by $\adv$ in an earlier $Q_{\bjoin}$-query. It faithfully computes a signature by IBE-encrypting
- $\bit(\mathbf{v}_i) \in \{0,1\}^{2m}$ and using $(\mathbf{d}_{i,1},\mathbf{d}_{i,2},\mathbf{s}_i,\mathbf{z}_i,\mathbf{s}_i,\mathsf{id}_i)$ to compute a witness indistinguishable proof $\pi_K=(
+ $\textsf{bin}(\mathbf{v}_i) \in \{0,1\}^{2m}$ and using $(\mathbf{d}_{i,1},\mathbf{d}_{i,2},\mathbf{s}_i,\mathbf{z}_i,\mathbf{s}_i,\mathsf{id}_i)$ to compute a witness indistinguishable proof $\pi_K=(
 \{\mathsf{Comm}_{K,j}\}_{j=1}^t,\mathsf{Chall}_K,\{\mathsf{Resp}_{K,j}\}_{j=1}^t)$. Finally, $\bdv$ computes a one-time signature $sig=\mathcal{S}(\mathsf{SK},(\mathbf{c}_{\mathbf{v}_i},\pi_K))$ and returns the signature
@@ -1442,7 +1442,7 @@ $ \Sigma^\star = \big( \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \pi_
 for some message $M^\star$, which opens to ${i^\star} \in U^b$ although user $i^\star$ did not sign the message $M^\star$ at any time. Since $(M^\star,\Sigma^\star)$ supposedly frames user $i^\star$, the opening of
-$\Sigma^\star$ must reveal the $m$-bit string $\bit(\mathbf{v}_{i^\star}) \in \{0,1\}^m$. We note that the reduction $\bdv$ has
+$\Sigma^\star$ must reveal the $m$-bit string $\textsf{bin}(\mathbf{v}_{i^\star}) \in \{0,1\}^m$. We note that the reduction $\bdv$ has
 recollection of a short vector $\mathbf{z}_{i^\star} \in \ZZ^{4m}$ (of norm $\| \mathbf{z}_{i^\star} \| < 2\sigma \sqrt{m}$) such that $\mathbf{v}_{i^\star} = \mathbf{F} \cdot \mathbf{z}_{i^\star} \bmod q$ which it chose when running $\mathsf{J}_{\mathsf{user}}$ on behalf of user $i^\star$ when this user was introduced in the group. Hence,
@@ -1481,9 +1481,9 @@ tuple $ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\maths
 pairwise distinct answers $\mathsf{Chall}_{\kappa^\star}^{(1)} , \mathsf{Chall}_{\kappa^\star}^{(2)}, \mathsf{Chall}_{\kappa^\star}^{(3)} \in \{1,2,3\}^t$. Since the forgeries of the $3$-fork all correspond to the tuple $ (M^\star, \mathsf{VK}^\star ,
-\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$, they open to the same $m$-bit string $\bit(\mathbf{v}_{i^\star}) \in \{0,1\}^m$ and
+\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$, they open to the same $m$-bit string $\textsf{bin}(\mathbf{v}_{i^\star}) \in \{0,1\}^m$ and
 which is uniquely determined
-by $\mathbf{c}_{\mathbf{v}}^\star$. In turn, this implies that the three forgeries all reveal the same $\bit(\mathbf{v}_{i^\star})$
+by $\mathbf{c}_{\mathbf{v}}^\star$. In turn, this implies that the three forgeries all reveal the same $\textsf{bin}(\mathbf{v}_{i^\star})$
 at the second step of $\mathsf{Open}$. With probability $1-(7/9)^t$ it can be shown that there exists $j \in \{1,\ldots,t\}$ such that the $j$-th bits of $\mathsf{Chall}_{\kappa^\star}^{(1)} ,
@@ -1568,7 +1568,7 @@ Hence, the difference $\mathbf{h} = \mathbf{z}' - \mathbf{z}_{i^\star} \in \ZZ^{
 Instead of using the real encryption algorithm of the GPV IBE to compute $\mathbf{c}_{\mathbf{v}_d}^\star$ as the encryption of $\mathbf{v}_d^\star = \mathbf{F} \cdot \mathbf{z}_d \in \Zq^{4n}$, we return truly random ciphertexts. In other words, we let \[ \mathbf{c}_{\mathbf{v}_d}^\star = \begin{pmatrix}
- \mathbf{r}_1 \\ \mathbf{r}_2 + \bit(\mathbf{v}_{d}^\star) \lfloor q/2 \rfloor
+ \mathbf{r}_1 \\ \mathbf{r}_2 + \textsf{bin}(\mathbf{v}_{d}^\star) \lfloor q/2 \rfloor
 \end{pmatrix}, \] %where $\mathbf{v}_{i_b}^\star= \mathbf{F} \cdot \mathbf{z}_{i_b}^\star $, and where $\mathbf{r}_1 \sample (\Zq^{m})$, $\mathbf{r}_2 \sample (\Zq^{2m})$ are uniformly random.