diff --git a/chap-GS-background.tex b/chap-GS-background.tex index e4a3811..642a99e 100644 --- a/chap-GS-background.tex +++ b/chap-GS-background.tex @@ -224,15 +224,16 @@ following oracles: the prospective user in the join protocol. If this protocol successfully ends, the interface increments $n$, updates $\mathsf{st}$ by inserting the new user $n$ in both sets $\mathsf{st}_{users}$ and $U^a$. It also sets - $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || \langle n, \transcript_n \rangle$. + $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || ( n, \transcript_n )$. % \item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager, to introduce new honest group members of its choice. The interface - triggers an execution of $[\join_{\user},\join_{\GM}]$ and runs $\join_{\user}$ in + triggers an execution of $\langle \join_{\user},\join_{\GM} \rangle$ and runs $\join_{\user}$ in interaction with the adversary who runs $\join_{\GM}$. If the protocol successfully completes, the interface increments $n$, adds user $n$ to - $\mathsf{st}_{users}$ and $U^b$ and sets $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || \langle n, - \transcript_n \rangle$. It stores the membership certificate $\crt_{n }$ + $\mathsf{st}_{users}$ and $U^b$ and sets + $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || ( n, \transcript_n )$. + It stores the membership certificate $\crt_{n }$ and the membership secret $\scr_{n }$ in a \textit{private} part of $\mathsf{state}_{\interface}$. % diff --git a/chap-ZK.tex b/chap-ZK.tex index dc4335a..317ebf6 100644 --- a/chap-ZK.tex +++ b/chap-ZK.tex 
@@ -16,13 +16,13 @@ In this section, we first present the general principles and basic tools to hand \begin{definition}[Zero-knowledge proofs and arguments] \label{de:zk-proof} \index{Zero Knowledge!Proofs} \index{Zero Knowledge!Argument} - Let $R = \{ (x, w) \in \mathcal L \times \mathcal R \}$ be a binary relation. + Let $R = \{ (x, w) \in \mathcal{L} \times \mathcal{R} \}$ be a binary relation. A \textit{zero-knowledge proof} for a relation $R$ is an interactive protocol between a prover $P(x,w)$ and a verifier $V(x)$ where $V$ outputs a bit $b$ at the end of the interaction. This is written as $\langle P(x,w) , V(x) \rangle = b$. The aforementioned protocol should also verify the following properties. \begin{description} \item[Completeness.] For any $(x, w) \in R$, $\Pr[ \langle P(x,w), V(x) \rangle = 1 ] \geq 1 - \negl[|\lambda|]$. - \item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$, + \item[Soundness.] For all $x \in \mathcal{L}$, for any $\bar w \in \mathcal{R}$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$, $\Pr[\langle P^\star(x), V^\star(x) \rangle = 1] \leq s < 1 - \negl[|x|],$ where $s$ is called the \textit{soundness error}. \item[Zero-Knowledge.] Let $\trans(\cdot, \cdot)$ be the transcript of the interaction during the proof. 
@@ -167,10 +167,10 @@ Another useful primitives are the non-interactive version of zero-knowledge proo \begin{definition}[Non Interactive Zero Knowledge] \index{Zero Knowledge!NIZK} \label{de:nizk-proofs} - A \textit{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w) \in \mathcal L \times \mathcal R\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in \mathcal L$ and $w \in \mathcal R$ and outputs a proof $\pi$, and V takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should verify the following properties. + A \textit{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w) \in \mathcal{L} \times \mathcal{R}\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in \mathcal{L}$ and $w \in \mathcal{R}$ and outputs a proof $\pi$, and V takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should verify the following properties. \begin{description} \item[Completeness.] For any $(x, w) \in R$, $\Pr[ V(x, P(x, w)) = 1 ] \geq 1 - \negl[|x|]$. - \item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$, + \item[Soundness.] For all $x \in \mathcal{L}$, for any $\bar w \in \mathcal{R}$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$, $\Pr[V(x, P^\star(x)) = 1] < \negl[|x|].$ \item[Zero-Knowledge.] There exists a $\ppt$ simulator $S$ such that the probability ensembles $\{(x, P(x, w)) \}_{(x,w) \in R}$ and $\{S(x)\}_{(x, w) \in R}$ are computationally indistinguishable. \end{description} 
@@ -180,12 +180,12 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK \begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}] \index{Zero Knowledge!Fiat-Shamir Transform} - Let $(P, V)$ be a three-move ZK proof system for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal H$ be a cryptographic hash function. + Let $(P, V)$ be a three-move ZK proof system for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal{H}$ be a cryptographic hash function. Let $\hat P$ be the following non-interactive prover that takes as inputs $x$ and $w$: \begin{enumerate} \item First run $P_1(x,w)$ to get a random commitment $\cmt$ and a state information $\mathsf{st}_P$; - \item Generate the challenge as $\chall \gets \mathcal H(x,\cmt)$; + \item Generate the challenge as $\chall \gets \mathcal{H}(x,\cmt)$; \item Run $\rsp \gets P_2(x, w, \chall, \mathsf{st}_P)$; \item Return the proof $\pi = (\cmt, \rsp)$. \end{enumerate} @@ -193,7 +193,7 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK And let $\hat V$ be the following non-interactive verifier that takes as inputs $x$ and $\pi$: \begin{enumerate} \item Parse $\pi$ as $(\cmt, \rsp)$; - \item Generate the challenge $\chall = \mathcal H(x, \cmt)$; + \item Generate the challenge $\chall = \mathcal{H}(x, \cmt)$; \item Return $V_2(x, \chall, \rsp, \emptyset)$. \end{enumerate} diff --git a/chap-proofs.tex b/chap-proofs.tex index 305d092..b75981e 100644 --- a/chap-proofs.tex +++ b/chap-proofs.tex 
@@ -215,9 +215,9 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t \centering \subfloat[\indcpa{} game for \PKE]{ \fbox{\procedure{$\Exp{\indcpa}{\adv, b}(\lambda)$}{% - (pk,sk) \gets \mathcal E.\mathsf{keygen}(1^\lambda)\\ + (pk,sk) \gets \mathcal{E}.\mathsf{keygen}(1^\lambda)\\ (m_0, m_1) \gets \adv(pk, 1^\lambda)\\ - \mathsf{ct} \gets \mathcal E.\mathsf{enc}(m_b)\\ + \mathsf{ct} \gets \mathcal{E}.\mathsf{enc}(m_b)\\ b' \gets \adv(pk, 1^\lambda, \mathsf{ct})\\ \pcreturn b' }} @@ -237,7 +237,7 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t \end{figure} \index{Reduction!Advantage} \index{Encryption!IND-CPA} -The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal A$ against this game is to distinguish between two messages from different distributions. +The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal{A}$ against this game is to distinguish between two messages from different distributions. To model this, for any adversary $\adv$, we define a notion of \emph{advantage} for the $\indcpa$ game as \[ \advantage{\indcpa}{\adv}(\lambda) 
@@ -245,7 +245,7 @@ To model this, for any adversary $\adv$, we define a notion of \emph{advantage} \left| \Pr\left[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 \right] - \Pr\left[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1\right] \right|. \] -We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage of $\mathcal A$ in the $\indcpa$ game is negligible with respect to $\lambda$. +We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage of $\mathcal{A}$ in the $\indcpa$ game is negligible with respect to $\lambda$. This definition of advantages models the fact that the adversary is unable to distinguish whether the ciphertext $\mathsf{ct}$ comes from the experiment $\Exp{\indcpa}{\adv, 0}$ or the experiment $\Exp{\indcpa}{\adv, 1}$. Which means that the adversary cannot get a single bit of information about the ciphertext. @@ -288,7 +288,7 @@ there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ --\,in the \emph{Ideal In other words, it means that the information that $\widehat{\adv}$ obtains from its interaction with the challenger $\cdv$ does not allow $\widehat{\adv}$ to do more things that what it can do with blackbox accesses to the functionality. In the context of $\PKE$, the functionality is the access to the public key $pk$ as described in Line 2 of $\Exp{\indcpa}{\adv, b}(\lambda)$. -Therefore, the existence of a simulator $\widehat{\adv}$ that does not use $pk$ shows that $\mathcal A$ does not learn anything from $pk$. +Therefore, the existence of a simulator $\widehat{\adv}$ that does not use $pk$ shows that $\mathcal{A}$ does not learn anything from $pk$. For $\PKE$, the simulation-based definition for chosen plaintext security is the same as the indistinguishability security~\cite[Se. 5.2.3]{Gol04}. As indistinguishability based model are easier to manipulate, that's why this is the most common definition for security against chosen plaintext attacks for $\PKE$.
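Review bot: the notation in the chap-GS-background.tex hunk moves in two directions at once: the two `\mathsf{st}_{\trans}` updates go from `\langle n, \transcript_n \rangle` to `( n, \transcript_n )`, while the protocol run goes from `[\join_{\user},\join_{\GM}]` to `\langle \join_{\user},\join_{\GM} \rangle`. That is consistent with the `\langle P(x,w), V(x) \rangle = b` interaction notation in chap-ZK.tex, so angle brackets now mean "protocol execution" and parentheses mean "tuple"; that split is fine but deserves a one-line remark in the notation section so the reader does not read the change as an accident. While these lines are touched, drop the stray spaces in `$\crt_{n }$` and `$\scr_{n }$` (unchanged context in the same hunk) and pick one name for the interface state: the top of the hunk calls it `$\mathsf{st}$` and the bottom `$\mathsf{state}_{\interface}$`.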
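Review bot: the Soundness item in the chap-ZK.tex @@ -16 hunk, now edited for `\mathcal{L}`/`\mathcal{R}` braces, still has a prover/verifier mismatch: it quantifies over a cheating prover `$P^\star(x, \bar w)$` but the probability is over `$\langle P^\star(x), V^\star(x) \rangle$`, so the prover loses its input and the verifier gains a star. Soundness is against a cheating prover and the honest verifier, so this should read `$\Pr[\langle P^\star(x, \bar w), V(x) \rangle = 1]$`. The bound `$s < 1 - \negl[|x|]$` also sits oddly next to the Completeness item's `$\negl[|\lambda|]$`: `$\lambda$` is the security parameter and needs no absolute value, and the two items should use the same parameter. Finally, `$R$` for the relation next to `$\mathcal{R}$` for the witness space is easy to misread; `$\mathcal{W}$` for the witness space would avoid the clash.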
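Review bot: the NIZK definition (chap-ZK.tex @@ -167 hunk) repeats the argument mismatch of the interactive one: Soundness quantifies over `$P^\star(x, \bar w)$` but then writes `$V(x, P^\star(x))$`; use one spelling of the cheating prover's inputs in both definitions. The Zero-Knowledge item compares ensembles of different shapes, `$\{(x, P(x, w))\}$` (a statement-proof pair) against `$\{S(x)\}$` (a bare simulator output); either write `$\{(x, S(x))\}$` or compare `$P(x,w)$` with `$S(x)$` alone. More substantively, the definition gives `$(P, V)$` no common reference string or oracle, so as written `$S(x)$` would have to produce accepting proofs without a witness, which soundness forbids for any non-trivial language; state the model (a CRS, or the random oracle model that the Fiat-Shamir hunk below relies on) and give `$S$` the matching trapdoor or oracle-programming ability. The hunk header sentence "Another useful primitives are the non-interactive version" also needs number agreement ("Other useful primitives are the non-interactive versions").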
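Review bot: in the Fiat-Shamir prover (chap-ZK.tex @@ -180 hunk) the challenge is derived with `\chall \gets \mathcal{H}(x,\cmt)`, while the verifier hunk right after it uses `\chall = \mathcal{H}(x, \cmt)`; in this chapter `\gets` marks randomized or stateful steps (`$\cmt$` from `$P_1$`, `$\rsp$` from `$P_2$`) and a hash evaluation is deterministic, so use `=` in both places. Hashing the statement `$x$` together with `$\cmt$` is the right choice (the strong form of the transform) and is worth saying explicitly. The definition also calls `$\mathcal{H}$` "a cryptographic hash function" while the surrounding text only claims the transform works in the random oracle model; state in the definition that `$\mathcal{H}$` is modelled as a random oracle, since that is what the security argument needs.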
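Review bot: the encryption step `\mathsf{ct} \gets \mathcal{E}.\mathsf{enc}(m_b)` in the chap-proofs.tex @@ -215 hunk passes no public key, although `$pk$` is generated two lines above and `$\mathsf{keygen}$` does receive its input `$1^\lambda$`; it should be `\mathcal{E}.\mathsf{enc}(pk, m_b)`. The game also never requires `$|m_0| = |m_1|$`, without which the advantage is trivially 1 for any scheme whose ciphertext length depends on the message length; add that restriction before the encryption line. `$\adv$` is called twice with no state passed from the first call to the second; if a stateful adversary is intended, say so in the surrounding text or thread an explicit state through the two calls.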
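Review bot: the changed sentence in the chap-proofs.tex @@ -237 hunk swaps `\mathcal A` for `\mathcal{A}` while the very next sentence, and the rest of the chapter, use the `\adv` macro for the same adversary; use `\adv` here so the notation lives in one place. The description is also off: in the game above the adversary chooses both `$m_0$` and `$m_1$` and must tell which one was encrypted, so it distinguishes encryptions of two chosen messages, not "two messages from different distributions". "Meaning that the goal for the adversary ..." is a sentence fragment; attach it to the previous sentence with a comma or start it with "This means that".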
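Review bot: the last unchanged line of the @@ -245 hunk, "the adversary cannot get a single bit of information about the ciphertext", states the opposite of what is meant: the adversary is handed `$\mathsf{ct}$`; what it must not learn is the plaintext `$m_b$` (equivalently the bit `$b$`). The changed line again mixes `$\adv$` and `$\mathcal{A}$` inside one sentence; use `\adv` for both. Minor: "This definition of advantages models" should be singular ("This definition of advantage models"), and "Which means that ..." is a fragment.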
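Review bot: the @@ -288 hunk uses three names for two parties: the header line introduces the simulator as `$\widehat{\adv}'$` (primed), the following lines use `$\widehat{\adv}$` for the real adversary, and the changed line then calls the simulator `$\widehat{\adv}$` and the adversary `$\mathcal{A}$`. Reconcile them (simulator `$\widehat{\adv}'$`, adversary `$\widehat{\adv}$`, and `\adv` rather than `\mathcal{A}` wherever the plain adversary is meant). Unchanged context in the same hunk also has "more things that what it can do" (should be "than what") and "As indistinguishability based model are easier to manipulate, that's why this is the most common definition", which doubles the causal connective and lacks number agreement ("As indistinguishability-based models are easier to manipulate, this is the most common definition").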