diff --git a/chap-GS-LWE.tex b/chap-GS-LWE.tex
index eb6d216..c015de5 100644
--- a/chap-GS-LWE.tex
+++ b/chap-GS-LWE.tex
@@ -615,12 +615,149 @@ In our proofs, we mainly use the probability preservation to bound the
 probabilities during hybrid games where the two distributions are not close in terms of statistical distance.
 
 %--------- PROOF ----------
-\input merge
+\begin{proof} The proof is very similar to the proof of \cref{th:gs-lwe-security-cma-sig} and we will only explain the changes.
+
+  Assuming that an adversary $\adv$ can prove possession of a signature on a message $(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ which has not been blindly signed by the issuer,
+  we outline an algorithm $\bdv$ that solves a  $\mathsf{SIS}_{n,2m,q,\beta}$  instance $\bar{\mathbf{A}}$, where  $\bar{\mathbf{A}} =
+  [ \bar{\mathbf{A}}_1 \mid \bar{\mathbf{A}}_2 ]  \in \ZZ_q^{ n \times 2m}$  with
+  $\bar{\mathbf{A}}_1, \bar{\mathbf{A}}_2 \in U(\ZZ_q^{n \times   m})$. 
+
+  At the outset of the game, $\bdv$ generates the common parameters $\mathsf{par}$ by choosing
+  $\mathbf{B} \in_R \ZZ_q^{n \times m}$ and defining $\mathbf{G}_0 = \mathbf{B} \cdot \mathbf{E}_0 \in \ZZ_q^{n \times \ell }$, $\mathbf{G}_1  = \mathbf{B} \cdot \mathbf{E}_1  \in \ZZ_q^{n \times 2m}$.
+  The short Gaussian matrices $\mathbf{E}_0 \in \ZZ^{ m \times \ell}$ and $\mathbf{E}_1 \in \ZZ^{m \times 2m}$ are retained for later use. Also, $\bdv$ flips a  coin $coin \in \{0,1,2\}$ as
+  a guess for the kind of attack that $\adv$ will mount. If $coin=0$, $\bdv$ expects a Type I forgery, where $\adv$'s forgery involves a new $\tau^\star \in \{0,1\}^\ell$ that
+  was never used by the signing oracle. If $coin=1$, $\bdv$ expects $\adv$ to   recycle  a tag $\tau^\star$ involved in some signing query in its forgery. Namely,
+  if $coin=1$, $\bdv$ expects an attack which is either a Type II forgery or a Type III forgery.
+  If $coin=2$,   $\bdv$ rather bets that $\adv$ will break the soundness of the interactive argument systems used in the signature issuing protocol or the $\mathsf{Prove}$ protocol.
+  Depending on the value of $coin \in \{0,1,2 \}$, $\bdv$ generates the issuer's public key $PK$ and simulates $\adv$'s view in  different ways. \medskip
+
+  \noindent $\bullet$ If $coin=0$, $\bdv$ undertakes to find a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}}_1)$, which in turn yields a short non-zero vector
+  of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$. To this end, it defines $\mathbf{A}=\bar{\mathbf{A}}_1$ and
+  generates $PK$ by computing $\{\mathbf{A}_j\}_{j=0}^\ell$ as re-randomizations of $\mathbf{A} \in \ZZ_q^{n \times m}$ as in the proof of Lemma \ref{le:lwe-gs-type-I-attacks}. This implies that $\bdv$ can always answer signing queries using the trapdoor $\mathbf{T}_{\mathbf{C}}
+  \in \ZZ^{m \times m}$ of the matrix $\mathbf{C}$ without even knowing the messages hidden in the commitments $ \mathbf{c}_{\mathfrak{m}}$ and $\{\mathbf{c}_k\}_{k=1}^N$, $\mathbf{c}_{s'}$.
+  When the adversary generates a proof of possession of its own at the end of the game, $\bdv$ uses the matrices $\mathbf{E}_0 \in \ZZ^{ m \times \ell}$ and $\mathbf{E}_1 \in \ZZ^{m \times 2m}$
+  as an extraction trapdoor to extract a plain message-signature pair $\big( (\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star),  (\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star) \big)$
+  from the ciphertexts
+  $\{ \mathbf{c}_k^\star\}_{k=1}^N$ $(\mathbf{c}_{\mathbf{v}_1}^\star,\mathbf{c}_{\mathbf{v}_2^\star})$, $\mathbf{c}_{\tau}^\star$, $\mathbf{c}_{\mathbf{s}}^\star$ produced by $\adv$ as part of its forgery.
+  If the extracted $\tau^\star$ is not a new tag, then $\bdv$ aborts. Otherwise, it can solve the given  $\mathsf{SIS}$ instance exactly as in the proof of Lemma \ref{le:lwe-gs-type-I-attacks}.
+  \medskip
+
+  \noindent $\bullet$ If $coin=1$, the proof proceeds as in the proof of Lemma \ref{le:lwe-gs-type-II-attacks} with one difference in \textsf{Game} $3$. This difference is that \textsf{Game} $3$ is no longer statistically
+  indistinguishable from \textsf{Game} $2$: instead, we rely on an argument based on the R\'enyi divergence.
+  In \textsf{Game} $3$, $\bdv$ generates $PK$ exactly as in the proof of Lemma \ref{le:lwe-gs-type-II-attacks}. This implies that $\bdv$ takes a guess $i^\dagger \leftarrow U(\{1,\ldots,Q\})$
+  with the hope that $\adv$ will choose to recycle the tag    $\tau^{(i^\dagger)}  $ of the $i^\dagger$-th signing query (i.e., $ \tau^\star =\tau^{(i^\dagger)} $).
+  As in the proof of Lemma \ref{le:lwe-gs-type-II-attacks}, $\bdv$  defines $\mathbf{D}=\bar{\mathbf{A}}_1 \in \ZZ_q^{n \times m}$ and $\mathbf{A}= \bar{\mathbf{A}}_1 \cdot \mathbf{S} $ for a small-norm
+  matrix $\mathbf{S} \in \ZZ^{m \times m}$ with Gaussian entries. It also  ``programs'' the matrices $\{ \mathbf{A}_j\}_{j=0}^\ell$ in such a way that
+  the trapdoor precisely vanishes at the $i^\dagger$-th signing query: in other words,
+  the sum $$\mathbf{A}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \mathbf{A}_j = \bar{\mathbf{A}}_1 \cdot (\mathbf{S}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot \mathbf{S}_j) + (h_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot h_j ) \cdot \mathbf{C} $$ does not depend on the matrix $\mathbf{C} \in \ZZ_q^{n \times m}$
+  (of which a trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ is known to $\bdv$) when $\tau^{(i)} = \tau^{(i^\dagger)}$, but it does for all other tags $\tau^{(i)} \neq \tau^{(i^\dagger)}$. In the setup phase,
+  $\bdv$ also sets up a random  matrix $\mathbf{D}_0 \in U(\ZZ_q^{2n \times 2m})$ which it obtains by choosing
+  $\mathbf{A}' \sample U(\ZZ_q^{n \times 2m})$  to define
+  \begin{eqnarray} \label{def-D0}
+    \mathbf{D}_0=\begin{bmatrix} \bar{\mathbf{A}} \\ \hline \mathbf{A}' \end{bmatrix} \in \ZZ_q^{2n \times 2m}.
+  \end{eqnarray}
+  Then, it  computes $\mathbf{c}_M = \mathbf{D}_0 \cdot \mathbf{s}_0  \in \ZZ_q^{2n}$ for a short Gaussian vector
+  $\mathbf{s}_0 \sample D_{\ZZ^{2m},\sigma_0}$, which will be used in the $i^\dagger$-th query.
+  Next, it samples short vectors $\mathbf{v}_1,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ to define
+  $$\mathbf{u}= \mathbf{A}_{\tau^{(i^\dagger)}} \cdot \begin{bmatrix} \mathbf{v}_1   \\ \mathbf{v}_2 \end{bmatrix} - \mathbf{D} \cdot \bit (\mathbf{c}_M) ~  \in \ZZ_q^n.$$
+  In addition, $\bdv$  picks extra small-norm matrices $\mathbf{R}_1,\ldots,\mathbf{R}_N \sample \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^m,\sigma}$, which
+  are used  to define randomizations of $\mathbf{D}_0$ by computing  $\mathbf{D}_k = \mathbf{D}_0 \cdot \mathbf{R}_k$ for each $k \in \{1,\ldots,N\}$.
+  The adversary is given public parameters $\mathsf{par}:=\{\mathbf{B},\mathbf{G}_0,\mathbf{G}_1,CK\}$, where $CK=\{\mathbf{D}_k\}_{k=0}^N$, and the public key $PK:=\big( \mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D},\mathbf{u} \big)$.
+
+  Using  $\mathbf{T}_{\mathbf{C}}$,
+  $\bdv$ can perfectly emulate the signing oracle  at all queries, except the $i^\dagger$-th query where the
+  vector ${\mathbf{s}''}^{(i^\dagger)}$ chosen by $\bdv$ is sampled from a distribution that departs from $D_{\ZZ^{2m},\sigma_0}$.  At the $i^\dagger$-th query,
+  $\bdv$ uses the extraction trapdoor $\mathbf{E}_1 \in \ZZ^{m \times 2m}$ to obtain $ {\mathbf{s}' }^{(i^\dagger)} \in \ZZ^{2m}$ and $\{\mathfrak{m}_k\}_{k=1}^N$  -- which form a valid opening
+  of $\mathbf{c}_{\mathfrak{m}}$ unless the soundness of the proof system is broken (note that the latter case is addressed by the situation $coin=3$) -- from the ciphertexts
+  $\mathbf{c}_{s'}^{(i^\dagger)} $ and $\{ \mathbf{c}_k\}_{k=1}^N$ sent by $\adv$ at step 1 of the signing protocol. Then, $\bdv$
+  computes the vector  ${\mathbf{s}''}^{(i^\dagger)}$ as
+  \begin{eqnarray} \label{sim-s-prime}
+    {\mathbf{s}'' }^{(i^\dagger)}  = \mathbf{s}_0 - \sum_{k=1}^N \mathbf{R}_k \cdot \mathfrak{m}_k^{(i^\dagger)}  -  {\mathbf{s}' }^{(i^\dagger)}  \in \ZZ^{2m},
+  \end{eqnarray}
+  which satisfies $\mathbf{c}_M=\sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^{(i^\dagger)} + \mathbf{D}_0 \cdot ({\mathbf{s}' }^{(i^\dagger)} + {\mathbf{s}'' }^{(i^\dagger)} ) $ and
+  allows   returning $(\tau^{(i^\dagger)},\mathbf{v}^{(i^\dagger)},    {\mathbf{s}'' }^{(i^\dagger)}  )$  such that
+  $(\tau^{(i^\dagger)},\mathbf{v}^{(i^\dagger)},  {\mathbf{s}' }^{(i^\dagger)} +  {\mathbf{s}'' }^{(i^\dagger)}  )$   satisfies the verification
+  equation of the signature scheme. Moreover, we argue that, with noticeable probability, the integer
+  vector ${\mathbf{s} }^{(i^\dagger)} ={\mathbf{s}' }^{(i^\dagger)} +  {\mathbf{s}'' }^{(i^\dagger)}$ will be accepted by the verification algorithm since the R\'enyi divergence
+  between the simulated distribution of ${\mathbf{s}'' }^{(i^\dagger)}$ and its distribution in the real game will be sufficiently small.  Indeed, its distribution
+  is now that of a Gaussian vector $D_{\ZZ^{2m},\sigma_0,\mathbf{z}^\dagger }$ centered in $$\mathbf{z}^\dagger = - \sum_{k=1}^N
+  \mathbf{R}_k  \cdot  {\mathfrak{m}_k^{(i^\dagger)} }
+  - {\mathbf{s}' }^{(i^\dagger)}  \in \ZZ^{2m} ,$$ whose  norm is at most $\| \mathbf{z}^\dagger \|_2 \leq N \sigma  ({2m})^{3/2}  + \sigma (2m)^{1/2}$. By choosing the standard deviation $\sigma_0$ to
+  be at least
+  $\sigma_0> N \sigma  (2m)^{3/2}  + \sigma (2m)^{1/2} $,  the R\'enyi divergence between  the simulated
+  distribution  of ${\mathbf{s}'' }^{(i^\dagger)}$ (in \textsf{Game} $3$) and its real distribution (which is the one of \textsf{Game} $2$) can be kept constant: we have
+  \begin{eqnarray} \label{r-bound}
+    R_2( {\mathbf{s}'' }^{(i^\dagger),2} ||{\mathbf{s}'' }^{(i^\dagger),3} ) \leq \exp \big( 2\pi \cdot \frac{ \| \mathbf{z}^\dagger \|_2^2}{\sigma_0^2} \big) \leq \exp(2 \pi).
+  \end{eqnarray}
+  This ensures that, with noticeable
+  probability, $(\tau^{(i^\dagger)},\mathbf{v}^{(i^\dagger)},  {\mathbf{s}  }^{(i^\dagger)}   )$ will pass the verification test and lead $\adv$ to eventually output a valid forgery.
+  So, the success probability of $\adv$ in \textsf{Game} $3$ remains noticeable as (\ref{r-bound}) implies $\Pr[W_3] \geq \Pr[W_2]^2 / \exp(2\pi)$. 
+
+  When $W_3$ occurs in \textsf{Game} $3$, $\bdv$ uses the matrices $(\mathbf{E}_0,\mathbf{E}_1)$ to extract a plain message-signature pair $\big((\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star),(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star) \big)$ from the extractable commitments
+  $\{ \mathbf{c}_k^\star\}_{k=1}^N$ $(\mathbf{c}_{\mathbf{v}_1}^\star,\mathbf{c}_{\mathbf{v}_2}^\star)$, $\mathbf{c}_{\tau}^\star$, $\mathbf{c}_{\mathbf{s}}^\star$ generated by $\adv$.
+  At this point, two cases can be distinguished. First, if $\mathbf{c}_M \neq \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^\star + \mathbf{D}_0 \cdot \mathbf{s}^\star \bmod q$, then algorithm
+  $\bdv$ can
+  find a short vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}}_1)=\Lambda_q^{\perp}( {\mathbf{D}})$  exactly as in the proof of Lemma~\ref{le:lwe-gs-type-II-attacks}.  In the event that $\mathbf{c}_M = \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^\star + \mathbf{D}_0 \cdot \mathbf{s}^\star $,
+  $\bdv$ can use the fact that  the collision $\mathbf{c}_M = \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i^\dagger)} } + \mathbf{D}_0 \cdot {\mathbf{s}^{(i^\dagger)} }  $  allows computing
+  $$ \mathbf{w}=   \mathbf{s}^\star -{\mathbf{s}^{(i^\dagger)}}  + \sum_{k=1}^N \mathbf{R}_k \cdot \left(\mathfrak{m}_k^\star - \mathfrak{m}_k^{(i^\dagger)} \right)  ~ \in \ZZ^{2m} ,  $$
+  which belongs to   $\Lambda_q^{\perp}(\mathbf{D}_0)$ and has   norm $\| \mathbf{w} \|_2 \leq N \sigma (2m)^{3/2} + 4 \sigma_1 m^{3/2}  $. Moreover, it
+  is non-zero with overwhelming probability. Indeed, there exists at least one $k \in [1,N]$ such that  $\mathfrak{m}_k^{(i^\dagger)} \neq \mathfrak{m}_k^\star$. Let us assume w.l.o.g.
+  that they 	differ in their first two bits where  $\mathfrak{m}_k^{(i^\dagger)}$ contains a $0$  and  $\mathfrak{m}_k^\star$ contains a $1$ (recall that each bit $b$
+  is encoded as $(\bar{b},b)$ in both messages).
+  This implies that $ {\mathbf{s}'' }^{(i^\dagger)} $ (as computed in (\ref{sim-s-prime})) does not depend on the first column of $\mathbf{R}_k$ but $\mathbf{w}$ does.
+  Hence, given that the columns of $\mathbf{R}_k$ have at least $n$ bits of min-entropy conditionally on $\mathbf{D}_k =\mathbf{D}_0 \cdot \mathbf{R}_k$, the vector
+  $\mathbf{w} \in \ZZ^{2m}$ is unpredictable to the adversary.
+
+  Due to the definition of $\mathbf{D}_0 \in \ZZ_q^{2n \times 2m}$ in (\ref{def-D0}), we finally note that
+  $\mathbf{w} \in \ZZ^{2m}$ is also a short  non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$.
+
+  \medskip	
+
+  \noindent $\bullet$ If $coin=2$, $\bdv$ faithfully generates $\mathsf{par}$ and $PK$, but it retains the extraction trapdoor $(\mathbf{E}_0,\mathbf{E}_1)$ associated with the dual Regev public keys
+  $(\mathbf{G}_0,\mathbf{G}_1)$. Note that $\adv$ can break the soundness of the proof system by either: (i) Generating ciphertexts
+  $\{\mathbf{c}_k\}_{k=1}^N$ and $\mathbf{c}_{s'}$ that do not encrypt an opening of $\mathbf{c}_{\mathfrak{m}}$ in the signature issuing protocol; (ii) Generating ciphertexts
+  $\{\mathbf{c}_k\}_{k=1}^N$, $\mathbf{c}_{\tau}$, $\mathbf{c}_{\mathbf{v}_1}$, $\mathbf{c}_{\mathbf{v}_2}$ and $\mathbf{c}_{s}$ that do not encrypt a valid signature in the $\mathsf{Prove}$ protocol.
+  In either case, the reduction $\bdv$ is able to detect the event by decrypting dual Regev ciphertext using $(\mathbf{E}_0,\mathbf{E}_1)$ and create a breach in the
+  soundness of the argument system. \medskip
+
+  It it easy to see that, since $coin \in \{0,1,2 \}$ is chosen independently of $\adv$'s view, it turns out to be correct with probability $1/3$. As a consequence, if $\adv$'s  advantage
+  is non-negligible, so is $\bdv$'s.
+\end{proof}
 
 \begin{theorem} \label{anon-cred}
 The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption.
 \end{theorem}
 
+\begin{proof}
+  The proof is rather straightforward and consists of a sequence of three games.
+  \medskip
+
+  \begin{description}
+    \item[\textsf{Game} 0:] This is the real game. Namely, the adversary is given common public parameters $\mathsf{par}$ and comes up with a public key $PK$ of its own.
+      The adversary can run oblivious signing protocols with honest users. At each query, the adversary chooses a user index $i$ and triggers an execution of the signing protocol
+      with the challenger emulating the honest users. At some point, the adversary chooses some user index $i^\star$ for which the execution of the signing protocol ended successfully.
+      At this point, the challenger $\bdv$   runs the real $\mathsf{Prove}$ protocol on behalf of user $i$.   At the end of the game, the adversary outputs
+      a bit $b' \in \{0,1\}$. We define $W_0$ to be the event that
+      $b'=1$.
+      \smallskip
+
+    \item[\textsf{Game} 1:] This game is like  \textsf{Game} $0$ with the difference that, at each execution of the $\mathsf{Prove}$ protocol, the challenger runs the zero-knowledge
+      simulator of the interactive proof system. The latter simulator uses either a trapdoor hidden in the common reference string (if Damg\aa rd's technique \cite{Damg00} is used) or
+      proceeds by programming the random oracle which allows implementing the Fiat-Shamir heuristic. In either case, the statistical zero-knowledge property ensures that the
+      adversary cannot distinguish \textsf{Game} $1$ from \textsf{Game} $0$ and $|\Pr[W_1] - \Pr[W_0] | \in \mathsf{negl}(\lambda)$.
+      \smallskip
+
+    \item[Game 3:]  This game is like \textsf{Game} $1$ except that, at each execution of the $\mathsf{Prove}$ protocol, the ciphertexts $\{\mathbf{c}_k\}_{k=1}^N$, $\mathbf{c}_s$, $\mathbf{c}_{\tau}$,
+      and $\mathbf{c}_{\mathbf{v}_1}$, $\mathbf{c}_{\mathbf{v}_2}$ encrypt random messages instead of the actual witnesses.  The semantic security of the dual Regev cryptosystem ensures that,
+      under the $\LWE_{n,q,\chi}$ assumption, the adversary is unable to see the difference. Hence, we have $|\Pr[W_2] - \Pr[W_1]| \leq \mathbf{Adv}_{\bdv}^{\mathsf{LWE}}(\lambda)$.
+  \end{description}
+  \medskip
+
+  \noindent In \textsf{Game} $2$, we can notice that the adversary is interacting with a simulator that emulates the user in the $\mathsf{Prove}$ protocol \textit{without} using
+  any message-signature pair. We thus conclude that, under the $\LWE_{n,q,\chi}$ assumption, $\adv$'s view cannot distinguish a real proof of signature possession from a simulated proof
+  produced without any witness.
+\end{proof}
+
 \section{Subprotocols for Stern-like Argument}
 \addcontentsline{tof}{section}{\protect\numberline{\thesection} Protocoles pour les preuves à la Stern}
 \label{se:gs-lwe-stern}
@@ -954,3 +1091,6 @@ as the permutation that transforms $\mathbf{z}$ as follows:
 \end{enumerate}
 \end{itemize}
 It can be check that~(\ref{eq:zk-equivalence}) holds. Therefore, we can obtain a statistical \textsf{ZKAoK} for the given relation by running the protocol in \cref{sse:stern-abstraction}.
+
+\section{A Dynamic Lattice-Based Group Signature}
+\input{merge}