diff --git a/ACNS/ACNS.tex b/ACNS/ACNS.tex index 5920560f1df6de43eee13c11fe0b815fc61b4650..ffad161a585c9ffea85a6315290c290aa57c9221 100644 --- a/ACNS/ACNS.tex +++ b/ACNS/ACNS.tex @@ -4,6 +4,10 @@ \newif\ifshamir \shamirtrue +\newif\ifsubsection +\subsectiontrue + + %\documentclass[conference]{IEEEtran} \documentclass[runningheads]{llncs} @@ -24,21 +28,19 @@ \titlerunning{On Actively Secure Access Structures from Isogeny Assumptions} \ifpublic -\author{Philipp Muth\inst{1} -\and -Fabio Campos\inst{2,3}} +\author{Fabio Campos\inst{1,2} \and Philipp Muth\inst{3}} -\authorrunning{Philipp Muth, Fabio Campos} +\authorrunning{} \institute{\relax - Technische Universität Darmstadt, Germany\\ - \email{philipp.muth@tu-darmstadt.de} - \and RheinMain University of Applied Sciences, Wiesbaden, Germany \and Radboud University, Nijmegen, The Netherlands \\ \email{campos@sopmac.de} + \and + Technische Universität Darmstadt, Germany\\ + \email{philipp.muth@tu-darmstadt.de} } \else @@ -101,7 +103,12 @@ By characterising the necessary properties, we open our schemes to a significant % of the abstract to achieve this. Many IEEE journals/conferences frown on % math in the abstract anyway. - +\begingroup +\makeatletter +\def\@thefnmark{} \@footnotetext{\relax +Author list in alphabetical order; see +\url{https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf}.} +\endgroup %\tableofcontents %\input{roadmap} diff --git a/ACNS/generalsss.tex b/ACNS/generalsss.tex index 6a516fdb2c956b937f4f247a7ada98ea137fdbff..3f0cbb7318ea9f444476854cff2a186f71207153 100644 --- a/ACNS/generalsss.tex +++ b/ACNS/generalsss.tex 
@@ -1,10 +1,13 @@ \section{Generalising the Secret Sharing Schemes}\label{sec.generalsss} -We constructed the protocols above in the context of Shamir's secret sharing protocol \cite{Shamir:1979:HSS}. The key exchange mechanism in \secref{sec.kem} as well as the signature scheme in \secref{sec.signatures} can be extended to more general secret sharing schemes. In the following, we characterise the requirements that a secret sharing scheme has to meet in order to successfully implement the key exchange mechanism and the signature scheme.\\ +We constructed the protocols above in the context of Shamir's secret sharing protocol \cite{Shamir:1979:HSS}. The key exchange mechanism in \secref{sec.kem} as well as the signature scheme in \secref{sec.signatures} can be extended to more general secret sharing schemes. In the following, we characterise the requirements that a secret sharing scheme has to meet in order to successfully implement the key exchange mechanism and the signature scheme. %\subsection{Compatibility requirements} - +\ifsubsection +\subsection{Compatibility Requirements} +\else \noindent\textbf{\\Compatibility Requirements.} +\fi \begin{definition}[Independent Reconstruction] We say a secret sharing instance \(\mathcal S = \left(S, \Gamma, G\right)\) is \emph{independently reconstructible}, if, for any shared secret \(s \in G\), any \(S'\in\Gamma\) and any shareholder \(P_i\in S'\), \(P_i\)'s input to reconstructing \(s\) is independent of the share of each other engaged shareholder \(P_j\in S'\). \end{definition} 
@@ -19,12 +22,15 @@ A secret sharing scheme compatible with our key exchange mechanism and signature It is necessary, that \(G=\Z_p\) for some prime \(p\) holds to enable the mapping \(\cdot \mapsto [\cdot ]\). This requirement may be loosened by replacing \(\cdot \mapsto [\cdot]\) appropriately. To enable two-level sharing, it has to hold that for a share \(s_i \in \mathcal S.\share\paren* s\) of a secret \(s\), \(s_i \in G\) holds. %Also, for a secret \(s\) and any \(s_i \in \set{s_1,\ldots, s_k} \gets \mathcal S.\share\paren* s\), \(s_i \in G\) has to hold to enable key generation with two-level sharing. -The secret sharing scheme also has to allow for a PVP scheme, that is compatible with a zero-knowledge proof for the GAIP.\\ +The secret sharing scheme also has to allow for a PVP scheme, that is compatible with a zero-knowledge proof for the GAIP. %And lastly, the access structure \(\Gamma\) for the secret sharing instance has to support superauthorised sets of shareholders. As we discussed in Section \ref{sec.kem}, this is necessary to ensure the soundness of the PVP. -%\subsection{Examples of secret sharing schemes} -\noindent\textbf{Examples of Secret Sharing Schemes.} +\ifsubsection +\subsection{Examples of secret sharing schemes} +\else +\noindent\textbf{\\Examples of Secret Sharing Schemes.} +\fi \begin{itemize} \item It is evident, that Shamir's approach fulfills all aforementioned requirements. In fact, the two-level sharing and the PVP have been tailored to Shamir's polynomial based secret sharing approach. diff --git a/ACNS/keyexchange.tex b/ACNS/keyexchange.tex index 5325c0039ac5986ae33cd31fba9ba201bfaea106..4ddf8e93b586690fbf87ec0c1765d230b6a6f4e9 100644 --- a/ACNS/keyexchange.tex +++ b/ACNS/keyexchange.tex 
@@ -2,10 +2,13 @@ %\todo{argument for superauthorised sets} A key exchange mechanism is a cryptographic public key scheme that provides three protocols: \(\mathsf{KeyGen}\), \(\mathsf{Encaps}\) and \(\mathsf{Decaps}\). These enable a party to establish an ephemeral key between the holder of the secret key. -We present our actively secure key exchange mechanism with private key that is secret shared among a set of shareholders. An authorised subset can execute the \(\mathsf{Decaps}\) protocol with reconstructing the secret key. \\ +We present our actively secure key exchange mechanism with private key that is secret shared among a set of shareholders. An authorised subset can execute the \(\mathsf{Decaps}\) protocol with reconstructing the secret key. -%\subsection{Public Parameters} -\noindent\textbf{Public Parameters.} +\ifsubsection +\subsection{Public Parameters} +\else +\noindent\textbf{\\Public Parameters.} +\fi We fix the following publically known parameters. \begin{itemize} 
@@ -15,10 +18,13 @@ We fix the following publically known parameters. \item A fixed element \(g \in\mathcal G\) with \(\mathsf{ord} g = p\) for the mapping \([\cdot] \cdot: \Z_p \times \mathcal E \to \mathcal E; s \mapsto g^s E\). \end{itemize} -We give our key exchange mechanism in the context of Shamir's secret sharing scheme and elaborate possible extensions to other, more general secret sharing schemes in \secref{sec.generalsss}.\\ +We give our key exchange mechanism in the context of Shamir's secret sharing scheme and elaborate possible extensions to other, more general secret sharing schemes in \secref{sec.generalsss}. -%\subsection{Key Generation} -\noindent\textbf{Key Generation.} +\ifsubsection +\subsection{Key Generation} +\else +\noindent\textbf{\\Key Generation.} +\fi \ifshamir \todo{koennen wir den shareholdern nicht einfach ihr Polynom geben? (gleicher Informationsgehalt)} A public and secret key pair is established by a trusted dealer (even an untrusted dealer is feasible by employing verifiable secret sharing schemes) executing \algoref{fig.keygen}. For that he samples a secret key \(s\) and publishes the public key \(\pk \gets [s] E_0\). The secret key \(s\) is then shared among the \(\set{P_1, \ldots, P_n}\) via \(\mathcal S.\share\paren*s\). The dealer shares each share \(s_i\), \(i=1,\ldots, n\), once more with a sharing polynomial \(f_i\). Each shareholder \(P_i\), \(i=1,\ldots, n\), eventually receives \(s_i\), \(f_i\) and \(f_k\paren* i\), that is his share \(s_i\) of \(s\), the polynomial \(f_i\) and a share \(f_j\paren* i\) of each other \(s_j\), \(j \neq i\). 
@@ -85,7 +91,7 @@ For ease of notation we denote the polynomial with which the secret key \(s\) wa \end{comment} \todo{added motivation} -This key generation protocol can be regarded as a "two-level sharing", where each share of the secret key is itself shared again among the shareholders. While this is not necessary for De Feo and Meyer's passively secure protocol, we require the two-level sharing in ensuring the active security of our key encapsulation mechanism.\\ +This key generation protocol can be regarded as a "two-level sharing", where each share of the secret key is itself shared again among the shareholders. While this is not necessary for De Feo and Meyer's passively secure protocol, we require the two-level sharing in ensuring the active security of our key encapsulation mechanism. %A sketch of it can be found in \hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}.\\ % \begin{figure} % \procedure[space = auto]{$\mathsf{KeyGen}$}{ @@ -103,9 +109,11 @@ This key generation protocol can be regarded as a "two-level sharing", where eac % \caption{The key generation protocol} % \label{fig.keygen} % \end{figure} - -%\subsection{Encapsulation} -\noindent\textbf{Encapsulation.} +\ifsubsection +\subsection{Encapsulation} +\else +\noindent\textbf{\\Encapsulation.} +\fi With a public key \(\pk \in \mathcal E\) as input, the encapsulation protocol returns an ephemeral key \(\mathcal K\in \mathcal E\) and a ciphertext \(c\in \mathcal E\). Our encapsulation protocol is identical to the protocol of \cite{FeoM20}, thus we just give a short sketch and refer to De Feo's and Meyer's work for the respective proofs of security.\\ 
@@ -135,9 +143,11 @@ Our encapsulation protocol is identical to the protocol of \cite{FeoM20}, thus w \caption{Encapsulation} \label{fig.encaps} \end{algorithm} - -%\subsection{Decapsulation} +\ifsubsection +\subsection{Decapsulation} +\else \noindent\textbf{Decapsulation.} +\fi A decapsulation protocol takes a ciphertext \(c\) and outputs a key \(\mathcal K\). De Feo and Meyer \cite{FeoM20} applied the threshold group action (\algoref{fig.tga}) so that an authorised set \(S'\in\Gamma\) decapsulates a ciphertext \(c\) and produces an ephemeral key \(\left[s\right] c = \left[s\right] \left(b\ast E_0\right) = b \ast \left(\left[s\right] E_0\right)\). %\todo{Satz raffen} @@ -147,9 +157,12 @@ For that, the shareholders agree on an arbitrary order of turns. With \(E^0: =c\ Their approach is simulatable. It does not leak any information on the shares \(s_i\), yet it is only passively secure. Thus, a malicious shareholder can provide malformed input to the protocol and thereby manipulate the output of the computation towards incorrect results without the other parties recognising this deviation from the protocol. %\todo{clarify the round-robin approach to decaps} We extend their approach to enable detecting misbehaving shareholders in a decapsulation. For that we maintain the threshold group action and apply the PVP and zero-knowledge proof layed out in \secref{sec.prelim}. -\\ -\noindent\textbf{Amending the PVP.} +\ifsubsection +\subsection{Amending the PVP} +\else +\noindent\textbf{\\Amending the PVP.} +\fi %The PVP does not fit our setting of threshold group action, hence we first discuss the necessary modifications to the PVP. We then present our actively secure decapsulation protocol. In the PVP protocol sketched in \secref{sec.prelim}, a prover produces a proof of knowledge for a witness polynomial \(f\) of the statement \(\left(\left(E_0,E_1\right),s_1, \ldots, s_n\right),\) 
@@ -435,10 +448,12 @@ The correctness of our key exchange mechanism presented in \algoref{fig.keygen}, \[\sk = \sum_{P_i \in S'} L_{i,S'} s_i.\] Furthermore, let \(\left(\mathcal K,c\right) \gets \mathsf{Encaps}\paren* \pk\). To show correctness, \(\mathcal K' = \mathcal K\) has to hold, where \(\mathcal K' \gets \mathsf{Decaps}\paren*{c,S'}\). Now, after executing \(\mathsf{Decaps}\paren*{c,S'}\), we have \(\mathcal K' = E^{\#S'}\) emerging as the result of the threshold group action applied to \(c\). This gives us \[ \mathcal K' = \left[\sum_{P_i \in S'} L_{i,S'}s_i \right] c = \left[\sk\right] \left(b\ast E_0\right) = b \ast \pk = \mathcal K.\] -The decapsulation is executed by superauthorised sets \(S^\ast \in \Gamma^+ \subset \Gamma\). This shows that our key exchange mechanism is correct.\\ - -%\subsection{Security} -\noindent\textbf{Security.} +The decapsulation is executed by superauthorised sets \(S^\ast \in \Gamma^+ \subset \Gamma\). This shows that our key exchange mechanism is correct. +\ifsubsection +\subsection{Security} +\else +\noindent\textbf{\\Security.} +\fi There are two aspects of security to consider: \begin{itemize}[noitemsep,topsep=0pt] 
@@ -446,8 +461,12 @@ There are two aspects of security to consider: \item Simulatability: An adversary that corrupts an unauthorised set of shareholders cannot learn any information about the uncorrupted shareholders' inputs from an execution of the decapsulation protocol. We show this by proving the simulatability of \(\mathsf{Decaps}\). \end{itemize} - -\noindent\textbf{Active security.} +\ +\ifsubsection +\subsection{Active security} +\else +\noindent\textbf{\\Active security.} +\fi \begin{theorem} Let \(S^\ast \in \Gamma^+\) and let \(\left(\pk,\sk\right) \gets \mathsf{KeyGen}\) be a public/secret key pair, where \(\sk\) has been shared. Also let \(\left(\mathcal K,c\right) \gets \mathsf{Encaps}\paren*{\pk}\). Denote the transcript of \(\mathsf{Decaps}\paren*{c,S^\ast}\) by \[\left(E^k,\left(R_k, R_k'\right),\left(\pi^k,\set{\pi^k_j}_{P_j\in S^\ast}\right), zk_k\right)_{k=1,\ldots, \#S^\ast} .\] @@ -492,8 +511,11 @@ There are two aspects of security to consider: Since \(f'\) has degree at most \(k-1\), it is well-defined from \eqref{eq.interpol}. Thus, we have \(f' \equiv L_{i',S^\ast} f_{i'}\), where \(f_{i'}\) is the polynomial with which \(s_i\) was shared, i.e., \(f_{i'} \paren* 0 = s_i\). This gives us \(\alpha = f' \paren* 0 = L_{i',S^\ast} f_{i'} \paren* 0 = L_{i',S^\ast} s_{i'j}\). We arrive at a contradiction, assuming the soundness of the PVP. \fi \end{proof} - +\ifsubsection +\subsection{Simulatability} +\else \noindent\textbf{Simulatability.} +\fi We show that an adversary who corrupts an unauthorised subset of shareholder does not learn any additional information from an execution of the decapsulation protocol. %For that we prove the simulatability of the decapsulation. \begin{definition}[Simulatability] 
@@ -598,8 +620,11 @@ The input for each simulator is a ciphertext \(c\), a derived key \(\mathcal K\) \(\simul^4\) outputs a transcript of the decapsulation protocol with input \(c\) and output \(\mathcal K\) that cannot be distinguished from the output of \(\simul^1\), which is indistinguishable from a real execution protocol. \fi \end{proof} -%\subsection{Efficiency} +\ifsubsection +\subsection{Efficiency} +\else \noindent\textbf{Efficiency.} +\fi Each shareholder engaged in an execution of the decapsulation protocol has one round of messages to send. The messages of the \(k\)-th shareholder consist of the tuple \(\left(R_k,R_k'\right)\), a PVP proof \(\left(\pi^k,\set{\pi^k_j}_{P_j\in S^\ast}\right)\), the output \(E^k\) and the zero-knowledge proof \(zk\). Thus, the total size of a shareholder's messages is \begin{align*} &2 x + 2c + \lambda k \log p + 2\lambda (\#S^\ast) + x + \lambda k \log p + \lambda\\ diff --git a/ACNS/preliminaries.tex b/ACNS/preliminaries.tex index bee98fb4d958e5c5b1e326739a235e86209a6fc2..4531a8c0b4591bc0ce7c193f3bae2671e80dfa72 100644 --- a/ACNS/preliminaries.tex +++ b/ACNS/preliminaries.tex 
@@ -4,10 +4,13 @@ Throughout this work we use a security parameter \(\lambda\in \N\). It is implicitly handed to a protocol whenever needed, that is protocols with computational security. Information theoretic schemes and protocols such as secret sharing schemes used in this work do not require a security parameter.%are not affected by this. %For a set \(X = \set{x_i}_{i \in I}\) with index set \(I\), we denote the projection onto a subset \(I'\subset I\) by \(X_{I'} = \set{x_i \in X : i\in I'}\). The same holds for indexed tuples \(\left(x_i\right)_{i\in I}\).\\ -For an indexed set \(X = \set{x_i}_{i \in I}\), we denote the projection onto a subset \(I'\subset I\) by \(X_{I'} = \set{x_i \in X : i\in I'}\). The same holds for indexed tuples \(\left(x_i\right)_{i\in I}\).\\ +For an indexed set \(X = \set{x_i}_{i \in I}\), we denote the projection onto a subset \(I'\subset I\) by \(X_{I'} = \set{x_i \in X : i\in I'}\). The same holds for indexed tuples \(\left(x_i\right)_{i\in I}\). -%\subsection{Secret Sharing Schemes} -\noindent\textbf{Secret Sharing Schemes.} +\ifsubsection +\subsection{Secret Sharing Schemes} +\else +\noindent\textbf{\\Secret Sharing Schemes.} +\fi A secret sharing scheme is a cryptographic primitive that allows a dealer to share a secret among a set of shareholders. An instance is thus defined by a secret space \(G\), a set of shareholders \(S\) and an access structure \(\Gamma_{\mathcal S}\). %An instance \(\mathcal S\) of a secret sharing scheme is a cryptographic primitive defined by a secret space \(G\), a set of shareholders \(S\) and an access structure \(\Gamma_{\mathcal S}\). A set \(S'\in\Gamma_{\mathcal S}\) is called \emph{authorised} and can from their respective shares reconstruct a shared secret. If the instance \(\mathcal S\) is clear from the context, we omit the index in the access structure \(\Gamma\). 
In this work, we consider monotone access structures, that is for any \(A\subset B \subset S\) with \(A\in\Gamma\), we also have \(B \in \Gamma\). @@ -44,8 +47,11 @@ Any superauthorised set is also authorised. %We consider some additional properties of secret sharing schemes, that come into use when extending the key exchange mechanism so accommodate more general secret sharing schemes. -%\subsection{Hard Homogeneous Spaces} +\ifsubsection +\subsection{Hard Homogeneous Spaces} +\else \noindent\textbf{Hard Homogeneous Spaces.} +\fi We present our key exchange mechanism and signature scheme in the context of \emph{hard homogeneous spaces} (HHS). HHS were first discussed by Couveignes \cite{DBLP:journals/iacr/Couveignes06} in 2006. He defines a HHS \(\left(\mathcal E, \mathcal G\right)\) as a set \(\mathcal E\) and a group \(\left(\mathcal G, \odot\right)\) equipped with a transitive action \( \ast : \mathcal G \times \mathcal E \to \mathcal E\). This action has the following properties: \begin{itemize} @@ -132,9 +138,11 @@ The intuitive decisional continuation of this problem is as follows. \end{remark} \end{comment} - -%\subsection{Threshold Group Action} +\ifsubsection +\subsection{Threshold Group Action} +\else \noindent\textbf{Threshold Group Action.} +\fi Let \(s\) be a Shamir shared secret among shareholders \(P_1,\ldots,P_n\), that is each \(P_i\) holds a share \(s_i\) of \(s\), \(i=1,\ldots, n\). To compute \(E' = \left[s\right] E\) for an arbitrary but fixed \(E \in \mathcal E\) without reconstructing \(s\), we have an authorised set of shareholders execute \algoref{fig.tga}. If it is executed successfully, we have by the compatibility property of \(\ast\) and the repeated application of \(E^k \gets \left[L_{i,S'} s_i\right]E^{k-1}\) the result \[E^{\# S'} = \left[\sum_{P_i \in S'} L_{i,S'} s_i \right] E = \left[ s\right] E.\] 
@@ -159,8 +167,11 @@ If it is executed successfully, we have by the compatibility property of \(\ast\ %\end{center} -%\subsection{Piecewise Verifiable Proofs} +\ifsubsection +\subsection{Piecewise Verifiable Proofs} +\else \noindent\textbf{Piecewise Verifiable Proofs.} +\fi A piecewise verifiable proof (PVP) is a cryptographic primitive in the context of hard homogeneous spaces and was first introduced in \cite{DBLP:conf/pqcrypto/BeullensDPV21}. It is a compact non-interactive zero-knowledge proof of knowledge of a witness \(f \in \Z_q\left[X\right]\) for a statement \begin{equation} x=\left(\left(E_0,E_1\right), s_1, \ldots, s_n\right), 
@@ -190,7 +201,7 @@ Let \(\mathcal R = \set{\left(x,f\right)}\), where \(f\) is a witness for the st is negligible in the security parameter \(\lambda\), where \(P\) is an oracle that upon input \(\left(x,f\right)\) returns \(\left(\pi,\set{\pi_j}_{j \in I}\right)\) with \(\left(\pi,\set{\pi_j}_{j = 0, \ldots, n}\right)\gets\mathsf{PVP}.P\paren*{f,x}\). \end{definition} We refer to \cite{DBLP:conf/pqcrypto/BeullensDPV21} for the precise proving and verifying protocols and the security thereof. In combination they state a complete, sound and zero-knowledge non-interactive PVP. -A prover can hence show knowledge of a sharing polynomial \(f\) to a secret \(s_0 = f\paren* 0\) with shares \(s_i = f\paren* i\). In \secref{sec.kem}, we adjust \cite{DBLP:conf/pqcrypto/BeullensDPV21}'s proving protocol to our setting of threshold schemes, so that knowledge of a subset of interpolation points is proven instead of all interpolation points. \\ +A prover can hence show knowledge of a sharing polynomial \(f\) to a secret \(s_0 = f\paren* 0\) with shares \(s_i = f\paren* i\). In \secref{sec.kem}, we adjust \cite{DBLP:conf/pqcrypto/BeullensDPV21}'s proving protocol to our setting of threshold schemes, so that knowledge of a subset of interpolation points is proven instead of all interpolation points. %Let \(\mathcal R= \set{\left(x,f\right)}\) denote the set of statements \(x\) of the form \eqref{eq.pvprelation}, for which \(f\) is a witness polynomial. For a subset \(I \subset \set{1,\ldots, n}\), we denote by \(\mathcal R_I\) the set of partial relations %\[\set{\left(x_I,f\right)\vert \exists x \colon \left(x,f\right) \in \mathcal R \wedge x_I = x\vert_I},\] %where \(x\vert_I\) is the projection of \(x\) to the coordinates contained in \(I\). 
@@ -199,9 +210,11 @@ A prover can hence show knowledge of a sharing polynomial \(f\) to a secret \(s_ %In this work, the prover is assumed to be a shareholder with index \(i\). Thus a PVP scheme consists of a proving and a verifying protocol. We denote the proving protocol by \(\mathsf{PVP}.P\), its input is the prover's index \(i\), the witness \(f\), a superauthorised set \(S'\) and the partial statement \(x_{S'}\). The verifying protocol \(\mathsf{PVP}.V\) has the prover's index \(i\), the verifyer's \(j\), the set \(S'\), the verifier's partial statement \(x_j\) and the proof piece \(\left(\pi,\pi_j\right)\) as input. %The proving and verifying protocols for superauthorised sets of shareholders are given in \autoref{fig.tpvpp} and \autoref{fig.tpvpv}, respectively. - -%\subsection{Zero-Knowledge Proofs for the GAIP} -\noindent\textbf{Zero-Knowledge Proofs for the GAIP.} +\ifsubsection +\subsection{Zero-Knowledge Proofs for the GAIP} +\else +\noindent\textbf{\\Zero-Knowledge Proofs for the GAIP.} +\fi We give a non-interactive zero-knowledge proof protocol for an element \(s\in\Z_p\) with respect to the group action inverse problem. %We define a proving and a verifying protocol to non-interactively prove knowledge of an element \(s\in\Z_p\) in zero-knowledge with respect to the group action inverse problem. That is, a prover shows the knowledge of \(s\) so that 
@@ -218,17 +231,21 @@ via a hash function \(\mathcal H : \mathcal E^{(2+\lambda)m}\to \set{0,1}^\lambd The verification protocol is straight forward: given a statement \(\left(E_i,E'_i\right)_{i=1,\ldots,m}\) and a proof \(\pi = \left(c_1,\ldots, c_\lambda, r_1,\ldots, r_\lambda\right)\), the verifier computes \(\tilde E_{i,j}\gets \left[r_j\right] E_i\) if \(c_j = 0\) and \(\tilde E_{i,j} \gets \left[r_j\right] E'_i\) otherwise, for \(i = 1, \ldots, m\) and \( j = 1, \ldots, \lambda\). He then generates verification bits \(\left(\tilde c_1 ,\ldots \tilde c_\lambda\right) \gets \mathcal H\paren*{E_1, E_1' , \ldots, E_m, E_m', \tilde E_{1,1} \ldots, \tilde E_{m,\lambda}}\) and accepts the proof if \(\left(c_1,\ldots, c_\lambda\right) = \left(\tilde c_1, \ldots, \tilde c_\lambda\right)\). We sketch the proving and verifying protocols in \algoref{fig.zkp} and \algoref{fig.zkv}, respectively. -Again, we refer to \cite{DBLP:conf/asiacrypt/BeullensKV19} for the proof of completeness, soundness and zero-knowledge with respect to the security parameter \(\lambda\).\\ - -%\subsection{The Adversary} -\noindent\textbf{The Adversary.} +Again, we refer to \cite{DBLP:conf/asiacrypt/BeullensKV19} for the proof of completeness, soundness and zero-knowledge with respect to the security parameter \(\lambda\). +\ifsubsection +\subsection{The Adversary} +\else +\noindent\textbf{\\The Adversary.} +\fi We consider a static and active adversary. At the beginning of a protocol execution, the adversary corrupts a set of shareholders. The adversary is able to see their inputs and control their outputs. The set of corrupted shareholders cannot be changed throughout the execution of the protocol. %The adversary's aim is two-fold. On the one hand it wants to obtain information on the uncorrupted parties' inputs, on the other hand it wants to falsify the output of the execution of our protocol without being detected.\\ - The adversary's aim is two-fold. 
On the one hand it wants to obtain information on the uncorrupted parties' inputs, on the other hand it wants to manipulate the execution of our protocol towards an incorrect output without detection.\\ - -%\subsection{Communication channels} -\noindent\textbf{Communication Channels.} + The adversary's aim is two-fold. On the one hand it wants to obtain information on the uncorrupted parties' inputs, on the other hand it wants to manipulate the execution of our protocol towards an incorrect output without detection. +\ifsubsection +\subsection{Communication channels} +\else +\noindent\textbf{\\Communication Channels.} +\fi %Both our schemes assume the existence of a trusted dealer in addition to the shareholders engaged in a secret sharing instance. Both our schemes assume the existence of a trusted dealer in the secret sharing instance. %The dealer samples and shares a private key and publishes the according public key. The shareholders store the private key and execute the multiparty protocols for decapsulation in our key exchange mechanism (KEM) and signing in our signature scheme. diff --git a/ACNS/signatures.tex b/ACNS/signatures.tex index 4d0e58e9c0d21aabd4922546db99aeb5b6fa82a8..4ba3ae0667eda396abfd79cf936b386aba62a24e 100644 --- a/ACNS/signatures.tex +++ b/ACNS/signatures.tex 
@@ -105,7 +105,11 @@ Similar to \cite{DBLP:conf/asiacrypt/BeullensKV19}, the results from \cite{DBLP: \end{algorithm} \fi -\noindent \textbf{Instantiations.} As a practical instantiation, we propose the available parameter set for CSIDH-512 HHS from \cite{DBLP:conf/asiacrypt/BeullensKV19}. Currently no other instantiation of the presented schemes seems feasible in a practical sense. Furthermore, according to recent works \cite{DBLP:conf/eurocrypt/Peikert20,DBLP:conf/eurocrypt/BonnetainS20} CSIDH-512 may not reach the initially estimated security level. +\ifsubsection +\subsection{Instantiations} +\else +\noindent \textbf{Instantiations.} +\fi As a practical instantiation, we propose the available parameter set for CSIDH-512 HHS from \cite{DBLP:conf/asiacrypt/BeullensKV19}. Currently no other instantiation of the presented schemes seems feasible in a practical sense. Furthermore, according to recent works \cite{DBLP:conf/eurocrypt/Peikert20,DBLP:conf/eurocrypt/BonnetainS20} CSIDH-512 may not reach the initially estimated security level. %Active security in our signing protocol is achieved by applying the Fiat-Shamir-transfer to the decapsulation protocol presented above. This gives us a signing protocol, in which each engaged shareholder outputs messages exactly once, making the protocol very efficient.
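Review bot: In ACNS/ACNS.tex, hunk `@@ -24,21 +28,19 @@`, `\authorrunning{}` is now empty. With `\documentclass[runningheads]{llncs}` the even-page running head is built from this argument, so the public build will print blank author headers. Suggest `\authorrunning{F. Campos and P. Muth}` to match the reordered `\author{Fabio Campos\inst{1,2} \and Philipp Muth\inst{3}}`.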
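Review bot: In ACNS/ACNS.tex, hunk `@@ -101,7 +103,12 @@`, the unmarked footnote (`\def\@thefnmark{} \@footnotetext{...}`) explains the alphabetical author order, which is only visible in the `\ifpublic` branch of the author block; as placed after the abstract it is emitted in every build, including an anonymised one. Suggest wrapping it in `\ifpublic ... \fi` (or moving it next to the `\author` line) and dropping the leading `\relax` inside the footnote text, which does nothing there. Also confirm the footnote lands on the title page rather than wherever the abstract ends, since `\@footnotetext` attaches to the current page.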
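Review bot: In ACNS/generalsss.tex, hunk `@@ -1,10 +1,13 @@`, the `\else` branch loses its paragraph break. The trailing `\\` was removed from the preceding paragraph and the blank line before `\noindent\textbf{\\Compatibility Requirements.}` was dropped, while `%\subsection{...}`, `\ifsubsection`, and `\else` each end in a comment or a plain newline, so no `\par` occurs before the bold heading; `\noindent` is then a no-op and the `\\` inside `\textbf{}` forces a line break within the running paragraph (typically with an underfull hbox warning). Suggest a blank line (or `\par\medskip\noindent`) after `\else` and removing the `\\` from inside `\textbf{}`. The same pattern recurs in the `\else` branches for Public Parameters, Key Generation, Encapsulation, Amending the PVP, Security, Active security, Secret Sharing Schemes, Zero-Knowledge Proofs for the GAIP, The Adversary and Communication Channels, whereas Decapsulation, Simulatability, Efficiency, Hard Homogeneous Spaces, Threshold Group Action, Piecewise Verifiable Proofs and Instantiations have no `\\`, so heading spacing is inconsistent in the non-subsection build. Since `\subsectiontrue` is the default (ACNS.tex, hunk `@@ -4,6 +4,10 @@`), none of these `\else` branches is compiled by default; please build once with `\subsectionfalse` before merging to check the fallback still typesets, and drop the two extra blank lines added after `\subsectiontrue`.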
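Review bot: In ACNS/keyexchange.tex, hunk `@@ -446,8 +461,12 @@`, the added line consisting of a lone `\` directly after `\end{itemize}` is a control space (`\` followed by end of line reads as `\ `), which starts a new paragraph containing only a space before `\ifsubsection`. This looks like a typo for the blank line that was removed; delete it.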
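Review bot: In ACNS/keyexchange.tex, hunks `@@ -147,9 +157,12 @@`, `@@ -446,8 +461,12 @@` and `@@ -492,8 +511,11 @@`, "Amending the PVP" is part of the Decapsulation discussion, and "Active security" and "Simulatability" are exactly the two items enumerated under "Security" ("There are two aspects of security to consider"), yet all three become `\subsection` and so appear as siblings of Decapsulation and Security in the section hierarchy. Suggest `\subsubsection` for these three in the `\ifsubsection` branch so the structure matches the text.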
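Review bot: Heading capitalisation is mixed across the new `\subsection` titles: `\subsection{Examples of secret sharing schemes}` (generalsss.tex, hunk `@@ -19,12 +22,15 @@`), `\subsection{Active security}` (keyexchange.tex, hunk `@@ -446,8 +461,12 @@`) and `\subsection{Communication channels}` (preliminaries.tex, hunk `@@ -218,17 +231,21 @@`) use sentence case, while every other title, and the corresponding `\textbf{...}` fallbacks ("Examples of Secret Sharing Schemes", "Communication Channels"), use title case. Pick one convention for both branches. In the same preliminaries.tex hunk, the merged "The adversary's aim is two-fold." line keeps a leading space; harmless to TeX but worth trimming, and the visible context lines carry the typos "verifyer" and "straight forward" (and "publically" in keyexchange.tex, hunk `@@ -2,10 +2,13 @@`) that could be fixed while these files are being touched.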