diff --git a/ACNS/generalsss.tex b/ACNS/generalsss.tex
index 901545328205cff428fae7ca7d7c5ca8ed20a6ca..e1225ca4e8a7c7d4acef3a03089cc5f4935c24a0 100644
--- a/ACNS/generalsss.tex
+++ b/ACNS/generalsss.tex
@@ -16,9 +16,10 @@ A secret sharing scheme compatible with our key exchange mechanism and signature
 \end{definition}
 %If the secret space is \(\Z_p\), this means that the shareholders' inputs are combined via addition.
 
-It is furthermore necessary, that  \(G=\Z_p\) for some prime \(p\) holds to enable the mapping \(\cdot \mapsto [\cdot ]\). This requirement may be loosened by replacing \(\cdot \mapsto [\cdot]\) appropriately. Also, for a secret \(s\) and any \(s_i \in \set{s_1,\ldots, s_k} \gets \mathcal S.\share\paren* s\), \(s_i \in G\) has to hold to enable key generation with two-level sharing.
-
-Furthermore, the secret sharing scheme has to allow for a PVP scheme, that is compatible with a zero-knowledge proof for the GAIP.\\
+It is necessary, that  \(G=\Z_p\) for some prime \(p\) holds to enable the mapping \(\cdot \mapsto [\cdot ]\). This requirement may be loosened by replacing \(\cdot \mapsto [\cdot]\) appropriately.
+To enable two-level sharing, it has to hold that for a share \(s_i \in \mathcal S.\share\paren* s\) of a secret \(s\), \(s_i \in G\) holds.
+%Also, for a secret \(s\) and any \(s_i \in \set{s_1,\ldots, s_k} \gets \mathcal S.\share\paren* s\), \(s_i \in G\) has to hold to enable key generation with two-level sharing.
+The secret sharing scheme also has to allow for a PVP scheme, that is compatible with a zero-knowledge proof for the GAIP.\\
 
 %And lastly, the access structure \(\Gamma\) for the secret sharing instance has to support superauthorised sets of shareholders. As we discussed in Section \ref{sec.kem}, this is necessary to ensure the soundness of the PVP.
 
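Review bot: The added sentence on two-level sharing states its condition twice ("it has to hold that ... \(s_i \in G\) holds") and writes \(s_i \in \mathcal S.\share\paren* s\) as if the sharing algorithm returned a set, whereas the sentence it replaces (kept as a comment on the next line) used \(\set{s_1,\ldots, s_k} \gets \mathcal S.\share\paren* s\). Suggest one notation and one verb, for example "To enable two-level sharing, every share \(s_i\) output by \(\mathcal S.\share\paren* s\) has to lie in \(G\)." The commented-out old sentence can be dropped, since the diff already records it. The rewritten first sentence also still carries the stray comma and double space in "It is necessary, that  \(G=\Z_p\)".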
@@ -28,7 +29,7 @@ Furthermore, the secret sharing scheme has to allow for a PVP scheme, that is co
 \begin{itemize}
 	\item It is evident, that Shamir's approach fulfills all aforementioned requirements. In fact, the two-level sharing and the PVP have been tailored to Shamir's polynomial based secret sharing approach.
 	\item Tassa \cite{DBLP:conf/tcc/Tassa04} extended Shamir's approach of threshold secret sharing to a hierarchical access structure. To share a secret \(s\in\Z_p\) with prime \(p\), a polynomial \(f\) with constant term \(s\) is sampled. Shareholders of the top level of the hierarchy are assigned interpolation points of \(f\) as in Shamir's scheme. The \(k\)-th level of the hierarchy receives interpolation points of the \(k-1\)st derivative of \(f\). The shares of in Tassa's scheme are elements of \(\Z_p\) themselves. 
-		The key generation (\hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}) must be streamlined in that for any shareholder, instead of receiving the shares with which his share of the secret key was shared among the other shareholders, he receives a description of the polynomial utilised in sharing his share. Hence all derivatives utilised can easily be computed.
+		The key generation (\hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}) must be adapted so that a shareholder receives a description of the polynomial utilised in sharing his share, instead of receiving the shares with which his share of the secret key was shared. Hence all derivatives utilised can easily be computed.
 		%the shares The two-level sharing in the key generation protocol can be executed as given in \hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}. For any shareholder, the polynomial, with which his share of the secret key was again shared, is handed to him. Thus all derivatives used in the sharing  are known the respective shareholder.
 		Reconstructing a shared secret is achieved via Birkhoff interpolation, the execution of which is independent and self-contained. 
 		The zero-knowledge proof (\hyperref[fig.zkp]{Algorithm \ref{fig.zkp}} and \hyperref[fig.zkv]{Algorithm \ref{fig.zkv}}) as well as the piecewise verifiable proof (\hyperref[fig.tpvpp]{Algorithm \ref{fig.tpvpp}} and \hyperref[fig.tpvpv]{Algorithm \ref{fig.tpvpv}}) thus directly transfer to Tassa's approach utilising the appropriate derivatives in the verifying protocols.
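Review bot: In the rewritten key generation sentence, "a description of the polynomial utilised in sharing his share" does not say what form the description takes, and dropping "among the other shareholders" makes "the shares with which his share of the secret key was shared" harder to parse. The next sentence ("Hence all derivatives utilised can easily be computed") depends on what exactly the shareholder receives, so state it explicitly. The unchanged item text just above still reads "The shares of in Tassa's scheme"; worth fixing in the same pass.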
diff --git a/ACNS/keyexchange.tex b/ACNS/keyexchange.tex
index bfa3322cf6ea854462c8b3681b4a4ef5792c705a..71070e2f9a662463c0c0e56e0d7034ba1463fecc 100644
--- a/ACNS/keyexchange.tex
+++ b/ACNS/keyexchange.tex
@@ -394,7 +394,9 @@ The input for each simulator is a ciphertext \(c\), a derived key \(\mathcal K\)
 		\(\forall P_j \in \adv: f'_i \paren* i = s_{ij}\)
 		uniformly at random for each \(P_i \in S^\ast \setminus \adv\). Since \(\adv\) is unauthorised, \(f'_i\) exists.
 
-		\(\simul^1\) then proceeds by honestly producing the output of each \(P_i \in S^\ast\setminus \adv\) according to the decapsulation protocol, i.e., it samples \(R_k \sample \mathcal E\), computes \(R_k' \gets \left[L_{i,S^\ast} f_i'\paren* 0\right] R_k\) and outputs \[\mathsf{PVP}.P\paren*{i,f_i',S^\ast,\left(\left(R_k,R_k'\right),\left(L_{i,S^\ast}s_{ij}\right)_{P_j \in S^\ast}\right)}\], \(E^k \gets \left[L_{i,S^\ast} s'_i\right] E^{k-1}\) and \(\mathsf{ZK}.P\paren*{\left(R_k, R_k'\right),\left(E^{k-1},E^k\right),L_{i,S^\ast}f'_i\paren* 0}\), where \(k\) is the index of \(P_i\)'s output in the transcript, \(s_{ij}: = f_i'\paren* j\) for \(P_j \in S^\ast \setminus \adv\) and \(s'_i := f_i'\paren* 0\). Since, for all \(P_i \in S^\ast\setminus\adv\), \(s_i\) is information theoretically hidden to the adversary, the resulting transcript is identically distributed to a real transcript.
+		\(\simul^1\) then proceeds by honestly producing the output of each \(P_i \in S^\ast\setminus \adv\) according to the decapsulation protocol, i.e., it samples \(R_k \sample \mathcal E\), computes \(R_k' \gets \left[L_{i,S^\ast} f_i'\paren* 0\right] R_k\) and outputs 
+		\[\mathsf{PVP}.P\paren*{i,f_i',S^\ast,\left(\left(R_k,R_k'\right),\left(L_{i,S^\ast}s_{ij}\right)_{P_j \in S^\ast}\right)},\]
+		\(E^k \gets \left[L_{i,S^\ast} s'_i\right] E^{k-1}\) and \(\mathsf{ZK}.P\paren*{\left(R_k, R_k'\right),\left(E^{k-1},E^k\right),L_{i,S^\ast}f'_i\paren* 0}\), where \(k\) is the index of \(P_i\)'s output in the transcript, \(s_{ij}: = f_i'\paren* j\) for \(P_j \in S^\ast \setminus \adv\) and \(s'_i := f_i'\paren* 0\). Since, for all \(P_i \in S^\ast\setminus\adv\), \(s_i\) is information theoretically hidden to the adversary, the resulting transcript is identically distributed to a real transcript.
 
 	\item Let \(i'\) denote the index of the last honest party in the execution of the decapsulation protocol and \(k'\) the index of its output. \(\simul^2\) behaves exactly as \(\simul^1\) with the exception, that it does not compute the PVP itself but calls the simulator \(\simul^\mathsf{PVP}\) for the PVP to generate the proof \(\left(\pi^{k'},\set{\pi^{k'}_j}\right)\) for the statement \(\left(\left(R_{k'},R_{k'}'\right), \left(L_{i,S^\ast} s_{i'j}\right)_{P_j \in S^\ast}\right)\). Since the PVP is zero-knowledge, \(\simul^2\)'s output is indistinguishable from that of \(\simul^1\).
 
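Review bot: After the split, the line following the display still lists \(E^k \gets \left[L_{i,S^\ast} s'_i\right] E^{k-1}\) among the things \(\simul^1\) "outputs", although it is written as an assignment, and the same sentence names one exponent two ways (\(L_{i,S^\ast} s'_i\) there, \(L_{i,S^\ast}f'_i\paren* 0\) inside \(\mathsf{ZK}.P\)). Please make explicit whether \(E^k\) is only computed or also output, and use one name throughout. The new line ending in "and outputs " has trailing whitespace. In the surrounding context, the constraint \(f'_i \paren* i = s_{ij}\) does not match the later definition \(s_{ij} := f_i'\paren* j\), and the \(\simul^2\) item pairs \(L_{i,S^\ast}\) with \(s_{i'j}\); both indices should be checked while this paragraph is being touched.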
diff --git a/ACNS/signatures.tex b/ACNS/signatures.tex
index e59bcd6619f9a570211a9eaa86ae8894693d3286..c94e7e2e1c360434633df99554be3cc202f696af 100644
--- a/ACNS/signatures.tex
+++ b/ACNS/signatures.tex
@@ -5,8 +5,6 @@ A signature scheme consists of three protocols: key generation, signing and veri
 
 Similar to \cite{DBLP:conf/asiacrypt/BeullensKV19}, the results from \cite{DBLP:conf/crypto/DonFMS19} on Fiat-Shamir in the QROM can be applied to our setting as follows. First, in the case without hashing, since the sigma protocol has special soundness \cite{DBLP:conf/asiacrypt/BeullensKV19} and in our case perfect unique reponses, \cite{DBLP:conf/crypto/DonFMS19} shows that the protocol is a quantum proof of knowledge. Further, in the case with hashing, the collapsingness property implies that the protocol has unique responses in a quantum scenario.\\
 
-\noindent \textbf{Instantiations.} As a practical instantiation, we propose the available parameter set for CSIDH-512 HHS from \cite{DBLP:conf/asiacrypt/BeullensKV19}. Currently no other instantiation of the presented schemes seems feasible in a practical sense. Furthermore, according to recent works \cite{DBLP:conf/eurocrypt/Peikert20,DBLP:conf/eurocrypt/BonnetainS20} CSIDH-512 may not reach the initially estimated security level.
-
 \begin{algorithm}[]
     \DontPrintSemicolon
     \SetAlgoShortEnd
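Review bot: With the Instantiations paragraph removed from this spot, the trailing \\ on the context line ending "unique responses in a quantum scenario.\\" no longer separates the text from a run-in heading and is now a forced line break at the end of a paragraph directly before \begin{algorithm}; that typically yields an underfull \hbox warning and no useful spacing. Suggest dropping the \\ as part of this change. The same context line contains the typo "reponses".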
@@ -56,8 +54,7 @@ Similar to \cite{DBLP:conf/asiacrypt/BeullensKV19}, the results from \cite{DBLP:
     \label{fig.sign}
 \end{algorithm}
 
-
-
+\noindent \textbf{Instantiations.} As a practical instantiation, we propose the available parameter set for CSIDH-512 HHS from \cite{DBLP:conf/asiacrypt/BeullensKV19}. Currently no other instantiation of the presented schemes seems feasible in a practical sense. Furthermore, according to recent works \cite{DBLP:conf/eurocrypt/Peikert20,DBLP:conf/eurocrypt/BonnetainS20} CSIDH-512 may not reach the initially estimated security level.
 
 
 %Active security in our signing protocol is achieved by applying the Fiat-Shamir-transfer to the decapsulation protocol presented above. This gives us a signing protocol, in which each engaged shareholder outputs messages exactly once, making the protocol very efficient.
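Review bot: The moved Instantiations paragraph is pasted unchanged, so "according to recent works \cite{...} CSIDH-512 may not reach" still runs the citation into the main clause with no comma and a breakable space before \cite. Suggest "recent works~\cite{...}, CSIDH-512 may not reach ...". The paragraph is also followed by two blank lines, while the other hunks in this file remove such runs; trimming them here would keep the cleanup consistent.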
@@ -104,9 +101,6 @@ Similar to \cite{DBLP:conf/asiacrypt/BeullensKV19}, the results from \cite{DBLP:
 % 	\label{fig.sign}
 % \end{figure}
 
-
-
-
 % \begin{figure}
 % 	\procedure[space= auto]{$\mathsf{Verify}\paren*{m,s,\pk}$}{
 % 		\text{parse } \left(c_1,\ldots, c_\lambda, z_1,\ldots, z_\lambda\right) \gets s\\
@@ -124,8 +118,6 @@ Similar to \cite{DBLP:conf/asiacrypt/BeullensKV19}, the results from \cite{DBLP:
 % 	\label{fig.ver}
 % \end{figure}
 
-
-
 \begin{comment}
 A signature scheme consists of three protocols for key generation, signing and verifying, respectively. We transfer the unmodified key generation protocol from the key exchange mechnism in \autoref{sec.kem} to our signature scheme. The signing and verifying protocols are given in \autoref{fig.sign} and \autoref{fig.ver}, respectively.
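Review bot: This hunk only trims blank lines around dead text: the commented-out figure ending in "% \end{figure}" stays, and the \begin{comment} block that follows repeats the section opening shown in the hunk header ("A signature scheme consists of three protocols ..."). Rather than tidying the spacing around it, consider deleting the commented-out material, since the history keeps it. If the comment block stays, "mechnism" in its first line should read "mechanism".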