Copy edits (#1)

easy/src/copy-constraints.typ

@@ -5,7 +5,7 @@
 
 = Copy Constraints in PLONK <copy-constraints>
 
-The last step is to check the copy constraints.
+Now we elaborate on Step 3 which we deferred back in @copy-constraint-deferred.
 As an example, the constraints might be:
 $ a_1 = a_4 = c_4
   #h(1em) "and" #h(1em)
@@ -212,9 +212,9 @@ There are six initialization conditions
     F_a (omega^1) &= A(omega^1) + omega^1 mu + lambda \
     F_b (omega^1) &= B(omega^1) + eta omega^1 mu + lambda \
     F_c (omega^1) &= C(omega^1) + eta^2 omega^1 mu + lambda \
-    F_a (omega^1) &= A(omega^1) + sigma_a (omega^1) mu + lambda \
-    F_b (omega^1) &= B(omega^1) + sigma_b (omega^1) mu + lambda \
-    F_c (omega^1) &= C(omega^1) + sigma_c (omega^1) mu + lambda.
+    F_a' (omega^1) &= A(omega^1) + sigma_a (omega^1) mu + lambda \
+    F_b' (omega^1) &= B(omega^1) + sigma_b (omega^1) mu + lambda \
+    F_c' (omega^1) &= C(omega^1) + sigma_c (omega^1) mu + lambda.
   $
   <copycheck-init>
 ]

easy/src/ec.typ

@@ -402,7 +402,7 @@ build the KZG commitment scheme.
 
 == Example application: Pedersen commitments <pedersen>
 
-A _commitment scheme_ is a protocol where Alice wants to commit some value $x$ to Bob that is later revealed. Typically Alice gives Bob some "commitment" $c(x)$ and later reveals $x$. What we want is that this protocol is both _binding_ (Alice cannot change her mind about $x$ depending on Bob's later actions) and _hiding_ (Bob does not get any information about $x$ from $c(x)$). The KZG scheme we are building towards will be a commitment scheme for polynomials, but we can already use elliptic curves to commit *numbers* with something called a Pedersen commitment, which we will now describe.
+A _commitment scheme_ is a protocol where Alice wants to commit some value $x$ to Bob that is later revealed. Typically Alice gives Bob some "commitment" $Com(x)$ and later reveals $x$. What we want is that this protocol is both _binding_ (Alice cannot change her mind about $x$ depending on Bob's later actions) and _hiding_ (Bob does not get any information about $x$ from $Com(x)$). The KZG scheme we are building towards will be a commitment scheme for polynomials, but we can already use elliptic curves to commit *numbers* with something called a Pedersen commitment, which we will now describe.
 
 A multivariable generalization of @ddh is that if $g_1, ..., g_n in E$
 are a bunch of randomly chosen points of $E$ with order $q$,

easy/src/kzg.typ

@@ -51,7 +51,7 @@ Then anyone in the world can use the resulting sequence for KZG commitments.
   And so forth.
   In the end, the value $s$ will be the product of the secrets $s_i$
   chosen by the $i$ parties... so the only way they can break secrecy
-  is if all the "trusted parties" collaborate.
+  is if all the "trusted parties" collude.
 ]
 
 #pagebreak() // TODO manual pagebreak for printed easy; stopgap hack
@@ -150,7 +150,8 @@ Here's the problem statement:
 
 Peggy just needs to show is that $P_1-P_2$
 is divisible by $Z(X) := product_(z in S) (X-z)$.
-This can be done by committing the quotient $H(X) := (P_1(X) - P_2(X)) / Z(X)$.
+This can be done by committing the quotient
+$ H(X) := (P_1(X) - P_2(X)) / Z(X). $
 Victor then gives a random challenge $lambda in FF_q$,
 and then Peggy opens $Com(P_1)$, $Com(P_2)$, and $Com(H)$ at $lambda$.
 

easy/src/plonk.typ

@@ -23,9 +23,8 @@ equations.
     dots.v \
     Q_m (x_1 , dots, x_k) & = 0.
   $
-
   Of these $k$ variables,
-  the first $ell$ ($x_1, dots, x_ell$) have publicly known, fixed values;
+  the first $ell$ variables $x_1, dots, x_ell$ have publicly known, fixed values;
   the remaining $k - ell$ are unknown.
 
   PLONK will let Peggy prove to Victor the following claim:
@@ -44,7 +43,7 @@ If you are not familiar with this concept, the upshot is that Quad-SAT
 being NP-complete means it can serve as a reasonable arithmetization that can
 express most reasonable (NP) problems.
 
-#remark([Quad-SAT is NP-complete])[
+#remark([Example of Quad-SAT encoding 3-SAT])[
   We assume knowledge of 3-SAT and it being NP-complete.
   The following example instance illustrates how to convert
   any instance of 3-SAT into a Quad-SAT problem:
@@ -134,10 +133,10 @@ systems of quadratic equations of a very particular form:
   $ ( q_(L,i), q_(R,i), q_(O,i), q_(M,i), q_(C,i)) = ( 0, 0, -1, 1, 0 ), $
   we get a "multiplication" gate
   $a_i b_i = c_i.$
-  Finally, if $q$ is any constant, then
-  $ ( q_(L,i), q_(R,i), q_(O,i), q_(M,i), q_(C,i)) = ( 1, 0, 0, 0, -q ), $
+  Finally, if $kappa$ is any constant, then
+  $ ( q_(L,i), q_(R,i), q_(O,i), q_(M,i), q_(C,i)) = ( 1, 0, 0, 0, -kappa ), $
   gives the constraint
-  $a_i = q.$
+  $a_i = kappa.$
 
   Now imagine we want to encode some quadratic equation
   like
@@ -279,7 +278,7 @@ or there are at most $3n-4$ values for which it's true
 ]
 */
 
-== Step 3: Proving the copy constraints
+== Step 3: Proving the copy constraints <copy-constraint-deferred>
 
 The copy constraints are the trickiest step.
 There are a few moving parts to this idea, so we skip it for now and dedicate

easy/src/snark-takeaways.typ

@@ -2,7 +2,7 @@
 
 #takeaway[SNARK Takeaways][
 1. A _SNARK_ can be used to succinctly prove that a piece of computation has been done correctly; specifically, it proves to some Verifier that the Prover had the K(nowledge) of some information that worked as feasible inputs to some computational circuit.
-2. The _arithmetization_ of the circuit is a way of converting circuits to arithmetic. Specifically for PLONK (but also other SNARKs, e.g. Groth16), our arithmetization is systems of quadratic equations over $FF_q$, meaning that what PLONK does under the hood is proving that a system of these equations are satisfied.
+2. The _arithmetization_ of the circuit is a way of converting circuits to arithmetic. Specifically for PLONK (but also other SNARKs, e.g. Groth16), our arithmetization is systems of quadratic equations over $FF_q$, meaning that what PLONK does under the hood is prove that a system of these equations are satisfied.
 3. The work under the hood of PLONK comes down to polynomial commitments (specifically KZG). KZG allows PLONK's gate checks and copy checks.
 4. The N(oninteractivity) of SNARKs basically come down to the _Fiat-Shamir heuristic_, which is very common in this field. Generally speaking, the "meat" of zkSNARKs are mostly about S(uccinctness) of the AR(guments).
 ]

easy/src/zkintro.typ

@@ -12,12 +12,12 @@ is too lazy to redo the whole calculation himself.
   and she wants to prove that she found a solution
   without saying what the solution is.
 - Maybe it's just a really long, annoying calculation,
-  and Victor doesn't have the energy to check it all line-by-line.
+  and Victor does not have the energy to check it all line-by-line.
 
 A _SNARK_#h(0.05em) lets Peggy (the "prover")
 send Victor (the "verifier") a short proof
 that she has indeed done the calculation correctly.
-The proof will much shorter than the original calculation,
+The proof will be much shorter than the original calculation,
 and Victor's verification is much faster.
 (As a tradeoff, writing a SNARK proof of a calculation is much slower
 than just doing the calculation.)