Commit

change #link to #cite
tideofwords committed Jul 5, 2024
1 parent f834ef7 commit 42eb4d4
Showing 6 changed files with 18 additions and 18 deletions.
20 changes: 10 additions & 10 deletions easy/src/ec.typ
Expand Up @@ -20,7 +20,7 @@ The roadmap goes roughly as follows:
which we need to make to provide security to our protocols. As an example, in
@eddsa we describe how @ddh
can be used to construct a signature scheme, namely
#link("https://en.wikipedia.org/wiki/EdDSA", "EdDSA").
#cite("https://en.wikipedia.org/wiki/EdDSA", "EdDSA").
- The EdDSA idea will later grow up to be the KZG commitment scheme in @kzg.

= Elliptic curves <ec>
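Review bot: the `#cite(...)` calls in this hunk keep `#link`'s two positional arguments (URL, display text), but Typst's built-in `cite` takes a bibliography key rather than a URL and a label, so `#cite("https://en.wikipedia.org/wiki/EdDSA", "EdDSA")` only compiles if the project shadows `cite` with its own wrapper, e.g. `#let cite(url, body) = link(url, body)`. That definition is not part of this diff; it should either land in the same commit or be named in the commit message so a reader knows why the rename is safe.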
Expand All @@ -29,7 +29,7 @@ Every modern cryptosystem rests on a hard problem
-- a computationally infeasible challenge
whose difficulty makes the protocol secure.
The best-known example is
#link("https://en.wikipedia.org/wiki/RSA_(cryptosystem)", "RSA"),
#cite("https://en.wikipedia.org/wiki/RSA_(cryptosystem)", "RSA"),
which is secure because
it is hard to factor a composite number (like $6177$)
into prime factors ($6177 = 71 dot 87$).
Expand Down Expand Up @@ -65,10 +65,10 @@ The BN254 specification fixes a specific#footnote[
large prime $p approx 2^(254)$
(and a second large prime $q approx 2^(254)$ that we define later)
which has been specifically engineered to have certain properties
(Jonathan Wang has a #link("https://hackmd.io/@jpw/bn254", "blog post")
(Jonathan Wang has a #cite("https://hackmd.io/@jpw/bn254", "blog post")
about the properties of this curve).
The name BN stands for Barreto-Naehrig, two mathematicians who
#link("https://link.springer.com/content/pdf/10.1007/11693383_22.pdf",
#cite("https://link.springer.com/content/pdf/10.1007/11693383_22.pdf",
"proposed a family of such curves in 2006").

#definition[
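Review bot: the Barreto-Naehrig reference on the `#cite("https://link.springer.com/content/pdf/10.1007/11693383_22.pdf", ...)` line points at Springer's direct PDF path; if these `#cite` calls are meant to become durable references rather than inline links, the DOI landing page `https://doi.org/10.1007/11693383_22` (the DOI is already embedded in the URL) is the stabler target.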
Expand All @@ -91,7 +91,7 @@ The constants $p$ and $q$ are contrived so that the following holds:
]
#definition[
This prime $q approx 2^(254)$ is affectionately called the _Baby Jubjub prime_
(a reference to #link("https://w.wiki/5Ck3", "The Hunting of the Snark")).
(a reference to #cite("https://w.wiki/5Ck3", "The Hunting of the Snark")).
It will usually be denoted by $q$ in these notes.
]

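Review bot: the Baby Jubjub citation uses a `w.wiki` short link (`#cite("https://w.wiki/5Ck3", ...)`), and the same shortener is used for the group law, repeated squaring, Hasse's theorem, Curve25519 and EdDSA links later in this file. Short links hide the target from anyone reading the source and depend on the redirector staying up; since the commit is turning these into citations, consider expanding them to the full Wikipedia article URLs, as the EdDSA and RSA citations earlier in the file already do.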
Expand All @@ -100,7 +100,7 @@ However, right now it only has the structure of a set.

The beauty of elliptic curves
is that it's possible to define an *addition* operation on the curve;
this is called the #link("https://w.wiki/9jhM", "group law on the elliptic curve").
this is called the #cite("https://w.wiki/9jhM", "group law on the elliptic curve").
This addition will make $E(FF_p)$ into an abelian group whose identity element
is the point at infinity $O$. This addition can be formalized as a _group law_, which is an equation that points on the curve must follow.

Expand Down Expand Up @@ -280,7 +280,7 @@ In other words, $n$ will generally be thought of as being up to about $2^(254)$

On the other hand, given $g in E$,
one can compute $n dot g$ in just $O(log n)$ operations,
by #link("https://w.wiki/9jim", "repeated squaring").
by #cite("https://w.wiki/9jim", "repeated squaring").
For example, to compute $400g$, one only needs to do $10$ additions,
rather than $400$: one starts with
$
Expand Down Expand Up @@ -312,7 +312,7 @@ once the identity element $O = (0, oo)$ is added in.

How large is $E(FF_p)$?
There is a theorem called
#link("https://w.wiki/9jhi", "Hasse's theorem") that states
#cite("https://w.wiki/9jhi", "Hasse's theorem") that states
the number of points in $E(FF_p)$ is between $p+1-2sqrt(p)$ and $p+1+2sqrt(p)$.
But there is no promise that $E(FF_p)$ will be _prime_;
consequently, it may not be a cyclic group either.
Expand All @@ -321,7 +321,7 @@ the choice of constants in BN254 is engineered to get a prime order.

There are other curves used in practice for which $E(FF_p)$
is not a prime, but rather a small multiple of a prime.
The popular #link("https://w.wiki/9jhp", "Curve25519") is such a curve
The popular #cite("https://w.wiki/9jhp", "Curve25519") is such a curve
that is also believed to satisfy @ddh.
Curve25519 is defined as $ Y^2 = X^3 + 486662X^2 + X $ over $FF_p$
for the prime $p := 2^(255)-19$.
Expand All @@ -337,7 +337,7 @@ which is defined in @pairing-friendly when we need it later.
== Example application: EdDSA signature scheme <eddsa>

We'll show how @ddh can be used to construct a signature scheme that replaces RSA.
This scheme is called #link("https://w.wiki/4usy", "EdDSA"),
This scheme is called #cite("https://w.wiki/4usy", "EdDSA"),
and it's used quite frequently (e.g. in OpenSSH and GnuPG).
One advantage it has over RSA is that its key size is much smaller:
both the public and private key are 256 bits.
2 changes: 1 addition & 1 deletion easy/src/kzg.typ
Expand Up @@ -108,7 +108,7 @@ $ & pair([Q(s)], [(s-1)(s-2) ... (s-9)]) \
& = pair([P(s)] - 100[s^2], [1]). $

The full generality just replaces the $100X^2$ with the polynomial
obtained from #link("https://w.wiki/8Yin", "Lagrange interpolation")
obtained from #cite("https://w.wiki/8Yin", "Lagrange interpolation")
(there is a unique such polynomial $f$ of degree $n-1$).
To spell this out, suppose Peggy wishes to prove to Victor that
$P(z_i) = y_i$ for $1 <= i <= n$.
4 changes: 2 additions & 2 deletions easy/src/mpc.typ
Expand Up @@ -13,10 +13,10 @@ for Bob.

Yao’s Garbled Circuits is one of the most well-known 2PC protocols
(Vitalik has a great explanation on his
#link("https://vitalik.eth.limo/general/2020/03/21/garbled.html")[blog];).
#cite("https://vitalik.eth.limo/general/2020/03/21/garbled.html")[blog];).
The protocol is quite clever, and optimized variants of the protocol are
being
#link("https://github.com/privacy-scaling-explorations/mpz/tree/dev/garble")[implemented and used today];.
#cite("https://github.com/privacy-scaling-explorations/mpz/tree/dev/garble")[implemented and used today];.

== The Problem
<the-problem>
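Review bot: this hunk uses the content-block form `#cite("...")[blog];` and `#cite("...")[implemented and used today];`, while every other file in the commit uses the two-string form `#cite(url, "text")`. Whatever replaces `link` has to accept both: a wrapper written as `#let cite(url, body) = link(url, body)` does, because Typst passes a trailing `[...]` block as the final positional argument, but a wrapper that only takes `body` as a named parameter would reject these two calls. Worth compiling `mpc.typ` specifically before merging.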
4 changes: 2 additions & 2 deletions easy/src/pair.typ
Expand Up @@ -98,13 +98,13 @@ In fact, this element will always be a $q$-th root of unity in $FF_(p^k)$,
and it will satisfy $pair([m], [n]) = zeta^(m n)$,
where $zeta$ is some fixed $q$-th root of unity.
The construction of the pairing is based on the
#link("https://en.wikipedia.org/wiki/Weil_pairing", "Weil pairing")
#cite("https://en.wikipedia.org/wiki/Weil_pairing", "Weil pairing")
in algebraic geometry.
How to compute these pairings is well beyond the scope of these notes;
the raw definition is quite abstract,
and a lot of work has gone into computing the pairings efficiently.
(For more details, see these
#link("https://crypto.stanford.edu/pbc/notes/ep/pairing.html", "notes").)
#cite("https://crypto.stanford.edu/pbc/notes/ep/pairing.html", "notes").)

The difficulty of computing these pairings is determined by the size of $k$:
the values $pair(a, b)$ will be elements of a field of size $p^k$,
4 changes: 2 additions & 2 deletions easy/src/plonk.typ
Expand Up @@ -65,13 +65,13 @@ but they do matter a lot to engineers and end users.

But it turns out that Quad-SAT is actually reasonably code-able.
This is the goal of projects like
#link("https://docs.circom.io/", "Circom"),
#cite("https://docs.circom.io/", "Circom"),
which gives a high-level language that compiles a function like SHA-256
into a system of equations over $FF_q$ that can be used in practice.
Systems like this are called _arithmetic circuits_,
and Circom is appropriately short for "circuit compiler".
If you're curious, you can see how SHA256 is implemented in Circom on
#link("https://github.com/iden3/circomlib/blob/master/circuits/sha256/sha256.circom",
#cite("https://github.com/iden3/circomlib/blob/master/circuits/sha256/sha256.circom",
"GitHub").

So, the first step in proving a claim like
2 changes: 1 addition & 1 deletion easy/src/zkintro.typ
Expand Up @@ -40,7 +40,7 @@ Or: You know a message $M$, and a digital signature proving that $M$ was signed
[trusted authority], such that a certain neural network, run on the input $M$, outputs "Good."

One recent application along these lines is
#link("https://tlsnotary.org", "TLSNotary").
#cite("https://tlsnotary.org", "TLSNotary").
TLSNotary lets you certify a transcript of communications with a server
in a privacy-preserving way: you only reveal the parts you want to.
