From 42eb4d4e3cc03cb236644c35f5510cf61a18dbf1 Mon Sep 17 00:00:00 2001 From: Brian Lawrence Date: Fri, 5 Jul 2024 15:27:11 -0700 Subject: [PATCH] change #link to #cite --- easy/src/ec.typ | 20 ++++++++++---------- easy/src/kzg.typ | 2 +- easy/src/mpc.typ | 4 ++-- easy/src/pair.typ | 4 ++-- easy/src/plonk.typ | 4 ++-- easy/src/zkintro.typ | 2 +- 6 files changed, 18 insertions(+), 18 deletions(-) diff --git a/easy/src/ec.typ b/easy/src/ec.typ index ecdec37..ab3b5b7 100644 --- a/easy/src/ec.typ +++ b/easy/src/ec.typ @@ -20,7 +20,7 @@ The roadmap goes roughly as follows: which we need to make to provide security to our protocols. As an example, in @eddsa we describe how @ddh can be used to construct a signature scheme, namely - #link("https://en.wikipedia.org/wiki/EdDSA", "EdDSA"). + #cite("https://en.wikipedia.org/wiki/EdDSA", "EdDSA"). - The EdDSA idea will later grow up to be the KZG commitment scheme in @kzg. = Elliptic curves @@ -29,7 +29,7 @@ Every modern cryptosystem rests on a hard problem -- a computationally infeasible challenge whose difficulty makes the protocol secure. The best-known example is -#link("https://en.wikipedia.org/wiki/RSA_(cryptosystem)", "RSA"), +#cite("https://en.wikipedia.org/wiki/RSA_(cryptosystem)", "RSA"), which is secure because it is hard to factor a composite number (like $6177$) into prime factors ($6177 = 71 dot 87$). 
@@ -65,10 +65,10 @@ The BN254 specification fixes a specific#footnote[ large prime $p approx 2^(254)$ (and a second large prime $q approx 2^(254)$ that we define later) which has been specifically engineered to have certain properties -(Jonathan Wang has a #link("https://hackmd.io/@jpw/bn254", "blog post") +(Jonathan Wang has a #cite("https://hackmd.io/@jpw/bn254", "blog post") about the properties of this curve). The name BN stands for Barreto-Naehrig, two mathematicians who -#link("https://link.springer.com/content/pdf/10.1007/11693383_22.pdf", +#cite("https://link.springer.com/content/pdf/10.1007/11693383_22.pdf", "proposed a family of such curves in 2006"). #definition[ @@ -91,7 +91,7 @@ The constants $p$ and $q$ are contrived so that the following holds: ] #definition[ This prime $q approx 2^(254)$ is affectionately called the _Baby Jubjub prime_ - (a reference to #link("https://w.wiki/5Ck3", "The Hunting of the Snark")). + (a reference to #cite("https://w.wiki/5Ck3", "The Hunting of the Snark")). It will usually be denoted by $q$ in these notes. ] @@ -100,7 +100,7 @@ However, right now it only has the structure of a set. The beauty of elliptic curves is that it's possible to define an *addition* operation on the curve; -this is called the #link("https://w.wiki/9jhM", "group law on the elliptic curve"). +this is called the #cite("https://w.wiki/9jhM", "group law on the elliptic curve"). This addition will make $E(FF_p)$ into an abelian group whose identity element is the point at infinity $O$. This addition can be formalized as a _group law_, which is an equation that points on the curve must follow. 
@@ -280,7 +280,7 @@ In other words, $n$ will generally be thought of as being up to about $2^(254)$ On the other hand, given $g in E$, one can compute $n dot g$ in just $O(log n)$ operations, -by #link("https://w.wiki/9jim", "repeated squaring"). +by #cite("https://w.wiki/9jim", "repeated squaring"). For example, to compute $400g$, one only needs to do $10$ additions, rather than $400$: one starts with $ @@ -312,7 +312,7 @@ once the identity element $O = (0, oo)$ is added in. How large is $E(FF_p)$? There is a theorem called -#link("https://w.wiki/9jhi", "Hasse's theorem") that states +#cite("https://w.wiki/9jhi", "Hasse's theorem") that states the number of points in $E(FF_p)$ is between $p+1-2sqrt(p)$ and $p+1+2sqrt(p)$. But there is no promise that $E(FF_p)$ will be _prime_; consequently, it may not be a cyclic group either. @@ -321,7 +321,7 @@ the choice of constants in BN254 is engineered to get a prime order. There are other curves used in practice for which $E(FF_p)$ is not a prime, but rather a small multiple of a prime. -The popular #link("https://w.wiki/9jhp", "Curve25519") is such a curve +The popular #cite("https://w.wiki/9jhp", "Curve25519") is such a curve that is also believed to satisfy @ddh. Curve25519 is defined as $ Y^2 = X^3 + 486662X^2 + X $ over $FF_p$ for the prime $p := 2^(255)-19$. @@ -337,7 +337,7 @@ which is defined in @pairing-friendly when we need it later. == Example application: EdDSA signature scheme We'll show how @ddh can be used to construct a signature scheme that replaces RSA. -This scheme is called #link("https://w.wiki/4usy", "EdDSA"), +This scheme is called #cite("https://w.wiki/4usy", "EdDSA"), and it's used quite frequently (e.g. in OpenSSH and GnuPG). One advantage it has over RSA is that its key size is much smaller: both the public and private key are 256 bits. diff --git a/easy/src/kzg.typ b/easy/src/kzg.typ index 25d9983..837a15e 100644 --- a/easy/src/kzg.typ +++ b/easy/src/kzg.typ 
@@ -108,7 +108,7 @@ $ & pair([Q(s)], [(s-1)(s-2) ... (s-9)]) \ & = pair([P(s)] - 100[s^2], [1]). $ The full generality just replaces the $100X^2$ with the polynomial -obtained from #link("https://w.wiki/8Yin", "Lagrange interpolation") +obtained from #cite("https://w.wiki/8Yin", "Lagrange interpolation") (there is a unique such polynomial $f$ of degree $n-1$). To spell this out, suppose Peggy wishes to prove to Victor that $P(z_i) = y_i$ for $1 <= i <= n$. diff --git a/easy/src/mpc.typ b/easy/src/mpc.typ index 9047d70..0249b69 100644 --- a/easy/src/mpc.typ +++ b/easy/src/mpc.typ @@ -13,10 +13,10 @@ for Bob. Yao’s Garbled Circuits is one of the most well-known 2PC protocols (Vitalik has a great explanation on his -#link("https://vitalik.eth.limo/general/2020/03/21/garbled.html")[blog];). +#cite("https://vitalik.eth.limo/general/2020/03/21/garbled.html")[blog];). The protocol is quite clever, and optimized variants of the protocol are being -#link("https://github.com/privacy-scaling-explorations/mpz/tree/dev/garble")[implemented and used today];. +#cite("https://github.com/privacy-scaling-explorations/mpz/tree/dev/garble")[implemented and used today];. == The Problem diff --git a/easy/src/pair.typ b/easy/src/pair.typ index ade46b0..0cea86b 100644 --- a/easy/src/pair.typ +++ b/easy/src/pair.typ 
@@ -98,13 +98,13 @@ In fact, this element will always be a $q$-th root of unity in $FF_(p^k)$, and it will satisfy $pair([m], [n]) = zeta^(m n)$, where $zeta$ is some fixed $q$-th root of unity. The construction of the pairing is based on the -#link("https://en.wikipedia.org/wiki/Weil_pairing", "Weil pairing") +#cite("https://en.wikipedia.org/wiki/Weil_pairing", "Weil pairing") in algebraic geometry. How to compute these pairings is well beyond the scope of these notes; the raw definition is quite abstract, and a lot of work has gone into computing the pairings efficiently. (For more details, see these -#link("https://crypto.stanford.edu/pbc/notes/ep/pairing.html", "notes").) +#cite("https://crypto.stanford.edu/pbc/notes/ep/pairing.html", "notes").) The difficulty of computing these pairings is determined by the size of $k$: the values $pair(a, b)$ will be elements of a field of size $p^k$, diff --git a/easy/src/plonk.typ b/easy/src/plonk.typ index 9db3d81..aade41d 100644 --- a/easy/src/plonk.typ +++ b/easy/src/plonk.typ @@ -65,13 +65,13 @@ but they do matter a lot to engineers and end users. But it turns out that Quad-SAT is actually reasonably code-able. This is the goal of projects like -#link("https://docs.circom.io/", "Circom"), +#cite("https://docs.circom.io/", "Circom"), which gives a high-level language that compiles a function like SHA-256 into a system of equations over $FF_q$ that can be used in practice. Systems like this are called _arithmetic circuits_, and Circom is appropriately short for "circuit compiler". If you're curious, you can see how SHA256 is implemented in Circom on -#link("https://github.com/iden3/circomlib/blob/master/circuits/sha256/sha256.circom", +#cite("https://github.com/iden3/circomlib/blob/master/circuits/sha256/sha256.circom", "GitHub"). So, the first step in proving a claim like diff --git a/easy/src/zkintro.typ b/easy/src/zkintro.typ index 8bb11fe..679b3db 100644 --- a/easy/src/zkintro.typ +++ b/easy/src/zkintro.typ 
@@ -40,7 +40,7 @@ Or: You know a message $M$, and a digital signature proving that $M$ was signed [trusted authority], such that a certain neural network, run on the input $M$, outputs "Good." One recent application along these lines is -#link("https://tlsnotary.org", "TLSNotary"). +#cite("https://tlsnotary.org", "TLSNotary"). TLSNotary lets you certify a transcript of communications with a server in a privacy-preserving way: you only reveal the parts you want to.
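Review bot: every hunk in ec.typ, kzg.typ, pair.typ, plonk.typ and zkintro.typ hands `#cite` a URL string and a display-text string, e.g. `#cite("https://en.wikipedia.org/wiki/EdDSA", "EdDSA")`, but Typst's built-in `cite` takes a single positional bibliography label (`#cite(<key>)`) and expects the entry to exist in a `#bibliography(...)` file, so these calls will fail with a type error at compile time unless the project defines its own `cite` that shadows the built-in, and no such definition or bibliography entry appears anywhere in this patch. Either keep `#link(url, text)` for these external references, or add the sources to a bibliography and cite them by key (a hypothetical `#cite(<eddsa>)`); the commit message "change #link to #cite" should say which of the two is intended, since the rendered output changes from a clickable hyperlink to a numbered citation.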
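Review bot: the mpc.typ hunk uses the content-block form, `#cite("https://vitalik.eth.limo/general/2020/03/21/garbled.html")[blog];` and `#cite("https://github.com/...")[implemented and used today];`, which passes the URL as the label and the bracketed text as a second positional argument; `cite` accepts only one positional parameter, and the visible text is a named `supplement:` argument, so even with a bibliography entry these two lines would need the shape `#cite(<key>, supplement: [blog])` (key name hypothetical) rather than the `#link(url)[text]` shape they were copied from. The trailing `;` was already present with `#link` and is not an issue.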