From 6224000943cc0426e6f4b91b0bdbfff8f5535024 Mon Sep 17 00:00:00 2001 From: Evan Chen Date: Tue, 7 May 2024 20:03:21 -0400 Subject: [PATCH] fix: remove trailing spaces --- src/ec.typ | 18 +++++++++--------- src/intro.typ | 8 ++++---- src/ipa.typ | 2 +- src/kzg.typ | 20 ++++++++++---------- 4 files changed, 24 insertions(+), 24 deletions(-) diff --git a/src/ec.typ b/src/ec.typ index f35b58a..84dc5ac 100644 --- a/src/ec.typ +++ b/src/ec.typ @@ -102,8 +102,8 @@ The equation of $E$ is cubic -- the highest-degree terms have degree $3$. This means that (in general) if you take a line $y = m x + b$ and intersect it with $E$, the line will meet $E$ in exactly three points. The basic idea behind the group law is: -If $P, Q, R$ are the three intersection points of a line (any line) -with the curve $E$, then the group-law addition of the three points is +If $P, Q, R$ are the three intersection points of a line (any line) +with the curve $E$, then the group-law addition of the three points is $ P + Q + R = O. $ @@ -123,7 +123,7 @@ you get $ (m X + b)^2 = X^3 + 3, $ -which is a degree-3 polynomial in $X$, +which is a degree-3 polynomial in $X$, so it has (at most) 3 roots. And in fact if it has 2 roots, it's guaranteed to have a third (because you can factor out the first two roots, and then you're left with a linear factor). @@ -138,7 +138,7 @@ $ $ So now the question is just: how to find $-R$? -Well, it turns out that if $R = (x_R, y_R)$, then +Well, it turns out that if $R = (x_R, y_R)$, then $ - R = (x_R, -y_R). $ @@ -153,7 +153,7 @@ $ and since $x_R$ is fixed now, this equation is quadratic. The two roots are $Y = \pm y_R$. -OK, there are only two intersection points, but +OK, there are only two intersection points, but we say that the third intersection point is "the point at infinity" $O$. (The reason for this lies in projective geometry, but we won't get into it.) So the group law here tells us 
@@ -167,14 +167,14 @@ $ So: - Given a point $P = (x_P, y_P)$, its negative is just $-P = (x, -y)$. -- To add two points $P$ and $Q$, compute the line through the two points, +- To add two points $P$ and $Q$, compute the line through the two points, let $R$ be the third intersection of that line with $E$, - and set + and set $ P + Q = -R. $ -I just described the group law as a geometric thing, +I just described the group law as a geometric thing, but there are algebraic formulas to compute it as well. They are kind of a mess, but here goes. @@ -389,7 +389,7 @@ $ a_1 g_1 + ... + a_n g_n = b_1 g_1 + ... + b_n g_n. $ Indeed, even if one fixes any choice of $2n-1$ of the $2n$ coefficients above, one cannot find the last coefficient. -#definition[ +#definition[ In these notes, if there's a globally known elliptic curve $E$ and points $g_1, ..., g_n$ have order $q$ and no known nontrivial linear dependencies between them, diff --git a/src/intro.typ b/src/intro.typ index 6a50b9d..579c8ed 100644 --- a/src/intro.typ +++ b/src/intro.typ @@ -108,7 +108,7 @@ For example, imagine you have some private text that you want to translate into another language. You encrypt the text and feed it to your favorite FHE machine translation server. You decrypt the server's output and get the translation. -The server only ever sees encrypted text, +The server only ever sees encrypted text, so the server learns nothing about the text you translated. == Where these fit together 
@@ -149,13 +149,13 @@ Sounds pretty boring, unless you're an algebra student. Slightly better answer: You can prove that you have executed a program correctly, revealing some or all of the inputs and outputs, as you please. -For example: You know a messame $M$ such that +For example: You know a messame $M$ such that $op("sha")(M) = "0xa91af3ac..."$, but you don't want to reveal $M$. -Or: You only want to reveal the first 30 bytes of $M$. +Or: You only want to reveal the first 30 bytes of $M$. Or: You know a message $M$, and a digital signature proving that $M$ was signed by [trusted authority], such that a certain neural network, run on the input $M$, outputs "Good." -One recent application along these lines is +One recent application along these lines is #link("https://tlsnotary.org", "TLSNotary"). TLSNotary lets you certify a transcript of communications with a server in a privacy-preserving way: you only reveal the parts you want to. diff --git a/src/ipa.typ b/src/ipa.typ index 18ccd3c..3411cb6 100644 --- a/src/ipa.typ +++ b/src/ipa.typ @@ -46,7 +46,7 @@ one reduces verifying a vector for $n$ is good (hence $2n+1$ length) by verifying a vector for $n/2$ is good (of length $n+1$). To see how you might think of the idea on your own, -check out this +check out this #link("https://notes.0xparc.org/notes/pedersen-ipa", "0xPARC blog post"). To illustrate the induction, we'll first show how to get from $n=2$ to $n=1$. diff --git a/src/kzg.typ b/src/kzg.typ index 8ab2401..e590e00 100644 --- a/src/kzg.typ +++ b/src/kzg.typ 
@@ -103,8 +103,8 @@ Then anyone in the world can use the resulting sequence for KZG commitments. #remark[ The trusted party has to delete $s$ after the calculation. If anybody knows the value of $s$, the protocol will be insecure. - The trusted party will only publish $[s^0] = [1], [s^1], ..., [s^M]$. - Given these published values, it is (probably) extremely hard to recover $s$ -- + The trusted party will only publish $[s^0] = [1], [s^1], ..., [s^M]$. + Given these published values, it is (probably) extremely hard to recover $s$ -- this is a case of the discrete logarithm problem. You can make the protocol somewhat more secure by involving several different trusted parties. @@ -112,7 +112,7 @@ Then anyone in the world can use the resulting sequence for KZG commitments. The second party chooses $s_2$ and computes $[(s_1 s_2)^0], ..., [(s_1 s_2)^M]$. And so forth. - In the end, the value $s$ will be the product of the secrets $s_i$ + In the end, the value $s$ will be the product of the secrets $s_i$ chosen by the $i$ parties... so the only way they can break secrecy is if all the "trusted parties" collaborate. ] 
@@ -198,27 +198,27 @@ If we chose $E$ to be BN254, the following property holds: This integer $k$ is called the *embedding degree*. This section is an aside explaining how the embedding degree affects pairing. -The pairing function $pair(a, b)$ takes as input two points $a, b in E$ -on the elliptic curve, -and spits out a value $pair(a, b) in FF_{p^k}^*$ -- +The pairing function $pair(a, b)$ takes as input two points $a, b in E$ +on the elliptic curve, +and spits out a value $pair(a, b) in FF_{p^k}^*$ -- in other words, a nonzero element of the finite field of order $p^k$ (where $k$ is the embedding degree we just defined). In fact, this element will always be a $q$th root of unity in $FF_{p^k}$, -and it will satisfy $pair([m], [n]) = zeta^{m n}$, +and it will satisfy $pair([m], [n]) = zeta^{m n}$, where $\zeta$ is some fixed $q$th root of unity. -The construction of the pairing is based on the +The construction of the pairing is based on the #link("https://en.wikipedia.org/wiki/Weil_pairing", "Weil pairing"). in algebraic geometry. How to compute these pairings is well beyond the scope of these notes; the raw definition is quite abstract, and a lot of work has gone into computing the pairings efficiently. -(For more details, see these +(For more details, see these #link("https://crypto.stanford.edu/pbc/notes/ep/pairing.html", "notes").) The difficulty of computing these pairings is determined by the size of $k$: the values $pair(a, b)$ will be elements of a field of size $p^k$, so they will require 256 bits even to store. -For a curve to be "pairing-friendly" -- in order to be able to +For a curve to be "pairing-friendly" -- in order to be able to do pairing-based cryptography on it -- we need the value of $k$ to be pretty small.
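Review bot: in the `src/ec.typ` hunk `@@ -167,14 +167,14 @@`, the unchanged context line `- Given a point $P = (x_P, y_P)$, its negative is just $-P = (x, -y)$.` mixes its coordinate names: the point is introduced as $(x_P, y_P)$ but the negative is written with bare $x, y$, whereas the earlier hunk in the same file writes `$ - R = (x_R, -y_R). $`. Suggest changing it to `$-P = (x_P, -y_P)$` in a separate follow-up, since it does not belong in a whitespace-only change.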
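Review bot: in the `src/intro.typ` hunk `@@ -149,13 +149,13 @@`, the line `+For example: You know a messame $M$ such that` keeps the typo `messame` (for `message`) while rewriting the line. Because the commit is titled "remove trailing spaces", leaving the wording untouched here is consistent, but the typo sits on a touched line and is easy to lose track of, so either fix it in a separate typo commit or fix it here and retitle the commit accordingly.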
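Review bot: in the `src/kzg.typ` hunk `@@ -198,27 +198,27 @@`, the changed line `+and it will satisfy $pair([m], [n]) = zeta^{m n}$,` writes the root of unity as `zeta`, while the following context line `where $\zeta$ is some fixed $q$th root of unity.` writes `\zeta`; in a `.typ` source both should be checked to render as the same symbol and then made uniform. The context lines `#link("https://en.wikipedia.org/wiki/Weil_pairing", "Weil pairing").` / `in algebraic geometry.` also carry a stray full stop after the link call that splits the sentence. Finally, the context claim that values in a field of size $p^k$ "will require 256 bits even to store" is worth confirming: an element of a field of size $p^k$ needs roughly $k$ times as many bits as an element of the base field, so the figure reads as if the factor $k$ were dropped. All three points are outside a whitespace-only commit and belong in a follow-up.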