style: remove trailing whitespace

easy/src/fhe0.typ

@@ -5,15 +5,15 @@
 
 Alice has a secret $x$, and Bob has a function $f$.
 They want to compute $f(x)$.
-Actually, Alice wants Bob to compute $f(x)$ -- but 
+Actually, Alice wants Bob to compute $f(x)$ -- but
 she doesn't want to tell him $x$.
 
 Alice wants to encrypt $x$ and send Bob $Enc (x)$.
 Then Bob is going to "apply $f$ to the ciphertext",
 to turn $Enc (x)$ into $Enc (f(x))$.
 Finally, Bob sends $Enc (f(x))$ back,
 and Alice decrypts it to learn $f(x)$.
- 
+
 This is fully homomorphic encryption (FHE).
 
 Levelled FHE is a sort of weaker version of FHE. Like FHE, levelled FHE
@@ -52,14 +52,14 @@ won’t give the right answer anymore.
 But as long as you’re careful not to go over the error limit, you can
 add ciphertexts with confidence.
 
-In fact, for our levelled FHE protocol, our message will be a bit: 
+In fact, for our levelled FHE protocol, our message will be a bit:
 either 0 or 1;
 our operations will be the logic gates AND and NOT.
 Any logic circuit can be built out of AND and NOT gates,
 so we'll be able to perform arbitrary calculations
 within the FHE encryption.
 
-Our protocol uses a cryptosystem built 
+Our protocol uses a cryptosystem built
 from a problem called "learning with errors."
 "Learning with errors" is kind of a strange name;
 I'd call it "approximate linear algebra modulo $q$."

easy/src/fhe3.typ

@@ -5,13 +5,13 @@
 
 Now we want to turn the public-key encryption from @lwe-crypto
 into a levelled FHE scheme.
-In other words: 
+In other words:
 We want to be able to encrypt bits (0s and 1s)
 and operate on them with AND and NOT gates.
 
-It might help you to imagine that, instead of AND and NOT, 
+It might help you to imagine that, instead of AND and NOT,
 the operations we want to encrypt are addition and multiplication.
-If $x$ and $y$ are bits, then 
+If $x$ and $y$ are bits, then
 NOT $x$ is just $1 - x$, and $x$ AND $y$ is just $x y$.
 But it's easier to do algebra with $+$ and $*$.
 
@@ -23,7 +23,7 @@ modulo $q$ – but we’ll also allow the calculations to have a small
 "error" $epsilon.alt$, which will typically be much, much smaller than
 $q$.
 
-Here’s the new idea. 
+Here’s the new idea.
 Our #emph[secret key] will be a vector
 $ upright(bold(v)) = (v_1, dots, v_n) in (ZZ \/ q ZZ)^n $ – a
 vector of length $n$, where the entries are integers modulo $q$. Suppose
@@ -36,7 +36,7 @@ $C upright(bold(v))$, and determine whether it is closer to $0$ or to
 $v_i$.
 
 With a bit of effort, it’s possible to make this into a public-key
-cryptosystem. Just like in @lwe-crypto, 
+cryptosystem. Just like in @lwe-crypto,
 the main idea is to release a
 table of vectors
 $upright(bold(x))$ such that
@@ -106,7 +106,7 @@ value of $a_1$.
 Now suppose I give you the vector
 $ upright(bold(x)) = (9 , 0 , 0 , 0) . $ I ask you for another vector
 $ "Flatten"(upright(bold(x))) = upright(bold(x)) prime , $ where
-$upright(bold(x)) prime$ has to have the following two properties: 
+$upright(bold(x)) prime$ has to have the following two properties:
 - $upright(bold(x)) prime dot.op upright(bold(v)) = upright(bold(x)) dot.op upright(bold(v))$,
   and
 - All the entries of $upright(bold(x)) prime$ are either 0 or 1.
@@ -129,7 +129,7 @@ Similarly, if you know $upright(bold(v))$ has the form
 $ upright(bold(v)) = (a_1 , 2 a_1 , 4 a_1 , dots.h , 2^k a_1 , a_2 , 2 a_2 , 4 a_2 , dots.h , 2^k a_2 , dots.h , a_r , 2 a_r , 4 a_r , dots.h , 2^k a_r) , $
 and you are given some matrix $C$ with coefficients in
 $ZZ \/ q ZZ$, then you can compute another matrix $"Flatten"(C)$
-such that: 
+such that:
 - $"Flatten"(C) upright(bold(v)) = C upright(bold(v))$, and
 - All the entries of $"Flatten"(C)$ are either 0 or 1.
 
@@ -194,12 +194,12 @@ This gives us a #emph[levelled] fully homomorphic encryption protocol:
 it lets us evaluate arbitrary circuits on encrypted data,
 as long as those circuits have bounded depth.
 If we need to evaluate a bigger circuit, we have two options.
-+ Increase the value of $q$.  
++ Increase the value of $q$.
   Of course, the cost of the computations increases with $q$.
 + Use some technique to "reset" the error
   and start anew, as if with a freshly encrypted ciphertext.
 
-  This approach is called "bootstrapping" and it incurs some hefty 
+  This approach is called "bootstrapping" and it incurs some hefty
   computational costs.
   But for very, very large circuits, it's the only viable option.
 

easy/src/lwe.typ

@@ -4,7 +4,7 @@
 <lwe>
 
 Many cryptographic protocols rely on some sort of "hard problem"
--- a computationally infeasible challenge 
+-- a computationally infeasible challenge
 whose difficulty makes the protocol secure.
 It is hard to factor a composite number (like $6177$)
 into prime factors ($6177 = 71*87$);
@@ -17,7 +17,7 @@ KZG polynomial commitments (@kzg), and so forth.
 
 Our protocol for levelled FHE relies on a different hard problem.
 The problem is to solve systems of linear equations.
-Except the equations are only approximately true -- 
+Except the equations are only approximately true --
 they permit a small "error" --
 and instead of solving for rational or real numbers,
 you're solving for integers modulo $q$.
@@ -71,28 +71,28 @@ $(a_1 , dots.h , a_4)$.
 
 #solution[
 We start with some helpful notation. Define an #strong[information
-vector] 
+vector]
 $
   (x_1 , x_2 , x_3 , x_4 lr(|y|) S),
 $
 where $S subset F_11$, to
-mean the statement 
-#quote[$sum a_i x_i = y + s$, where $s in S$.] 
+mean the statement
+#quote[$sum a_i x_i = y + s$, where $s in S$.]
 In
 particular, a given purported approximation
 $
   (x_1 , x_2 , x_3 , x_4) : y
-$ 
+$
 in the LWE protocol corresponds to the
-information vector 
+information vector
 $
   (x_1 , x_2 , x_3 , x_4 lr(|y|) { 0 , - 1 }).
-$ 
+$
 The
 benefit of this notion is that we can take linear combinations of them.
 Specifically,
 
-#proposition[ 
+#proposition[
 If $(X_1 lr(|y_1|) S_1)$ and
 $(X_2 lr(|y_2|) S_2)$ are information vectors (where $X_i$ are vectors),
 then

easy/src/mpc.typ

@@ -35,7 +35,7 @@ Here is our problem setting, slightly more formally:
 == The solution (an outline)
 
 Very briefly:
-- Alice constructs a "garbled circuit" 
+- Alice constructs a "garbled circuit"
   that takes in the value $b$ (whatever it is)
   and spits out $f(a, b)$.
 
@@ -44,19 +44,19 @@ Very briefly:
   a secret password corresponding to his input bits.
 
   (or: that Bob can only evaluate once...)
-- Alice uses "oblivious transfer" 
+- Alice uses "oblivious transfer"
   to send Bob the password for his input.
 
   Bob doesn't learn the passwords for any other inputs,
   and Alice doesn't find out which password she sent to Bob.
 
 #todo[
   Ask Gub to paraphrase, he writes well
-]  
+]
 
 In slightly more detail:
 
-Whatever the function $f$ is, 
+Whatever the function $f$ is,
 we'll assume that it takes $m+n$ bits of input
 $a_1, dots, a_m$ and $b_1, dots, b_n$,
 and that it's computed by some sort of circuit
@@ -65,7 +65,7 @@ made of AND, OR and NOT gates.
 Alice's first task is to "plug her own inputs into this circuit $f$."
 The result will be a new circuit
 (you might call it $f_a$)
-that has just $n$ input slots 
+that has just $n$ input slots
 for Bob's $n$ bits $b_1, dots, b_n$.
 
 And then Alice is going to "garble" the circuit $f_a$.
@@ -74,10 +74,10 @@ He'll only be able to plug his own input $(b_1, dots, b_n)$
 into the circuit.
 
 What stops Bob from plugging other inputs in as well?
-A garbled circuit will require a "password" 
+A garbled circuit will require a "password"
 for each input Bob wants to plug in --
 a different password for every possible input.
-If Bob has the password for $(b_1, dots, b_n)$, 
+If Bob has the password for $(b_1, dots, b_n)$,
 he can learn $f_a(b_1, dots, b_n) = f(a, b)$ --
 but he won't learn anything else about how the circuit works.
 
@@ -98,7 +98,7 @@ except its functionality is hidden.
 What does that mean?
 
 Let's say the gate has two input bits,
-so there are four possible inputs to the gate: 
+so there are four possible inputs to the gate:
 $(0, 0), (0, 1), (1, 0), (1, 1)$.
 For each of those four inputs $(x, y)$,
 there is a secret password $P_(x, y)$.
@@ -112,7 +112,7 @@ Choose a symmetric-key
 "when you think of plain-vanilla encryption: " +
 "You use a secret key $K$ to encrypt a message $m$, " +
 "and then you use the same secret key $K$ to decrypt it.")
-] 
+]
 encryption scheme $Enc$
 [#footnote("We'll talk later about what sort of " +
 "encryption scheme is suitable for this...")]
@@ -147,10 +147,10 @@ We'll need to make two changes to the protocol.
 1. To chain garbled gates together,
   we need to modify the output of each gate:
   In addition to outputting the bit $z = G_i (x, y)$,
-  the $i$-th gate $G_i$ 
+  the $i$-th gate $G_i$
   will also output a password $P_z$ that Bob can use at the next step.
 
-  Now Bob has one bit coming in for the left-hand input $x$, 
+  Now Bob has one bit coming in for the left-hand input $x$,
   and it came with some password $P_x^(text("left"))$ --
   and then another bit coming in for $y$,
   that came with some password $P_y^(text("right"))$.
@@ -164,13 +164,13 @@ We'll need to make two changes to the protocol.
   even the single bit he gets as output.
 
   This is an easy fix:
-  Instead of having the gate output 
+  Instead of having the gate output
   both the bit $z$ and the password $P_z$,
   we'll just have the gate output the password $P_z$.
 
   But now how does Bob know what values to feed into the next gate?
-  The left-hand column of the "gate table" 
-  needs to be indexed by the passwords 
+  The left-hand column of the "gate table"
+  needs to be indexed by the passwords
   $P_x^(text("left"))$ and $P_y^(text("right"))$,
   not by the bits $(x, y)$.
   But we don't want Bob to learn the other passwords from the table!
@@ -182,7 +182,7 @@ We'll need to make two changes to the protocol.
 
   Of course, the solution is to use a hash function!
   So here is the new version of our garbled gate.
-  For simplicity, I'll assume it's an AND gate -- 
+  For simplicity, I'll assume it's an AND gate --
   so the outputs will be (the passwords encoding) 0, 0, 0, 1.
   #table(
   columns: 2,
@@ -198,22 +198,22 @@ Let's play through one round of Bob's gate-using protocol.
 
 0. Suppose Bob's input bits are 0 (on the left) and 1 (on the right).
   Bob doesn't know he has 0 and 1 (but we do!).
-  Bob knows his left password is some value 
+  Bob knows his left password is some value
   $
     P_0^(text("left")),
   $
-  and his right password is some other value 
+  and his right password is some other value
   $
     P_1^(text("right")).
   $
 
 1. Bob takes the two passwords, concatenates them, and computes a hash.
-  Now Bob has 
+  Now Bob has
   $
     sha(P_0^(text("left")), P_1^(text("right"))).
   $
 
-2. Bob finds the row of the table indexed by 
+2. Bob finds the row of the table indexed by
   $sha(P_0^(text("left")), P_1^(text("right")))$,
   and he uses it to look up
   $
@@ -230,7 +230,7 @@ Let's play through one round of Bob's gate-using protocol.
 4. Now Bob has the password for the bit 0, to feed into the next gate --
   but he doesn't know his bit is 0.
 
-So Bob is exactly where he started: 
+So Bob is exactly where he started:
 he knows the password for his bit, but he doesn't know his bit.
 So we can chain together as many of these garbled gates as we like
 to make a full garbled circuit.
@@ -243,13 +243,13 @@ How?
 
 Easy!
 The final output gates are different from the intermediate gates.
-Instead of outputting a password, 
+Instead of outputting a password,
 they will just output the resulting bit in plain text.
 
 == How the circuit starts
 
 This is trickier.
-At the beginning of the computation, 
+At the beginning of the computation,
 Bob needs to learn the passwords for all of his input bits.
 
 Let's just tackle the problem for a single bit.
@@ -259,7 +259,7 @@ Let's just tackle the problem for a single bit.
 - Bob does not want Alice to learn the value of $b$.
 - Alice does not want Bob to learn the other password.
 
-Alice sends the password to Bob 
+Alice sends the password to Bob
 using a protocol called oblivious transfer,
 which we'll see in @ot.