From dc75b6ea281bf12e4668c3d6bc784d3a61bc7dab Mon Sep 17 00:00:00 2001 From: Evan Chen Date: Fri, 29 Mar 2024 16:09:17 -0400 Subject: [PATCH] Spelling is hard --- src/ec.typ | 6 +++--- src/ipa.typ | 16 ++++++++-------- src/kzg.typ | 2 +- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/src/ec.typ b/src/ec.typ index 60730a2..1879f09 100644 --- a/src/ec.typ +++ b/src/ec.typ @@ -55,7 +55,7 @@ one cannot find the last coefficient. and this is a critical standing assumption for this entire framework. ] -== Petersen commitments +== Pedersen commitments One application of this injectivity is that we can have a hash of the vector with shorter length @@ -67,7 +67,7 @@ This is named: Given a vector $angle.l a_1, ..., a_n angle.r in FF_q^n$ of scalars, the vector $ arrow(a) = sum a_i g_i in E$ - is called the *Petersen commitment*. + is called the *Pedersen commitment*. ] -We will see Petersen commitments later on in IPA. +We will see Pedersen commitments later on in IPA. diff --git a/src/ipa.typ b/src/ipa.typ index e9d85f2..290460f 100644 --- a/src/ipa.typ +++ b/src/ipa.typ @@ -3,7 +3,7 @@ = Inner product arguments (IPA) This chapter requires the earlier chapter on the discrete logarithm problem and -Petersen commitments. +Pedersen commitments. Let $E$ be an elliptic curve over $FF_p$ and we have fixed globally known generators $g_1, ..., g_n, h_1, ..., h_n, u in E$ which are "practically independent". @@ -12,13 +12,13 @@ We'll start by describing the goal of the general IPA protocol and how to implement it., Then we'll show some use cases for IPA. -== Pitch: IPA allows verifying $c = sum a_i b_i$ without revealing $a_i$ and $b_i$ +== Pitch: IPA allows verifying $c = sum a_i b_i$ without revealing $a_i$, $b_i$, $c$ As we mentioned before, an element of the form $ a_1 g_1 + ... + a_n g_n + b_1 h_1 + ... + b_n h_n + c u in E $ where $a_1, ..., a_n, b_1, ..., b_n, c in FF_p$, is practically a vector of length $2n + 1$, as discussed earlier. -(If you like terminology, it's a Petersen commitment.) +(If you like terminology, it's a Pedersen commitment.) #definition[ Let's say that an element @@ -147,18 +147,18 @@ And $w(x) = v + x dot w_L + x^(-1) dot w_R$ as before. TODO (this is the argument with $mu$ and $lambda$ that Aard mentioned) -== Application: revealing an element of a Petersen commitment +== Application: revealing an element of a Pedersen commitment One easy special case: suppose Penny have a vector $arrow(a) = angle.l a_1, ..., a_n angle.r$ -and a Petersen commitment $C = sum a_i g_i$ to it. +and a Pedersen commitment $C = sum a_i g_i$ to it. Then Penny can reveal any single element to Victor by running IPA to show the dot product of $arrow(a)$ with the vector $arrow(b)$ which has a $1$ in the position of interest and $0$'s elsewhere. -== Application: showing two Petersen commitments coincide +== Application: showing two Pedersen commitments coincide -Suppose there are two Petersen commitments +Suppose there are two Pedersen commitments $C = sum a_i g_i$ and $C' = sum a_i' g_i'$ and Penny wants to prove that $a_i = a_i'$ for all $i$ (i.e. they are the same vector) @@ -171,7 +171,7 @@ TODO: write this. Suppose now $P(T) = sum a_i T^(i-1)$ is given polynomial. Then Penny could get a scheme resembling KZG commitments as follows: -- Penny publishes Petersen commitment of the coefficients of $P$, +- Penny publishes Pedersen commitment of the coefficients of $P$, that is Penny publishes $ g := sum a_i g_i in E. $ - Suppose Victor wants to open the commitment at a value $z$, and Penny asserts that $P(z) = y$. diff --git a/src/kzg.typ b/src/kzg.typ index 4d9739d..80a94f1 100644 --- a/src/kzg.typ +++ b/src/kzg.typ @@ -9,7 +9,7 @@ This chapter requires reading the earlier chapter on discrete logarithm. The goal of the KZG commitment schemes is to have the following API: - Penny has a secret polynomial $P(T) in FF_q [T]$. -- Penny sends a short "commitment" the polynomial, which is a hash. +- Penny sends a short "commitment" to the polynomial (like a hash). - This commitment should have the additional property that Penny should be able to "open" the commitment at any $z in FF_q$: Specifically: