Merge remote-tracking branch 'origin/sot-131' into sot-131

# Conflicts:
#	terms/commitment_scheme.md
#	terms/gkr_protocol.md
#	terms/sumcheck_protocol.md

terms/commitment_scheme.md

@@ -2,33 +2,21 @@
 comments: true
 ---
 
-# Commitment Scheme
-
-**Parties**: Committer and Verifier
-
-**Goal**: Committer binds to a message $m$ without revealing it. The commitment:
-
-1. **Binding**: Committer can't change the message after committing.
-2. **Hiding**: Verifier can't learn anything about the message from the commitment.
-
-**Recommended Resource**: [Video on Binding and Hiding](https://www.youtube.com/watch?v=4w_b8Msxy14).
-
-## Formal Definition
-
-### Algorithms
-
-1. **$KeyGen$**: Generates keys
-    - $ck$ for the committer
-    - $vk$ for the verifier
-    - If public, $ck = vk$
-2. **$Commit$**:
-    - Input: $ck$, message $m$
-    - Output: Commitment $c$, possibly extra info $d$
-3. **$Verify$**:
-    - Input: $c$, $vk$, claimed message $m'$, and opening info $d$
-    - Output: Accept or Reject
-
-### Diagram
+# Commitment scheme
+
+In a commitment scheme, there are two parties, a committer and a verifier. The committer wishes to bind itself to a message without
+revealing the message to the verifier. That is, once the committer sends a commitment to some message $m$, it should be unable to
+“open” to the commitment to any value other than $m$ (this property is called binding). But at the same time the commitment itself
+should not reveal information about $m$ to the verifier (this is called hiding). I highly recommend you watch
+[this video](https://www.youtube.com/watch?v=4w_b8Msxy14) to clearly understand these two properties.
+
+Formally, a commitment scheme is specified by three algorithms, $KeyGen$, $Commit$, and $Verify$. $KeyGen$ is a randomized algorithm
+that generates a commitment key $ck$ and a verification key $vk$ that are available to the committer and the verifier respectively (if
+all keys are public then $ck$ = $vk$), while $Commit$ is a randomized algorithm that takes as input the committing key $ck$ and the
+message $m$ to be committed and outputs the commitment $c$, as well as possibly extra “opening information” $d$ that the committer may
+hold onto and only reveal during the verification procedure. $Verify$ takes as input the commitment, the verification key, and a
+claimed message $m'$ provided by the committer, and any opening information $d$ and decides whether to accept $m$ as a valid opening of
+the commitment. See the diagram below for a better visualization.
 
 ```mermaid
 flowchart TD
@@ -49,13 +37,11 @@ flowchart TD
     D -->|Decision| F[Accept or Reject]
 ```
 
-## Properties
-
-- **Correctness**: $Verify(vk, Commit(m, ck), m)$ accepts with probability 1 for any $m$.
-- **Perfectly Hiding**: Distribution of $Commit(m, ck)$ is independent of $m$.
-- **Computationally Binding**: It's computationally hard to find $d', m' \neq m$ such that
-  $Verify(vk, (c, d), m) = Verify(vk, (c, d'), m') = 1$.
-
-## Example
+A commitment scheme is correct if $Verify(vk,Commit(m, ck),m)$ accepts with probability $1$, for any $m$ (i.e., an honest committer can
+always successfully open the commitment to the value that was committed). A commitment scheme is ==perfectly hiding== if the
+distribution
+of the commitment $Commit(m, ck)$ is independent of $m$. Finally, a commitment scheme is ==computationally binding== if it require
+exorbitant computational power to find some $d', m' \neq m$ such that $Verify(vk,(c,d),m) = Verify(vk,(c,d'),m') = 1$.
 
-[Polynomial Commitment Scheme](polynomial-commitment/000_polynomial_commitment.md)
+One crucial type of commitment scheme that you will often see
+is [polynomial commitment scheme](polynomial-commitment/000_polynomial_commitment.md).

terms/gkr_protocol.md

@@ -95,9 +95,9 @@ $$
 **Example**: Compute $\tilde W$ in a circuit over $F_5$ consisting entirely of multiplication gates
 ![compute_w](attachments/compute_tilde_w.png)
 
-## 4 Discussion of Costs and Soundness
+### 4 Discussion of Costs and Soundness
 
-### V's runtime
+#### V's runtime
 
 - The total communication cost is $O(S_0 + dlogS)$, where $S_0$ is the number of outputs.
 - The time cost to $V$ is $O(n + dlogS + t + S_0)$, where:
@@ -106,20 +106,20 @@ $$
   - $S_0$ is the time required to read the vector of claimed outputs and evaluate the corresponding **MLE**.
   - $dlogS$ is the time required for $V$ to send messages to $P$ and process and check the messages from $P$.
 
-### P's runtime
+#### P's runtime
 
 - $O(S^3)$.
 - Can be improved by using [Lagrange Interpolation](../../terms/lagrange_interpolation.md).
 
-### Round complexity and communication cost
+#### Round complexity and communication cost
 
 - $O(dlogS)$ rounds.
 
-### Soundness error
+#### Soundness error
 
 - The soundness error is: $O(dlog(S)/|F|)$.
 
-## 5 Evaluating $\tilde {add}_i$ and $\tilde {mult}_i$ Efficiently
+### 5 Evaluating $\tilde {add}_i$ and $\tilde {mult}_i$ Efficiently
 
 The issue of the verifier efficiently evaluating $\tilde {add} _ i$ and $\tilde {mult} _ i$ at a random
 point $\omega \in F^{k _ i+2k _ {i+1}}$ is a tricky one.

terms/sumcheck_protocol.md

@@ -2,19 +2,21 @@
 comments: true
 ---
 
-# Sum-Check Protocol
+# Sum-check Protocol
 
-Given a $v$-variate polynomial $g$ defined over a finite field $F$, the purpose of the sum-check protocol is for the prover to provide
+Given a $v$-variate polynomial $g$ defined over a finite field $F$. The purpose of the sum-check protocol is for the prover to provide
 this sum for the verifier:
 
 $$
-H := \sum_{b_{1} \in \{0, 1\}} \dots \sum_{b_{v} \in \{0, 1\}} g(b_{1}, \dots, b_v)
+\begin{aligned}
+H := \sum_{b_{1} \in \{0, 1\}} ... \sum_{b_{v} \in \{0, 1\}} g(b_{1},...,b_v)
+\end{aligned}
 $$
 
-**What does the verifier gain by using the sum-check protocol?**
+**What does the verifier gain by using the sum-check protocol ?**
 
-Instead of computing $H$ via the equation above (runtime $2^v$), $V$ can use the sum-check protocol to reduce the runtime to:
-$O(v + \text{the cost to evaluate } g \text{ at a single input in } F^v)$. $P$ can compute all of its prescribed messages by evaluating
+Instead of compute $H$ via the equation above (runtime $2^v$), $V$ can use sum-check protocol to reduce runtime to:
+$O(v + \text{the cost to evaluate }g \text{ at a single input in }F^v)$. $P$ can compute all of its prescribed messages by evaluating
 $g$ at $O(2^v)$ inputs in $F^v$.
 
 ## Description of Sum-Check Protocol
@@ -24,43 +26,44 @@ $g$ at $O(2^v)$ inputs in $F^v$.
 
 $$
 \begin{aligned}
-\sum_{(x_2, \dots, x_v) \in \{0, 1\}^{v-1}} g(X_1, x_2, \dots, x_v)
+\sum_{(x_2,..,x_v) \in \{0, 1\}^{v-1}} g(X_1, x_2,...,x_v)
 \end{aligned}
 $$
 
-$V$ checks that:
+$V$ checks that :
 
 - $g_1(0) + g_1(1) = C_1$
-- $g_1$ is a univariate polynomial of degree at most $\text{deg}_1(g)$, where $\text{deg}_j(g)$ is the degree of $g(X_1, X_2, \dots,
-  X_v)$ in variable $X_j$.
+- $g_1$ is a univariate polynomial of degree at most $deg_1(g)$ where $deg_j(g)$ is the degree of $g(X_1, X_2,.. X_v)$ in variable
+  $X_j$.
 
-- $V$ chooses a random element $r_1 \in F$ and sends $r_1$ to $P$.
+- $V$ chooses a random element $r_1 \in F$, and sends $r_1$ to $P$
 - In the $j$-th round, for $1 < j < v$, $P$ sends to $V$ a univariate polynomial $g_j(X_j)$ claimed to equal:
 
 $$
 \begin{aligned}
-\sum_{(x_{j+1}, \dots, x_v) \in \{0, 1\}^{v-j}} g(r_1, \dots, r_{j-1}, X_j, x_{j+1}, \dots, x_v)
+\sum_{(x_{j+1},..,x_v) \in \{0, 1\}^{v-j}} g(r_1,...,r_{j-1},X_j,x_{j+1}...,x_v)
 \end{aligned}
 $$
 
 $V$ checks that:
 
 - $g_j(0) + g_j(1) = g_{j-1}(r_{j-1})$
-- $g_j$ is a univariate polynomial of degree at most $\text{deg}_j(g)$. If not, $V$ rejects.
-- $V$ chooses a random element $r_j \in F$ and sends it to $P$.
-- In Round $v$, after $P$ sends $g_v(X_v)$ to $V$ and $V$ checks the conditions, $V$ chooses a random element $r_v \in F$, evaluates
-  $g(r_1, r_2, \dots, r_v)$, and checks that $g_v(r_v) = g(r_1, \dots, r_v)$. If not, $V$ rejects.
+- $g_j$ is a univariate polynomial of degree at most $deg_j(g)$.
+  Rejecting if not.
+- $V$ chooses a random element $r_j \in F$, and sends it to $P$.
+- In Round $v$, after $P$ sends $g_v(X_v)$ to $V$ and $V$ check the conditions, $V$ chooses a random element $r_v \in F$, evaluates
+  $g(r_1, r_2,...,r_v)$ and checks that $g_v(r_v) = g(r_1,...,r_v)$, rejecting if not.
 - If $V$ has not yet rejected, $V$ accepts.
 
 ## Completeness and Soundness
 
-Let $g$ be a $v$-variate polynomial of degree at most $d$ in each variable, defined over a finite field $F$. The completeness error
-$\delta_c = 0$ and the soundness error $\delta_s \leq vd/|F|$.
+Let $g$ be a $v$-variate polynomial of degree at most $d$ in each variable, defined over a finite field $F$, the completeness error
+$\delta_c = 0$ and the soundness error $\delta_s \le vd/|F|$
 
-## Discussion of Costs
+## Discussion of costs
 
-| Communication                     | Round | $V$ Time                                  | $P$ Time                                                |
-|-----------------------------------|-------|-------------------------------------------|---------------------------------------------------------|
-| $O(\sum_{i=1}^v \text{deg}_i(g))$ | $v$   | $O(v + \sum_{i=1}^v \text{deg}_i(g)) + T$ | $O(\sum_{i=1}^v \text{deg}_i(g) \cdot 2^{v-i} \cdot T)$ |
+| Communication              | Round | $V$ time                         | $P$ time                                       |
+|----------------------------|-------|----------------------------------|------------------------------------------------|
+| $O(\sum_{i=1}^v deg_i(g))$ | $v$   | $O(v+\sum_{i=1}^v deg_i(g)) + T$ | $O(\sum_{i=1}^v deg_i(g)\cdot 2^{v-i}\cdot T)$ |
 
 where $T$ is the cost of an oracle query to $g$.