Merge branch 'main' into eriktaubeneck-patch-1

private-attribution · Jul 8, 2024 · daf2fb5 · daf2fb5
2 parents da1215d + 69f4359
commit daf2fb5
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 32 deletions.
diff --git a/draft-savage-ppm-3phm-mpc.md b/draft-savage-ppm-3phm-mpc.md
@@ -200,19 +200,10 @@ other share, or right share, held by each is the next highest-numbered share
 illustrated in {{fig-shares-parties}}:
 
 ~~~ aasvg
-     x₁ .----. x₂  x₂ .----.  x₃  x₃ .----. x₁
-   .---+  P₁  +------+  P₂  +------+  P₃  +---.
-    \   `----'        `----'        `----'   /
-     '--------------------------------------'
-
-
-        x₁  .----.  x₂
-       .---|  P₁  |---.
-      /     `----'     \
- x₁  /                  \  x₂
- .----.                .----.
-|  P₃  |--------------|  P₂  |
- `----'  x₃        x₃  `----'
+         x₁ .----. x₂  x₂ .----. x₃  x₃ .----. x₁
+       .---+  P₁  +------+  P₂  +------+  P₃  +---.
+        \   `----'        `----'        `----'   /
+         '--------------------------------------'
 ~~~
 {: #fig-shares-parties title="Parties and Shares"}
 
@@ -234,10 +225,10 @@ left:      .----.      .----.      .----.
          '---------------------------------'
 
 send
-right:     .----.      .----.      .----.
-      .-->|  P₁  +--->+  P₂  +--->|  P₃  +--.
-       \   `----'      `----'      `----'  /
-        '---------------------------------'
+right:      .----.      .----.      .----.
+       .-->|  P₁  +--->+  P₂  +--->|  P₃  +--.
+        \   `----'      `----'      `----'  /
+         '---------------------------------'
 ~~~
 {: #fig-send-direction title="Parties and Sending Directions"}
 
@@ -719,14 +710,14 @@ At each iteration:
    the prover cannot control the choice of `r`, the likelihood that a dishonest
    prover can cheat without detection is inversely proportional to the field size.
 
-    1. If we define two new vectors `u’ = p<sub>0</sub>(r), …,
-       p<sub>s-1</sub>(r)`, and `v’ = q<sub>0</sub>(r), …,
-       q<sub>s-1</sub>(r)`, then we can rewrite the statement that needs to be
-       proven as: `u’ · v’ = G(r)`. This is of the same form as the original
-       statement, but with the new vectors `u’` and `v’` having length `L` times
+    1. If we define two new vectors `u′ = { p<sub>0</sub>(r), …,
+       p<sub>s-1</sub>(r) }`, and `v′ = { <q<sub>0</sub>(r), …,
+       q<sub>s-1</sub>(r) }`, then we can rewrite the statement that needs to be
+       proven as: `u′ · v′ = G(r)`. This is of the same form as the original
+       statement, but with the new vectors `u′` and `v′` having length `L` times
        shorter than the original vectors.
 
-    2. `u’` and `v’` need not be communicated, since the prover and left verifier (`P_-`)
+    2. `u′` and `v′` need not be communicated, since the prover and left verifier (`P_-`)
        can both compute each value `p<sub>i</sub>(r)` using Lagrange interpolation,
        just as the prover and right verifier (`P_+`) can compute each value `q<sub>i</sub>(r)`.
 
@@ -738,7 +729,7 @@ At each iteration:
        distributed zero knowledge proof. This transforms this protocol from a
        multi-round interactive protocol into a constant round protocol.
 
-5. The vectors `u` and `v` are replaced by `u’` and `v’`, the value of `t` is
+5. The vectors `u` and `v` are replaced by `u′` and `v′`, the value of `t` is
    set to `G(r)`, and the next iteration is started.
 
 The recursion ends when the vectors `u` and `v` have length less than `L`.  The
@@ -927,15 +918,15 @@ Recall the definition of `G(x)`:
 G(x) = sum(i=0..s, p<sub>i</sub>(x)·q<sub>i</sub>(x))
 ~~~
 
-This is equivalent to providing that `u’ · v’ = G(r)`, where:
+This is equivalent to providing that `u′ · v′ = G(r)`, where:
 
 ~~~ pseudocode
-u’ = <p<sub>0</sub>(r), p<sub>1</sub>(r), …>
-v’ = <q<sub>0</sub>(r), q<sub>1</sub>(r), …>
+u′ = <p<sub>0</sub>(r), p<sub>1</sub>(r), …>
+v′ = <q<sub>0</sub>(r), q<sub>1</sub>(r), …>
 ~~~
 
 This is a problem of exactly the same form as the original problem, except that
-the length of `u’` and `v’` is now a factor of `L` shorter than the original
+the length of `u′` and `v′` is now a factor of `L` shorter than the original
 length of `u` and `v`.
 
 The prover (P<sub>=</sub>) and left verifier (P<sub>-</sub>) use Lagrange interpolation
@@ -1055,7 +1046,7 @@ TODO
 - Parameter choice and security margins
   - Talk about trade-off between attack success probability and prime size.
   - Show equation for how many bits of security you get when validating N multiplications
-- You can’t just use the multiplication protocol without the validation protocol due to the additive attack (explain why)
+- You can't just use the multiplication protocol without the validation protocol due to the additive attack (explain why)
 - Communication security (authentication)
 - Constant time and implications thereof
 - Fiat-Shamir vs more rounds

diff --git a/fix-sub.py b/fix-sub.py
@@ -4,9 +4,9 @@
 import re
 import sys
 
-chars = "-+=()0123456789imp"
-subtr = "₋₊₌₍₎₀₁₂₃₄₅₆₇₈₉ᵢₘₚ"
-suptr = "⁻⁺⁼⁽⁾⁰¹²³⁴⁵⁶⁷⁸⁹ⁱᵐᵖ"
+chars = "-+=()0123456789imps"
+subtr = "₋₊₌₍₎₀₁₂₃₄₅₆₇₈₉ᵢₘₚₛ"
+suptr = "⁻⁺⁼⁽⁾⁰¹²³⁴⁵⁶⁷⁸⁹ⁱᵐᵖˢ"
 
 blockcode = re.compile(r"^(~~~~*) *(\w+)$")
 inlinecode = re.compile(r"(?:^|(?<=[^\\]))`")