diff --git a/blogo-input/blogo.json b/blogo-input/blogo.json
index d3ca195..a6903b3 100755
--- a/blogo-input/blogo.json
+++ b/blogo-input/blogo.json
@@ -27,7 +27,7 @@
     {
       "thumb": "fri_thumb.md",
       "metadescr": "This document contains notes on FRI low degree testing and the trick to convert it to a polynomial commitment scheme.",
-      "outsideArticle": "https://raw.githubusercontent.com/arnaucube/math/master/notes_fri.pdf"
+      "outsideArticle": "https://raw.githubusercontent.com/arnaucube/math/master/notes_fri_stir.pdf"
     },
     {
       "thumb": "powersoftau_thumb.md",
diff --git a/blogo-input/posts/fri_thumb.md b/blogo-input/posts/fri_thumb.md
index 5e3a265..103022b 100644
--- a/blogo-input/posts/fri_thumb.md
+++ b/blogo-input/posts/fri_thumb.md
@@ -1,5 +1,6 @@
-### Notes on FRI (pdf)
+### Notes on FRI and STIR (pdf)
 
 This document contains notes on FRI low degree testing and the trick to convert it to a polynomial commitment scheme.
+(Update 2024-03-22: also few notes on STIR).
 
 *2023-02-26*
diff --git a/public/blind-signatures-ec.html b/public/blind-signatures-ec.html
index a0e1ab9..3df93d9 100644
--- a/public/blind-signatures-ec.html
+++ b/public/blind-signatures-ec.html
@@ -72,7 +72,7 @@
 
 <h4>Blind signatures</h4>
 
-<p>Few years ago I read about the RSA blind signatures scheme (thanks to <a href="https://futur.upc.edu/JuanBautistaHernandezSerrano">Juan Hernández</a> who discovered it to me) and I was amazed on such thing being possible. You can read the step by step of the <em>RSA blind signatures</em> scheme in <a href="https://en.wikipedia.org/wiki/Blind_signature#Blind_RSA_signatures">this Wikipedia article</a>.
+<p>Few years ago I read about the RSA blind signatures scheme (thanks to <a href="https://futur.upc.edu/JuanHernandezSerrano">Juan Hernández</a> who discovered it to me) and I was amazed on such thing being possible. You can read the step by step of the <em>RSA blind signatures</em> scheme in <a href="https://en.wikipedia.org/wiki/Blind_signature#Blind_RSA_signatures">this Wikipedia article</a>.
 The main idea is that one party has a message and blinds it, then sends the blinded message to a signer. The signer generates a signature of that blinded message, who sends it to the initial party, who unblinds the signature, obtaining a valid signature for the original message, while the signer does not know what it is signing, but the signature can be verified for the original message for the signer&rsquo;s public key.</p>
 
 <p><div style="text-align:center; font-size:80%;">
@@ -167,6 +167,37 @@ func main() {
 
 <p><em>Special thanks to <a href="https://github.com/dhole">@dhole</a> for reviewing this text.</em></p>
 
+<h3>Update 2022-10-29: Schnorr Blind Signatures</h3>
+
+<p><em>2022-10-29</em></p>
+
+<p><a href="https://sites.google.com/site/vincenzoiovinoit/">Vincenzo Iovino</a> recently showed me the paper <a href="https://eprint.iacr.org/2019/877">https://eprint.iacr.org/2019/877</a>, which describes the <em>Blind Schnorr Signature</em>. This subsection describes it. The concepts and parties are the same, the difference is in the values computed.</p>
+
+<p>The public parameters consist of a group <span class="math inline">\(\mathbb{G}\)</span> of order <span class="math inline">\(p\)</span> and generator <span class="math inline">\(G\)</span>, and a cryptographic hash function <span class="math inline">\(\mathcal{H} : \{0,1\}^* \rightarrow \mathbb{Z}_p\)</span>.</p>
+
+<p>The private key of the Signer is a random scalar <span class="math inline">\(x \in \mathbb{Z}_p\)</span> and the corresponding public key is <span class="math inline">\(X = xG\)</span>.</p>
+
+<p>Any User who wants to obtain a signature for some message <span class="math inline">\(m\)</span> without disclosing the content of that message to the Signer proceeds as follows:</p>
+
+<ol>
+<li>The User sends a signing request to the Signer. This request will typically be signed; thus the Signer knows whether the request is legitimate or not.</li>
+<li>If the request is legitimate, the Signer generates a random <span class="math inline">\(r \in \mathbb{Z}_p\)</span>, computes <span class="math inline">\(R = rG\)</span> and sends <span class="math inline">\(R\)</span> to the User.</li>
+<li>The User selects random scalars <span class="math inline">\(\alpha, \beta \in \mathbb{Z}_p\)</span>, computes the \emph{blinding factor} <span class="math inline">\(R' = R + \alpha G + \beta X\)</span>, sets <span class="math inline">\(c = \mathcal{H}(R', m) + \beta \bmod{p}\)</span> and sends <span class="math inline">\(c\)</span> to the Signer.</li>
+<li>The Signer computes <span class="math inline">\(s = r + cx \bmod{p}\)</span> and sends <span class="math inline">\(s\)</span> to the User.</li>
+<li>The User verifies that the value <span class="math inline">\(s\)</span> received is correct by verifying that <span class="math inline">\(sG = R + cX\)</span>. Setting <span class="math inline">\(s' = s + \alpha \bmod{p}\)</span>, the signature of the message <span class="math inline">\(m\)</span> is then <span class="math inline">\(\sigma = (R', s')\)</span>.</li>
+</ol>
+
+<p>Anyone can then verify the validity of the signature by checking the equality <span class="math inline">\(s'G \stackrel{?}{=} R' + \mathcal{H}(R', m)X\)</span>. To see why this must hold, we can unroll the equation:</p>
+<p><span class="math display">\[
+s'G = sG + \alpha G \\
+    = rG + cxG + \alpha G \\
+    = rG + (\mathcal{H}(R', m) + \beta) X + \alpha G \\
+    = R + \alpha G + \beta X + \mathcal{H}(R', m) X \\
+    = R' + \mathcal{H}(R', m) X
+\]</span></p><p>Note that blind Schnorr signatures can be subject to so-called ROS (Random inhomogeneities in a Overdetermined Solvable system of linear equations) attacks, but these attacks can be defended against by forbidding parallel sessions.</p>
+
+<p>An implementation of this scheme in Rust and also in R1CS circuits can be found at <a href="https://github.com/aragonzkresearch/ark-ec-blind-signatures">github.com/aragonzkresearch/ark-ec-blind-signatures</a> . We used this scheme in the <a href="https://github.com/aragonzkresearch/research/blob/main/blind-ovote/blind-ovote.pdf">Blind-OVOTE</a> project, a L2 validity rollup, which uses blind signatures over elliptic curves inside zkSNARK, to provide offchain anonymous voting with onchain binding execution on Ethereum.</p>
+
     </div>
 
     <footer style="text-align:center; margin-top:100px;margin-bottom:50px;">
diff --git a/public/index.html b/public/index.html
index 8beb700..d520c49 100644
--- a/public/index.html
+++ b/public/index.html
@@ -90,10 +90,11 @@ ProtoGalaxy is a <em>folding scheme</em> which iterates on ideas from ProtoStar
 
 </div>
 
-</a><a href='https://raw.githubusercontent.com/arnaucube/math/master/notes_fri.pdf'><div class="row postThumb">
-        <h3>Notes on FRI (pdf)</h3>
+</a><a href='https://raw.githubusercontent.com/arnaucube/math/master/notes_fri_stir.pdf'><div class="row postThumb">
+        <h3>Notes on FRI and STIR (pdf)</h3>
 
-<p>This document contains notes on FRI low degree testing and the trick to convert it to a polynomial commitment scheme.</p>
+<p>This document contains notes on FRI low degree testing and the trick to convert it to a polynomial commitment scheme.
+(Update 2024-03-22: also few notes on STIR).</p>
 
 <p><em>2023-02-26</em></p>
 
diff --git a/public/protogalaxy.html b/public/protogalaxy.html
index 2c1fac9..35c1491 100644
--- a/public/protogalaxy.html
+++ b/public/protogalaxy.html
@@ -77,7 +77,7 @@ The paper is very well written and exposes the ideas very clearly, so it&rsquo;s
 
 <p>ProtoGalaxy is a <em>folding scheme</em> which iterates on ideas from <a href="https://eprint.iacr.org/2023/620">ProtoStar paper</a> (here you can find <a href="https://geometry.xyz/notebook/paper-speedrun-protostar">Geometry&rsquo;s post</a> overviewing its main results and techniques).</p>
 
-<p>For an introduction to <em>folding schemes</em> I highly recommend <a href="https://youtu.be/IzLTpKWt-yg?t=6367">this talk (at 1:46)</a> by <a href="https://twitter.com/CPerezz19">Carlos Perez</a>.</p>
+<p>For an introduction to <em>folding schemes</em> I highly recommend <a href="https://youtu.be/IzLTpKWt-yg?t=6367">this talk (at 1:46)</a> by <a href="https://twitter.com/CPerezz19">Carlos Pérez</a>.</p>
 
 <p>I would like to thank <a href="https://twitter.com/LiamEagen">Liam Eagen</a> and <a href="https://twitter.com/rel_zeta_tech">Ariel Gabizon</a> for their kind explanations on the scheme.
 Also thanks to <a href="https://twitter.com/kiliconu">Onur</a> for comments and corrections.</p>
@@ -192,14 +192,14 @@ While, when we evaluate $L_2(X)$ at for example $\omega^1$, we will obtain a $0$
 
 <p>The way to check that the lemma is true for me was to implement it with code and check that it is satisfied. This is not a proper way, so luckily later <a href="https://hecmas.github.io">Héctor Masip</a> showed me an actual proof of this lemma, which goes as follows:</p>
 
-<p>Recall from the <a href="https://en.wikipedia.org/wiki/Polynomial_greatest_common_divisor#Euclidean_division">euclidean polynomial division</a>:</p>
+<p>Recall from the <a href="https://en.wikipedia.org/wiki/Polynomial_greatest_common_divisor#Euclidean_division">Euclidean polynomial division</a>:</p>
 
 <blockquote>
 <p>For <span class="math inline">\(f(X), g(X) \in \mathbb{F}[X]\)</span> with <span class="math inline">\(\deg f \geq \deg g\)</span>, <span class="math inline">\(\exists\)</span> unique polynomials <span class="math inline">\(q(X), r(X) \in \mathbb{F}[X]\)</span> such that <span class="math inline">\(f(X) = g(X) q(X) + r(X)\)</span>, with <span class="math inline">\(0 \leq \deg r &lt; \deg g\)</span>.</p>
 </blockquote>
 
 <p>Thus,</p>
-<p><span class="math display">\[f(\sum_{i=0}^k a_i \cdot L_i(X)) = Q(X) \cdot Z(X) + r(X)\]</span></p><p>with <span class="math inline">\(0 \leq \deg r &lt; \deg z = k+1\)</span>.</p>
+<p><span class="math display">\[f(\sum_{i=0}^k a_i \cdot L_i(X)) = Q(X) \cdot Z(X) + r(X)\]</span></p><p>with <span class="math inline">\(0 \leq \deg r &lt; \deg Z = k+1\)</span>.</p>
 
 <p>So, when evaluating at <span class="math inline">\(a_j, ~\forall j=0, \ldots, k\)</span>,</p>
 <p><span class="math display">\[f(\sum_{i=0}^k a_i \cdot L_i(a_j)) = f(a_j) = \underbrace{Q(a_j) \cdot Z(a_j)}_{0} + r(a_j)\]</span></p><p>so <span class="math inline">\(f(a_j)=r(a_j)\)</span>, therefore</p>
@@ -259,7 +259,7 @@ F(X) := \sum_{i \in [n]} pow_i(
 \\
 \text{\scriptsize{representation of the new random vector over $X$}}
 \\
-\text{\scriptsize{where $\overrightarrow{\eta}=\{ \beta+X \delta, \beta^2 + X \delta^2, \beta^4 +X \delta^4, \ldots, \beta^{2^{t-1}} + X \delta^{2^{t-1}} \}$}}
+\text{\scriptsize{where $\overrightarrow{\eta}=\{ \beta+X \delta, (\beta + X \delta)^2, (\beta +X \delta)^4, \ldots, (\beta + X \delta)^{2^{t-1}} \}$}}
 \\
 = \sum_{i \in [n]}
 	pow_i(\textcolor{orange}{\overrightarrow{\eta}})