add typos.toml config and fix typos

abstract-algebra-charles-pinter-notes.tex

@@ -97,7 +97,7 @@ Every subgroup of a cyclic group is cyclic.
 \begin{definition}[Subgroup]
     Let $G$ be a group, and $H$ a non-empty subset of $G$. If
     \begin{enumerate}[i.]
-	\item the idenity $e$ of $G$ is in $H$.
+	\item the identity $e$ of $G$ is in $H$.
 	\item $H$ is closed with respect to the operation. Which is for $a, b \in H$, $ab \in H$.
 	\item $H$ is closed with respect to inverses. Which is for $a \in H$, $a^{-1} \in H$.
     \end{enumerate}
@@ -174,7 +174,7 @@ In finite sets, if $f: A \rightarrow B$ is injective then $|A| \leq |B|$, and if
 \section{Cosets}
 
 \begin{definition}[Coset]
-    Let $G$ be a group, and $H$ a subgroup of $G$. For any element $a$ in $G$, the symbol $aH$ denotes the set of all products $ah$, as $a$ remains fixed and $h$ ranges over $H$. $aH$ is caled a \emph{left coset} of $H$ in $G$.
+    Let $G$ be a group, and $H$ a subgroup of $G$. For any element $a$ in $G$, the symbol $aH$ denotes the set of all products $ah$, as $a$ remains fixed and $h$ ranges over $H$. $aH$ is called a \emph{left coset} of $H$ in $G$.
     \\
     In similar fashion, $Ha$ denotes the set of all products $ha$, as $a$ remains fixed an $h$ ranges over $H$. $Ha$ is called a \emph{right coset} of $H$ in $G$.
 \end{definition}
@@ -306,7 +306,7 @@ Quotient group construction is useful as a way of actually manufacturing all the
 \end{definition}
 
 \begin{definition}[Unity]
-    A ring does not necessarily have a neutral element for multiplication. If there is in $A$ a neutral element for mulitplication, it is called the \emph{unity} of $A$, and is denoted by the symbol $1$.
+    A ring does not necessarily have a neutral element for multiplication. If there is in $A$ a neutral element for multiplication, it is called the \emph{unity} of $A$, and is denoted by the symbol $1$.
     \\
     If $A$ has a unity, we call $A$ a \emph{ring with unity}.
 \end{definition}
@@ -531,7 +531,7 @@ Let $a(x) \in F[x]$ be a polynomial of degree $n$. There is an extension field $
     The set of all the linear combinations of $\overrightarrow{a_1}, \overrightarrow{a_2}, \ldots, \overrightarrow{a_n}$ is a \emph{subspace of} $V$.
 \end{definition}
 
-\begin{definition}[Linear dependancy]
+\begin{definition}[Linear dependency]
     Let $S = \{$\overrightarrow{a_1}, \overrightarrow{a_2}, \ldots, \overrightarrow{a_n}$\}$ be a set of distinct vectors in a vector space $V$. $S$ is said to be \emph{linearly dependent} if there are scalars $k_1, \ldots, k_n$, not all zero, such that $k_1 \overrightarrow{a_1} + k_2 \overrightarrow{a_2} + \cdots + k_n \overrightarrow{a_n} = 0$.
     Which is equivalent to saying that at least one of the vectors in $S$ is a linear combination of the others.
 

fft.sage

@@ -41,7 +41,7 @@ def fft(F, n):
     return w, ft, ft_inv
 
 
-# Fast polynomial multiplicaton using FFT
+# Fast polynomial multiplication using FFT
 def poly_mul(fa, fb, F, n):
     w, ft, ft_inv = fft(F, n)
 
@@ -126,7 +126,7 @@ print("fa_eval'", fa_eval)
 assert fa_eval2 == fa_eval
 
 
-# Fast polynomial multiplicaton using FFT
+# Fast polynomial multiplication using FFT
 print("\n---------")
 print("---Fast polynomial multiplication using FFT")
 

ipa.sage

@@ -184,7 +184,7 @@ class IPA_halo:
         return a[0], l, r, L, R
 
     def verify(self, P, a, v, x_powers, r, u, U, lj, rj, L, R):
-        print("methid verify()")
+        print("method verify()")
 
         # compute P' = P + [v] U
         P = P + int(v) * U
@@ -323,7 +323,7 @@ h = 1
 q = g.order()
 Fq = GF(q)
 
-# simplier curve values
+# simpler curve values
 #  p = 19
 #  Fp = GF(p)
 #  E = EllipticCurve(Fp,[0,3])

notes_bls-sig.tex

@@ -57,12 +57,12 @@ $$e(pk, H(m)) = e([sk] \cdot g_1, H(m) = e(g_1, H(m))^{sk} = e(g_1, [sk] \cdot H
 \paragraph{Aggregation}
 Signatures aggregation:
 $$\sigma_{aggr} = \sigma_1 + \sigma_2 + \ldots + \sigma_n$$
-where $\sigma_{aggr} \in G_2$, and an aggregated signatures is indistinguishible from a non-aggregated signature.
+where $\sigma_{aggr} \in G_2$, and an aggregated signatures is indistinguishable from a non-aggregated signature.
 
 \vspace{0.5cm}
 Public keys aggregation:
 $$pk_{aggr} = pk_1 + pk_2 + \ldots + pk_n$$
-where $pk_{aggr} \in G_1$, and an aggregated public keys is indistinguishible from a non-aggregated public key.
+where $pk_{aggr} \in G_1$, and an aggregated public keys is indistinguishable from a non-aggregated public key.
 
 
 \paragraph{Verification of aggregated signatures}

notes_caulk.tex

@@ -358,7 +358,7 @@ $[W_2^i(x)]_2 ~~\forall i \in I$, where $W_2^i(X) = \frac{Z_{\mathbb{H}}(X)}{X-\
 	\item $Z_I'(X)= r_1 \prod_{i \in I} (X - \omega^i)$
 	\item $C_I(X)=\sum_{i \in I} c_i \tau_i(X)$ (unblinded)
 	\item blinded $C_I'(X)=C_I(X) + (r_2 + r_3 X + r_4 X^2) Z_I'(X)$
-	\item set $U(x)$, being degree $m-1$ interploation over $\mathbb{V}$ with $U(v_i)=\omega^{u(i)},~ \forall i\in [m]$
+	\item set $U(x)$, being degree $m-1$ interpolation over $\mathbb{V}$ with $U(v_i)=\omega^{u(i)},~ \forall i\in [m]$
 	\item blinded $U'(X)= U(X) + (r_5 + r_6 X) Z_{\mathbb{V}}(X)$
 	\item return $z_I=[Z_I'(x)]_1,~ c_I=[C_I'(x)]_1,~ u=[U'(X)]_1$
 \end{enumerate}

notes_fri.tex

@@ -7,6 +7,8 @@
 \usepackage{enumerate}
 \usepackage{hyperref}
 \usepackage{xcolor}
+% \usepackage{pgf-umlsd} % diagrams
+
 
 % prevent warnings of underfull \hbox:
 \usepackage{etoolbox}
@@ -32,7 +34,7 @@
 \maketitle
 
 \begin{abstract}
-	Notes taken from \href{https://sites.google.com/site/vincenzoiovinoit/}{Vincenzo Iovino} \cite{vincenzoiovino} explainations about FRI \cite{fri}, \cite{cryptoeprint:2022/1216}, \cite{cryptoeprint:2019/1020}.
+	Notes taken from \href{https://sites.google.com/site/vincenzoiovinoit/}{Vincenzo Iovino} \cite{vincenzoiovino} explanations about FRI \cite{fri}, \cite{cryptoeprint:2022/1216}, \cite{cryptoeprint:2019/1020}.
 
 	These notes are for self-consumption, are not complete, don't include all the steps neither all the proofs.
 
@@ -68,7 +70,7 @@ Consider the following protocol:
 	\item V checks $f(r)=g(r) + \alpha h(r)$. (Schwartz-Zippel lema).
 		If holds, V can be certain that $f(x)=g(x)+ \alpha h(x)$.
 	\item P proves that $deg(f) \leq d$. 
-	\item If V is convinced that $deg(f) \leq d$, V belives that both $g, h$ have $deg \leq d$.
+	\item If V is convinced that $deg(f) \leq d$, V believes that both $g, h$ have $deg \leq d$.
 \end{enumerate}
 
 %/// TODO tabulate this next lines
@@ -183,6 +185,22 @@ P would receive a challenge $z \in D$ set by V (where $D$ is the evaluation doma
 	\item[] Constant values of last iteration: $\{f_k^L,~f_k^R\}$, for $k=log(d)$
 \end{itemize}
 
+% \begin{figure}[htp]
+% \centering
+% \begin{footnotesize}
+% \begin{sequencediagram}
+%     \newinst[0]{p}{Prover}
+%     \newinst[5]{v}{Verifier}
+% 
+%     \mess{p}{$\{Comm(f_i)\}_0^{log(d)},~ \{f_i(z^{2^i}),~f_i(-(z^{2^i})) \}_0^{log(d)},~ \{f_k^L,~ f_k^R\}$}{v}
+% 
+% \end{sequencediagram}
+% \end{footnotesize}
+% \caption[FRI-LDT]{sketch of the FRI-LDT flow}
+% \label{fig:fri-ldt}
+% \end{figure}
+
+
 \paragraph{Verification}
 
 V receives:

notes_hypernova.tex

@@ -263,7 +263,7 @@ c &= \left(
 \end{align}
 $$\textcolor{gray}{(Recall,~ g(x) := \left( \sum_{j \in [t]} \gamma^j \cdot L_j(x) \right) + \gamma^{t+1} \cdot Q(x))}$$
 
-Outputed LCCCS: $(C', u', x', \textcolor{pink}{r_x'}, v_1', \ldots, v_t')$
+Outputted LCCCS: $(C', u', x', \textcolor{pink}{r_x'}, v_1', \ldots, v_t')$
 
 
 \framebox{\begin{minipage}{4.3 in}

notes_nova.tex

@@ -124,7 +124,7 @@ Problem: not non-trivial, and not zero-knowledge. Solution: use polynomial commi
 
 \paragraph{Committed Relaxed R1CS}
 Instance for a Committed Relaxed R1CS\\
-$(\overline{E}, u, \overline{W}, x)$, satisfyied by a witness $(E, r_E, W, r_W)$ such that
+$(\overline{E}, u, \overline{W}, x)$, satisfied by a witness $(E, r_E, W, r_W)$ such that
 \begin{align*}
 	&\overline{E} = Com(E, r_E)\\
 	&\overline{W} = Com(E, r_W)\\
@@ -207,7 +207,7 @@ P will prove that knows the valid witness $(E, r_E, W, r_W)$ for the committed r
 
 The previous protocol achieves non-interactivity via Fiat-Shamir transform, obtaining a \emph{Non-Interactive Folding Scheme for Committed Relaxed R1CS}.
 
-Note: the paper later uses $\mathsf{u}_i,~ \mathsf{U}_i$ for the two inputed $\varphi_1,~ \varphi_2$, and later $\mathsf{u}_{i+1}$ for the outputed $\varphi$. Also, the paper later uses $\mathsf{w},~ \mathsf{W}$ to refer to the witnesses of two folded instances (eg. $\mathsf{w}=(E, r_E, W, r_W)$).
+Note: the paper later uses $\mathsf{u}_i,~ \mathsf{U}_i$ for the two inputted $\varphi_1,~ \varphi_2$, and later $\mathsf{u}_{i+1}$ for the outputted $\varphi$. Also, the paper later uses $\mathsf{w},~ \mathsf{W}$ to refer to the witnesses of two folded instances (eg. $\mathsf{w}=(E, r_E, W, r_W)$).
 
 
 \subsection{NIFS}

notes_reed-solomon.tex

@@ -155,7 +155,7 @@ Furthermore, in our use case in the context of FRI IOP, we are not interested in
 Let $g(x)$ be the generator polynomial
 $$g(x) = (x-\alpha) (x-\alpha^2) \cdots (x-\alpha^{2s-1})$$
 
-whith $\alpha$ being a primitive element of $GF(p^r)$.
+with $\alpha$ being a primitive element of $GF(p^r)$.
 
 The \emph{encoder} wants to map the message $\{ m_0, m_1, \ldots, m_{k-1} \}$ into a polynomial $p(x)$ of degree $<k$ such that
 

notes_sonic.tex

@@ -98,7 +98,7 @@ Combine the multiplicative and linear constraints to:
 + \sum_{i=1}^n a_i b_i (Y^i + Y^{-i}) - k(Y) = 0
 \end{align}
 
-where $a \cdot u(Y) + b \cdot v(Y) + c \cdot w(Y)$ is embeded into the constant term of the polynomial $t(X, Y)$.
+where $a \cdot u(Y) + b \cdot v(Y) + c \cdot w(Y)$ is embedded into the constant term of the polynomial $t(X, Y)$.
 
 
 Define $r(X, Y)$ s.t. $r(X, Y) = r(XY, 1)$.
@@ -154,7 +154,7 @@ PC scheme (adaptation of KZG):
 	== e(F, h^{x^{-d+max}})$$
 \end{enumerate}
 
-\subsection{Succint signatures of correct computation}
+\subsection{Succinct signatures of correct computation}
 Signature of correct computation to ensure that an element $s=s(z, y)$ for a known polynomial
 $$s(X, Y) = \sum_{i, j = -d}^d s_{i, j} \cdot X^i \cdot Y^i$$
 

notes_spartan.tex

@@ -125,7 +125,7 @@ This would mean that the R1CS instance is satisfied.
 	\item[] Thus $Q_{io}(t)= \sum_{x \in \{0,1\}^s} \widetilde{F}_{io}(x) \cdot \widetilde{eq}(t, x)$, and then we prove that $Q_{io}(\tau)=0$, for $\tau \in^R \mathbb{F}^s$.
 \end{itemize}
 
-\section{NIZKs with succint proofs for R1CS}
+\section{NIZKs with succinct proofs for R1CS}
 
 From Thm 4.1: to check R1CS instance $(\mathbb{F}, A, B, C, io, m, n)$ V can check if
 $\sum_{x \in \{0,1\}^s} G_{io, \tau} (x) = 0$, which through sum-check protocol can be reduced to $e_x = G_{io, \tau} (r_x)$, where $r_x \in \mathbb{F}^s$.
@@ -247,7 +247,7 @@ Instead of evaluating $\widetilde{Z}(r_y)$ in $O(|w|)$ communications, P sends a
 		\item Sum-check 2. $e_y \leftarrow <P_{SC}(M_{r_x}), V_{SC}(r_y)>(\mu_2, l_2, T_2)$
 		\item P: $v \leftarrow \widetilde{w}(r_y[1..])$, send $v$ to V
 		\item $b_e \leftarrow <P_{PC.Eval}(\widetilde{w}, S), V_{PC.Eval}(r)>(pp,  C, r_y, v, \mu_2)$
-		\item V: abourt with $b=0$ if $b_e==0$
+		\item V: abort with $b=0$ if $b_e==0$
 		\item V: $v_z \leftarrow (1 - r_y[0]) \cdot \widetilde{w}(r_y [1..]) + r_y[0] \widetilde{(io, 1)} (r_y[1..])$
 		\item V: $v_1 \leftarrow \widetilde{A}(r_x, r_y),~ v_2 \leftarrow \widetilde{B}(r_x, r_y),~ v_3 \leftarrow \widetilde{C}(r_x, r_y)$
 		\item V: abort with $b=0$ if $e_y \neq (r_A v_1 + r_B v_2 + r_C v_3) \cdot v_z$

sigma.sage

@@ -325,7 +325,7 @@ class TestORProof(unittest.TestCase):
 
                 # Alice generates key pair
                 X = alice.new_key()
-                Xs.insert(0, X) # add X at the begining of Xs array
+                Xs.insert(0, X) # add X at the beginning of Xs array
 
                 # Alice generates commitments (internally running the simulator)
                 As = alice.gen_commitments(Xs)

slides_hypernova-part1-introduction.tex

@@ -77,7 +77,7 @@ We used to use recursive SNARKs to achieve IVC.
 
 $$Az \circ Bz = Cz$$
 
-Typically we use some scheme to prove that the previous equation is fullfilled by some private $w$ (eg. Groth16, Marlin, Spartan, etc).
+Typically we use some scheme to prove that the previous equation is fulfilled by some private $w$ (eg. Groth16, Marlin, Spartan, etc).
 
 \end{frame}
 
@@ -114,7 +114,7 @@ We're not verifying the entire proof
 \begin{itemize}
    \item Take n instances and 'batch' them together
   \begin{itemize}
-    \item Folds $k$ (eg. 2) instances (eg. R1CS instances) and their respective witnesses into a signle one
+    \item Folds $k$ (eg. 2) instances (eg. R1CS instances) and their respective witnesses into a single one
   \end{itemize}
    \item At the end of the chain of folds, we just prove that the last fold is correct through a SNARK
   \begin{itemize}
@@ -136,7 +136,7 @@ In Nova: folding without a SNARK, we just reduce the satisfiability of the 2 inp
 
 $$Az \circ Bz = u \cdot Cz + E$$
 
-\begin{scriptsize} % TODO use the other simplier font syntax
+\begin{scriptsize} % TODO use the other simpler font syntax
 (= R1CS when $u=1,~ E=0$)
 \end{scriptsize}
 
@@ -189,7 +189,7 @@ Let $z_1 = (w_1, x_1, u_1)$ and $z_2 = (w_2, x_2, u_2)$.
 \end{footnotesize}
 \pause
 \begin{scriptsize}
-Note: $T$ are the cross-terms comming from combining the two R1CS instances from
+Note: $T$ are the cross-terms coming from combining the two R1CS instances from
 \begin{align*}
   Az \circ Bz &=A(z_1 + r \cdot z_2) \circ B(z_1 + r z_2)\\
 	      &=A z_1 \circ B z_1 + r(A z_1 \circ B z_2 + A z_2 \circ B z_1) + r^2 (A z_2 \circ B z_2) = \ldots

typos.toml

@@ -0,0 +1,7 @@
+# usage:
+# install `typos`: https://github.com/crate-ci/typos
+# run: typos --config typos.toml
+
+[default.extend-words]
+groth = "groth"
+pinter = "pinter"