diff --git a/README.md b/README.md index 599c6fa..9ce86ee 100644 --- a/README.md +++ b/README.md @@ -1,18 +1,7 @@ -# math +# math/cryptography Notes, code and documents done while reading books and papers. -### Sage code -- [blind signatures over elliptic curve](blind-sign-over-ec.sage) -- [BLS signatures](bls-sigs.sage) -- [FFT](fft.sage) -- [IPA](ipa.sage) -- [KZG commitments](kzg.sage) -- [Powers of Tau](powersoftau.sage) -- [Ring signatures](ring-signatures.sage) -- [Sigma protocol](sigma.sage) - -### Notes - [Notes on "Abstract Algebra" book, by Charles C. Pinter](abstract-algebra-charles-pinter-notes.pdf) - [Notes on Caulk & Caulk+ papers](notes_caulk.pdf) - [Notes on the DFT & FFT](fft-notes.pdf) @@ -24,3 +13,5 @@ Notes, code and documents done while reading books and papers. - [Notes on Reed-Solomon codes](notes_reed-solomon.pdf) - [Notes on FRI](notes_fri.pdf) - [Notes on Nova](notes_nova.pdf) + +Also some Sage implementations can be found in the `*.sage` files of this repo. diff --git a/notes_fri.pdf b/notes_fri.pdf index 4e3598c..a258baa 100644 Binary files a/notes_fri.pdf and b/notes_fri.pdf differ diff --git a/notes_fri.tex b/notes_fri.tex index e6c02d4..7fd4ef1 100644 --- a/notes_fri.tex +++ b/notes_fri.tex 
@@ -32,24 +32,17 @@ \maketitle \begin{abstract} - Notes taken from \href{https://sites.google.com/site/vincenzoiovinoit/}{Vincenzo Iovino} explainations about FRI \cite{fri}, \cite{cryptoeprint:2022/1216}. + Notes taken from \href{https://sites.google.com/site/vincenzoiovinoit/}{Vincenzo Iovino} \cite{vincenzoiovino} explainations about FRI \cite{fri}, \cite{cryptoeprint:2022/1216}, \cite{cryptoeprint:2019/1020}. These notes are for self-consumption, are not complete, don't include all the steps neither all the proofs. - An implementation of FRI can be found at \href{https://github.com/arnaucube/fri-commitment}{https://github.com/arnaucube/fri-commitment}. + An implementation of FRI can be found at\\ \href{https://github.com/arnaucube/fri-commitment}{https://github.com/arnaucube/fri-commitment} \cite{fri-impl}. \end{abstract} \tableofcontents \section{Preliminaries} -\subsection{Low degree testing} -V wants to ensure that $deg(f(x)) \leq d$. - -We are in the IOP setting, V asks on a point, P sends back the opening at that point. - -TODO - -\subsubsection{General degree d test} +\subsection{General degree d test} Query at points $\{ x_i \}_0^{d+1},~z$ (with rand $z \overset{R}{\in} \mathbb{F}$). Interpolate $p(x)$ at $\{f(x_i)\}_0^{d+1}$ to reconstruct the unique polynomial $p$ of degree $d$ such that $p(x_i)=f(x_i)~\forall i=1, \ldots, d+1$. @@ -91,7 +84,8 @@ Here, P proves $g,~h$ both have $deg \leq d$, but instead of doing $2 \cdot (d+2 So we halved the number of queries. -\subsection{FRI} +\subsection{FRI-LDT}\label{sec:fri-ldt} +FRI low degree testing.\\ Both P and V have oracle access to function $f$. V wants to test if $f$ is polynomial with $deg(f) \leq d$. 
@@ -154,8 +148,9 @@ eg. for $f(x)=x^4+x^3+x^2+x+1$, \vspace{30px} \paragraph{Proof generation} -P starts from $f(x)$, and for $i=0$ sets $f_0(x)=f(x)$. +\emph{(Commitment phase)} +P starts from $f(x)$, and for $i=0$ sets $f_0(x)=f(x)$. \begin{enumerate} \item $\forall~i \in \{0, log(d)\}$, with $d = deg~f(x)$,\\ P computes $f_i^L(x),~ f_i^R(x)$ for which @@ -163,7 +158,7 @@ P starts from $f(x)$, and for $i=0$ sets $f_0(x)=f(x)$. f_i(x) = f_i^L(x^2) + x f_i^R(x^2) \end{equation} holds. - \item V sends challenge $\alpha_i$ + \item V sends challenge $\alpha_i \in \mathbb{F}$ \item P commits to the random linear combination $f_{i+1}$, for \begin{equation}\tag{eq. $B_i$} f_{i+1}(x) = f_i^L(x) + \alpha_i f_i^R(x) @@ -174,12 +169,16 @@ Notice that at each step, $deg(f_i)$ halves. This is done until the last step, where $f_i^L(x),~ f_i^R(x)$ are constant (degree 0 polynomials). For which P does not commit but gives their values directly to V. +\emph{(Query phase)} +P would receive a challenge $z \in D$ set by V (where $D$ is the evaluation domain, $D \in \mathbb{F}$), and P would open the commitments at $\{z^{2^i}, -z^{2^i}\}$ for each step $i$. +(Recall, "opening" means that would provide a proof (MerkleProof) of it). + \paragraph{Data sent from P to V} \begin{itemize} \item[] Commitments: $\{Comm(f_i)\}_0^{log(d)}$\\ {\scriptsize eg. $\{Comm(f_0),~ Comm(f_1),~ Comm(f_2),~ ...,~ Comm(f_{log(d)})\}$ } \item[] Openings: $\{ f_i(z^{2^i}),~f_i(-(z^{2^i})) \}_0^{log(d)}$\\ - for a challenge $z \in \mathbb{F}$ set by V\\ + for a challenge $z \in D$ set by V\\ {\scriptsize eg. $f_0(z),~ f_0(-z),~ f_1(z^2),~ f_1(-z^2),~ f_2(z^4),~ f_2(-z^4),~ f_3(z^8),~ f_3(-z^8),~ \ldots$} \item[] Constant values of last iteration: $\{f_k^L,~f_k^R\}$, for $k=log(d)$ \end{itemize} 
@@ -195,7 +194,8 @@ V receives: \vspace{20px} -For all $i \in \{0, log(d)\}$, V knows the openings at $z^{2^i}$ and $-(z^{2^i})$ for $Comm(f_i(x))$, which are $o_i=f_i(z^{2^i})$ and $o_i'=f_i(-(z^{2^i}))$ respectively. +For all $i \in \{0, log(d)\}$, V knows the openings at $z^{2^i}$ and $-(z^{2^i})$ for\\ +$Comm(f_i(x))$, which are $o_i=f_i(z^{2^i})$ and $o_i'=f_i(-(z^{2^i}))$ respectively. V, from (eq. $A_i$), knows that $$f_i(x)=f_i^L(x^2) + x f_i^R(x^2)$$ @@ -236,12 +236,12 @@ where V will find the values of $f_i^L(z^{2^i}),~f_i^R(z^{2^i})$ being Once, V has computed $f_i^L(z^{2^i}),~f_i^R(z^{2^i})$, can use them to compute the linear combination of $$ -f_{i+1}(z^2) = f_i^L(z^2) + \alpha_i f_i^R(z^2) +f_{i+1}(z^{2^i}) = f_i^L(z^{2^i}) + \alpha_i f_i^R(z^{2^i}) $$ -obtaining then $f_{i+1}(z^2)$. This comes from (eq. $B_i$). +obtaining then $f_{i+1}(z^{2^i})$. This comes from (eq. $B_i$). -Now, V checks that the obtained $f_{i+1}(z^2)$ is equal to the received opening $o_{i+1}=f_{i+1}(z^2)$ from the commitment done by P. -V checks also the commitment of $Comm(f_{i+1}(x))$ for the opening $o_{i+1}=f_{i+1}(z^2)$.\\ +Now, V checks that the obtained $f_{i+1}(z^{2^i})$ is equal to the received opening $o_{i+1}=f_{i+1}(z^{2^i})$ from the commitment done by P. +V checks also the commitment of $Comm(f_{i+1}(x))$ for the opening $o_{i+1}=f_{i+1}(z^{2^i})$.\\ If the checks pass, V is convinced that $f_1(x)$ was committed honestly. Now, sets $i := i+1$ and starts a new iteration. 
@@ -251,8 +251,38 @@ For the last iteration, V checks that the obtained $f_i^L(z^{2^i}),~f_i^R(z^{2^i \vspace{10px} It needs $log(d)$ iterations, and the number of queries (commitments + openings sent and verified) needed is $2 \cdot log(d)$. -\section{FRI as polynomial commitment} -\emph{[WIP. Unfinished document]} +\subsection{Parameters} + +P commits to $f_i$ restricted to a subfield $F_0 \subset \mathbb{F}$. +Let $0<\rho<1$ be the \emph{rate} of the code, such that +$$|F_0| = \rho^{-1} \cdot d$$ + +\begin{theorem} + For $\delta \in (0, 1-\sqrt{\rho})$, we have that if V accepts, then w.v.h.p. (with very high probability) $\Delta(f_0,~ p^d) \leq \delta$. +\end{theorem} + +\section{FRI as polynomial commitment scheme} +This section overviews the trick from \cite{cryptoeprint:2019/1020} to convert FRI into a polynomial commitment. + +Want to check that the evaluation of $f(x)$ at $r$ is $f(r)$, which is equivalent to proving that $\exists ~Q \in \mathbb{F}[x]$ with $deg(Q)=d-1$, such that + +$$ +f(x)-f(r) = Q(x) \cdot (x-r) +$$ + +note that $f(x)-f(r)$ evaluated at $r$ is $0$, so $(x-r) | (f(x)-f(r))$, in other words +$(f(x)-f(r))$ is a multiple of $(x-r)$ for a polynomial $Q(x)$. + +Let us define $g(x) = \frac{f(x)-f(r)}{x-r}$. + +Prover uses FRI-LDT \ref{sec:fri-ldt} to commit to $g(x)$, and then prove w.v.h.p that $deg(g) \leq d-1$ ($\Longleftrightarrow \Delta(g,~ p^{d-1} \leq \delta$). + +Prover was already proving that $deg(f) \leq d$. + +Now, the missing thing to prove is that $g(x)$ has the right shape. We can relate $g$ to $f$ as follows: +V does the normal FRI-LDT, but in addition, at the first iteration: +V has $f(z)$ and $g(z)$ openings, so can verify +$$g(z) = (f(z)-f(r))\cdot (z-r)^{-1}$$ \bibliography{paper-notes.bib} diff --git a/notes_nova.pdf b/notes_nova.pdf index aafcbf0..367b3d6 100644 Binary files a/notes_nova.pdf and b/notes_nova.pdf differ diff --git a/notes_nova.tex b/notes_nova.tex index c1eeb7e..b392858 100644 --- a/notes_nova.tex 
+++ b/notes_nova.tex @@ -134,7 +134,7 @@ Let $Z_1 = (W_1, x_1, u_1)$ and $Z_2 = (W_2, x_2, u_2)$. \end{enumerate} P uses a zkSNARK showing that knows the valid witness $(E, r_E, W, r_W)$ for the committed relaxed R1CS without revealing its value. -Then, vie Fiat-Shamir transform we achieve non-interactivity. +Then, via Fiat-Shamir transform we achieve non-interactivity. \section{IVC proofs} \textbf{WIP} diff --git a/paper-notes.bib b/paper-notes.bib index beb9b94..6827f61 100644 --- a/paper-notes.bib +++ b/paper-notes.bib @@ -73,6 +73,14 @@ note = {\url{https://eprint.iacr.org/2022/1216}}, url = {https://eprint.iacr.org/2022/1216} } +@misc{cryptoeprint:2019/1020, + author = {Alexander Vlasov and Konstantin Panarin}, + title = {Transparent Polynomial Commitment Scheme with Polylogarithmic Communication Complexity}, + howpublished = {Cryptology ePrint Archive, Paper 2019/1020}, + year = {2019}, + note = {\url{https://eprint.iacr.org/2019/1020}}, + url = {https://eprint.iacr.org/2019/1020} +} @misc{cryptoeprint:2021/370, author = {Abhiram Kothapalli and Srinath Setty and Ioanna Tzialla}, @@ -82,3 +90,13 @@ note = {\url{https://eprint.iacr.org/2021/370}}, url = {https://eprint.iacr.org/2021/370} } + +@misc{vincenzoiovino, + title = {{Vincenzo Iovino}}, + note = {\url{https://sites.google.com/site/vincenzoiovinoit/}}, + url = {https://sites.google.com/site/vincenzoiovinoit/} +} +@misc{fri-impl, + note = {\url{https://github.com/arnaucube/fri-commitment}}, + url = {https://github.com/arnaucube/fri-commitment} +}
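Review bot: in the `README.md` hunk, collapsing the per-file Sage index (`blind-sign-over-ec.sage`, `bls-sigs.sage`, `fft.sage`, `ipa.sage`, `kzg.sage`, `powersoftau.sage`, `ring-signatures.sage`, `sigma.sage`) into the single sentence `Also some Sage implementations can be found in the *.sage files of this repo.` loses the only place that tells a reader which file implements which scheme; it also removes the `### Notes` subheading, so the list of PDFs now hangs directly under the intro sentence with no label. Suggest keeping the two subheadings and the file list next to the new sentence, or at least listing the file names inline.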
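Review bot: in the `notes_fri.tex` abstract hunk (`@@ -32,24 +32,17 @@`) the typo `explainations` survives the rewrite (should be `explanations`), and `don't include all the steps neither all the proofs` reads better as `and include neither all the steps nor all the proofs`. The pair `\href{https://sites.google.com/site/vincenzoiovinoit/}{Vincenzo Iovino} \cite{vincenzoiovino}` links the same URL twice (once as a hyperlink, once via the new bib entry); one of the two is enough. The hard `\\` inserted before the implementation link is a fragile way to dodge an overfull line; `\url{https://github.com/arnaucube/fri-commitment}` lets the URL break at the slashes without a forced line break.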
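Review bot: in the `@@ -91,7 +84,8 @@` hunk the added line `FRI low degree testing.\\` is immediately followed by a blank line, so the paragraph ends with `\\`, which produces an empty line and an underfull `\hbox` warning. Drop the `\\` (the blank line already starts the next paragraph) or fold the expansion into the heading, e.g. `\subsection{FRI-LDT (FRI low degree testing)}\label{sec:fri-ldt}`.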
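Review bot: in the `@@ -154,8 +148,9 @@` hunk, `\emph{(Commitment phase)}` is dropped in as a bare emphasised line inside the `Proof generation` paragraph, while the document already uses `\paragraph{...}` for labels of this kind (`\paragraph{Proof generation}`, `\paragraph{Data sent from P to V}`); consider `\paragraph{Commitment phase}` so the two phases render consistently with the other headings. While touching this region: the context line `$\forall~i \in \{0, log(d)\}$` reads as a two-element set and should be `$\{0, \ldots, \log(d)\}$` (with `\log` as an operator).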
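Review bot: in the `@@ -174,12 +169,16 @@` hunk, `$D \in \mathbb{F}$` states that the domain is an element of the field; since `$D$` is introduced on the same line as the evaluation domain (a set of points), it should be `$D \subset \mathbb{F}$`. The parenthetical `(Recall, "opening" means that would provide a proof (MerkleProof) of it)` is missing its subject and uses straight double quotes, which LaTeX typesets as two closing quotes; suggest `(Recall that ``opening'' means that P provides a Merkle proof of the value.)`. The matching change in the openings list, `for a challenge $z \in D$ set by V`, is consistent with this paragraph and should stay.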
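Review bot: in the `@@ -195,7 +194,8 @@` hunk, the hard line break `for\\` `$Comm(f_i(x))$` splits a sentence at a fixed point to avoid an overfull box; it will land in the wrong place as soon as margins, font or the surrounding text change. Rephrasing (e.g. `V knows the openings of $Comm(f_i(x))$ at $z^{2^i}$ and $-(z^{2^i})$, namely ...`) or an `\allowbreak` is a more robust fix than a forced `\\` mid-sentence.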
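Review bot: in the `@@ -236,12 +236,12 @@` hunk the new index is off by one and contradicts the opening convention fixed earlier in the same file. Openings are defined as `$o_i=f_i(z^{2^i})$` (the data list gives `$f_0(z), f_1(z^2), f_2(z^4), \ldots$`), so the next-layer opening is `$o_{i+1}=f_{i+1}(z^{2^{i+1}})$`, not `$f_{i+1}(z^{2^i})$`: substituting `$x=z^{2^i}$` into (eq. $A_i$) yields `$f_i^L$` and `$f_i^R$` evaluated at `$(z^{2^i})^2 = z^{2^{i+1}}$`, and (eq. $B_i$) then gives `$f_{i+1}(z^{2^{i+1}})$`. The old `$z^2$` was correct only for `$i=0$`; the new `$z^{2^i}$` is wrong for every `$i$`. The unchanged context line `where V will find the values of $f_i^L(z^{2^i}),~f_i^R(z^{2^i})$` has the same off-by-one and should become `$z^{2^{i+1}}$` as well, and the context line `V is convinced that $f_1(x)$ was committed honestly` should read `$f_{i+1}(x)$` for the general iteration.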
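Review bot: in the `@@ -251,8 +251,38 @@` hunk there is an unbalanced parenthesis in `($\Longleftrightarrow \Delta(g,~ p^{d-1} \leq \delta$)`: the closing `)` of `\Delta(` is missing, so the intended reading `$\Delta(g,~ p^{d-1}) \leq \delta$` is lost. Further points in the same hunk: (1) `$\Delta$` and `$p^d$` appear in the theorem without being introduced; a one-line definition (relative Hamming distance over the evaluation domain, and the set of evaluations of polynomials of degree at most `$d$`) is needed before `\begin{theorem}`. (2) The evaluation domain is called `$D$` in the query-phase hunk but `$F_0$` here, and `$F_0$` is described as a subfield while `$D$` was described as an evaluation domain; pick one symbol and one term. (3) `FRI-LDT \ref{sec:fri-ldt}` renders as a bare number; use `Section~\ref{sec:fri-ldt}`. (4) `$Q$` is introduced with `$deg(Q)=d-1$`, then `$g$` is defined as the same quotient and proved with `$deg(g) \leq d-1$`; merging the two into a single definition with one degree bound avoids the dangling `for a polynomial $Q(x)$`. (5) The final check `$g(z) = (f(z)-f(r))\cdot (z-r)^{-1}$` divides by `$z-r$`, so the text should state that `$z \neq r$` (e.g. that `$r \notin D$`), and should say where V gets the claimed value `$f(r)$` from. (6) The `[WIP. Unfinished document]` marker is removed, but the section still stops at the first-iteration check with no closing sentence; either keep the marker or finish the paragraph.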
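Review bot: in the `notes_nova.tex` hunk the corrected line `via Fiat-Shamir transform` still lacks its article (`via the Fiat-Shamir transform`), and the context line above it, `P uses a zkSNARK showing that knows the valid witness`, is missing its subject (`showing that it knows`).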
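Review bot: in the `paper-notes.bib` hunk `@@ -82,3 +90,13 @@`, the new `@misc{vincenzoiovino}` and `@misc{fri-impl}` entries carry no `author`, no `year` and (for `fri-impl`) no `title`; standard BibTeX styles warn on empty `title` for `@misc` and render the entry as a bare URL. Suggest at least `title = {fri-commitment}` and `howpublished = {GitHub repository}` for `fri-impl`, and `howpublished = {Personal web page}` for `vincenzoiovino`, plus the access year. In both entries `note` and `url` hold the same URL, so styles that print both fields will show the link twice; keep one of them. The `@misc{cryptoeprint:2019/1020}` entry follows the format of the existing ePrint entries and needs no change.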