diff --git a/README.md b/README.md
index f3d1f0e..599c6fa 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ Notes, code and documents done while reading books and papers.
 ### Notes
 - [Notes on "Abstract Algebra" book, by Charles C. Pinter](abstract-algebra-charles-pinter-notes.pdf)
-- [Notes on Caulk paper](notes_caulk.pdf)
+- [Notes on Caulk & Caulk+ papers](notes_caulk.pdf)
 - [Notes on the DFT & FFT](fft-notes.pdf)
 - [Notes on the BLS signatures](notes_bls-sig.pdf)
 - [Notes on IPA from Halo paper](notes_halo.pdf)
@@ -22,3 +22,5 @@ Notes, code and documents done while reading books and papers.
 - [Notes on Weil pairing](weil-pairing.pdf)
 - [Notes on Sigma protocol and OR proofs](sigma-or-notes.pdf)
 - [Notes on Reed-Solomon codes](notes_reed-solomon.pdf)
+- [Notes on FRI](notes_fri.pdf)
+- [Notes on Nova](notes_nova.pdf)
diff --git a/notes_caulk.pdf b/notes_caulk.pdf
index ff31410..7e97cdb 100644
Binary files a/notes_caulk.pdf and b/notes_caulk.pdf differ
diff --git a/notes_caulk.tex b/notes_caulk.tex
index a45cc47..02840db 100644
--- a/notes_caulk.tex
+++ b/notes_caulk.tex
@@ -339,7 +339,59 @@ $$e([P]_1, [1]_2) + e(-(\rho_1(\alpha) + \rho_2(\alpha)) - z_{V_n}(\alpha) [x^{d
 \section{Caulk+}
-\emph{WIP}
+Main update from original Caulk: $R_{unity}$, $\pi_{unity}$ is replaced with a pairing check constraining the evaluation points to be roots of a polynomial dividing $X^n-1$.
+
+KZG commitment $c$ to $C(X)$, with evaluation points in $\mathbb{H}$.\\
+KZG commitment $a$ to $A(X)$, with evaluation points in $\mathbb{V}$.
+
+Witness:\\
+$I \subset [n], ~~ \{ c_i \}_{i \in I} ,~~ C(X), A(X) ,~~ u: [m] \rightarrow I$
+
+Precomputed:\\
+$[W_1^i(x)]_2 ~~\forall i \in I$, where $W_1^i(X) = \frac{C(X) - c_i)}{X-\omega^i}$\\
+$[W_2^i(x)]_2 ~~\forall i \in I$, where $W_2^i(X) = \frac{Z_{\mathbb{H}}(X)}{X-\omega^i}$
+
+\paragraph{Round 1}
+\begin{enumerate}[i.]
+ \item rand blinding factors $r1, \ldots, r_6$
+ \item Lagrange basis polynomials $\{ \tau_i(X) \}_{i \in [m]}$ over $\omega^j_{j \in I}$
+ \item $Z_I'(X)= r_1 \prod_{i \in I} (X - \omega^i)$
+ \item $C_I(X)=\sum_{i \in I} c_i \tau_i(X)$ (unblinded)
+ \item blinded $C_I'(X)=C_I(X) + (r_2 + r_3 X + r_4 X^2) Z_I'(X)$
+ \item set $U(x)$, being degree $m-1$ interploation over $\mathbb{V}$ with $U(v_i)=\omega^{u(i)},~ \forall i\in [m]$
+ \item blinded $U'(X)= U(X) + (r_5 + r_6 X) Z_{\mathbb{V}}(X)$
+ \item return $z_I=[Z_I'(x)]_1,~ c_I=[C_I'(x)]_1,~ u=[U'(X)]_1$
+\end{enumerate}
+
+Verifier sets random challenges $\chi_1, \chi_2$.
+
+\paragraph{Round 2}
+\begin{enumerate}[i.]
+ \item $[W_1(x)+ \chi_2 W_2(x)]_2 = \sum_{i \in I} \frac{[W_1^i(x)]_2 + \chi_2 [W_2^i(x)]_2}{\prod_{j \in I,~i \neq j} \omega^i - \omega^j}$
+ \item $H(X) = \frac{Z_I'(U'(X)) + \chi_1 (C_I'(U'(X)) - A(X))}{Z_{\mathbb{V}}(X)}$
+ \item return $w=r_1^{-1} [W_1(x) + \chi_2 W_2(x)]_2 - [r_2 + r_3 x + r_4 x^2]_2,~ h=[H(x)]_1$
+\end{enumerate}
+
+Verifier sets random challenge $\alpha$.
+
+\paragraph{Round 3}
+Output $v_1, v_2, \pi_1, \pi_2, \pi_3$, where
+\begin{align*}
+ P_1(X) &\leftarrow Z_I'(X) + \chi_1 C_I'(X)\\
+ P_2(X) &\leftarrow Z_I'(U'(\alpha)) + \chi_1 (C_I'(U'(\alpha)) - A(X)) - Z_{\mathbb{V}}(\alpha) H(X)\\
+ (v_1, \pi_1) &\leftarrow KZG.Open(U'(X), \alpha)\\
+ (v_2, \pi_2) &\leftarrow KZG.Open(P_1(X), v_1)\\
+ (0, \pi_3) &\leftarrow KZG.Open(P_2(X), \alpha)\\
+\end{align*}
+
+\paragraph{Verify}
+Compute $p_1 = z_I + \chi_1 c_I, ~~ p_2= [v_2]_1 - \chi_1 a - Z_{\mathbb{V}}(\alpha) h$, verify
+\begin{align*}
+ 1 &\leftarrow KZG.Verify(u, \alpha, v_1, \pi_1)\\
+ 1 &\leftarrow KZG.Verify(p_1, v_1, v_2, \pi_2)\\
+ 1 &\leftarrow KZG.Verify(p_2, \alpha, 0, \pi_3)\\
+ e((C-c_I) &+ \chi_2[x^n -1]_1, [1]_2) = e(z_I, w)
+\end{align*}
 \bibliography{paper-notes.bib}
 \bibliographystyle{unsrt}
diff --git a/notes_fri.pdf b/notes_fri.pdf
new file mode 100644
index 0000000..d355352
Binary files /dev/null and b/notes_fri.pdf differ
diff --git a/notes_fri.tex b/notes_fri.tex
new file mode 100644
index 0000000..15ada21
--- /dev/null
+++ b/notes_fri.tex
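Review bot: In the Precomputed block of the Caulk+ section, `W_1^i(X) = \frac{C(X) - c_i)}{X-\omega^i}` has an unmatched `)` after `c_i`, so the numerator renders with a stray parenthesis; it should read `W_1^i(X) = \frac{C(X) - c_i}{X-\omega^i}`. In Round 1 the last item returns `u=[U'(X)]_1` while its siblings are evaluated at the trapdoor, `z_I=[Z_I'(x)]_1,~ c_I=[C_I'(x)]_1`, so `u=[U'(x)]_1` looks intended; the first item's `$r1, \ldots, r_6$` drops the subscript on `r_1`, and the Round 2 denominator `\prod_{j \in I,~i \neq j} \omega^i - \omega^j` needs parentheses around the factor, since as written it reads as the product minus `\omega^j`. The two `align*` blocks in Round 3 and Verify end their last row with `\\`, which amsmath typesets as an empty extra line; dropping the trailing `\\` before `\end{align*}` avoids it. `KZG.Open` and `KZG.Verify` are set in math italic as a product of letters; `\operatorname{KZG.Open}` (or a small macro in the preamble) keeps them upright, and the same goes for `R_{unity}`, which wants `R_{\mathrm{unity}}`.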
@@ -0,0 +1,186 @@
+\documentclass{article}
+\usepackage[utf8]{inputenc}
+\usepackage{amsfonts}
+\usepackage{amsthm}
+\usepackage{amsmath}
+\usepackage{mathtools}
+\usepackage{enumerate}
+\usepackage{hyperref}
+\usepackage{xcolor}
+
+% prevent warnings of underfull \hbox:
+\usepackage{etoolbox}
+\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
+
+\theoremstyle{definition}
+\newtheorem{definition}{Def}[section]
+\newtheorem{theorem}[definition]{Thm}
+
+% custom lemma environment to set custom numbers
+\newtheorem{innerlemma}{Lemma}
+\newenvironment{lemma}[1]
+{\renewcommand\theinnerlemma{#1}\innerlemma}
+{\endinnerlemma}
+
+
+\title{Notes on FRI}
+\author{arnaucube}
+\date{February 2023}
+
+\begin{document}
+
+\maketitle
+
+\begin{abstract}
+ Notes taken from \href{https://sites.google.com/site/vincenzoiovinoit/}{Vincenzo Iovino} explainations and while reading about FRI \cite{fri}, \cite{cryptoeprint:2022/1216}.
+
+ Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$.
+
+ The notes are not complete, don't include all the steps neither all the proofs.
+\end{abstract}
+
+\tableofcontents
+
+\section{Preliminaries}
+\subsection{Low degree testing}
+V wants to ensure that $deg(f(x)) \leq d$.
+
+We are in the IOP setting, V asks on a point, P sends back the opening at that point.
+
+TODO
+
+\subsubsection{General degree d test}
+
+Query at points $\{ x_i \}_0^{d+1},~z$ (with rand $z \overset{R}{\in} \mathbb{F}$).
+Interpolate $p(x)$ at $\{f(x_i)\}_0^{d+1}$ to reconstruct the unique polynomial $p$ of degree $d$ such that $p(x_i)=f(x_i)~\forall i=1, \ldots, d+1$.
+
+V checks $p(z)=f(z)$, if the check passes, then V is convinced with high probability.
+
+This needs $d+2$ queries, is linear, $\mathcal{O}(n)$. With FRI we will have the test in $\mathcal{O}(\log{}d)$.
+
+\section{FRI protocol}
+Allows to test if a function $f$ is a poly of degree $\leq d$ in $\mathcal{O}(\log{}d)$.
+
+Note: "P \emph{sends} $f(x)$ to V", "\emph{sends}", in the ideal IOP model means that all the table of $f(x)$ is sent, in practice is sent a commitment to $f(x)$.
+
+\subsection{Intuition}
+V wants to check that two functions $g,~h$ are both polynomials of degree $\leq d$.
+
+Consider the following protocol:
+
+\begin{enumerate}
+ \item V sends $\alpha \in \mathbb{F}$ to P. P sends $f(x) = g(x) + \alpha h(x)$ to V.
+ \item P sends $f(x)=g(x) + \alpha h(x)$ to V.
+ \item V queries $f(r), ~g(r), ~h(r)$ for rand $r \in \mathbb{F}$.
+ \item V checks $f(r)=g(r) + \alpha h(r)$. (Schwartz-Zippel lema).
+ If holds, V can be certain that $f(x)=g(x)+ \alpha h(x)$.
+ \item P proves that $deg(f) \leq d$.
+ \item If V is convinced that $deg(f) \leq d$, V belives that both $g, h$ have $deg \leq d$.
+\end{enumerate}
+
+%/// TODO tabulate this next lines
+With high probablility, $\alpha$ will not cancel the coeffs with $deg \geq d+1$. % TODO check which is the name of this theorem or why this is true
+
+Let $g(x)=a \cdot x^{d+1}, ~~ h(x)=b \cdot x^{d+1}$, and set $f(x) = g(x) + \alpha h(x)$.
+Imagine that P can chose $\alpha$ such that $a x^{d+1} + \alpha \cdot b x^{d+1} = 0$, then, in $f(x)$ the coefficients of degree $d+1$ would cancel.
+%///
+
+\quad
+
+Here, P proves $g,~h$ both have $deg \leq d$, but instead of doing $2 \cdot (d+2)$ queries ($d+2$ for $g$, and $d+2$ for $h$), it is done in $d+2$ queries (for $f$).
+So we halved the number of queries.
+
+
+\subsection{FRI}
+Both P and V have oracle access to function $f$.
+
+V wants to test if $f$ is polynomial with $deg(f) \leq d$.
+
+Let $f_0(x)=f(x)$.
+
+Each polynomial $f(x)$ of degree that is a power of $2$, can be written as
+$$f(x) = f^L(x^2) + x f^R(x^2)$$
+for some polynomials $f^L,~f^R$ of degree $\frac{deg(f)}{2}$, each one containing the even and odd degree coefficients as follows:
+
+% $f^L(x)$ is built from the even degree coefficients divided by $x$, and $f^R(x)$ from the odd degree coefficients divided by $x$.
+
+$$f^L(x)= \sum_0^{\frac{d+1}{2}-1} c_{2i} x^i ,~~ f^R(x)= \sum_0^{\frac{d+1}{2}-1} c_{2i+1} x^i$$
+
+eg. for $f(x)=x^4+x^3+x^2+x+1$,
+\begin{align*}
+ \begin{rcases}
+ f^L(x)=x^2+x+1\\
+ f^R(x)=x+1
+ \end{rcases}
+ ~f(x) = f^L(x^2) &+ x \cdot f^R(x^2)\\
+ = (x^2)^2 + (x^2) + 1 &+ x \cdot ((x^2) + 1)\\
+ = x^4 + x^2 + 1 &+ x^3 + x
+\end{align*}
+
+\begin{enumerate}
+ \item V sends to P some $\alpha_0 \in \mathbb{F}$.
+ Let
+ \begin{equation}\tag{$A_0$}
+ f_0(x) = f_0^L(x^2) + x f_0^R(x^2)
+ \end{equation}
+ \item P sends
+ \begin{equation}\tag{$B_0$}
+ f_1(x) = f_0^L(x) + \alpha_0 f_0^R(x)
+ \end{equation}
+ to V.
+
+ (remember that "sends" in IOP model is that P commits to it)
+ \item V sends to P some $\alpha_1 \in \mathbb{F}$.
+ Let
+ \begin{equation}\tag{$A_1$}
+ f_1(x) = f_1^L(x^2) + x f_1^R(x^2)
+ \end{equation}
+ \item P sends
+ \begin{equation}\tag{$B_1$}
+ f_2(x) = f_1^L(x) + \alpha_1 f_1^R(x)
+ \end{equation}
+ to V.
+ \item Keep repeating the process, eg. let
+ \begin{equation}\tag{$A_2$}
+ f_2(x) = f_2^L(x^2) + x f_2^R(x^2)
+ \end{equation}
+ until $f_i^L,~ f_i^R$ are constant (degree 0 polynomials).
+ \item Once $f_i^L,~ f_i^R$ are constant, P sends them to V.
+\end{enumerate}
+
+Notice that at each step, $deg(f_i)$ halves.
+
+\paragraph{Query phase}
+
+\begin{enumerate}
+ \item V sends rand $z \in \mathbb{F}$ to P
+ \item P sends $\{ f_i(z^{2^i}), f_i(- z^{2^i}) \}$ to V.\\
+ {\scriptsize eg. $f_0(z),~ f_0(-z),~ f_1(z^2),~ f_1(-z^2),~ f_2(z^4),~ f_2(-z^4),~ f_3(z^8),~ f_3(-z^8),~ \ldots$}
+ \item V checks $f_i(a)=f_i^L(a^2) + a f_i^R(a^2)$ for $a=\{z, -z\}$
+ $$
+ \begin{pmatrix}
+ 1 & z\\
+ 1 & -z
+ \end{pmatrix}
+ \begin{pmatrix}
+ f_i^L(z^2)\\
+ f_i^R(z^2)
+ \end{pmatrix}
+ =
+ \begin{pmatrix}
+ f_i(z)\\
+ f_i(-z)
+ \end{pmatrix}
+ $$
+\end{enumerate}
+
+The number of queries needed is $2 \cdot log(d)$.
+
+\section{FRI as polynomial commitment}
+\emph{[WIP. Unfinished document]}
+
+
+\bibliography{paper-notes.bib}
+\bibliographystyle{unsrt}
+
+\end{document}
diff --git a/notes_nova.pdf b/notes_nova.pdf
new file mode 100644
index 0000000..a6535db
Binary files /dev/null and b/notes_nova.pdf differ
diff --git a/notes_nova.tex b/notes_nova.tex
new file mode 100644
index 0000000..37937e8
--- /dev/null
+++ b/notes_nova.tex
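Review bot: The Intuition enumerate in notes_fri.tex states the prover's message twice: item 1 already ends with `P sends $f(x) = g(x) + \alpha h(x)$ to V.` and item 2 repeats it as `\item P sends $f(x)=g(x) + \alpha h(x)$ to V.`, so one of the two should go, most naturally by trimming item 1 to `\item V sends $\alpha \in \mathbb{F}$ to P.`. In the General degree d test the query set is written `$\{ x_i \}_0^{d+1}$` while the interpolation condition runs over `i=1, \ldots, d+1`; indexing from 0 gives d+2 interpolation points plus z, which contradicts the stated total of `$d+2$` queries, so presumably `$\{ x_i \}_{i=1}^{d+1}$` is meant in both places. The split `\sum_0^{\frac{d+1}{2}-1}` only has an integer upper bound when the coefficient count d+1 is even, yet the worked example uses d=4 with `f^L(x)=x^2+x+1` (three coefficients); the precondition is presumably that d+1 is a power of two rather than the degree itself, as the sentence introducing the split says. Both this file and notes_nova.tex write `$LaTeX$` in math mode and set `deg` and `log` as italic variables; `\LaTeX`, `\deg` and `\log` are the built-ins, and the body-text `\quad` used as a spacer and the `$$...$$` displays would be cleaner as a paragraph break and `\[...\]`.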
@@ -0,0 +1,146 @@
+\documentclass{article}
+\usepackage[utf8]{inputenc}
+\usepackage{amsfonts}
+\usepackage{amsthm}
+\usepackage{amsmath}
+\usepackage{mathtools}
+\usepackage{enumerate}
+\usepackage{hyperref}
+\usepackage{xcolor}
+
+% prevent warnings of underfull \hbox:
+\usepackage{etoolbox}
+\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
+
+\theoremstyle{definition}
+\newtheorem{definition}{Def}[section]
+\newtheorem{theorem}[definition]{Thm}
+
+% custom lemma environment to set custom numbers
+\newtheorem{innerlemma}{Lemma}
+\newenvironment{lemma}[1]
+{\renewcommand\theinnerlemma{#1}\innerlemma}
+{\endinnerlemma}
+
+
+\title{Notes on Nova}
+\author{arnaucube}
+\date{February 2023}
+
+\begin{document}
+
+\maketitle
+
+\begin{abstract}
+ Notes taken while reading Nova \cite{cryptoeprint:2021/370} paper.
+
+ Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$.
+
+ The notes are not complete, don't include all the steps neither all the proofs.
+\end{abstract}
+
+\tableofcontents
+
+\section{Folding Scheme for Committed Relaxed R1CS}
+
+\subsection{R1CS modification}
+
+Want: merge 2 instances of R1CS with the same matrices into a single one. Each instance has $z_i = (W_i,~ x_i)$ (public witness, private values resp.).
+
+\paragraph{traditional R1CS}
+Merged instance with $z=z_1 + r z_2$, for rand $r$. But, since R1CS is not linear $\longrightarrow$ can not apply.
+
+eg.
+\begin{align*}
+ Az \circ Bz &= A(z_1 + r z_2) \circ B (z_1 + r z_2)\\
+ &= A z_1 \circ B z_1 + r(A z_1 \circ B z_2 + A z_2 \circ B z_1) + r^2 (A z_2 \circ B z_2)\\
+ &\neq Cz
+\end{align*}
+
+$\longrightarrow$ introduce error vector $E \in \mathbb{F}^m$, which absorbs the cross-temrs generated by folding.
+
+$\longrightarrow$ introduce scalar $u$, which absorbs an extra factor of $r$ in $C z_1 + r^2 C z_2$ and in $z=(W, x, 1+r\cdot 1)$.
+
+\paragraph{Relaxed R1CS}
+\begin{align*}
+ &u=u_1+r u_2\\
+ &E=E_1 + r (A z_1 \circ B z_2 + A z_2 \circ B z_1 - u_1 C z_2 - u_2 C z_1) + r^2 E_2\\
+ &Az \circ Bz = uCz + E,~~ with~ z=(W,~x,~u)
+\end{align*}
+where R1CS set $E=0,~u=1$.
+
+\begin{align*}
+ Az \circ Bz &= A z_1 \circ B z_1 + r(A z_1 \circ B z_2 + A z_2 \circ B z_1) + r^2 (A z_2 \circ B z_2)\\
+ &= (u_1 C z_1 + E_1) + r (A z_1 \circ B z_2 + A z_2 \circ B z_1) + r^2 (u_2 C z_2 + E_2)\\
+ &= u_1 C z_1 + \underbrace{E_1 + r(A z_1 \circ B z_2 + A z_2 \circ B z_1) + r^2 E_2}_\text{E} + r^1 u_2 C z_2\\
+ &= u_1 C z_1 + r^2 u_2 C z_2 + E\\
+ &= (u_1 + r u_2) \cdot C \cdot (z_1 + r z_2) + E\\
+ &= uCz + E
+\end{align*}
+
+For R1CS matrices $(A,~B,~C)$, the folded witness $W$ is a satisfying witness for the folded instance $(E,~u,~x)$.
+
+
+
+\vspace{20px}
+Problem: not non-trivial, and not zero-knowledge. Solution: use polynomial commitment with hiding, binding, succintness and additively homomorphic properties.
+
+\paragraph{Committed Relaxed R1CS}
+Instance for a Committed Relaxed R1CS\\
+$(\overline{E}, u, \overline{W}, x)$, satisfyied by a witness $(E, r_E, W, r_W)$ such that
+\begin{align*}
+ &\overline{E} = Com(E, r_E)\\
+ &\overline{W} = Com(E, r_W)\\
+ &Az \circ Bz = uCz+E,~~ where~z=(W, x, u)
+\end{align*}
+
+
+\subsection{Folding protocol}
+
+V and P take two \emph{committed relaxed R1CS} instances
+\begin{align*}
+ \varphi_1&=(\overline{E}_1, u_1, \overline{W}_1, x_1)\\
+ \varphi_2&=(\overline{E}_2, u_2, \overline{W}_2, x_2)
+\end{align*}
+
+P additionally takes witnesses to both instances
+\begin{align*}
+ (E_1, r_{E_1}, W_1, r_{W_1})\\
+ (E_2, r_{E_2}, W_2, r_{W_2})
+\end{align*}
+
+Let $Z_1 = (W_1, x_1, u_1)$ and $Z_2 = (W_2, x_2, u_2)$.
+
+% \paragraph{Protocol}
+\begin{enumerate}
+ \item P send $\overline{T} = Com(T, r_T)$,\\
+ where $T=A z_1 \circ B z_1 + A z_2 \circ B z_2 - u_1 C z_2 - u_2 C z_2$\\
+ and rand $r_T \in \mathbb{F}$
+ \item V sample random challenge $r \in \mathbb{F}$
+ \item V, P output the folded instance $(\overline{E}, u, \overline{W}, x)$
+ \begin{align*}
+ &\overline{E}=\overline{E}_1 + r \overline{T} + r^2 \overline{E}_2\\
+ &u = u_1 + r u_2\\
+ &\overline{W} = \overline{W}_1 + r \overline{W}_2\\
+ &x = x_1 + r x_2
+ \end{align*}
+ \item P outputs the folded witness $(E, r_E, W, r_W)$
+ \begin{align*}
+ &E = E_1 + r T + r^2 E_2\\
+ &r_E = r_{E_1} + r \cdot r_T + r^2 r_{E_2}\\
+ &W=W_1 + r W_2\\
+ &r_W = r_{W_1} + r \cdot r_{W_2}
+ \end{align*}
+\end{enumerate}
+
+P uses a zkSNARK showing that knows the valid witness $(E, r_E, W, r_W)$ for the committed relaxed R1CS without revealing its value.
+Then, vie Fiat-Shamir transform we achieve non-interactivity.
+
+\section{IVC proofs}
+\textbf{WIP}
+
+
+\bibliography{paper-notes.bib}
+\bibliographystyle{unsrt}
+
+\end{document}
diff --git a/paper-notes.bib b/paper-notes.bib
index 7dc719a..beb9b94 100644
--- a/paper-notes.bib
+++ b/paper-notes.bib
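Review bot: The cross term in the Folding protocol disagrees with the Relaxed R1CS definition earlier in the same file: item 1 defines `T=A z_1 \circ B z_1 + A z_2 \circ B z_2 - u_1 C z_2 - u_2 C z_2`, while the error-vector line reads `E=E_1 + r (A z_1 \circ B z_2 + A z_2 \circ B z_1 - u_1 C z_2 - u_2 C z_1) + r^2 E_2`, and with the folded witness `E = E_1 + r T + r^2 E_2` the only T that makes the folded pair satisfy `Az \circ Bz = uCz + E` is the mixed one, `T=A z_1 \circ B z_2 + A z_2 \circ B z_1 - u_1 C z_2 - u_2 C z_1`. In the Committed Relaxed R1CS block, `\overline{W} = Com(E, r_W)` commits to the wrong vector; given the witness `(E, r_E, W, r_W)` it should be `\overline{W} = Com(W, r_W)`. The R1CS modification paragraph glosses `$z_i = (W_i,~ x_i)$` as `(public witness, private values resp.)`, but the instance `(\overline{E}, u, \overline{W}, x)` carries x in the clear and W only as a commitment that the prover later proves knowledge of "without revealing its value", so the parenthetical is reversed (W private, x public). In the second `align*` derivation the third row has `r^1 u_2 C z_2` where the next row and the final expansion need `r^2 u_2 C z_2`, and the underbrace labelled E omits the `- u_1 C z_2 - u_2 C z_1` terms that the definition of E includes, so the step to `(u_1 + r u_2) \cdot C \cdot (z_1 + r z_2) + E` does not follow as written. Minor: `cross-temrs`, `succintness`, `satisfyied` and `vie Fiat-Shamir` are typos, `Z_1`/`Z_2` in the Let-sentence are lower-case `z_1`/`z_2` everywhere else, and `Com` would read as an operator with `\operatorname{Com}`.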
@@ -57,3 +57,28 @@
  note = {\url{https://eprint.iacr.org/2022/957}},
  url = {https://eprint.iacr.org/2022/957}
 }
+
+@misc{fri,
+ author = {Eli Ben-Sasson and Iddo Bentov and Yinon Horesh and Michael Riabzev},
+ title = {Fast Reed-Solomon Interactive Oracle Proofs of Proximity},
+ year = {2018},
+ note = {\url{https://eccc.weizmann.ac.il/report/2017/134/}},
+ url = {https://eccc.weizmann.ac.il/report/2017/134/}
+}
+@misc{cryptoeprint:2022/1216,
+ author = {Ulrich Haböck},
+ title = {A summary on the FRI low degree test},
+ howpublished = {Cryptology ePrint Archive, Paper 2022/1216},
+ year = {2022},
+ note = {\url{https://eprint.iacr.org/2022/1216}},
+ url = {https://eprint.iacr.org/2022/1216}
+}
+
+@misc{cryptoeprint:2021/370,
+ author = {Abhiram Kothapalli and Srinath Setty and Ioanna Tzialla},
+ title = {Nova: Recursive Zero-Knowledge Arguments from Folding Schemes},
+ howpublished = {Cryptology ePrint Archive, Paper 2021/370},
+ year = {2021},
+ note = {\url{https://eprint.iacr.org/2021/370}},
+ url = {https://eprint.iacr.org/2021/370}
+}