Address further review comments.

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: str4d <jack@electriccoin.co>

book/src/design/circuit/gadgets/ecc.md

@@ -1,17 +1,19 @@
 # Elliptic Curve Cryptography
 
 ## Incomplete addition
-Inputs: $P = (x_P, y_P), Q = (x_Q, y_Q)$
-Output: $A = P + Q = (x_A, y_A)$
+- Inputs: $P = (x_p, y_p), Q = (x_q, y_q)$
+- Output: $R = P + Q = (x_r, y_r)$
 
 Formulae:
 - $\lambda \cdot (x_p - x_q) = y_p - y_q$
-- $x_a = \lambda^2 - x_q - x_p$
-- $y_a = \lambda(x_q - x_a) - y_q$
+- $x_r = \lambda^2 - x_q - x_p$
+- $y_r = \lambda(x_q - x_r) - y_q$
 
 Substituting for $\lambda$, we get the constraints:
-- $(x_a + x_q + x_p) \cdot (x_p - x_q)^2 - (y_p - y_q)^2 = 0$
-- $(y_a + y_q)(x_p - x_q) - (y_p - y_q)(x_q - x_a) = 0$
+- $(x_r + x_q + x_p) \cdot (x_p - x_q)^2 - (y_p - y_q)^2 = 0$
+  - Note that this constraint is unsatisfiable for $P + (-P)$, and so cannot be used with arbitrary inputs.
+- $(y_r + y_q)(x_p - x_q) - (y_p - y_q)(x_q - x_r) = 0$
+
 
 ## Complete addition
 
@@ -36,7 +38,7 @@ P + Q &= R\\
 (x_p, y_p) + (x_q, y_q) &= (x_r, y_r) \\
                 \lambda &= \frac{y_p - y_q}{x_p - x_q} \\
                     x_r &= \lambda^2 - x_q - x_p \\
-                    y_r &= \lambda(x_p - x_r) - y_p
+                    y_r &= \lambda(x_q - x_r) - y_q
 \end{aligned}
 $$
 
@@ -73,4 +75,4 @@ A \cdot \left(2y_p \cdot \lambda - 3{x_p}^2\right) &=& 0 & A \wedge y_p \neq 0 &
 \end{array}
 $
 
-Max degree: 4
+Max degree: $4$

book/src/design/circuit/gadgets/ecc/fixed-base-scalar-mul.md

@@ -19,8 +19,8 @@ Then, we precompute multiples of the fixed base $B$ for each window. This takes
 
 The additional $(k + 1)$ term lets us avoid adding the point at infinity in the case $k = 0$. We offset these accumulated terms by subtracting them in the final window, i.e. we subtract $\sum\limits_{j=0}^{83} (2^3)^j$.
 
-For each window of fixed-base multiples $M[w] = (M[w][0], \cdots, M[w][7]), w \in [0..84]$:
-- Define a Lagrange interpolation polynomial $\mathcal{L}_x(k)$ that maps $k \in [0..7]$ to the $x$-coordinate of the multiple $M[w][k]$, i.e.
+For each window of fixed-base multiples $M[w] = (M[w][0], \cdots, M[w][7]), w \in [0..84)$:
+- Define a Lagrange interpolation polynomial $\mathcal{L}_x(k)$ that maps $k \in [0..8)$ to the $x$-coordinate of the multiple $M[w][k]$, i.e.
   $$
   \mathcal{L}_x(k) = \begin{cases}
     ([(k + 1) \cdot 8^w] B)_x &\text{for } w \in [0..84); \\
@@ -32,7 +32,7 @@ For each window of fixed-base multiples $M[w] = (M[w][0], \cdots, M[w][7]), w \i
 Repeating this for all $85$ windows, we end up with:
 - an $85 \times 8$ table $\mathcal{L}_x$ storing $8$ coefficients interpolating the $x-$coordinate for each window. Each $x$-coordinate interpolation polynomial will be of the form
 $$\mathcal{L}_x[w](k) = c_0 + c_1 \cdot k + c_2 \cdot k^2 + \cdots + c_7 \cdot k^7,$$
-where $k \in [0..7], w \in [0..84]$ and $c_k$'s are the coefficients for each power of $k$; and
+where $k \in [0..8), w \in [0..85)$ and $c_k$'s are the coefficients for each power of $k$; and
 - a length-$85$ array $Z$ of $z_w$'s.
 
 We load these precomputed values into fixed columns whenever we do fixed-base scalar multiplication in the circuit.