From b605fe1061a853c37545f5536bc35076ed7cbdd0 Mon Sep 17 00:00:00 2001
From: Daira Hopwood
Date: Sat, 11 Aug 2018 21:09:53 +0100
Subject: [PATCH] Cosmetics and minor wording improvements.
Signed-off-by: Daira Hopwood
---
 protocol/protocol.tex | 41 +++++++++++++++++++++--------------------
 1 file changed, 21 insertions(+), 20 deletions(-)
diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 7e892ead..56f636c0 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -1549,7 +1549,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}}
 \newcommand{\GroupS}[1]{\mathbb{S}_{#1}}
 \newcommand{\GroupSstar}[1]{\mathbb{S}^\ast_{#1}}
-\newcommand{\SubgroupSstar}[1]{(\GroupSstar{#1})_{\subgroupr}}
+\newcommand{\SubgroupSstar}[1]{(\GroupSstar{#1}\kern-0.03em)_{\subgroupr}}
 \newcommand{\CurveS}[1]{\Curve_{\GroupS{#1}}}
 \newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}}
 \newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}}
@@ -4511,7 +4511,7 @@ breaking the binding property of the \valueCommitmentScheme.
 \introlist
 The above argument shows only that $\Value^* = 0 \pmod{\ParamJ{r}}$; in order to show that
-$\vSum = 0$, we also need to demonstrate that it does not overflow $\ValueCommitType$.
+$\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitType$.
 The $\spendStatements$ prove that all of $\vOld{\alln}$ are in $\ValueType$.
 Similarly the $\outputStatements$ prove that all of $\vNew{\allm}$ are in $\ValueType$.
@@ -6549,7 +6549,7 @@ Define $\RedDSASign{} \typecolon (\sk \typecolon \RedDSAPrivate) \times (M \type
 \item Let $\RedDSAReprR{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\RedDSASigR{}}\kern 0.05em}$.
 \item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\RedDSADerivePublic(\sk)}\kern 0.05em}$.
 \item Let $\RedDSASigS{} = (r + \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M) \mult \sk) \bmod \ParamG{r}$.
- \item Let $\RedDSAReprS{} = \LEBStoOSPOf{\bitlength(\ParamG{r})}{\ItoLEBSPOf{\bitlength(\ParamG{r})}{\RedDSASigS{}}\kern-0.16em}$.
+ \item Let $\RedDSAReprS{} = \LEBStoOSPOf{\bitlength(\ParamG{r})}{\ItoLEBSPOf{\bitlength(\ParamG{r})}{\RedDSASigS{}}\kern-0.12em}$.
 \item Return $\RedDSAReprR{} \bconcat \RedDSAReprS{}$.
 \end{algorithm}
@@ -6559,14 +6559,14 @@ Define $\RedDSAVerify{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typ
 \begin{algorithm}
 \item Let $\RedDSAReprR{}$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma$, and let $\RedDSAReprS{}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes.
- \item Let $\RedDSASigR{} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{})\kern-0.1em\big)$, and
+ \item Let $\RedDSASigR{} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{})\kern-0.15em\big)$, and
 let $\RedDSASigS{} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{})$.
 \item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\vk}}$.
 \vspace{-0.5ex}
 \item Let $\RedDSASigc{} = \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M)$.
 \vspace{0.5ex}
 \item Return $1$ if $\RedDSASigR{} \neq \bot$ and $\RedDSASigS{} < \ParamG{r}$ and
- $\scalarmult{\ParamG{h}}{\big(\!\!-\scalarmult{\RedDSASigS{}}{\GenG{}} + \RedDSASigR{} + \scalarmult{\RedDSASigc{}}{\vk}\big)} = \ZeroG{}$, otherwise $0$.
+ $\scalarmult{\ParamG{h}}{\big(\!\!-\!\scalarmult{\RedDSASigS{}}{\GenG{}} + \RedDSASigR{} + \scalarmult{\RedDSASigc{}}{\vk}\big)} = \ZeroG{}$, otherwise $0$.
 \end{algorithm}
 \vspace{-2ex}
@@ -7245,7 +7245,7 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as foll
 is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable. It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
- {\BlakeTwosOf{256}{D,\, \URS \bconcat\, M} \typecolon \byteseq{32}}$
+ {\BlakeTwosOf{256}{D,\, \URS \bconcat\, M}\! \typecolon \byteseq{32}}$
 is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)} {\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ}{\bot}$ also acts as a random oracle.
 \end{pnotes}
@@ -7277,13 +7277,13 @@ with the $\PHGR$ \provingSystem described in \cite{BCTV2015}, which is a refinem
 the systems in \cite{PHGR2013} and \cite{BCGTV2013}. A $\PHGR$ proof consists of a tuple
-$(\Proof{A} \typecolon \GroupGstar{1},\;
- \Proof{A}' \typecolon \GroupGstar{1},\;
- \Proof{B} \typecolon \GroupGstar{2},\;
- \Proof{B}' \typecolon \GroupGstar{1},\;
- \Proof{C} \typecolon \GroupGstar{1},\;
- \Proof{C}' \typecolon \GroupGstar{1},\;
- \Proof{K} \typecolon \GroupGstar{1},\;
+$(\Proof{A} \typecolon \GroupGstar{1},\,
+ \Proof{A}' \typecolon \GroupGstar{1},\,
+ \Proof{B} \typecolon \GroupGstar{2},\,
+ \Proof{B}' \typecolon \GroupGstar{1},\,
+ \Proof{C} \typecolon \GroupGstar{1},\,
+ \Proof{C}' \typecolon \GroupGstar{1},\,
+ \Proof{K} \typecolon \GroupGstar{1},\,
 \Proof{H} \typecolon \GroupGstar{1})$.
 It is computed as described in \cite[Appendix B]{BCTV2015}, using the pairing parameters specified in \crossref{bnpairing}.
@@ -7361,8 +7361,8 @@ for proofs both in \Sprout \joinSplitDescriptions, and in \Sapling \spendDescrip
 \outputDescriptions. They are generated by the \bellman library \cite{Bowe-bellman}. A $\Groth$ proof consists of a tuple
-$(\Proof{A} \typecolon \GroupSstar{1},\;
- \Proof{B} \typecolon \GroupSstar{2},\;
+$(\Proof{A} \typecolon \GroupSstar{1},\,
+ \Proof{B} \typecolon \GroupSstar{2},\,
 \Proof{C} \typecolon \GroupSstar{1})$.
 It is computed as described in \cite{Groth2016}, using the pairing parameters specified in \crossref{blspairing}.
@@ -7385,7 +7385,7 @@ library used by \Zcash, to ensure compatibility.
 A $\Groth$ proof is encoded by concatenating the encodings of its elements; for the $\BLSCurve$ pairing this is:
-\begin{formulae}[leftmargin=0.2em]
+\begin{formulae}
 \item $\Justthebox{\grothbox}$
 \end{formulae}
@@ -11438,7 +11438,7 @@ final exponentiation respectively of the pairing computation, so that:
 \begin{formulae}
 \item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$
 \end{formulae}
-\vspace{-1ex}
+\vspace{-1.5ex}
 where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$.
 \vspace{2ex}
@@ -11447,10 +11447,11 @@ Define $\GrothProofS := \GroupSstar{1} \times \SubgroupSstar{2} \times \GroupSst
 A $\Groth$ proof consists of a tuple $(\Proof{A}, \Proof{B}, \Proof{C}) \typecolon \GrothProofS$. Verification of a single $\Groth$ proof requires checking the equation
+\vspace{-0.5ex}
 \begin{formulae}
 \item $\PairingS(\Proof{A}, \Proof{B}) = \PairingS(\Proof{C}, \delta) \mult \PairingS(Z, \gamma) \mult Y$
 \end{formulae}
-\vspace{-1ex}
+\vspace{-2ex}
 for some $Y \typecolon \GroupS{T}$, $Z \typecolon \GroupS{1}$, and $\delta, \gamma \typecolon \GroupS{2}$ depending on the verification key.
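Review bot: The `\vspace{-0.5ex}` added before `\begin{formulae}` in the 11447 hunk, together with the retuned `\vspace` values in the 11438, 11467 and 11488 hunks, hard-codes a vertical correction at each use site, so the same drift will have to be re-fixed by hand whenever the `formulae` environment or the surrounding font metrics change. The `[leftmargin=0.2em]` option dropped in the 7385 hunk suggests `formulae` takes enumitem-style keys; if that holds, the spacing belongs in the environment's definition, e.g. a single `\setlist[formulae]{topsep=..., partopsep=...}` in the preamble, so every occurrence is corrected once rather than per site. If the per-site tweaks are kept deliberately, a short comment such as `% compensate for the list's top/bottom separation around formulae` next to them would tell the next editor why the values differ from hunk to hunk. The enclosing paragraph starts before the hunk and the `formulae` definition is outside this diff, so whether the environment is enumitem-based is inferred, not shown here.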
@@ -11467,7 +11468,7 @@ Raising to the power of random $z \neq 0$ gives:
 \mult \PairingS(\scalarmult{z}{Z}, \gamma) \mult Y^z = 1$.
 \end{formulae}
-\vspace{2ex}
+\vspace{1ex}
 This justifies the following optimized procedure for performing faster verification of a batch of $\Groth$ proofs. Implementations \MAY use this procedure to determine whether all proofs in a batch are valid.
@@ -11488,7 +11489,7 @@ Define $\GrothBatchVerify \typecolon (\Proof{\barerange{0}{N-1}} \typecolon \typ
 \item $\FinalExpS(\Accum{AB} \mult \MillerLoopS(\Accum{\delta}, \delta) \mult \MillerLoopS(\Accum{\gamma}, \gamma)) \mult Y^{\Accum{Y}} = 1$,
 \end{itemize}
- \vspace{-0.5ex}
+ \vspace{-1.5ex}
 otherwise $0$.
 \end{algorithm}