Merge branch 'main' of github.com:dalek-cryptography/bulletproofs into update-deps

Author: hdevalence

Cargo.toml

@@ -22,6 +22,7 @@ serde = "1"
 serde_derive = "1"
 failure = "0.1"
 merlin = "1.0.0-pre.0"
+clear_on_drop = "0.2"
 
 [dev-dependencies]
 hex = "0.3"

README.md

@@ -1,73 +1,128 @@
-# Ristretto Bulletproofs
-
-A pure-Rust implementation of [Bulletproofs][bp_website] using [Ristretto][ristretto].
-
-This crate contains both an implementation and a set of notes on how and why
-Bulletproofs work.  The [external documentation][doc_external] describes how to use this
-crate’s API, while the [internal documentation][doc_internal] contains the notes.
-
-## WARNING
-
-This code is still research-quality.  It is not (yet) suitable for deployment.
+# Bulletproofs
+
+<img
+ width="100%"
+ src="https://user-images.githubusercontent.com/698/46373713-9cc40280-c643-11e8-9bfe-2b0586e40369.png"
+/>
+
+The fastest [Bulletproofs][bp_website] implementation ever, featuring
+single and aggregated range proofs, strongly-typed multiparty
+computation, and a programmable constraint system API for proving
+arbitrary statements (under development).
+
+This library implements Bulletproofs using [Ristretto][ristretto],
+using the `ristretto255` implementation in
+[`curve25519-dalek`][curve25519_dalek].  When using the [parallel
+formulas][parallel_edwards] in the `curve25519-dalek` AVX2 backend, it
+can verify 64-bit rangeproofs **approximately twice as fast** as the
+original `libsecp256k1`-based Bulletproofs implementation.
+
+This library provides implementations of:
+
+* Single-party proofs of single or multiple ranges, using the
+  aggregated rangeproof construction;
+
+* Online multi-party computation for rangeproof aggregation between
+  multiple parties, using [session types][session_type_blog] to
+  statically enforce correct protocol flow;
+  
+* A programmable constraint system API for expressing rank-1
+  constraint systems, and proving and verifying proofs of arbitrary
+  statements (under development in the `circuit` branch);
+  
+* Online multi-party computation for aggregated circuit proofs
+  (planned future work).
+  
+These proofs are implemented using [Merlin transcripts][doc_merlin],
+allowing them to be arbitrarily composed with other proofs without
+implementation changes.
 
 ## Documentation
+  
+The user-facing documentation for this functionality can be [found
+here][doc_external].  In addition, the library *also* contains
+extensive notes on how Bulletproofs work.  These notes can be found in
+the library's [internal documentation][doc_internal]:
+
+* how [Bulletproofs work][bp_notes];
+* how [the range proof protocol works][rp_notes];
+* how [the inner product proof protocol works][ipp_notes];
+* how [the aggregation protocol works][agg_notes];
+* how the Bulletproof circuit proofs work (under development);
+* how the constraint system reduction works (under development);
+* how the aggregated circuit proofs work (future work).
+
+## Comparative Performance
+
+The following table gives comparative timings for proving and
+verification of a 64-bit rangeproof on an i7-7800X with Turbo Boost
+disabled.  Times are in microseconds (lower is better), with the
+relative speed compared to the fastest implementation.
+
+| Implementation | Group            | Proving (μs) |       rel | Verification (μs) |       rel |
+|----------------|------------------|-------------:|----------:|------------------:|----------:|
+| ours (avx2)    | ristretto255     |         7300 | **1.00x** |              1040 | **1.00x** |
+| ours (u64)     | ristretto255     |        11300 | **1.54x** |              1490 | **1.43x** |
+| libsecp+endo   | secp256k1        |        14300 | **1.96x** |              1900 | **1.83x** |
+| libsecp-endo   | secp256k1        |        16800 | **2.30x** |              2080 | **2.00x** |
+| Monero         | ed25519 (unsafe) |        53300 | **7.30x** |              4810 | **4.63x** |
+
+This crate also contains other benchmarks; see the *Benchmarks*
+section below for details.
 
-* [Public API documentation][doc_external]
-* [Internal documentation][doc_internal]
-  * [Notes on how Bulletproofs work][bp_notes] (located in the internal `notes` module)
-  * [Range proof protocol description][rp_notes]
-  * [Inner product protocol description][ipp_notes]
-
-
-Unfortunately, `cargo doc` does not yet have support for custom HTML injection
-and for documenting private members, so the documentation is built using:
-
-```text
-make doc           # Builds external documentation
-make doc-internal  # Builds internal documentation
-```
+## WARNING
 
-Note: `cargo doc --open` rebuilds the docs without the custom
-invocation, so it may be necessary to rerun `make`.
+This code is still research-quality.  It is not (yet) suitable for
+deployment.  The development roadmap can be found in the
+[Milestones][gh_milestones] section of the [Github repo][gh_repo].
 
 ## Tests
 
 Run tests with `cargo test`.
 
 ## Benchmarks
 
-This crate uses [criterion.rs][criterion] for benchmarks.  Run benchmarks with
-`cargo bench`.
+This crate uses [criterion.rs][criterion] for benchmarks.  Run
+benchmarks with `cargo bench`.
 
 ## Features
 
-The `yolocrypto` feature enables the `yolocrypto` feature in
-`curve25519-dalek`, which enables the experimental AVX2 backend.  To use it for
-Bulletproofs, the `target_cpu` must support AVX2:
+The `avx2_backend` feature enables `curve25519-dalek`'s AVX2 backend,
+which implements curve arithmetic using [parallel
+formulas][parallel_edwards].  To use it for Bulletproofs, the
+`target_cpu` must support AVX2:
 
 ```text
-RUSTFLAGS="-C target_cpu=skylake" cargo bench --features "yolocrypto"
+RUSTFLAGS="-C target_cpu=skylake" cargo bench --features "avx2_backend"
 ```
 
 Skylake-X CPUs have double the AVX2 registers. To use them, try
 
 ```text
-RUSTFLAGS="-C target_cpu=skylake-avx512" cargo bench --features "yolocrypto"
+RUSTFLAGS="-C target_cpu=skylake-avx512" cargo bench --features "avx2_backend"
 ```
 
 This prevents spills in the AVX2 parallel field multiplication code, but causes
 worse code generation elsewhere ¯\\\_(ツ)\_/¯
 
 ## About
 
-This is a research project being built for Chain, Inc, by Henry de Valence,
-Cathie Yun, and Oleg Andreev.
+This is a research project sponsored by [Interstellar][interstellar],
+developed by Henry de Valence, Cathie Yun, and Oleg Andreev.
 
 [bp_website]: https://crypto.stanford.edu/bulletproofs/
-[ristretto]: https://doc.dalek.rs/curve25519_dalek/ristretto/index.html
-[doc_external]: https://doc.dalek.rs/ristretto_bulletproofs/index.html
-[doc_internal]: https://doc-internal.dalek.rs/ristretto_bulletproofs/index.html
-[bp_notes]: https://doc-internal.dalek.rs/ristretto_bulletproofs/notes/index.html
-[rp_notes]: https://doc-internal.dalek.rs/ristretto_bulletproofs/range_proof/index.html
-[ipp_notes]: https://doc-internal.dalek.rs/ristretto_bulletproofs/inner_product_proof/index.html
+[ristretto]: https://ristretto.group
+[doc_merlin]: https://doc.dalek.rs/merlin/index.html
+[doc_external]: https://doc.dalek.rs/bulletproofs/index.html
+[doc_internal]: https://doc-internal.dalek.rs/bulletproofs/index.html
+[bp_notes]: https://doc-internal.dalek.rs/bulletproofs/notes/index.html
+[rp_notes]: https://doc-internal.dalek.rs/bulletproofs/range_proof/index.html
+[ipp_notes]: https://doc-internal.dalek.rs/bulletproofs/inner_product_proof/index.html
+[agg_notes]: https://doc-internal.dalek.rs/bulletproofs/notes/index.html#aggregated-range-proof
 [criterion]: https://github.com/japaric/criterion.rs
+[session_type_blog]: https://blog.chain.com/bulletproof-multi-party-computation-in-rust-with-session-types-b3da6e928d5d
+[curve25519_dalek]: https://doc.dalek.rs/curve25519_dalek/index.html
+[parallel_edwards]: https://medium.com/@hdevalence/accelerating-edwards-curve-arithmetic-with-parallel-formulas-ac12cf5015be
+[gh_repo]: https://github.com/dalek-cryptography/bulletproofs/
+[gh_milestones]: https://github.com/dalek-cryptography/bulletproofs/milestones
+[interstellar]: https://interstellar.com/

benches/bulletproofs.rs

@@ -9,9 +9,11 @@ use rand::Rng;
 extern crate curve25519_dalek;
 use curve25519_dalek::scalar::Scalar;
 
+extern crate merlin;
+use merlin::Transcript;
+
 extern crate bulletproofs;
 use bulletproofs::RangeProof;
-use bulletproofs::Transcript;
 use bulletproofs::{BulletproofGens, PedersenGens};
 
 static AGGREGATION_SIZES: [usize; 6] = [1, 2, 4, 8, 16, 32];
@@ -79,7 +81,7 @@ fn verify_aggregated_rangeproof_helper(n: usize, c: &mut Criterion) {
             let blindings: Vec<Scalar> = (0..m).map(|_| Scalar::random(&mut rng)).collect();
 
             let mut transcript = Transcript::new(b"AggregateRangeProofBenchmark");
-            let proof = RangeProof::prove_multiple(
+            let (proof, value_commitments) = RangeProof::prove_multiple(
                 &bp_gens,
                 &pc_gens,
                 &mut transcript,
@@ -88,17 +90,11 @@ fn verify_aggregated_rangeproof_helper(n: usize, c: &mut Criterion) {
                 n,
             ).unwrap();
 
-            let value_commitments: Vec<_> = values
-                .iter()
-                .zip(blindings.iter())
-                .map(|(&v, &v_blinding)| pc_gens.commit(v.into(), v_blinding))
-                .collect();
-
             b.iter(|| {
                 // Each proof creation requires a clean transcript.
                 let mut transcript = Transcript::new(b"AggregateRangeProofBenchmark");
 
-                proof.verify(&bp_gens, &pc_gens, &mut transcript, &value_commitments, n)
+                proof.verify_multiple(&bp_gens, &pc_gens, &mut transcript, &value_commitments, n)
             });
         },
         &AGGREGATION_SIZES,

docs/aggregation-api.md

@@ -287,8 +287,8 @@ Instead, the prover chooses vectors of blinding factors
 and uses them to construct vector polynomials
 \\[
 \begin{aligned}
-  {\mathbf{l}}(x) &= {\mathbf{l}}\_{0} + {\mathbf{l}}\_{1} x = ({\mathbf{a}}\_{L} + {\mathbf{s}}\_{L} x) - z {\mathbf{1}} & \in {\mathbb Z\_p}[x]^{n}  \\\\
-  {\mathbf{r}}(x) &= {\mathbf{r}}\_{0} + {\mathbf{r}}\_{1} x = {\mathbf{y}}^{n} \circ \left( ({\mathbf{a}}\_{R} + {\mathbf{s}}\_{R} x\right)  + z {\mathbf{1}}) + z^{2} {\mathbf{2}}^{n} &\in {\mathbb Z\_p}[x]^{n} 
+  {\mathbf{l}}(x) &= {\mathbf{l}}\_{0} + {\mathbf{l}}\_{1} x = ({\mathbf{a}}\_{L} + {\mathbf{s}}\_{L} x) - z {\mathbf{1}} & \in {\mathbb Z\_p}\[x\]^{n}  \\\\
+  {\mathbf{r}}(x) &= {\mathbf{r}}\_{0} + {\mathbf{r}}\_{1} x = {\mathbf{y}}^{n} \circ \left( ({\mathbf{a}}\_{R} + {\mathbf{s}}\_{R} x\right)  + z {\mathbf{1}}) + z^{2} {\mathbf{2}}^{n} &\in {\mathbb Z\_p}\[x\]^{n} 
 \end{aligned}
 \\]
 These are the left and right sides of the combined inner product with \\({\mathbf{a}}\_{L}\\), \\({\mathbf{a}}\_{R}\\)
@@ -529,10 +529,10 @@ and compress the vectors by adding the left and the right halves
 separated by the variable \\(u\_k\\):
 \\[
 \begin{aligned}
-  {\mathbf{a}}^{(k-1)} &= {\mathbf{a}}\_L \cdot u\_k        + u^{-1}\_k \cdot {\mathbf{a}}\_R \\\\
-  {\mathbf{b}}^{(k-1)} &= {\mathbf{b}}\_L \cdot u^{-1}\_k   + u\_k \cdot {\mathbf{b}}\_R \\\\
-  {\mathbf{G}}^{(k-1)} &= {\mathbf{G}}\_L \cdot u^{-1}\_k   + u\_k \cdot {\mathbf{G}}\_R \\\\
-  {\mathbf{H}}^{(k-1)} &= {\mathbf{H}}\_L \cdot u\_k        + u^{-1}\_k \cdot {\mathbf{H}}\_R 
+  {\mathbf{a}}^{(k-1)} &= {\mathbf{a}}\_{\operatorname{lo}} \cdot u\_k        + u^{-1}\_k \cdot {\mathbf{a}}\_{\operatorname{hi}} \\\\
+  {\mathbf{b}}^{(k-1)} &= {\mathbf{b}}\_{\operatorname{lo}} \cdot u^{-1}\_k   + u\_k \cdot {\mathbf{b}}\_{\operatorname{hi}} \\\\
+  {\mathbf{G}}^{(k-1)} &= {\mathbf{G}}\_{\operatorname{lo}} \cdot u^{-1}\_k   + u\_k \cdot {\mathbf{G}}\_{\operatorname{hi}} \\\\
+  {\mathbf{H}}^{(k-1)} &= {\mathbf{H}}\_{\operatorname{lo}} \cdot u\_k        + u^{-1}\_k \cdot {\mathbf{H}}\_{\operatorname{hi}}
 \end{aligned}
 \\]
 The powers of \\(u\_k\\) are chosen so they cancel out in the
@@ -546,17 +546,17 @@ Expanding it in terms of the original \\({\mathbf{a}}\\), \\({\mathbf{b}}\\),
 \\({\mathbf{G}}\\) and \\({\mathbf{H}}\\) gives:
 \\[
 \begin{aligned}
-    P\_{k-1} &{}={}& &{\langle {\mathbf{a}}\_L \cdot u\_k   + u\_k^{-1} \cdot {\mathbf{a}}\_R, {\mathbf{G}}\_L \cdot u^{-1}\_k + u\_k \cdot {\mathbf{G}}\_R      \rangle} + \\\\
-             &&  &{\langle {\mathbf{b}}\_L \cdot u^{-1}\_k  + u\_k \cdot {\mathbf{b}}\_R,      {\mathbf{H}}\_L \cdot u\_k      + u^{-1}\_k \cdot {\mathbf{H}}\_R \rangle} + \\\\
-             &&  &{\langle {\mathbf{a}}\_L \cdot u\_k       + u^{-1}\_k \cdot {\mathbf{a}}\_R,      {\mathbf{b}}\_L \cdot u^{-1}\_k + u\_k \cdot {\mathbf{b}}\_R      \rangle} \cdot Q
+    P\_{k-1} &{}={}& &{\langle {\mathbf{a}}\_{\operatorname{lo}} \cdot u\_k   + u\_k^{-1} \cdot {\mathbf{a}}\_{\operatorname{hi}}, {\mathbf{G}}\_{\operatorname{lo}} \cdot u^{-1}\_k + u\_k \cdot {\mathbf{G}}\_{\operatorname{hi}}      \rangle} + \\\\
+             &&  &{\langle {\mathbf{b}}\_{\operatorname{lo}} \cdot u^{-1}\_k  + u\_k \cdot {\mathbf{b}}\_{\operatorname{hi}},      {\mathbf{H}}\_{\operatorname{lo}} \cdot u\_k      + u^{-1}\_k \cdot {\mathbf{H}}\_{\operatorname{hi}} \rangle} + \\\\
+             &&  &{\langle {\mathbf{a}}\_{\operatorname{lo}} \cdot u\_k       + u^{-1}\_k \cdot {\mathbf{a}}\_{\operatorname{hi}},      {\mathbf{b}}\_{\operatorname{lo}} \cdot u^{-1}\_k + u\_k \cdot {\mathbf{b}}\_{\operatorname{hi}}      \rangle} \cdot Q
 \end{aligned}
 \\]
 Breaking down in simpler products:
 \\[
 \begin{aligned}
-    P\_{k-1} &{}={}& &{\langle {\mathbf{a}}\_L, {\mathbf{G}}\_L \rangle} + {\langle {\mathbf{a}}\_R, {\mathbf{G}}\_R \rangle} &{}+{}& u\_k^2 {\langle {\mathbf{a}}\_L, {\mathbf{G}}\_R \rangle} + u^{-2}\_k {\langle {\mathbf{a}}\_R, {\mathbf{G}}\_L \rangle} + \\\\
-       &&      &{\langle {\mathbf{b}}\_L, {\mathbf{H}}\_L \rangle} + {\langle {\mathbf{b}}\_R, {\mathbf{H}}\_R \rangle} &{}+{}& u^2\_k {\langle {\mathbf{b}}\_R, {\mathbf{H}}\_L \rangle} + u^{-2}\_k {\langle {\mathbf{b}}\_L, {\mathbf{H}}\_R \rangle} + \\\\
-       &&      &({\langle {\mathbf{a}}\_L, {\mathbf{b}}\_L \rangle} + {\langle {\mathbf{a}}\_R, {\mathbf{b}}\_R \rangle})\cdot Q &{}+{}& (u^2\_k {\langle {\mathbf{a}}\_L, {\mathbf{b}}\_R \rangle} + u^{-2}\_k {\langle {\mathbf{a}}\_R, {\mathbf{b}}\_L \rangle}) \cdot Q
+    P\_{k-1} &{}={}& &{\langle {\mathbf{a}}\_{\operatorname{lo}}, {\mathbf{G}}\_{\operatorname{lo}} \rangle} + {\langle {\mathbf{a}}\_{\operatorname{hi}}, {\mathbf{G}}\_{\operatorname{hi}} \rangle} &{}+{}& u\_k^2 {\langle {\mathbf{a}}\_{\operatorname{lo}}, {\mathbf{G}}\_{\operatorname{hi}} \rangle} + u^{-2}\_k {\langle {\mathbf{a}}\_{\operatorname{hi}}, {\mathbf{G}}\_{\operatorname{lo}} \rangle} + \\\\
+       &&      &{\langle {\mathbf{b}}\_{\operatorname{lo}}, {\mathbf{H}}\_{\operatorname{lo}} \rangle} + {\langle {\mathbf{b}}\_{\operatorname{hi}}, {\mathbf{H}}\_{\operatorname{hi}} \rangle} &{}+{}& u^2\_k {\langle {\mathbf{b}}\_{\operatorname{hi}}, {\mathbf{H}}\_{\operatorname{lo}} \rangle} + u^{-2}\_k {\langle {\mathbf{b}}\_{\operatorname{lo}}, {\mathbf{H}}\_{\operatorname{hi}} \rangle} + \\\\
+       &&      &({\langle {\mathbf{a}}\_{\operatorname{lo}}, {\mathbf{b}}\_{\operatorname{lo}} \rangle} + {\langle {\mathbf{a}}\_{\operatorname{hi}}, {\mathbf{b}}\_{\operatorname{hi}} \rangle})\cdot Q &{}+{}& (u^2\_k {\langle {\mathbf{a}}\_{\operatorname{lo}}, {\mathbf{b}}\_{\operatorname{hi}} \rangle} + u^{-2}\_k {\langle {\mathbf{a}}\_{\operatorname{hi}}, {\mathbf{b}}\_{\operatorname{lo}} \rangle}) \cdot Q
 \end{aligned}
 \\]
 We now see that the left two columns in the above equation is the
@@ -566,8 +566,8 @@ terms with \\(u^2\_k\\) as \\(L\_k\\) and all terms with \\(u^{-2}\_k\\) as \\(R
 \\[
 \begin{aligned}
     P\_{k-1} &= P\_k + u^2\_k \cdot L\_k + u^{-2}\_k \cdot R\_k\\\\
-    L\_k  &= {\langle {\mathbf{a}}\_L, {\mathbf{G}}\_R \rangle} + {\langle {\mathbf{b}}\_R, {\mathbf{H}}\_L \rangle} + {\langle {\mathbf{a}}\_L, {\mathbf{b}}\_R \rangle} \cdot Q\\\\
-    R\_k  &= {\langle {\mathbf{a}}\_R, {\mathbf{G}}\_L \rangle} + {\langle {\mathbf{b}}\_L, {\mathbf{H}}\_R \rangle} + {\langle {\mathbf{a}}\_R, {\mathbf{b}}\_L \rangle} \cdot Q
+    L\_k  &= {\langle {\mathbf{a}}\_{\operatorname{lo}}, {\mathbf{G}}\_{\operatorname{hi}} \rangle} + {\langle {\mathbf{b}}\_{\operatorname{hi}}, {\mathbf{H}}\_{\operatorname{lo}} \rangle} + {\langle {\mathbf{a}}\_{\operatorname{lo}}, {\mathbf{b}}\_{\operatorname{hi}} \rangle} \cdot Q\\\\
+    R\_k  &= {\langle {\mathbf{a}}\_{\operatorname{hi}}, {\mathbf{G}}\_{\operatorname{lo}} \rangle} + {\langle {\mathbf{b}}\_{\operatorname{lo}}, {\mathbf{H}}\_{\operatorname{hi}} \rangle} + {\langle {\mathbf{a}}\_{\operatorname{hi}}, {\mathbf{b}}\_{\operatorname{lo}} \rangle} \cdot Q
 \end{aligned}
 \\]
 If the prover commits to \\(L\_k\\) and \\(R\_k\\) before \\(u\_k\\) is randomly
@@ -623,7 +623,7 @@ New notation for aggregated proofs
 
 The subscript \\({(j)}\\) denotes the \\(j\\)th party's share. For instance, \\(v_{(j)}\\) is the \\(v\\) value of the \\(j\\)th party; \\( \mathbf{a}\_{L, (j)}\\) is the \\( \mathbf{a}\_L \\) vector of the \\(j\\)th party; \\(\mathbf{l}\_{(0)}(x)\\) is the \\(\mathbf{l}(x)\\) polynomial of party \\(0\\). 
 
-We use pythonic notation to denote slices of vectors, such that \\(\mathbf{G}\_{[a:b]} = [\mathbf{G}\_{a}, \mathbf{G}\_{a+1}, \dots, \mathbf{G}\_{b-1} ]\\).
+We use pythonic notation to denote slices of vectors, such that \\(\mathbf{G}\_{\[a:b\]} = [\mathbf{G}\_{a}, \mathbf{G}\_{a+1}, \dots, \mathbf{G}\_{b-1} ]\\).
 
 \\({\mathbf{G}\_{(j)}}\\) is party \\(j\\)'s share of the generators \\({\mathbf{G}}\\), or \\({\mathbf{G}\_{[j\cdot n : (j+1)n]}}\\), and \\({\mathbf{H}'\_{(j)}}\\) is party \\(j\\)'s share of the generators \\({\mathbf{H}'}\\), or \\({\mathbf{H}'\_{[j\cdot n : (j+1)n]}}\\).
 
@@ -692,8 +692,8 @@ The prover chooses vectors of blinding factors \\( \mathbf{s}\_{L, (j)}, {\mathb
 
 \\[
 \begin{aligned}
-  {\mathbf{l}}\_{(j)}(x) &= ({\mathbf{a}}\_{L, (j)} + {\mathbf{s}}\_{L, (j)} x) - z {\mathbf{1}} & \in {\mathbb Z\_p}[x]^{n}  \\\\
-  {\mathbf{r}}\_{(j)}(x) &= {\mathbf{y}}^{n}\_{(j)} \circ \left( ({\mathbf{a}}\_{R, (j)} + {\mathbf{s}}\_{R, (j)} x\right)  + z {\mathbf{1}}) + z^{2} z_{(j)} {\mathbf{2}}^{n} &\in {\mathbb Z\_p}[x]^{n} 
+  {\mathbf{l}}\_{(j)}(x) &= ({\mathbf{a}}\_{L, (j)} + {\mathbf{s}}\_{L, (j)} x) - z {\mathbf{1}} & \in {\mathbb Z\_p}\[x\]^{n}  \\\\
+  {\mathbf{r}}\_{(j)}(x) &= {\mathbf{y}}^{n}\_{(j)} \circ \left( ({\mathbf{a}}\_{R, (j)} + {\mathbf{s}}\_{R, (j)} x\right)  + z {\mathbf{1}}) + z^{2} z_{(j)} {\mathbf{2}}^{n} &\in {\mathbb Z\_p}\[x\]^{n} 
 \end{aligned}
 \\]
 

docs/assets/aggregated-range-proof.sketch

@@ -31,7 +31,7 @@ S_{(j)} &\gets \operatorname{Com}({\mathbf{s}}\_{L, (j)}, {\mathbf{s}}\_{R, (j)}
 \\] where \\(\widetilde{v}\_{(j)}, \widetilde{a}\_{(j)}, \widetilde{s}\_{(j)}\\) are sampled randomly
 from \\({\mathbb Z\_p}\\) and \\(\mathbf{s}\_{L, (j)}, \mathbf{s}\_{R, (j)}\\) are sampled randomly from \\({\mathbb Z\_p}^{n}\\).
 
-The parties all send their \\(V_{(j)}\\), \\(A_{(j)}\\), and \\(S_{(j)}\\) values to the dealer as `ValueCommitment`. The dealer adds each \\(V_{(j)}\\) value to the protocol transcript, in order. The dealer then computes \\(A\\) and \\(S\\) as follows:
+The parties all send their \\(V_{(j)}\\), \\(A_{(j)}\\), and \\(S_{(j)}\\) values to the dealer as `BitCommitment`. The dealer adds each \\(V_{(j)}\\) value to the protocol transcript, in order. The dealer then computes \\(A\\) and \\(S\\) as follows:
 
 \\[
 \begin{aligned}
@@ -40,9 +40,9 @@ The parties all send their \\(V_{(j)}\\), \\(A_{(j)}\\), and \\(S_{(j)}\\) value
 \end{aligned}
 \\]
 
-The dealer adds \\(A\\) and \\(S\\) to the protocol transcript and obtains challenge scalars \\(y,z \in {\mathbb Z\_p}\\) from the transcript. The dealer sends \\(y, z\\) as `ValueChallenge` to all of the parties.
+The dealer adds \\(A\\) and \\(S\\) to the protocol transcript and obtains challenge scalars \\(y,z \in {\mathbb Z\_p}\\) from the transcript. The dealer sends \\(y, z\\) as `BitChallenge` to all of the parties.
 
-Using their secret vectors and the challenges \\(y, z\\) from `ValueChallenge`, each party constructs vector polynomials:
+Using their secret vectors and the challenges \\(y, z\\) from `BitChallenge`, each party constructs vector polynomials:
 \\[
 \begin{aligned}
   {\mathbf{l}}\_{(j)}(x) &= {\mathbf{l}}\_{0, (j)} + {\mathbf{l}}\_{1, (j)} x \\\\