typos, add Chaum-Pedersen DLEq sigma protocol, update commitment binding/hiding props
nglaeser committed Oct 4, 2024
1 parent 2c8eba7 commit 2ecd33a
Showing 3 changed files with 22 additions and 5 deletions.
15 changes: 14 additions & 1 deletion docs/Areas-of-Cryptography/zk.md
Expand Up @@ -179,7 +179,7 @@ Sigma protocols can be made non-interactive via the [Fiat-Shamir transform](../t
1. The prover P samples $r \stackrel{\$}{\gets} \mathbb{Z}_p$ and sends $a := b^r$ to the verifier V
1. V sends back a uniform challenge $c \stackrel{\$}{\gets} \mathbb{Z}_p$
1. P sends $z := r + c \cdot x$
1. V check that $b^z = a \cdot y^{c}$
1. V checks that $b^z = a \cdot y^{c}$

Correctness holds since $a \cdot y^{c} = (b^r) \cdot (b^x)^{c} = b^{r + x \cdot c}$.

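Review bot: step 3 (`1. P sends $z := r + c \cdot x$`) leaves the arithmetic implicit; since $r$, $c$ and $x$ all live in $\mathbb{Z}_p$, writing $z := r + c \cdot x \bmod p$ (or stating once that exponent arithmetic is mod $p$) makes the correctness line $b^{r + x \cdot c}$ unambiguous. Step 4 would also normally have V check $a \in \mathbb{G}$ before the equality test, not just the equality itself.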
Expand All @@ -197,8 +197,21 @@ Sigma protocols can be made non-interactive via the [Fiat-Shamir transform](../t
!!! example "Sigma protocol: DLEq [Chaum-Pedersen'92]"

=== "Scheme"
**Public parameters:** Group $\mathbb{G}$ of prime order $p$.
**Prover:** $y_1,b_1,y_2,b_2 \in \mathbb{G}$ and $x \in \mathbb{Z}_p$.
**Verifier:** $y_1,b_1,y_2,b_2 \in \mathbb{G}$
To prove equality of the discrete logarithms of $y_1,y_2$ w.r.t. $b_1,b_2$, i.e., $y_1 = b_1^x$ and $y_2 = b_2^x$:

1. The prover P samples $r \stackrel{\$}{\gets} \mathbb{Z}_p$ and sends $a_1 := b_1^r$, $a_2 := b_2^r$ to the verifier V
1. V sends back a uniform challenge $c \stackrel{\$}{\gets} \mathbb{Z}_p$
1. P sends $z := r + c \cdot x$
1. V checks that $b_1^z = a_1 \cdot y_1^{c}$ and $b_2^z = a_2 \cdot y_2^{c}$

Correctness holds since $a_i \cdot y_i^{c} = (b_i^r) \cdot (b_i^x)^{c} = b_i^{r + x \cdot c}$ for $i=1,2$ where (crucially) the same $r,z$ are used.

=== "Properties"
<!-- This can be seen as an AND of two instances of the [Schnorr protocol for DLog]() -->
<!-- Not exactly, uses the same randomness $r$ in step 1 -->

!!! example "Sigma protocol: Pedersen opening"

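Review bot: the new `=== "Properties"` tab of the DLEq example contains nothing but two HTML comments, so it renders as an empty tab; either fill it in or leave the tab out until there is content. The two comments also contradict each other, and the first has an empty link target (`[Schnorr protocol for DLog]()`) that would become a dead link if uncommented. Suggested single bullet to replace both: "This is two Schnorr DLog proofs run with the same randomness $r$ and the same response $z$; sharing them is what ties both exponents to one $x$" (this is the point the correctness sentence already makes with "crucially"). Minor: `**Verifier:** $y_1,b_1,y_2,b_2 \in \mathbb{G}$` lacks the trailing period the `**Prover:**` line has.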
8 changes: 6 additions & 2 deletions docs/Cryptographic-Primitives/commitments.md
Expand Up @@ -16,8 +16,8 @@ A commitment scheme consists of a commitment algorithm $\sf Com$ and an opening
- $\underline{{\sf Vrfy}({\sf com}, m, r) \to \{0,1\}}$: The verifier checks that ${\sf com} = g^m h^r$.

=== "Properties"
- unconditional hiding
- computational binding (by DLog assumption)
- computationally binding (by DLog assumption)
- unconditionally (information-theoretically) hiding

## Properties

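Review bot: the reworded bullet `computationally binding (by DLog assumption)` would be clearer if it named what the verification equation ${\sf com} = g^m h^r$ on the context line actually relies on: binding holds only while the committer does not know $\log_g h$, so the assumption is DLog in the group generated by $g$ with $h$ chosen so that its discrete log is unknown. The hiding bullet could likewise say why it is unconditional (for uniform $r$, $h^r$ is uniform in the group, so ${\sf com}$ is independent of $m$). Style: "(by DLog assumption)" and the parenthetical form used for the KZG list later in this file, `($t$-SDH)` / `(DLog)`, should agree.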
Expand Down Expand Up @@ -88,6 +88,8 @@ Besides the basic commitment functionality, there are additional "fancier" types
(where $\tau G = {\sf crs}_1$).

=== "Properties"
- Computationally binding ($t$-SDH)
- Computationally hiding (DLog)
- The prover can do a **full open** and reveal all the evaluations by simply sending a candidate polynomial $f'(X)$; the verifier checks that ${\sf Com}({\sf crs}, f'(X)) = {\sf com}$. There is an [optimization [FK20]](https://alinush.github.io/2021/06/17/Feist-Khovratovich-technique-for-computing-KZG-proofs-fast.html) to do this in $O(d\log{d})$ instead of $O(d^2)$.
- There is also a **batch mode** in which the prover can open $t < d$ points, which the verifier can check with a single pairing. See "Further reading".
- **Trusted setup**: the scheme relies on a trusted setup, i.e. a well-formed CRS. (On the plus side, the CRS is of the "powers-of-tau" variant, which is fairly easy to generate via an [MPC](../Areas-of-Cryptography/mpc.md) protocol (e.g., [2022/1592](https://eprint.iacr.org/2022/1592)).)
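Review bot: the new bullets `Computationally binding ($t$-SDH)` and `Computationally hiding (DLog)` capitalize "Computationally" while the Pedersen list earlier in this file uses lowercase (`computationally binding`); make the two lists match, and consider linking the assumptions the way signatures.md does (`[DLog](../assumptions.md#discrete-logarithm)`), with an anchor for $t$-SDH. On substance: if $\sf Com$ here is the deterministic $f(\tau)G$ that the `$\tau G = {\sf crs}_1$` context implies, hiding holds only for polynomials with enough entropy, because a guessable $f$ can simply be recommitted and compared against ${\sf com}$; a one-clause caveat on the hiding bullet would stop readers from assuming Pedersen-style hiding.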
Expand All @@ -97,6 +99,8 @@ Besides the basic commitment functionality, there are additional "fancier" types

**Vector commitment** { #vc }
: A vector commitment allows one to commit to a vector $\vec{v} = (v_1, \dots, v_n)$ and later individually open elements $v_i$. (Note that a [polynomial commitment](#poly-com) to a polynomial of degree $d$ can be thought of as a vector commitment to $d+1$ points.)

!!! example "Merkle tree"

!!! example "Libert-Yung VC [[LY10]](https://www.iacr.org/archive/tcc2010/59780496/59780496.pdf)"

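Review bot: the context line's parenthetical "a polynomial commitment to a polynomial of degree $d$ can be thought of as a vector commitment to $d+1$ points" is imprecise: the committed vector is the $d+1$ coefficients, or equivalently the evaluations at any fixed set of $d+1$ points (the two are related by interpolation). Saying "to its $d+1$ coefficients (or to its evaluations at $d+1$ fixed points)" avoids reading "points" as arbitrary field or curve points.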
4 changes: 2 additions & 2 deletions docs/Cryptographic-Primitives/signatures.md
Expand Up @@ -3,7 +3,7 @@
!!! summary
Signatures are used to ensure integrity.

A digital signature scheme consists of three algorithms: a key generation algorithm $\mathsf{Gen}$ (or $\mathsf{KGen}$) that takes no input and outputs a key pair, an signing algorithm $\mathsf{Sign}$ that takes a private key and a message and outputs a signature, and a verification algorithm $\mathsf{Vrfy}$ that takes a public key, a message, and a signature and outputs 1 (the signature is a valid signature on that message) or 0 (the signature is not valid on that message).
A digital signature scheme consists of three algorithms: a key generation algorithm $\mathsf{Gen}$ (or $\mathsf{KGen}$) that takes no input and outputs a key pair, a signing algorithm $\mathsf{Sign}$ that takes a private key and a message and outputs a signature, and a verification algorithm $\mathsf{Vrfy}$ that takes a public key, a message, and a signature and outputs 1 (the signature is a valid signature on that message) or 0 (the signature is not valid on that message).

!!! notation "Signature scheme syntax"
- $({\sf pk}, {\sf sk}) \gets \mathsf{Gen}(1^\lambda)$
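Review bot: the corrected sentence still says $\mathsf{Gen}$ "takes no input", but the notation block two lines below writes $({\sf pk}, {\sf sk}) \gets \mathsf{Gen}(1^\lambda)$, i.e. it takes the security parameter; align the prose with the syntax ("takes the security parameter $1^\lambda$ and outputs a key pair"). The summary `Signatures are used to ensure integrity.` could also name authenticity, since the $\mathsf{Vrfy}$ description in the same sentence is about a verifier concluding that the holder of ${\sf sk}$ signed that message, not only that it was not modified.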
Expand Down Expand Up @@ -78,7 +78,7 @@ A common paradigm for a signature scheme is to instantiate a signature as a [NIZ
[^1]: By this we mean the x-coordinate is 0 (the y-coordinate is uniquely defined -- up to reflection over the x-axis -- by the x-coordinate).

=== "Assumptions"
- [DLog](../assumptions.md#discrete-logarithm) over elliptic curves
- [DLog](../assumptions.md#discrete-logarithm) over elliptic curves

!!! example "Schnorr signatures"
=== "Construction"
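Review bot: the change to `- [DLog](../assumptions.md#discrete-logarithm) over elliptic curves` is whitespace-only (both versions render identically here), so it is presumably the indentation fix that puts the bullet inside the `=== "Assumptions"` tab; worth a word in the commit message since "typos" does not cover it. The footnote on the context line uses `--` for dashes, which Python-Markdown leaves literal unless the `smarty` extension is enabled; parentheses would be safer.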