minor

MadibaGroup · Jul 3, 2024 · 2a1f7c1 · 2a1f7c1
1 parent 145be7e
commit 2a1f7c1
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/content/docs/background/kzg.md b/content/docs/background/kzg.md
@@ -155,9 +155,9 @@ If the cost of opening a set of points is roughly the same as the cost of openin
 * Batch open the same point on multiple polynomials: direct from KZG, not shown. 
 * Batch open multiple points on multiple polynomials: not directly possible with KZG but possible with variants.
 
-To batch open multiple points on the same polynomial $P(\square)$, the prover asserts the full set of points to the verifier. The verifier will interpolate a polynomial through these points $R(\square)$ and compute its commitment $K_{R(\tau)}$. Recall that when proving a single point $\{x,y\}$, it would compute $\tilde{P}(\square)=P(\square)-y$. This does not work for multiple points because the amount to "slide down" the polynomial differs. However $R(\square)$ has the right amount at every value of $x$ being opened. So the verifier computes $\tilde{P}(\square)=P(\square)-R(\square)$ using the additively homomorphic property, and now all the points are roots, so the prover uses the "selective open: multiple roots" protocol above. 
+To batch open multiple points on the same polynomial $P(\square)$, the prover asserts the full set of points to the verifier. The verifier will interpolate a polynomial through these points $R(\square)$ and compute its commitment $K_{R(\tau)}$. Recall that when proving a single point $\{x,y\}$, it would compute $\tilde{P}(\square)=P(\square)-y$. This does not work for multiple points because the amount to "slide down" the polynomial differs. However $R(\square)$ has the right amount at every value of $x$ being opened. So the verifier computes $K_{\tilde{P}(\tau)}=K_{P(\tau)} \cdot (K_{R(\tau)})^{-1}$ where $\tilde{P}(\square)=P(\square)-R(\square)$ using the additively homomorphic property, and now all the points are roots, so the prover uses the "selective open: multiple roots" protocol above on $\tilde{P}(\square)$. 
 
 ## Footnotes
 
 [^1]: The result was actually pointed out earlier by DeMillo and Lipton, and thus is occasionally referred to as the DeMillo–Lipton–Schwartz–Zippel lemma
-[^2]: The Pedersen commitment was popularized by Pedersen but Pedersen attributes it to Bos and Chaum in his paper. It appeared even earlier as a bit commitment scheme in a paper by Chaum, Damgard, and van de Graaf.
+[^2]: The commitment was popularized by Pedersen but Pedersen attributes it to Bos and Chaum in his paper. It appeared even earlier as a bit commitment scheme in a paper by Chaum, Damgard, and van de Graaf.