Merge branch 'main' into patch-1
martinthomson authored Aug 6, 2024
2 parents 0ed614c + e7d0047 commit 82ebdc5
Showing 4 changed files with 26 additions and 27 deletions.
22 changes: 11 additions & 11 deletions draft-case-ppm-binomial-dp.md
@@ -107,7 +107,7 @@ can be made about the amount of privacy loss that applies to any given input.
There are multiple methods for applying noise to aggregates, but the one that
offers the lowest amount of noise — and therefore the most useful outputs — is
one where a single entity samples and adds noise, known as central
DP. Alternatives include local DP, where each noise is added to each input to
DP. Alternatives include local DP, where noise is added to each input to
the aggregation, or shuffle DP, which reduces noise requirements for local DP by
shuffling inputs.

@@ -132,7 +132,7 @@ present. In two-party MPC, each party has to assume the other is dishonest, so
each adds the entire noise quantity, ultimately doubling the overall noise that
is added. In a three-party honest majority MPC, each party can add half of the
required noise on the assumption that one other party is honest, resulting in a
50% increase in the amount of noise.
50% increase in the amount of noise relative to the ideal.

Finally, an MPC protocol can be executed to add noise. The primary drawback of
this approach is that there is an increased cost to generating the noise in MPC.
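Review bot: "relative to the ideal" leaves "the ideal" undefined in this paragraph; the baseline being compared against is the central DP case introduced earlier (a single entity samples and adds the noise once), so name it, e.g. "a 50% increase in the amount of noise relative to central DP". The arithmetic matches the preceding sentences: two parties each adding the full quantity doubles it, three parties each adding half yields 1.5x.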
@@ -203,12 +203,12 @@ sensitivity, {{compute-n}} describes how to determine the number of Bernoulli
samples needed.

To count the number of successes across these `N` trials, the MPC helpers simply
run an aggregation circuit over the secret shared results of the `N` Bernoulli
trials, each or which is either 0 or 1. The result of this sum is a sample from
a `Bin(N, p)` distribution. This binomial noise value is then added to the
output inside the MPC and then the final noised result revealed to the
appropriate output parties. That is, if the MPC computes `f(D)`, it outputs
shares of the result `f(D) + Bin(N,p)`.
add the secret shared results of the `N` Bernoulli trials, each or which is
either 0 or 1. The result of this sum is a sample from a `Bin(N, p)`
distribution. This binomial noise value is then added to the output inside the
MPC and then the final noised result revealed to the appropriate output parties.
That is, if the MPC computes `f(D)`, it outputs shares of the result `f(D) +
Bin(N,p)`.

The party receiving the output can then postprocess this output to get an
unbiased estimate for `f(D)` by subtracting the mean of the `Bin(N,p)`
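Review bot: the typo "each or which" (should be "each of which") survives into the rewritten text on its first new line, and "then the final noised result revealed" is missing a verb; suggest "each of which is either 0 or 1" and "and the final noised result is then revealed to the appropriate output parties". Also `Bin(N, p)` and `Bin(N,p)` both appear in the same paragraph; pick one spacing.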
@@ -264,7 +264,7 @@ o = f(D) / s + X
For an MPC system, the output of the system is shares of this scaled and biased
value. The recipient can reconstruct the an unbiased, unscaled, noised value by:

* Adding the shares it receives: `o = sum(o_i, o_2, …)`
* Adding the shares it receives: `o = sum(o_1, o_2, …)`
* Correcting for bias: `o - N\*p`
* Scaling the value: `f′(D) = s * (o - N\*p)`
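Review bot: the `o_i` to `o_1` fix is right, but the list still mixes `N\*p` with a bare `s * (...)` in the same step; use one escaping convention for `*` inside code spans. Also, reconstructing by summing the shares presupposes additive secret sharing of `o = f(D) / s + X`, which is worth stating once where the shares are introduced.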

@@ -299,7 +299,7 @@ For `f(D)` that produces output that is a `d`-dimensional vector of integer
values, the `p`-norms of interest for use with the binomial mechanism is the L1,
L2, and L∞ (or Linfty) norms.

The L1 norm of `x∊ℤ<sup>d</sup>` is:
The L1 norm of `x` (where x∊ℤ<sup>d</sup>) is:

~~~ pseudocode
sensitivity\_1 = ||x||<sub>1</sub> = sum(i=1..d, |x_i|)
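Review bot: the new wording puts `x` in a code span but leaves the `x` in the parenthetical `x∊ℤ<sup>d</sup>` outside one, so the same variable renders two ways in one sentence; either put both in code spans or neither. The unchanged line above also reads "the `p`-norms of interest ... is the L1, L2, and L∞ norms", which should be "are".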
@@ -376,7 +376,7 @@ The `epsilon_delta_constraint` is a function of epsilon, delta, `s`, `d`,
more complicated formula.


For the `epsilon_delta constraint`, {{CPSGD}} defines some intermediate
For the `epsilon_delta_constraint`, {{CPSGD}} defines some intermediate
functions of the success probability, `p`. For `p = 0.5`, these become fixed
constants:

16 changes: 7 additions & 9 deletions draft-savage-ppm-3phm-mpc.md
@@ -65,7 +65,7 @@ are never revealed to any single entity. MPC executes an agreed function,
revealing only the output of that function.

This makes MPC well-suited to handling data that is sensitive or private. MPC in
a three-party honest majority setting, is broadly recognized as being extremely
a three-party honest majority setting is broadly recognized as being extremely
efficient:

* Addition and subtraction have zero communication cost and negligible
@@ -484,8 +484,6 @@ the proof.
Since the two verifiers possess all of this information distributed amongst
themselves, this approach is referred to as "Distributed Zero Knowledge Proofs".

## Distributed Zero Knowledge Proofs

{{?FLPCP=DOI.10.1007/978-3-030-26954-8_3}} describes a system of zero-knowledge
proofs that rely on linear operations. This is expanded in
{{?BOYLE=DOI.10.1007/978-3-030-64840-4_9}} to apply to three-party
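Review bot: dropping the repeated "## Distributed Zero Knowledge Proofs" heading is right, since the sentence just above already introduces the term, but check that no cross-reference elsewhere in the draft targets the removed heading's generated anchor, and confirm that the {{?FLPCP}} paragraph reads correctly as a continuation of the surviving section rather than the start of a new one.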
@@ -528,7 +526,7 @@ dot-product of two vectors, one of which is known to both `P_=` and
Rearranging terms:

~~~ pseudocode
x_-·y_+ ⊕ (x_-·y_- ⊕ z_- ⊕ r_- ) ⊕ x_+·y_- ⊕ r_+ = 0
x_-·y_+ ⊕ (x_-·y_- ⊕ z_- ⊕ r_-) ⊕ x_+·y_- ⊕ r_+ = 0
~~~

Define:
@@ -540,7 +538,7 @@ e_- = x_-·y_- ⊕ z_- ⊕ r_-
Then:

~~~ pseudocode
(x_-·y_+ ⊕ e_- ) ⊕ (x_+·y_- ⊕ r_+) = 0
(x_-·y_+ ⊕ e_-) ⊕ (x_+·y_- ⊕ r_+) = 0
~~~

Using: `x ⊕ y = x·(1 - 2·y) + y`
@@ -597,9 +595,9 @@ From this point, each party can compute the vectors that they are able to.
`P_=` and `P_-` both compute `g_i` as follows:

~~~ pseudocode
g_1 = -2·x_-·y_-·(1 - 2·e_- )
g_2 = y_-·(1 - 2·e_- )
g_3 = x_-·(1 - 2·e_- )
g_1 = -2·x_-·y_-·(1 - 2·e_-)
g_2 = y_-·(1 - 2·e_-)
g_3 = x_-·(1 - 2·e_-)
g_4 = -½(1 - 2·e_-)
~~~
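Review bot: the whitespace fix makes `g_1` through `g_3` consistent, but `g_4 = -½(1 - 2·e_-)` still omits the explicit `·` that the other three lines place between the coefficient and the parenthesis, and uses a Unicode fraction where every other coefficient is a plain integer; suggest `g_4 = -½·(1 - 2·e_-)` (or `-(1/2)·(1 - 2·e_-)`) so all four lines parse the same way.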

@@ -1018,7 +1016,7 @@ AES-128-GCM is RECOMMENDED, with the same KDF being used for PRSS and AES-128 as
the PRP.

For validation, the prime field used is modulo the Mersenne prime
2<sup>61</sup>-1 validation. Any sufficiently large prime can be used, but this
2<sup>61</sup>-1. Any sufficiently large prime can be used, but this
value provides both good performance on 64-bit hardware and useful security
margins for typical batch sizes; see TODO/below for an analysis of the batch
size requirements and security properties that can be obtained by using this
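Review bot: removing the stray "validation" fixes the sentence, but "see TODO/below" remains an unresolved placeholder; before merge it should point at the actual section (with a reference in the style used elsewhere in the draft) or be dropped, since the claim about useful security margins for typical batch sizes rests on that analysis.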
11 changes: 6 additions & 5 deletions draft-thomson-ppm-prss.md
@@ -185,8 +185,8 @@ def ss, enc = Send(kem, pk_bytes):
ss, enc = kem.Encap(pk)
~~~

The sender then sends the encapsulated public key, `enc`, to the receiver. The
receiver decapsulates this value to obtain the shared secret, `ss`:
The sender then sends the encapsulated secret, `enc`, to the receiver. The
receiver decapsulates this value to obtain the shared secret:

~~~ pseudocode
def ss = Receive(kem, sk, enc):
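Review bot: "encapsulated secret" is better than "encapsulated public key", but from `ss, enc = kem.Encap(pk)` the value `enc` is the encapsulation from which the receiver recovers `ss`, not the secret itself; suggest "the encapsulation, `enc`" (or "encapsulated key"). Also keep "the shared secret, `ss`" in the second sentence, as the old text had it, since `ss` is what `Receive(kem, sk, enc)` returns and naming it there ties the prose to the pseudocode.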
@@ -447,7 +447,7 @@ fixed range of values.

The total randomness available is limited by the entropy from the chosen KEM,
KDF, and PRF. Each KEM is only able to convey a maximum amount of entropy.
Similarly, each KDF is limited in the amount of entropy it only able to retain.
Similarly, each KDF is limited in the amount of entropy it is able to retain.
Finally, each PRF also has limits that might further reduce the maximum entropy
available.

@@ -471,7 +471,8 @@ Binary sampling produces uniformly random values with the only drawback being
the constraint on its output range.

For small values of `n`, the same PRF invocation could be used to produce
multiple values, depending on the value of `Mo` for the chosen PRF.
multiple values, depending on the value of `Mo` for the chosen PRF. For large
values of `n`, multiple invocations of the PRF can be used.


## Rejection Sampling {#rejection}
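Review bot: the new sentence "For large values of `n`, multiple invocations of the PRF can be used" does not say how the outputs are combined (concatenated before reduction, or each used as a separate sample) or that the per-invocation `Mo` bound and the uniform-output property of binary sampling must still hold for the combined value; one clause stating the construction would make it actionable. There is also a double blank line before the next heading.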
@@ -564,7 +565,7 @@ most `2\^((k-a)/2)`, where `a` is the desired attacker advantage in bits (that
is, advantage is at most 2<sup>-a</sup>).

Using that value for `q` and an advantage of `(2^a)/2` for the second component
leads to a limit for `p` of `2^(b-(k+a)/2-2)`. For example, to obtain 40 bits
leads to a limit for `p` of `2\^(b-(k+a)/2-2)`. For example, to obtain 40 bits
of security, the value of `p` for AES-128 is limited to 2<sup>42</sup>, which
assumes a value of `q` no more than 2<sup>44</sup>.
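Review bot: the `2^` to `2\^` change on the `p` bound makes it match `2\^((k-a)/2)` in the hunk header, but `(2^a)/2` in the preceding unchanged line still uses the unescaped form. Separately, that line gives the second component an advantage of `(2^a)/2` while the paragraph above defines advantage as at most 2<sup>-a</sup>; please confirm the intended sign of the exponent. The worked numbers are consistent with the formula if `b` and `k` are both 128 for AES-128: with `a = 40`, `b-(k+a)/2-2` is 42 and `(k-a)/2` is 44.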

4 changes: 2 additions & 2 deletions fix-sub.py
@@ -10,8 +10,8 @@

blockcode = re.compile(r"^(~~~~*) *(\w+)$")
inlinecode = re.compile(r"(?:^|(?<=[^\\]))`")
sub = re.compile(r"(?:<sub>([" + chars + r"]+)</sub>|(?<=\w)_([" + chars + r"]))")
sup = re.compile(r"(?:<sup>([" + chars + r"]+)</sup>|(?<=\w)\^([" + chars + r"]))")
sub = re.compile(r"(?:<sub>([" + chars + r"]+)</sub>|(?<=[\w\)])_([" + chars + r"]))")
sup = re.compile(r"(?:<sup>([" + chars + r"]+)</sup>|(?<=[\w\)])\^([" + chars + r"]))")

def warn(msg, **kwargs):
print(msg, file=sys.stderr, **kwargs)
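Review bot: widening the lookbehind to `[\w\)]` lets `_` and `^` following a closing parenthesis be treated as subscript/superscript markers, but the capture after them is still a single character from `chars`, so `(x+y)^10` would convert only the `1`; if multi-character exponents after `)` are expected, use `+` there as the `<sup>...</sup>` branch already does. Please also add a regression test covering `)_x`, `)^x` and the escaped `\^` form, which is correctly left alone because the character before `^` is a backslash.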

0 comments on commit 82ebdc5
