Changelog (maintenance began June 2022)

  1. June 27, 2022: Fixed typos and added clarification to the proof of Fact 10.1. Thank you mmagician!
  2. June 21, 2022: Clarified relationship between binding and extractability of polynomial commitments in Section 7.4, clarified notation in knowledge soundness analysis in that section. Thank you Bryan Gillespie!
  3. June 21, 2022: Small clarifications to the description of the circuit-sat problem in Section 6.5.1.
  4. June 10, 2022: Corrected typos in Bulletproofs coverage: 4/p --> 1-4/p on page 212; v_L and v_R --> v'_L and v'_R in the final line of Protocol 13 pseudocode. Thank you, Elliott Jin!
  5. June 10, 2022: Clarified intro to knowledge soundness (start of Section 7.4) in response to questions/feedback. Earlier in the chapter, clarified discussion of why Merkle trees alone do not yield a polynomial commitment scheme.