fix bls12381 specification section

neps/nep-0488.md

@@ -79,38 +79,38 @@ to ensure future ease in supporting corresponding precompiles for Aurora[^24].
 elements $\textbraceleft 0, 1, \ldots, p - 1 \textbraceright$ with two 
 operations: multiplication $\cdot$ and addition $+$.
 These operations involve standard integer multiplication and addition, 
-followed by taking the remainder modulo $p$.
+followed by computing the remainder modulo $p$.
 
-**The elliptic curve $E(F_p)$**  is a set of all pairs $(x, y) \in F_p$:
+**The elliptic curve $E(F_p)$** is the set of all pairs $(x, y)$ with coordinates in $F_p$ satisfying:
 
 $$
 y^2 \equiv x^3 + Ax + B \mod p
 $$
 
-together with an imaginary point at infinity 0, where: $A, B \in F_p$, p is prime > 3, and $4A^3 + 27B^2 \not \equiv 0 \mod p$
+together with an imaginary point at infinity $\mathcal{O}$, where: $A, B \in F_p$, p is prime > 3, and $4A^3 + 27B^2 \not \equiv 0 \mod p$
 
 In the case of BLS12-381 equation is $y^2 \equiv x^3 + 4 \mod p$[^15],[^51],[^14],[^11]
 
 **Parameters for our case:**
 
 - $A = 0$
 - $B = 4$
-- $p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab$
+- $p = \mathtt{0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab}$
 
-Let’s $P \in E(F_q)$ have coordinates (x, y), define **$-P$**  as a point on a curve with coordinates (x, -y).
+Let $P \in E(F_q)$ have coordinates (x, y), define **$-P$**  as a point on a curve with coordinates (x, -y).
 
-**The addition operation for Elliptic Curve** is a function $+\colon E(F_p) \times E(F_p) \rightarrow E(F_p)$ defined with following rules: let’s P and Q $\in E(F_p)$
+**The addition operation for Elliptic Curve** is a function $+\colon E(F_p) \times E(F_p) \rightarrow E(F_p)$ defined with following rules: let P and Q $\in E(F_p)$
 
 - if  $P \ne Q$ and $P \ne -Q$
   - draw a line passing through P and Q. This line intersects the curve at a third point R
-  - reflect the point R about the x-axis by changing the sign of the y-coordinate. The resulting point is P+Q.
+  - reflect the point R across the x-axis by changing the sign of the y-coordinate. The resulting point is P+Q.
 - if $P=Q$
   - draw a tangent line throw P for an elliptic curve. The line will intersect the curve at the second point R.
-  - reflect the point R about the x-axis the same way to get point 2P
+  - reflect the point R across the x-axis the same way to get point 2P
 - $P = -Q$
-  - $P + Q = P + (-P) = 0$ — the point on infinity
-- Q = 0
-  - $P + Q = P + 0 = P$
+  - $P + Q = P + (-P) = \mathcal{O}$ — the point on infinity
+- $Q = \mathcal{O}$
+  - $P + Q = P + \mathcal{O} = P$
 
 With the addition operation, Elliptic Curve forms a **group**.
 
@@ -128,21 +128,21 @@ Group/subgroup **order** is the number of elements in group/subgroup.
 
 Notation: |G|  or #G, where G represents the group.
 
-For some technical reason (for `pairing` operation which we will define later),
-we will operate not with the entire $E(F_p)$,
-but only with the two subgroups $G_1$ and $G_2$
+For some technical reason (related to the `pairing` operation which we will define later),
+we will not operate over the entire $E(F_p)$,
+but only over the two subgroups $G_1$ and $G_2$
 having the same **order** $r$. 
 $G_1$ is a subset of $E(F_p)$, 
 while $G_2$ is a subgroup of another group that we will define later.
-The value of $r$ should be a prime number, and $G1 \ne G2$
+The value of $r$ should be a prime number and $G_1 \ne G_2$
 
-For our BLS12-381 Elliptic Curve, **the order r** of $G1$  and $G2$[^15],[^51] is given by:
+For the BLS12-381 Elliptic Curve, **the order r** of $G_1$  and $G_2$[^15],[^51] is given by:
 
-- $r = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001$
+- $r = \mathtt{0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001}$
 
 #### Field extension
 
-**The field extension $F_{p^k}$** is a set comprising all polynomials with a degree < k and coefficients from $F_p$, along with defined operations of multiplication ($\cdot$) and addition ($+$).
+**The field extension $F_{p^k}$ of $F_{p}$** is a set comprising all polynomials of degree < k and coefficients from $F_p$, along with defined operations of multiplication ($\cdot$) and addition ($+$).
 
 $$
 a_{k - 1}x^{k - 1} + \ldots + a_1x + a_0 = A(x) \in F_{p^k} \vert a_i \in F_p
@@ -177,7 +177,7 @@ We'll construct this field not directly as an extension from $F_p$,
 but rather through a stepwise process. First, we'll build $F_{p^2}$ 
 as a quadratic extension of the field $F_p$. 
 Second, we'll establish $F_{p^6}$ as a cubic extension of $F_{p^2}$. 
-Finally, we'll create $F_{p^{12}}$, a quadratic extension of the 
+Finally, we'll create $F_{p^{12}}$ as a quadratic extension of the 
 field $F_{p^6}$.
 
 To define these fields, we'll need to set up three irreducible polynomials[^51]:
@@ -186,7 +186,7 @@ To define these fields, we'll need to set up three irreducible polynomials[^51]:
 - $F_{p^6} = F_{p^2}[v] / (v^3 - u - 1)$
 - $F_{p^{12}} = F_{p^6}[w] / (w^2 - v)$
 
-The second subgroup we'll utilize has an order of r and 
+The second subgroup we'll utilize has order r and 
 resides within the same elliptic curve but with elements from $F_{p^{12}}$.   
 Specifically, $G_2 \subset E(F_{p^{12}})$, where $E: y^2 = x^3 + 4$
 
@@ -214,14 +214,14 @@ In most cases, we will be working with points from $G_2' \subset E'(F_{p^2})$ an
 
 #### Generators
 
-If there exists an element g in the group G such that $\textbraceleft g, 2g, 3g, \ldots, |G|g \textbraceright = G$, the group G is called a ***cyclic group*** and g is termed a ***generator***
+If there exists an element $g$ in the group $G$ such that $\textbraceleft g, 2 \cdot g, 3 \cdot g, \ldots, |G|g \textbraceright = G$, the group $G$ is called a ***cyclic group*** and $g$ is termed a ***generator***
 
 $G_1$ and $G_2$ are cyclic subgroups with the following generators[^15],[^51]:
 
 $G_1$:
 
-- $x = 0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb$
-- $y = 0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1$
+- $x = \mathtt{0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb}$
+- $y = \mathtt{0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1}$
 
 For $(x', y') \in G_2 \subset E'(F_{p^2}):$
 $$x' = x_0 + x_1u$$
@@ -230,44 +230,44 @@ $$y' = y_0 + y_1u$$
 
 $G_2$:
 
-- $x_0 = 0x024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8$
-- $x_1 = 0x13e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7e$
-- $y_0 = 0x0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801$
-- $y_1 = 0x0606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79be$
+- $x_0 = \mathtt{0x024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8}$
+- $x_1 = \mathtt{0x13e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7e}$
+- $y_0 = \mathtt{0x0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801}$
+- $y_1 = \mathtt{0x0606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79be}$
 
 
-**Cofactor** is the ratio of the size of the entire group G to the size of the subgroup H:
+**Cofactor** is the ratio of the size of the entire group $G$ to the size of the subgroup $H$:
 
 $$
 |G|/|H|
 $$
 
 Cofactor $G_1\colon h = |E(F_p)|/r$[^51]
 
-$$h = 0x396c8c005555e1568c00aaab0000aaab$$
+$$h = \mathtt{0x396c8c005555e1568c00aaab0000aaab}$$
 
 Cofactor $G_2\colon h' = |E'(F_{p^2})|/r$[^51]
 
-$$h' = 0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5$$
+$$h' = \mathtt{0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5}$$
 
 #### Pairing
 
-Pairing is an operation necessary for digital signatures and zkSNARKs verification. It performs the operation $e\colon G_1 \times G_2 \rightarrow G_T$, where $G_T \subset F_{p^{12}}$.
+Pairing is a necessary operation for the verification of BLS signatures and certain zkSNARKs. It performs the operation $e\colon G_1 \times G_2 \rightarrow G_T$, where $G_T \subset F_{p^{12}}$.
 
 The main properties of the pairing operation are:
 
 - $e(P, Q + R) = e(P, Q) \cdot e(P, R)$
 - $e(P  + S, R) = e(P, R)\cdot e(S, R)$
 
-To compute this function, we utilize an algorithm called Miller Loop. 
-For effective implementation of this algorithm, 
+To compute this function, we utilize an algorithm called Miller Loop.
+For an affective implementation of this algorithm, 
 we require a key parameter for the BLS curve, denoted as $x$:
 
-$$ x = -0xd201000000010000$$
+$$ x = -\mathtt{0xd201000000010000}$$
 
 This parameter can be found in the following sources:
 
-- [^15] section specification, pairing parameters, miller loop scalar
+- [^15] section specification, pairing parameters, Miller loop scalar
 - [^51] section 4.2.1 Parameter t
 - [^14] section BLS12-381, parameter u
 - [^11] section Curve equation and parameters, parameter x
@@ -276,7 +276,7 @@ This parameter can be found in the following sources:
 
 The parameters for the BLS12-381 curve are as follows:
 
-Base field modulus: $p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab$
+Base field modulus: $p = \mathtt{0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab}$
 
 $$
 E\colon y^2 \equiv x^3 + 4
@@ -286,7 +286,7 @@ $$
 E'\colon y^2 \equiv x^3 + 4(u + 1)
 $$
 
-Main subgroup order: $r = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001$
+Main subgroup order: $r = \mathtt{0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001}$
 
 $$
 F_{p^2} = F_p[u] / (u^2 + 1)
@@ -300,27 +300,27 @@ $$
 F_{p^{12}} = F_{p^6}[w] / (w^2 - v)
 $$
 
-Generator for G1:
+Generator for $G_1$:
 
-- $x = 0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb$
-- $y = 0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1$
+- $x = \mathtt{0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb}$
+- $y = \mathtt{0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1}$
 
-Generator for G2:
+Generator for $G_2$:
 
-- $x_0 = 0x024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8$
-- $x_1 = 0x13e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7e$
-- $y_0 = 0x0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801$
-- $y_1 = 0x0606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79be$
+- $x_0 = \mathtt{0x024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8}$
+- $x_1 = \mathtt{0x13e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7e}$
+- $y_0 = \mathtt{0x0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801}$
+- $y_1 = \mathtt{0x0606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79be}$
 
 
-Cofactor for G1:
-$$h = 0x396c8c005555e1568c00aaab0000aaab$$
+Cofactor for $G_1$:
+$$h = \mathtt{0x396c8c005555e1568c00aaab0000aaab}$$
 
-Cofactor for G2:
-$$h' = 0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5$$
+Cofactor for $G_2$:
+$$h' = \mathtt{0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5}$$
 
 Key  BLS12-381 parameter used in Miller Loop:
-$$x = -0xd201000000010000$$
+$$x = -\mathtt{0xd201000000010000}$$
 
 All parameters were sourced from [^15], [^51], and [^14], and they remain consistent across these sources.
 
@@ -329,21 +329,21 @@ All parameters were sourced from [^15], [^51], and [^14], and they remain consis
 This section delineates the functionality of the `bls12381_map_fp_to_g1` and `bls12381_map_fp2_to_g2` functions, 
 operating in accordance with the RFC9380 specification "Hashing to Elliptic Curves"[^62].
 
-These functions map the field elements in $F_p$ or $F_{p^2}$ 
+These functions map field elements in $F_p$ or $F_{p^2}$ 
 to their corresponding subgroups: $G_1 \subset E(F_p)$ or $G_2 \subset E'(F_{p^2})$. 
 `bls12381_map_fp_to_g1`/`bls12381_map_fp2_to_g2` combine the functionalities 
-of map_to_curve and clear_cofactor from RFC9380[^63].
+of `map_to_curve` and `clear_cofactor` from RFC9380[^63].
 
 ```text
 fn bls12381_map_fp_to_g1(u):
     let Q = map_to_curve(u);
     return clear_cofactor(Q);
 ```
 
-We choose not to implement the hash_to_field function as a host function due to potential changes in hashing methods. 
+We choose not to implement the `hash_to_field` function as a host function due to potential changes in hashing methods. 
 Additionally, executing this function within the contract consumes approximately 2 TGas, which is acceptable for our goals.
 
-Specific implementation parameters for bls12381_map_fp_to_g1 and bls12381_map_fp2_to_g2 can be found in RFC9380 
+Specific implementation parameters for `bls12381_map_fp_to_g1` and `bls12381_map_fp2_to_g2` can be found in RFC9380 
 under sections 8.8.1[^64] and 8.8.2[^65], respectively.
 
 ### Curve points encoding
@@ -532,9 +532,9 @@ This section aims to verify the correctness of summing two valid elements on the
 Edge cases:
 
 - Points not from G1.
-- 0 + 0 = 0.
-- P + 0 = 0 + P = P.
-- P + (-P) = (-P) + P = 0.
+- $\mathcal{O} + \mathcal{O} = \mathcal{O}$.
+- $P + \mathcal{O} = \mathcal{O} + P = P$.
+- $P + (-P) = (-P) + P = \mathcal{O}$.
 - P + P (tangent to the curve).
 - The sum of two points P and (-(P + P)) (tangent to the curve at point P).
 
@@ -543,15 +543,15 @@ Edge cases:
 
 This section aims to validate the correctness of point inversion:
 
-- Generate random points on the curve and verify P - P = -P + P = 0.
+- Generate random points on the curve and verify $P - P = -P + P = \mathcal{O}$.
 - Generate random points on the curve and verify -(-P) = P.
 - Generate random points from G1 and ensure that -P also belong to G1.
 - Utilize an external implementation, generate random points on the curve, and compare results.
 
 Edge cases:
 
 - Point not from G1
-- -0
+- -$\mathcal{O}$
 
 <ins>Tests for incorrect data</ins>
 
@@ -926,9 +926,9 @@ For an empty input, the function returns ERROR_CODE = 0.
 
 <ins>Tests for one pair</ins>
 
-- Generate a random point $P \in G_1$: verify $e(P, 0) = 1$
-- Generate a random point $Q \in G_2$: verify $e(0, Q) = 1$
-- Generate random points $P \ne 0 \in G_1$ and $Q \ne 0 \in G_2$: verify $e(P, Q) \ne 1$  
+- Generate a random point $P \in G_1$: verify $e(P, \mathcal{O}) = 1$
+- Generate a random point $Q \in G_2$: verify $e(\mathcal{O}, Q) = 1$
+- Generate random points $P \ne \mathcal{O} \in G_1$ and $Q \ne \mathcal{O} \in G_2$: verify $e(P, Q) \ne 1$  
 
 <ins>Tests for two pairs</ins>