Update docs

Signed-off-by: lovesh <lovesh.bond@gmail.com>

Author: lovesh

equality_across_groups/src/ec/sw_scalar_mult.rs

@@ -228,6 +228,7 @@ impl<P: AffineRepr, C: AffineRepr, const NUM_REPS: usize>
                 let bit_idx = i % 8;
                 let c = (challenge[byte_idx] >> bit_idx) & 1;
                 // If c = 0, send opening of point alpha * base else send opening of (alpha-omega) * base
+                // If c = 0, the point addition protocol gets a challenge value of "-1" else it gets the value "1"
                 if c == 0 {
                     ScalarMultiplicationProofSingleRep {
                         comm_alpha: p.comm_alpha.comm,
@@ -300,6 +301,7 @@ impl<P: AffineRepr, C: AffineRepr, const NUM_REPS: usize>
                 comm_key_2,
             )?;
             // If c = 0, expect opening of point alpha * base else expect opening of (alpha-omega) * base
+            // If c = 0, the point addition protocol gets a challenge value of "-1" else it gets the value "1"
             if c == 0 {
                 if self.0[i].comm_alpha
                     != CommitmentWithOpening::new_given_randomness(

equality_across_groups/src/pok_ecdsa_pubkey.rs

@@ -15,7 +15,11 @@
 //!
 //! Thus using the protocols for scalar multiplication and point addition, the prover proves:
 //! - Given commitments to `z` and `-z*R`, the scalar multiplication of `z` and `-R` is indeed `-z*R`
-//! - Given commitments to `q` and `-z*R`, the sum of `q` and `-z*R` is indeed `-g*t*r^-1`
+//! - Given commitments to `q` and `-z*R`, the sum of `q` and `-z*R` is indeed `-g*t*r^-1`. Note that the `-g*t*r^-1` is public but
+//! the point addition protocol expects all 3 points to be committed so the prover commits to `-g*t*r^-1` and the proof
+//! contains the randomness used in its commitment. The verifier can itself compute `-g*t*r^-1` so using the randomness in the proof,
+//! it computes the same commitment to `-g*t*r^-1` as the prover's. So I could use a point addition protocol where the resulting point
+//! isn't committed but that protocol isn't going to be any better than the currently implemented one.
 //!
 
 #![allow(non_snake_case)]
@@ -58,7 +62,8 @@ pub struct PoKEcdsaSigCommittedPublicKeyProtocol<const NUM_REPS_SCALAR_MULT: usi
     pub comm_z: Affine,
     /// Commitment to coordinates of `-z*R`
     pub comm_minus_zR: PointCommitment<crate::tom256::Affine>,
-    /// Randomness in the commitment to coordinates of `-g*t*r^-1`
+    /// Randomness in the commitment to coordinates of `-g*t*r^-1` so verifier can create the same commitment
+    /// to `-g*t*r^-1` as the prover.
     pub comm_minus_g_t_r_inv_rand: (
         <crate::tom256::Affine as AffineRepr>::ScalarField,
         <crate::tom256::Affine as AffineRepr>::ScalarField,
@@ -78,7 +83,8 @@ pub struct PoKEcdsaSigCommittedPublicKey<const NUM_REPS_SCALAR_MULT: usize = 128
     pub comm_z: Affine,
     /// Commitment to coordinates of `-z*R`
     pub comm_minus_zR: PointCommitment<crate::tom256::Affine>,
-    /// Randomness in the commitment to coordinates of `-g*t*r^-1`
+    /// Randomness in the commitment to coordinates of `-g*t*r^-1` so verifier can create the same commitment
+    /// to `-g*t*r^-1` as the prover.
     pub comm_minus_g_t_r_inv_rand: (
         <crate::tom256::Affine as AffineRepr>::ScalarField,
         <crate::tom256::Affine as AffineRepr>::ScalarField,