From abcc04d6a69d5a108f7d0ca6cca9d40fbd971e4c Mon Sep 17 00:00:00 2001
From: Mark Wooding <mdw@distorted.org.uk>
Date: Sat, 15 Jul 2017 17:55:31 +0100
Subject: [PATCH] shamir.1: Inhibit line breaks in nroff equations.

Reformat the nroff equation setting to use ties before binary operators
and relations, because there were some pretty terrible line-breaks.
---
 shamir.1 | 210 +++++++++++++--------------------------------------------------
 1 file changed, 41 insertions(+), 169 deletions(-)

diff --git a/shamir.1 b/shamir.1
index ce71a1e..dc5effc 100644
--- a/shamir.1
+++ b/shamir.1
@@ -136,15 +136,7 @@ any
 of them can be used to reassemble the original secret.
 It must be the case that
 .ie t $1 <= "thresh" <= "count" <= 255$.
-.el \{\
-1
-\(<=
-.I thresh
-\(<=
-.I count
-\(<=
-255.
-.\}
+.el .RI "1\~\(<= " thresh "\~\(<= " count "\~\(<= 255."
 .PP
 The first line contains secret-sharing parameters,
 which will be required in any recovery operation.
@@ -332,12 +324,7 @@ Its slots are as follows.
 The share's index,
 as a decimal integer;
 .ie t $0 <= i < "count"$.
-.el \{\
-0 \(<=
-.I i
-<
-.IR count .
-.\}
+.el .RI "0\~\(<= " i "\~< " count .
 .TP
 .B y
 The share data, Base64 encoded.
@@ -351,85 +338,42 @@ Let
 be a field.
 Suppose we are given a secret
 .ie t $s member k$
-.el \{\
-.I s
-\*(mo
-.I k
-.\}
+.el .IR s \~\*(mo\~ k
 which we want to split into shares
 such that any $t$ of them can be used to recover
 .IR s .
 Choose coefficients
 .ie t $a sub i member k$
-.el \{\
-.IR a _ i
-\*(mo
-.I k
-.\}
+.el .IR a _ i \~\*(mo\~ k
 for
 .ie t $1 <= i < t$
-.el \{\
-1 \(<=
-.I i
-<
-.I t
-.\}
+.el .RI "1\~\(<= " i \~<\~ t
 at random.
 Let 
 .ie t $p(x) = s + a sub 1 x + ... + a sub {t-1} x sup {t-1}$.
 .el \{\
-.IR p ( x )
-=
-.I s
-+
-.IR a _1
-.I x
-+ ... +
-.IR a _( t \-1)
-.IR x ^( t \-1).
+.IR p ( x ")\~= " s "\~+ " a "_1\~+ ...\~+"
+.IR a _( t \-1)\~ x ^( t \-1).
 .\}
 Note that
 .ie t $p(0) = s$.
-.el \{\
-.IR p (0)
-=
-.IR s .
-.\}
+.el .IR p "(0)\~= " s .
 We can evaluate 
 .I p
 to obtain shares
 .ie t $y sub i = p( x sub i )$
-.el \{\
-.IR y _ i
-=
-.IR p ( x _ i )
-.\}
+.el .IR y _ i "\~= " p ( x _ i )
 for various
 .ie t $x sub i member k - lbrace ~ 0 ~ rbrace$.
-.el \{\
-.IR x _ i
-\*(mo
-.I k
-\-
-{ 0 }.
-.\}
+.el .IR x _ i "\~\*(mo " k "\~\- {\~0\~}."
 .PP
 How do we recover the secret?
 Suppose we are given
 .ie t $y sub i = p( x sub i )$
-.el \{\
-.IR y _ i
-=
-.IR p ( x _ i )
-.\}
+.el .IR y _ i "\~= " p ( x _ i )
 for
 .ie t $0 <= i < t$,
-.el \{\
-0 \(<=
-.I i
-<
-.IR t .
-.\}
+.el .RI "0\~\(<= " i "\~< " t ,
 where the
 .ie t $x sub i$
 .el .IR x _ i
@@ -463,30 +407,17 @@ Then
 .el .RI \*(*l_ i
 is a
 .ie t degree-$(t - 1)$
-.el \{\
-.RI degree-( t
-\- 1)
-.\}
+.el .RI degree-( t \~\-\~1)
 polynomial
 such that 
 .ie t $lambda sub i ( x sub i ) = 1$,
-.el \{\
-.RI \*(*l_ i ( x _ i )
-= 1,
-.\}
+.el .RI \*(*l_ i ( x _ i )\~=\~1,
 and
 .ie t $lambda sub i ( x sub j ) = 0$
-.el \{\
-.RI \*(*l_ i ( x _ j )
-= 0
-.\}
+.el .RI \*(*l_ i ( x _ j )\~=\~0
 if
 .ie t $j != i$.
-.el \{\
-.I j
-\(!=
-.IR i .
-.\}
+.el .IR j \~\(!=\~ i .
 Define
 .ie t \{\
 .EQ
@@ -511,72 +442,36 @@ Note that
 .I q
 has degree
 .ie t $t - 1$,
-.el \{\
-.I t
-\- 1,
-.\}
+.el .IR t "\~\- 1"
 and
 .ie t $q( x sub i ) = y sub i = p( x sub i )$
-.el \{\
-.IR q ( x _ i )
-=
-.IR y _ i
-=
-.IR p ( x _ i )
-.\}
+.el .IR q ( x _ i ")\~= " y _ i "\~= " p ( x _ i )
 for all
 .ie t $0 <= i < t$.
-.el \{\
-0 \(<=
-.I i
-<
-.IR t .
-.\}
+.el .RI "0\~\(<= " i \~<\~ t .
 Hence
 .ie t $p - q$
-.el \{\
-.I p
-\-
-.I q
-.\}
+.el .IR p \~\-\~ q
 is a polynomial with degree at most
 .ie t $t - 1$
-.el \{\
-.I t
-\- 1
-.\}
+.el .IR t \~\-\~1
 but with at least
 .I t
 distinct zeros;
 therefore
 .ie t $q - p$
-.el \{\
-.I p
-\-
-.I q
-.\}
+.el .IR q \~\-\~ p
 must be identically zero
 and hence
 .ie t $q == p$
-.el \{\
-.I q
-\(==
-.I p
-.\}
+.el .IR q \~\(==\~ p
 and
 .ie t $s = q(0)$.
-.el \{\
-.I s
-=
-.IR q (0).
-.\}
+.el .IR s "\~= " q (0).
 .PP
 Suppose we are given
 .ie t $t - 1$
-.el \{\
-.I t
-\- 1
-.\}
+.el .IR t \~\-\~1
 shares.
 Then,
 for any putative secret
@@ -613,54 +508,36 @@ This program uses the field
 represented as the quotient ring
 .ie t $FIELD sub 2 [u]/( u sup 8 + u sup 4 + u sup 3 + u sup 2 + 1 )$.
 .el \{\
-.RI GF(2)[ u ]/( u ^8
-+
-.IR u ^4
-+
-.IR u ^3
-+
-.IR u ^2
-+
-1).
+.RI GF(2)[ u ]/( u ^8\~+
+.IR u ^4\~+
+.IR u ^3\~+
+.IR u ^2\~+\~1).
 .\}
 Hence, a field element fits exactly into a single byte:
 specifically, the field element
 .ie t $x = a sub 0 + a sub 1 u + ... + a sub 7 u sup 7$
 .el \{\
-.I x
-=
-.IR a _0
-+
-.IR a _1
-.I u
-+ ... +
-.IR a _7
-.IR u ^7
+.IR x \~=
+.IR a _0\~+
+.IR a _1\~ u \~+
+\&...\~+
+.IR a _7\~ u ^7
 .\}
 corresponds to the byte
 .ie t $B(x) = a sub 0 + 2 a sub 1 + ... + 2 sup 7 a sub 7$.
 .el \{\
-.IR B ( x )
-=
-.IR a _0
-+
-2
-.IR a _1
-+ ... +
-2^7
-.IR a _7.
+.IR B ( x )\~=
+.IR a _0\~+
+.RI 2\~ a _1\~+
+\&... +
+.RI 2^7\~ a _7.
 .\}
 Secrets longer than a single byte are shared bytewise independently,
 which is why the shares leak information about the secret size.
 .PP
 The program represents share indices as small integers
 .ie t $0 <= i < n$;
-.el \{\
-0 \(<=
-.I i
-<
-.IR n ;
-.\}
+.el .RI "0\~\(<= " i \~<\~ n ;
 specifically, the share with index
 .I i
 is generated by
@@ -669,12 +546,7 @@ evaluating the polynomial
 .el .IR p ( x )
 where
 .ie t $i = B(x) - 1$.
-.el \{\
-.I i
-=
-.IR B ( x )
-\- 1.
-.\}
+.el .IR i "\~= " B ( x )\~\-\~1.
 .SH AUTHOR
 Mark Wooding, <mdw@distorted.org.uk>
 .SH SEE ALSO
-- 
2.11.0