ChainSafe / go-schnorrkel

🍵 Schnorr Signatures over Ristretto255 in pure Go

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

The batch verification equation is incorrect

Yawning opened this issue · comments

The code per comments (and manual inspection) uses -B ∑ s_i + ∑ P_i H(R_i || P_i || m_i) + ∑ R_i = 0 as the batch verification equation.

This is wrong and should be -B ∑ z_i s_i + ∑ z_i P_i H(R_i || P_i || m_i) + ∑ z_i R_i = 0, where z_i are uniform random 128-bit scalars.