redjubjub/src/batch.rs
Lines 93 to 101 in 0dbe2dd
/// so that we can use multiscalar multiplication speedups.
This should be:
/// The batch verification equation is:
///
/// h_G * ( -[sum(z_i * s_i)]P_G + sum([z_i]R_i) + sum([z_i * c_i]VK_i) ) = 0_G
///
/// as given in https://zips.z.cash/protocol/protocol.pdf#reddsabatchvalidate
/// (the terms are split out so that we can use multiscalar multiplication speedups).
Since the split-out form is already the one given in the spec, there is no need to derive it. More importantly, the cofactor multiplication applies to all terms, not just the term with base $\mathcal{P}_{\mathbb{G}}$. Since * has higher precedence than +, the given version is wrong. The equation further on in the comment that splits out $\mathcal{P}_{SpendAuth}$ and $\mathcal{P}_{Binding}$ is correct.
This does not affect the implementation which delegates to the reddsa crate. (The comment in the corresponding reddsa code is also wrong in the same way; I will file a separate issue.)