From 0d4191bae5facdb7b4ae20ab5f7afc98f7e84877 Mon Sep 17 00:00:00 2001
From: Pieter Wuille <pieter.wuille@gmail.com>
Date: Tue, 15 Oct 2019 12:11:17 -0700
Subject: [PATCH] Formulate claims about BatchVerify more accurately

---
 bip-schnorr.mediawiki | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bip-schnorr.mediawiki b/bip-schnorr.mediawiki
index af279c7f..b7bd541e 100644
--- a/bip-schnorr.mediawiki
+++ b/bip-schnorr.mediawiki
@@ -192,7 +192,7 @@ The algorithm ''BatchVerify(pk<sub>1..u</sub>,m<sub>1..u</sub>,sig<sub>1..u</sub
 * Fail if ''(s<sub>1</sub> + a<sub>2</sub>s<sub>2</sub> + ... + a<sub>u</sub>s<sub>u</sub>)⋅G &ne; R<sub>1</sub> + a<sub>2</sub>⋅R<sub>2</sub> + ... + a<sub>u</sub>⋅R<sub>u</sub> + e<sub>1</sub>⋅P<sub>1</sub> + (a<sub>2</sub>e<sub>2</sub>)⋅P<sub>2</sub> + ... + (a<sub>u</sub>e<sub>u</sub>)⋅P<sub>u</sub>''.
 * Return success iff no failure occurred before reaching this point.
 
-With overwhelming probability, ''BatchVerify(pk<sub>1..u</sub>,m<sub>1..u</sub>,sig<sub>1..u</sub>) = Verify(pk<sub>1</sub>,m<sub>1</sub>,sig<sub>1</sub>) and Verify(pk<sub>2</sub>,m<sub>2</sub>,sig<sub>2</sub>) and ... and Verify(pk<sub>u</sub>,m<sub>u</sub>,sig<sub>u</sub>)''. If all signatures are valid it will always succeed. If one or more signatures are invalid, it will succeed with probability ''2<sup>-n</sup>''.
+If all individual signatures are valid (i.e., ''Verify'' would return success for them), ''BatchVerify'' will always return success. If at least one signature is invalid, ''BatchVerify'' will return success with at most a negligable probability.
 
 === Optimizations ===