From 1442d4dabca9ac9a5323c0c366c6d10fd9f9c38c Mon Sep 17 00:00:00 2001
From: Pieter Wuille <pieter.wuille@gmail.com>
Date: Tue, 15 Oct 2019 12:11:17 -0700
Subject: [PATCH] Formulate claims about BatchVerify more accurately

---
 bip-schnorr.mediawiki | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bip-schnorr.mediawiki b/bip-schnorr.mediawiki
index af279c7f..b7bd541e 100644
--- a/bip-schnorr.mediawiki
+++ b/bip-schnorr.mediawiki
@@ -192,7 +192,7 @@ The algorithm ''BatchVerify(pk<sub>1..u</sub>,m<sub>1..u</sub>,sig<sub>1..u</sub
 * Fail if ''(s<sub>1</sub> + a<sub>2</sub>s<sub>2</sub> + ... + a<sub>u</sub>s<sub>u</sub>)⋅G &ne; R<sub>1</sub> + a<sub>2</sub>⋅R<sub>2</sub> + ... + a<sub>u</sub>⋅R<sub>u</sub> + e<sub>1</sub>⋅P<sub>1</sub> + (a<sub>2</sub>e<sub>2</sub>)⋅P<sub>2</sub> + ... + (a<sub>u</sub>e<sub>u</sub>)⋅P<sub>u</sub>''.
 * Return success iff no failure occurred before reaching this point.
 
-With overwhelming probability, ''BatchVerify(pk<sub>1..u</sub>,m<sub>1..u</sub>,sig<sub>1..u</sub>) = Verify(pk<sub>1</sub>,m<sub>1</sub>,sig<sub>1</sub>) and Verify(pk<sub>2</sub>,m<sub>2</sub>,sig<sub>2</sub>) and ... and Verify(pk<sub>u</sub>,m<sub>u</sub>,sig<sub>u</sub>)''. If all signatures are valid it will always succeed. If one or more signatures are invalid, it will succeed with probability ''2<sup>-n</sup>''.
+If all individual signatures are valid (i.e., ''Verify'' would return success for them), ''BatchVerify'' will always return success. If at least one signature is invalid, ''BatchVerify'' will return success with at most a negligable probability.
 
 === Optimizations ===