ZcashFoundation/redjubjub

Incorrect batch verification equation in comment

daira opened this issue · 0 comments

daira commented

redjubjub/src/batch.rs

Lines 93 to 101 in 0dbe2dd

    /// The batch verification equation is:
    ///
    /// h_G * -[sum(z_i * s_i)]P_G + sum(\[z_i\]R_i + [z_i * c_i]VK_i) = 0_G
    ///
    /// which we split out into:
    ///
    /// h_G * -[sum(z_i * s_i)]P_G + sum(\[z_i\]R_i) + sum([z_i * c_i]VK_i) = 0_G
    ///
    /// so that we can use multiscalar multiplication speedups.

This should be

    /// The batch verification equation is:
    ///
    /// h_G * ( -[sum(z_i * s_i)]P_G + sum(\[z_i\]R_i) + sum([z_i * c_i]VK_i) ) = 0_G
    ///
    /// as given in https://zips.z.cash/protocol/protocol.pdf#reddsabatchvalidate
    /// (the terms are split out so that we can use multiscalar multiplication speedups).

Since the split-out form is already the one given in the spec, there is no need to derive it. More importantly, the cofactor multiplication applies to all terms, not just the term with base $\mathcal{P}_{\mathbb{G}}$. Since `*` has higher precedence than `+`, the given version is wrong. The equation further on in the comment that splits out $\mathcal{P}_{SpendAuth}$ and $\mathcal{P}_{Binding}$ is correct.

This does not affect the implementation, which delegates to the reddsa crate. (The comment in the corresponding reddsa code is also wrong in the same way; I will file a separate issue.)
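The precedence point above, worked through in a toy group as an added example (not code from the issue, redjubjub or reddsa). The additive group Z_N with N = h*q stands in for a curve with cofactor h, and every constant, type and function name below is constructed for illustration.

```rust
// Toy model of a curve with cofactor h: the additive group Z_N, N = h*q.
// All values are constructed for illustration; nothing here is Jubjub.
const H: u64 = 8; // cofactor h_G
const Q: u64 = 1009; // prime order of the main subgroup
const N: u64 = H * Q; // full group order
const P_G: u64 = H; // generator of the order-q subgroup

fn mul(k: u64, p: u64) -> u64 { (k % N) * (p % N) % N } // [k]P
fn add(a: u64, b: u64) -> u64 { (a + b) % N }
fn neg(a: u64) -> u64 { (N - a % N) % N }

/// Toy Schnorr-style signature (R, s) under key VK with challenge c.
struct Item { vk: u64, r: u64, s: u64, c: u64 }

fn sign(sk: u64, nonce: u64, c: u64) -> Item {
    Item { vk: mul(sk, P_G), r: mul(nonce, P_G), s: (nonce + c * sk) % Q, c }
}

/// Returns ( -[sum(z_i * s_i)]P_G , sum([z_i]R_i) + sum([z_i * c_i]VK_i) ).
fn terms(batch: &[Item], z: &[u64]) -> (u64, u64) {
    let (mut s_sum, mut rest) = (0u64, 0u64);
    for (it, &zi) in batch.iter().zip(z) {
        s_sum = (s_sum + zi * it.s) % Q;
        rest = add(rest, add(mul(zi, it.r), mul(zi * it.c, it.vk)));
    }
    (neg(mul(s_sum, P_G)), rest)
}

/// Spec form: h_G * ( -[..]P_G + sum([z_i]R_i) + sum([z_i * c_i]VK_i) ) = 0_G
fn verify_spec(batch: &[Item], z: &[u64]) -> bool {
    let (p_term, rest) = terms(batch, z);
    mul(H, add(p_term, rest)) == 0
}

/// The old comment read literally: ( h_G * -[..]P_G ) + sum(..) + sum(..) = 0_G
fn verify_literal(batch: &[Item], z: &[u64]) -> bool {
    let (p_term, rest) = terms(batch, z);
    add(mul(H, p_term), rest) == 0
}

fn honest_batch() -> Vec<Item> { vec![sign(123, 45, 678), sign(321, 54, 876)] }

fn main() {
    let z = [5, 11]; // fixed batch coefficients, standing in for random z_i
    println!("spec form accepts honest batch:    {}", verify_spec(&honest_batch(), &z));
    println!("literal form accepts honest batch: {}", verify_literal(&honest_batch(), &z));
}
```

With the cofactor bound only to the `P_G` term, the equation fails even for correctly generated signatures, so the old comment cannot describe what a working verifier computes.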