The batch verification equation is incorrect

[Yawning]

The code per comments (and manual inspection) uses -B ∑ s_i + ∑ P_i H(R_i || P_i || m_i) + ∑ R_i = 0 as the batch verification equation.

This is wrong and should be -B ∑ z_i s_i + ∑ z_i P_i H(R_i || P_i || m_i) + ∑ z_i R_i = 0, where z_i are uniform random 128-bit scalars.