ZcashFoundation / redjubjub

A minimal RedJubjub implementation for use in Zebra.

Incorrect batch verification equation in comment #163

Closed daira closed 1 year ago

daira commented 1 year ago

https://github.com/ZcashFoundation/redjubjub/blob/0dbe2dd455dd565c48a5913e0222a2cf5c8d171f/src/batch.rs#L93-L101

This should be

    /// The batch verification equation is:
    ///
    /// h_G * ( -[sum(z_i * s_i)]P_G + sum(\[z_i\]R_i) + sum([z_i * c_i]VK_i) ) = 0_G
    ///
    /// as given in https://zips.z.cash/protocol/protocol.pdf#reddsabatchvalidate
    /// (the terms are split out so that we can use multiscalar multiplication speedups).

Since the split-out form is already the one given in the spec, there is no need to derive it. More importantly, the cofactor multiplication applies to all terms, not just the term with base $\mathcal{P}_{\mathbb{G}}$. Since `*` has higher precedence than `+`, the given version is wrong. The equation further on in the comment that splits out $\mathcal{P}_{SpendAuth}$ and $\mathcal{P}_{Binding}$ is correct.

This does not affect the implementation which delegates to the reddsa crate. (The comment in the corresponding reddsa code is also wrong in the same way; I will file a separate issue.)
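Added illustration (not part of daira's comment) of why the cofactor must multiply the whole sum, using the notation of the protocol spec's RedDSA.Validate and RedDSA.BatchValidate:

Each signature $(R_i, s_i)$ on its own satisfies

$$[h_{\mathbb{G}}]\big(-[s_i]\mathcal{P}_{\mathbb{G}} + R_i + [c_i]\mathit{vk}_i\big) = 0_{\mathbb{G}} .$$

Multiplying the $i$-th equation by a random scalar $z_i$ and summing over all signatures, scalar multiplication distributes over point addition and scalars commute, so the cofactor factors out of the entire sum:

$$\sum_i [z_i]\,[h_{\mathbb{G}}]\big(-[s_i]\mathcal{P}_{\mathbb{G}} + R_i + [c_i]\mathit{vk}_i\big)
 = [h_{\mathbb{G}}]\Big(-\Big[\textstyle\sum_i z_i s_i\Big]\mathcal{P}_{\mathbb{G}} + \sum_i [z_i]R_i + \sum_i [z_i c_i]\mathit{vk}_i\Big) = 0_{\mathbb{G}} .$$

Reading the original comment with `*` binding tighter than `+` instead gives

$$-\Big[h_{\mathbb{G}} \cdot \textstyle\sum_i z_i s_i\Big]\mathcal{P}_{\mathbb{G}} + \sum_i [z_i]R_i + \sum_i [z_i c_i]\mathit{vk}_i ,$$

in which only the $\mathcal{P}_{\mathbb{G}}$ term has its small-order component cleared while the $R_i$ and $\mathit{vk}_i$ terms do not, so it is not the quantity the batch check compares against $0_{\mathbb{G}}$.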