Update RedDSA verification to use cofactor multiplication.

This is necessary in order for the output of batch verification to match unbatched verification in all cases.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -6559,7 +6559,7 @@ Define $\RedDSAVerify{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typ
   \item Let $\vkBytes = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\vk}}$.
   \item Let $\RedDSASigc = \RedDSAHashToScalar(\RedDSAReprR \bconcat \vkBytes \bconcat M)$.
   \item Return $1$ if $\RedDSASigR \neq \bot$ and $\RedDSASigS < \ParamG{r}$ and
-        $\scalarmult{\RedDSASigS}{\GenG{}} = \RedDSASigR + \scalarmult{\RedDSASigc}{\vk}$, otherwise $0$.
+        $\scalarmult{\ParamG{h}}{\big(\!\!-\scalarmult{\RedDSASigS}{\GenG{}} + \RedDSASigR + \scalarmult{\RedDSASigc}{\vk}\big)} = \ZeroG{}$, otherwise $0$.
 \end{algorithm}
 
 \vspace{-4ex}
@@ -9553,6 +9553,18 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
 \intropart
 \section{Change History}
 
+\subparagraph{2018.0-beta-23}
+
+\begin{itemize}
+    \item No changes to \Sprout.
+\sapling{
+    \item Update $\RedDSA$ verification to use cofactor multiplication.
+          This is necessary in order for the output of batch verification to match
+          that of unbatched verification in all cases.
+} %sapling
+\end{itemize}
+
+\introlist
 \subparagraph{2018.0-beta-22}
 
 \begin{itemize}