RFC Errata
RFC 8032, "Edwards-Curve Digital Signature Algorithm (EdDSA)", January 2017
Source of RFC: IRTF
Errata ID: 6306
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Dmitry Khovratovich
Date Reported: 2020-10-15
Section 5.1.7 says:
Decode the first half as a point R, and the second half as an integer S, in the range 0 <= s < L. Decode the public key A as point A'. If any of the decodings fail (including S being out of range), the signature is invalid. 2. Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the 64-octet digest as a little-endian integer k. 3. Check the group equation [8][S]B = [8]R + [8][k]A'. It's sufficient, but not required, to instead check [S]B = R + [k]A'.
It should say:
Decode the first half R as a point R', and the second half as an integer S, in the range 0 <= S < L. Decode the public key A as point A'. If any of the decodings fail (including S being out of range), the signature is invalid. 2. Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the 64-octet digest as a little-endian integer k. 3. Check the group equation [8][S]B = [8]R' + [8][k]A'. It's sufficient, but not required, to instead check [S]B = R' + [k]A'.
Notes:
1) public key R' and its encoding R are confused
2) s changed to S (this errata has been reported already)