RFC 8032, "Edwards-Curve Digital Signature Algorithm (EdDSA)", January 2017

Source of RFC: cfrg (irtf)

Errata-ID: 5968

Status: Verified
Type: Technical
Reported By: Valeria Nikolaenko
Date Reported: 2020-01-28
Verified by: Nick Sullivan
Date Verified: 2026-01-27

Section 3.1 says:

3.1.  Encoding

   An integer 0 < S < L - 1 is encoded in little-endian form as a b-bit
   string ENC(S).

It should say:

3.1.  Encoding

   An integer 0 <= S <= L - 1 is encoded in little-endian form as a b-bit
   string ENC(S).

Notes:

The range of the scalar should include the end-points: 0 and L-1.

--VERIFIER NOTE--
Verified. Section 3.1 specifies 0 < S < L - 1 (excluding both 0 and
L-1) but Section 5.1.7 verification requires 0 <= S < L (including
both endpoints). This internal inconsistency is corrected by changing
Section 3.1 to 0 <= S <= L - 1, which is mathematically equivalent
to 0 <= S < L. Security is unaffected as both formulations reject
S >= L (preventing malleability). All known implementations follow
Section 5.1.7's range. See EID 7031 (same paper - held for document
update as it adds content rather than fixing an error).
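
The scalar range discussed in this erratum, as an added example that is not part of the erratum or of RFC 8032's own code. It assumes the Ed25519 parameters from RFC 8032 (b = 256 and the group order L); the function names and the all-zero R placeholder are hypothetical.

```python
# Added example. Assumes Ed25519 parameters from RFC 8032.
B_BITS = 256
SCALAR_LEN = B_BITS // 8
L = 2**252 + 27742317777372353535851937790883648493  # group order


def enc_scalar(s: int) -> bytes:
    """ENC(S) with the corrected Section 3.1 range 0 <= S <= L - 1."""
    if not 0 <= s <= L - 1:
        raise ValueError("scalar outside 0 <= S <= L - 1")
    return s.to_bytes(SCALAR_LEN, "little")


def decode_s(signature: bytes) -> int:
    """Decode S from a signature R || S, enforcing 0 <= S < L (Section 5.1.7)."""
    if len(signature) != 2 * SCALAR_LEN:
        raise ValueError("signature must be 64 octets")
    s = int.from_bytes(signature[SCALAR_LEN:], "little")
    if s >= L:
        # S and S + L are congruent mod L, so without this check the same
        # (R, message) pair would have more than one accepted encoding.
        raise ValueError("non-canonical S (S >= L)")
    return s


def s_is_canonical(signature: bytes) -> bool:
    """True when the S half of the signature passes the range check."""
    try:
        decode_s(signature)
    except ValueError:
        return False
    return True


# Constructed sample input: R is a placeholder, only the S half is examined.
R_PLACEHOLDER = bytes(SCALAR_LEN)


def sample_signature(s: int) -> bytes:
    """Build a constructed R || S byte string with an arbitrary 256-bit S."""
    return R_PLACEHOLDER + s.to_bytes(SCALAR_LEN, "little")


if __name__ == "__main__":
    for label, s in [("0", 0), ("L-1", L - 1), ("L", L), ("5+L", 5 + L)]:
        print(label, s_is_canonical(sample_signature(s)))
```

Only the S range check is shown; a full verifier also decodes R and the public key and checks the group equation.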