diff --git a/bip-0340.mediawiki b/bip-0340.mediawiki
index a67afe36a4..eacc71737a 100644
--- a/bip-0340.mediawiki
+++ b/bip-0340.mediawiki
@@ -201,7 +201,7 @@ Input:
* The signatures ''sig1..u'': ''u'' 64-byte arrays
The algorithm ''BatchVerify(pk1..u, m1..u, sig1..u)'' is defined as:
-* Generate ''u-1'' random integers ''a2...u'' in the range ''1...n-1''. They are generated deterministically using a [https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator CSPRNG] seeded by a cryptographic hash of all inputs of the algorithm, i.e. ''seed = seed_hash(pk1..pku || m1..mu || sig1..sigu )''. A safe choice is to instantiate ''seed_hash'' with SHA256 and use [https://tools.ietf.org/html/rfc8439 ChaCha20] with key ''seed'' as a CSPRNG to generate 256-bit integers, skipping integers not in the range ''1...n-1''.
+* Generate ''u-1'' uniformly random integers ''a2...u'' in the range ''0..n-1'' or alternatively in the range ''0...2128-1''.[Integers are not required to be larger than 128 bits to achieve the desired security level of 128 bits (see [[bip-0340/batch-randomizers.mediawiki|lemma]]). Shorter integers can speed up computations in optimized implementations.] It is recommended to generate them deterministically using a [https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator CSPRNG] seeded by a cryptographic hash of all inputs of the algorithm, i.e. ''seed = seed_hash(pk1..pku || m1..mu || sig1..sigu )''. A safe choice is to instantiate ''seed_hash'' with SHA256 and use [https://tools.ietf.org/html/rfc8439 ChaCha20] with key ''seed'' as a CSPRNG.
* For ''i = 1 .. u'':
** Let ''Pi = lift_x(int(pki))''; fail if it fails.
** Let ''ri = int(sigi[0:32])''; fail if ''ri ≥ p''.
diff --git a/bip-0340/batch-randomizers.mediawiki b/bip-0340/batch-randomizers.mediawiki
new file mode 100644
index 0000000000..32ed6a07dc
--- /dev/null
+++ b/bip-0340/batch-randomizers.mediawiki
@@ -0,0 +1,16 @@
+= Size of Randomizers in BIP-340 Batch Verification =
+
+'''Lemma:''' For public keys ''pk1..u'', messages ''m1..u'', signatures ''sig1..u'', the probability that ''BatchVerify(pk1..u, m1..u, sig1..u)'' with uniform 128-bit randomizers succeeds and there exists ''i'' in range ''1..u'' such that ''Verify(pki, mi, sigi)'' fails is not more than 2-128.
+
+''Proof:'' For ''i = 1 .. u'', let
+* ''Pi := lift_x(int(pki))'',
+* ''ri := int(sig[0:32])'',
+* ''Ri := lift_x(ri)'',
+* ''si := int(sig[32:64])''.
+
+If there exists an ''i'' such that ''lift_x'' for ''Pi'' or ''Ri'' fails or ''ri ≥ p'' or ''si ≥ n'', then both ''Verify(pki, mi, sigi)'' and ''BatchVerify(pk1..u, m1..u, sig1..u)'' fail.
+
+Otherwise ''Verify(pki, mi, sigi)'' fails if and only if ''Ci := si⋅G - Ri - ei⋅Pi ≠ 0''.
+We let ''ci'' be the discrete logarithm of ''Ci'' with respect to a fixed group generator and define the polynomial ''fu(a2, ..., au) = c1 + a2c2 + .... + aucu''.
+''BatchVerify'' succeeds if and only if ''fu'' evaluated on uniform randomizers ''a2, ..., au'' is 0.
+Assume there exists ''i'' in range ''1..u'' such that ''Verify(pki, mi, sigi)'' fails. Then ''fu'' is not the zero polynomial and by the [https://en.wikipedia.org/wiki/Schwartz%E2%80%93Zippel_lemma Schwartz–Zippel lemma], we have ''Pr[fu(a2, ..., au) = 0] ≤ 2-128''. QED.
\ No newline at end of file