The return type of $GroupHash^{\mathbb{J}^{(r)*}}$ in \crossref{concretegrouphashjubjub}

was incorrectly given as $\mathbb{J}^{(r)*}$, rather than the correct
$\mathbb{J}^{(r)*} \cup \{\bot\}$.

Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -10837,7 +10837,7 @@ Let $D \typecolon \byteseq{8}$ be an $8$-byte domain separator, and
 let $M \typecolon \byteseqs$ be the hash input.
 
 \introlist
-The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as follows:
+The hash $\GroupJHash{\URS}(D, M) \typecolon \maybe{\SubgroupJstar}$ is calculated as follows:
 
 \begin{algorithm}
   \item let $\HashOutput = \BlakeTwos{256}(D,\, \URS \bconcat\, M)$
@@ -14654,6 +14654,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
 \begin{itemize}
     \item Change Daira Emma Hopwood's name.
 \sapling{
+    \item The return type of $\GroupJHash{}$ in \crossref{concretegrouphashjubjub} was
+          incorrectly given as $\SubgroupJstar$, rather than the correct $\maybe{\SubgroupJstar}$.
     \item In the discussion of partitioning oracle attacks on \note encryption in \crossref{inbandrationale},
           we now use the fact that $\DiversifiedTransmitBase$ has order greater than the maximum value of
           $\InViewingKey$, rather than assuming that $\DiversifiedTransmitBase$ is a non-zero point