Add note about non-uniformity of Orchard ivk.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -4943,11 +4943,16 @@ The \diversifiedPaymentAddress with \diversifierIndex $0$ is called the \definin
 \end{pnotes}
 
 \vspace{-2ex}
-\nnote{
-The uses of $\ToScalar{Orchard}$ and $\ToBase{Orchard}$ produce output that is
-uniform on $\GF{\ParamP{r}}$ and $\GF{\ParamP{q}}$ respectively when applied to random
-input, by a similar argument to that used in \crossref{saplingkeycomponents}.
-} %nnote
+\begin{nnotes}
+  \item The uses of $\ToScalar{Orchard}$ and $\ToBase{Orchard}$ produce output that is
+        uniform on $\GF{\ParamP{r}}$ and $\GF{\ParamP{q}}$ respectively when applied to
+        random input, by a similar argument to that used in \crossref{saplingkeycomponents}.
+  \item The output of $\CommitIvk{}$ is the $x$-coordinate of a \pallasCurve point, which
+        we then use as a $\KA{Orchard}$ private key $\InViewingKey$ for \note encryption.
+        The fact that $\InViewingKey$ is non-uniform on $\GF{\ParamP{r}}$ (since it can
+        only take on roughly half of the possible values) is not expected to cause any
+        security issue.
+\end{nnotes}
 } %nufive
 
 
@@ -14220,6 +14225,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
 \nufive{
     \item Correct errors in the definitions of $\ExtractP$ and $\ExtractPbot$ in \crossref{concreteextractorpallas}:
           $\ExtractP(\ZeroP)$ should be $0$, and $\ExtractPbot(\bot)$ should be $\bot$.
+    \item Add a note in \crossref{orchardkeycomponents} about non-uniformity of $\InViewingKey$.
 }
     \item Fix some URLs in references.
 \end{itemize}