In RedDSA verification, clarify that \underline{R} used as part of the input to H^\ast must be exactly as encoded in the signature.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2020-07-04 03:47:29 +01:00
parent cbf4cb52f1
commit 553be0f9eb
1 changed files with 5 additions and 3 deletions

@ -7246,9 +7246,9 @@ Define $\RedDSAValidate{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \t
\vspace{-2ex}
\begin{pnotes}
\item The validation algorithm \emph{does not} check that $\RedDSASigR{}$ is a point of order
at least $\ParamG{r}$. It \emph{does} check that $\RedDSAReprR{}$ is the canonical representation
(as output by $\reprG{}$) of a point on the curve. This is different to \EdSpecific as specified in
\crossref{concretejssig}.
at least $\ParamG{r}$.
\item The value $\RedDSAReprR{}$ used as part of the input to $\RedDSAHashToScalar$ \MUST be exactly
as encoded in the signature.
\item Appendix \crossref{reddsabatchvalidate} describes an optimization that \MAY be used to speed up
validation of batches of $\RedDSA$ signatures.
\end{pnotes}
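Review bot: the new \item on $\RedDSAReprR{}$ states the requirement ("exactly as encoded in the signature") without naming the failure it rules out. Suggest saying explicitly that the input to $\RedDSAHashToScalar$ is the byte string taken from the signature, not $\reprG{}$ applied to the decoded $\RedDSASigR{}$, since the two can differ only when the encoding in the signature is not the canonical one. The same hunk shows the first \item both with and without the sentence "It \emph{does} check that $\RedDSAReprR{}$ is the canonical representation" and the comparison to \EdSpecific; if that sentence is being dropped, the notes should say whether non-canonical encodings of $\RedDSASigR{}$ are accepted, because that is the case in which the new \MUST changes the outcome of validation.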
@ -10523,6 +10523,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Change the specification of $\abstJ$ in \crossref{jubjub} to match the implementation.
\item Repair the argument for $\GroupJHash{\URS}$ being usable as a random oracle, which
previously depended on $\abstJ$ being injective.
\item In $\RedDSA$ verification, clarify that $\RedDSAReprR{}$ used as part of the input to
$\RedDSAHashToScalar$ must be exactly as encoded in the signature.
}
\canopy{
\item Specify that \shieldedOutputs of \coinbaseTransactions \MUST use v2 \notePlaintexts after
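Review bot: the change-history \item added here ("In $\RedDSA$ verification, clarify that $\RedDSAReprR{}$ used as part of the input to $\RedDSAHashToScalar$ must be exactly as encoded in the signature") records only the new requirement. The notes hunk in the same commit also changes the wording about the canonical-representation check and the comparison with \EdSpecific, and the entry does not mention it; suggest extending the entry so a reader comparing versions of the specification can see that the validation notes changed in both respects. The entry also uses lower-case "must" where the note uses \MUST; confirm that is intended for the history list.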