Correct the statement about FindGroupHash^J never returning \bot.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-05-22 21:57:30 +01:00
parent b59e8d45b5
commit 62f0c6a49b
1 changed files with 4 additions and 1 deletions

@ -6756,7 +6756,9 @@ Let $\FindGroupJHashOf{D, M} =
\begin{pnotes}
\item The $\BlakeTwos{256}$ chaining variable after processing $\CRS$ may be precomputed.
\item For random input, $\FindGroupJHash$ returns $\bot$ with probability approximately $2^{-256}$.
In the \Zcash protocol, uses of $\FindGroupJHash$ never return $\bot$.
In the \Zcash protocol, most uses of $\FindGroupJHash$ are for constants and do not
return $\bot$; the only use that could potentially return $\bot$ is in the
computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycomponents}.
\end{pnotes}
}
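Review bot: The added sentence in this pnotes item names the computation of a \defaultDiversifiedPaymentAddress as the one use that can return $\bot$, but it does not say what is done when that happens. Suggest adding a clause stating the required handling, or confirming that \crossref{saplingkeycomponents} specifies it, so that an implementer does not assume the result is always a valid group element. The claim that the constant uses "do not return $\bot$" would also read more precisely with its reason attached: the inputs are fixed, so the outcome is already known when the constants are generated.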
@ -8996,6 +8998,7 @@ found by Brian Warner.
\item Ensure $\AuthSignBase$ is defined in \crossref{concretespendauthsig}.
\item Make the public key prefix part of the input to the \hashFunction in $\RedDSA$,
not part of the message.
\item Correct the statement about $\FindGroupJHash$ never returning $\bot$.
\item Change terminology describing constraint systems.
} %sapling
\end{itemize}
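Review bot: The change-history item added after the $\RedDSA$ entry repeats the commit subject and does not say what the statement was corrected to. Suggest wording it so that the remaining $\bot$ case is visible from the change history, for example by mentioning the \defaultDiversifiedPaymentAddress computation named in the first hunk.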