Add a step to the algorithm for generating an Orchard note in \crossref{orchardsend}, to restart if esk = 0.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -5640,6 +5640,7 @@ performs the following steps:
   \item Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$.
   \item Let $\NoteUniqueRand = \nfOld{}$ from the same \actionDescription, and let $\NoteUniqueRandBytes = \ItoLEOSPOf{256}{\NoteUniqueRand}$.
   \item Derive $\EphemeralPrivate = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([4] \bconcat \NoteUniqueRandBytes)\kern-0.1em\big)$.
+  \item If $\EphemeralPrivate = 0 \pmod{\ParamP{r}}$, repeat the above steps using a different $\NoteSeedBytes$.
   \item Derive $\NoteCommitRand = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([5] \bconcat \NoteUniqueRandBytes)\kern-0.11em\big)$.
   \item Derive $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9] \bconcat \NoteUniqueRandBytes)\kern-0.09em\big)$.
   \item Let $\cvNet{}$ be the \valueCommitment to the value of the input \note minus the value $\Value$
@@ -14402,6 +14403,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
     \item Correct the type of $\Uncommitted{Orchard}$, which should be $\GroupPx$ rather than a
           bit sequence.
     \item Explicitly say that padding in \crossref{concretesinsemillahash} is by appending zero bits.
+    \item Add a step to the algorithm for generating an \Orchard \note in \crossref{orchardsend},
+          to restart if $\EphemeralPrivate = 0$.
 } % nufive
     \item No changes before \NUFive.
 \end{itemize}