Clarify the use of cv^new and cm^new in sending Sapling notes.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -4063,12 +4063,13 @@ the following steps:
   \item Let $\NotePlaintext{} = (\Diversifier, \ValueNew{}, \NoteCommitRandBytes, \Memo)$, where
         $\NoteCommitRandBytes = \LEBStoOSPOf{256}{\ItoLEBSP{256}(\NoteCommitRandNew{})\kern-0.12em}$.
 
-  \item Encrypt $\NotePlaintext{}$, $\cvNew{}$, and $\cmNew{}$ to the recipient
+  \item Encrypt $\NotePlaintext{}$ to the recipient
         \diversifiedTransmissionKey $\DiversifiedTransmitPublic$ with
-        \diversifiedTransmissionBase $\DiversifiedTransmitBase$, and with
+        \diversifiedTransmissionBase $\DiversifiedTransmitBase$, and to the
         \outgoingViewingKey $\OutViewingKey$, giving the \noteCiphertext
         $(\EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext)$
-        as described in \crossref{saplingencrypt}.
+        as described in \crossref{saplingencrypt}. This procedure also uses
+        $\cvNew{}$ and $\cmNew{}$ to derive the \outgoingCipherKey.
 
   \item Generate a proof $\ProofOutput$ for the \outputStatement in \crossref{outputstatement}.
 
@@ -9546,6 +9547,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
 \sapling{
     \item Complete the proof of \theoremref{thmpedersendistinctabsindices}.
     \item Add a note about redundancy in the nonsmall-order checking of $\AuthSignRandomizedPublic$.
+    \item Clarify the use of $\cvNew{}$ and $\cmNew{}$ in sending Sapling notes.
 } %sapling
 \end{itemize}