Add consensus rule that JoinSplit proofs must verify :-)

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -1299,16 +1299,6 @@ where
 
 The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertext.
 
-\consensusrule{
-$0 \leq \vpubOld \leq \MAXMONEY$, and $0 \leq \vpubNew \leq \MAXMONEY$.
-}
-
-\consensusrule{
-Either $\vpubOld$ or $\vpubNew$ \MUST be zero.
-}
-
-\todo{Describe case where there are fewer than $\NOld$ real input \notes.}
-
 The value $\hSig$ is also computed from $\RandomSeed$, $\nfOld{\allOld}$, and the
 $\joinSplitPubKey$ of the containing \transaction:
 
@@ -1318,6 +1308,15 @@ $\joinSplitPubKey$ of the containing \transaction:
 
 $\hSigCRH$ is instantiated in \crossref{hsigcrh}.
 
+\begin{consensusrules}
+  \item Elements of a \joinSplitDescription{} \MUST have the types given
+        above (for example: $0 \leq \vpubOld \leq \MAXMONEY$ and $0 \leq \vpubNew \leq \MAXMONEY$).
+  \item Either $\vpubOld$ or $\vpubNew$ \MUST be zero.
+  \item The proof $\Proof_{\JoinSplit}$ \MUST be valid given a \primaryInput formed
+        from the other fields and $\hSig$.
+        I.e. it must be the case that $\ZKJoinSplitVerify((\rt, \nfOld{\allOld}, \cmNew{\allNew},
+        \vpubOld, \vpubNew, \hSig, \h{\allOld}), \Proof_{\JoinSplit}) = 1$.
+\end{consensusrules}
 
 \nsubsection{Sending \Notes} \label{send}