Clarify the interpretation of I_L in Sprout key derivation.

This also fixes a cut-and-paste error (a child chain code is c_i, not c_m).

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

zip-0032.rst

@@ -237,8 +237,11 @@ Let *S* be a seed byte sequence of a chosen length.
 
 - Calculate *I* = BLAKE2b-512("ZcashIP32_Sprout", *S*).
 - Split *I* into two 32-byte sequences, I\ :sub:`L` and I\ :sub:`R`\ .
-- Use *I*\ :sub:`L` as the master spending key a\ :sub:`sk,m`\ , and *I*\ :sub:`R` as the master chain code
-  *c*\ :sub:`m`\ .
+- Interpret *I*\ :sub:`L` as the master spending key a\ :sub:`sk,m`\ by clearing the 4 most
+  significant bits of the first byte, and decoding the 32-byte result in the same way as for
+  *a*\ :sub:`sk`\ in the raw encoding of a Sprout spending key (excluding lead bytes) in
+  [#sapling-spec]_ section 5.6.8.
+- Use *I*\ :sub:`R` as the master chain code *c*\ :sub:`m`\ .
 
 Child key derivation
 --------------------
@@ -251,8 +254,11 @@ CDKsk((*a*\ :sub:`sk,par`\ , *c*\ :sub:`par`\ ), *i*) → (*a*\ :sub:`sk,i`\ , *
   - If not (normal child): return failure
 
 - Split *I* into two 32-byte sequences, *I*\ :sub:`L` and *I*\ :sub:`R`\ .
-- Use *I*\ :sub:`L` as the child spending key *a*\ :sub:`sk,i`\ , and *I*\ :sub:`R` as the child chain code
-  *c*\ :sub:`m`\ .
+- Interpret *I*\ :sub:`L` as the child spending key a\ :sub:`sk,i`\ by clearing the 4 most
+  significant bits of the first byte, and decoding the 32-byte result in the same way as for
+  *a*\ :sub:`sk`\ in the raw encoding of a Sprout spending key (excluding lead bytes) in
+  [#sapling-spec]_ section 5.6.8.
+- Use *I*\ :sub:`R` as the child chain code *c*\ :sub:`i`\ .
 
 
 Specification: Wallet usage