Add question about collision-resistance of PRF^sn.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -187,10 +187,13 @@ different from the $\SHAOrig$ function, which hashes arbitrary-length strings.
 
 $\PRF{x}{}$ is a pseudo-random function seeded by $x$. Three \emph{independent}
 $\PRF{x}{}$ are needed in our scheme: $\PRFaddr{x}$, $\PRFsn{x}$, and
-$\PRFpk{x}{i}$. It is required that $\PRFsn{x}$ be collision-resistant. In \Zcash,
-the $\SHAName$ function is used to construct all three of these functions. The bits
-$\mathtt{00}$, $\mathtt{01}$ and $\mathtt{10}$ are included (respectively) within
-the blocks that are hashed, ensuring that the functions are independent.
+$\PRFpk{x}{i}$. It is required that $\PRFsn{x}$ be collision-resistant.
+\daira{For any given $x$, or across all $x$?}
+
+In \Zcash, the $\SHAName$ function is used to construct all three of these
+functions. The bits $\mathtt{00}$, $\mathtt{01}$ and $\mathtt{10}$ are included
+(respectively) within the blocks that are hashed, ensuring that the functions are
+independent.
 
 \begin{equation*}
 \SpendAuthorityPublic = \PRFaddr{\SpendAuthorityPrivate}(0) = \CRH\left(