Fixes to Pour statement.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -753,33 +753,43 @@ exists in the map.
 
 In \Zcash, $\NOld$ and $\NNew$ are both $2$.
 
-A valid instance of $\PourProof$ assures that given a \term{primary input}
-$(\rt, \snOld{\mathrm{1}..\NOld}, \cmNew{\mathrm{1}..\NNew}, \changed{\vpubOld,\;}
-\vpubNew, \hSig, \h{1..\NOld})$, a witness of \term{auxiliary input}
-$(\treepath{1..\NOld}, \cOld{1..\NOld}, \AuthPrivateOld{\mathrm{1}..\NOld},
-\cNew{1..\NNew}\changed{, \CoinAddressPreRand})$ exists, where:
+A valid instance of $\PourProof$ assures that given a \term{primary input}:
 
-\begin{list}{}{}
+\begin{itemize}
+  \item[] $(\rt, \snOld{\mathrm{1}..\NOld}, \cmNew{\mathrm{1}..\NNew}, \changed{\vpubOld,\;}
+\vpubNew, \hSig, \h{1..\NOld}, \changed{\TransmitCiphertext{1..\NNew},
+\DiscloseCiphertext{1..\NOld}, \SharedCiphertext})$,
+\end{itemize}
 
-\item for each $i \in \{1..\NOld\}$: $\cOld{i}$ = $(\AuthPublicOld{i},
-\vOld{i}, \CoinAddressRandOld{i}, \CoinCommitRandOld{i})$
+there exists a witness of \term{auxiliary input}:
 
-\item for each $i \in \{1..\NNew\}$: $\cNew{i}$ = $(\AuthPublicNew{i},
-\vNew{i}, \CoinAddressRandNew{i}, \CoinCommitRandNew{i})$
+\begin{itemize}
+  \item[] $(\treepath{1..\NOld}, \cOld{1..\NOld}, \AuthPrivateOld{\mathrm{1}..\NOld},
+\changed{\DiscloseKeyOld{\mathrm{1}..\NOld}, \cpNew{1..\NNew},
+\CoinAddressPreRand, \SharedKey{}, \TransmitKey{1..\NOld}})$
+\end{itemize}
 
-\item The following conditions hold:
+where:
 
-\end{list}
+\begin{itemize}
+  \item[] for each $i \in \{1..\NOld\}$: $\cOld{i}$ = $(\AuthPublicOld{i},
+\vOld{i}, \CoinAddressRandOld{i}, \CoinCommitRandOld{i})$;
+  \item[] for each $i \in \{1..\NNew\}$: $\cpNew{i}$ = $(\AuthPublicNew{i},
+\vNew{i}, \CoinAddressRandNew{i}, \CoinCommitRandNew{i}, \Memo_i)$,
+and $\TransmitPlaintext{i}$ is a raw encoding of $\cpNew{i}$;
+\end{itemize}
+
+such that the following conditions hold:
 
 \subparagraph{Merkle path validity}
 
 for each $i \in \{1..\NOld\}$ \changed{$\mid$ $\vOld{i} \neq 0$}:
-$\treepath{i}$ must be a valid path of depth $\MerkleDepth$ from
+$\treepath{i}$ must be a valid path of depth $\MerkleDepth$ from \linebreak
 $\CoinCommitment(\cOld{i})$ to \coinCommitmentTree root $\rt$.
 
 \subparagraph{Balance}
 
-$\changed{\vpubOld +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew} \vNew{i}$.
+$\changed{\vpubOld\; +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew} \vNew{i}$.
 
 \subparagraph{Serial integrity}
 
@@ -789,22 +799,42 @@ $\snOld{i} = \PRFsn{\AuthPrivateOld{i}}(\CoinAddressRandOld{i})$.
 \subparagraph{Spend authority}
 
 for each $i \in \{1..\NOld\}$:
-$\AuthPublicOld{i} = \PRFaddr{\AuthPrivateOld{i}}(0)$.
+\changed{
+$\DiscloseKeyOld{i} = \PRFaddr{\AuthPrivateOld{i}}(0)$ and
+$\AuthPublicOld{i} = \PRFaddr{\DiscloseKeyOld{i}}(1)$.
+}
 
 \subparagraph{Non-malleability}
 
-for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\AuthPrivateOld{i}}(i, \hSig)$
+for each $i \in \{1..\NOld\}$:
+$\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$
 
 \changed{
 \subparagraph{Uniqueness of $\CoinAddressRandNew{i}$}
 
-for each $i \in \{1..\NNew\}$: $\CoinAddressRandNew{i}$ = $\PRFrho{\CoinAddressPreRand}(i, \hSig)$
+for each $i \in \{1..\NNew\}$:
+$\CoinAddressRandNew{i} = \PRFrho{\CoinAddressPreRand}(i, \hSig)$
 }
 
 \subparagraph{Commitment integrity}
 
 for each $i \in \{1..\NNew\}$: $\cmNew{i}$ = $\CoinCommitment(\cNew{i})$
 
+\changed{
+\subparagraph{$\TransmitCiphertext{}$ integrity}
+
+for each $i \in \{1..\NNew\}$:
+$\TransmitCiphertext{i} = \SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i}, \Empty)$.
+
+\subparagraph{$\DiscloseCiphertext{}$ integrity}
+
+for each $i \in \{1..\NOld\}$:
+$\DiscloseCiphertext{i} = \SymEncrypt{\DiscloseKeyOld{i}}(\SharedKey{}, \Tag{i})$
+
+\subparagraph{$\SharedCiphertext$ integrity}
+
+$\SharedCiphertext = \SymEncrypt{\SharedKey{}}(\SharedPlaintext{}, \Empty)$
+}
 
 \section{In-band secret distribution}