Specify more precisely the requirements on Ed25519 public keys and signatures.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -3099,10 +3099,18 @@ block.
 $\JoinSplitSig$ is specified in \crossref{abstractsig}.
 
 \changed{It is instantiated as $\JoinSplitSigSpecific$ \cite{BDL+2012},
-with the additional requirement that $\EdDSAs$ (the integer represented
-by $\EdDSAS$) must be less than the prime
-$\ell = 2^{252} + 27742317777372353535851937790883648493$,
-otherwise the signature is considered invalid.
+with the additional requirements that:
+
+\begin{itemize}
+  \item $\EdDSAS$ \MUST represent an integer less than
+        the prime $\ell = 2^{252} + 27742317777372353535851937790883648493$;
+  \item $\EdDSAR$ \MUST represent a point of order $\ell$ on the Ed25519 curve;
+\end{itemize}
+
+If these requirements are not met then the signature is considered invalid.
+Note that it is \emph{not} required that the encoding of the y-coordinate
+in $\EdDSAR$ is less than $2^{255}-19$.
+
 $\JoinSplitSigSpecific$ is defined as using $\JoinSplitSigHashName$ internally.
 }
 
@@ -5282,6 +5290,8 @@ The errors in the proof of Ledger Indistinguishability mentioned in
 \subparagraph{2018.0-beta-5}
 
 \begin{itemize}
+    \item Specify more precisely the requirements on $\JoinSplitSigSpecific$
+          public keys and signatures.
 \sapling{
     \item{\Sapling work in progress.}
 }
@@ -5647,7 +5657,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
 \printbibliography
 \endgroup
 
-%\notsprout{
+\notsprout{
 
 \introsection
 \vspace{20ex}
@@ -6102,6 +6112,6 @@ cryptanalytic attention to confidently use them for \Sapling.
 
 \nsubsection{The SaplingOutput circuit} \label{cctsaplingoutput}
 
-%} %notsprout
+} %notsprout
 
 \end{document}