Use the term monomorphism for an injective homomorphism, in the context of a "signature scheme with key monomorphism".

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2020-02-06 23:02:40 +00:00
parent 0d582758dd
commit 849d9435ae
1 changed files with 15 additions and 12 deletions


@ -1028,7 +1028,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\signatureSchemes}{\terms{signature scheme}}
\newcommand{\oneTimeSignatureScheme}{\termandindex{one-time signature scheme}{one-time (signature scheme)}}
\newcommand{\rerandomizableSignatureScheme}{\termandindex{signature scheme with re\hyp randomizable keys}{signature scheme with re-randomizable keys}}
\newcommand{\keyHomomorphicSignatureScheme}{\term{signature scheme with key homomorphism}}
\newcommand{\keyMonomorphicSignatureScheme}{\term{signature scheme with key monomorphism}}
\newcommand{\sigNonmalleable}{\termandindex{nonmalleable}{nonmalleability (of signatures)}}
\newcommand{\sigBatchEntries}{\termandindex{signature batch entries}{signature batch entry}}
\newcommand{\xPRF}{\termandindex{PRF}{Pseudo Random Function}}
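Review bot: the old macro \keyHomomorphicSignatureScheme is deleted rather than kept as an alias of \keyMonomorphicSignatureScheme, so any use of it left anywhere in the source will fail at build time as an undefined control sequence. Before merging, grep the whole source for keyHomomorphicSignatureScheme to confirm the two uses visible in this commit (the definition and the \BindingSig security requirement) are the only ones; \term{...} also feeds the index, so the index entry silently changes from the old phrase to the new one.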
@ -3396,7 +3396,7 @@ $\SigVerify{\vk}(m, s) = 1$.
The following security property is needed for $\JoinSplitSig$\sapling{ and $\BindingSig$}.
\sapling{Security requirements for $\SpendAuthSig$ are defined in the next section,
\crossref{abstractsigrerand}. An additional requirement for $\BindingSig$ is defined
in \crossref{abstractsighom}.}
in \crossref{abstractsigmono}.}
} %notsprout
\vspace{-1ex}
@ -3419,7 +3419,7 @@ pair without access to the signing key.
$\SigGen \typecolon () \rightarrowR \SigPrivate \times \SigPublic$, to support
the key derivation in \crossref{saplingkeycomponents}. This also simplifies some
aspects of the definitions of \signatureSchemes with additional features in
\crossref{abstractsigrerand} and \crossref{abstractsighom}.
\crossref{abstractsigrerand} and \crossref{abstractsigmono}.
} %notsprout
\item A fresh signature key pair is generated for each \transaction containing
a \joinSplitDescription{}.
@ -3534,9 +3534,9 @@ $(m', \sigma') \not\in \Oracle_{\sk}\mathsf{.}Q$.
\sapling{
\introlist
\lsubsubsubsection{Signature with Private Key to Public Key Homomorphism}{abstractsighom}
\lsubsubsubsection{Signature with Private Key to Public Key Monomorphism}{abstractsigmono}
A \defining{\keyHomomorphicSignatureScheme} $\Sig$ is a \signatureScheme that
A \defining{\keyMonomorphicSignatureScheme} $\Sig$ is a \signatureScheme that
additionally defines:
\begin{itemize}
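Review bot: the label in \lsubsubsubsection is renamed from abstractsighom to abstractsigmono without retaining the old label, so any \crossref{abstractsighom} not updated in this commit will render as "??" with only a LaTeX undefined-reference warning. Rather than relying on a visual check of the PDF, grep for abstractsighom across the source and build with undefined references treated as errors.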
@ -3552,7 +3552,8 @@ additionally defines:
such that for any $\sk_{\oneto{2}} \typecolon \SigPrivate$,
$\SigDerivePublic(\sk_1 \grpplus \sk_2) = \SigDerivePublic(\sk_1)\, \combplus \SigDerivePublic(\sk_2)$.
In other words, $\SigDerivePublic$ is an injective homomorphism from the \privateKey group to the \publicKey group.
In other words, $\SigDerivePublic$ is a monomorphism (that is, an injective homomorphism) from the
\privateKey group to the \publicKey group.
\vspace{1ex}
\introlist
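Review bot: injectivity is still only asserted in the "In other words" gloss; the only condition stated in the visible part of the definition (the line beginning "such that for any") is the homomorphism identity. If injectivity is meant to be part of the requirement on \SigDerivePublic rather than an observation, state it as an explicit condition alongside the identity (e.g. "and \SigDerivePublic is injective"), so that the security requirement on a \keyMonomorphicSignatureScheme actually pins it down.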
@ -4801,7 +4802,7 @@ be as defined in \crossref{concretevaluecommit}:
$\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}.
These and the derived notation $\combminus$, $\scombsum{i=1}{\rmN}$, $\grpminus$, and
$\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsighom}.
$\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsigmono}.
\vspace{1.5ex}
\introlist
@ -6945,7 +6946,7 @@ The encoding of a \publicKey is as defined in \cite{BDLSY2012}.
$\RedDSA$ is a Schnorr-based \signatureScheme, optionally supporting key re-randomization
as described in \crossref{abstractsigrerand}. It also supports a
Secret Key to Public Key Homomorphism as described in \crossref{abstractsighom}.
Secret Key to Public Key Monomorphism as described in \crossref{abstractsigmono}.
It is based on a scheme from \cite[section 3]{FKMSSS2016}, with some ideas from
EdDSA \cite{BJLSY2015}.
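Review bot: terminology mismatch: this line says "Secret Key to Public Key Monomorphism" while the section it points to (abstractsigmono) is headed "Signature with Private Key to Public Key Monomorphism" and its definition speaks of the \privateKey group. Since the line is being edited anyway, change "Secret Key" to "Private Key" so the wording matches the referenced section.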
@ -7077,7 +7078,7 @@ properties, careful analysis of potential interactions is required.}
\vspace{3ex}
\introlist
The two abelian groups specified in \crossref{abstractsighom} are instantiated for $\RedDSA$
The two abelian groups specified in \crossref{abstractsigmono} are instantiated for $\RedDSA$
as follows:
\begin{itemize}
\item $\grpzero := 0 \pmod{\ParamG{r}}$
@ -7087,7 +7088,7 @@ as follows:
\end{itemize}
\introlist
As required, $\RedDSADerivePublic$ is a group homomorphism:
As required, $\RedDSADerivePublic$ is a group monomorphism, since it is injective and:
\begin{tabular}{@{\hskip 1.5em}r@{\;}l}
$\RedDSADerivePublic(\sk_1 \grpplus \sk_2)$
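Review bot: "since it is injective and:" asserts injectivity without justification, and the tabular that follows only establishes the homomorphism identity. Add a short clause explaining why \RedDSADerivePublic is injective (why distinct elements of the private-key group map to distinct public keys, given the group instantiation just above), so that this half of the claim is as checkable as the homomorphism half.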
@ -7148,8 +7149,8 @@ use of key re-randomization, and with generator $\GenG{} = \ValueCommitRandBase$
See \crossref{bindingsig} for details on the use of this \signatureScheme.
\securityrequirement{
$\BindingSig$ must be a SUF-CMA secure \keyHomomorphicSignatureScheme as defined in
\crossref{abstractsighom}. A signature must prove knowledge of the discrete logarithm of
$\BindingSig$ must be a SUF-CMA secure \keyMonomorphicSignatureScheme as defined in
\crossref{abstractsigmono}. A signature must prove knowledge of the discrete logarithm of
the \publicKey with respect to the base $\ValueCommitRandBase$.
} %securityrequirement
} %sapling
@ -10272,6 +10273,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
and Zancas Wilcox.
\item Add an acknowledgement to Trail of Bits for their security audit.
\item Change indices in the \incrementalMerkleTree diagram to be zero-based.
\item Use the term \quotedterm{monomorphism} for an injective homomorphism, in
the context of a \keyMonomorphicSignatureScheme.
\end{itemize}
\historyentry{2019.0.9}{2019-12-27}