Protocol spec: cosmetics.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -12275,12 +12275,14 @@ Suppose that the bits of the chunk, $[s_0, s_1, s_2]$, are already boolean-const
 We aim to compute $C = A + \scalarmult{(1 - 2 \mult s_2) \mult (1 + s_0 + 2 \mult s_1)}{P}$
 for some fixed base point $P$ and accumulated sum $A$.
 
+\introlist
 We first compute $s\suband = s_0 \band s_1$:
 
 \begin{formulae}
   \item $\constraint{s_0}{s_1}{s\suband}$
 \end{formulae}
 
+\introlist
 Let $(x_k, y_k) = \scalarmult{k}{P}$ for $k \in \range{1}{4}$. Define each coordinate of
 $(x_S, y_R) = \scalarmult{1 + s_0 + 2 \mult s_1}{P}$ as a linear combination of $s_0$, $s_1$, and $s\suband$:
 
@@ -12289,13 +12291,16 @@ $(x_S, y_R) = \scalarmult{1 + s_0 + 2 \mult s_1}{P}$ as a linear combination of
   \item let $y_R\hspace{0.01em} = \yy_1 + (\yy_2-\yy_1) \mult s_0 + (\yy_3-\yy_1) \mult s_1 + (\yy_4+\yy_1-\yy_2-\yy_3) \mult s\suband$
 \end{formulae}
 
+\introlist
 We implement the conditional negation as $\constraint{2 \mult y_R}{s_2}{y_R - y_S}$.
 After substitution of $y_R$ this becomes:
+
 \begin{formulae}
   \item $\lconstraint{2 \mult (y_1 + (y_2-y_1) \mult s_0 + (y_3-y_1) \mult s_1 + (y_4+y_1-y_2-y_3) \mult s\suband)}\!\lincomb{s_2} = \\
          \mhspace{1.45em}\lincomb{y_1 + (y_2-y_1) \mult s_0 + (y_3-y_1) \mult s_1 + (y_4+y_1-y_2-y_3) \mult s\suband - y_S}$
 \end{formulae}
 
+\introlist
 Then we substitute $x_S$ into the Montgomery addition constraints from \crossref{cctmontarithmetic}, as follows:
 
 \begin{formulae}
@@ -12333,6 +12338,7 @@ The cost is then:
 for a total of $5 \smult c + 5 \smult n - 6$ constraints. This does not include
 the cost of boolean-constraining inputs.
 
+\introlist
 In particular,
 \begin{itemize}
   \item for the Merkle tree hashes $\ell = 516$, so $c = 172$, $n = 3$,