Clarify that Equihash is based on a *variation* of the GBP, and cite [AR2017].

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -8771,9 +8771,9 @@ such that $n$ is a multiple of $k+1$. We assume $k \geq 3$.
 
 The Equihash parameters for the production and test networks are $n = 200, k = 9$.
 
-The Generalized Birthday Problem is defined as follows: given a sequence
-$X_\barerange{1}{\rmN}$ of $n$-bit strings, find $2^k$ distinct $X_{i_j}$ such that
-$\sxor{j=1}{2^k} X_{i_j} = 0$.
+Equihash is based on a variation of the Generalized Birthday Problem \cite{AR2017}:
+given a sequence $X_\barerange{1}{\rmN}$ of $n$-bit strings, find $2^k$ distinct
+$X_{i_j}$ such that $\sxor{j=1}{2^k} X_{i_j} = 0$.
 
 In Equihash, $\rmN = 2^{\frac{n}{k+1}+1}$, and the sequence $X_\barerange{1}{\rmN}$ is
 derived from the \blockHeader and a nonce.
@@ -9828,6 +9828,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
 2019-02-10
 
 \begin{itemize}
+    \item Clarify that Equihash is based on a \emph{variation} of the Generalized
+          Birthday Problem, and cite \cite{AR2017}.
     \item Update reference \cite{BGG2017} (previously [BGG2016]).
 \sapling{
     \item Explain the differences between the system in \cite{Groth2016} and what

protocol/zcash.bib

@@ -223,6 +223,18 @@ Last revised November~5, 2017.}
 Last revised October~27, 2016.}
 }
 
+@inproceedings{AR2017,
+   presort={AR2017},
+   author={Leo Alcock and Ling Ren},
+   title={A Note on the Security of Equihash},
+   booktitle={CCSW '17. Proceedings of the 2017 Cloud Computing Security Workshop
+(Dallas, TX, USA, November~3, 2017); post-workshop of the 2017 ACM SIGSAC
+Conference on Computer and Communications Security},
+   publisher={ACM},
+   url={http://sci-hub.tw/10.1145/3140649.3140652},
+   urldate={2019-01-09}
+}
+
 @inproceedings{Bernstein2006,
    presort={Bernstein2006},
    author={Daniel Bernstein},