* Witness g_d^new and pk_d^new in Orchard as non-identity Pallas points, rather than witnessing

their representations as bit sequences.
* Note that ak^P in Orchard cannot be the identity.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -7046,8 +7046,8 @@ the prover knows an \auxiliaryInput:
          \hparen\AuthSignPublicPoint \typecolon \GroupPstar,\\
          \hparen\NullifierKey \typecolon \NullifierKeyTypeOrchard,\\
          \hparen\CommitIvkRand \typecolon \CommitIvkTrapdoor,\\
-         \hparen\DiversifiedTransmitBaseNewRepr \typecolon \ReprP,\\
-         \hparen\DiversifiedTransmitPublicNewRepr \typecolon \ReprP,\vspace{0.2ex}\\
+         \hparen\DiversifiedTransmitBaseNew \typecolon \GroupPstar,\\
+         \hparen\DiversifiedTransmitPublicNew \typecolon \GroupPstar,\vspace{0.2ex}\\
          \hparen\vNew{} \typecolon \ValueType,\vspace{0.2ex}\\
          \hparen\NoteNullifierRandNew \typecolon \NoteNullifierRandType,\vspace{-0.2ex}\\
          \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\
@@ -7084,10 +7084,10 @@ $\InViewingKey = \bot$ or $\DiversifiedTransmitPublicOld = \scalarmult{\InViewin
 $\InViewingKey = \CommitIvk{\CommitIvkRandom}\big(\ExtractP(\AuthSignPublicPoint), \NullifierKey\big)$.
 
 \snarkcondition{New note commitment integrity}{actionnewnotecommitmentintegrity}
-$\ExtractPbot\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseNewRepr,
-                                                             \DiversifiedTransmitPublicNewRepr,
-                                                             \vNew{},
-                                                             \NoteUniqueRandNew{},
+$\ExtractPbot\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\reprP(\DiversifiedTransmitBaseNew),
+                                                             \reprP(\DiversifiedTransmitPublicNew),
+                                                             \vNew{}\!,
+                                                             \NoteUniqueRandNew{}\!,
                                                              \NoteNullifierRandNew)\kern-0.1em\big) \in \setof{\cmX, \bot}$,
 where $\NoteUniqueRandNew{} = \nfOld{} \pmod{\ParamP{q}}$.
 
@@ -7110,7 +7110,8 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h
         (Recall from \crossref{notation} that ``$\!\!\pmod{\ParamP{q}}$'' interprets an integer as an $\GF{\ParamP{q}}$
         element.)
   \item \xPrimary and \auxiliaryInputs \MUST be constrained to have the types specified.
-        In particular, $\DiversifiedTransmitBaseOld$ cannot be $\ZeroP$.
+        In particular, $\DiversifiedTransmitBaseOld$, $\DiversifiedTransmitPublicOld$,
+        $\DiversifiedTransmitBaseNew$, $\DiversifiedTransmitPublicNew$, and $\AuthSignPublicPoint$ cannot be $\ZeroP$.
         The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types represent
         \pallasCurve points, i.e.\ $\GroupP$.
   \item The scalar multiplication used in $\ValueCommitAlg{Orchard}$ must operate correctly on the
@@ -14523,6 +14524,11 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
     \item Change the type of $\rt{Orchard}$ from $\GroupPx$ to $\range{0}{\ParamP{q}-1}$.
           This reflects the existing \zcashd implementation; also checking
           $\rt{Orchard} \in \GroupPx$ would require a square root and is unnecessary.
+    \item Witness $\DiversifiedTransmitBaseNew$ and $\DiversifiedTransmitPublicNew$ in
+          the \Orchard \actionCircuit as $\GroupPstar$, i.e.\ non-identity Pallas points,
+          rather than witnessing their representations as bit sequences. This reflects
+          the existing \zcashd implementation.
+    \item Note that $\AuthSignPublicPoint$ in \Orchard cannot be the identity.
 } %nufive
     \item Correct the consensus rule about the maximum value of outputs in a
           \coinbaseTransaction: it should reference the \blockSubsidy rather than