Clarify a note about SU-CMA security for signatures.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2016-09-26 17:24:55 +01:00
parent 414610c5ac
commit c56507447c
1 changed file with 5 additions and 4 deletions


@ -1298,10 +1298,10 @@ pair without access to the signing key.
In fact the instantiation of $\JoinSplitSig$ uses a scheme designed
for security under adaptive attack even when multiple signatures are
signed under the same key.
\item SU-CMA security requires it to be infeasible for the adversary to
forge a distinct signature on a previously seen message. That is,
\joinSplitSignatures are intended to be nonmalleable in the sense of
\cite{BIP-62}.
\item SU-CMA security requires it to be infeasible for the adversary, not
knowing the private key, to forge a distinct signature on a previously
seen message. That is, \joinSplitSignatures are intended to be
nonmalleable in the sense of \cite{BIP-62}.
\end{pnotes}
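Review bot: The qualifier "not knowing the private key" added to the rewritten SU-CMA item leaves the adversary's other capability implicit: in the SU-CMA game the adversary lacks the key but can still obtain signatures on messages of its choice, and a reader could take the new wording to mean it sees no signatures at all. Consider spelling this out, e.g. "infeasible for the adversary, not knowing the private key but able to obtain signatures on messages of its choice, to forge a distinct signature on a previously seen message", which also ties the item to the sentence just above it about "multiple signatures ... signed under the same key". The closing sentence still only says \joinSplitSignatures "are intended to be nonmalleable in the sense of \cite{BIP-62}"; if the chosen instantiation actually guarantees this (as the SU-CMA property would), state it as a guarantee rather than an intention.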
@ -3558,6 +3558,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\item Update the section on encoding of \transparent addresses.
(The precise prefixes are not decided yet.)
\item Clarify why $\Blake{\ell}$ is different from truncated $\Blake{512}$.
\item Clarify a note about SU-CMA security for signatures.
\item Add a paragraph about key length in \crossref{inbandrationale}.
\item Add acknowledgements for John Tromp, Paige Peterson, Maureen Walsh,
Jay Graber, and Jack Gavigan.
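Review bot: The new change-log entry "Clarify a note about SU-CMA security for signatures." gives no pointer to where the clarified note lives, unlike the neighbouring entry "Add a paragraph about key length in \crossref{inbandrationale}.". Since the edited item sits in the \begin{pnotes} block about $\JoinSplitSig$, consider adding a \crossref to that section (or at least naming $\JoinSplitSig$) so a reader of the change log can locate the revised note.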