More references and corrected description of Groth16.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -7532,7 +7532,7 @@ the \Zcash protocol \SHOULD discontinue use of $\BCTV$ as soon as possible.
 The vulnerability does not affect the Zero Knowledge property of the scheme (as
 described in any version of \cite{BCTV2014a} or as implemented in any version of
 \libsnark that has been used in \Zcash), even under subversion of the parameter
-generation \cite[Theorem 4.10]{BGG2016}.
+generation \cite[Theorem 4.10]{BGG2017}.
 }
 
 \introlist
@@ -7592,9 +7592,11 @@ verifier \MUST check, for the encoding of each element, that:
 \subsubsubsection{\GrothProvingSystem} \label{groth}
 
 After \Sapling activation, \Zcash uses \zkSNARKs with the \provingSystem described in
-\cite{Groth2016}. These are used in \transactionVersion 4 and later (\crossref{txnencoding})
-for proofs both in \Sprout \joinSplitDescriptions, and in \Sapling \spendDescriptions and
-\outputDescriptions. They are generated by the \bellman library \cite{Bowe-bellman}.
+\cite{BGM2017}, which is a modification of the system in \cite{Groth2016}. An independent
+security proof of this system is given in \cite{Maller2018}. These \zkSNARKs are used in
+\transactionVersion 4 and later (\crossref{txnencoding}) for proofs both in \Sprout
+\joinSplitDescriptions, and in \Sapling \spendDescriptions and \outputDescriptions.
+They are generated by the \bellman library \cite{Bowe-bellman}.
 
 A $\Groth$ proof consists of
 $(\Proof{A} \typecolon \SubgroupSstar{1},\,
@@ -8133,7 +8135,7 @@ For the \Zcash production \blockchain and testnet, the $\SHAFull$ hashes of the
 \end{lines}
 
 These parameters were obtained by a multi-party computation described in
-\cite{BGG-mpc} and \cite{BGG2016}. \sapling{They are used only before \Sapling
+\cite{BGG-mpc} and \cite{BGG2017}. \sapling{They are used only before \Sapling
 activation.} Due to the security vulnerability described in \crossref{bctv}, it is
 not recommended to use these parameters in new protocols, and it is recommended to
 stop using them in protocols other than \Zcash where they are currently used.
@@ -8157,7 +8159,7 @@ the \Sprout \joinSplitCircuit used after \Sapling activation, are respectively:
           \texttt{d5054e371842b3f88fa1b9d7e8e075249b3ebabd167fa8b0f3161292d36c180a  sprout-groth16.params}
 \end{lines}
 
-These parameters were obtained by a multi-party computation described in \cite{BGM2018}.
+These parameters were obtained by a multi-party computation described in \cite{BGM2017}.
 } %sapling
 
 
@@ -9822,6 +9824,20 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
 \section{Change History}
 
 
+\subparagraph{2019.0-beta-37}
+2019-02-10
+
+\begin{itemize}
+    \item Update reference \cite{BGG2017} (previously [BGG2016]).
+\sapling{
+    \item Explain the differences between the system in \cite{Groth2016} and what
+          we refer to as $\Groth$.
+    \item Reference Mary Maller's security proof for $\Groth$ \cite{Maller2018}.
+    \item Correct [BGM2018] to \cite{BGM2017}.
+}
+\end{itemize}
+
+\introlist
 \subparagraph{2019.0-beta-36}
 2019-02-09
 
@@ -9935,7 +9951,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
           based on reduction to \keyPrivacy of ElGamal encryption, for which a security proof
           is given in \cite{BBDP2001}. (This argument has gaps which will be addressed in a future
           version.)
-    \item Add a reference to \cite{BGM2018} for the \Sapling \zkSNARK parameters.
+    \item Add a reference to \cite{BGM2017} for the \Sapling \zkSNARK parameters.
     \item Write \crossref{cctsaplingspend} (draft).
     \item Add a reference to the ristretto\_bulletproofs design notes
           \cite{Dalek-notes} for the synthetic blinding factor technique.
@@ -10603,7 +10619,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
     \item Give definitions of computational binding and computational hiding
           for commitment schemes.
     \item Give a definition of statistical zero knowledge.
-    \item Reference the white paper on MPC parameter generation \cite{BGG2016}.
+    \item Reference the white paper on MPC parameter generation \cite{BGG2017}.
 \end{itemize}
 
 \introlist

protocol/zcash.bib

@@ -147,6 +147,15 @@ Vol.~56, pages 455--461; IEEE, 2009.}
 Last revised May~31, 2016.}
 }
 
+@misc{Maller2018,
+   presort={Maller2018},
+   author={Mary Maller},
+   title={A {P}roof of {S}ecurity for the {S}apling {G}eneration of zk-{SNARK} {P}arameters in the {G}eneric {G}roup {M}odel},
+   date={2018-11-16},
+   url={https://github.com/zcash/sapling-security-analysis/blob/master/MaryMallerUpdated.pdf},
+   urldate={2018-02-10}
+}
+
 % Capitalized De/Di is correct <https://www.thoughtco.com/italian-capitalization-rules-2011478>
 @inproceedings{DSDCOPS2001,
    presort={DSDCOPS2001},
@@ -175,17 +184,18 @@ Proceedings of the 21st Annual International Cryptology Conference
    urldate={2017-07-16}
 }
 
-@misc{BGG2016,
-   presort={BGG2016},
+@misc{BGG2017,
+   presort={BGG2017},
    author={Sean Bowe and Ariel Gabizon and Matthew Green},
    title={A multi-party protocol for constructing the public parameters of the {P}inocchio zk-{SNARK}},
-   date={2016-11-24},
-   url={https://github.com/zcash/mpc/blob/master/whitepaper.pdf},
-   urldate={2017-02-11}
+   url={https://eprint.iacr.org/2017/602},
+   urldate={2019-02-10},
+   howpublished={Cryptology ePrint Archive: Report 2017/602.
+Last revised June~25, 2017.}
 }
 
-@misc{BGM2018,
-   presort={BGM2018},
+@misc{BGM2017,
+   presort={BGM2017},
    author={Sean Bowe and Ariel Gabizon and Ian Miers},
    title={Scalable {M}ulti-party {C}omputation for zk-{SNARK} {P}arameters in the {R}andom {B}eacon {M}odel},
    url={https://eprint.iacr.org/2017/1050},