Correct an error in the Pedersen hash specification.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -3670,7 +3670,7 @@ Define $\PedersenHash(D \typecolon \byteseq{8}, M \typecolon \bitseqs)$ as follo
   \item Split $M'$ into $n$ \quotedterm{windows} $M_{\barerange{1}{n}}$ each of length $3$ bits,
         so that $M' = \concatbits(M_{\barerange{1}{n}})$.
   \item Write each $M_i$ as $[\si{0}, \si{1}, \si{2}]$, and let
-        $m_i = (1 - 2 \smult \si{2}) \mult (\si{0} + 2 \smult \si{1})$.
+        $m_i = (1 - 2 \smult \si{2}) \mult (1 + \si{0} + 2 \smult \si{1})$.
   \item Let $R = \vsum{i=1}{n} \scalarmult{m_i}{\PedersenGen{D}{i}}$.
   \item Return $\ItoLEBSP{255}(\ExtractJ(R))$.
 \end{formulae}