Correct the statement and proof of Theorem A.3.2.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -9791,6 +9791,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
             \item Improved cross-referencing in \crossref{concretepedersenhash}.
             \item Clarify the notes concerning domain separation of prefixes in
                   \crossref{saplingmerklecrh} and \crossref{concretesaplingnotecommit}.
+            \item Correct the statement and proof of \theoremref{thmconversiontomontnoexcept}.
           \end{itemize}
 } %sapling
     \item Add the QED-it report to the acknowledgements.
@@ -11250,16 +11251,15 @@ enumerate all exceptional inputs that may violate the side-conditions.
 
 \vspace{1ex}
 \begin{theorem} \label{thmconversiontomontnoexcept}
-Let $(u, \varv)$ be an affine point on a complete twisted Edwards curve.
-Then the only points with $u \neq 0$ or $\varv \neq 0$
-are $(0, 1) = \ZeroJ$; $(0, -1)$ of order $2$; and
-$\left(\pm\, 1/\!\ssqrt{\ParamJ{a}}, 0\right)$ of order $4$.
+Let $(u, \varv)$ be an affine point on a complete twisted Edwards curve $\Edwards{a,d}$.
+Then the only points with $u = 0$ or $1 - \varv = 0$ are $(0, 1) = \ZeroJ$, and
+$(0, -1)$ of order $2$.
 \end{theorem}
 
 \begin{proof}
-Straightforward from the curve equation. (The fact that the points
-$\left(\pm\, 1/\!\ssqrt{\ParamJ{a}}, 0\right)$ are of order $4$
-can be inferred by applying the doubling formula.)
+The curve equation is $a \smult u^2 + \varv^2 = 1 + d \smult u^2 \smult \varv^2$
+with $a \neq d$ (see \cite[Definition 2.1]{BBJLP2008}). By substituting $u = 0$ we
+obtain $\varv = \pm 1$, and by substituting $\varv = 1$ and using $a \neq d$ we obtain $u = 0$.
 \end{proof}
 
 \vspace{0.5ex}