Add a note about PRF^nf corresponding to PRF^sn in \Zerocash.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -1151,6 +1151,8 @@ i.e.\ it should not be feasible to find $(x, y) \neq (x', y')$ such that
 $\PRFnf{x}(y) = \PRFnf{x'}(y')$\changed{, and similarly for $\PRFaddr{}$ and $\PRFrho{}$}.
 }
 
+\pnote{$\PRFnf{}$ was called $\PRFsn{}$ in \Zerocash \cite{BCG+2014}.}
+
 \nsubsubsection{\SymmetricEncryption} \label{abstractsym}
 
 Let $\Sym$ be an \symmetricEncryptionScheme with keyspace $\Keyspace$, encrypting
@@ -3559,6 +3561,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
           (The precise prefixes are not decided yet.)
     \item Clarify why $\Blake{\ell}$ is different from truncated $\Blake{512}$.
     \item Clarify a note about SU-CMA security for signatures.
+    \item Add a note about $\PRFnf{}$ corresponding to $\PRFsn{}$ in \Zerocash.
     \item Add a paragraph about key length in \crossref{inbandrationale}.
     \item Add acknowledgements for John Tromp, Paige Peterson, Maureen Walsh,
           Jay Graber, and Jack Gavigan.