Fix a type error in the output of PRF^nfSapling; a Sapling nullifier is a sequence of 32 bytes, not a bit sequence.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2020-08-28 13:44:05 +01:00
parent b3da7a14ee
commit ea59cda07f
1 changed file with 12 additions and 6 deletions


@ -1472,6 +1472,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\snOld}[1]{\mathsf{sn}^\mathsf{old}_{#1}}
\newcommand{\nf}{\mathsf{nf}}
\newcommand{\nfOld}[1]{\nf^\mathsf{old}_{#1}}
\newcommand{\nfOldRepr}[1]{{\MakeRepr{\nf}{\mathsf{old}}}_{#1}}
\newcommand{\Memo}{\mathsf{memo}}
\newcommand{\MemoByteLength}{512}
\newcommand{\MemoType}{\byteseq{\MemoByteLength}}
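Review bot: The new `\nfOldRepr` macro is added without any hint of what it denotes; the other `Repr` macros touched by this change (`\AuthSignRandomizerRepr`, `\NoteCommitRandRepr`, ...) stand for the bit-sequence form of a value, so a one-line comment next to the definition, e.g. `% bit-sequence representation of \nfOld, used in the primary input encoding`, would save readers a search through the spend-statement section to find `\nfOldRepr{} = \LEOStoBSP{...}(\nfOld{})`.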
@ -5311,7 +5312,7 @@ A valid instance of a \defining{\spendStatement}, $\ProofSpend$, assures that gi
\begin{formulae}
\item $\oparen\rt \typecolon \MerkleHashSapling,\\
\hparen\cvOld{} \typecolon \ValueCommitOutput,\\
\hparen\nfOld{} \typecolon \bitseq{\PRFOutputLengthNfSapling},\\
\hparen\nfOld{} \typecolon \PRFOutputNfSapling,\\
\hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic\cparen$,
\end{formulae}
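Review bot: `\PRFOutputNfSapling` replaces `\bitseq{\PRFOutputLengthNfSapling}` here but is not defined anywhere in this diff (the commit touches a single file), so it must already exist; confirm that it expands to a 32-byte sequence type (the equivalent of `\byteseq{32}`), since the whole point of the change is that the nullifier type becomes bytes rather than bits, and an existing definition that still reads as a bit sequence would make this hunk a no-op.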
@ -9311,8 +9312,7 @@ $\LEBStoOSPOf{256}{\reprJ\Of{\cv}}$. \\ \hline
$32$ & $\anchorField$ & \type{char[32]} & A \merkleRoot of the \Sapling{} \noteCommitmentTree
at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt}$. \\ \hline
$32$ & $\nullifierField$ & \type{char[32]} & The \nullifier of the input \note,
$\LEBStoOSPOf{256}{\nf}$. \\ \hline
$32$ & $\nullifierField$ & \type{char[32]} & The \nullifier of the input \note, $\nf$. \\ \hline
$32$ & $\rkField$ & \type{char[32]} & The randomized \validatingKey for $\spendAuthSig$,
$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline
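Review bot: Minor style point on the nullifier row: the neighbouring rows spell out their encoding (`\LEBStoOSPOf{256}{\rt}` for the anchor, `\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignRandomizedPublic}}` for `rk`), so a bare `$\nf$` reads as if the conversion were forgotten rather than no longer needed. Consider wording it as "the nullifier of the input note, $\nf$ (already a byte sequence)" so the asymmetry is visibly intentional.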
@ -10833,6 +10833,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\begin{itemize}
\item No changes to \Sprout.
\sapling{
\item Fix a type error in the output of $\PRFnfSapling{}$; a \Sapling \nullifier is a
sequence of $32$ bytes, not a bit sequence.
\item Correct an off-by-one in an expression used in the definition of $c$ in
\crossref{concretepedersencommit} (this does not change the value of $c$).
} %sapling
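Review bot: The changelog entry describes the type fix but not its knock-on effect on the primary input of the spend statement, which now goes through `\LEOStoBSP` via `\nfOldRepr` before being split into the 254-bit and 2-bit field elements. A short addition such as "the encoding of the primary input in the spend statement is updated accordingly" would let implementers checking this version know there is a second place to review.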
@ -13487,17 +13489,20 @@ The primary input is
\begin{formulae}
\item $\oparen\rt \typecolon \MerkleHashSapling,\\
\hparen\cvOld{} \typecolon \ValueCommitOutput,\\
\hparen\nfOld{} \typecolon \bitseq{\PRFOutputLengthNfSapling},\\
\hparen\nfOld{} \typecolon \PRFOutputNfSapling,\\
\hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic\cparen$,
\end{formulae}
which is encoded as $8$ $\GF{\ParamS{r}}$ elements (starting with the fixed element $1$ required by \Groth):
\begin{formulae}
\item $[1, \Selectu(\AuthSignRandomizedPublic), \Selectv(\AuthSignRandomizedPublic),
\Selectu(\cvOld{}), \Selectv(\cvOld{}), \LEBStoIPOf{\MerkleHashLengthSapling}{\rt},
\LEBStoIP{254}\big(\nfOld{\barerange{0}{253}}\big), \LEBStoIP{2}\big(\nfOld{\barerange{254}{255}}\big)]$
\LEBStoIP{254}\big(\nfOldRepr{\!\barerange{0}{253}}\big), \LEBStoIP{2}\big(\nfOldRepr{\!\barerange{254}{255}}\big)]$
\end{formulae}
\vspace{-2ex}
where $\nfOldRepr{} = \LEOStoBSP{\PRFOutputLengthNfSapling}(\nfOld{})$.
\introlist
\vspace{1ex}
The auxiliary input is
\vspace{1ex}
\begin{formulae}
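Review bot: Two things on the `where` line. First, `\LEOStoBSP{\PRFOutputLengthNfSapling}` must receive a length in bits for the subsequent indices `\barerange{0}{253}` and `\barerange{254}{255}` to be valid; the removed type was `\bitseq{\PRFOutputLengthNfSapling}`, which suggests the macro is 256, but if it was ever redefined to 32 (bytes) alongside this change the slicing silently breaks, so please double-check its value. Second, the `\!` negative kern inside every `\nfOldRepr{\!\barerange{...}}` call is a per-call-site typographic hack; folding it into the macro (`{\MakeRepr{\nf}{\mathsf{old}}}_{\!#1}`) keeps the call sites clean and makes future uses consistent.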
@ -13651,7 +13656,8 @@ $\dagger$ This is implemented by taking the output of $\BlakeTwos{256}$ as a bit
significant $5$~bits, not by converting to an integer and back to a bit sequence as literally specified.
\pnote{The implementation represents $\AuthSignRandomizerRepr$, $\AuthProvePrivateRepr$, $\InViewingKeyRepr$,
$\NoteCommitRandRepr$, $\ValueCommitRandRepr$, and $\vOldRepr$ as bit sequences rather than integers.}
$\NoteCommitRandRepr$, $\ValueCommitRandRepr$, and $\vOldRepr$ as bit sequences rather than integers. It
represents $\nf$ as a bit sequence rather than a byte sequence.}
\introsection
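Review bot: The added sentence refers to `$\nf$`, while the primary-input encoding this note accompanies writes the nullifier as `$\nfOld{}$`; using the same symbol here avoids any ambiguity about which value the implementation keeps as a bit sequence, and also matches the new `\nfOldRepr` that the encoding introduces.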