Note that [JT2020] proves a tight reduction from finding a nontrivial discrete log relation to DLP.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -8746,6 +8746,9 @@ this is a nontrivial discrete logarithm relation between independent bases.
 \vspace{-2ex}
 \begin{nnotes}
         \vspace{-0.25ex}
+  \item \cite[Lemma 3]{JT2020} proves a tight reduction from finding a nontrivial discrete logarithm
+        relation in a prime-order group to solving the \xDiscreteLogarithmProblem in that group.
+        \vspace{-0.25ex}
   \item The above theorem easily extends to the case where additional scalar multiplication terms with
         independent bases may be added to the $\SinsemillaHashToPoint$ output before applying $\ExtractPbot$.
         This is needed to show security of the $\SinsemillaShortCommitAlg$ \commitmentScheme defined in
@@ -14338,6 +14341,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
           allowed as input to $\MerkleCRH{Orchard}$.
     \item Clarify the distinction between \Orchard \incomingViewingKeys and $\KA{Orchard}$
           \privateKeys.
+    \item Add a note in \crossref{concretesinsemillahash} that \cite[Lemma 3]{JT2020} proves
+          a tight reduction from finding a nontrivial discrete logarithm relation to the
+          \xDiscreteLogarithmProblem.
 } %nufive
 \sapling{
     \item Add a note to \crossref{merklepath} clarifying the encoding of $\rt{Sapling}$

protocol/zcash.bib

@@ -246,6 +246,16 @@ Last revised June~25, 2017.}
 Last revised November~5, 2017.}
 }
 
+@misc{JT2020,
+   presort={JT2020},
+   author={Joseph Jaeger and Stefano Tessaro},
+   title={Expected-Time Cryptography: {G}eneric Techniques and Applications to Concrete Soundness},
+   url={https://eprint.iacr.org/2020/1213},
+   urldate={2021-05-19},
+   howpublished={Cryptology ePrint Archive: Report 2020/1213.
+Received October~2, 2020.}
+}
+
 @misc{Nakamoto2008,
    presort={Nakamoto2008},
    author={Satoshi Nakamoto},