Delete or clarify unused optimizations in Appendix A.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -9555,6 +9555,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
     \item Add a note about redundancy in the nonsmall-order checking of $\AuthSignRandomizedPublic$.
     \item Clarify the use of $\cvNew{}$ and $\cmNew{}$, and the selection of
           \outgoingViewingKey, in sending Sapling notes.
+    \item Delete the description of optimizations for the affine-Edwards nonsmall-order
+          check, since the \Sapling circuit does not use them. Also clarify that some other
+          optimizations are not used.
 } %sapling
 \end{itemize}
 
@@ -10494,13 +10497,14 @@ $\Inv{a} = a^{-1} \pmod{\ParamS{r}}$:
   \item $\constraint{\Inv{a}}{a}{1}$
 \end{formulae}
 
-A global optimization allows to use a single inverse computation outside
+\nnote{A global optimization allows to use a single inverse computation outside
 the circuit for any number of nonzero constraints. Suppose that we have
 $n$ variables (or \linearCombinations) that are supposed to be nonzero:
 $a_\barerange{0}{n-1}$. Multiply these together (using $n\!-\!1$ constraints)
 to give $a^* = \sproduct{i=0}{n-1} a_i$; then, constrain $a^*$ to be nonzero.
 This works because the product $a^*$ is nonzero if and only if all of
-$a_\barerange{0}{n-1}$ are nonzero.
+$a_\barerange{0}{n-1}$ are nonzero. However, the \Sapling circuit does not use
+this optimization.}
 
 
 \introsection
@@ -10875,39 +10879,16 @@ On a twisted Edwards curve, only the zero point $\ZeroJ$, and the unique point
 of order $2$ at $(0, -1)$ have zero $u$-coordinate. So this $u$-coordinate check rejects
 both $\ZeroJ$ and the point of order $2$, and no other points.
 
-The first doubling can be merged with the curve point check to avoid recomputing $C$ or $T$.
+The total cost, including the curve check, is $3 + 2 \mult 5 + 1 = 14$ constraints.
-The second doubling does not need to compute $T$ or the $\varv$-coordinate of the result;
-also, the $u$-coordinate of the result is zero if-and-only-if the intermediate value
-$A$ is zero.
 
-\begin{formulae}
+\vspace{-2ex}
-  \item // Curve equation check.
+\pnote{This \emph{does not} ensure that the point is in the prime-order subgroup.}
-  \item $\constraint{u}{u}{uu}$
-  \item $\constraint{\varv}{\varv}{\varvv}$
-  \item $\constraint{\ParamJ{d} \smult uu}{\varvv}{\ParamJ{a} \smult uu + \varvv - 1}$
-        \vspace{1ex}
-  \item // First doubling; subsitute $C = \ParamJ{d} \smult uu \smult \varvv = \ParamJ{a} \smult uu + \varvv - 1$ and
-        $T + (\ParamJ{a} - 1) \smult A = \varvv - \ParamJ{a} \smult uu$.
-  \item $\constraint{u}{\varv}{A_1}$
-  \item $\constraint{\ParamJ{a} \smult uu + \varvv}{u_1}{2 \smult A_1}$
-  \item $\constraint{2 - \ParamJ{a} \smult uu - \varvv}{\varv_1}{\varvv - \ParamJ{a} \smult uu}$
-        \vspace{1ex}
-  \item // Second doubling and non-zero check.
-  \item $\constraint{u_1}{\varv_1}{A_2}$
-  \item // $u$-coordinate is zero if-and-only-if $A_2$ is zero.
-  \item $\constraint{\Ainv}{A_2}{1}$
-\end{formulae}
 
-The total cost, including the curve check, is $3 + 3 + 2 = 8$ constraints.
+\vspace{-2ex}
-
+\nnote{It is possible to reduce the cost to $8$ constraints by merging the first doubling
-\begin{pnotes}
+with the curve point check, and then optimizing the second doubling based on the fact that
-  \item This \emph{does not} ensure that the point is in the prime-order subgroup.
+we only need to check whether the resulting $u$-coordinate is zero. However, the \Sapling
-  \item If the point $P$ is used as the base of a variable-base scalar
+circuit does not use these optimizations.}
-        multiplication using the algorithm of \crossref{cctvarscalarmult}, then
-        $\scalarmult{4}{P}$ will be calculated as $\Base_2$. Then $\SelectuOf{\Base_2} \neq 0$
-        can be checked using a single constraint (saving $4$ constraints).
-        The \Sapling circuit does not use this optimization.
-\end{pnotes}
 
 
 \introsection