Fix a bug in the definition of DefaultDiversifier.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -879,6 +879,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\DiversifyHash}{\mathsf{DiversifyHash}}
 \newcommand{\DiversifyHashText}{\texorpdfstring{$\DiversifyHash$}{DiversifyHash}}
 \newcommand{\DefaultDiversifier}{\mathsf{DefaultDiversifier}}
+\newcommand{\CheckDiversifier}{\mathsf{CheckDiversifier}}
 \newcommand{\NotUpMySleeve}{U}
 
 \newcommand{\tx}{\mathsf{tx}}
@@ -3558,8 +3559,16 @@ as above.
 Let $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$
 be as defined in \crossref{concretegrouphashjubjub}.
 
-Define $\DefaultDiversifier(\sk) :=
-\first(\fun{i \typecolon \byte}{\DiversifyHash(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i]))) \typecolon \GroupJ})$.
+Define:
+\vspace{-2ex}
+\begin{formulae}
+  \item $\CheckDiversifier(\Diversifier \typecolon \DiversifierType) := \begin{cases}
+          \bot,         &\caseif \DiversifyHash(\Diversifier) = \bot \\
+          \Diversifier, &\caseotherwise
+        \end{cases}$
+  \item $\DefaultDiversifier(\sk \typecolon \SpendingKeyType) :=
+          \first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i]))) \typecolon \GroupJ}\big)$.
+\end{formulae}
 
 For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$.
 
@@ -8911,6 +8920,16 @@ found by Brian Warner.
 \intropart
 \section{Change History}
 
+\subparagraph{2018.0-beta-17}
+
+\begin{itemize}
+    \item No changes to \Sprout.
+\sapling{
+    \item Correct an error in the definition of $\DefaultDiversifier$.
+} %sapling
+\end{itemize}
+
+\introlist
 \subparagraph{2018.0-beta-16}
 
 \begin{itemize}