* ephemeralKey is kept as a byte sequence rather than immediately converted to a curve point;
this matters because of non-canonical encoding.
* The representation of pk_d in a note plaintext may also be non-canonical and need not be in the
prime subgroup.
* Move checking of cm_u in decryption with ivk to the end of the algorithm, to more closely match
the implementation.
* The note about decryption of outputs in mempool transactions should have been normative.
Also change ZIP 212 to say that it is aligned with this version of the protocol spec.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>