ZIP 307: clarify that epk is needed

The current phrasing implies the 580-byte memo ciphertext suffices for detection. Clarify that the 32-byte ephemeral public key is also needed.

Also added "public" to "ephemeral key" further down.
Eran Tromer 2021-08-25 19:29:49 -04:00 committed by GitHub
parent 93e5ec04fe
commit 42e05529a4
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 3 deletions

@ -147,13 +147,14 @@ A recipient detects their transactions by trial-decrypting this ciphertext. On a
that has the entire block chain, the primary cost is computational. For light clients
however, there is an additional bandwidth cost: every ciphertext on the block chain must
be received from the server (or network node) the light client is connected to. This
results in a total of 580 bytes per output that must be streamed to the client.
results in a total of 580 bytes per output that must be streamed to the client (in addition
to the 32-byte ephemeral public key).
However, we don't need all of that just to detect payments. The first 52 bytes of the
ciphertext contain the contents and opening of the note commitment, which is all of the
data needed to spend the note and to verify that the note is spendable. If we ignore the
memo and the authentication tag, we're left with a 32-byte ephemeral key, the 32-byte note
commitment, and only the first 52 bytes of the ciphertext for each output needed to
memo and the authentication tag, we're left with a 32-byte ephemeral public key, the 32-byte
note commitment, and only the first 52 bytes of the ciphertext for each output needed to
decrypt, verify, and spend a note. This totals to 116 bytes per output, for an 80%
reduction in bandwidth use.
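Review bot: The new parenthetical on the 580-byte sentence leaves the closing comparison on unequal footing. "580 bytes per output" now explicitly excludes the 32-byte ephemeral public key, while the 116-byte figure (32 + 32 + 52) counts both that key and the note commitment, yet the unchanged last lines still derive "an 80% reduction" from 116 against 580. Suggest either stating the baseline with the same fields included and recomputing the percentage, or saying which fields each figure counts. Also, "a total of 580 bytes ... (in addition to the 32-byte ephemeral public key)" reads as contradictory, since the total streamed is then more than 580; dropping "a total of" or giving the combined figure would fix that.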