Generalize the description of the InternalH attack to include finding collisions on (a_pk, rho).

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -3843,11 +3843,11 @@ commitment at a 128-bit security level. Specifically, the internal
 hash of $\AuthPublic$ and $\NoteAddressRand$ is truncated to 128 bits
 (motivated by providing statistical hiding security). This allows an
 attacker, with a work factor on the order of $2^{64}$, to find distinct
-values of $\NoteAddressRand$ with colliding outputs of the truncated
+pairs $(\AuthPublic, \NoteAddressRand)$ and $(\AuthPublic', \NoteAddressRand')$
-hash, and therefore the same \noteCommitment. This would have allowed
+with colliding outputs of the truncated hash, and therefore the same
-such an attacker to break the Balance property by double-spending
+\noteCommitment. This would have allowed such an attacker to break the
-\notes, potentially creating arbitrary amounts of currency for themself
+Balance property by double-spending \notes, potentially creating arbitrary
-\cite{HW2016}.
+amounts of currency for themself \cite{HW2016}.
 
 \Zcash uses a simpler construction with a single $\FullHashName$ evaluation
 for the commitment. The motivation for the nested construction in \Zerocash
@@ -4121,6 +4121,9 @@ The errors in the proof of Ledger Indistinguishability mentioned in
 
 \begin{itemize}
     \item Explain a variation on the Faerie Gold attack and why it is prevented.
+    \item Generalize the description of the InternalH attack to include finding
+          collisions on $(\AuthPublic, \NoteAddressRand)$ rather than just on
+          $\NoteAddressRand$.
     \item Rename $\mathsf{enforce}_i$ to $\EnforceMerklePath{i}$.
 \end{itemize}