[ZIP 2005] Error in Spendability argument

[daira]

This argument about the splitting attack on PQ Spendability is wrong:

(Note that $\mathsf{H^{rcm,Orchard}}$ and $f$ have the same inputs and are each random oracles on all of their inputs.)

$f$ is not plausibly a random oracle.

I believe we're not actually depending on it being one.

[defuse]

To practice writing security proofs I took a shot at proving the nullifier is binding in the ROM when split_flag=false, use_qsk=false without any assumptions about $f$ or $g$ (other than that they are independent of the random oracles, and that the reduction can compute discrete logs): https://hackmd.io/@wVbetTmiQgmGipMx2RltIg/SJjdH6i8bg

If this looks like it's going in the right direction I can try to complete it for split_flag=true and use_qsk=true. (FWIW it's very hard to fit the whole protocol in my working memory with all of the different flag settings, but I think I just need to work with it more.)