fix inconsistency in reveal step formulation, now matches implementation

doc/paper/taler.tex

@@ -828,7 +828,7 @@ generator of the elliptic curve.
     possible to use any equivalent mint signing key known to the customer here, as $K$ merely
     serves as proof to the customer that the mint selected this particular $\gamma$.}
   \item The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to disk.
-  \item The customer computes $\mathfrak{R} := \left(t_s^{(i)}, C_p^{(i)}, b^{(i)}\right)_{i \ne \gamma}$
+  \item The customer computes $\mathfrak{R} := \left(t_s^{(i)}\right)_{i \ne \gamma}$
         and sends $S_{C'}(\mathfrak{R})$ to the mint.
   \item \label{step:refresh-ccheck} The mint checks whether $\mathfrak{R}$ is consistent with the commitments;
     specifically, it computes for $i \not= \gamma$:
@@ -837,20 +837,21 @@ generator of the elliptic curve.
     \begin{minipage}{5cm}
     \begin{align*}
       \overline{K}_i :&= H(t_s^{(i)} C_p'), \\
-      (\overline{c}_s^{(i)}, \overline{b}_i) :&= D_{\overline{K}_i}(E^{(i)}), \\
+      (\overline{c}_s^{(i)}, \overline{b_i}) :&= D_{\overline{K}_i}(E^{(i)}), \\
      \overline{C^{(i)}_p} :&= \overline{c}_s^{(i)} G,
      \end{align*}
      \end{minipage}
     \begin{minipage}{5cm}
       \begin{align*}
        \overline{T_p^{(i)}} :&= t_s^{(i)} G, \\ \\
-      \overline{B^{(i)}} :&= B_{b^{(i)}}(\overline{C_p^{(i)}}),
+      \overline{B^{(i)}} :&= B_{\overline{b_i}}(\overline{C_p^{(i)}}),
       \end{align*}
     \end{minipage}
 
     and checks if $\overline{B^{(i)}} = B^{(i)}$
     and $\overline{T^{(i)}_p} = T^{(i)}_p$.
 
+
   \item \label{step:refresh-done} If the commitments were consistent,
     the mint sends the blind signature $\widetilde{C} :=
     S_{K}(B^{(\gamma)})$ to the customer.  Otherwise, the mint responds