g_d is ensured to be of large order. The relationship between g_d and pk_d ultimately binds ivk to the note. If g_d were a small-order point, it would not bind ivk correctly, and the prover could double-spend by finding random ivks that satisfy the relationship.
Further, if g_d were of small order, epk would be of small order too!
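The following added example (not code from the original page or from any project it describes) shows why the order check matters: with a small-order g_d, different ivk values produce the same pk_d, so the relation no longer pins ivk down. It assumes the points live on the Jubjub curve with cofactor 8; the helper names (`is_small_order`, `binds`, `sample_point`) and the sample point are constructed for illustration.

```python
# Added example; assumes Jubjub (cofactor 8): -u^2 + v^2 = 1 + d*u^2*v^2 mod Q.
Q = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
D = -10240 * pow(10241, -1, Q) % Q
IDENTITY = (0, 1)

def add(p1, p2):
    (u1, v1), (u2, v2) = p1, p2
    t = D * u1 * u2 * v1 * v2 % Q
    return ((u1 * v2 + v1 * u2) * pow(1 + t, -1, Q) % Q,
            (v1 * v2 + u1 * u2) * pow(1 - t, -1, Q) % Q)

def mul(k, p):
    acc = IDENTITY
    while k:
        acc = add(acc, p) if k & 1 else acc
        p, k = add(p, p), k >> 1
    return acc

def is_small_order(p):
    return mul(8, p) == IDENTITY  # true iff the order divides the cofactor

def sqrt_mod(n):
    # Tonelli-Shanks; returns None when n is not a nonzero square mod Q.
    if pow(n, (Q - 1) // 2, Q) != 1:
        return None
    s = ((Q - 1) & -(Q - 1)).bit_length() - 1   # Q - 1 = 2^s * t, t odd
    t = (Q - 1) >> s
    z = next(z for z in range(2, 100) if pow(z, (Q - 1) // 2, Q) == Q - 1)
    m, c, x, b = s, pow(z, t, Q), pow(n, (t + 1) // 2, Q), pow(n, t, Q)
    while b != 1:
        i = next(i for i in range(1, m) if pow(b, 1 << i, Q) == 1)
        e = pow(c, 1 << (m - i - 1), Q)
        m, c, x, b = i, e * e % Q, x * e % Q, b * e * e % Q
    return x

def sample_point():
    # Constructed sample: smallest v >= 2 that has a matching u on the curve.
    for v in range(2, 100):
        u = sqrt_mod((v * v - 1) * pow(1 + D * v * v, -1, Q) % Q)
        if u:
            return (u, v)

ORDER2 = (0, Q - 1)              # (0, -1), order 2
ORDER4 = (sqrt_mod(Q - 1), 0)    # (sqrt(-1), 0), order 4
G_D = mul(8, sample_point())     # cofactor cleared: large prime order

def binds(g_d, ivk_a, ivk_b):
    # pk_d = [ivk]g_d pins down ivk only if distinct ivks give distinct pk_d.
    return mul(ivk_a, g_d) != mul(ivk_b, g_d)
```

`binds(G_D, 3, 5)` holds, while `binds(ORDER2, 3, 5)` and `binds(ORDER4, 1, 5)` do not, which is the failure the large-order check rules out.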
Finally, by careful use of derandomized signing in the prover, it's possible for the receiver of the coins--who shares a secret with the sender, due to ECDH key agreement with the receiver's pubkey--to 'rewind' the proof and use it to extract a message sent by the sender which is 80% of the size of the proof. We use this to signal the value and blinding factor to the receiver, but it could also be used to carry things like reference numbers or refund addresses.
init: // each account has 100 units at the time of initialization
- address0: 0xaa
- spending_key0: 0x4ab
- address1: 0xab
- spending_key1: 0x1c8
transfer 0xab<receiver> 10<amount> 0x4ab<spending_key>