diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 99ed246a..1cbcf8b6 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -5797,7 +5797,7 @@ $\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}. \securityrequirement{ $\LEOStoIPOf{256}{\BlakeTwosOf{256}{\ascii{Zcashivk}, x}} \bmod 2^{\InViewingKeyLength}$ must be \collisionResistant on a $64$-byte input $x$. Note that this -does not follow from collision-resistance of $\BlakeTwos{256}$ +does not follow from \collisionResistance of $\BlakeTwos{256}$ (and the best possible concrete security is that of a $251$-bit hash rather than a $256$-bit hash), but it is a reasonable assumption given the design, structure, and cryptanalysis to date of $\BlakeTwosGeneric$. @@ -9593,7 +9593,7 @@ Least Authority, Mary Maller, and Kudelski Security. The Faerie Gold attack was found by Zooko Wilcox; subsequent analysis of variations on the attack was performed by Daira Hopwood and Sean Bowe. The internal hash collision attack was found by Taylor Hornby. -The error in the \Zerocash proof of Balance relating to collision-resistance +The error in the \Zerocash proof of Balance relating to \collisionResistance of $\PRFaddr{}$ was found by Daira Hopwood. The errors in the proof of Ledger Indistinguishability mentioned in \crossref{truncation} were also found by Daira Hopwood. @@ -10783,6 +10783,8 @@ and so it is only necessary to allocate separate variables for the $\Pi_m$ such that $m < n-1$ and $c_m = 1$. Furthermore if $c_{\barerange{n-2}{0}}$ has $t > 0$ trailing $1$ bits, then we do not need to allocate variables for $\Pi_{\barerange{0}{t-1}}$ because those variables will not be used below. + +\introlist More explicitly: Let $\Pi_{n-1} = a_{n-1}$. 
@@ -10793,9 +10795,9 @@ For $i \from n-2 \downto t$, \item if $c_i = 1$, then constrain $\constraint{\Pi_{i+1}}{a_i}{\Pi_i}$. \end{itemize} +\introlist Then we constrain the $a_i$ as follows: -\introlist For $i \from n-1 \downto 0$, \begin{itemize} \item if $c_i = 0$, constrain $\constraint{1 - \Pi_{i+1} - a_i}{a_i}{0}$; @@ -10865,6 +10867,7 @@ The algorithm in \crossref{ccteddecompressvalidate} uses range checks with $c = \ParamS{r}-1$ to validate compressed Edwards points. In that case $n = 255$ and $k = 132$, so the cost of each such range check is $387$ constraints. +\introsection \nnote{It is possible to optimize the computation of $\Pi_{\barerange{t}{n-2}}$ further. Notice that $\Pi_m$ is only used when $m$ is the index of the last bit of a run of $1$ bits in $c$. So for each run of $N$ $1$ bits, it is sufficient to compute
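Review bot: In the first hunk (around line 5797), the macro swap `\collisionResistance` must actually be defined alongside the existing `\collisionResistant` that the preceding sentence already uses; if it is only defined in one of the two notation styles the build will fail, so please confirm the definition exists and that the hyphenation/wording it expands to matches the "must be \collisionResistant" phrase two lines above.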
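Review bot: The second hunk (acknowledgements, around line 9593) applies the same literal-to-macro substitution as the first; since the stated goal is consistent notation, it would be worth grepping the rest of the file for any remaining literal "collision-resistance" / "collision-resistant" spellings so this change does not leave a partial mix of macro and plain text.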
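Review bot: In the third hunk (around line 10783) the added `\introlist` precedes "More explicitly: Let $\Pi_{n-1} = a_{n-1}$." but that sentence is followed by the "For $i \from n-2 \downto t$" paragraph and then the itemize; please check that the keep-together effect of `\introlist` reaches across the intervening paragraph to the `\begin{itemize}`, otherwise a page break can still fall between the "For" line and its list.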
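Review bot: In the fourth hunk (around line 10795) `\introlist` is moved from "For $i \from n-1 \downto 0$," up to "Then we constrain the $a_i$ as follows:", with a blank line (paragraph break) now separating the two; if `\introlist` only protects a fixed number of lines after the marked paragraph, the blank line may put the itemize outside its range, so either keep the macro on the "For" line or verify that the moved placement still keeps "For $i \from n-1 \downto 0$," on the same page as the first `\item`.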
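Review bot: In the fifth hunk (around line 10867) `\introsection` is placed immediately before a `\nnote{...}` rather than before a heading; if that macro is meant for section starts (as its name suggests), check that its spacing and page-break behaviour are appropriate for a note block, and otherwise consider `\introlist` as in the other hunks for consistency.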