diff --git a/protocol/protocol.pdf b/protocol/protocol.pdf
index c465785f..7a029320 100644
Binary files a/protocol/protocol.pdf and b/protocol/protocol.pdf differ
diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 1e2f492d..09742826 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -89,7 +89,7 @@
 \newcommand{\PRF}[2]{\mathsf{{PRF}^{#2}_\mathnormal{#1}}}
 \newcommand{\PRFaddr}[1]{\PRF{#1}{addr}}
 \newcommand{\PRFsn}[1]{\PRF{#1}{sn}}
-\newcommand{\PRFpk}[2]{\PRF{#1}{pk,{\mathnormal{#2}}}}
+\newcommand{\PRFpk}[1]{\PRF{#1}{pk}}
 \newcommand{\SHA}{\mathtt{SHA256Compress}}
 \newcommand{\SHAName}{\term{SHA-256 compression}}
 \newcommand{\SHAOrig}{\term{SHA-256}}
@@ -171,6 +171,9 @@ protected by zero-knowledge succinct non-interactive arguments of knowledge
 All integers visible in \Zcash-specific encodings are unsigned, have a fixed bit length, and are encoded as big-endian.
+In bit layout diagrams, bits are ordered from left to right with the most
+significant bits in each byte first.
+
 \subsection{Cryptographic Functions}
 \subparagraph{}
@@ -183,8 +186,7 @@ different from the $\SHAOrig$ function, which hashes arbitrary-length strings.
 $\PRF{x}{}$ is a pseudo-random function seeded by $x$. Three \emph{independent} $\PRF{x}{}$ are needed in our scheme: $\PRFaddr{x}$, $\PRFsn{x}$, and
-$\PRFpk{x}{i}$. It is required that $\PRFsn{x}$ be collision-resistant.
-\daira{For any given $x$, or across all $x$?}
+$\PRFpk{x}$. It is required that $\PRFsn{x}$ be collision-resistant across all $x$.
 In \Zcash, the $\SHAName$ function is used to construct all three of these functions. The bits $\mathtt{00}$, $\mathtt{01}$ and $\mathtt{10}$ are included
@@ -211,7 +213,7 @@ independent.
 \bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
 \bitbox{14}{0} &
 \bitbox{14}{1} &
- \bitbox{242}{254 bit truncated $\CoinAddressRand$} &
+ \bitbox{242}{254 bit left-truncated $\CoinAddressRand$} &
 \end{bytefield}
 \enspace
 \right)
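Review bot: `\PRFpk` drops from two arguments to one, and LaTeX will not report any call site that still passes two: `\PRFpk{x}{i}` would now typeset as `PRF^pk_x` followed by a stray `{i}` group, silently rendering the old index as ordinary math next to the function. The three uses updated in this commit are the ones in the later hunks; any other `\PRFpk{…}{…}` occurrence in protocol.tex outside the diff should be found by a search before the PDF is regenerated. Moving the index into the function input, `\PRFpk{x}(i, \hSig)`, agrees with the bit layout where `i` occupies its own field, so the macro change itself looks consistent.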
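Review bot: The added sentence fixes the bit order within a byte but only implies the byte order of a diagram, which matters because the later definition of left-truncation refers to "the first byte" of a field. Stating both explicitly removes the ambiguity: `In bit layout diagrams, bytes are shown from left to right in encoding order, and within each byte the most significant bit is leftmost.` The `\bitbox` widths in the diagrams are display widths rather than bit counts (`\bitbox{242}{256 bit …}`), so this prose is the only place the ordering is pinned down.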
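Review bot: `collision-resistant across all $x$` resolves the removed `\daira` question but leaves the property informal, and a reader of "$\PRFsn{x}$ is collision-resistant" would by default assume the weaker per-key reading; the line should state the cross-key form explicitly, e.g. `It is required that $\PRFsn{x}$ be collision-resistant across all $x$, i.e.\ it must be infeasible to find $(x, y) \neq (x', y')$ with $\PRFsn{x}(y) = \PRFsn{x'}(y')$.` If, as the name suggests, this PRF produces serial numbers, uniqueness across different keys is presumably the property the rest of the protocol relies on, and the spec is the place to say so. The new line also runs past the wrap width of the surrounding text; a break after `collision-resistant` keeps the source consistent.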
@@ -219,19 +221,23 @@ independent.
 \begin{equation*}
-\h{i} = \PRFpk{\SpendAuthorityPrivate}{i}(\hSig) = \CRH\left(
+\h{i} = \PRFpk{\SpendAuthorityPrivate}(i, \hSig) = \CRH\left(
 \;
 \begin{bytefield}[bitwidth=0.07em]{512}
 \bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
 \bitbox{14}{1} &
 \bitbox{14}{0} &
 \bitbox{14}{i} &
- \bitbox{241}{253 bit truncated $\hSig$}
+ \bitbox{241}{253 bit left-truncated $\hSig$}
 \end{bytefield}
 \enspace
 \right)
 \end{equation*}
+\term{Left-truncated} means that the most significant bits of the first byte of
+$\CoinAddressRand$ and $\hSig$ respectively are dropped. \daira{Should we instead
+define $\CoinAddressRand$ to be 254 bits and $\hSig$ to be 253 bits?}
+
 \subsection{Confidential Addresses and Private Keys}
 \subparagraph{}
@@ -540,9 +546,7 @@ $\SpendAuthorityPublicOld{i} = \PRFaddr{\SpendAuthorityPrivateOld{i}}(0)$.
 \subparagraph{Non-malleability}
-% TODO: protocol is really gross here, let's clarify the
-% indices and use of PRFpk independence from other h sdfhjgahsdjkgfas
-for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\SpendAuthorityPrivateOld{i}}{i}(\hSig)$
+for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\SpendAuthorityPrivateOld{i}}(i, \hSig)$
 \subparagraph{Commitment integrity}
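Review bot: The new definition of \term{Left-truncated} does not say how many most-significant bits are dropped; the counts are only implied by the `253 bit` label in this diagram and the `254 bit` label in the `$\CoinAddressRand$` diagram of the preceding hunk, where the term is used before it is defined. Making it explicit, e.g. `\term{Left-truncated} means that the most significant bits of the first byte are dropped: 2 bits of $\CoinAddressRand$ (leaving 254) and 3 bits of $\hSig$ (leaving 253).`, assumes both are 256-bit values before truncation, which the text does not state and should. The same paragraph should also record that the dropped bits do not contribute to the output, so two values of $\CoinAddressRand$ or $\hSig$ differing only in those bits give the same $\PRFpk$ result; the open `\daira` question (defining them as 254 and 253 bits) would make that a property of the types rather than a side effect of truncation, which is the cleaner specification.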
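Review bot: The rewritten line keeps `$\h{i}$ = $\PRFpk{\SpendAuthorityPrivateOld{i}}(i, \hSig)$` with the `=` outside math mode, so it is typeset as text with word spacing; it should be one expression, `for each $i \in \{1, \dots, \NOld\}$: $\h{i} = \PRFpk{\SpendAuthorityPrivateOld{i}}(i, \hSig)$`, which also replaces the `..` range with `\dots`. The removed TODO asked for the indices and the use of $\PRFpk$ to be clarified, and the new line only changes the macro call; a sentence after it noting that the same $i$ selects both the old private key and the PRF input, so each $\h{i}$ is computed under its own key, would close the TODO rather than just delete it. The definition of $\h{i}$ this line relies on is in the earlier hunk (where it is written with the unindexed $\SpendAuthorityPrivate$) and could be cross-referenced with a label so the two stay in step.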