diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index f3c02819..c2e84d90 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -139,6 +139,7 @@
 \newcommand{\hSigInputVersionByte}{\mathbf{0xF1}}
 \newcommand{\Memo}{\mathsf{memo}}
 \newcommand{\CurveMultiply}{\mathsf{Curve25519}}
+\newcommand{\CurveBase}{\underline{9}}
 \newcommand{\DecryptCoin}{\mathtt{DecryptCoin}}
 \newcommand{\Plaintext}{\mathbf{P}}
 \newcommand{\Ciphertext}{\mathbf{C}}
@@ -449,12 +450,13 @@ derived as follows:
 \DiscloseKey &:= \Trailing{252}(\PRFaddr{\AuthPrivate}(0)) & \hspace{30em} \\
 \AuthPublic &:= \PRFaddr{\DiscloseKey}(1) & \\
 \TransmitPrivate &:= \Clamp(\PRFaddr{\AuthPrivate}(2)) & \\
-\TransmitPublic &:= \CurveMultiply(\TransmitPrivate)
+\TransmitPublic &:= \CurveMultiply(\TransmitPrivate, \CurveBase)
 \end{aligned}
 \end{equation*}
-where $\Clamp$ performs the clamping of Curve25519 private key bits, and
-$\CurveMultiply$ performs point multiplication, both as defined in \cite{Curve25519}.
+where $\Clamp$ performs the clamping of Curve25519 private key bits,
+$\CurveMultiply$ performs point multiplication, and $\CurveBase$ is the
+public string representing a base point, all as defined in \cite{Curve25519}.
 }
 Users can accept payment from multiple parties with a single
@@ -928,8 +930,8 @@ Then to encrypt:
 $(\EphemeralPublic, \EphemeralPrivate)$, and a new $\SymSpecific$ key $\SharedKey{}$.
 \item For $i$ in $\{1..\NNew\}$,
 \begin{itemize}
- \item Let $\DHSecret{i} := \CurveMultiply(\TransmitPublicNew{i},
-\EphemeralPrivate)$.
+ \item Let $\DHSecret{i} := \CurveMultiply(\EphemeralPrivate,
+\TransmitPublicNew{i})$.
 \item Let $\TransmitKey{i} := \KDF(\DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}, i)$.
 \item Let $\TransmitCiphertext{i} :=
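Review bot: The rewritten sentence after `\end{equation*}` still leaves the argument convention of $\CurveMultiply$ implicit, so a reader has to infer from the swapped calls in the -928, -957 and -1017 hunks that the first argument is the clamped secret scalar and the second the public 32-byte string. As far as I recall, \cite{Curve25519} takes the secret first and the public string second, which is the order the new calls use, so stating it once here would anchor all three swaps: `$\CurveMultiply(n, q)$ performs point multiplication of the public string $q$ by the secret scalar $n$`. "the public string representing a base point" would also be clearer if it said that $\CurveBase$ is the 32-byte encoding of the integer 9 as written in the cited paper, since `\underline{9}` on its own reads as mere decoration. The enclosing `\changed{` block for this derivation opens before the hunk.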
@@ -957,7 +959,7 @@ will attempt to decrypt that ciphertext component as follows:
 \changed{
 \begin{itemize}
- \item Let $\DHSecret{i} := \CurveMultiply(\EphemeralPublic, \TransmitPrivate)$.
+ \item Let $\DHSecret{i} := \CurveMultiply(\TransmitPrivate, \EphemeralPublic)$.
 \item Let $\TransmitKey{i} := \KDF(\DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}, i)$.
 \item Return $\DecryptCoin(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i}).$
@@ -1017,7 +1019,7 @@ and $\EphemeralPrivate$ from $\SharedPlaintext{}$.
 \begin{itemize}
 \item Let $\CoinPlaintext{i} := \DecryptCoin(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i})$.
- \item Let $\DHSecret{i} := \CurveMultiply(\TransmitPublicNew{i}, \EphemeralPrivate)$.
+ \item Let $\DHSecret{i} := \CurveMultiply(\EphemeralPrivate, \TransmitPublicNew{i})$.
 \item Let $\TransmitKeyCompare{i} := \KDF(\DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}, i)$.
 \item If $\CoinPlaintext{i} \neq \bot$ and
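Review bot: The receiver-side step `\item Let $\DHSecret{i} := \CurveMultiply(\TransmitPrivate, \EphemeralPublic)$.` now feeds $\EphemeralPublic$, a value read from the transaction rather than produced by the receiver, as the public-string argument, and nothing in the hunk says what happens when that string is malformed or encodes a small-order point. Curve25519 accepts any 32-byte input, and for a small-order point the result is the all-zero string whatever $\TransmitPrivate$ is, so the derived $\TransmitKey{i}$ would then depend only on public values; the spec should either state that such a $\DHSecret{i}$ is rejected before the \KDF step, e.g. `If $\DHSecret{i}$ is the all-zero string, return $\bot$.`, or explain why accepting it is harmless for the receiver. The same question applies to the -1017 hunk, where $\EphemeralPrivate$ is recovered from $\SharedPlaintext{}$ and combined with $\TransmitPublicNew{i}$ taken from the address. The `\changed{` itemize started here continues past the end of the hunk.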