diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 32f7284c..93b5687c 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -1342,6 +1342,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\DST}{\mathsf{DST}}
 \newcommand{\leninbytes}{\mathsf{len\_in\_bytes}}
 \newcommand{\binbytes}{\mathsf{b\_in\_bytes}}
+\newcommand{\rinbytes}{\mathsf{r\_in\_bytes}}
 \newcommand{\tx}{\mathsf{tx}}
 \newcommand{\ReceivedSet}{\mathsf{ReceivedSet}}
@@ -10624,7 +10625,7 @@ Define $\hashtofield_{\XMDBlakeTwob}^{\typeexp{\GF{\ParamG{q}}\!}{2}}(\msg \type
 \vspace{-1ex}
 \begin{algorithm}
  \item let $\DST' = \DST \bconcat\, [\,\length(\DST)\,]$
- \item let $\msg' = \zerobytes{64} \bconcat \msg \bconcat\, [\,0, 128\,] \bconcat\, [\,0\,] \bconcat \DST'$
+ \item let $\msg' = \zerobytes{128} \bconcat \msg \bconcat\, [\,0, 128\,] \bconcat\, [\,0\,] \bconcat \DST'$
  \item let $b_0 = \BlakeTwob{512}\big(\zerobytes{16}, \msg'\big)$
  \item let $b_1 = \BlakeTwob{512}\big(\zerobytes{16}, b_0 \bconcat\, [\,1\,] \bconcat \DST'\big)$
  \item let $b_2 = \BlakeTwob{512}\big(\zerobytes{16}, (b_0 \xor b_1) \bconcat\, [\,2\,] \bconcat \DST'\big)$
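Review bot: The corrected padding is written as the bare literal `\zerobytes{128}` in the $\msg'$ step, with nothing in the algorithm itself saying where 128 comes from, even though the same commit names that quantity $\rinbytes$ in the explanatory note that follows the algorithm. A reader checking this against the Internet Draft's $Z\_pad = I2OSP(0, r\_in\_bytes)$ would be helped by a short parenthetical on that line or just after the algorithm, e.g. `% $128 = \rinbytes$, the input block size of $\BlakeTwob{512}$`, so the two constants 128 (padding) and 128 ($\leninbytes$, encoded as `[\,0, 128\,]`) are not confused. Separately, the one-byte length suffix `[\,\length(\DST)\,]` in the $\DST'$ step presupposes $\length(\DST) \leq 255$; if that bound is not stated near this definition it deserves a sentence, since a longer tag would not be representable as a single byte. The `algorithm` environment continues past the end of the hunk.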
@@ -10639,9 +10640,9 @@ Define $\hashtofield_{\XMDBlakeTwob}^{\typeexp{\GF{\ParamG{q}}\!}{2}}(\msg \type
  the function $\XMDBlakeTwob$ corresponding to $\expandmessagexmd$ defined in
  \cite[section 5.4.1]{ID-hashtocurve}, and with domain separation tag $\DST$.
  In $\expandmessagexmd$, $\mathsf{H}$ is instantiated as $\BlakeTwob{512}$ with
- $\binbytes = 64$, and we specialize to $\leninbytes = 128$ since that is the only
- case we need. In the event of any discrepancy or change to the Internet Draft,
- the definition here takes precedence.
+ $\binbytes = 64$ and $\rinbytes = 128$, and we specialize to $\leninbytes = 128$
+ since that is the only case we need. In the event of any discrepancy or change to
+ the Internet Draft, the definition here takes precedence.
  \vspace{-0.25ex}
  \item Unlike other uses of $\BlakeTwobGeneric$ in \Zcash, zero bytes are used for
  the $\BlakeTwobGeneric$ personalization, in order to follow the Internet Draft which
@@ -10651,7 +10652,7 @@ Define $\hashtofield_{\XMDBlakeTwob}^{\typeexp{\GF{\ParamG{q}}\!}{2}}(\msg \type
  to follow the Internet Draft.\!\!
  \vspace{-0.25ex}
  \item A minor optimization is to cache the state of the $\BlakeTwob{512}$ instance
- used to compute $b_0$ after processing $\zerobytes{64}$, since this state does
+ used to compute $b_0$ after processing $\zerobytes{128}$, since this state does
  not depend on the message.
 \end{nnotes}
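Review bot: The rewritten sentence states `$\binbytes = 64$ and $\rinbytes = 128$` but never says what $\rinbytes$ denotes, so a reader who has not memorized the Draft's parameter names cannot tell why the zero padding is 128 bytes while the digest is 64. The changelog entry in this same commit already has the right words ("the input block size of $\BlakeTwobGeneric$"); putting them here, e.g. `$\binbytes = 64$ (its output length) and $\rinbytes = 128$ (its input block length)`, would make the note self-contained and make the 64/128 distinction auditable without the Draft. The note item begins before the first line of the hunk.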
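Review bot: With the padding now exactly one $\BlakeTwob{512}$ input block, the cached-state remark in the second hunk is slightly less straightforward than it reads: implementations that follow the RFC 7693 streaming pattern hold a full block in their buffer and only compress it once further input arrives, because the last block must be compressed with the final-block flag, so the state "after processing $\zerobytes{128}$" may be a buffered but uncompressed block rather than a compressed one. The saving is still real (the zero bytes need not be re-fed), but an implementer reading this as "one compression saved" could be misled; a hedge such as `(depending on the implementation, this state may hold the block still uncompressed)` would keep the remark accurate. This is an observation about the wording, not about the corrected 128-byte value, which matches the Draft.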
@@ -13953,6 +13954,10 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
  \item Define $\GroupG{}$ in \crossref{concretegrouphashpallasandvesta}.
  \item Fix type confusion between integers and field elements (including additional
  cases not found in the audit, involving \nullifiers and $\cmX$).
+ \item Fix a discrepancy between \crossref{concretegrouphashpallasandvesta} and
+ \cite{ID-hashtocurve}: the zero padding in $\expandmessagexmd$ should be
+ $128$ bytes (matching the input block size of $\BlakeTwobGeneric$), rather
+ than $64$ bytes.
  \item Make the naming of $\enableSpends$ and $\enableOutputs$ consistent.
 \end{itemize}
 \item Correct the description of $\lengthField$ in \crossref{unifiedpaymentaddrencoding}.