diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index cee9a534..a2df7b16 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -197,8 +197,10 @@ different from the $\SHAOrig$ function, which hashes arbitrary-length strings.
 \subparagraph{}
 
 $\PRF{x}{}$ is a pseudo-random function seeded by $x$. Three \emph{independent}
-$\PRF{x}{}$ are needed in our scheme: $\PRFaddr{x}$, $\PRFsn{x}$, and
-$\PRFpk{x}$. It is required that $\PRFsn{x}$ be collision-resistant across all $x$.
+$\PRF{x}{}$ are needed in our scheme: $\PRFaddr{x}$, $\PRFsn{x}$, and $\PRFpk{x}$.
+It is required that $\PRFsn{x}$ be collision-resistant across all $x$ --- i.e. it
+should not be feasible to find $(x, y) \neq (x', y')$ such that
+$\PRFsn{x}(y) = \PRFsn{x'}(y')$.
 
 In \Zcash, the $\SHAName$ function is used to construct all three of these
 functions. The bits $\mathtt{00}$, $\mathtt{01}$ and $\mathtt{10}$ are included