diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 105fe95a..83320d40 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -6455,7 +6455,7 @@ The encoding of a public key is as defined in \cite{BDLSY2012}. \sapling{ -\subsubsection{\RedDSAAndRedJubjub} \label{concreteredjubjub} +\subsubsection{\RedDSAAndRedJubjub} \label{concretereddsa} \label{concreteredjubjub} $\RedDSA$ is a Schnorr-based \signatureScheme, optionally supporting key re-randomization as described in \crossref{abstractsigrerand}. It also supports a @@ -9568,6 +9568,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \begin{itemize} \item No changes to \Sprout. +\sapling{ + \item Add cross references for parameters and functions used in $\RedDSA$ batch verification. +} %sapling \item \texttt{Makefile} changes: name the PDF file for the \Sprout version of the specification as \texttt{sprout.pdf}, and make \texttt{protocol.pdf} link to the \Sapling version. \end{itemize} 
@@ -11338,14 +11341,24 @@ cryptanalytic attention to confidently use them for \Sapling. \subsection{\RedDSAText{} batch verification} \label{reddsabatchverify} -The reference verification algorithm for $\RedDSA$ signatures is defined in \crossref{concreteredjubjub}. +The reference verification algorithm for $\RedDSA$ signatures is defined in \crossref{concretereddsa}. +Let the $\RedDSA$ parameters $\GroupG{}$ (defining a subgroup $\SubgroupG$ of order $\ParamG{r}$, +a cofactor $\ParamG{h}$, a group operation $+$, an additive identity $\ZeroG{}$, a bit-length $\ellG{}$, +a representation function $\reprG{}$, and an abstraction function $\abstG{}$); $\GenG{} \typecolon \GroupG{}$; +$\RedDSAHashLength \typecolon \Nat$; $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$; +and the derived hash function $\RedDSAHashToScalar \typecolon \byteseqs \rightarrow \GF{\ParamG{r}}$ +be as defined in that section. + +\vspace{2ex} Implementations \MAY alternatively use the optimized procedure described in this section to perform faster verification of a batch of signatures, i.e.\ to determine whether all signatures in a batch are valid. Its input is a sequence of $N$ \quotedterm{batch entries}, each of which is a (public key, message, signature) triple. \vspace{2ex} +Let $\LEOStoBSP{}$, $\LEOStoIP{}$, and $\LEBStoOSP{}$ be as defined in \crossref{endian}. + Define $\RedDSABatchEntry := \RedDSAPublic \times \RedDSAMessage \times \RedDSASignature$. \introlist
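Review bot: in the first hunk (`@@ -6455`), keeping `\label{concreteredjubjub}` next to the new `\label{concretereddsa}` is the right call, since both resolve to the same subsubsection and any `\crossref{concreteredjubjub}` not retargeted by this patch keeps working; it would help a future editor to add a short `%` comment on that line saying that `concretereddsa` is now the preferred label and the old one is retained only for existing references, so neither label is dropped by accident later.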
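Review bot: the change-log item in the second hunk (`@@ -9568`) describes only the added cross references, but the same patch also introduces the `concretereddsa` label alias in the first hunk; since the log is meant to be a complete record of edits to the \Sapling text, consider extending the item, e.g. "Add cross references for parameters and functions used in $\RedDSA$ batch verification, and a \texttt{concretereddsa} label for the \RedDSA section."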
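Review bot: in the third hunk (`@@ -11338`) the imported definitions are split into two places: the parameter paragraph ("Let the $\RedDSA$ parameters ... be as defined in that section.") sits before "Implementations \MAY alternatively use ...", while "Let $\LEOStoBSP{}$, $\LEOStoIP{}$, and $\LEBStoOSP{}$ be as defined in \crossref{endian}." is added after it, just before `Define $\RedDSABatchEntry`; moving the endian sentence up to follow the parameter paragraph (before the first `\vspace{2ex}`) keeps all preliminaries together and lets the \MAY paragraph lead directly into the definition. The parameter sentence itself is also one long semicolon-separated list with a nested parenthetical; splitting it into two sentences (group parameters first, then $\GenG{}$, $\RedDSAHashLength$, $\RedDSAHash$, and $\RedDSAHashToScalar$) would make it easier to check against the algorithm that follows.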