diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index c9f85191..b102640a 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -2688,10 +2688,10 @@ $(m^*, \sigma^*) \not\in \Oracle_{\sk}\mathsf{.}Q$.
 by removing the need for two oracles (since the oracle for original keys, called $\Oracle_1$ in \cite{FKMSSS2016}, is a special case of the oracle for randomized keys).
- \item The fact that
+ \item Since
 $\left(\SigRandomizePublic(\pk, \SigRandomness), \SigRandomizePrivate(\sk, \SigRandomness)\right) : \SigRandomness \leftarrowR \SigRandom$ is identically distributed to $\SigGen()$,
- implies that the combination of a re-randomized public key and signature(s)
+ the combination of a re-randomized public key and signature(s)
 under that key do not reveal the key from which it was re-randomized.
 \item Since $\SigRandomizePrivate(\paramdot, \SigRandomness)$ is injective and easily invertible, knowledge of $\SigRandomizePrivate(\sk, \SigRandomness)$
@@ -3050,7 +3050,7 @@ are derived as follows:
 \introlist
 $\AuthSignPublic$, $\AuthProvePublic$, and $\InViewingKey$ are then derived as follows:
-\begin{tabular}{@{\hskip 2em}r@{\;}l}
+\begin{tabular}{@{\hskip 1.7em}r@{\;}l}
 $\AuthSignPublic$ &$:= \scalarmult{\AuthSignPrivate}{\AuthSignBase}$ \\
 $\AuthProvePublic$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\
 $\InViewingKey$ &$:= \CRHivkBox{\crhivkinputbox}$.
@@ -3345,14 +3345,8 @@ $(\Diversifier, \DiversifiedTransmitPublic)$, and then performs the following st
 \NoteCommitSapling{\NoteCommitRandNew{\OutputIndex}}(\reprJOf{\DiversifiedTransmitBase}, \reprJOf{\DiversifiedTransmitPublic}, \ValueNew{\OutputIndex})$ \\[1ex]
- $\EphemeralPublic$ &$:= \KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase)$.
- \end{tabular}
-
- \item Calculate $\DHSecret{} \typecolon \AffineEdwardsJubjub$ using an
- Edwards scalar multiplication with cofactor 8:
-
- \begin{tabular}{@{\hskip 2em}r@{\;}l}
- $\DHSecret{}$ &$:= \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublic)$
+ $\EphemeralPublic$ &$:= \KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase)$ \\
+ $\DHSecret{}$ &$:= \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublic)$.
 \end{tabular}
 \item Let $\Key := \KDFSapling(\OutputIndex, \DHSecret{}, \EphemeralPublic)$.
@@ -3663,7 +3657,6 @@ For details of the form and encoding of proofs, see \crossref{phgr}.
 \sapling{
-\vspace{50ex}
 \introsection
 \subsubsection{\SpendStatement{} (\Sapling)} \label{spendstatement}
@@ -3707,8 +3700,8 @@ $\pack(\cmOld{}) = \NoteCommitSapling{\NoteCommitRandOld{}}(\DiversifiedTransmit
 \snarkcondition{Merkle path validity} \label{saplingmerklepathvalidity}
-$\treepath{}$ must be a valid \merklePath of depth $\MerkleDepthSapling$, as defined in
-\crossref{merklepath}, from $\cmOld{}$ to \noteCommitmentTree root $\rt$.
+$\treepath{}$ is a valid \merklePath, as defined in \crossref{merklepath}, of depth
+$\MerkleDepthSapling$ from $\cmOld{}$ to the \anchor $\rt$.
 \snarkcondition{Value commitment integrity} \label{saplingvaluecommitmentintegrity}
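Review bot: Merging the two tables drops the sentence stating that $\DHSecret{} \typecolon \AffineEdwardsJubjub$ is obtained by an Edwards scalar multiplication with cofactor 8, so this step of the procedure no longer gives the type of $\DHSecret{}$ nor says that the agreement multiplies by the cofactor. Whether the cofactor multiplication is still specified anywhere depends on the definition of $\KASaplingAgree$, which is outside this hunk; if that definition does not state it explicitly, keep a one-line remark after the table such as `\item $\DHSecret{} \typecolon \AffineEdwardsJubjub$ is computed by $\KASaplingAgree$ using an Edwards scalar multiplication with cofactor 8.` The enclosing enumerate starts before the hunk.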
@@ -3716,45 +3709,36 @@ $\cvOld{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{})$.
 \snarkcondition{Point validity checks} \label{saplingpointvalidity}
-$\AuthSignRandomizedPublicOld, \AuthSignPublic, \DiversifiedTransmitBase \in \GroupJ$.
-
-$\scalarmult{8}{\AuthSignRandomizedPublicOld} \neq \ZeroJ$.
-
-$\scalarmult{8}{\AuthSignPublic} \neq \ZeroJ$.
-
-$\scalarmult{8}{\DiversifiedTransmitBase} \neq \ZeroJ$.
+$\AuthSignRandomizedPublicOld, \AuthSignPublic, \DiversifiedTransmitBase \in \GroupJ$ and
+are not of small order, i.e.\ $\scalarmult{8}{\AuthSignRandomizedPublicOld} \neq \ZeroJ$
+and $\scalarmult{8}{\AuthSignPublic} \neq \ZeroJ$
+and $\scalarmult{8}{\DiversifiedTransmitBase} \neq \ZeroJ$.
 \snarkcondition{\Nullifier{} integrity} \label{saplingnullifierintegrity}
-$\nfOld{} = \PRFnfSapling{\AuthProvePublic}(\NoteAddressRand)$.
-
-where
+$\nfOld{} = \PRFnfSapling{\AuthProvePublic}(\NoteAddressRand)$ where
 \begin{formulae}
 \item $\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$
- \item $\NoteAddressRand = \MixingPedersenHash(\cmOld{}, \NotePosition)$
+ \item $\NoteAddressRand = \MixingPedersenHash(\cmOld{}, \NotePosition)$.
 \end{formulae}
 \snarkcondition{Spend authority} \label{saplingspendauthority}
-$\AuthSignRandomizedPublicOld = \AuthSignPublic + \scalarmult{\AuthSignRandomness}{\AuthSignBase}$
-
-where
+$\AuthSignRandomizedPublicOld = \AuthSignPublic + \scalarmult{\AuthSignRandomness}{\AuthSignBase}$ where
 \begin{formulae}
- \item $\AuthSignRandomizedPublicOld \typecolon \GroupJ = \abstJOf{\AuthSignRandomizedPublicOldRepr}$
- \item $\AuthSignPublic \typecolon \GroupJ = \abstJOf{\AuthSignPublicRepr}$
+ \item $\AuthSignRandomizedPublicOld \typecolon \GroupJ = \abstJOf{\strut\smash{\AuthSignRandomizedPublicOldRepr}}$
+ \item $\AuthSignPublic \typecolon \GroupJ = \abstJOf{\AuthSignPublicRepr}$.
 \end{formulae}
 \snarkcondition{Diversified address integrity} \label{saplingaddressintegrity}
-$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
-
-where
+$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$ where
 \begin{formulae}
 \item $\InViewingKey = \CRHivk(\AuthSignPublicRepr, \AuthProvePublicRepr)$
- \item $\DiversifiedTransmitBase = \abstJOf{\DiversifiedTransmitBaseRepr}$
+ \item $\DiversifiedTransmitBase = \abstJOf{\DiversifiedTransmitBaseRepr}$.
 \end{formulae}
@@ -4464,6 +4448,7 @@ We define $\MixingPedersenHash \typecolon \GroupJ \times \range{0}{\ParamJ{r}-1}
 \item $\MixingPedersenHash(P, x) := P + \scalarmult{x}{\NotePositionBase}$.
 \end{formulae}
+\vspace{-3ex}
 \securityrequirement{
 The function
 \begin{formulae}
@@ -4474,6 +4459,7 @@ The function must be \collisionResistant on $(r, M, x)$.
 }
+\vspace{2ex}
 See \crossref{cctmixinghash} for efficient circuit implementation of this function.
 } %sapling
@@ -6226,7 +6212,7 @@ The encoding of $\joinSplitPubKey$ and the data to be signed are specified in
 \end{consensusrules}
 In addition, consensus rules associated with each \joinSplitDescription (\crossref{joinsplitencoding})\sapling{,
-\spendDescription (\crossref{spendencoding}), and \outputDescription (\crossref{outputencoding})}
+each \spendDescription (\crossref{spendencoding}), and each \outputDescription (\crossref{outputencoding})}
 \MUST be followed.
 \begin{pnotes}
@@ -6384,7 +6370,7 @@ Consensus rules applying to a \spendDescription are given in \crossref{spenddesc
 Let $\LEBStoOSP{}{}$ be as defined in \crossref{endian}.
-An abstract \outputDescription, as described in \crossref{spendsandoutputs}, is encoded in
+An abstract \outputDescription, described in \crossref{spendsandoutputs}, is encoded in
 a \transaction as an instance of an \type{OutputDescription} type as follows:
 \begin{center}
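Review bot: The `\strut\smash{...}` wrapped around $\AuthSignRandomizedPublicOldRepr$ in the Spend authority list is a use-site layout fix that the sibling item $\AuthSignPublicRepr$ and the other occurrences of the same identifier in this hunk do not get, so one symbol will be set with different vertical metrics in different formulae. If the representation macro is too tall for the `\abstJOf{}` box, the adjustment belongs in the definition of \AuthSignRandomizedPublicOldRepr (outside this hunk) rather than in a single formula; otherwise drop the wrapper and write `\item $\AuthSignRandomizedPublicOld \typecolon \GroupJ = \abstJOf{\AuthSignRandomizedPublicOldRepr}$`. Merging the three small-order tests into one sentence reads well, and the individual $\scalarmult{8}{\cdot} \neq \ZeroJ$ conditions a prover implementation needs are all still stated. The enclosing \sapling{ block starts before this hunk and the statement continues after it.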
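Review bot: The added `\vspace{-3ex}` before `\securityrequirement{` here and the `\vspace{2ex}` after it in the -4474 hunk are manual body-level spacing, which usually means the environment's own vertical spacing is wrong; every other \securityrequirement in the document keeps the old spacing, and a font or margin change will require these two values to be re-tuned by hand. Prefer to fix the spacing once in the definition of \securityrequirement (outside this hunk), and if this instance genuinely needs a local correction, a comment such as `% local spacing tweak: \securityrequirement leaves too much space around a formulae list` records why the two \vspace lines exist. The enclosing \sapling{ block starts before the hunk.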