diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 6d9fdf40..6e92bf70 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex 
@@ -9481,19 +9481,23 @@ distinct openings of the \noteCommitment when Condition I or II is violated. The inventors of \Zerocash are Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars -Virza. +Virza. The designers of the \Zcash protocol are the \Zerocash inventors +and also Daira Hopwood, Sean Bowe, Jack Grigg, Simon Liu, Taylor Hornby, +Nathan Wilcox, Zooko Wilcox, Jay Graber, Ariel Gabizon, and George Tankersley. +The Equihash proof-of-work algorithm was designed by Alex Biryukov and +Dmitry Khovratovich. -The authors would like to thank everyone with whom they have discussed -the \Zerocash protocol design; in addition to the inventors, this includes -Mike Perry, Isis Lovecruft, Leif Ryge, Andrew Miller, Zooko Wilcox, -Samantha Hulsey, Jack Grigg, Simon Liu, Ariel Gabizon, jl777, Ben Blaxill, -Alex Balducci, Jake Tarren, Solar Designer, Ling Ren, Alison Stevenson, -John Tromp, Paige Peterson, Maureen Walsh, Jay Graber, Jack Gavigan, -Filippo Valsorda, Zaki Manian, George Tankersley, Tracy Hu, Brian Warner, -Mary Maller, Michael Dixon, Andrew Poelstra, and no doubt others. +The authors would like to thank everyone with whom they have discussed the +\Zerocash and \Zcash protocol designs; in addition to the preceding, this +includes Mike Perry, Isis Lovecruft, Leif Ryge, Andrew Miller, Samantha Hulsey, +jl777, Ben Blaxill, Alex Balducci, Jake Tarren, Solar Designer, Ling Ren, +Alison Stevenson, John Tromp, Paige Peterson, Maureen Walsh, Jack Gavigan, +Filippo Valsorda, Zaki Manian, Tracy Hu, Brian Warner, Mary Maller, +Michael Dixon, Andrew Poelstra, and no doubt others. We would also like to +thank the designers and developers of \Bitcoin. \Zcash has benefited from security audits performed by NCC Group, Coinspect, -and Least Authority. +Least Authority, Mary Maller, and Kudelski Security. 
The Faerie Gold attack was found by Zooko Wilcox; subsequent analysis of variations on the attack was performed by Daira Hopwood and Sean Bowe. @@ -9509,6 +9513,18 @@ Daira Hopwood, Sean Bowe, and Jack Grigg. A potential attack linking \diversifiedPaymentAddresses, avoided in the adopted design, was found by Brian Warner.} +Numerous people have contributed to the science of zero-knowledge proving +systems, but we would particularly like to acknowledge the work of +Shafi Goldwasser, Silvio Micali, Oded Goldreich, Rosario Gennaro, +Bryan Parno, Jon Howell, Craig Gentry, Mariana Raykova, and Jens Groth. + +Many of the ideas used in \Zcash{} ---including the use of zero-knowledge proofs +to resolve the tension between privacy and auditability, Merkle trees over +note commitments\notsprout{ (using Pedersen hashes as in \Sapling)}, +and the use of ``serial numbers'' or \nullifiers to detect or prevent +double-spends--- were first applied to privacy-preserving digital currencies +by Tomas Sander and Amnon Ta–Shma. To a large extent \Zcash is a refinement +of their ``Auditable, Anonymous Electronic Cash'' proposal in \cite{ST1999}. \notsprout{ Finally, we would like to thank the Internet Archive for their scan of 
@@ -9533,6 +9549,12 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. of shielded \transactions. \item Correct the definition of set difference ($S \setminus T$). \item Add a note concerning malleability of \zeroKnowledgeProofs. + \item Clarify attribution of the \Zcash protocol design. + \item Acknowledge Alex Biryukov and Dmitry Khovratovich as the designers of Equihash. + \item Acknowledge Shafi Goldwasser, Silvio Micali, Oded Goldreich, Rosario Gennaro, Bryan Parno, Jon Howell, + Craig Gentry, Mariana Raykova, and Jens Groth for their work on zero-knowledge proving systems. + \item Acknowledge Tomas Sander and Amnon Ta–Shma for \cite{ST1999}. + \item Acknowledge Kudelski Security's audit. \sapling{ \item Use the more precise subgroup types $\SubgroupG$ and $\SubgroupJ$ in preference to $\GroupG{}$ and $\GroupJ$ where applicable. diff --git a/protocol/zcash.bib b/protocol/zcash.bib index ef8825e8..3fb0ae97 100644 --- a/protocol/zcash.bib +++ b/protocol/zcash.bib @@ -1091,3 +1091,22 @@ Proceedings of the 14th Annual International Cryptology Conference url={https://archive.org/details/throughlookinggl00carr4}, urldate={2018-06-20} } + +@inproceedings{ST1999, + presort={ST1999}, + author={Tomas Sander and Amnon Ta--Shma}, + title={Auditable, {A}nonymous {E}lectronic {C}ash}, + year={1999}, + booktitle={Advances in Cryptology - CRYPTO~'99. +Proceedings of the 19th Annual International Cryptology Conference +(Santa Barbara, California, USA, August~15--19, 1999)}, + volume={1666}, + series={Lecture Notes in Computer Science}, + editor={Michael Wiener}, + pages={555--572}, + publisher={Springer}, + isbn={978-3-540-66347-8}, + doi={10.1007/3-540-48405-1_35}, + url={https://link.springer.com/content/pdf/10.1007/3-540-48405-1_35.pdf}, % not paywalled + urldate={2018-06-05} +}
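Review bot: In the first protocol.tex hunk (the acknowledgements at 9481), "in addition to the preceding" is now ambiguous, since the preceding paragraph names both the Zerocash inventors and the Zcash designers and the old text said "in addition to the inventors"; consider "in addition to the inventors and designers named above". Also, Mary Maller now appears both in the general thanks list and in the security-audit sentence ("Least Authority, Mary Maller, and Kudelski Security"); if the audit credit is the intended one, the duplicate entry in the thanks list could be dropped, and if both are intended it would help to say what the audit covered so a reader does not assume it was a full-scope audit like the others listed.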
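Review bot: In the second protocol.tex hunk (at 9509), the dash spacing in the Sander and Ta-Shma paragraph is inconsistent: `\Zcash{} ---including the use of zero-knowledge proofs` puts a space before the opening em-dash and none after it, while `double-spends--- were first applied` does the reverse. Pick one convention (unspaced `---` on both sides is the usual LaTeX form) so the parenthetical renders symmetrically. The same hunk writes the author's name with a literal Unicode en-dash ("Amnon Ta–Shma"), whereas the .bib entry in this patch uses `Ta--Shma`; using `Ta--Shma` in the .tex as well keeps the two consistent and avoids depending on the input-encoding setup to render the character.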
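Review bot: The changelog hunk (at 9533) under-documents the first hunk: it records "Acknowledge Kudelski Security's audit" but the acknowledgements change also adds Mary Maller to the list of audit performers, and that is not mentioned in the change list. Either add her to that changelog item (e.g. "Acknowledge the audits by Mary Maller and Kudelski Security.") or, if the audit credit is not meant to stand on its own, revisit the first hunk. The item "Acknowledge Tomas Sander and Amnon Ta–Shma for \cite{ST1999}." has the same literal en-dash as the body text and should use `Ta--Shma` for consistency with the bibliography entry.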
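Review bot: In the zcash.bib hunk, the new `ST1999` entry carries a trailing `% not paywalled` comment inside the entry body and a `presort` field. `presort` is a biblatex field, and an in-entry `%` comment is tolerated by biber but is not part of classic BibTeX's entry syntax, so this is fine only if the build already goes through biber; since the surrounding entries in this file presumably follow the same convention, it is worth confirming rather than assuming. Separately, the `url` is a direct link to a PDF (`https://link.springer.com/content/pdf/10.1007/3-540-48405-1_35.pdf`) while the `doi` already resolves to the same paper; if the intent of the comment is to flag an open-access copy, consider stating that in the field itself (e.g. via a `note`) rather than in a comment that does not survive into the rendered bibliography.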