diff --git a/protocol/protocol.tex b/protocol/protocol.tex index b13d2fe8..89525049 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -985,7 +985,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\merkleIndex}{\termandindex{index}{index (of a Merkle tree node)}} \newcommand{\merkleIndices}{\termandindex{indices}{index (of a Merkle tree node)}} \newcommand{\zkSNARK}{\termandindex{zk-SNARK}{proving system (preprocessing zk-SNARK)}} -\newcommand{\zkSNARKs}{\termandindex{zk-SNARK}{proving system (preprocessing zk-SNARK)}} +\newcommand{\zkSNARKs}{\termandindex{zk-SNARKs}{proving system (preprocessing zk-SNARK)}} \newcommand{\zkProof}{\termandindex{zk proof}{zk-SNARK proof}} \newcommand{\zkSNARKProof}{\term{zk-SNARK proof}} \newcommand{\zkSNARKProofs}{\terms{zk-SNARK proof}} @@ -4906,8 +4906,8 @@ according to client implementation. The net value of \spendTransfers minus \outputTransfers in a \transaction is called the \defining{\balancingValue}, measured in \zatoshi as a signed integer $\vBalance$. -$\vBalance$ is encoded explicitly in a \transaction as the field \valueBalance{}; -see \crossref{txnencoding}. +$\vBalance$ is encoded explicitly in a \transaction as the field \valueBalance{}. (Transaction +fields are described in \crossref{txnencoding}.) A positive $\balancingValue$ takes value from the \defining{\SaplingTxValuePool} and adds it to the \transparentTxValuePool. A negative $\balancingValue$ does the reverse. 
@@ -8289,9 +8289,10 @@ verifier \MUST check, for the encoding of each element, that: After \Sapling activation, \Zcash uses \zkSNARKs with the \defining{\Groth} \provingSystem described in \cite{BGM2017}, which is a modification of the system in \cite{Groth2016}. An independent -security proof of this system and its setup is given in \cite{Maller2018}. These \zkSNARKs are used in -\transactionVersion 4 and later (\crossref{txnencoding}) for proofs both in \Sprout -\joinSplitDescriptions, and in \Sapling{} \spendDescriptions and \outputDescriptions. +security proof of this system and its setup is given in \cite{Maller2018}. + +\Groth \zkSNARKProofs are used in \transactionVersion 4 and later (\crossref{txnencoding}), +both in \Sprout \joinSplitDescriptions and in \Sapling{} \spendDescriptions and \outputDescriptions. They are generated by the \defining{\bellman} library \cite{Bowe-bellman}. A \Groth proof consists of @@ -8542,13 +8543,15 @@ for both \Mainnet and \Testnet. \lsubsubsection{\SproutOrNothingText{} Payment Addresses}{sproutpaymentaddrencoding} +Let $\KASprout$ be as defined in \crossref{concretesproutkeyagreement}. + A \SproutOrNothing{} \defining{\paymentAddress} consists of $\AuthPublic \typecolon \PRFOutputSprout$ and $\TransmitPublic \typecolon \KASproutPublic$. $\AuthPublic$ is a \shaCompress output. -$\TransmitPublic$ is a $\KASproutPublic$ key (see \crossref{concretesproutkeyagreement}), -for use with the encryption scheme defined in \crossref{sproutinband}. These -components are derived from a \spendingKey as described in \crossref{sproutkeycomponents}. +$\TransmitPublic$ is a $\KASproutPublic$ key, for use with the encryption scheme defined in +\crossref{sproutinband}. These components are derived from a \spendingKey as described in +\crossref{sproutkeycomponents}. \introlist The \rawEncoding of a \SproutOrNothing{} \paymentAddress consists of: 
@@ -8587,6 +8590,8 @@ cause the first two characters of the Base58Check encoding to be fixed as \sapling{ \lsubsubsection{\SaplingText{} Payment Addresses}{saplingpaymentaddrencoding} +Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}. + A \Sapling{} \defining{\paymentAddress} consists of $\Diversifier \typecolon \DiversifierType$ and $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeOrder$. @@ -8624,13 +8629,15 @@ For addresses on \Testnet, the \humanReadablePart is \ascii{ztestsapling}. \lsubsubsection{\SproutOrNothingText{} Incoming Viewing Keys}{sproutinviewingkeyencoding} \changed{ +Let $\KASprout$ be as defined in \crossref{concretesproutkeyagreement}. + \sprout{An}\notsprout{A \Sprout} \defining{\incomingViewingKey} consists of $\AuthPublic \typecolon \PRFOutputSprout$ and $\TransmitPrivate \typecolon \KASproutPrivate$. $\AuthPublic$ is a \shaCompress output. -$\TransmitPrivate$ is a $\KASproutPrivate$ key (see \crossref{concretesproutkeyagreement}), -for use with the encryption scheme defined in \crossref{sproutinband}. These -components are derived from a \spendingKey as described in \crossref{sproutkeycomponents}. +$\TransmitPrivate$ is a $\KASproutPrivate$ key, for use with the encryption scheme defined in +\crossref{sproutinband}. These components are derived from a \spendingKey as described in +\crossref{sproutkeycomponents}. \introlist The \rawEncoding of \sprout{an}\notsprout{a \Sprout} \incomingViewingKey consists of, in order: @@ -8677,6 +8684,8 @@ cause the first four characters of the Base58Check encoding to be fixed as \sapling{ \lsubsubsection{\SaplingText{} Incoming Viewing Keys}{saplinginviewingkeyencoding} +Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}. + Let $\InViewingKeyLength$ be as defined in \crossref{constants}. A \Sapling{} \defining{\incomingViewingKey} consists of $\InViewingKey \typecolon \InViewingKeyTypeSapling$. 
@@ -8712,6 +8721,8 @@ For \incomingViewingKeys on \Testnet, the \humanReadablePart is \ascii{zivktests \sapling{ \lsubsubsection{\SaplingText{} Full Viewing Keys}{saplingfullviewingkeyencoding} +Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}. + A \Sapling{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon \SubgroupJstar$, $\AuthProvePublic \typecolon \SubgroupJ$, and $\OutViewingKey \typecolon \byteseq{\OutViewingKeyLength/8}$.
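Review bot: In the hunk at @@ -8289, the new sentence starts with \Groth \zkSNARKProofs, so the word break depends on \Groth restoring the space that TeX drops after a control word. The same hunk writes \Sapling{} \spendDescriptions with explicit braces but \Sprout \joinSplitDescriptions without, so the convention is mixed even within these lines. Check the rendered output for a missing space, or write \Groth{} \zkSNARKProofs to match the \Sapling{} form. The unchanged sentence "They are generated by the \defining{\bellman} library" now refers to the proofs rather than the proving system, which still reads correctly.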
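Review bot: In the hunk at @@ -8542 (Sprout payment addresses), the added Let line introduces $\KASprout$, but the paragraph only names $\KASproutPublic$, and the inline "(see \crossref{concretesproutkeyagreement})" that tied that type to its definition is removed. A reader now has to infer that $\KASproutPublic$ comes from the $\KASprout$ scheme. Consider naming the derived type in the Let line, or keeping a short pointer at its first use. The same applies to $\KASproutPrivate$ in the hunk at @@ -8624 and to $\KASaplingPublicPrimeOrder$ in the hunk at @@ -8587.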
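Review bot: In the hunk at @@ -8677 (Sapling incoming viewing keys), the added "Let $\KASapling$ be as defined in ..." has no visible use in the context lines, where the key is typed as $\InViewingKey \typecolon \InViewingKeyTypeSapling$. Confirm that $\KASapling$ or one of its associated types is referenced later in this subsection. If it is not, drop the line so the Let preamble lists only symbols the section uses.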
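Review bot: In the hunk at @@ -8712 (Sapling full viewing keys), the context uses $\OutViewingKeyLength$ in \byteseq{\OutViewingKeyLength/8} without a Let line, whereas the preceding subsection has "Let $\InViewingKeyLength$ be as defined in \crossref{constants}". Since this change is making the Let preambles consistent, add the matching line for $\OutViewingKeyLength$ here. As with the @@ -8677 hunk, none of the visible component types ($\SubgroupJstar$, $\SubgroupJ$, the byte sequence) is written in terms of $\KASapling$, so verify that the new Let is needed in this subsection.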