diff --git a/protocol/protocol.pdf b/protocol/protocol.pdf
index a49298ef..1ae87fb5 100644
Binary files a/protocol/protocol.pdf and b/protocol/protocol.pdf differ
diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index c2e84d90..670475d1 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -117,6 +117,7 @@
 \newcommand{\shared}{\mathsf{shared}}
 \newcommand{\DHSecret}[1]{\mathsf{dhsecret}_{#1}}
 \newcommand{\EphemeralPublic}{\mathsf{epk}}
+\newcommand{\EphemeralPublicCompare}{\mathsf{epk}^*}
 \newcommand{\EphemeralPrivate}{\mathsf{esk}}
 \newcommand{\TransmitPublic}{\mathsf{pk_{enc}}}
 \newcommand{\TransmitPublicNew}[1]{\mathsf{pk^{new}_{\enc,\mathnormal{#1}}}}
@@ -1019,11 +1020,13 @@ and $\EphemeralPrivate$ from $\SharedPlaintext{}$.
 \begin{itemize}
  \item Let $\CoinPlaintext{i} := \DecryptCoin(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i})$.
+ \item Let $\EphemeralPublicCompare := \CurveMultiply(\EphemeralPrivate, \CurveBase)$.
  \item Let $\DHSecret{i} := \CurveMultiply(\EphemeralPrivate, \TransmitPublicNew{i})$.
  \item Let $\TransmitKeyCompare{i} := \KDF(\DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}, i)$.
- \item If $\CoinPlaintext{i} \neq \bot$ and
-$\TransmitKeyCompare{i} \neq \TransmitKey{i}$ then set the \memo
+ \item If $\CoinPlaintext{i} \neq \bot$ and either
+($\TransmitKeyCompare{i} \neq \TransmitKey{i}$ or
+$\EphemeralPublicCompare \neq \EphemeralPublic$), then set the \memo
 of $\CoinPlaintext{i}$ to be $\bot$ (indicating that, although this is
 a valid coin, the recipient would not have been able to decrypt it, and
 that the \memo cannot be verified).
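Review bot: The new test `$\EphemeralPublicCompare \neq \EphemeralPublic$` in the last item of the second hunk does not say whether the two values are compared as curve points or as their encodings, and since $\EphemeralPublic$ presumably reaches the recipient in encoded form, a non-canonical encoding of the same point would pass under one reading and fail under the other. The item introducing the recomputed key should fix the comparison domain, e.g. `\item Let $\EphemeralPublicCompare := \CurveMultiply(\EphemeralPrivate, \CurveBase)$, to be compared with $\EphemeralPublic$ as [points or encodings — choose one].` $\EphemeralPublicCompare$ also does not depend on $i$, so if these items are evaluated once per coin (any enclosing loop lies outside the hunk, as does the text deriving $\EphemeralPrivate$ from $\SharedPlaintext{}$), the new item can be stated once before the per-$i$ items rather than recomputed each time. Minor wording: `and either (A or B), then` is redundant; `and (A or B), then` reads more cleanly.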