diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 57c4f22..fbe37ab 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -3843,11 +3843,11 @@ commitment at a 128-bit security level. Specifically, the internal hash of $\AuthPublic$ and $\NoteAddressRand$ is truncated to 128 bits (motivated by providing statistical hiding security). This allows an attacker, with a work factor on the order of $2^{64}$, to find distinct -values of $\NoteAddressRand$ with colliding outputs of the truncated -hash, and therefore the same \noteCommitment. This would have allowed -such an attacker to break the Balance property by double-spending -\notes, potentially creating arbitrary amounts of currency for themself -\cite{HW2016}. +pairs $(\AuthPublic, \NoteAddressRand)$ and $(\AuthPublic', \NoteAddressRand')$ +with colliding outputs of the truncated hash, and therefore the same +\noteCommitment. This would have allowed such an attacker to break the +Balance property by double-spending \notes, potentially creating arbitrary +amounts of currency for themself \cite{HW2016}. \Zcash uses a simpler construction with a single $\FullHashName$ evaluation for the commitment. The motivation for the nested construction in \Zerocash @@ -4121,6 +4121,9 @@ The errors in the proof of Ledger Indistinguishability mentioned in \begin{itemize} \item Explain a variation on the Faerie Gold attack and why it is prevented. + \item Generalize the description of the InternalH attack to include finding + collisions on $(\AuthPublic, \NoteAddressRand)$ rather than just on + $\NoteAddressRand$. \item Rename $\mathsf{enforce}_i$ to $\EnforceMerklePath{i}$. \end{itemize}
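Review bot: In the first hunk, the generalized wording "distinct pairs $(\AuthPublic, \NoteAddressRand)$ and $(\AuthPublic', \NoteAddressRand')$" should state that both pairs are chosen by the attacker, since the double-spend that breaks the Balance property requires spending both colliding \notes and therefore knowing the spending keys behind both $\AuthPublic$ and $\AuthPublic'$. A short clause such as "pairs ... (both chosen by the attacker)" after "find distinct" would make the precondition explicit; the $2^{64}$ work factor for the 128-bit truncated hash is unchanged by the generalization and can stay as written. It may also be worth saying that the original $\NoteAddressRand$-only case is the special case $\AuthPublic = \AuthPublic'$, so readers of the earlier wording see that it is subsumed rather than replaced.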
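Review bot: In the second hunk, the change-log item names the "InternalH attack", but the paragraph updated in the first hunk only speaks of "the internal hash" and never uses that name. Either introduce the name where the attack is described, or phrase the change-log entry in terms the body uses (for example, "the attack on the truncated internal hash described in \cite{HW2016}"), so the entry can be matched to the section it refers to.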