diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 5b2ceab..b696673 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -3298,6 +3298,7 @@ A \block satisfies the Proof of Work if and only if: \end{itemize} +\introsection \nsubsubsection{Equihash} \label{equihash} An instance of the Equihash algorithm is parameterized by positive integers $n$ and $k$, @@ -3346,16 +3347,21 @@ $\vxor{j=1}{2^k} X_{i_j} = 0$. \subparagraph{Algorithm Binding conditions} \introlist -For all $r \in \range{1}{k\!-\!1}$, for all $w \in \range{0}{2^{k-r}\!-\!1}$: \begin{itemize} - \item $\vxor{j=1}{2^r} X_{i_{w \mult 2^r + j}}$ has $\frac{n \mult r}{k+1}$ leading zeroes; and - \item $i_{w \mult 2^r + 1 .. w \mult 2^r + 2^{r-1}} < i_{w \mult 2^r + 2^{r-1} + 1 .. w \mult 2^r + 2^r}$ lexicographically. + \item For all $r \in \range{1}{k\!-\!1}$, for all $w \in \range{0}{2^{k-r}\!-\!1}: + \vxor{j=1}{2^r} X_{i_{w \mult 2^r + j}}$ has $\frac{n \mult r}{k+1}$ leading zeroes; and + \item For all $r \in \range{1}{k}$, for all $w \in \range{0}{2^{k-r}\!-\!1}: + i_{w \mult 2^r + 1 .. w \mult 2^r + 2^{r-1}} < + i_{w \mult 2^r + 2^{r-1} + 1 .. w \mult 2^r + 2^r}$ lexicographically. \end{itemize} -\pnote{ -This does not include a difficulty condition, because here we are defining validity -of an Equihash solution independent of difficulty. -} +\begin{pnotes} + \item This does not include a difficulty condition, because here we are + defining validity of an Equihash solution independent of difficulty. + \item Previous versions of this specification incorrectly specified the + range of $r$ to be $\range{1}{k\!-\!1}$ for both parts of the algorithm + binding condition. The implementation in \zcashd was as intended. +\end{pnotes} \introlist An Equihash solution with $n = 200$ and $k = 9$ is encoded in the $\solution$ 
@@ -3944,9 +3950,10 @@ to 254 bits in the input to $\PRFsn{}$ (which corresponds to $\PRFnf{}$ in \Zcas Also, $\hSig$ is truncated from 256 to 253 bits in the input to $\PRFpk{}$. These truncations are not taken into account in the security proofs. -\introlist Both truncations affect the validity of the proof sketch for Lemma D.2 in the proof of Ledger Indistinguishability in \cite[Appendix D]{BCG+2014}. + +\introlist In more detail: \begin{itemize} @@ -4186,6 +4193,8 @@ The errors in the proof of Ledger Indistinguishability mentioned in \subparagraph{2017.0-beta-2.7} \begin{itemize} + \item Fix an off-by-one error in the specification of the Equihash algorithm + binding condition. (The implementation in \zcashd was as intended.) \item Correct the types and consensus rules for \transactionVersionNumbers and \blockVersionNumbers. (Again, the implementation in \zcashd was as intended.)
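Review bot: in the Algorithm Binding conditions hunk (@@ -3346,16 +3347,21 @@), the second new pnotes item says the range of $r$ was wrong "for both parts" but does not say which part changed or why the first part keeps $\range{1}{k\!-\!1}$. Suggest stating that only the lexicographic ordering condition is extended to $r = k$, and that the leading-zeroes condition stops at $k-1$ because the $r = k$ case is the full condition $\vxor{j=1}{2^k} X_{i_j} = 0$ stated just above. Separately, in both new \item lines the colon now sits inside math mode (the line ends `2^{k-r}\!-\!1}:` and the math continues on the next line), whereas the removed line closed the math first (`2^{k-r}\!-\!1}$:`); closing the math before the colon would keep the original text spacing.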
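Review bot: in the 2017.0-beta-2.7 changelog hunk (@@ -4186,6 +4193,8 @@), the new entry says "off-by-one error in the specification of the Equihash algorithm binding condition" without naming which of the two conditions or which bound was affected. Suggest naming the ordering condition and the change of the upper bound of $r$ from $k-1$ to $k$, so the entry can be checked against the Equihash section without rereading the diff.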