diff --git a/protocol/protocol.tex b/protocol/protocol.tex index a4c98e9..60a9c39 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -664,6 +664,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ZKSatisfying}{\mathsf{ZK.SatisfyingInputs}} \newcommand{\ZKProve}[1]{\mathsf{ZK.}\mathtt{Prove}_{#1}} \newcommand{\ZKVerify}[1]{\mathsf{ZK.}\mathtt{Verify}_{#1}} +\newcommand{\Simulator}{\mathcal{S}} +\newcommand{\Distinguisher}{\mathcal{D}} \newcommand{\JoinSplit}{\text{\footnotesize\texttt{JoinSplit}}} \newcommand{\ZKJoinSplit}{\mathsf{ZK}_{\JoinSplit}} \newcommand{\ZKJoinSplitVerify}{\ZKJoinSplit\mathsf{.Verify}} @@ -673,6 +675,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\JoinSplitProof}{\Proof_{\JoinSplit}} \newcommand{\zkproof}{\mathtt{zkproof}} \newcommand{\POUR}{\texttt{POUR}} +\newcommand{\Prob}[2]{\mathrm{Pr}\scalebox{0.88}{\ensuremath{ + \left[\!\!\begin{array}{c}#1\end{array} \middle| \begin{array}{l}#2\end{array}\!\!\right] +}}} % JoinSplit \newcommand{\hSig}{\mathsf{h_{Sig}}} 
@@ -1493,8 +1498,18 @@ a type of commitments $\CommitOutput$, and a type of \commitmentTrapdoors $\CommitTrapdoor$. Let $\Commit{} \typecolon \CommitTrapdoor \times \CommitInput \rightarrow \CommitOutput$ -be a function satisfying the security requirements of computational hiding -and computational binding, as defined in \todo{need reference}. +be a function satisfying the security requirements below. + +\begin{securityrequirements} + \item \textbf{Computational hiding:} For all $x, x' \typecolon \CommitInput$, + the distributions $\{\; \Commit{r}(x) \;|\; r \leftarrowR \CommitTrapdoor \;\}$ + and $\{\; \Commit{r}(x') \;|\; r \leftarrowR \CommitTrapdoor \;\}$ are + computationally indistinguishable. + \item \textbf{Computational binding:} It is infeasible to find + $x, x' \typecolon \CommitInput$ and + $r, r' \typecolon \CommitTrapdoor$ + such that $x \neq x'$ and $\Commit{r}(x) = \Commit{r'}(x')$. +\end{securityrequirements} \nsubsubsection{\ZeroKnowledgeProvingSystem} \label{abstractzk} 
@@ -1533,19 +1548,44 @@ $x \typecolon \ZKPrimary$ and proof $\Proof \typecolon \ZKProof$ such that $\ZKV there is an efficient extractor $E_{\Adversary}$ such that if $E_{\Adversary}(\vk, \pk)$ returns $w$, then the probability that $(x, w) \not\in \ZKSatisfying$ is negligable. \item \textbf{Statistical Zero Knowledge:} An honestly generated proof is statistical -zero knowledge. \todo{Full definition.} +zero knowledge. That is, there is a feasible stateful simulator $\Simulator$ such that, +for all stateful distinguishers $\Distinguisher$, the following two probabilities are +negligibly close: +\vspace{0.5ex} + +$\;\;\Prob{ + (x, w) \in \ZKSatisfying \\ + \Distinguisher(\Proof) = 1 +}{ + (\pk, \vk) \leftarrowR \ZKGen() \\ + (x, w) \leftarrowR \Distinguisher(\pk, \vk) \\ + \Proof \leftarrowR \ZKProve{\pk}(x, w) +} +\text{\; and \;} +\Prob{ + (x, w) \in \ZKSatisfying \\ + \Distinguisher(\Proof) = 1 +}{ + (\pk, \vk) \leftarrowR \Simulator() \\ + (x, w) \leftarrowR \Distinguisher(\pk, \vk) \\ + \Proof \leftarrowR \Simulator(x) +}$ \end{securityrequirements} These definitions are derived from those in \cite[Appendix C]{BCTV2014}, adapted to -state concrete rather than asymptotic security. ($\ZKProve{}$ corresponds to $P$, -$\ZKVerify{}$ corresponds to $V$, and $\ZKSatisfying$ corresponds to $\mathcal{R}_C$ -in the notation of that appendix.) +state concrete security for a fixed circuit, rather than asymptotic security for +arbitrary circuits. ($\ZKProve{}$ corresponds to $P$, $\ZKVerify{}$ corresponds to $V$, +and $\ZKSatisfying$ corresponds to $\mathcal{R}_C$ in the notation of that appendix.) The Proof of Knowledge definition is a way to formalize the property that it is infeasible to find a new proof $\Proof$ where $\ZKVerify{\vk}(x, \Proof) = 1$ without \emph{knowing} an \auxiliaryInput $w$ such that $(x, w) \in \ZKSatisfying$. 
-(It is possible to replay proofs, but informally, a proof for a given $(x, w)$ gives -no information that helps to find a proof for other $(x, w)$.) +Note that Proof of Knowledge implies Soundness --- i.e.\ the property that it is +infeasible to find a new proof $\Proof$ where $\ZKVerify{\vk}(x, \Proof) = 1$ without +\emph{there existing} an \auxiliaryInput $w$ such that $(x, w) \in \ZKSatisfying$. + +It is possible to replay proofs, but informally, a proof for a given $(x, w)$ gives +no information that helps to find a proof for other $(x, w)$. The \provingSystem is instantiated in \crossref{proofs}. $\ZKJoinSplit$ refers to this \provingSystem specialized to the \joinSplitStatement @@ -4035,6 +4075,15 @@ The errors in the proof of Ledger Indistinguishability mentioned in \introlist \nsection{Change history} +\subparagraph{2017.0-beta-2.2} + +\begin{itemize} + \item Give definitions of computational binding and computational hiding + for commitment schemes. + \item Give a definition of statistical zero knowledge. +\end{itemize} + +\introlist \subparagraph{2017.0-beta-2.1} \begin{itemize}
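Review bot: in the hunk at `@@ -673,6 +675,9 @@`, the new `\Prob` macro relies on `\scalebox` (graphicx) and `\middle` (e-TeX), but the patch adds no `\usepackage`; confirm `protocol.tex` already loads graphicx, otherwise the first use of `\Prob` in the zero-knowledge hunk will fail to compile. A one-line comment above the macro naming that dependency would save the next editor a build failure.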
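Review bot: in the hunk at `@@ -1493,8 +1498,18 @@`, the new hiding and binding definitions are stated asymptotically ("computationally indistinguishable", "infeasible"), while the zero-knowledge hunk in the same patch changes the surrounding text to say these definitions "state concrete security for a fixed circuit, rather than asymptotic security"; pick one. Either give the concrete form (a bound on the distinguisher's advantage for hiding, and on the probability of finding `x \neq x'` with `\Commit{r}(x) = \Commit{r'}(x')` for binding, as a function of the adversary's resources) or say explicitly that the commitment requirements are asymptotic. The removed `\todo{need reference}` should also be replaced by a citation for the standard definitions rather than dropped.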
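Review bot: in the hunk at `@@ -1533,19 +1548,44 @@`, the statistical zero knowledge definition quantifies over "all stateful distinguishers $\Distinguisher$" without saying whether $\Distinguisher$ is computationally bounded; for *statistical* zero knowledge only the simulator $\Simulator$ is required to be feasible and the distinguisher may be unbounded, otherwise this reads as computational zero knowledge. Suggest "for all (possibly computationally unbounded) stateful distinguishers $\Distinguisher$". "Negligibly close" is likewise asymptotic while the paragraph that follows claims concrete security for a fixed circuit; a bound on the statistical distance between the two distributions would match that claim. The unchanged context line of this hunk also carries the typo "negligable" in the Proof of Knowledge item, worth fixing while this block is being edited.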
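Review bot: in the hunk that replaces the "(It is possible to replay proofs ...)" paragraph, Soundness is introduced only informally inside a "Note that" sentence, while every other security property in this section is a formal item in the `securityrequirements` list; either add Soundness as an item (or a cited definition) so that "Proof of Knowledge implies Soundness" is a statement about two defined properties, or mark it as an informal remark. The replay sentence that was previously in parentheses now stands as its own paragraph; keep the "(x, w)" in "a proof for other $(x, w)$" consistent with the primary/auxiliary-input terminology used just above it.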
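Review bot: the `2017.0-beta-2.2` change-history hunk lists only the commitment and statistical zero knowledge definitions, but this patch also adds the note that Proof of Knowledge implies Soundness and rewords the BCTV2014 comparison to "concrete security for a fixed circuit, rather than asymptotic security for arbitrary circuits"; add bullets for both so the change history matches the diff.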