diff --git a/draft-irtf-cfrg-det-sigs-with-noise.md b/draft-irtf-cfrg-det-sigs-with-noise.md index aedf9db..1a44d37 100644 --- a/draft-irtf-cfrg-det-sigs-with-noise.md +++ b/draft-irtf-cfrg-det-sigs-with-noise.md @@ -505,8 +505,11 @@ d. Set: ~~~~~~~~~~~~~~~~~~~~~~~ f. Set: - K = HMAC_K(V || 0x01 || Z || 000... || int2octets(x) || + K = HMAC_K(V || 0x01 || Z2 || 000... || int2octets(x) || 000... || bits2octets(h1)) + + Note that the "internal octet" is 0x01 this time and that Z + is newly generated random data, i.e., not reused from step (d). ~~~~~~~~~~~~~~~~~~~~~~~ When ECDSA is used with SHAKE {{SHA3}} the HMAC construction above MAY be used but it is RECOMMENDED to use the more efficient KMAC construction {{KMAC}}. SHAKE is a variable-length hash function defined as SHAKE(M, d) where the output is a d-bits-long digest of message M. When ECDSA is used with SHAKE128(M, d), it is RECOMMENDED to replace HMAC(K, M) with KMAC128(K, M, d, ""). When ECDSA is used with SHAKE256(M, d), it is RECOMMENDED to replace HMAC(K, M) with KMAC256(K, M, d, ""). {{RFC8692}} and {{FIPS-186-5}} define the use of SHAKE128 with an output length of 256 bits and SHAKE256 with an output length or 512 bits.
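Review bot: The added note in step (f) says "Z is newly generated random data", but the changed formula on the line above it now names that input Z2, so the note refers to a symbol the formula no longer uses. Suggest wording it as "Z2 is newly generated random data, i.e., not reused from Z in step (d)", so the reader can see which value must be fresh and which one it must differ from. Since the freshness of this value is the point of the change, it would also help to state it as a requirement rather than only inside a "Note that" remark in the preformatted block. Separately, the unchanged context paragraph at the end reads "an output length or 512 bits", which looks like a typo for "of 512 bits" and could be fixed in the same patch.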