diff --git a/draft-irtf-cfrg-det-sigs-with-noise.md b/draft-irtf-cfrg-det-sigs-with-noise.md index 0a38ccb..e8252b0 100644 --- a/draft-irtf-cfrg-det-sigs-with-noise.md +++ b/draft-irtf-cfrg-det-sigs-with-noise.md @@ -482,18 +482,18 @@ For Deterministic ECDSA: In existing ECDSA deployments where side-channel and fa ~~~~~~~~~~~~~~~~~~~~~~~ d. Set: - K = HMAC_K(V || 0x00 || Z || 000... || int2octets(x) || 000... + K = HMAC_K(V || 0x00 || Z0 || 000... || int2octets(x) || 000... || bits2octets(h1)) where '||' denotes concatenation. In other words, we compute HMAC with key K, over the concatenation of the following, in order: the current value of V, a sequence of eight bits of value - 0, random data Z (of the same length as int2octets(x)), a + 0, random data Z0 (of the same length as int2octets(x)), a sequence of zero bits 000..., the encoding of the (EC)DSA private key x, a sequence of zero bits 000..., and the hashed message (possibly truncated and extended as specified by the bits2octets transform). The number of zeroes 000... is chosen so that the - length of (V || 0x00 || Z || 000...) and (int2octets(x) || + length of (V || 0x00 || Z0 || 000...) and (int2octets(x) || 000...) are multiples of the block size of the hash function. The HMAC result is the new value of K. Note that the private key x is in the [1, q-1] range, hence a proper input for int2octets, @@ -503,10 +503,10 @@ d. Set: ~~~~~~~~~~~~~~~~~~~~~~~ f. Set: - K = HMAC_K(V || 0x01 || Z || 000... || int2octets(x) || + K = HMAC_K(V || 0x01 || Z1 || 000... || int2octets(x) || 000... || bits2octets(h1)) - Note that the "internal octet" is 0x01 this time and that Z is + Note that the "internal octet" is 0x01 this time and that Z1 is newly generated random data, i.e., not reused from step (d). ~~~~~~~~~~~~~~~~~~~~~~~
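Review bot: In the first hunk (step d), the explanatory text introduces Z0 only as "random data Z0 (of the same length as int2octets(x))" and does not say that it is generated fresh for each signature or that it is distinct from Z1. With the rename, a reader of step d alone cannot tell why the suffix is there. Suggest stating it at the point of definition, for example "newly generated random data Z0 (of the same length as int2octets(x))", so that the freshness requirement is not carried only by the note in step f.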
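Review bot: In the second hunk (step f), the note still reads "not reused from step (d)" even though the two values now have distinct names, and the visible lines of step f give no length for Z1. Suggest naming the value directly, for example "Z1 is newly generated random data, i.e., Z0 from step (d) is not reused", and stating that Z1 has the same length as int2octets(x), as step d does for Z0. Without the length, the padding rule that makes (V || 0x01 || Z1 || 000...) a multiple of the hash block size is specified only by analogy with step d.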