diff --git a/bip-0047.mediawiki b/bip-0047.mediawiki index c8397a7d..8247e001 100644 --- a/bip-0047.mediawiki +++ b/bip-0047.mediawiki @@ -99,11 +99,13 @@ Prior to the first time Alice initiates a transaction to Bob, Alice MUST inform ## Alice selects the private key corresponding to the first exposed public key, of the first pubkey-exposing input, of the transaction:
a## Alice selects the public key associated with Bob's notification address:
B, where B = bG## Alice calculates a secret point:
S = aB-## Alice expresses the secret point in compressed DER format, then calculates a scalar shared secret:
s = SHA256(S)+## Alice calculates a 64 byte blinding factor:
s = HMAC-SHA512(x, o)+### "x" is the x value of the secret point +### "o" is the outpoint being spent by the first pubkey-exposing input of the transaction. # Alice serializes her payment code in binary form. -# Alice renders her payment code (P) unreadable to anyone except Bob by: -## Replace the x value with x':
x' = s XOR (x value)-## Replace the chain code with c':
c' = sha256(s) XOR (chain code)+# Alice renders her payment code (P) unreadable to anyone except Bob: +## Replace the x value with x':
x' = x XOR (first 32 bytes of s)+## Replace the chain code with c':
c' = c XOR (last 32 bytes of s)# Alice adds an OP_RETURN output to her transaction which consists of P.
A, where A = aG## Bob selects the private key associated with his notification address:
b## Bob calculates a secret point:
S = bA-## Bob expresses the secret point in compressed DER format, then calculates a scalar shared secret:
s = SHA256(S)+## Bob calculates the binding factor:
s = HMAC-SHA512(x, o)+### "x" is the x value of the secret point +### "o" is the outpoint being spent by the first pubkey-exposing input of the transaction. ## Bob interprets the 80 byte payload as a payment code, except: -### Replace the x value with x':
x' = s XOR (x value)-### Replace the chain code with c':
c' = sha256(s) XOR (chain code)+### Replace the x value with x':
x' = x XOR (first 32 bytes of s)+### Replace the chain code with c':
c' = c XOR (last 32 bytes of s)## If the updated x value is a member of the secp256k1 group, the payment code is valid. ## If the updated x value is not a member of the secp256k1 group, the payment code is ignored. @@ -138,7 +142,7 @@ Bitcoins received via notification transactions require special handling in orde ## Alice selects the next unused public key derived from Bob's payment code, starting from zero:
B, where B = bG### The "next unused" public key is based on an index specific to the Alice-Bob context, not global to either Alice or Bob ## Alice calculates a secret point:
S = aB-## Alice expresses the secret point in compressed DER format, then calculates a scalar shared secret:
s = SHA256(S)+## Alice calculates a scalar shared secret using the x value of S:
s = SHA256(Sx)### If the value of s is not in the secp256k1 group, Alice MUST increment the index used to derive Bob's public key and try again. ## Alice uses the scalar shared secret to calculate the ephemeral public key used to generate the P2PKH address for this transaction:
B' = B + sG
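Review bot: In the first hunk, `s = HMAC-SHA512(x, o)` does not say which argument is the HMAC key and which is the message, nor how either is serialized, and the two sides of the protocol must agree on both bit-for-bit or Bob's unblinding fails. The sub-bullets only say "x" is the x value of the secret point and "o" is the outpoint being spent, so please state explicitly, for example, that "x" is the 32-byte big-endian x coordinate, that "o" is the outpoint serialized as it appears in the transaction input (36 bytes: txid followed by the 4-byte index), and whether the outpoint is the key and the x value is the message or the reverse; the same wording should then be used on both Alice's and Bob's side. While there, Bob's line reads "Bob calculates the binding factor" where Alice's reads "blinding factor"; "binding" looks like a typo and should be "blinding" so the two sides name the same quantity.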
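Review bot: In the second hunk, the retained context line "If the value of s is not in the secp256k1 group, Alice MUST increment the index" is imprecise now that the new line defines `s = SHA256(Sx)` as a scalar: a scalar is not a member of the group, and the actual requirement for `B' = B + sG` to be usable is that `s` be a valid private key, i.e. 0 < s < n where n is the curve order. Suggest rewording to something like "If s is not a valid secp256k1 scalar (0 < s < n), Alice MUST increment the index used to derive Bob's public key and try again." The new notation `Sx` is also introduced here without definition, while the first hunk describes the same quantity in prose as "the x value of the secret point"; define `Sx` once (including that it is the 32-byte big-endian x coordinate) and use it consistently in both sections.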