diff --git a/proofreading/draft-irtf-cfrg-aegis-aead.html b/proofreading/draft-irtf-cfrg-aegis-aead.html index 9016000..e58db6b 100644 --- a/proofreading/draft-irtf-cfrg-aegis-aead.html +++ b/proofreading/draft-irtf-cfrg-aegis-aead.html @@ -3633,7 +3633,7 @@

10.2. Implementation Security

-

If tag verification fails, the unverified plaintext and computed authentication tag MUST NOT be released. As shown in [VV18], even a partial leak of the plaintext without verification would facilitate chosen ciphertext attacks.

+

If tag verification fails, the unverified plaintext and computed authentication tag MUST NOT be released. As shown in [VV18], even a partial leak of the plaintext without verification facilitates chosen ciphertext attacks.

The security of AEGIS against timing and physical attacks is limited by the implementation of the underlying AESRound function. Failure to implement AESRound in a fashion safe against timing and physical attacks, such as differential power analysis, timing analysis, or fault injection attacks, may lead to leakage of secret key material or state information. The exact mitigations required for timing and physical attacks depend on the threat model in question.

Regardless of the variant, the key and nonce are only required by the Init function; other functions only depend on the resulting state. Therefore, implementations can overwrite ephemeral keys with zeros right after the last Update call of the initialization function.
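Review bot: the switch from "would facilitate" to "facilitates" in the + line is the right register for a normative section (it states a consequence, not a hypothetical), but the MUST NOT sentence it belongs to still says nothing about how the tag check itself is performed, and the following paragraph scopes timing concerns only to AESRound. Consider extending the sentence, e.g. "... MUST NOT be released, and the computed tag MUST be compared to the received tag in constant time", so the verification step is covered by the same implementation-security guidance as the round function.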

diff --git a/proofreading/draft-irtf-cfrg-aegis-aead.txt b/proofreading/draft-irtf-cfrg-aegis-aead.txt index edc7166..640af2c 100644 --- a/proofreading/draft-irtf-cfrg-aegis-aead.txt +++ b/proofreading/draft-irtf-cfrg-aegis-aead.txt @@ -1905,8 +1905,8 @@ return tag If tag verification fails, the unverified plaintext and computed authentication tag MUST NOT be released. As shown in [VV18], even a - partial leak of the plaintext without verification would facilitate - chosen ciphertext attacks. + partial leak of the plaintext without verification facilitates chosen + ciphertext attacks. The security of AEGIS against timing and physical attacks is limited by the implementation of the underlying AESRound function. Failure
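Review bot: the re-wrapped + line ("partial leak of the plaintext without verification facilitates chosen") is 69 characters before indentation, which puts it right at the txt rendering's column limit once the paragraph indent is added; confirm this line was produced by the same formatter as the rest of the file rather than wrapped by hand, so a later regeneration does not reflow the paragraph differently. If both the .html and .txt files are rendered from a common draft source, that source needs the same "facilitates" edit, otherwise the next build will revert this hunk and the html hunk above.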