diff --git a/draft-irtf-cfrg-aegis-aead.md b/draft-irtf-cfrg-aegis-aead.md
index 177757a..70553aa 100644
--- a/draft-irtf-cfrg-aegis-aead.md
+++ b/draft-irtf-cfrg-aegis-aead.md
@@ -348,7 +348,7 @@ Primitives:
 - `LE64(x)`: the little-endian encoding of unsigned 64-bit integer `x`.
 - `ZeroPad(x, n)`: appends zeros to `x` until its length is a multiple of `n` bits. No padding is added if `x` is already a multiple of `n` bits, including when `x` is empty.
 - `Truncate(x, n)`: returns the first `n` bits of `x`.
-- `Split(x, n)`: splits `x` into `n`-bit blocks, ignoring partial blocks.
+- `Split(x, n)`: returns` x` split into `n`-bit blocks, ignoring partial blocks.
 - `Tail(x, n)`: returns the last `n` bits of `x`.
 - `AESRound(in, rk)`: a single round of the AES encryption round function, which is the composition of the `SubBytes`, `ShiftRows`, `MixColums`, and `AddRoundKey` transformations, as defined in Section 5 of {{FIPS-AES}}. Here, `in` is the 128-bit AES input state, and `rk` is the 128-bit round key.
 - `Repeat(n, F)`: `n` sequential evaluations of the function `F`.
@@ -495,6 +495,7 @@ expected_tag = Finalize(|ad|, |msg|)
 
 if CtEq(tag, expected_tag) is False:
     erase msg
+    erase expected_tag
     return "verification failed" error
 else:
     return msg
@@ -831,6 +832,7 @@ expected_tag = Finalize(|ad|, |msg|)
 
 if CtEq(tag, expected_tag) is False:
     erase msg
+    erase expected_tag
     return "verification failed" error
 else:
     return msg
@@ -1129,6 +1131,7 @@ expected_tag = Finalize(|ad|, |msg|)
 
 if CtEq(tag, expected_tag) is False:
     erase msg
+    erase expected_tag
     return "verification failed" error
 else:
     return msg