diff --git a/draft-irtf-cfrg-vdaf.md b/draft-irtf-cfrg-vdaf.md index 546858a7..84301347 100644 --- a/draft-irtf-cfrg-vdaf.md +++ b/draft-irtf-cfrg-vdaf.md @@ -3179,7 +3179,7 @@ encryption of it. Validity is defined in terms of an arithmetic circuit evaluated over the measurement. The inputs to this circuit are elements of a finite field that comprise the encoded measurement; the gates of the circuit are multiplication, -addition, and negation operations; and the output of the circuit is a single +addition, and subtraction operations; and the output of the circuit is a single field element. If the value is zero, then the measurement is deemed valid; otherwise, if the output is non-zero, then the measurement is deemed invalid. @@ -3190,18 +3190,17 @@ For example, the simplest circuit specified in this document is the following C(x) = x * (x-1) ~~~ -This circuit contains one negation gate (`-1`), one addition gate (`x + (-1)`), -and one multiplication gate (`x * (x + (-1))`). Observe that `C(x) = 0` if and -only if `x in range(2)`. +This circuit contains one subtraction gate (`x -1`) and one multiplication +gate (`x * (x -1)`). Observe that `C(x) = 0` if and only if `x in range(2)`. Our goal is to allow each Aggregator, who holds a secret share of `x`, to correctly compute a secret share of `C(x)`. This allows the Aggregators to determine validity by combining their shares of the output. Suppose for a moment that the validity circuit `C` is affine, meaning its only -operations are negation, addition, and multiplication-by-constant. (The circuit -above is non-affine because it contains a multiplication gate with non-constant -inputs.) Then each Aggregator can compute its share locally, since +operations are addition, subtraction, and multiplication-by-constant. (The +circuit above is non-affine because it contains a multiplication gate with +non-constant inputs.) Then each Aggregator can compute its share locally, since ~~~ C(x_shares[0] + ... + x_shares[SHARES-1]) =
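Review bot: in the first hunk (@@ -3179,7 +3179,7 @@), the sentence right after the changed gate list says "If the value is zero" and then "if the output is non-zero", so the same field element is called two different things. Since this paragraph is being touched anyway, consider "If the output is zero" so both branches use the term introduced by "the output of the circuit is a single field element".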
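Review bot: in the second hunk (@@ -3190,18 +3190,17 @@), the new gate descriptions are written `x -1` and `x * (x -1)`, which can be read as `x` followed by the constant `-1` and do not match the spacing of `C(x) = x * (x-1)` in the block just above. Suggest `x - 1` and `x * (x - 1)`, or `x-1` throughout. Separately, the subtraction gate in this example takes the constant `1` as an operand, while the affine definition in the same hunk lists "addition, subtraction, and multiplication-by-constant" without saying that addition and subtraction gates may take constant inputs. A short clause stating that would make it clear the example's subtraction gate falls on the affine side and only the multiplication gate does not.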