diff --git a/draft-irtf-cfrg-vdaf.md b/draft-irtf-cfrg-vdaf.md index bcd0e9fb..01782b82 100644 --- a/draft-irtf-cfrg-vdaf.md +++ b/draft-irtf-cfrg-vdaf.md @@ -4562,17 +4562,16 @@ scheme would not allow key rotation over the lifetime of a task. ## Requirements for the Nonce {#nonce-requirements} The sharding and preparation steps of VDAF execution depend on a nonce -associated with the Client's report. To ensure privacy of the underlying -measurement, the Client MUST generate this nonce using a CSPRNG. This is -required in order to leverage security analysis for the privacy definition of -{{DPRS23}}, which assumes the nonce is chosen at random prior to generating the -report. +associated with the Client's report. To leverage the security analysis for the +privacy definition of {{DPRS23}}, which assumes the nonce is chosen at random +prior to generating the report, the client MUST generate this nonce using a +CSPRNG and the aggregators MUST verify that nonces are never re-used. Other security considerations may require the nonce to be non-repeating. For example, to achieve differential privacy it is necessary to avoid "over -exposing" a measurement by including it too many times in a single batch or -across multiple batches. It is RECOMMENDED that the nonce generated by the -Client be used by the Aggregators for replay protection. +exposing" a report by including it too many times in a single batch or across +multiple batches. It is RECOMMENDED that the nonce generated by the Client be +used by the Aggregators for replay protection. ## Requirements for the Aggregation Parameters
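Review bot: The new sentence at the end of the first paragraph ("the aggregators MUST verify that nonces are never re-used") conflicts with the unchanged normative language two paragraphs later, which still says only that it "is RECOMMENDED that the nonce generated by the Client be used by the Aggregators for replay protection"; after this change the second paragraph's opening "Other security considerations may require the nonce to be non-repeating" is also redundant, since non-reuse has just been made a MUST. Pick one requirement level and state it once: either keep the MUST and drop or reword the RECOMMENDED sentence and the "may require" lead-in, or leave replay protection as RECOMMENDED and remove the new MUST clause. The MUST also reads as if aggregator-side uniqueness checking were needed to leverage the {{DPRS23}} privacy analysis, which the surrounding text attributes only to the nonce being chosen at random by the Client; if the replay check is motivated separately (e.g. by the differential-privacy concern in the next paragraph), say so rather than folding it into the same sentence. Minor: the added lines use lowercase "client" and "aggregators" where the rest of the section capitalizes "Client" and "Aggregators".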