diff --git a/protocols/BTP.md b/protocols/BTP.md index 1fe9efa2f7692c554a752399bcf7d96717062599..75565f2f80b125bec7516f853407f0fbfc1ec810 100644 --- a/protocols/BTP.md +++ b/protocols/BTP.md @@ -204,17 +204,21 @@ The tag for the i<sup>th</sup> stream from a given sender to a given recipient i ### 3.2 Stream Headers -The pseudo-random tag is followed by the stream header, which consists of a true random **initialisation vector (IV)** followed by a symmetric **ephemeral cipher key.** +The pseudo-random tag is followed by the stream header, which consists of a true random **initialisation vector (IV)** followed by a symmetric **ephemeral cipher key.** The IV is IV\_LEN bytes long, where IV\_LEN = NONCE\_LEN - 8. -The ephemeral cipher key is encrypted and authenticated with the sender's outgoing header key, using the random IV as the nonce. The ephemeral cipher key is used for encrypting and authenticating the rest of the stream. +The ephemeral cipher key is encrypted and authenticated with the sender's outgoing header key, using a nonce consisting of the stream number as a 64-bit integer followed by the IV. The ephemeral cipher key is used for encrypting and authenticating the rest of the stream. -The stream header is NONCE\_LEN + KEY\_LEN + AUTH\_LEN bytes long. +The stream header is IV\_LEN + KEY\_LEN + AUTH\_LEN bytes long. The stream header is composed as follows: -- stream\_iv = R(NONCE\_LEN) +- stream\_iv = R(IV\_LEN) -- stream\_header = stream\_iv || ENC(outgoing\_header\_key, stream\_iv, ephemeral\_cipher\_key) +- stream\_header\_nonce = int(stream\_number) || stream\_iv + +- stream\_header = stream\_iv || ENC(outgoing\_header\_key, stream\_header\_nonce, ephemeral\_cipher\_key) + +The random IV ensures that if a stream number is accidentally reused, the nonces will be different. IV\_LEN must be large enough to ensure that two random IVs are different with high probability. (*Note:* In the current version of the protocol, IV\_LEN = 16.) ### 3.3 Frames
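Review bot: The new pseudo-code line `stream\_header\_nonce = int(stream\_number) || stream\_iv` leaves the encoding of `int(stream\_number)` unspecified, while the prose above it says "the stream number as a 64-bit integer" and the derived `IV\_LEN = NONCE\_LEN - 8` only holds for exactly 8 bytes. Unless `int()` is defined elsewhere in the document with a fixed width and byte order, state both here (for example "the stream number as an unsigned 64-bit big-endian integer"), since two implementations that disagree on width or endianness will derive different nonces and fail to authenticate each other's headers. It would also help to say explicitly that `stream\_number` is the same counter `i` used to derive the tag in the preceding section, so readers do not assume a second, independently maintained counter. Finally, the added paragraph on accidental stream-number reuse relies entirely on `stream\_iv` being drawn from `R()`, a true random source, so a brief cross-reference to that requirement (and to the header key being changed before the counter could wrap) would make the nonce-uniqueness argument complete.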