diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md
index 6db7ed7002..5d073ee6ab 100644
--- a/draft-ietf-quic-tls.md
+++ b/draft-ietf-quic-tls.md
@@ -1211,6 +1211,25 @@ if packet_type == Initial:
 sample = packet[sample_offset..sample_offset+sample_length]
 ~~~
 
+In both above pseudocodes, `packet` designates the entire partially protected
+packet's bytes, with unprotected header fields as its header and the encrypted
+payload, output of the {{!AEAD}} encryption process (see {{aead}}), as its
+payload.
+
+Note that the header protection sampling actually operates on the ciphertext
+only, so the process can be expressed relative to the beginning of the
+encrypted payload as well. The following pseudocode shows how this can be
+achieved, for both short-header and long-header packets:
+
+~~~
+sample_offset = 4 - len(packet_number)
+
+sample = ciphertext[sample_offset..sample_offset+sample_length]
+~~~
+
+where `ciphertext` is the encrypted payload, result of the {{!AEAD}} function
+for the original packet payload, as described in {{aead}}.
+
 
 ### AES-Based Header Protection {#hp-aes}