diff --git a/draft-irtf-cfrg-vdaf.md b/draft-irtf-cfrg-vdaf.md
index 4e90ad02..8037f15c 100644
--- a/draft-irtf-cfrg-vdaf.md
+++ b/draft-irtf-cfrg-vdaf.md
@@ -2034,6 +2034,9 @@ def decode_from_bit_vec(cls, vec: list[Self]) -> Self:
 """
 Decode the field element from the bit representation, expressed as a vector of field elements `vec`.
+
+ This may also be used with secret shares of a bit representation,
+ since it is linear.
 """
 bits = len(vec)
 if cls.MODULUS >> bits == 0:
@@ -3903,6 +3906,12 @@ The circuit uses the polynomial-evaluation gadget `PolyEval` specified in
 if and only if `x` is in the range `[0, 2)`. The complete circuit is specified below:
+Note that decoding a sequence of bits into an integer is a linear operation,
+specifically, a linear combination with a sequence of powers of two, so it can
+be done within a validity circuit using "free" affine gates. Furthermore,
+decoding secret shares of a bit-encoded integer will produce secret shares of
+the original integer.
+
 ~~~
 class Sum(Valid[int, int, F]):
 GADGETS: list[Gadget[F]] = [PolyEval([0, -1, 1])]
diff --git a/poc/vdaf_poc/field.py b/poc/vdaf_poc/field.py
index 3774ce4a..a33df0b3 100644
--- a/poc/vdaf_poc/field.py
+++ b/poc/vdaf_poc/field.py
@@ -103,6 +103,9 @@ def decode_from_bit_vec(cls, vec: list[Self]) -> Self:
 """
 Decode the field element from the bit representation, expressed as a vector of field elements `vec`.
+
+ This may also be used with secret shares of a bit representation,
+ since it is linear.
 """
 bits = len(vec)
 if cls.MODULUS >> bits == 0:
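Review bot: The sentence added to the `decode_from_bit_vec` docstring in poc/vdaf_poc/field.py (and its identical copy in the draft's listing) says the method may be applied to secret shares, but it omits the condition under which the result is a share of an in-range integer. A single share vector cannot be checked locally for holding only 0/1 values, so linearity alone does not give a range guarantee; each underlying entry still has to be proven to be a bit elsewhere. I would extend the docstring with something like `When applied to shares, the output is not range-checked: the caller must separately enforce that every shared entry is a bit (e.g. in the validity circuit).` The method body continues outside the hunk, so this assumes the decode is a plain linear combination with no per-element check; the visible `cls.MODULUS >> bits == 0` test only constrains the vector length.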