diff --git a/exam/ex.tex b/exam/ex.tex index 93f3ce5..3324f88 100644 --- a/exam/ex.tex +++ b/exam/ex.tex @@ -290,7 +290,20 @@ at a soundness error of $1/2^{260}$, which is well below the required $1/2^{192}$. - \item \TODO + \item A simulator $\mathcal{S}$ is built as follows: + \begin{itemize} + \item $\mathcal{S}$ starts $\mathcal{V}^*$ with $G_i$ and + $i\in\{0,\dots,2^{130}-1\}$. + \item $\mathcal{S}$ makes a guess $\mathsf{ch}^*$ and calculates + $G'\leftarrow\psi(\phi_{ch^*}^{-1}(G_{ch^*}))$. + \item $\mathcal{S}$ gets a challenge $\mathsf{ch}$ from $\mathcal{V}^*$. + If $\mathsf{ch}=\mathsf{ch}^*$, $\mathcal{S}$ outputs + $(G',\mathsf{ch}^*,\phi_{ch^*}^{-1}\psi)$. If + $\mathsf{ch}\neq\mathsf{ch}^*$, $\mathcal{S}$ rewinds $\mathcal{V}^*$ + and goes to step 2. + \end{itemize} + The simular $\mathcal{S}$ is expected probabilistic polynomial-time with + $2^{130}n$ time and the protocol is zero-knowledge. \item For completeness see 5e.
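Review bot: The closing claim of the added item ("expected probabilistic polynomial-time with $2^{130}n$ time and the protocol is zero-knowledge") does not follow from the construction as written. The guess $\mathsf{ch}^*$ matches a challenge from $\{0,\dots,2^{130}-1\}$ with probability $2^{-130}$, so the expected $2^{130}$ rewinds are polynomial only if $2^{130}$ is treated as a constant, while the context line above relies on that same size for the $1/2^{260}$ soundness error. Suggest stating that assumption explicitly, or weakening the claim (for example to honest-verifier zero-knowledge, where the simulator does not have to guess). In the second step $\mathcal{S}$ computes $\phi_{ch^*}^{-1}$: if the $\phi_i$ are the prover's witness, the simulator must not have access to them, and the step should also say that $\psi$ is sampled uniformly at random. Smaller points: "goes to step 2" refers to a step number inside an itemize, so enumerate would fit better; "simular" should be "simulator"; and the subscripts mix ch^* with \mathsf{ch}^*.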