diff --git a/exam/ex.tex b/exam/ex.tex index 8e23599..fe92231 100644 --- a/exam/ex.tex +++ b/exam/ex.tex @@ -122,7 +122,12 @@ (without the counter) is at most 102 bits long which gives a maximum message length of $102\cdot (2^{26}-2) = \unit[6845103924]{bits}$. - \item \TODO + \item $\widetilde{E}$ should behave like a pseudorandom permutation in order + to be able to prove the security of $\mathsf{CrAp}$. If it does not, a + distinguisher is able to gain a significant advantage because the block + cipher does not actually generate \emph{random} outputs. Further, if the + security of the underlying primitive is broken, the whole scheme falls + apart. \item \TODO
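Review bot: In the added `\item`, the justification "because the block cipher does not actually generate \emph{random} outputs" is imprecise. A pseudorandom permutation never produces truly random outputs; the requirement is that, under a secret uniformly chosen key, $\widetilde{E}$ is computationally indistinguishable from a random permutation. I would state the answer as the reduction it relies on: any distinguisher against $\mathsf{CrAp}$ with non-negligible advantage yields a distinguisher against $\widetilde{E}$ with related advantage, so the proof only goes through under the PRP assumption. Use "non-negligible" rather than "significant", since the latter has no defined meaning in this setting. The closing sentence ("if the security of the underlying primitive is broken, the whole scheme falls apart") repeats the same point without adding an argument and could be merged into the previous one or dropped. The hunk does not show how $\widetilde{E}$ is defined; if the tilde marks a tweakable block cipher, the assumption should be named accordingly (tweakable PRP) rather than plain PRP.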