diff --git a/exam/ex.tex b/exam/ex.tex
index ad85d18..c9f5802 100644
--- a/exam/ex.tex
+++ b/exam/ex.tex
@@ -193,7 +193,14 @@
       Finding a minimum-weight solution to $s=zH$ given $s$ and $H$ is
       $\mathsf{NP}$-hard.
 
-    \item \TODO
+    \item The private key in LEDAcrypt consists of two binary matrices $Q$ and
+      $H$. The public key is constructed from the matrix $L=Q\cdot H$. The
+      security of the scheme relies on the fact that obtaining the original
+      information from a perturbed codeword is hard unless the factorization of
+      the public key ($Q\cdot H$) is known. If the aforementioned problem of
+      decoding linear codes has a polynomial-time solution, an attacker will
+      also easily be able to obtain the factorization of the public key. If that
+      was possible, the scheme would be broken.
 
     \item \TODO