diff --git a/exam/ex.tex b/exam/ex.tex index 132a3a2..ccc730c 100644 --- a/exam/ex.tex +++ b/exam/ex.tex @@ -332,7 +332,24 @@ Futhermore, the commitment is also not vulnerable to dictionary attacks, as is common with stored password hashes on the server's side. - \item \TODO + \item The signer calculates a commitment with a predefined soundness error. + Then the signer calculates the challenge by taking the hash of the message + to be signed and the commitment. Afterwards, it will run the protocol + again and calculate a response for the created challenge (hash) and the + commitment. The signature is a tuple of the commitment and the response. + + The verifier can calculate the challenge on its own from the message and + the commitment and then verifies that the response matches the commitment + for that challenge. If it does, the signature is valid, otherwise it is + invalid. + + The signature is $\mathsf{EUF}$-$\mathsf{CMA}$ secure if + $\mathsf{ID}_{\mathrm{CGI2}}$ satisfies special soundness and honest + verifier zero-knowledge, which it does. Futhermore, it is secure if the + attacker has a negligible probability of finding a valid signature for a + message which has not been queried before. This rests on the fact that + finding an isomorphism for a specific commitment and challenge which + matches the response is hard. \item \TODO
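Review bot: The last added paragraph is circular where it says "Futhermore, it is secure if the attacker has a negligible probability of finding a valid signature for a message which has not been queried before": that is the definition of $\mathsf{EUF}$-$\mathsf{CMA}$ itself, not a second condition. Suggest rephrasing it as what the notion means, and stating that the hash is modelled as a random oracle if that is the setting intended. In the first added paragraph, "it will run the protocol again and calculate a response" reads as if a fresh commitment is drawn for the response; the response has to be computed for the same commitment that went into the hash, so drop "run the protocol again". "Calculates a commitment with a predefined soundness error" attaches the soundness error to the commitment rather than to the identification protocol; if parallel repetition up to a target soundness error is meant, say so. Typo: "Futhermore" should be "Furthermore" in the added line (the unchanged context line at the top of the hunk has the same typo).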