| field | value | date |
|---|---|---|
| author | Dennis Brentjes <dennis@brentj.es> | 2018-08-18 14:14:55 +0200 |
| committer | Dennis Brentjes <dennis@brentj.es> | 2018-09-02 21:56:20 +0200 |
| commit | 1e316c9a7437580f499453cdafbb0c7433a46b88 (patch) | |
| tree | 918079a02069294d7043412280e95a003de464f0 /content/cmix_additions.tex | |
| parent | 23968a760efa6e03e8d47fbff108ec5aae010fe3 (diff) | |
| download | thesis-1e316c9a7437580f499453cdafbb0c7433a46b88.tar.gz, thesis-1e316c9a7437580f499453cdafbb0c7433a46b88.tar.bz2, thesis-1e316c9a7437580f499453cdafbb0c7433a46b88.zip | |
Processes review comments.
Diffstat (limited to 'content/cmix_additions.tex')
| -rw-r--r-- | content/cmix_additions.tex | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/content/cmix_additions.tex b/content/cmix_additions.tex index ee7edb6..a9675a9 100644 --- a/content/cmix_additions.tex +++ b/content/cmix_additions.tex 
@@ -1,12 +1,12 @@ \section{\cmix additions} \label{sec:cmixaddtions} -So the base protocol still has some issues\cite{galteland2016attacks}, thankfully these issues can be addressed at the cost of some speed and clarity. Because it would not be safe to use \cmix in the wild without these attack mitigations. This implementation adds the extra messages needed as this results in a more realistic benchmark. +The base protocol still has some issues\cite{galteland2016attacks}, thankfully these issues can be addressed at the cost of some speed and clarity. Because it would not be safe to use \cmix in the wild without these attack mitigations. This implementation adds the extra messages needed as this results in a more realistic benchmark. \subsection{Tagging attack} \label{sec:tagging} -In a tagging attack an adversary changes a message slightly in such a way that it can later detect and reverse the change. Detection to be able to track a message even though it has been permuted. Reversible because the adversary needs to stay undetected. The easiest variant; when a malicious person had control over the last node. +In a tagging attack an adversary changes a message slightly in such a way that it can later detect and reverse the change. Detection to be able to track a message even though it has been permuted. Reversible because the adversary needs to stay undetected. The easiest variant; when a malicious person had control over the last node. This type of attack and the mitigation being discussed here were found and explained in \cite{galteland2016attacks} When you control the last node you can change the output of realtime precomputation phase slightly. You can do this by slightly changing your value of $r$ one slot of the input. You either combine the input with $r * i$, for cyclic group ElGamal, or $r + p$, for elliptic curve implementations. After all the realtime computations are done you have the plaintexts that you want to send to their destination. 
If you can verify that one of the outputs is not valid, it probably is the value you modified with either $i$ or $p$. Now you know the slot this value used to be in and you can reverse your tag by doing the reverse operation. This is undetectable by other nodes or any client and thus compromises the network. Note that no node in \cmix is special. The claim is that when all but one node is compromised the network should still function as intended and keep your transmissions anonymous. -To stop this attack we need to change the protocol slightly. First we need to change the third step of the precomputation phase. Instead of sending the decryption shares of each node to the next, we send a hash, a commitment to our decryption shares. The nodes keep the decryption shares to themselves, and will use them separately in the realtime phase. The last node also includes a hash of the current mix result. So the hash of the decryption of formula \ref{form:EPiRS}. This makes that an adversary can no longer tamper with the $r$ values in the realtime phase, which means an attacker can no longer apply the tag without being detectable by other nodes. +To stop this attack we need to change the protocol slightly as described in. First we need to change the third step of the precomputation phase. Instead of sending the decryption shares of each node to the next, we send a hash, a commitment to our decryption shares. The nodes keep the decryption shares to themselves, and will use them separately in the realtime phase. The last node also includes a hash of the current mix result. So the hash of the decryption of formula \ref{form:EPiRS}. This makes that an adversary can no longer tamper with the $r$ values in the realtime phase, which means an attacker can no longer apply the tag without being detectable by other nodes. |
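Review bot: the rewritten mitigation sentence now ends with a dangling reference, "To stop this attack we need to change the protocol slightly as described in." followed directly by the full stop, so the reader is never told where the mitigation is described; since the same hunk attributes both the attack and the mitigation to \cite{galteland2016attacks}, the sentence should read "... change the protocol slightly as described in \cite{galteland2016attacks}." Two smaller points in the same hunk: the added sentence "This type of attack and the mitigation being discussed here were found and explained in \cite{galteland2016attacks}" is missing its terminating period before "When you control the last node ...", and the opening paragraph still carries the comma splice "some issues\cite{galteland2016attacks}, thankfully these issues ..." plus a missing space before the \cite, which the first changed line could fix at the same time (e.g. "The base protocol still has some issues \cite{galteland2016attacks}. Thankfully these issues can be addressed ...").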
