diff --git a/index.md b/index.md
index 779f5c5..6198a63 100644
--- a/index.md
+++ b/index.md
@@ -784,7 +784,7 @@ where the padding string `PS` must consist of at least eight 0xff bytes. Given S
designation of SHA-1 another 15, this all leads to a minimum RSA modulus length of 20+15+3+8=46 bytes or 368 bits.
This length of RSA moduli is rather difficult to work with, so I implemented this challenge by allowing the padding string
`PS` to consist of two rather than 8 0xff bytes. This reduces the overhead of PKCS#1 padding with SHA-1 to
-20+15+3+2=40 bytes, implying the minimum RSA modulus is 320 bits.
+20+15+3+2=40 bytes, implying a minimum RSA modulus of 320 bits.
I ended up writing [quite a bit of concurrent code](https://github.com/ilchen/cryptopals/blob/master/src/main/java/com/cryptopals/Set8.java#L539-L605)
to tackle this, and pre-calculated all small primes less than 220
@@ -802,7 +802,8 @@ After that I calculate ep=logs(pad(m)) mod p and eq=logs(p
Pohlig-Hellman and J.M. Pollard's Lambda Method](https://github.com/ilchen/cryptopals/blob/master/src/main/java/com/cryptopals/Set8.java#L485-L530) using a technique from [Challenge 59](https://toadstyle.org/cryptopals/58.txt).
To make Pollard's Lambda Method tractable I ensured that the product
of all prime factors for each of `p-1` and `q-1` is at least 3700000000000000000000000000000000. I arrived at this
-number heuristically, for DLogs whose prime is around 160 bits long Pollard's Lambda Method works reasonably fast.
+number heuristically, for DLogs in a group whose prime is around 160 bits long Pollard's Lambda Method works reasonably fast.
+For smaller moduli I divide it by 20.7·(320 - RSA_Modulus_bit_length).
The following part of the problem description deserves a word of caution
> 4\. Use the Chinese Remainder Theorem to put ep and eq together:
@@ -820,15 +821,15 @@ in Section 4.1 of [this paper](http://mpqs.free.fr/corr98-42.pdf) to correctly t
One interesting nuance that @spdevlin doesn't explain is why the forged `e` is a valid RSA exponent. We made sure that
we found two suitable smooth primes `p` and `q`. You will recall that one of the conditions for candidate primes was
-that both `s` and `pad(m)` be generators of the entire Zp* and Zq* groups
-(i.e. that they are both primitive roots of Zp* and Zq* respectively):
+that both `s` and `pad(m)` be generators of the entire Zp\* and Zq\* groups
+(i.e. that they are both primitive roots of Zp\* and Zq\* respectively):
> s shouldn't be in any subgroup that pad(m) is not in. If it is,
the discrete logarithm won't exist. The simplest thing to do is
make sure they're both primitive roots.
-This implies that `ep` (in `s^ep = pad(m) mod p`) is relatively prime with `p-1` — the order of Zp* .
+This implies that `ep` (in `s^ep = pad(m) mod p`) is relatively prime with `p-1` — the order of Zp\*.
Analogously `eq` is relatively prime with `q-1`. This, in turn, implies that `e` is relatively prime with `(p-1)·(q-1)` the order
-of group ZN* and hence a valid RSA exponent.
+of group ZN\* and hence a valid RSA exponent.
Thwarting DSKS attacks is trivial, the signer needs to attach their public key to the message before signing it. While
the verifier should do an extra check to ensure the public key they use to verify corresponds to the one added
@@ -851,7 +852,7 @@ for encryption adds randomness so that padding the same plaintext message twice
of this operation `forgedPadm`. This will play the role of a forged plaintext.
4. Encrypting `padm` using `legitRsa` public key. Let's call the result of this operation `cTxt`
5. Searching for an RSA key-pair of approximately the same size as the modulus of `legitRsa` and for which the following equation
-holds: $cTxt^{forgedD}=forgedPadm (mod forgedN)$ .
+holds: cTxt^forgedD≡forgedPadm (mod forgedN).
Where `forgedD` is the private key of the forged RSA key-pair and
`forgedN` is its RSA modulus. This search is done in exactly the same way as for the DSKS attack on RSA earlier in this challenge.