Overall
-------

This is a tutorial paper that presents a portion of the paper by Naor
et al by explicitly explaining and clarifying some of the implicit
deductions made in the original paper.  It does a very good job of
this task. The paper will be much improved if it (a) relates this
paper to the other papers, and (b) explains why the results are
useful.
	
Technical
---------
- A survey should ideally cover more than one source.  You can do this
  by, e.g.,
  - in page 3, instead of referring the reader to "see an example from [3]"
    explain the example.
  - manual channel message authentication protocols in [2] and [4] are
    different from this protocol in many respects (2-rounds
    vs. k-rounds; use of commitments vs. use of a series of "hash"
    functions with increasingly shorter range). Explain (or at least
    give an intuition) as to how the bounds proven for the protocol in this
    paper relate to those protocols.
  - in page 6, your refer to a claim in [4] that seems to suggest that
    the protocol in this paper is more secure?  Is that so?  Explain
    the intuition (and the details).
    
- Can you explain how this protocol could be instantiated in practice?
  E.g., could the C*j_k(m) functions be realized by message
  authentication functions (like HMAC-SHA) whose output is truncated
  to the right length?

  Again, you can compare such a practical instantiation with practical
  realizations of the protocols in [2] and [4].
    
- In Section 3, Lemma 1, why are cases 1 and 3 relevant/interesting?
  Intuitively, it seems like the best strategy for the attacker is
  case 2.    
 
Editorial
---------

page 2, column 1
- s/e/\epsilon/
- s/adversary's forgery probability/
    upper bound for adversary's forgery probability

page 2, Figure 1    
- Figure 1 caption is far too long
- Explain that Figure 1 is the protocol P_k    

page 3, column 1
- explain what is "Protocol P_k" before referring to it (see above)

page 3, column 2
- s/choosed/chose/