diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index 5e8f03921..ccdc54444 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -58,7 +58,8 @@
 \usetikzlibrary{calc}
 \usepackage{eurosym}
 \usepackage[T1]{fontenc}
-
+\usepackage{verbatim}
+\usepackage[utf8]{inputenc}
 
 % Copyright
 %\setcopyright{none}
@@ -1868,6 +1869,16 @@ data being persisted are represented in between $\langle\rangle$.
   \item[$\overline{C^{(i)}_p}$]{Public coin keys computed from $\overline{c_s^{(i)}}$ by the verifier}
 \end{description}
 
+\newpage
+\onecolumn
+\section{Supplemental: Reviews and Responses from Financial Cryptography}
+
+\subsection{FC 2016}
+\verbatiminput{taler_FC2016.txt}
+
+\subsection{FC 2017}
+\verbatiminput{taler_FC2017.txt}
+
 \end{document}
 
 
diff --git a/doc/paper/taler_FC2017.txt b/doc/paper/taler_FC2017.txt
index de1c64a30..66f8560ad 100644
--- a/doc/paper/taler_FC2017.txt
+++ b/doc/paper/taler_FC2017.txt
@@ -21,7 +21,7 @@ be insecure.
 > We added a section with proofs
 
 I find two (possible) attacks against the refresh protocol. As the
-exchange does not check the validity of the public key Cp′ , the attacker can
+exchange does not check the validity of the public key Cp', the attacker can
 send an arbitrary public key to the exchange that will accept, and obtain a
 fresh coin. The attacker can spend partially a coin multiple times via
 refreshing the coin and obtaining a fresh coin in turn, as the refresh protocol