diff --git a/Bibliography.md b/Bibliography.md
index 8509ea2..9091cd4 100644
--- a/Bibliography.md
+++ b/Bibliography.md
@@ -28,7 +28,7 @@ Here are some papers that are potentially of interest.
 
 [Hash-based Digital Signature Schemes](http://www.cdc.informatik.tu-darmstadt.de/~dahmen/papers/hashbasedcrypto.pdf) by Buchmann, Dahmen, and Szydlo; A survey of why it might be a good idea.
 
-[Merkle Signatures with Virtually Unlimited Signature Capacity](http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=8AC81C407AA3CBF35093032BD01F3085?doi=10.1.1.95.1374&rep=rep1&type=pdf) by Buchmann, Dahmen, Klintsevich, Okeya, and Vuillaume; includes treating the parameters as an optimization problem and solving it with various weights or constraints to find various good settings for the parameters
+[Merkle Signatures with Virtually Unlimited Signature Capacity](http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=8AC81C407AA3CBF35093032BD01F3085?doi=10.1.1.95.1374&rep=rep1&type=pdf) by Buchmann, Dahmen, Klintsevich, Okeya, and Vuillaume; includes treating the parameters as an optimization problem and solving it with various weights or constraints to find various good settings for the parameters. Unfortunately their weights and constraints are different from hours: they thought it was fine to let key generation time take tens of hours! We want key generation time to be as few milliseconds as possible. A good rule of thumb for us would probably be to make key-generation time, signing time, and verification time all be about equal.
 
 [Fast Hash-Based Signatures on Constrained Devices](https://www.minicrypt.cdc.informatik.tu-darmstadt.de/reports/reports/REDBP08.pdf) by Rohde, Eisenbarth, Dahmen, Buchmann, and Paar; a case study of implementing hash-based digital signatures for a 8-bit microcontroller. Their implementation had some trade-offs that we wouldn't want: it is a "key-evolving" design (the signer has to maintain state in order to avoid a security failure), it can only handle a limited number of signatures, and they spent a lot of time in key generation. Hm, they don't say how long key-generation took in this paper—only that it took so long that they had to run it on a PC instead of on their microcontroller. In [Signatures with Virtually Unlimited Signature Capacity]Merkle, the key-generation took tens of hours on a PC!!! On the other hand, they do show a digital signature scheme which is faster at signing and verifying and is also arguably safer than RSA or ECDSA on their 8-bit microcontroller.