diff --git a/Bibliography.md b/Bibliography.md
index 2b3b6dd..f02cf9a 100644
--- a/Bibliography.md
+++ b/Bibliography.md
@@ -23,7 +23,11 @@ Here are some papers that are potentially of interest.
 
 ### Public Key Cryptography
 
-[Efficient Signature Schemes with Tight Reductions to the Diffie-Hellman Problems](http://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf) Scheme 1 in this paper comes with a tight reduction to the Computational Diffie-Hellman problem, which means it is definitely at least as secure as any discrete-log-based scheme and could be more secure. It also has a good pedigree (having been suggested by David Chaum et al. in 1989 and having been proven to tightly reduce to Computational Diffie-Hellman by Katz et al. in 2003). It also has a nice short public key, which could be good for fitting it into our capability security schemes.
+#### Hash-Based Digital Signatures
+
+[Hash-based Digital Signature Schemes](http://www.cdc.informatik.tu-darmstadt.de/~dahmen/papers/hashbasedcrypto.pdf) by Buchmann, Dahmen, and Szydlo; A survey of why it might be a good idea.
+
+[Fast Hash-Based Signatures on Constrained Devices](https://www.minicrypt.cdc.informatik.tu-darmstadt.de/reports/reports/REDBP08.pdf) by Rohde, Eisenbarth, Dahmen, Buchmann, and Paar; a case study of implementing hash-based digital signatures for a 8-bit microcontroller. Their implementation had some trade-offs that we wouldn't want: it is a "key-evolving" design (the signer has to maintain state in order to avoid a security failure), it can only handle a limited number of signatures, and they spent a lot of time in key generation. Hm, I can't find this in their paper now, but I thought that last time I read it I saw that they spent more than an hour (!!) generating each key on a PC! On the other hand, the result is a digital signature scheme which is faster and arguably safer than RSA or ECDSA on their 8-bit microcontroller. 
 
 ### Elliptic Curve Cryptography
 
@@ -80,6 +84,12 @@ See also our [RelatedProjects page](RelatedProjects).
 
 These are some references which are less interesting or relevant than the ones above.
 
+### Public Key Cryptography
+
+[Efficient Signature Schemes with Tight Reductions to the Diffie-Hellman Problems](http://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf) Scheme 1 in this paper comes with a tight reduction to the Computational Diffie-Hellman problem, which means it is definitely at least as secure as any discrete-log-based scheme and could be more secure. It also has a good pedigree (having been suggested by David Chaum et al. in 1989 and having been proven to tightly reduce to Computational Diffie-Hellman by Katz et al. in 2003). It also has a nice short public key, which could be good for fitting it into our capability security schemes.
+
+### Miscellaneous
+
 [POST: A Secure, Resilient, Cooperative Messaging System](http://citeseer.ist.psu.edu/mislove03post.html) -- use a DHT for messaging; includes a suggestion to ameliorate the confidentiality problems of single-instance store by adding random bits to small text messages
 
 [Non-Transitive Connectivity and DHTs](http://srhea.net/papers/ntr-worlds05.pdf) -- practical lessons in dealing with not-fully-connected DHTs that theoreticians learned in deployment