diff --git a/Bibliography.md b/Bibliography.md
index 0989a75..3ee9e2d 100644
--- a/Bibliography.md
+++ b/Bibliography.md
@@ -30,14 +30,6 @@ Here are some papers that are potentially of interest.
 and practical signature scheme with minimal security requirements: a pseudorandom and a second preimage resistant (hash) function family. Its signature size is reduced to less than 25% compared to
 the best provably secure hash based signature scheme.”
 
-[Digital Signatures out of Second-Preimage Resistant Hash Functions](http://www.cdc.informatik.tu-darmstadt.de/~dahmen/papers/DOTV08.pdf) by Dahmen, Okeya, Takagi, Vuillame; This scheme is secure as long as the underlying hash function has *second-preimage resistance*, which real hash functions are a lot more likely to have than to have a stronger property like *collision-resistance*.
-
-[Hash-based Digital Signature Schemes](http://www.cdc.informatik.tu-darmstadt.de/~dahmen/papers/hashbasedcrypto.pdf) by Buchmann, Dahmen, and Szydlo; A survey of why it might be a good idea.
-
-[Merkle Signatures with Virtually Unlimited Signature Capacity](http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=8AC81C407AA3CBF35093032BD01F3085?doi=10.1.1.95.1374&rep=rep1&type=pdf) by Buchmann, Dahmen, Klintsevich, Okeya, and Vuillaume; includes treating the parameters as an optimization problem and solving it with various weights or constraints to find various good settings for the parameters. Unfortunately their weights and constraints are different from hours: they thought it was fine to let key generation time take tens of hours! We want key generation time to be as few milliseconds as possible. A good rule of thumb for us would probably be try to reduce the time of whichever of the three operations is the slowest: key-generation, signing, and verification.
-
-[Fast Hash-Based Signatures on Constrained Devices](https://www.minicrypt.cdc.informatik.tu-darmstadt.de/reports/reports/REDBP08.pdf) by Rohde, Eisenbarth, Dahmen, Buchmann, and Paar; a case study of implementing hash-based digital signatures for a 8-bit microcontroller. Their implementation had some trade-offs that we wouldn't want: it is a "key-evolving" design (the signer has to maintain state in order to avoid a security failure), it can only handle a limited number of signatures, and they spent a lot of time in key generation. Hm, they don't say how long key-generation took in this paper—only that it took so long that they had to run it on a PC instead of on their microcontroller. In [Signatures with Virtually Unlimited Signature Capacity]Merkle, the key-generation took tens of hours on a PC!!! On the other hand, they do show a digital signature scheme which is faster at signing and verifying and is also arguably safer than RSA or ECDSA on their 8-bit microcontroller. 
-
 ### Elliptic Curve Cryptography
 
 [ECC Brainpool Standard Curves and Curve Generation](http://tools.ietf.org/html/draft-lochter-pkix-brainpool-ecc-03) new elliptic curve parameters which come with a proof that they were generated deterministically and pseudorandomly from the first few bits of Π, as well as proofs that they are immune to certain other potential cryptographic weaknesses.
@@ -119,4 +111,13 @@ These are some references which are less interesting or relevant than the ones a
 
 [ChaChaCha20](http://cr.yp.to/chacha.html) even better stream cipher; It might be slightly safer than Salsa20 and it is certainly slightly faster on some platforms, but slightly slower on others.  However, the author of Salsa20 and ChaChaCha20, Daniel J. Bernstein, seems to have settled on using Salsa20 (or a tweak of it named XSalsa20), so probably that is the one to use.
 
-[Cryptanalysis of the Tiger Hash Function](https://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=81263) by Mendel and Rijmen
\ No newline at end of file
+[Cryptanalysis of the Tiger Hash Function](https://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=81263) by Mendel and Rijmen
+
+[Digital Signatures out of Second-Preimage Resistant Hash Functions](http://www.cdc.informatik.tu-darmstadt.de/~dahmen/papers/DOTV08.pdf) by Dahmen, Okeya, Takagi, Vuillame; This scheme is secure as long as the underlying hash function has *second-preimage resistance*, which real hash functions are a lot more likely to have than to have a stronger property like *collision-resistance*.
+
+[Hash-based Digital Signature Schemes](http://www.cdc.informatik.tu-darmstadt.de/~dahmen/papers/hashbasedcrypto.pdf) by Buchmann, Dahmen, and Szydlo; A survey of why it might be a good idea.
+
+[Merkle Signatures with Virtually Unlimited Signature Capacity](http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=8AC81C407AA3CBF35093032BD01F3085?doi=10.1.1.95.1374&rep=rep1&type=pdf) by Buchmann, Dahmen, Klintsevich, Okeya, and Vuillaume; includes treating the parameters as an optimization problem and solving it with various weights or constraints to find various good settings for the parameters. Unfortunately their weights and constraints are different from hours: they thought it was fine to let key generation time take tens of hours! We want key generation time to be as few milliseconds as possible. A good rule of thumb for us would probably be try to reduce the time of whichever of the three operations is the slowest: key-generation, signing, and verification.
+
+[Fast Hash-Based Signatures on Constrained Devices](https://www.minicrypt.cdc.informatik.tu-darmstadt.de/reports/reports/REDBP08.pdf) by Rohde, Eisenbarth, Dahmen, Buchmann, and Paar; a case study of implementing hash-based digital signatures for a 8-bit microcontroller. Their implementation had some trade-offs that we wouldn't want: it is a "key-evolving" design (the signer has to maintain state in order to avoid a security failure), it can only handle a limited number of signatures, and they spent a lot of time in key generation. Hm, they don't say how long key-generation took in this paper—only that it took so long that they had to run it on a PC instead of on their microcontroller. In [Signatures with Virtually Unlimited Signature Capacity]Merkle, the key-generation took tens of hours on a PC!!! On the other hand, they do show a digital signature scheme which is faster at signing and verifying and is also arguably safer than RSA or ECDSA on their 8-bit microcontroller. 
+