From cf947995d1a9735ba8f32b9b7eaf875a9d6cfac7 Mon Sep 17 00:00:00 2001 From: davidsarah <> Date: Wed, 21 Dec 2011 22:25:13 +0000 Subject: [PATCH] clarifications about hash-based digital sigs [Imported from Trac: page OneHundredYearCryptography, version 17] --- OneHundredYearCryptography.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/OneHundredYearCryptography.md b/OneHundredYearCryptography.md index d9e2450..2bb0de0 100644 --- a/OneHundredYearCryptography.md +++ b/OneHundredYearCryptography.md 
@@ -31,16 +31,16 @@ David-Sarah has proposed to use hash-based digital signatures. Zooko posted ["back of the envelope" performance constraints](https://tahoe-lafs.org/pipermail/tahoe-dev/2011-February/006133.html). Bottom-line: you get 30 million ARM instructions to implement one complete digital signature verification. -Julian Wälde has [posted an actual implementation](http://tahoe-lafs.org/pipermail/tahoe-dev/2011-March/006237.html) of hash-based digital signatures! Exciting fact: his implementation meets Zooko's performance criterion! +Julian Wälde has [posted an actual implementation](http://tahoe-lafs.org/pipermail/tahoe-dev/2011-March/006237.html) of (stateful) hash-based digital signatures! Exciting fact: his implementation meets Zooko's performance criterion! -Brian and David-Sarah wrote [a simulator]source:trunk/misc/simulators/hashbasedsig.py or two to explore performance trade-offs in hash-based signature parameters. The output of one run with the following parameters is this: +Brian and David-Sarah wrote [a simulator]source:trunk/misc/simulators/hashbasedsig.py or two to explore performance trade-offs in (stateless) hash-based signature parameters. The output of one run with the following parameters is this (note that the signing times include regeneration of per-message signing keys from a small long-term private key): ``` # range of hash output lengths range_L_hash = [128] lg_M = 53 # lg(required number of signatures before losing security) -limit_bytes = 20000 # limit on signature length +limit_bytes = 20000 # limit on signature length limit_cost = 500 # limit on Mcycles_Sig + weight_ver*Mcycles_ver weight_ver = 1 # how important verification cost is relative to signature cost # (note: setting this too high will just exclude useful candidates)
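Review bot: In the rewritten "Brian and David-Sarah wrote" line, the link is still in the Trac form `[a simulator]source:trunk/misc/simulators/hashbasedsig.py`, which Markdown does not render as a link; since the line is being edited anyway, convert it to the `[a simulator](...)` form pointing at that file in the repository. The new "(stateful)" and "(stateless)" qualifiers are also added without saying what they mean; one sentence noting that a stateful scheme requires the signer to track which one-time keys have already been used, while a stateless one does not, would show readers why Julian Wälde's implementation and the simulator output are not measuring the same thing. Two smaller points: the `limit_bytes` change appears to be whitespace-only and could be dropped from this patch, and the Julian Wälde link keeps `http://` while the Zooko link in the context line above uses `https://`.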