That makes sense; I hadn’t thought of the possibility that a security failure in the HBO tree might be acceptable in this context. OTOH, if there’s an input that corrupts the HBO tree, isn’t it possible that the corrupted tree could output a supposed “LBO overseer” that embeds the malicious input and corrupts us when we try to verify it? If the HBO tree is insecure, it seems like a manual process that verifies its output must be insecure as well.
One situation is: maybe an HBO tree of size 10^20 runs into a security failure with high probability, but an HBO tree of size 10^15 doesn’t and is sufficient to output a good LBO overseer.