Re-add the paragraph about corruption being 3x slower to detect

author Michael Savage <mikejsavage@gmail.com>

Thu, 7 Dec 2017 18:05:06 +0000 (20:05 +0200)

committer Michael Savage <mikejsavage@gmail.com>

Thu, 7 Dec 2017 18:05:06 +0000 (20:05 +0200)
author Michael Savage <mikejsavage@gmail.com>
Thu, 7 Dec 2017 18:05:06 +0000 (20:05 +0200)
committer Michael Savage <mikejsavage@gmail.com>
Thu, 7 Dec 2017 18:05:06 +0000 (20:05 +0200)
diff --git a/doc/man/man3/crypto_lock_init.3monocypher b/doc/man/man3/crypto_lock_init.3monocypher

index 6f4f1bcc20692b612addfb0e4ad25c71dac53de4..3c5745ba7121db92ebe6c0c3e8a5056e1d9a6310 100644 (file)
--- a/doc/man/man3/crypto_lock_init.3monocypher
+++ b/doc/man/man3/crypto_lock_init.3monocypher
@@ -234,3 +234,9 @@ Chacha20 and Poly1305 are described in RFC 7539.
  XChacha20 derives from Chacha20 the same way XSalsa20 derives from
  Salsa20, and benefits from the same security reduction (proven secure
  as long as Chacha20 itself is secure).
+.Sh IMPLEMENTATION DETAILS
+The incremental interface is roughly three times slower than the direct
+interface at identifying corrupted messages.
+This is because the incremental interface works in a single pass and has
+to interleave decryption and verification.
+Users who expect a high corruption rate may want to avoid it.
author	Michael Savage <mikejsavage@gmail.com>
	Thu, 7 Dec 2017 18:05:06 +0000 (20:05 +0200)
committer	Michael Savage <mikejsavage@gmail.com>
	Thu, 7 Dec 2017 18:05:06 +0000 (20:05 +0200)