Salsa20, and benefits from the same security reduction (proven secure
as long as Chacha20 itself is secure).
.Sh SECURITY CONSIDERATIONS
-Messages must be completely decrypted before they can be verified.
-Make sure to call
-.Fn crypto_unlock_final ,
-and make sure to check its return value
+Messages are not verified until the call to
+.Fn crypto_unlock_final .
+Make sure to call it and check the return value
.Em before
processing the message.
Messages may be stored before they are verified, but they cannot be
Ed25519 is described in RFC 7748.
.Sh SECURITY CONSIDERATIONS
Messages are not verified until the call to
-.Xr crypto_check_final .
+.Fn crypto_check_final .
Messages may be stored before they are verified, but they cannot be
.Em trusted .
Processing untrusted messages increases the attack surface of the
Doing so securely is hard.
Do not process messages before calling
.Fn crypto_check_final .
-Additionally, the security considerations documented in
-.Xr crypto_sign 3monocypher ,
-apply here too.
+.Pp
+When signing messages, the security considerations documented in
+.Xr crypto_sign 3monocypher
+also apply.
.Sh IMPLEMENTATION DETAILS
EdDSA signatures require two passes that cannot be performed in
parallel.
projects / Monocypher.git / commitdiff