A 80-byte message, which is generated and sent by the client.
It is the only message in the key exchange.
.El
-.Pp
.Ss Key exchange as the client
When starting a new connection to the server, the client first reads
the server's public key from the network; then it calls
.Fc
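Review bot: the context line just above the removed .Pp reads "A 80-byte message" and should read "An 80-byte message"; since this pass is already tidying the end of that list, fix the article in the same commit. The .Pp removal itself looks right, because the .Ss header that follows already supplies the vertical break.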
.Sh DESCRIPTION
Poly1305 is a one-time message authentication code.
-"One-time" means the authentication key can be used only once.
+.Dq One-time
+means the authentication key can be used only once.
.Sy This makes Poly1305 easy to misuse .
On the other hand, Poly1305 is fast, and provably secure if used
correctly.
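Review bot: after the .Dq One-time sentence, the visible text warns with ".Sy This makes Poly1305 easy to misuse ." but never says what reusing a key costs. If the page does not spell that out further down, add one sentence next to the .Sy line stating what an attacker gains when a key authenticates more than one message, so the warning is actionable on its own.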
Reads may be interrupted, and more attacks are possible on a file than
on a system call.
.Ss Timing attacks
-Monocypher runs in "constant time".
+Monocypher runs in
+.Dq constant time .
There is no flow from secrets to timings.
No secret dependent indices, no secret dependent branches.
Nevertheless, there are a couple important caveats.
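Review bot: the context lines under the new .Dq constant time . still read "No secret dependent indices, no secret dependent branches" and "a couple important caveats"; the compound modifier wants a hyphen ("secret-dependent") and "a couple of important caveats" reads better. Passing the period as a separate argument to .Dq is correct, since it keeps the punctuation outside the quotes.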
encrypted, they can observe changes to the ciphertext length to recover
secrets from the input.
Researchers have demonstrated an attack on HTTPS to steal session
-cookies when compression is enabled, dubbed "CRIME".
+cookies when compression is enabled, dubbed
+.Dq CRIME .
.Ss Forward secrecy
Long term secrets cannot be expected to stay safe indefinitely.
Users may reveal them by mistake, or the host computer might have a