From: Michael Savage Date: Fri, 8 Dec 2017 23:53:38 +0000 (+0200) Subject: Poly1305 manual tweaks based on Loup's comments X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=95d5af174f7ab94e4b5b0718aa61d856df89b0b8;p=Monocypher.git Poly1305 manual tweaks based on Loup's comments --- diff --git a/doc/man/man3/crypto_poly1305.3monocypher b/doc/man/man3/crypto_poly1305.3monocypher index e5a6803..47d7423 100644 --- a/doc/man/man3/crypto_poly1305.3monocypher +++ b/doc/man/man3/crypto_poly1305.3monocypher @@ -150,7 +150,8 @@ Session keys cannot be used for this. They are shared and secret, but would be reused when sending multiple messages. Random numbers cannot be used either as there is no reasonable way to -share it with the recipient without also revealing it to the attacker. +share them with the recipient without also revealing them to the +attacker. .Pp The only practical source for the authentication key is a chunk of the encryption stream used to encrypt the message. @@ -175,8 +176,9 @@ This is the approach used by Use .Xr crypto_verify16 3monocypher to compare message authentication codes. -Avoid standard buffer comparison functions, as they may not run in -constant time. +Avoid standard buffer comparison functions. +They may not run in constant time, enabling an attacker to exploit timing +attacks to recover the MAC. .Pp The authentication key should be wiped with .Xr crypto_wipe 3monocypher
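Review bot: In the first hunk, the pronoun fix ("share them ... revealing them") correctly matches the plural antecedent "Random numbers"; while touching this sentence, consider also adding a comma before the subordinate clause in the unchanged context line, "Random numbers cannot be used either, as there is no reasonable way to", since without it the sentence reads as a run-on. The re-wrap that moves "attacker." onto its own line is consistent with the mdoc convention of not starting a new sentence mid-line, so no change is needed there.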
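Review bot: In the second hunk, "enabling an attacker to exploit timing attacks to recover the MAC" is imprecise and slightly redundant: what a non-constant-time comparison (memcmp(3) is the usual culprit) leaks is how many leading bytes of a submitted tag matched, which lets an attacker iteratively discover the correct tag for a message they could not otherwise authenticate; the key itself is not recovered. Suggest "They may not run in constant time, which leaks how much of a submitted MAC matched and lets an attacker forge a valid MAC." Splitting the original sentence in two so each starts on its own line is the right mdoc style and should stay.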