From: Fabio Scotoni <34964387+fscoto@users.noreply.github.com> Date: Tue, 31 Mar 2020 13:11:10 +0000 (+0200) Subject: Address review concerns from #164. X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=ebcf6710b803315ac9cd895385247608354e3b6b;p=Monocypher.git Address review concerns from #164. 1. Remove recommendation for 512-bit BLAKE2b. 32 bytes is enough, and it's not like we offer EC functions of a higher security level either. The text added in 628f027 already does enough to recommend proper hash output lengths. 2. Bump .Dd date in crypto_poly1305.3monocypher. 3. crypto_verify16 add "byte by byte" for both accuracy of how a MAC with a variable-time comparison function will be found and for dramatic reasons because it sounds like doom is slowly approaching, byte by byte. --- diff --git a/doc/man/man3/crypto_blake2b.3monocypher b/doc/man/man3/crypto_blake2b.3monocypher index 6208299..67f59d1 100644 --- a/doc/man/man3/crypto_blake2b.3monocypher +++ b/doc/man/man3/crypto_blake2b.3monocypher @@ -123,7 +123,6 @@ Length of .Fa hash , in bytes. Must be between 1 and 64. -64 is recommended. Anything below 32 is discouraged when using Blake2b as a general-purpose hash function; anything below 16 is discouraged when using Blake2b as a message diff --git a/doc/man/man3/crypto_poly1305.3monocypher b/doc/man/man3/crypto_poly1305.3monocypher index b9c1f55..c0f25a1 100644 --- a/doc/man/man3/crypto_poly1305.3monocypher +++ b/doc/man/man3/crypto_poly1305.3monocypher @@ -50,7 +50,7 @@ .\" with this software. If not, see .\" .\" -.Dd March 2, 2020 +.Dd March 31, 2020 .Dt CRYPTO_POLY1305 3MONOCYPHER .Os .Sh NAME diff --git a/doc/man/man3/crypto_verify16.3monocypher b/doc/man/man3/crypto_verify16.3monocypher index 2008959..9ff898b 100644 --- a/doc/man/man3/crypto_verify16.3monocypher +++ b/doc/man/man3/crypto_verify16.3monocypher 
@@ -89,8 +89,8 @@ If the attacker attempts a forgery, one does not want to reveal .Dq your MAC is wrong, Em and it took 384 microseconds to tell . If the next attempt takes 462 microseconds instead, it tells the attacker they just guessed a byte correctly. -That way, an attacker can derive the correct MAC, and successfully -forge a message. +That way, an attacker can derive the correct MAC byte by byte, +and successfully forge a message. This has lead to practical attacks in the past. .Pp To avoid such catastrophic failure,
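Review bot: In the crypto_blake2b.3monocypher hunk, deleting "64 is recommended." leaves the hash-length description with a range ("Must be between 1 and 64.") and two lower bounds ("Anything below 32 is discouraged", "anything below 16 is discouraged") but no positive guidance, so a reader only learns what not to do. Since the commit message's own rationale is that 32 bytes is enough, consider stating that directly in the replaced line, e.g. "32 is sufficient for general-purpose use." rather than leaving the sentence out entirely.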
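Review bot: The crypto_poly1305.3monocypher hunk bumps ".Dd March 2, 2020" to ".Dd March 31, 2020", but this patch also edits crypto_blake2b.3monocypher and crypto_verify16.3monocypher and the visible hunks show no corresponding .Dd change for those two files. If the convention is to bump the document date on every content change (as item 2 of the commit message implies), those two manual pages should get the same bump in this commit for consistency.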
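Review bot: In the crypto_verify16.3monocypher hunk, the rewrapped sentence "That way, an attacker can derive the correct MAC byte by byte, / and successfully forge a message." reads well, but the unchanged context line immediately after it, "This has lead to practical attacks in the past.", has a typo ("lead" should be "led"). Since this paragraph is already being touched, fixing that line in the same change would avoid a follow-up commit.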