From 2738d9d53fab591627ad0f1df3cfd99ee1a7846d Mon Sep 17 00:00:00 2001 From: Fabio Scotoni <34964387+fscoto@users.noreply.github.com> Date: Thu, 5 Dec 2019 09:09:01 +0100 Subject: [PATCH] intro: Be more accurate about constant-time multiplication Information obtained via https://bearssl.org/cmul.html Considering the interest in Monocypher on embedded platforms, some ARM Cortex-M CPUs lacking constant-time multiplication needs special emphasis. --- doc/man/man3/intro.3monocypher | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/doc/man/man3/intro.3monocypher b/doc/man/man3/intro.3monocypher index 0cf437b..2ec0c69 100644 --- a/doc/man/man3/intro.3monocypher +++ b/doc/man/man3/intro.3monocypher @@ -201,8 +201,12 @@ destroy all security. .Pp The Poly1305 authenticator, X25519, and EdDSA use multiplication. Some older processors do not multiply in constant time. -If the target platform is something other than x86, x86_64, ARM or -ARM64, double check how it handles multiplication. +If the target platform is something other than Intel or AMD x86_64, +double check how it handles multiplication. +In particular, +.Em ARM Cortex-M CPUs may lack constant-time multiplication . +Some VIA Nano x86 and x86_64 CPUs may lack constant-time multiplication +as well. .Ss Data compression Encryption does not hide the length of the input plaintext. Most compression algorithms work by using fewer bytes to encode -- 2.47.3
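Review bot: The `.Em` line in this hunk emphasizes the whole clause ("ARM Cortex-M CPUs may lack constant-time multiplication"), which is probably not the intent; if only the CPU family should stand out, quote the argument and continue the sentence on the next line, e.g. `.Em "ARM Cortex-M CPUs"` followed by `may lack constant-time multiplication.` on its own line, and drop the detached ` .` (mdoc handles trailing punctuation, but the emphasized span is what readers will notice). Separately, the rewritten sentence shrinks the list of platforms that need no double-checking from "x86, x86_64, ARM or ARM64" to "Intel or AMD x86_64", so 32-bit x86 and ARM64 application cores are now implicitly suspect; the commit message only motivates the Cortex-M and VIA Nano additions, so either keep those platforms in the list or say in the man page why they were removed. Since the new text points readers at "some" Cortex-M and "some" VIA Nano CPUs without saying which, consider citing the source named in the commit message (https://bearssl.org/cmul.html) in the man page so a reader can check their exact core rather than guess.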