From 55e76010846450f7eb92f2cfbd499c0ab3022ba9 Mon Sep 17 00:00:00 2001
From: Michael Savage <mikejsavage@gmail.com>
Date: Thu, 7 Dec 2017 20:05:06 +0200
Subject: [PATCH] Re-add the paragraph about corruption being 3x slower to
 detect

---
 doc/man/man3/crypto_lock_init.3monocypher | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/doc/man/man3/crypto_lock_init.3monocypher b/doc/man/man3/crypto_lock_init.3monocypher
index 6f4f1bc..3c5745b 100644
--- a/doc/man/man3/crypto_lock_init.3monocypher
+++ b/doc/man/man3/crypto_lock_init.3monocypher
@@ -234,3 +234,9 @@ Chacha20 and Poly1305 are described in RFC 7539.
 XChacha20 derives from Chacha20 the same way XSalsa20 derives from
 Salsa20, and benefits from the same security reduction (proven secure
 as long as Chacha20 itself is secure).
+.Sh IMPLEMENTATION DETAILS
+The incremental interface is roughly three times slower than the direct
+interface at identifying corrupted messages.
+This is because the incremental interface works in a single pass and has
+to interleave decryption and verification.
+Users who expect a high corruption rate may want to avoid it.
-- 
2.47.3