From b67352349f7a18a4318b11a1fba23878bd173b91 Mon Sep 17 00:00:00 2001
From: Fabio Scotoni <34964387+fscoto@users.noreply.github.com>
Date: Tue, 31 Mar 2020 13:39:37 +0200
Subject: [PATCH] crypto_x25519: Note that _from_eddsa exists

---
 doc/man/man3/crypto_x25519.3monocypher | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/doc/man/man3/crypto_x25519.3monocypher b/doc/man/man3/crypto_x25519.3monocypher
index 0aa8b45..e39c0d4 100644
--- a/doc/man/man3/crypto_x25519.3monocypher
+++ b/doc/man/man3/crypto_x25519.3monocypher
@@ -52,7 +52,7 @@
 .\" with this software. If not, see
 .\"
 .\"
-.Dd March 2, 2020
+.Dd March 31, 2020
 .Dt CRYPTO_X25519 3MONOCYPHER
 .Os
 .Sh NAME
@@ -128,6 +128,15 @@ compare the output of
 to an all-zero buffer using
 .Xr crypto_verify32 3monocypher ;
 abort the protocol if the output and the all-zero buffer are equal.
+.Pp
+Do not use the same secret key for both key exchanges and signatures.
+The public keys are different, and revealing both may leak information.
+If there really is no room to store or derive two different secret keys,
+consider generating a key pair for signatures and then converting it
+with
+.Xr crypto_from_eddsa_private 3monocypher
+and
+.Xr crypto_from_eddsa_public 3monocypher .
 .Sh RETURN VALUES
 .Fn crypto_x25519
 and
-- 
2.47.3