X-Git-Url: https://git.distorted.org.uk/~mdw/tripe/blobdiff_plain/b86e6f3fab7736f9f70131be1c48434d377a4ae0..de8edc7fdb0a26ca9cb736a49b020a64ee4a0d40:/server/tripe.8.in diff --git a/server/tripe.8.in b/server/tripe.8.in index 33f07b52..c19ee57a 100644 --- a/server/tripe.8.in +++ b/server/tripe.8.in @@ -412,6 +412,48 @@ more significantly, the transform is entirely deterministic, so (a) it doesn't need the (possibly slow) random number generator, and (b) it closes a kleptographic channel, over which a compromised implementation could leak secret information to a third party. +.TP +.B naclbox +A transform based on the NaCl +.B crypto_secretbox +transformation. +The main difference is that NaCl uses XSalsa20, +while TrIPE uses plain Salsa20 or ChaCha, +because it doesn't need the larger nonce space. +You can set the +.B cipher +key attribute to one of +.BR salsa20 , +.BR salsa20/12 , +.BR salsa20/8 , +.BR chacha20 , +.BR chacha12 , +or +.B chacha8 +to select the main cipher. +You can set the +.B mac +key attribute to +.B poly1305 +or +.B poly1305/128 +but these are the default and no other choice is permitted. +(This is for forward compatibility, +in case other MACs and/or tag sizes are allowed later.) +.SS "Other key attributes" +The following attributes can also be set on keys. +.TP +.B serialization +Selects group-element serialization formats. +The recommended setting is +.BR constlen , +which selects a constant-length encoding when hashing group elements. +The default, +for backwards compatibility, is +.BR v0 ; +but this is deprecated. +(The old format uses a variable length format for hashing, +which can leak information through timing.) .SS "Using SLIP interfaces" Though not for the faint of heart, it is possible to get .B tripe
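Review bot: In the new naclbox entry, the cipher paragraph lists six permitted values but never says which one is used when the attribute is unset, whereas the mac paragraph right after it does state its default; add a sentence naming the default cipher. In that mac paragraph, "these are the default" covers two names, poly1305 and poly1305/128, so say explicitly whether poly1305 is just shorthand for poly1305/128, and put a comma before "but". Under serialization, the text recommends constlen and deprecates v0 but does not say whether both peers have to use the same setting, which an administrator needs to know before changing it on one side. "variable length format" should be hyphenated to match "constant-length" a few lines earlier.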