From 66b19a6da3853aa684efcd2982c8406e8e9003a6 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Wed, 18 Oct 2017 09:24:13 +0200 Subject: [PATCH] Add a note on ED25519_NONDETERMINISTIC --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.md b/README.md index 57c7881..ab36e04 100644 --- a/README.md +++ b/README.md @@ -51,3 +51,18 @@ Alternative implementations * [rsign](https://bitbucket.org/danielrangel/rsign) is a minisign implementation written in Rust. + +Faults injections +----------------- + +Minisign uses the EdDSA signature system, and deterministic signature +schemes are fragile against fault attacks. However, conducting these requires +physical access or the attacker having access to the same physical host. + +More importantly, this requires a significant amount of time, and messages +being signed endlessly while the attack is being conducted. + +If such a scenario ever happens to be part of your threat model, +libsodium should be compiled with the `ED25519_NONDETERMINISTIC` macro +defined. This will add random noise to the computation of EdDSA +nonces.
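Review bot: the new section heading `Faults injections` in the README hunk should read `Fault injection` (or `Fault attacks`, the term the body text itself uses). The mitigation paragraph would also benefit from stating the trade-off it implies: with `ED25519_NONDETERMINISTIC` defined, libsodium adds random noise to the EdDSA nonce, so signing the same message with the same key no longer yields a byte-identical signature, and since this is a compile-time option of libsodium rather than of minisign, users have to rebuild libsodium themselves to get it. Minor wording: `conducting these requires physical access or the attacker having access to the same physical host` reads more cleanly as `conducting such attacks requires physical access, or an attacker with access to the same physical host`.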