From a43a5b053c1d1e931eeb56d65e6a40f634a0b94f Mon Sep 17 00:00:00 2001 From: Yawning Angel Date: Sun, 24 Mar 2024 22:52:21 +0900 Subject: [PATCH] core/crypto: Add more documentation about assumptions (NFC) --- core/crypto/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/core/crypto/README.md b/core/crypto/README.md index 1e4e41fb8..303b1f625 100644 --- a/core/crypto/README.md +++ b/core/crypto/README.md @@ -14,6 +14,14 @@ constant-time byte comparison. - Best-effort is make to mitigate timing side-channels on reasonable architectures. Architectures that are known to be unreasonable include but are not limited to i386, i486, and WebAssembly. +- Implementations assume a 64-bit architecture (64-bit integer arithmetic + is fast, and includes add-with-carry, sub-with-borrow, and full-result + multiply). +- Hardware sidechannels are explicitly out of scope for this package. + Notable examples include but are not limited to: + - Power/RF side-channels etc. + - Fault injection attacks etc. + - Hardware vulnerabilities ("apply mitigations or buy a new CPU"). - The packages attempt to santize sensitive data, however this is, and will remain a "best-effort" implementation decision. As Thomas Pornin puts it "In general, such memory cleansing is a fool's quest."
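Review bot: The new "Implementations assume a 64-bit architecture" bullet should say whether this is a correctness assumption or only a performance one, since the surrounding list mixes both: the preceding bullet lists i386 and i486 as merely "unreasonable" for timing mitigations, while "assume" read literally says 32-bit targets are unsupported. Suggest spelling it out, e.g. "Implementations are only tested on, and tuned for, 64-bit architectures; correctness on 32-bit targets is not guaranteed" or, if they do run correctly, "will be slow on 32-bit targets". Two smaller points in the same hunk: "Hardware sidechannels" is spelled differently from "timing side-channels" two lines above (pick one form), and the trailing "etc." on "Power/RF side-channels etc." and "Fault injection attacks etc." is redundant after "include but are not limited to". Since the patch is NFC and already touching this list, it would also be worth fixing the pre-existing typos in the context lines ("Best-effort is make" should read "Best-effort is made", and "santize" should read "sanitize").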