diff --git a/poly1305.cpp b/poly1305.cpp
index 1d8abf9e..88acffa6 100644
--- a/poly1305.cpp
+++ b/poly1305.cpp
@@ -27,11 +27,10 @@
 ////////////////////////////// Common Poly1305 //////////////////////////////
-#define CONSTANT_TIME_CARRY(a,b) ((a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1))
-
 ANONYMOUS_NAMESPACE_BEGIN
 using namespace CryptoPP;
+#define CONSTANT_TIME_CARRY(a,b) ((a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1))
 void Poly1305_HashBlocks(word32 h[5], word32 r[4], const byte *input, size_t length, word32 padbit)
 {
diff --git a/poly1305.h b/poly1305.h
index 97b51881..f1158c9d 100644
--- a/poly1305.h
+++ b/poly1305.h
@@ -1,5 +1,13 @@
 // poly1305.h - written and placed in the public domain by Jeffrey Walton and Jean-Pierre Munch
-// Based on Andy Polyakov's Base-2^26 scalar multiplication implementation for OpenSSL.
+// Based on Andy Polyakov's Base-2^26 scalar multiplication implementation.
+// For more information, see https://www.openssl.org/~appro/cryptogams/.
+
+// The library added Bernstein's Poly1305 classses at Crypto++ 5.6.4. The IETF
+// uses a slightly different implementation than Bernstein, and the IETF
+// classes were added at Crypto++ 8.1. We wanted to maintain ABI compatibility
+// at the 8.1 release so the original Poly1305 classes were not disturbed.
+// Instead new classes were added for IETF Poly1305. The back-end implementation
+// shares code as expected, however.
 /// \file poly1305.h
 /// \brief Classes for Poly1305 message authentication code
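Review bot: The relocated `CONSTANT_TIME_CARRY(a,b)` on the added `#define` line still expands its arguments unparenthesized, so an expression argument would bind incorrectly against `^`, `|` and `-`; `#define CONSTANT_TIME_CARRY(a,b) (((a) ^ (((a) ^ (b)) | (((a) - (b)) ^ (b)))) >> (sizeof(a) * 8 - 1))` avoids that. The expression gives the branch-free `a < b` bit only when both operands are the same unsigned type and no narrower than `int`, because the shift count is taken from `sizeof(a)`. A one-line comment such as `// a, b: same unsigned type (e.g. word32); yields 1 if a < b, else 0, without a data-dependent branch` would record that contract next to the macro. Placing the macro after `ANONYMOUS_NAMESPACE_BEGIN` does not scope it, since the preprocessor ignores namespaces, so an `#undef CONSTANT_TIME_CARRY` after the last use is what would actually confine it. The uses are outside this hunk.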
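Review bot: The added header comment misspells a word in `// The library added Bernstein's Poly1305 classses at Crypto++ 5.6.4.`; it should read `classes`. The new paragraph is written as plain `//` comments ahead of the `/// \file` block, so it presumably will not reach the generated documentation. If the ABI-compatibility rationale is meant for users choosing between the Bernstein and IETF classes, moving it into the Doxygen block as a `\details` paragraph would surface it there.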