diff --git a/nacl.h b/nacl.h
index 0f939828..e967deb9 100644
--- a/nacl.h
+++ b/nacl.h
@@ -21,18 +21,22 @@
/// MinGW and MSYS are LP64 systems (not LLP64 systems). In
/// addition, Crypto++ was missing NaCl's signed 64-bit integer i64.
/// \details Crypto++ rejects all 0-keys due to small points. The TweetNaCl
-/// library allowed the 0-keys due to small points. Also see commit
+/// 675149b9b8b6, May the
+/// Fourth Be With You: A Microarchitectural Side Channel Attack on Several
+/// Real-World Applications of Curve25519 and RFC 7748, Elliptic Curves for
/// Security, Section 6.
/// \details TweetNaCl is well written but not well optimzed. It runs 2x to 4x
/// slower than optimized routines from libsodium. However, the library is still
-/// 2x to 4x faster than the algorithms NaCl was designed to replace.
-/// \details The Crypto++ wrapper for TweetNaCl requires OS features. That is,
-/// NO_OS_DEPENDENCE cannot be defined. It is due to TweetNaCl's
-/// internal function randombytes. Crypto++ used
-/// DefaultAutoSeededRNG within randombytes, so OS integration
-/// must be enabled. You can use another generator like RDRAND to
-/// avoid the restriction.
+/// 2x to 4x faster than the algorithms NaCl was designed to replace.
+/// \details The Crypto++ wrapper for TweetNaCl requires OS features, and
+/// NO_OS_DEPENDENCE cannot be defined. The requirement is due to
+/// TweetNaCl's internal function randombytes. Crypto++ implemented
+/// randombytes using DefaultAutoSeededRNG, so OS integration
+/// must be enabled. You can use another generator like RDRAND to
+/// avoid the restriction.
/// \sa TweetNaCl:
/// A crypto library in 100 tweets (20140917)
/// \since Crypto++ 6.0