diff --git a/ChangeLog b/ChangeLog
index 9d8c0bf4b2cc1ae316b8a1cdc19119eb44e8da75..a4548bc92b938d51a949881654a2512de6a676f9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2016-09-07 Niels Möller <nisse@lysator.liu.se>
+
+ * nettle.texinfo (Elliptic curves): Split into sub-nodes.
+
2016-09-06 Niels Möller <nisse@lysator.liu.se>
* NEWS: Update for 3.3.
diff --git a/nettle.texinfo b/nettle.texinfo
index 22922b95d372d0c55cbce7fc387eabea34926cd8..291ebcecf8612f8b774a04be9629fd74c1b5d477 100644
--- a/nettle.texinfo
+++ b/nettle.texinfo
@@ -107,6 +107,12 @@ Public-key algorithms
* DSA:: The DSA digital signature algorithm.
* Elliptic curves:: Elliptic curves and ECDSA
+@acronym{Elliptic curves}
+
+* Side-channel silence::
+* ECDSA::
+* Curve 25519::
+
@end detailmenu
@end menu
@@ -4174,7 +4180,17 @@ visible to nettle users. The ``bitsize of the curve'' is used as a
shorthand for the bitsize of the curve's prime @math{p}, e.g., 256 bits
for @code{nettle_secp_256r1}.
+@menu
+* Side-channel silence::
+* ECDSA::
+* Curve 25519::
+@end menu
+
+@node Side-channel silence, ECDSA, , Elliptic curves
+@comment node-name, next, previous, up
@subsubsection Side-channel silence
+@cindex Side-channel attack
+
Nettle's implementation of the elliptic curve operations is intended to
be side-channel silent. The side-channel attacks considered are:
@@ -4200,6 +4216,8 @@ accesses depend only on the size of the input data and its location in
memory, not on the actual data bits. This implies a performance penalty
in several of the building blocks.
+@node ECDSA, Side-channel silence, Curve 25519, Elliptic curves
+@comment node-name, next, previous, up
@subsubsection ECDSA
ECDSA is a variant of the DSA digital signature scheme (@pxref{DSA}),
@@ -4302,6 +4320,8 @@ random octets and store them at @code{dst}. For advice, see
@xref{Randomness}.
@end deftypefun
+@node Curve 25519, , ECDSA, Elliptic curves
+@comment node-name, next, previous, up
@subsubsection Curve25519
@cindex Curve 25519