diff --git a/rsa.h b/rsa.h
index 2105daa5aa141c603bef85c0a2f4bea2c2d8acb9..9631e502d2ebe88b5376bc44728afc640aafd2e9 100644
--- a/rsa.h
+++ b/rsa.h
@@ -76,13 +76,13 @@ extern "C" {
#define _rsa_verify _nettle_rsa_verify
#define _rsa_check_size _nettle_rsa_check_size
- /* This limit is somewhat arbitrary. Technically, the smallest
- modulo which makes sense at all is 15 = 3*5, phi(15) = 8, size 4
- bits. But for ridiculously small keys, not all odd e are possible
- (e.g., for 5 bits, the only possible modulo is 3*7 = 21, phi(21)
- = 12, and e = 3 don't work). The smallest size that makes sense
- with pkcs#1, and which allows RSA encryption of one byte
- messages, is 12 octets, 89 bits. */
+/* This limit is somewhat arbitrary. Technically, the smallest modulo
+ which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But
+ for ridiculously small keys, not all odd e are possible (e.g., for
+ 5 bits, the only possible modulo is 3*7 = 21, phi(21) = 12, and e =
+ 3 don't work). The smallest size that makes sense with pkcs#1, and
+ which allows RSA encryption of one byte messages, is 12 octets, 89
+ bits. */
#define RSA_MINIMUM_N_OCTETS 12
#define RSA_MINIMUM_N_BITS (8*RSA_MINIMUM_N_OCTETS - 7)
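Review bot: The comment above `RSA_MINIMUM_N_OCTETS` explains why 12 octets (89 bits) is the smallest modulus that makes sense with PKCS#1, but it never says that this is a structural limit and not a security one. Since the text is being touched anyway, I would append a sentence such as `Note that this is a format limit only; keys anywhere near this size provide no security, and applications must enforce their own minimum key size.` Without it, a reader may take a passing size check (presumably the one behind `_rsa_check_size`) as a statement about key strength. Where these macros are used lies outside the hunk, so whether callers already enforce a larger minimum cannot be told from here.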