diff --git a/ChangeLog b/ChangeLog
index 6d54149a2d70a8038c9227544de92fd835bed6f4..5e130699099a903ac7bf1f687adc1c5534cbfcf4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2016-09-05  Niels Möller  <nisse@lysator.liu.se>
+
+	* curve25519.h (NETTLE_CURVE25519_RFC7748): New preprocessor
+	constant.
+	* nettle.texinfo: Document it.
+
 2016-09-03  Niels Möller  <nisse@lysator.liu.se>
 
 	* config.make.in (.SUFFIXES): Delete no longer used .p$(OBJEXT).
diff --git a/curve25519.h b/curve25519.h
index b47200b92dbc5337112eefd05fb9162f99af3874..1dcd94da0d410db9279499f60e3c81a8a8489633 100644
--- a/curve25519.h
+++ b/curve25519.h
@@ -44,6 +44,9 @@ extern "C" {
 
 #define CURVE25519_SIZE 32
 
+/* Indicates that curve25519_mul conforms to RFC 7748. */
+#define NETTLE_CURVE25519_RFC7748 1
+
 void
 curve25519_mul_g (uint8_t *q, const uint8_t *n);
 
diff --git a/nettle.texinfo b/nettle.texinfo
index e539dbe619cd308eed2c87d55c92387d5a92ba93..cbcad2592caa2e2d670a93319bf2b4783d8b4b82 100644
--- a/nettle.texinfo
+++ b/nettle.texinfo
@@ -4337,6 +4337,20 @@ by @cite{RFC 7748}. Its the output is therefore well defined for
 @emph{all} possible inputs, no matter if the input string represents a
 valid point on the curve or not.
 
+Note that the curve25519 implementation in earlier versions from Nettle
+deviates slightly from @cite{RFC 7748}, in that bit 255 of the @math{x}
+coordinate of the point input to curve25519_mul was not ignored. The
+@file{nette/curve25519.h} defines a preprocessor symbol
+@code{NETTLE_CURVE25519_RFC7748} to indicate conformance with the
+standard.
+
+Nettle defines Curve 25519 in @file{<nettle/curve25519.h>}.
+
+@defvr Constant NETTLE_CURVE25519_RFC7748
+Defined to 1 in Nettle versions conforming to RFC 7748. Undefined in
+earlier versions.
+@end defvr
+
 @defvr Constant CURVE25519_SIZE
 The size of the strings representing curve25519 points and scalars, 32.
 @end defvr