Note side-channel resistance of probable primes.

This came in around d8fda3b6da.

doc/pubkey.but

@@ -177,6 +177,13 @@ are prime, because it generates the output number together with a
 proof of its primality. This takes more effort, but it eliminates that
 theoretical risk in the probabilistic method.
 
+There in one way in which PuTTYgen's proven-primes method is not
+strictly better than its probable-primes method. If you use PuTTYgen
+to generate RSA or DSA keys on a computer that is potentially
+susceptible to timing- or cache-based \i{side-channel attacks}, such
+as a shared computer, the \q{probable primes} method is designed to
+resist such attacks, whereas the \q{proven primes} methods are not.
+
 You might choose to switch from probable to proven primes if you have
 a local security standard that demands it, or if you don't trust the
 probabilistic argument for the safety of the usual method.
@@ -389,8 +396,8 @@ These options only affect PPK version 3.
 \dt Key derivation function
 
 \dd The variant of the \i{Argon2} key derivation function to use.
-You might change this if you consider your exposure to side-channel
+You might change this if you consider your exposure to \i{side-channel
-attacks to be different to the norm.
+attacks} to be different to the norm.
 
 \dt Memory to use for passphrase hash