clarify which signature to check (#3573)

changelogs/client_server/newsfragments/3573.clarification

@@ -0,0 +1 @@
+Clarify which signature to check when decrypting `m.olm.v1.curve25519-aes-sha2` messages.

content/client-server-api/modules/end_to_end_encryption.md

@@ -1461,11 +1461,11 @@ user, and `recipient_keys` to the local ed25519 key.
 
 Clients must confirm that the `sender_key` and the `ed25519` field value
 under the `keys` property match the keys returned by [`/keys/query`](/client-server-api/#post_matrixclientv3keysquery) for
-the given user, and must also verify the signature of the payload.
+the given user, and must also verify the signature of the keys from the
-Without this check, a client cannot be sure that the sender device owns
+`/keys/query` response. Without this check, a client cannot be sure that
-the private part of the ed25519 key it claims to have in the Olm
+the sender device owns the private part of the ed25519 key it claims to
-payload. This is crucial when the ed25519 key corresponds to a verified
+have in the Olm payload. This is crucial when the ed25519 key corresponds
-device.
+to a verified device.
 
 If a client has multiple sessions established with another device, it
 should use the session from which it last received and successfully