mirror of https://github.com/BLAKE3-team/BLAKE3, synced 2024-03-28 14:29:54 +01:00
replace a copy-pasted Rust API reference in the C docs
parent 79d270283f
commit 09df11731e
c/README.md (15 changed lines)
@ -196,14 +196,13 @@ BLAKE3 output is intended to provide N bits of first and second preimage resista
bits of collision resistance, for any N up to 256. Longer outputs don't provide any additional
security.

Avoid relying on the secrecy of the output offset, that is, the number of output bytes read or
the arguments to [`seek`](struct.OutputReader.html#method.seek) or
[`set_position`](struct.OutputReader.html#method.set_position). [_Block-Cipher-Based Tree
Hashing_ by Aldo Gunsing](https://eprint.iacr.org/2022/283) shows that an attacker who knows
both the message and the key (if any) can easily determine the offset of an extended output.
For comparison, AES-CTR has a similar property: if you know the key, you can decrypt a block
from an unknown position in the output stream to recover its block index. Callers with strong
secret keys aren't affected in practice, but secret offsets are a [design
Avoid relying on the secrecy of the output offset, that is, the `seek` argument of
`blake3_hasher_finalize_seek`. [_Block-Cipher-Based Tree Hashing_ by Aldo
Gunsing](https://eprint.iacr.org/2022/283) shows that an attacker who knows both the message
and the key (if any) can easily determine the offset of an extended output. For comparison,
AES-CTR has a similar property: if you know the key, you can decrypt a block from an unknown
position in the output stream to recover its block index. Callers with strong secret keys
aren't affected in practice, but secret offsets are a [design
smell](https://en.wikipedia.org/wiki/Design_smell) in any case.

# Building

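Review bot: the replacement paragraph narrows "the output offset" to the `seek` argument of `blake3_hasher_finalize_seek`, dropping the removed paragraph's "the number of output bytes read or" clause; a caller who reads a longer output and then uses only its tail is also relying on a position in the output stream, so consider keeping that clause, for example "that is, the number of output bytes read or the `seek` argument of `blake3_hasher_finalize_seek`". The rest of the rewrite is the right fix for a C README: `[`seek`](struct.OutputReader.html#method.seek)` and `[`set_position`](struct.OutputReader.html#method.set_position)` are rustdoc-relative anchors that cannot resolve from c/README.md, and naming the C function that actually takes the offset makes the warning actionable for C callers. The re-wrapped lines also keep the same roughly 100-column hard wrap as the surrounding context, so the rendered README stays consistent.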