mirror of https://github.com/BLAKE3-team/BLAKE3 synced 2024-03-28 14:29:54 +01:00

replace a copy-pasted Rust API reference in the C docs

This commit is contained in:
Jack O'Connor 2022-07-22 10:47:04 -07:00
parent 79d270283f
commit 09df11731e


@ -196,14 +196,13 @@ BLAKE3 output is intended to provide N bits of first and second preimage resista
bits of collision resistance, for any N up to 256. Longer outputs don't provide any additional
security.
Avoid relying on the secrecy of the output offset, that is, the number of output bytes read or
the arguments to [`seek`](struct.OutputReader.html#method.seek) or
[`set_position`](struct.OutputReader.html#method.set_position). [_Block-Cipher-Based Tree
Hashing_ by Aldo Gunsing](https://eprint.iacr.org/2022/283) shows that an attacker who knows
both the message and the key (if any) can easily determine the offset of an extended output.
For comparison, AES-CTR has a similar property: if you know the key, you can decrypt a block
from an unknown position in the output stream to recover its block index. Callers with strong
secret keys aren't affected in practice, but secret offsets are a [design
Avoid relying on the secrecy of the output offset, that is, the `seek` argument of
`blake3_hasher_finalize_seek`. [_Block-Cipher-Based Tree Hashing_ by Aldo
Gunsing](https://eprint.iacr.org/2022/283) shows that an attacker who knows both the message
and the key (if any) can easily determine the offset of an extended output. For comparison,
AES-CTR has a similar property: if you know the key, you can decrypt a block from an unknown
position in the output stream to recover its block index. Callers with strong secret keys
aren't affected in practice, but secret offsets are a [design
smell](https://en.wikipedia.org/wiki/Design_smell) in any case.
# Building
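Review bot: the definition of "output offset" narrows in the new text from "the number of output bytes read or the arguments to `seek`/`set_position`" to just "the `seek` argument of `blake3_hasher_finalize_seek`", which fits the C API (the offset is always an explicit argument, with no reader object tracking how many bytes have been consumed), but the sentence would be clearer to C readers if it said what that argument means, e.g. "that is, the `seek` argument of `blake3_hasher_finalize_seek`, which selects where in the extended output the returned bytes begin". The removed lines pointed at `struct.OutputReader.html#method.seek` and `#method.set_position`, which are Rust doc links that resolve to nothing in the C documentation, so dropping them is the right call; the rest of the paragraph (the Gunsing reference, the AES-CTR comparison, the "design smell" remark) is carried over verbatim and needs no change for the C context.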