From 09df11731e9762315698653da13c2dfcf56b82bc Mon Sep 17 00:00:00 2001 From: Jack O'Connor Date: Fri, 22 Jul 2022 10:47:04 -0700 Subject: [PATCH] replace a copy-pasted Rust API reference in the C docs --- c/README.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/c/README.md b/c/README.md index ad8e5fb..259af2a 100644 --- a/c/README.md +++ b/c/README.md @@ -196,14 +196,13 @@ BLAKE3 output is intended to provide N bits of first and second preimage resista bits of collision resistance, for any N up to 256. Longer outputs don't provide any additional security. -Avoid relying on the secrecy of the output offset, that is, the number of output bytes read or -the arguments to [`seek`](struct.OutputReader.html#method.seek) or -[`set_position`](struct.OutputReader.html#method.set_position). [_Block-Cipher-Based Tree -Hashing_ by Aldo Gunsing](https://eprint.iacr.org/2022/283) shows that an attacker who knows -both the message and the key (if any) can easily determine the offset of an extended output. -For comparison, AES-CTR has a similar property: if you know the key, you can decrypt a block -from an unknown position in the output stream to recover its block index. Callers with strong -secret keys aren't affected in practice, but secret offsets are a [design +Avoid relying on the secrecy of the output offset, that is, the `seek` argument of +`blake3_hasher_finalize_seek`. [_Block-Cipher-Based Tree Hashing_ by Aldo +Gunsing](https://eprint.iacr.org/2022/283) shows that an attacker who knows both the message +and the key (if any) can easily determine the offset of an extended output. For comparison, +AES-CTR has a similar property: if you know the key, you can decrypt a block from an unknown +position in the output stream to recover its block index. Callers with strong secret keys +aren't affected in practice, but secret offsets are a [design smell](https://en.wikipedia.org/wiki/Design_smell) in any case. # Building
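Review bot: the new wording narrows the warning compared with what it replaces. The removed text told callers not to rely on the secrecy of "the number of output bytes read or the arguments to `seek`/`set_position`", while the replacement mentions only "the `seek` argument of `blake3_hasher_finalize_seek`", so a caller who requests a long output in one finalize call and relies on which part of it they use is no longer covered. Suggest keeping both cases, e.g. "that is, the number of output bytes read or the `seek` argument of `blake3_hasher_finalize_seek`." The rest of the rewrite (dropping the Rust `OutputReader` links and the `set_position` reference in favor of the C function name) is the right fix for a C README; the Gunsing citation and the AES-CTR comparison are carried over unchanged.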