| author | Jack O'Connor <[email protected]> | 2022-03-04 10:19:14 -0500 |
|---|---|---|
| committer | Jack O'Connor <[email protected]> | 2022-03-04 10:19:14 -0500 |
| commit | 48c4621edc5be916e47581c3f68dd259a89dbf19 (patch) | |
| tree | deb9a676eadbd44032d314b9cbf6a435950ca98d | |
| parent | 3e67a8f45bcfa906da53728f5f4d09c41fb476d2 (diff) | |
add "(if any)" regarding keying in the security notes
| -rw-r--r-- | c/README.md | 11 | ||||
| -rw-r--r-- | src/lib.rs | 8 |
2 files changed, 10 insertions, 9 deletions
diff --git a/c/README.md b/c/README.md index 06e7a00..6807bee 100644 --- a/c/README.md +++ b/c/README.md @@ -197,12 +197,13 @@ bits of collision resistance, for any N up to 256. Longer outputs don't provide security. Avoid relying on the secrecy of the output offset, that is, the number of output bytes read or -the `seek` argument of `blake3_hasher_finalize_seek`. [_Block-Cipher-Based Tree +the arguments to [`seek`](struct.OutputReader.html#method.seek) or +[`set_position`](struct.OutputReader.html#method.set_position). [_Block-Cipher-Based Tree Hashing_ by Aldo Gunsing](https://eprint.iacr.org/2022/283) shows that an attacker who knows -both the message and the key can easily determine the offset of an extended output. For -comparison, AES-CTR has a similar property: if you know the key, you can decrypt a block from -an unknown position in the output stream to recover its block index. Callers with strong secret -keys aren't affected in practice, but secret offsets are a [design +both the message and the key (if any) can easily determine the offset of an extended output. +For comparison, AES-CTR has a similar property: if you know the key, you can decrypt a block +from an unknown position in the output stream to recover its block index. Callers with strong +secret keys aren't affected in practice, but secret offsets are a [design smell](https://en.wikipedia.org/wiki/Design_smell) in any case. # Building 
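Review bot: the replacement text in this c/README.md hunk points the C readers at the Rust API. The removed line named the C call, `the `seek` argument of `blake3_hasher_finalize_seek``, and the added lines replace it with `[`seek`](struct.OutputReader.html#method.seek)` and `[`set_position`](struct.OutputReader.html#method.set_position)`, which are rustdoc anchors for the Rust `OutputReader` type and have no target in the C README, so the links will be dead and the sentence no longer describes the C interface. This looks like the src/lib.rs paragraph pasted over the C one; the commit message only promises the "(if any)" wording change. Keep the `blake3_hasher_finalize_seek` reference here and add "(if any)" on top of it.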
@@ -1355,10 +1355,10 @@ impl std::io::Write for Hasher { /// the arguments to [`seek`](struct.OutputReader.html#method.seek) or /// [`set_position`](struct.OutputReader.html#method.set_position). [_Block-Cipher-Based Tree /// Hashing_ by Aldo Gunsing](https://eprint.iacr.org/2022/283) shows that an attacker who knows -/// both the message and the key can easily determine the offset of an extended output. For -/// comparison, AES-CTR has a similar property: if you know the key, you can decrypt a block from -/// an unknown position in the output stream to recover its block index. Callers with strong secret -/// keys aren't affected in practice, but secret offsets are a [design +/// both the message and the key (if any) can easily determine the offset of an extended output. +/// For comparison, AES-CTR has a similar property: if you know the key, you can decrypt a block +/// from an unknown position in the output stream to recover its block index. Callers with strong +/// secret keys aren't affected in practice, but secret offsets are a [design /// smell](https://en.wikipedia.org/wiki/Design_smell) in any case. #[derive(Clone)] pub struct OutputReader { |
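Review bot: with "(if any)" added to "both the message and the key (if any)", the paragraph now covers unkeyed hashing, but the reassurance that follows, "Callers with strong secret keys aren't affected in practice", leaves the unkeyed case implicit. It would be clearer to state it directly: without a secret key, anyone who knows the message can recover the offset, so output position cannot carry any secrecy at all. The rest of the hunk only reflows the three following lines to fit the new word, with no wording change.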
