zig

fork of https://codeberg.org/ziglang/zig
Log | Files | Refs | README | LICENSE

commit 32aeb2c2ec09de78d9e2b9274015249b4994e160 (tree)
parent cec1e973b626ae6bd8ce1891537926e59c814463
Author: Frank Denis <124872+jedisct1@users.noreply.github.com>
Date:   Thu, 20 Jul 2023 01:59:24 +0200

Be more conservative in the description of Aegis256Mac (#16452)

It is assumed that generating a collision requires more than 2^156
ciphertext modifications. This is plenty enough for any practical
purposes, but it hasn't been proven to be >= 2^256.

Be consistent and conservative here; just claim the same security
as the other variants.
Diffstat:
Mlib/std/crypto/aegis.zig | 2+-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/std/crypto/aegis.zig b/lib/std/crypto/aegis.zig @@ -411,7 +411,7 @@ pub const Aegis128LMac = AegisMac(Aegis128L_256); /// concern, the AEGIS-128L variant should be preferred. /// AEGIS' large state, non-linearity and non-invertibility provides the /// following properties: -/// - 256 bit security against forgery. +/// - More than 128 bit security against forgery. /// - Recovering the secret key from the state would require ~2^256 attempts, /// which is infeasible for any practical adversary. /// - It has a large security margin against internal collisions.