Add issue #439 warning

dedis · Aug 6, 2024 · 857eaa0 · 857eaa0
1 parent 833137e
commit 857eaa0
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/pairing/bn256/README.md b/pairing/bn256/README.md
@@ -13,13 +13,18 @@ Barreto-Naehrig curve as described in
 http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with
 the implementation described in that paper.
 
-### Warning
+### Security Warnings
+---
 This package previously claimed to operate at a 128-bit security level. However,
 recent improvements in attacks mean that is no longer true. See
 https://moderncrypto.org/mail-archive/curves/2016/000740.html. 
 We strongly recommend using the `BLS12-381` curve that still provide ~128-bit security and is not vulnerable to these improved attacks.
 
+#### Modulo bias in Hash()
+A modulo bias was found in [hashToPoint()](https://github.com/dedis/kyber/blob/9ac80102d756a21f318685e230e33791c44b5e2e/pairing/bn256/point.go#L239), for reason of backward compatibility we did not fix it. This problem was raised in issue [#439](https://github.com/dedis/kyber/issues/439).
+
 ### Benchmarks
+---
 
 branch `master`:
 ```