From e7adebcc7ee4dd67cc5d1d624ea47d203a5a33d7 Mon Sep 17 00:00:00 2001 From: Paragon Initiative Enterprises Date: Thu, 3 Dec 2020 10:54:29 -0500 Subject: [PATCH] Add note about message commitment --- doc/Primitives.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/Primitives.md b/doc/Primitives.md index b7d04d7..5873dbd 100644 --- a/doc/Primitives.md +++ b/doc/Primitives.md @@ -9,3 +9,6 @@ * Password-Based Key Derivation: [**Argon2**](https://paragonie.com/book/pecl-libsodium/read/07-password-hashing.md#crypto-pwhash-str) In all cases, we follow an Encrypt then MAC construction, thus avoiding the [cryptographic doom principle](https://moxie.org/2011/12/13/the-cryptographic-doom-principle.html). + +As a consequence of our use of a keyed BLAKE2b hash as a MAC, instead of GCM/Poly1305, +Halite ciphertexts are [**message committing**](https://eprint.iacr.org/2020/1456) which makes ciphertexts random key robust.
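Review bot: The new sentence at the end of the hunk ("... which makes ciphertexts random key robust") runs the security claim and its consequence together without a comma and leaves the reader to infer why a keyed BLAKE2b MAC commits to the message while GCM/Poly1305 tags do not; suggest splitting the clause and naming the property, e.g. "Halite ciphertexts are [**message committing**](https://eprint.iacr.org/2020/1456): because the tag is a collision-resistant hash keyed on the authentication key rather than a polynomial MAC, a single ciphertext cannot be made to decrypt validly under two different keys (random-key robustness)." Also hyphenate "random-key robust" for consistency with how the cited paper's terminology is usually written.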