From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00
	autolearn=unavailable autolearn_force=no version=3.4.4
X-Received: by 10.180.187.238 with SMTP id fv14mr2899158wic.0.1375680344880;
 Sun, 04 Aug 2013 22:25:44 -0700 (PDT)
Path: 
 border1.nntp.dca3.giganews.com!border2.nntp.dca3.giganews.com!border4.nntp.dca.giganews.com!border2.nntp.dca.giganews.com!nntp.giganews.com!g3no9099786wic.0!news-out.google.com!ed8ni11014wic.0!nntp.google.com!feeder1.cambriumusenet.nl!feed.tweaknews.nl!195.62.100.243.MISMATCH!newsfeed0.kamp.net!newsfeed.kamp.net!eternal-september.org!feeder.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Paul Rubin <no.email@nospam.invalid>
Newsgroups: comp.lang.ada
Subject: Re: The future of Spark . Spark 2014 : a wreckage
Date: Sun, 04 Aug 2013 22:43:36 -0700
Organization: Nightsong/Fort GNOX
Message-ID: <7xtxj41ylz.fsf@ruckus.brouhaha.com>
References: <d84b2eb2-eab3-4dec-917c-0498473c1e93@googlegroups.com>
 <krfb56$332$1@loke.gir.dk>
 <alpine.DEB.2.10.1307090935310.23845@debian>
 <krhss4$6dr$1@loke.gir.dk>
 <alpine.DEB.2.10.1307100904530.27942@debian>
 <krkpkq$ff9$1@loke.gir.dk> <alpine.DEB.2.10.1307112112110.8707@debian>
 <krni5s$uum$1@loke.gir.dk>
 <alpine.DEB.2.10.1307120950410.10151@debian>
Mime-Version: 1.0
Injection-Info: mx05.eternal-september.org;
 posting-host="d94d289a4df6ae47ea4d4f8b2ae808e7";
 logging-data="6944"; mail-complaints-to="abuse@eternal-september.org";
 posting-account="U2FsdGVkX19znIG2Bbt2uxY3Fzmyvlqn"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux)
Cancel-Lock: sha1:iv2iifb+MZ2BQk+uYBql0eZD5NM=
 sha1:7HSZ/A1XENoVajfKhILpeyKMLIY=
Content-Type: text/plain; charset=us-ascii
X-Original-Bytes: 2121
Xref: number.nntp.dca.giganews.com comp.lang.ada:182835
Date: 2013-08-04T22:43:36-07:00
List-Id: <comp.lang.ada>

Stefan.Lucks@uni-weimar.de writes:
> the implementation an authenticated encryption scheme.... The
> output of the authenticated encryption is the ciphertext (X xor Y),
> followed by a cryptographic checksum(*) of X under the key K. ...
> The flow annotations specified the flow from X
> and K to Z. And that actually caught my error of using (X xor Y)
> instead of X in the implementation.

Surely you wanted to authenticate the ciphertext and not the plaintext?
Authenticating the plaintext can leak information about it.