I think the separate integrity tag is more general, flexible and more secure
where the flexibility is needed. Tahoe has more complex requirements and
hence needds to make use of a separate integrity tag.
I guess in general it is going to be more general, flexible if there are
separate keys (including none with keyless self-authenticated URLs) for
different properties.
Hence there remains a need for separate integrity and encryption even with
authenticated encryption modes.
And typically AE modes have a cost - several of the standardized encryption
modes are actually just standardizing ways to combine separate integrity &
encryption primitives. The others are mostly patented. They tend to be
more fragile through binary reliance on strictly one use nonces, XOR via
counter mode and such modes which are I think in implementation terms
unforgiving or fragile.
Exercise for the reader to list the non-patented, non-trivial (combining an
integrity & encryption primitive) modes :)
Adam
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography