] NIST is trying to update the venerable set
] (CBC/OFB/CFB/counter) of encryption modes. Some of the new
] ones provide "authenticated encryption," i.e. the equivalent
] of encryption and MACing with one key and significantly less
] cost than encrypt-then-MAC.
] In light of Vaudenay's CBC padding attack, authenticated
] encryption seems prudent.
Has there been any survey of the field here? Are these all acceptable from a security standpoint? Are they all useful in particular circumstances? Is there anyone who has written a paper which sorts them out and explains whats good for what?