hutorny
commented
4 years ago Yes, you right. Chaskey is a MAC algorithm and using its block cipher for other encryption modes is a trade-off for the applications that cannot afford standard encryption algorithms
While Chaskey is it self constructed as CMAC/OMAC with EvanMansour block cipher, afaik it was never claimed its building block (EM block cipher) is safe to be used as standalone building block for encryption. More over, cryptoanalyzes have sentences about "attaker has no way for chosen ciphertext attack".
May be I'm missing something? Can you point on investigations?