-rw-r--r-- | src/lib.rs | 38 |
1 files changed, 16 insertions, 22 deletions
@@ -469,7 +469,6 @@ fn encipher_aez_core(aez: &Aez, tweaks: Tweak, message: &mut [u8]) {
     let mut y = Block::null();
     let mut e2_eval = E::new(2, 0, aez);
     let mut e1_eval = E::new(1, 0, aez);
-    let e0_eval = E::new(0, 0, aez);
     for (raw_wi, raw_xi) in blocks.pairs_mut() {
         e2_eval.advance();
         e1_eval.advance();
@@ -677,35 +676,26 @@ fn aez_hash(aez: &Aez, tweaks: Tweak) -> Block {
     for (i, tweak) in tweaks.iter().enumerate() {
         // Adjust for zero-based vs one-based indexing
         let j = i + 2 + 1;
+        let mut ej = E::new(j.try_into().unwrap(), 0, aez);
         // This is somewhat implicit in the AEZ spec, but basically for an empty string we still
         // set l = 1 and then xor E_K^{j, 0}(10*). We could modify the last if branch to cover this
         // as well, but then we need to fiddle with getting an empty chunk from an empty iterator.
         if tweak.is_empty() {
-            hash = hash ^ e(j.try_into().unwrap(), 0, aez, Block::one());
+            hash = hash ^ ej.eval(Block::one());
         } else if tweak.len() % 16 == 0 {
-            for (l, chunk) in tweak.chunks(16).enumerate() {
-                hash = hash
-                    ^ e(
-                        j.try_into().unwrap(),
-                        (l + 1).try_into().unwrap(),
-                        aez,
-                        Block::from_slice(chunk),
-                    );
+            for chunk in tweak.chunks(16) {
+                ej.advance();
+                hash = hash ^ ej.eval(Block::from_slice(chunk));
             }
         } else {
             let blocks = pad_to_blocks(tweak);
             for (l, chunk) in blocks.iter().enumerate() {
-                hash = hash
-                    ^ e(
-                        j.try_into().unwrap(),
-                        if l == blocks.len() - 1 {
-                            0
-                        } else {
-                            (l + 1).try_into().unwrap()
-                        },
-                        aez,
-                        *chunk,
-                    );
+                ej.advance();
+                if l == blocks.len() - 1 {
+                    hash = hash ^ e(j.try_into().unwrap(), 0, aez, *chunk);
+                } else {
+                    hash = hash ^ ej.eval(*chunk);
+                }
             }
         }
     }
@@ -773,7 +763,11 @@ impl<'a> E<'a> {
 /// Shorthand to get E_K^{j,i}(block)
 fn e(j: i32, i: u32, aez: &Aez, block: Block) -> Block {
     if j == -1 {
-        let delta = aez.key_l * i;
+        let delta = if i < 8 {
+            aez.key_l_multiples[i as usize]
+        } else {
+            aez.key_l * i
+        };
         aez.aes.aes10(block ^ delta)
     } else {
         E::new(j, i, aez).eval(block)
|
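Review bot: In the final `else` branch of `aez_hash`, `ej.advance()` runs unconditionally, but on the last (padded) block its result is discarded in favour of `e(j.try_into().unwrap(), 0, aez, *chunk)`, so the rewrite's correctness now rests on `E::advance` stepping the `i` index by exactly one from the `E::new(j, 0, aez)` base — an invariant this hunk never states. Move the advance into the non-final arm, `} else { ej.advance(); hash = hash ^ ej.eval(*chunk); }`, which keeps the index sequence identical to the removed `(l + 1)` form while dropping the wasted step. Record the invariant above the new `let mut ej`: `// ej tracks E_K^{j, l+1}: each advance() steps i by one from the i = 0 base (replaces e(j, l + 1, ..)).` If `advance` does more than increment `i` (the `E` impl is not in this hunk), the comment should say that instead. The enclosing `aez_hash` body starts before and ends after this hunk.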
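Review bot: The `i < 8` guard added in `e` hard-codes the length of `aez.key_l_multiples`, which this hunk does not show; if that table is ever resized the guard silently drifts, either losing the fast path or indexing out of bounds. Let the table supply its own bound: `let delta = aez.key_l_multiples.get(i as usize).copied().unwrap_or_else(|| aez.key_l * i);` (`Block` appears to be `Copy`, given `*chunk` in `aez_hash`), and document the split with `// Small i hit the precomputed multiples of key_l; larger i take the general multiply.` Since `i` is a block position rather than key material, the table index is not secret-dependent as far as this hunk shows, so the lookup does not add a key-dependent memory access. The remainder of `e` lies outside the hunk.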