The Most Complicated Attack on a Paper

The NACL-A-E scheme uses a key derivation step and then they use the same nonce, I think, across the two different. So you think you've got a nonce, re-use vulnerability, but you haven't, actually, because the two heasier are different. And there it would be much nicer, I guess, if the metadata could just have been incorporated as associated data and you had an AAD kind of interface, but that's not what NACL provides. so indeed, I think they were a bit hamstrung by her.