MAC computation inefficiency
Created by: sebastianv89
The message authentication is currently defined as:
Authenticator = KDF_1(usageAuthenticator || MKmac || KDF_1(usageDataMessageSections || data_message_sections, 64), 64)
This requires two calls to the KDF function, whereas one would be sufficient when using SHAKE256. See for example KMAC for a standardized solution using only one call.
(As an aside: defining the MAC function in terms of the KDF seems unusual).