Attacking NIST SP 800-108 (Loss of Key Control Security)
scottarc.blog

I don't know this author, nor do I have much stake in this article, but I don't like this recent wave of blog posts that are riddled with low-effort memes. It's very distracting.
Another good post. I thought that reduction-based security proofs were supposed to save us from this kind of thing. What happened? I also got the impression, back when I was into this stuff, that these proofs are quite hard to formalize. I never understood why. Otherwise, maybe model checking could find such attacks.
This appears to me similar to the attack against weak Fiat-Shamir presented at RWC this year.