First, the flaw in Keyczar didn't affect CCM (or CBC-MAC) or EAX (or OMAC).
Of course not -- keyczar doesn't implement CCM or EAX. But the fact that CCM and EAX are obscure shouldn't count as a point in their favour.
There's an obvious difference between the two sets: one consists of real attacks, the other of speculative attacks.
The Bernstein and Osvik-Shamir-Tromer attacks were not at all speculative. They showed the concrete theft of a key.
If your point is valid, it shouldn't be hard for you to name one system in which CCM or EAX were "broken" --- and I'll give you any definition of broken you choose --- because of these papers.
I don't know of any systems which use CCM or EAX in software on general-purpose hardware -- but if you name me a system which uses OpenSSL's AES code circa early 2005 in EAX mode, I'll name you a system which was vulnerable to a timing side channel.
Tally ho, Colin! Looking forward to what you find; I'm sure I'll learn something. If Bernstein's attack was really that relevant to real-world cryptosystems, I'm sure you'll come back with something fun.