This implementation is vulnerable to the 2008 attack which can potentially discover up to 32 bits of plaintext.
