1. Is the randomized mode IND-CPA secure? This definition boils down to "The enc

1. 1. Is the randomized mode IND-CPA secure? This definition boils down to "The encryption doesn't leak any information about the plaintext, except about its length to attackers with limited computational power." It's the standard security property every randomized symmetric encryption should aim for.
2. 2. Why is deterministic encryption the default? Normally we prefer randomized encryption since it offers stronger security guarantees (doesn't leak if messages are identical) and only requires a single pass over the message. Deterministic encryption is only used in rare niche applications where randomization cannot be used.
3. 3. What security claims do you make about the deterministic mode? Does it leak any information except messages being identical? Or does it leak if messages share a common prefix? Or even more than that?
4. 4. How does key-length relate to security? Does a 128-bit key offer 128 bits of security?
5. 5. Does the scheme include any integrity checks? i.e. is it an authenticated encryption algorithm? If not, why not? Many of the famous cryptographic weaknesses of the last few years were due to missing or weak integrity checks.
6. 6. What do you mean by fastmode being "little less secure"? Does that mean you don't claim fastmode is secure?
7.  
8. Why do you need a fast mode in the first place? Standard crypto can easily encrypt hundreds of MB per second (highly optimized implementations of AES can even reach more than 3 GB/s on a single Intel core) without compromising security.