Regarding the attack:
I think the attack would not work, since the hash part of the key would be different with an out value other than 0.
Nevertheless, the point is fair; separators would be appropriate here to cast any doubt.
I suggest raising these issues at the GitHub link below, so I can refer to them in code/version as resolved.
I would have proposed standard Java object-oriented notation. Create a value object (all final values) of the key, provide efficient equals/hashCode implementations, and build a Cache from that. That way the impl. is both correct and the fastest possible.
An object key would not work, since the byte arrays are instantiated from the script; their content matches, not their identity.
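As an added illustration of the two points discussed in this thread (not code from any of the posts or from the project), the Java sketch below compares a cache key built by plain concatenation without separators against a value-object key whose byte arrays are compared by content. The class name, the field names (`script`, `hash`, `value`) and the sample bytes are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class CacheKeyDemo {
    // Hypothetical value-object key: all fields final, byte arrays compared by content.
    static final class Key {
        private final byte[] script;  // assumed field name
        private final byte[] hash;    // assumed field name
        private final long value;     // assumed field name
        private final int hashCode;   // computed once; the fields never change

        Key(byte[] script, byte[] hash, long value) {
            this.script = script.clone();  // defensive copies keep the key immutable
            this.hash = hash.clone();
            this.value = value;
            this.hashCode = 31 * (31 * Arrays.hashCode(this.script)
                    + Arrays.hashCode(this.hash)) + Long.hashCode(value);
        }

        @Override public boolean equals(Object o) {
            if (this == o) return true;
            if (!(o instanceof Key)) return false;
            Key k = (Key) o;
            return value == k.value
                    && Arrays.equals(script, k.script)
                    && Arrays.equals(hash, k.hash);
        }

        @Override public int hashCode() { return hashCode; }
    }

    // Key built by plain concatenation: no separators, no length prefixes.
    static String concatKey(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return Arrays.toString(out);
    }

    public static void main(String[] args) {
        // Constructed sample bytes: same total content, different field boundaries.
        boolean ambiguous = concatKey(new byte[]{1, 2}, new byte[]{3})
                .equals(concatKey(new byte[]{1}, new byte[]{2, 3}));
        System.out.println("concatenated keys collide: " + ambiguous);

        Map<Key, Boolean> cache = new HashMap<>();
        cache.put(new Key(new byte[]{1, 2}, new byte[]{3}, 0L), true);
        // Lookup with freshly allocated arrays holding the same content.
        System.out.println("same content found: "
                + cache.containsKey(new Key(new byte[]{1, 2}, new byte[]{3}, 0L)));
        // Lookup with the same bytes split at a different field boundary.
        System.out.println("shifted boundary found: "
                + cache.containsKey(new Key(new byte[]{1}, new byte[]{2, 3}, 0L)));
    }
}
```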