Encrypt or decrypt? to make a single-key beyond birthday secure nonce-based MAC

Abstract

At CRYPTO 2016, Cogliati and Seurin have proposed a highly secure nonce-based MAC called Encrypted Wegman-Carter with Davies-Meyer (EWCDM) construction, as EK2(formula presented) for a nonce N and a message M. This construction achieves roughly 22n/3 bit MAC security with the assumption that E is a PRP secure n-bit block cipher and H is an almost xor universal n-bit hash function. In this paper we propose Decrypted Wegman-Carter with Davies-Meyer (DWCDM) construction, which is structurally very similar to its predecessor EWCDM except that the outer encryption call is replaced by decryption. The biggest advantage of DWCDM is that we can make a truly single key MAC: the two block cipher calls can use the same block cipher key K= K1= K2. Moreover, we can derive the hash key as Kh= EK(1), as long as | Kh| = n. Whether we use encryption or decryption in the outer layer makes a huge difference; using the decryption instead enables us to apply an extended version of the mirror theory by Patarin to the security analysis of the construction. DWCDM is secure beyond the birthday bound, roughly up to 22n/3 MAC queries and 2n verification queries against nonce-respecting adversaries. DWCDM remains secure up to 22n/2 MAC queries and 2n verification queries against nonce-misusing adversaries.