Encrypt or Decrypt? To Make a Single-Key Beyond Birthday Secure Nonce-Based MAC

Cited by: 28
Authors
Datta, Nilanjan [1 ]
Dutta, Avijit [2 ]
Nandi, Mridul [2 ]
Yasuda, Kan [3 ]
Affiliations
[1] Indian Inst Technol, Kharagpur, W Bengal, India
[2] Indian Stat Inst, Kolkata, India
[3] NTT Corp, NTT Secure Platform Labs, Tokyo, Japan
Keywords
EDM; EWCDM; Mirror theory; Extended mirror theory; H-Coefficient;
DOI
10.1007/978-3-319-96884-1_21
Chinese Library Classification number
TP31 [Computer software];
Discipline classification code
081202 ; 0835 ;
Abstract
At CRYPTO 2016, Cogliati and Seurin have proposed a highly secure nonce-based MAC called Encrypted Wegman-Carter with Davies-Meyer (EWCDM) construction, as $E_{K_2}(E_{K_1}(N) \oplus N \oplus H_{K_h}(M))$ for a nonce $N$ and a message $M$. This construction achieves roughly $2^{2n/3}$ bit MAC security with the assumption that $E$ is a PRP secure $n$-bit block cipher and $H$ is an almost xor universal $n$-bit hash function. In this paper we propose Decrypted Wegman-Carter with Davies-Meyer (DWCDM) construction, which is structurally very similar to its predecessor EWCDM except that the outer encryption call is replaced by decryption. The biggest advantage of DWCDM is that we can make a truly single key MAC: the two block cipher calls can use the same block cipher key $K = K_1 = K_2$. Moreover, we can derive the hash key as $K_h = E_K(1)$, as long as $|K_h| = n$. Whether we use encryption or decryption in the outer layer makes a huge difference; using the decryption instead enables us to apply an extended version of the mirror theory by Patarin to the security analysis of the construction. DWCDM is secure beyond the birthday bound, roughly up to $2^{2n/3}$ MAC queries and $2^n$ verification queries against nonce-respecting adversaries. DWCDM remains secure up to $2^{n/2}$ MAC queries and $2^n$ verification queries against nonce-misusing adversaries.
Pages: 631 - 661
Number of pages: 31
Related papers
3 in total
  • [1] Beyond Birthday Bound Secure MAC in Faulty Nonce Model
    Dutta, Avijit
    Nandi, Mridul
    Talnikar, Suprita
    ADVANCES IN CRYPTOLOGY - EUROCRYPT 2019, PT I, 2019, 11476 : 437 - 466
  • [2] EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC
    Cogliati, Benoit
    Seurin, Yannick
    ADVANCES IN CRYPTOLOGY - CRYPTO 2016, PT I, 2016, 9814 : 121 - 149
  • [3] One-Key Compression Function Based MAC with Security Beyond Birthday Bound
    Dutta, Avijit
    Nandi, Mridul
    Paul, Goutam
    INFORMATION SECURITY AND PRIVACY, PT I, 2016, 9722 : 343 - 358