DWCDM+: A BBB secure nonce based MAC.

ADVANCES IN MATHEMATICS OF COMMUNICATIONS (2019)

Abstract
At CRYPTO 2016, Cogliati and Seurin proposed a nonce-based MAC called Encrypted Wegman-Carter with Davies-Meyer (EWCDM), built from an n-bit block cipher E and an n-bit almost xor universal hash function H as $E_{K_2}(E_{K_1}(N) \oplus N \oplus H_{K_h}(M))$ for a nonce N and a message M, which provides roughly 2n/3-bit MAC security. However, obtaining similar security using a single block cipher key was posed as an open research problem. In this paper, we present the Decrypted Wegman-Carter with Davies-Meyer (DWCDM+) construction, based on a single block cipher key, which provides 2n/3-bit MAC security from an n-bit block cipher E and an n-bit k-regular (for all $k \le n$), almost xor universal hash function H as $E_K^{-1}(E_K(N) \oplus N \oplus H_{K_h}(M))$. DWCDM+ is structurally very similar to its predecessor EWCDM, except that (i) the number of block cipher keys is reduced from 2 to 1 and (ii) the outer encryption call is replaced by a decryption call. To make the construction truly single-keyed, we derive the hash key $K_h$ as the block cipher output of the fixed string $0^{n-2} \| 10$, provided the hash key is n bits long. We show that if the nonce space is restricted to (n - 1) bits, DWCDM+ is secure roughly up to $2^{2n/3}$ MAC queries ($2^{n/2}$ MAC queries) and $2^n$ verification queries against nonce-respecting (resp. nonce-misusing) adversaries.
Keywords
EWCDM,DWCDM,mirror theory,extended mirror theory,H-coefficient