[Resource Topic] 2018/500: Encrypt or Decrypt? To Make a Single-Key Beyond Birthday Secure Nonce-Based MAC

Welcome to the resource topic for 2018/500

Title:
Encrypt or Decrypt? To Make a Single-Key Beyond Birthday Secure Nonce-Based MAC

Authors: Nilanjan Datta, Avijit Dutta, Mridul Nandi, Kan Yasuda

Abstract:

In CRYPTO 2016, Cogliati and Seurin have proposed a highly secure nonce-based MAC called Encrypted Wegman-Carter with Davies-Meyer (\textsf{EWCDM}) construction, as \textsf{E}_{K_2}\bigl(\textsf{E}_{K_1}(N)\oplus N\oplus \textsf{H}_{K_h}(M)\bigr) for a nonce N and a message M. This construction achieves roughly 2^{2n/3} bit MAC security with the assumption that \textsf{E} is a PRP secure n-bit block cipher and \textsf{H} is an almost xor universal n-bit hash function. In this paper we propose Decrypted Wegman-Carter with Davies-Meyer (\textsf{DWCDM}) construction, which is structurally very similar to its predecessor \textsf{EWCDM} except that the outer encryption call is replaced by decryption. The biggest advantage of \textsf{DWCDM} is that we can make a truly single key MAC: the two block cipher calls can use the same block cipher key K=K_1=K_2. Moreover, we can derive the hash key as K_h=\textsf{E}_K(1), as long as |K_h|=n. Whether we use encryption or decryption in the outer layer makes a huge difference; using the decryption instead enables us to apply an extended version of the mirror theory by Patarin to the security analysis of the construction. \textsf{DWCDM} is secure beyond the birthday bound, roughly up to 2^{2n/3} MAC queries and 2^n verification queries against nonce-respecting adversaries. \textsf{DWCDM} remains secure up to 2^{n/2} MAC queries and 2^n verification queries against nonce-misusing adversaries.

ePrint: https://eprint.iacr.org/2018/500

Talk: https://www.youtube.com/watch?v=SUK984ESaK4

Slides: https://crypto.iacr.org/2018/slides/Encrypt%20or%20Decrypt%20To%20Make%20a%20Single-Key%20Beyond%20Birthday%20Secure%20Nonce-Based%20MAC.pdf

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .