Encrypt or Decrypt? To Make a Single-Key Beyond Birthday Secure Nonce-Based MAC

“…Published and new contents. In [8], Datta et al proposed DWCDM and showed that if the nonce space is restricted to 2n/3 bits, DWCDM is secured roughly up to 2 2n/3 MAC queries and 2 n verification queries against nonce respecting adversaries. Here we extend this result and prove that the result holds even if we restrict the nonce space to (n − 1)-bits.…”

“…The basic structure remains same. We begin with the Extended Mirror Theory as was used in [8]. However, the result proven in [8] is valid when the block maximality (as defined in [16]) or equivalently component size is restricted to 2.…”

“…We begin with the Extended Mirror Theory as was used in [8]. However, the result proven in [8] is valid when the block maximality (as defined in [16]) or equivalently component size is restricted to 2. Here, restricting the nonce space to (n − 1)-bits demands extending the analysis with component size restricted to n (the size of the underlying block cipher).…”

“…In section 4, we present our proposed construction DWCDM+ which is structurally identical to 1K-DWCDM, mentioned in [8], but extends the domain of the nonce to allow nonces up to (n − 1) bits. We used a different name here to explicitly indicate the domain extension of the nonce space.…”

“…We begin with presenting an attack in the case when the nonce space is n, depicting that having n − 1 bit nonce space is optimal. This attack was also presented in [8]. Next, we state the nonce respecting and nonce misuse security of DWCDM+ and an instantiation of DWCDM+ with Polyhash function, which we refer as nPolyMAC+.…”

<inline-formula><tex-math id="M1">\begin{document}$\textsf{DWCDM+}$\end{document}</tex-math></inline-formula>: A BBB secure nonce based MAC

“…Published and new contents. In [8], Datta et al proposed DWCDM and showed that if the nonce space is restricted to 2n/3 bits, DWCDM is secured roughly up to 2 2n/3 MAC queries and 2 n verification queries against nonce respecting adversaries. Here we extend this result and prove that the result holds even if we restrict the nonce space to (n − 1)-bits.…”

“…The basic structure remains same. We begin with the Extended Mirror Theory as was used in [8]. However, the result proven in [8] is valid when the block maximality (as defined in [16]) or equivalently component size is restricted to 2.…”

“…We begin with the Extended Mirror Theory as was used in [8]. However, the result proven in [8] is valid when the block maximality (as defined in [16]) or equivalently component size is restricted to 2. Here, restricting the nonce space to (n − 1)-bits demands extending the analysis with component size restricted to n (the size of the underlying block cipher).…”

“…In section 4, we present our proposed construction DWCDM+ which is structurally identical to 1K-DWCDM, mentioned in [8], but extends the domain of the nonce to allow nonces up to (n − 1) bits. We used a different name here to explicitly indicate the domain extension of the nonce space.…”

“…We begin with presenting an attack in the case when the nonce space is n, depicting that having n − 1 bit nonce space is optimal. This attack was also presented in [8]. Next, we state the nonce respecting and nonce misuse security of DWCDM+ and an instantiation of DWCDM+ with Polyhash function, which we refer as nPolyMAC+.…”

<inline-formula><tex-math id="M1">\begin{document}$\textsf{DWCDM+}$\end{document}</tex-math></inline-formula>: A BBB secure nonce based MAC

Tweakable HCTR: A BBB Secure Tweakable Enciphering Scheme

Beyond Birthday Bound Secure MAC in Faulty Nonce Model