Birthday Attack on Dual EWCDM

M. Nandi
Abstract: In CRYPTO 2017, Mennink and Neves showed almost n-bit security for a dual version of EWCDM. In this paper we describe a birthday attack on this construction which violates their claim.