Does authenticating fake Carter Wegman protected OTP messages consume key material at the receiving node?

The Carter–Wegman system of authenticating multiple messages works as follows:

• Sender and receiver agree in advance on a key $(f, (b_1, \dotsc, b_n))$ to authenticate a sequence of $n$ messages.

  $f$ is a random choice of a function from messages to hash values in a universal hash family, and $b_1, \dotsc, b_n$ are uniform random hash values that serve as one-time pads. Hash values can be added and subtracted (e.g., mod $2^{128}$, or with xor).

• Messages are sent in order or otherwise identified with their message number. For example, the number $i$ may be affixed to the message $m_i$, or the messages may be placed in numbered mailboxes.

• When the sender wants to send the $i^{\mathit{th}}$ message $m_i$, they affix the authentication tag $t_i = f(m_i) + b_i$ and send $(m_i, t_i)$. They will reuse $f$, but never again reuse $b_i$.

• When receiver receives a pair $(m'_i, t'_i)$ alleged to be the $i^{\mathit{th}}$ authenticated message, they accept it as genuine only if $$t'_i = f(m'_i) + b_i,$$ after which they will never again reuse $b_i$.

  Otherwise, they reject it as a forgery. Next time the receiver receives pairs $(m''_i, t''_i), (m'''_i, t'''_i), \dotsc$, alleged to be the $i^{\mathit{th}}$ authenticated message, they recompute the same equation with the same $b_i$, and continue to reuse it until they accept a message.

  Of course, for two different message numbers $i \ne j$ (or two different message mailboxes), the receiver will use the appropriate independent $b_i$ and $b_j$ pads.

In other words, the sender discards the one-time pad material $b_i$ after sending each message. The receiver discards the one-time pad material $b_i$ only after accepting an alleged $i^{\mathit{th}}$ message as genuine, not after merely receiving an alleged message which may be a forgery.

Of course, if $(m'_i, t'_i) = (m_i, t_i)$, then the receiver will correctly accept the sender's message. But if $m'_i \ne m_i$ because $m'_i$ is a forgery attempt, the probability that the receiver accepts it is small, bounded by the largest value of $$\Pr[f(x) = h \mathrel\vert f(y) = k]$$ for all $x \ne y, h, k$ over random choices $f$ in a universal hash family—even if the forger knows all the legitimate authenticated messages $(m_1, t_1), \dotsc, (m_n, t_n)$, and even if the messages are all cleartext and chosen by the forger.

Actually it is bounded by $\Pr[f(x) - f(y) = h]$ for all $x, y, h$ over random choices of $f$, but Carter and Wegman didn't realize they could use this weaker property. In typical universal hash families like GHASH and Poly1305,* this probability is below $L/2^{100}$, where $L$ is the maximum length of a message (in some appropriate units) that the receiver will accept.

_{* Poly1305 was introduced in an instance of the Carter–Wegman authentication system called Poly1305-AES, but today it is very seldom used in the Carter–Wegman system—almost all use of it is in the ChaCha/Poly1305 authenticated cipher, which doesn't follow the Carter–Wegman system at all.}