The padding fix by Albertini et al. for AEAD key commitment (pp. 3292 and 3301-3302) involves prepending a block or two of zeros to the plaintext before encrypting. After decryption, these bytes are checked to be zero to verify that the same key was used for decryption.
The Counter-then-Xor (CX) construction by Bellare and Hoang (pp. 25-26) involves encrypting a nonce padded with zeros concatenated with a counter using a block cipher like AES. The first 128 (or 256) bits are used as a commitment, and the latter 128 or 256 bits are used as a subkey. However, Davies-Meyer is used on the first block for the commitment.
Both approaches seem to assume an ideal cipher, and it's generally not recommended to use AES with Davies-Meyer due to the short block size.
Therefore, why is Davies-Meyer being used instead of merely encrypting and using the output as a commitment like the padding fix? What benefit does Davies-Meyer provide here?
Is it to do with whether it's possible to find two keys $k1,k2$ such that $AESk1(0) = AESk2(0)$ in less than ≈ $2^{64}$ trials? A problem for which there are apparently no specific results according to Albertini et al.
