\xcalways\section{Integrated public-key encryption schemes}\x
The formulation here is original work by the author. I've tried to
-generalize the work by (among others), Shoup, and Abdalla, Bellare and
-Rogaway. The final proof is from a Usenet article prompted by David
-Hopwood, but based on the DHAES proof by ABR.
+generalize the work by (among others), Shoup \cite{Shoup:2001:PIS}, and
+Abdalla, Bellare and Rogaway \cite{Abdalla:2001:DHIES}. The final proof is
+from a Usenet article prompted by David Hopwood, but based on the DHIES proof
+in \cite{Abdalla:2001:DHIES}.
\xcalways\subsection{Introduction and definitions}\x
\head{An obvious approach}
A simple approach would be to generate a random key for some secure (i.e.,
- IND-CCA) symmetric scheme, encrypt the message under that key, and, encrypt
- the key under the recipient's public key (using some IND-CCA2 public-key
- scheme).
+ IND-CCA2) symmetric scheme, encrypt the message under that key, and,
+ encrypt the key under the recipient's public key (using some IND-CCA2
+ public-key scheme).
This is obviously secure. But the security results for most public-key
schemes are less than encouraging: the reductions, even for OAEP+, are
\[ \Pr[S] =
\frac{\Adv{ohd}{\Xid{\mathcal{K}}{OWF}^{\mathcal{T}, H}}(A)}{2} +
\frac{1}{2}. \]%
- Let $F$ be the event that $A$ queries $H$ at $x^*$. Then by Shoup's Lemma
- (lemma~\ref{lem:shoup}, page~\pageref{lem:shoup}),
+ Let $F$ be the event that $A$ queries $H$ at $x^*$. Then by
+ Lemma~\ref{lem:shoup} (slide~\pageref{lem:shoup}),
\[ \left|\Pr[S] - \frac{1}{2}\right| \le \Pr[F]. \]
Now consider this adversary $I$, attempting to invert the one-way function.
\InSec{ind-cca2}(\Xid{G}{IES}^{\mathcal{K}, \mathcal{E}}; t, q_D) \\
& \le
2 \cdot \InSec{ohd}(\mathcal{K}; t + O(q_D), q_D) +
- \InSec{ftg-cca}(\mathcal{E}; t + O(q_D), 0, q_D).
+ \InSec{ftg-cca2}(\mathcal{E}; t + O(q_D), 0, q_D).
\end{eqnarray*}
Note how weak the security requirements on the encryption scheme are: no
chosen-plaintext queries are permitted!
simulation of $A$'s attack game, and hence wins with probability
\[ \frac{\Adv{ind-cca2}{\Xid{G}{IES}^{\mathcal{K}, \mathcal{E}}}}{2} +
\frac{1}{2}. \]%
- We construct a new adversary $C$, attacking $\mathcal{E}$ in the FTG-CCA
+ We construct a new adversary $C$, attacking $\mathcal{E}$ in the FTG-CCA2
sense, to help us bound $B$'s probability of success when $h$ is chosen
randomly.
\begin{program}