\head{An obvious approach}
A simple approach would be to generate a random key for some secure (i.e.,
- IND-CCA) symmetric scheme, encrypt the message under that key, and, encrypt
- the key under the recipient's public key (using some IND-CCA2 public-key
- scheme).
+ IND-CCA2) symmetric scheme, encrypt the message under that key, and,
+ encrypt the key under the recipient's public key (using some IND-CCA2
+ public-key scheme).
This is obviously secure. But the security results for most public-key
schemes are less than encouraging: the reductions, even for OAEP+, are
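Review bot: the stray comma in "and, encrypt the key" (old line 3, kept in new line 6) reads as a typo and should be "and encrypt the key under the recipient's public key"; while touching this sentence, "secure (i.e., IND-CCA2) symmetric scheme" would read more precisely as "secure (i.e., IND-CCA2-secure) symmetric scheme", matching how the public-key scheme is qualified two lines later. The CCA to CCA2 rename itself is consistent with the IND-CCA2 requirement already stated for the public-key scheme, so the two halves of the hybrid construction now name the same notion.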
\InSec{ind-cca2}(\Xid{G}{IES}^{\mathcal{K}, \mathcal{E}}; t, q_D) \\
& \le
2 \cdot \InSec{ohd}(\mathcal{K}; t + O(q_D), q_D) +
- \InSec{ftg-cca}(\mathcal{E}; t + O(q_D), 0, q_D).
+ \InSec{ftg-cca2}(\mathcal{E}; t + O(q_D), 0, q_D).
\end{eqnarray*}
Note how weak the security requirements on the encryption scheme are: no
chosen-plaintext queries are permitted!
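Review bot: renaming the term to \InSec{ftg-cca2}(\mathcal{E}; t + O(q_D), 0, q_D) only helps if the notion is also renamed where it is defined, otherwise the ftg-cca2 label here and the FTG-CCA2 adversary below refer to a notion the document never introduces; please confirm the definition (not in this hunk) carries the same name. The argument list is unchanged and still reads (time, 0 encryption queries, q_D decryption queries), which is exactly what the remark "no chosen-plaintext queries are permitted" relies on, so the rename does not weaken or strengthen the bound.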
simulation of $A$'s attack game, and hence wins with probability
\[ \frac{\Adv{ind-cca2}{\Xid{G}{IES}^{\mathcal{K}, \mathcal{E}}}}{2} +
\frac{1}{2}. \]%
- We construct a new adversary $C$, attacking $\mathcal{E}$ in the FTG-CCA
+ We construct a new adversary $C$, attacking $\mathcal{E}$ in the FTG-CCA2
sense, to help us bound $B$'s probability of success when $h$ is chosen
randomly.
\begin{program}
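Review bot: the CCA2 label on adversary C is the right one given the surrounding text, but the reason should be visible in the construction: A is an IND-CCA2 adversary (the advantage term two lines above), so B's simulation of A must answer decryption queries after the challenge is issued, and C can only do that by forwarding them to its own adaptive (post-challenge) decryption oracle, which FTG-CCA gives it only if "CCA" already meant the adaptive variant. Suggest the program block that follows states explicitly that C forwards B's post-challenge decryption queries to its own oracle and makes no encryption queries, so the 0 in the bound is justified by the code rather than by the label.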