X-Git-Url: https://git.distorted.org.uk/~mdw/doc/ips/blobdiff_plain/41761fdc7bb8f1ed87f5e1116d389158513ee280..b912aadfc4eb26f1c4cf3332eb510b41a4d9a036:/enc-ies.tex diff --git a/enc-ies.tex b/enc-ies.tex index cd0f5c6..3f53936 100644 --- a/enc-ies.tex +++ b/enc-ies.tex @@ -1,9 +1,10 @@ \xcalways\section{Integrated public-key encryption schemes}\x The formulation here is original work by the author. I've tried to -generalize the work by (among others), Shoup, and Abdalla, Bellare and -Rogaway. The final proof is from a Usenet article prompted by David -Hopwood, but based on the DHAES proof by ABR. +generalize the work by (among others), Shoup \cite{Shoup:2001:PIS}, and +Abdalla, Bellare and Rogaway \cite{Abdalla:2001:DHIES}. The final proof is +from a Usenet article prompted by David Hopwood, but based on the DHIES proof +in \cite{Abdalla:2001:DHIES}. \xcalways\subsection{Introduction and definitions}\x @@ -28,9 +29,9 @@ Hopwood, but based on the DHAES proof by ABR. \head{An obvious approach} A simple approach would be to generate a random key for some secure (i.e., - IND-CCA) symmetric scheme, encrypt the message under that key, and, encrypt - the key under the recipient's public key (using some IND-CCA2 public-key - scheme). + IND-CCA2) symmetric scheme, encrypt the message under that key, and, + encrypt the key under the recipient's public key (using some IND-CCA2 + public-key scheme). This is obviously secure. But the security results for most public-key schemes are less than encouraging: the reductions, even for OAEP+, are 
@@ -133,8 +134,8 @@ Hopwood, but based on the DHAES proof by ABR. \[ \Pr[S] = \frac{\Adv{ohd}{\Xid{\mathcal{K}}{OWF}^{\mathcal{T}, H}}(A)}{2} + \frac{1}{2}. \]% - Let $F$ be the event that $A$ queries $H$ at $x^*$. Then by Shoup's Lemma - (lemma~\ref{lem:shoup}, page~\pageref{lem:shoup}), + Let $F$ be the event that $A$ queries $H$ at $x^*$. Then by + Lemma~\ref{lem:shoup} (slide~\pageref{lem:shoup}), \[ \left|\Pr[S] - \frac{1}{2}\right| \le \Pr[F]. \] Now consider this adversary $I$, attempting to invert the one-way function. @@ -321,7 +322,7 @@ Hopwood, but based on the DHAES proof by ABR. \InSec{ind-cca2}(\Xid{G}{IES}^{\mathcal{K}, \mathcal{E}}; t, q_D) \\ & \le 2 \cdot \InSec{ohd}(\mathcal{K}; t + O(q_D), q_D) + - \InSec{ftg-cca}(\mathcal{E}; t + O(q_D), 0, q_D). + \InSec{ftg-cca2}(\mathcal{E}; t + O(q_D), 0, q_D). \end{eqnarray*} Note how weak the security requirements on the encryption scheme are: no chosen-plaintext queries are permitted! @@ -348,7 +349,7 @@ Hopwood, but based on the DHAES proof by ABR. simulation of $A$'s attack game, and hence wins with probability \[ \frac{\Adv{ind-cca2}{\Xid{G}{IES}^{\mathcal{K}, \mathcal{E}}}}{2} + \frac{1}{2}. \]% - We construct a new adversary $C$, attacking $\mathcal{E}$ in the FTG-CCA + We construct a new adversary $C$, attacking $\mathcal{E}$ in the FTG-CCA2 sense, to help us bound $B$'s probability of success when $h$ is chosen randomly. \begin{program}
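Review bot: the first hunk (the introduction, adding \cite{Shoup:2001:PIS} and \cite{Abdalla:2001:DHIES}) leaves two awkward commas in the rewritten sentence: `generalize the work by (among others), Shoup \cite{Shoup:2001:PIS}, and` would read better as `generalize the work of Shoup \cite{Shoup:2001:PIS} and of Abdalla, Bellare and Rogaway \cite{Abdalla:2001:DHIES}, among others`, and the reflowed `and, encrypt the key` in the "obvious approach" paragraph keeps a stray comma before `encrypt` that could be dropped while that line is being touched. Strengthening the symmetric requirement there from IND-CCA to IND-CCA2 is consistent with the later theorem hunk, which states the hybrid's security in the CCA2 sense.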
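Review bot: the hunk around `Lemma~\ref{lem:shoup}` drops the name "Shoup's Lemma" from the running text, so the attribution now survives only in the label; consider keeping it, e.g. `Shoup's Lemma (Lemma~\ref{lem:shoup}, slide~\pageref{lem:shoup})`, so readers still see whose result is being invoked, particularly now that a Shoup citation exists in the introduction. Note also that `\pageref` yields a page number, so calling it a slide is only accurate when the document is built one slide per page, which the `\xcalways` wrappers suggest but which should hold for every build target of this file.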
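Review bot: renaming the bound term from `\InSec{ftg-cca}` to `\InSec{ftg-cca2}` in the theorem hunk requires that the FTG-CCA2 notion (and whatever macro typesets the `ftg-cca2` tag) is defined elsewhere in the document, otherwise the theorem cites an insecurity function that has no definition. The argument list `(\mathcal{E}; t + O(q_D), 0, q_D)` should also follow the parameter order of that definition, so that the `0` is unambiguously the number of chosen-plaintext queries that the remark `no chosen-plaintext queries are permitted!` refers to.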
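Review bot: the proof hunk now says adversary $C$ attacks $\mathcal{E}$ `in the FTG-CCA2 sense`, which matches the renamed bound in the theorem, but only the sentence is shown, not the `\begin{program}` body that follows it; that body should be checked to confirm $C$ makes no encryption queries and at most $q_D$ decryption queries, including decryption queries after the challenge (the adaptive part that distinguishes CCA2 from CCA), since those are exactly the resources the theorem charges to the FTG-CCA2 term.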