X-Git-Url: https://git.distorted.org.uk/~mdw/doc/ips/blobdiff_plain/53aa10b5d9431ced4e98673cc872c6627cac1d5f..6278c386d4ce1feeab4adba11c161602ade00414:/enc-ies.tex

diff --git a/enc-ies.tex b/enc-ies.tex
index 7150019..9916a18 100644
--- a/enc-ies.tex
+++ b/enc-ies.tex
@@ -29,9 +29,9 @@ in \cite{Abdalla:2001:DHIES}.
   \head{An obvious approach}
   
   A simple approach would be to generate a random key for some secure (i.e.,
-  IND-CCA) symmetric scheme, encrypt the message under that key, and, encrypt
-  the key under the recipient's public key (using some IND-CCA2 public-key
-  scheme).
+  IND-CCA2) symmetric scheme, encrypt the message under that key, and,
+  encrypt the key under the recipient's public key (using some IND-CCA2
+  public-key scheme).
 
   This is obviously secure.  But the security results for most public-key
   schemes are less than encouraging: the reductions, even for OAEP+, are
@@ -50,7 +50,7 @@ in \cite{Abdalla:2001:DHIES}.
   \item a probabilistic \emph{key-generation} algorithm~$G$, which takes no
     input (or a security parameter for asymptotic types) and returns a pair
     $(P, K)$;
-  \item a probabilistic \emph{exchange} algorithm~$E$, which is given a
+  \item a probabilistic \emph{exchange} algorithm~$X$, which is given a
     as input a public key~$P$ and returns a \emph{public value}~$y$ and a
     \emph{hash} $h \in \{0, 1\}^k$; and
   \item a deterministic \emph{recovery} algorithm~$R$, which is given as
@@ -235,17 +235,18 @@ in \cite{Abdalla:2001:DHIES}.
   scheme is \emph{malleable} in a group of composite order.  For example,
   suppose that $q = 2r$ for some $r$; then if $\alpha$ is even, we have
   $(b\cdot g^r)^\alpha = b^\alpha$.  Passing $b$ to the oracle ensures that
-  these queries given independent answers, even if the shared secret is the
-  same.
+  these queries are given independent answers, even if the shared secret is
+  the same.
 \end{slide}
 
 \begin{proof}
   Suppose that $A$ solves the oracle hash decision problem for
   $\Xid{\mathcal{K}}{DH}^{G, H}$.  Let the input to~$A$ be the triple $(a, b,
-  h^*)$, where $a = g^\alpha$ and $b = g^\beta$; and let $h^* =
-  H(g^{\alpha\beta})$.  $A$ must decide whether $h = h^*$.  Clearly, if $A$
-  never queries $H$ at $(g^\beta, g^{\alpha\beta})$ then its advantage is
-  zero, since it has no information about $h^*$.
+  h)$, where $a = g^\alpha$, $b = g^\beta$ and $h$ is some string in $\{0,
+  1\}^k$; and let $h^* = H(g^\beta, g^{\alpha\beta})$.  $A$ must decide
+  whether $h = h^*$.  Clearly, if $A$ never queries $H$ at $(g^\beta,
+  g^{\alpha\beta})$ then its advantage is zero, since it has no information
+  about $h^*$.
 
   As in the one-way function case, we have
   \[ \Pr[F] \ge \frac{1}{2} \Adv{ohd}{\Xid{\mathcal{K}}{DH}^{G, H}}(A) \]
@@ -257,7 +258,7 @@ in \cite{Abdalla:2001:DHIES}.
   \begin{program}
     Algorithm $B^{C(\cdot, \cdot)}(a^*, b^*)$: \+ \\
       $\Xid{R}{map} \gets \emptyset$; $\Xid{H}{map} \gets \emptyset$; \\
-      $h^* \gets \{0, 1\}^k$; \\
+      $h^* \getsr \{0, 1\}^k$; \\
       $c^* \gets \bot$; \\
       $b \gets A^{\Xid{R}{sim}(\cdot), \Xid{H}{sim}(\cdot)}
         (a^*, b^*, h^*)$; \\
@@ -265,7 +266,7 @@ in \cite{Abdalla:2001:DHIES}.
     Oracle $\Xid{R}{sim}(b)$: \+ \\
       \IF $b \in \dom\Xid{R}{map}$ \\
       \THEN \RETURN $\Xid{R}{map}(b)$; \\
-      $h \gets \{0, 1\}^k$; \\
+      $h \getsr \{0, 1\}^k$; \\
       $\Xid{R}{map} \gets \Xid{R}{map} \cup \{ b \mapsto h \}$; \\
       \RETURN $h$;
   \next
@@ -274,7 +275,7 @@ in \cite{Abdalla:2001:DHIES}.
         \IF $(b, c) \in \dom\Xid{H}{map}$ \THEN
           \RETURN $\Xid{H}{map}(b, c)$; \\
         $h \gets \{0, 1\}^k$; \\
-        $\Xid{H}{map} \gets \Xid{H}{map} \cup \{ (b, c) \mapsto h \}$; \\
+        $\Xid{H}{map} \getsr \Xid{H}{map} \cup \{ (b, c) \mapsto h \}$; \\
         \RETURN $h$; \- \\
       \IF $b = b^*$ \THEN \\ \quad \= \+ \kill
         $c^* \gets c$; \\
@@ -322,7 +323,7 @@ in \cite{Abdalla:2001:DHIES}.
      \InSec{ind-cca2}(\Xid{G}{IES}^{\mathcal{K}, \mathcal{E}}; t, q_D) \\
      & \le
        2 \cdot \InSec{ohd}(\mathcal{K}; t + O(q_D), q_D) +
-       \InSec{ftg-cca}(\mathcal{E}; t + O(q_D), 0, q_D).
+       \InSec{ftg-cca2}(\mathcal{E}; t + O(q_D), 0, q_D).
   \end{eqnarray*}
   Note how weak the security requirements on the encryption scheme are: no
   chosen-plaintext queries are permitted!
@@ -349,7 +350,7 @@ in \cite{Abdalla:2001:DHIES}.
   simulation of $A$'s attack game, and hence wins with probability
   \[ \frac{\Adv{ind-cca2}{\Xid{G}{IES}^{\mathcal{K}, \mathcal{E}}}}{2} +
      \frac{1}{2}. \]%
-  We construct a new adversary $C$, attacking $\mathcal{E}$ in the FTG-CCA
+  We construct a new adversary $C$, attacking $\mathcal{E}$ in the FTG-CCA2
   sense, to help us bound $B$'s probability of success when $h$ is chosen
   randomly.
   \begin{program}