
Proofs of Security for ECIES A.W Dent

III.2. SECURITY PROOFS FOR ECIES 53

algorithm B would not be significant. However, then the attacker would still be able to break the scheme if the keys used by the symmetric encryption algorithm and the MAC algorithm were completely random.

The idea that we can replace the key used to encrypt the challenge ciphertext with a random key means that we can construct an algorithm C that breaks the symmetric cipher. Remember that here C = (C1, C2) is a two-stage algorithm that has access to a decryption oracle for the symmetric cipher with an unknown, randomly selected symmetric key and is trying to decide which of two messages (m0 and m1) a given symmetric ciphertext is an encryption of (see Section III.1.3). Algorithm C works by using the symmetric cipher as part of ECIES and using A to break it. The first algorithm C1 works as follows:

1. C1 picks a private key x uniformly at random from the set {1, . . . , q − 1} and sets the public key Y to be [x]P.

2. C1 runs A1 on the input Y. A1 will return two messages m0 and m1, as well as some state information s.

3. C1 returns the two messages, m0 and m1, and some state information s′ = (s, x).

The challenger then picks a bit σ ∈ {0, 1} uniformly at random and computes c∗ = Enc(mσ, k1), where k1 is some random (unknown) secret key that the challenger chose at the start. The attacker then runs C2 on the input (c∗, s′). Algorithm C2 runs as follows.

1. C2 takes s′ and recovers the secret key x and A's state information s.

2. C2 chooses a random point U∗ in ⟨P⟩.

3. C2 chooses a random MAC key k2 and computes r∗ = MAC(c∗, k2).

4. The challenge ciphertext for A is set to be C∗ = (U∗, c∗, r∗).

5. C2 runs A2 on the input (C∗, Y, s). A2 outputs a guess σ′ for σ.

6. C2 outputs σ′.

Algorithm C makes the problem of breaking the symmetric cipher look exactly like the problem of breaking ECIES, except for the fact that the challenge ciphertext was computed using randomly generated symmetric keys rather than from the keys given by (k1||k2) = KD([x]U∗, l). We have already shown that if B's advantage in solving the hash Diffie–Hellman problem is not significant, then A should still be able to break ECIES in this case. Hence C should have a significant advantage in breaking the symmetric cipher.

Again the only problem we haven't explained is how to respond to the decryption requests A makes. Once again, this is fairly simple. Since C knows the private key x, it can easily decrypt any ciphertext (U, c, r) where U ≠ U∗ in the normal way. If A requests a decryption of the form (U∗, c, r), then C simply responds with "invalid ciphertext". It does this because it does not wish to confuse A. All decryption requests for ciphertexts of the form (U∗, c, r) should use the same symmetric key to decrypt c as was used to encrypt the challenge ciphertext c∗ – but it does not know what this is! Hence it is easier for C to just ignore any requests to decrypt ciphertexts of the form (U∗, c, r) than to try and guess what the answer should be.

Obviously this means there is a chance that C will respond to a ciphertext query (U∗, c, r) by saying "invalid ciphertext" when the ciphertext is valid and should be decrypted. However, then we must have that c ≠ c∗, as otherwise r = r∗ and A is querying the decryption oracle on the challenge ciphertext, which would mean that C has succeeded in forging the MAC pair (c, r). We can use this to build an attacker F that breaks the MAC scheme. If F does not have a significant success probability, then we know that all of the decryption oracle responses that A is given by C are correct and so C should have a significant advantage in breaking the symmetric scheme.
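The reduction above is easier to follow when the simulator is written out. The following is an added example (not Dent's code, and not part of the original chapter) that instantiates ECIES over a toy curve and then implements algorithm C's view: C holds the private key x, builds the challenge (U∗, c∗, r∗) from a random U∗ and a random MAC key k2 exactly as in steps 2–4 of C2, answers decryption queries with U ≠ U∗ normally, and refuses every query of the form (U∗, c, r). It also flags the one situation the text singles out, a refused query (U∗, c, r) with c ≠ c∗ whose MAC verifies, which is the event the MAC forger F is built from. Everything concrete here is an assumption chosen for the demonstration: the curve y² = x³ + 2x + 2 over F₁₇ (order 19, generator P = (5, 1), a textbook example and far too small for real use), SHA-256 as the key derivation function KD, a SHA-256 counter keystream XORed with the message as Enc, and truncated HMAC-SHA256 as MAC. The class and function names (ReductionC, ecies_encrypt, is_unanswered_valid_query, ...) are likewise the example's own.

```python
import hashlib
import hmac
import secrets

# Toy curve y^2 = x^3 + 2x + 2 over F_17 (assumed for the example): prime order 19,
# generated by P = (5, 1). Real ECIES uses a standardised curve of ~256-bit order.
A, PRIME, ORDER = 2, 17, 19
P = (5, 1)


def point_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None                       # p1 = -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)


def scalar_mult(k, point):
    """[k]point by double-and-add."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def kd(shared_point):
    """KD: hash the shared point into k1 || k2 (16 bytes each). Assumed KDF."""
    return hashlib.sha256(f"{shared_point[0]},{shared_point[1]}".encode()).digest()


def enc(data, k1):
    """Enc / Dec: XOR with a SHA-256 counter keystream (assumed toy stream cipher)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(k1 + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(m ^ s for m, s in zip(data, stream))


def mac(c, k2):
    """MAC: HMAC-SHA256 truncated to 16 bytes (assumed)."""
    return hmac.new(k2, c, hashlib.sha256).digest()[:16]


def ecies_encrypt(Y, message):
    r = secrets.randbelow(ORDER - 1) + 1          # ephemeral scalar in {1, ..., q-1}
    U = scalar_mult(r, P)
    keys = kd(scalar_mult(r, Y))                  # (k1 || k2) = KD([r]Y)
    c = enc(message, keys[:16])
    return (U, c, mac(c, keys[16:]))


def ecies_decrypt(x, ciphertext):
    U, c, tag = ciphertext
    keys = kd(scalar_mult(x, U))                  # KD([x]U) = KD([r]Y)
    if not hmac.compare_digest(tag, mac(c, keys[16:])):
        return None                               # "invalid ciphertext"
    return enc(c, keys[:16])


class ReductionC:
    """Algorithm C's simulation of A's environment, as described in the text."""

    def __init__(self):
        self.x = secrets.randbelow(ORDER - 1) + 1   # C1 step 1: private key x
        self.Y = scalar_mult(self.x, P)             # public key Y = [x]P
        self.U_star = self.c_star = self.k2 = None

    def make_challenge(self, c_star):
        """C2 steps 2-4: c_star comes from the symmetric challenger (key k1 unknown to C)."""
        self.U_star = scalar_mult(secrets.randbelow(ORDER - 1) + 1, P)   # random point in <P>
        self.k2 = secrets.token_bytes(16)                                 # random MAC key
        self.c_star = c_star
        return (self.U_star, c_star, mac(c_star, self.k2))

    def decryption_oracle(self, ciphertext):
        """Answer A's query: normal decryption if U != U*, refusal otherwise."""
        if ciphertext[0] == self.U_star:
            return None       # C cannot know k1 for this U*, so it says "invalid ciphertext"
        return ecies_decrypt(self.x, ciphertext)

    def is_unanswered_valid_query(self, ciphertext):
        """The event F exploits: a refused (U*, c, r) with c != c* whose MAC verifies."""
        U, c, tag = ciphertext
        return (U == self.U_star and c != self.c_star
                and hmac.compare_digest(tag, mac(c, self.k2)))
```

Running `ecies_decrypt(C.x, C.make_challenge(...))` shows the point of the refusal: the genuine keys KD([x]U∗) have nothing to do with the random k1, k2 used for the challenge, so honest decryption rejects C∗ with overwhelming probability; C refuses instead of guessing. Because the toy group has only 18 non-identity points, a fresh ECIES ciphertext's U collides with U∗ with probability 1/18, which a real-size curve makes negligible.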

III.2.2. Using an Idealized Key Derivation Function. If one is uneasy about the validity of a security proof based on a non-standard and unstudied problem (like the hash Diffie–Hellman problem), then one can find a proof of security for ECIES based on the gap Diffie–Hellman problem if one is prepared to accept the use of the random oracle methodology [24].

The random oracle methodology is a model in which the key derivation function is modelled as being perfect, i.e., as a completely random function. The attacker, who needs to be able to compute the value of the key derivation function, is given access to this random function by means of an oracle that will evaluate it for him. Unfortunately this model has been shown to have some theoretical weaknesses [54]. Nevertheless security proofs constructed using the random oracle methodology (in the "random oracle model") are still considered a very good heuristic guide to the security of a cryptosystem. The security proof for ECIES in the random oracle model shows the following:

Result III.8. Suppose A is an IND-CCA2 attacker that breaks ECIES with a significant advantage in the random oracle model, and that A runs in a reasonable amount of time and only makes a reasonable number of queries to the decryption oracle. Then either

there exists an algorithm B that solves the gap Diffie–Hellman problem with a significant probability, runs in a reasonable amount of time and only makes a reasonable number of queries to the decisional Diffie–Hellman oracle;

there exists an attacker C = (C1, C2) that breaks the symmetric cipher with a significant advantage and runs in a reasonable amount of time; or

there exists an attacker F that breaks the MAC scheme with a significant probability and runs in a reasonable amount of time.

For the most part the proof is very similar to the proof given in Section III.2.1. The only difference is in how one constructs the algorithm B.
