
Proofs of Security for ECIES, A. W. Dent

III.2. SECURITY PROOFS FOR ECIES

a group element U, will return KD([b]U, l). The attacker will not be allowed to query this oracle with the input [a]P.

The advantage that an algorithm A has in solving the hash Diffie–Hellman problem is equal to |Pr[A correctly solves the hash Diffie–Hellman problem] − 1/2|. This definition is fairly sneaky. It is not actually a single definition but a family of definitions that depend upon your choice of a key derivation function. The hash Diffie–Hellman problem may indeed be hard to solve for many key derivation functions (and choices of l), but it is also possible that, for a particular choice of key derivation function and l, the hash Diffie–Hellman problem is easy to solve. In many ways, adopting the hash Diffie–Hellman problem as the basis for a security proof only changes the problem from proving the security of the cryptosystem to proving that the hash Diffie–Hellman problem is hard to solve for your chosen key derivation function.

The security proof for ECIES in this model shows the following:

Result III.7. Suppose A is an IND-CCA2 attacker that breaks ECIES with a “significant” advantage, runs in a “reasonable” amount of time and only makes a “reasonable” number of queries to the decryption oracle. Then either there exists an algorithm B that solves the hash Diffie–Hellman problem with a significant advantage, runs in a reasonable amount of time and only makes a reasonable number of queries to the hash Diffie–Hellman oracle;

there exists an attacker C = (C1, C2) that breaks the symmetric cipher with a significant advantage and runs in a reasonable amount of time; or

there exists an attacker F that breaks the MAC scheme with a significant probability and runs in a reasonable amount of time.

The terms “significant” and “reasonable” all have precise technical definitions, but it will be unnecessary to consider these in detail. It will suffice to think of “significant” as meaning “large enough to be useful” and “reasonable” as “not too large”.

We will now sketch the proof.

Suppose we have an IND-CCA2 attacker A = (A1, A2) that breaks ECIES with a significant advantage, runs in a reasonable amount of time and only makes a reasonable number of queries to the decryption oracle.

We begin by defining an algorithm B that attempts to solve the hash Diffie–Hellman problem. At the start of its execution, B is presented with a triple ([a]P, [b]P, α). The algorithm B runs in several stages:

1. B sets the public key Y = [b]P and runs A1 on the input Y until it outputs two messages, m0 and m1, and some state information s.

2. B picks a bit σ ∈ {0,1} uniformly at random and sets (k1||k2) = α. It then computes c∗ = Enc(mσ, k1) and r∗ = MAC(c∗, k2), and sets C∗ = ([a]P, c∗, r∗). Note that if α = KD([ab]P, l), then C∗ is a correct encryption of the message mσ.

3. Next, B runs A2 on the input (C∗, Y, s). A2 returns a guess σ′ for σ.

4. If σ′ = σ, then B returns true (i.e., that α = KD([ab]P, l)), otherwise B returns false.

The idea behind the proof is that if α = KD([ab]P, l), then the attacker A will be attacking a valid instance of ECIES and so will have a significant advantage in guessing σ correctly. If α ≠ KD([ab]P, l), then α is completely random. This means that the message has been encrypted and the MAC of the ciphertext computed with random keys. If this is the case, then one of two things will happen: either (1) the attacker A will still be able to break the scheme and recover σ with a significant probability, in which case the attacker doesn’t really care about the keys and must be attacking the symmetric part of the scheme, or (2) the attacker can no longer break the scheme.

Suppose that an attacker A’s advantage in breaking the scheme is significantly reduced when α ≠ KD([ab]P, l). In this case A is less likely to guess σ correctly if random keys are used to encrypt and to create the MAC of the ciphertext, which in turn means that B is more likely to output true if α = KD([ab]P, l) than if it doesn’t. In other words, B has a significant advantage in breaking the hash Diffie–Hellman problem. So, if we assume that solving the hash Diffie–Hellman problem is hard to do, then any attacker that is trying to break the scheme must still be able to do so when performing the symmetric encryption and MAC using random keys.

The only problem that remains with the algorithm B is that it has to be able to respond to the decryption queries that A makes. Normally these would be answered by a decryption oracle, but since B has no access to a decryption oracle, it must answer these queries itself. Fortunately this is fairly easy to do. If A asks for the decryption of a ciphertext (U, c, r) where U ≠ [a]P, then we may find the relevant symmetric keys k1||k2 by querying the hash Diffie–Hellman oracle on the input U; then we may decrypt c and r as normal. If A asks for the decryption of a ciphertext ([a]P, c, r) with (c, r) ≠ (c∗, r∗), then we can use the symmetric keys (k1||k2) = α to decrypt c and r as normal. Of course there is a possibility that A1 might request the decryption of the challenge ciphertext C∗ (remember that A2 is not allowed to request the decryption of C∗), but, in order to do this, A1 would have to guess that the challenge ciphertext would contain [a]P. Since [a]P is chosen at random from all the non-identity points of P, and because A is only allowed to make a reasonable number of decryption queries, this will happen with such a small probability that we may cheerfully ignore it.
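As an added illustration that is not part of Dent's chapter, the following Python sketches the four steps of algorithm B above together with the simulated decryption oracle just described. It assumes a constructed toy group (the order-q subgroup of Z_p^*, not an elliptic curve), toy Enc/MAC built from SHA-256 and HMAC, and a constructed key-knowing attacker as the limiting case of an attacker with a "significant" advantage; all function names are the example's own.

```python
import hashlib, hmac, random

# Constructed toy group: the order-q subgroup of Z_p^* (not an elliptic curve,
# but the reduction is structurally identical). [x]Q is written mul(x, Q).
p, q, P = 1019, 509, 4            # p = 2q + 1; P = 2^2 generates the order-q subgroup
def mul(x, Q): return pow(Q, x, p)

def KD(Z, l):                     # key derivation: l bytes of SHA-256(Z), split as (k1, k2)
    k = hashlib.sha256(Z.to_bytes(2, "big")).digest()[:l]
    return k[:l // 2], k[l // 2:]
def Enc(m, k1):                   # toy one-time stream cipher, messages up to 32 bytes
    return bytes(x ^ y for x, y in zip(m, hashlib.sha256(k1).digest()))
Dec = Enc
def MAC(c, k2): return hmac.new(k2, c, hashlib.sha256).digest()[:16]

def ecies_encrypt(Y, m, rng):     # (U, c, r) with U = [u]P and keys from KD([u]Y, l)
    u = rng.randrange(1, q); k1, k2 = KD(mul(u, Y), 32)
    c = Enc(m, k1); return mul(u, P), c, MAC(c, k2)
def ecies_decrypt(y, C):
    U, c, r = C; k1, k2 = KD(mul(y, U), 32)
    if not hmac.compare_digest(r, MAC(c, k2)): raise ValueError("bad MAC")
    return Dec(c, k1)

def hdh_instance(rng):            # ([a]P, [b]P, alpha) with alpha real, plus the HDH oracle
    a, b = rng.randrange(1, q), rng.randrange(1, q)
    oracle = lambda U: KD(mul(b, U), 32)   # KD([b]U, l); B never queries it at [a]P
    return a, b, mul(a, P), mul(b, P), KD(mul(a * b, P), 32), oracle

def reduction_B(A1, A2, aP, bP, alpha, hdh_oracle, rng):
    """Steps 1-4 of B: answer True iff B believes alpha == KD([ab]P, l)."""
    Y, sigma, chal = bP, rng.randrange(2), {}
    def dec_oracle(C):            # B answers A's decryption queries without knowing b
        U, c, r = C
        if U != aP: k1, k2 = hdh_oracle(U)           # legal HDH query (U != [a]P)
        elif (c, r) == (chal.get("c"), chal.get("r")): raise PermissionError("challenge")
        else: k1, k2 = alpha                         # U == [a]P: the keys are alpha
        if not hmac.compare_digest(r, MAC(c, k2)): raise ValueError("bad MAC")
        return Dec(c, k1)
    m0, m1, s = A1(Y, dec_oracle)
    k1, k2 = alpha; c_star = Enc((m0, m1)[sigma], k1); r_star = MAC(c_star, k2)
    chal.update(c=c_star, r=r_star)
    return A2((aP, c_star, r_star), Y, s, dec_oracle) == sigma

def cheating_attacker(b):         # constructed limiting case of a strong A: it knows b
    def A1(Y, dec): return b"attack at dawn!!", b"retreat at dusk!", None
    def A2(C, Y, s, dec):
        try: return 0 if ecies_decrypt(b, C) == b"attack at dawn!!" else 1
        except ValueError: return 0   # random alpha: the MAC fails, so A can only guess
    return A1, A2
```

With a real triple the key-knowing attacker recovers σ every time and B answers true; with a random α the MAC under α fails and B's answer is a coin toss, which is exactly the gap the reduction turns into an HDH advantage.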

As we mentioned earlier, it is, of course, possible that the attacker A gained his advantage in breaking ECIES not by determining some information about the symmetric keys but by attacking the symmetric part of the algorithm without knowing those keys. In that case the advantage of the
