[
[
['4','add','hl'],
['5','add','hl'],
['11','add','hl'],
['232','add','hl'],
['38','remove','slide-up'],
['15','add','slide-down']
],
[
['19','add','hl'],
['19','remove','hidden'],
['255','add','hl'],
['255','remove','slide-left'],
['233','add','hl'],
['233','remove','slide-left'],
['234-slide','remove','slide-left'],
['3','add','hidden'],
['4','remove','hl'],
['4','add','hidden'],
['5','remove','hl'],
['5','add','hidden'],
['11','remove','hl'],
['11','add','hidden'],
['232','remove','hl'],
['232','add','slide-right']
],
[
['19','remove','hl'],
['255','remove','hl'],
['233','remove','hl']
],
[
['234-flip','add','flipped'],
['62','remove','slide-up'],
['38','add','slide-down']
],
[
['19','add','hl'],
['12','add','hl'],
['238','add','hl'],
['76','remove','slide-up'],
['62','add','slide-down']
],
[
['5','add','hl'],
['5','remove','hidden'],
['232','add','hl'],
['232','remove','slide-right'],
['72','add','hl'],
['72','remove','hidden'],
['73','add','hl'],
['73','remove','hidden'],
['19','remove','hl'],
['19','add','hidden'],
['12','remove','hl'],
['12','add','hidden'],
['238','remove','hl'],
['238','add','slide-left'],
['234-slide','add','slide-left']
],
[
['5','remove','hl'],
['232','remove','hl'],
['72','remove','hl'],
['73','remove','hl'],
['237','add','hl'],
['90','remove','slide-up'],
['76','add','slide-down']
],
[
['238','add','hl'],
['238','remove','slide-left'],
['237','remove','hl'],
['237','add','slide-right']
],
[
['238','remove','hl'],
['73','add','hl'],
['240','add','hl'],
['109','remove','slide-up'],
['90','add','slide-down']
],
[
['237','add','hl'],
['237','remove','slide-right'],
['241','add','hl'],
['241','remove','slide-left'],
['242-slide','remove','slide-left'],
['73','remove','hl'],
['73','add','hidden'],
['240','remove','hl'],
['240','add','slide-right']
],
[
['237','remove','hl'],
['241','remove','hl']
],
[
['242-flip','add','flipped'],
['128','remove','slide-up'],
['109','add','slide-down']
],
[
['247','add','hl'],
['243','add','hl'],
['142','remove','slide-up'],
['128','add','slide-down']
],
[
['139','add','hl'],
['139','remove','hidden'],
['244','add','hl'],
['244','remove','slide-right'],
['247','remove','hl'],
['247','add','slide-left'],
['243','remove','hl'],
['243','add','slide-left'],
['242-slide','add','slide-left']
],
[
['139','remove','hl'],
['244','remove','hl'],
['246','add','hl'],
['156','remove','slide-up'],
['142','add','slide-down']
],
[
['247','add','hl'],
['247','remove','slide-left'],
['246','remove','hl'],
['246','add','slide-right']
],
[
['247','remove','hl'],
['5','add','hl'],
['72','add','hl'],
['139','add','hl'],
['252','add','hl'],
['156','add','slide-down']
],
[
['19','add','hl'],
['19','remove','hidden'],
['246','add','hl'],
['246','remove','slide-right'],
['166','add','hl'],
['166','remove','hidden'],
['249-slide','remove','slide-left'],
['5','remove','hl'],
['5','add','hidden'],
['72','remove','hl'],
['72','add','hidden'],
['139','remove','hl'],
['139','add','hidden'],
['252','remove','hl'],
['252','add','slide-right']
],
[
['19','remove','hl'],
['246','remove','hl'],
['166','remove','hl']
],
[
['249-flip','add','flipped']
],
[
['19','add','hl'],
['251','add','hl']
],
[
['5','add','hl'],
['5','remove','hidden'],
['252','add','hl'],
['252','remove','slide-right'],
['19','remove','hl'],
['19','add','hidden'],
['251','remove','hl'],
['251','add','slide-left'],
['249-slide','add','slide-left']
],
[
['5','remove','hl'],
['252','remove','hl'],
['254','add','hl'],
['229','remove','slide-up']
],
[
['217','remove','hidden'],
['4','add','hl'],
['4','remove','hidden'],
['11','add','hl'],
['11','remove','hidden'],
['254','remove','hl'],
['254','add','slide-right']
],
[
['4','remove','hl'],
['11','remove','hl']
]
]
The starting point is
Lpke-cpa-leftHyb.Rewrite in a logically equivalent way so that an instance of
Lkem-cpa-realKEM appears.
KEM is CPA-secure, so
Lkem-cpa-realKEM can be replaced by
Lkem-cpa-idealKEM with only negligible effect on the calling program.
Inline the instance of
Lkem-cpa-idealKEM.By our assumption,
KEM.M=DEM.K.Rewrite in a logically eqivalent way, so that an instance of
Lske-ots-leftDEM appears.
DEM has cOTS security, so
Lske-ots-leftDEM can be replaced by
Lske-ots-rightDEM with only negligible effect on the calling program.
Inline the instance of
Lske-ots-rightDEM.The next few steps are identical to some previous steps, but taken in reverse order.
What remains is exactly
Lpke-cpa-rightHyb.
Lpke-cpa-leftHyb
Lpke-cpa-rightHyb
(PK,SK):=KEM.KeyGen()
PK:=kem.cpa.pk()
(Ckem,K)
↞KEM.Encaps(PK)
:=kem.cpa.enc()
(Ckem,−):=KEM.Encaps(PK)
K↞
KEM.M
DEM.K
K↞
DEM.K
KEM.M
(Ckem,K):=
kem.cpa.enc()
KEM.Encaps(PK)
Cdem
↞DEM.Enc(K,ML)
:=
ske.ots.enc(ML,MR)
DEM.Enc(K,MR)
return
(Ckem,Cdem)
⋄
Lkem-cpa-realKEM
(PK,SK):=KEM.KeyGen()
(C,M):=KEM.Encaps(PK)
return
(C,M)
Lkem-cpa-idealKEM
(PK,SK):=KEM.KeyGen()
(C,−):=KEM.Encaps(PK)
M↞KEM.M
return
(C,M)
⋄
Lske-ots-leftDEM
K↞DEM.K
C:=DEM.Enc(K,ML)
Lske-ots-rightDEM
K↞DEM.K
C:=DEM.Enc(K,MR)
⋄
Lkem-cpa-idealKEM
(PK,SK):=KEM.KeyGen()
(C,−):=KEM.Encaps(PK)
M↞KEM.M
return
(C,M)
Lkem-cpa-realKEM
(PK,SK):=KEM.KeyGen()
(C,M):=KEM.Encaps(PK)
return
(C,M)
The Joy of Cryptography