Add a paragraph about security proofs for the encryption scheme.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -3013,6 +3013,15 @@ The motivations for this change were as follows:
         encrypted in each \joinSplitDescription.
 \end{itemize}
 
+The security proofs of \cite{ABR1999} can be adapted straightforwardly to the
+resulting scheme. Although DHAES as defined in that paper does not pass the
+recipient public key or a public seed to the hash function $H$, this does not
+impair the proof because we can consider $H$ to be the specialization of our
+KDF to a given recipient key and seed. It is necessary to adapt the
+``HDH independence'' assumptions and the proof slightly to take into account
+that the ephemeral key is reused for two encryptions.
+
+
 \nsubsection{Omission in \Zerocash security proof} \label{crprf}
 
 The abstract \Zerocash protocol requires $\PRFaddr{}$ only to be a PRF;