Chapter 7 Public-Key Encryption with Random Oracles In this chapter, we mainly use a variant of ElGamal encryption to introduce how to prove the security of encryption schemes under computational hardness assump- tions. The basic scheme is called the hashed ElGamal scheme [1]. The twin ElGa- mal scheme and the iterated ElGamal scheme are from [29] and [55], respectively, and introduce two totally different approaches for addressing the reduction loss of finding a correct solution from hash queries. The ElGamal encryption scheme with CCA security is introduced using the Fujisaki-Okamoto transformation [42]. The given schemes and/or proofs may be different from the original ones. 7.1 Hashed ElGamal Scheme SysGen: The system parameter generation algorithm takes as input a secu- rity parameter λ . It chooses a cyclic group (G, p, g), selects a cryptographic hash function H : {0, 1} ∗ →{0, 1} n , and returns the system parameters SP = (G, p, g, H). KeyGen: The key generation algorithm takes as input the system parameters SP. It randomly chooses α ∈ Z p , computes g 1 = g α , and returns a public/secret key pair ( pk, sk) as follows: pk = g 1 , sk = α . Encrypt: The encryption algorithm takes as input a message m ∈{0, 1} n , the public key pk, and the system parameters SP. It chooses a random number r ∈ Z p and returns the ciphertext CT as CT =( C 1 , C 2 )=  g r , H(g r 1 ) ⊕ m  . 193 © Springer International Publishing AG, part of Springer Nature 2018 F. Guo et al., Introduction to Security Reduction, https://doi.org/10.1007/978-3-319-93049-7_7