Problem Set 3, Problem 2

Consider the following encryption scheme. Fix a finite cyclic group G = <g>. A party's secret key is x, a random number in [1..|G|], and its public key is (an encoding of) X = g^x. Let H be a hash function, modeled as a random oracle. To encrypt a message M under public key X, the sender chooses a random number y in [1..|G|], sets Y = g^y and K = g^{xy} = X^y, and transmits (Y, H(K) xor M). Decryption proceeds in the natural way. Prove that the scheme is IND-CPA secure in the random-oracle (RO) model under the CDH assumption.
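
The scheme as runnable code, including the "natural" decryption K = Y^x. This is an added example, not part of the original problem set. The toy group (P, Q, G), SHAKE-256 standing in for H with output length |M|, and the membership check on Y are assumptions.

```python
import hashlib
import secrets

# Toy parameters (constructed for illustration, far too small for real use):
# P = 2Q + 1 is a safe prime and G generates the order-Q subgroup of Z_P^*.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1  # G has prime order Q, so |G| = Q


def H(K: int, n: int) -> bytes:
    """Stand-in for the random oracle: n bytes derived from the encoding of K."""
    encoded = K.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.shake_256(encoded).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(s ^ t for s, t in zip(a, b))


def keygen() -> tuple[int, int]:
    x = secrets.randbelow(Q) + 1      # x in [1..|G|]
    return x, pow(G, x, P)            # (secret x, public X = g^x)


def encrypt(X: int, M: bytes) -> tuple[int, bytes]:
    y = secrets.randbelow(Q) + 1      # fresh y in [1..|G|] for every message
    Y = pow(G, y, P)                  # Y = g^y
    K = pow(X, y, P)                  # K = X^y = g^{xy}
    return Y, xor(H(K, len(M)), M)    # (Y, H(K) xor M)


def decrypt(x: int, ciphertext: tuple[int, bytes]) -> bytes:
    Y, W = ciphertext
    # Assumption: the receiver rejects any Y outside the group generated by g.
    if not (0 < Y < P) or pow(Y, Q, P) != 1:
        raise ValueError("Y is not an element of G")
    K = pow(Y, x, P)                  # K = Y^x = g^{xy}, same key as the sender
    return xor(H(K, len(W)), W)


if __name__ == "__main__":
    x, X = keygen()
    c = encrypt(X, b"constructed sample message")
    print(decrypt(x, c))
```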