Practical chosen ciphertext secure encryption from factoring (Q1946594)

From the introduction: ``In this paper we propose a new public-key encryption scheme that is based on \textit{M. O. Rabin}'s trapdoor one-way permutation [Digital signatures and public key functions as intractable as factorization. Technical Report MIT/LCS/TR-212, Massachusetts Institute of Technology (January 1979)]. We can prove that the security of our scheme against adaptive chosen-ciphertext attacks (CCA security) is equivalent to the factoring assumption. Furthermore, the scheme is practical as its encryption performs only roughly two, and its decryption roughly one modular exponentiation. To the best of our knowledge, this is the first scheme that simultaneously enjoys those two properties.'' The highly readable introduction contains, moreover, more interesting information, a.o. on the history of the problem, random oracle schemes, details of the authors' construction, details of proof, and the efficiency. The result of this paper were announced by the first two authors in [Advances in cryptology -- EUROCRYPT 2009. 28th annual international conference on the theory and applications of cryptographic techniques. Lect. Notes Comput. Sci. 5479, 313--332 (2009; Zbl 1239.94052)].