Taken from
Cambridge University Press 0521830842 - Foundations of Cryptography: Basic Applications, Volume 2 CHAPTER FIVE - Encryption Schemes
which can be downloaded here
Notation. In the rest of this text, we write $E_e(\alpha)$ instead of $E(e, \alpha)$ and $D_d(\beta)$ instead of $D(d, \beta)$. Sometimes, when there is little risk of confusion, we drop these subscripts. Also, we let $G_1(1^n)$ (resp., $G_2(1^n)$) denote the first (resp., second) element in the pair $G(1^n)$. That is, $G(1^n) = (G_1(1^n), G_2(1^n))$. Without loss of generality, we may assume that $|G_1(1^n)|$ and $|G_2(1^n)|$ are polynomially related to $n$, and that each of these integers can be efficiently computed from the other. (In fact, we may even assume that $|G_1(1^n)| = |G_2(1^n)| = n$; see Exercise 6.)