A Modified Blum-Goldwasser resistant to chosen ciphertext attack

A Modified Blum-Goldwasser resistant to chosen ciphertext attack.

I have added a change that I believe makes Blum-Goldwasser resistant to chosen ciphertext attack and a couple of orders of magnitude faster.

Key generation is the same.

n is the public key. p and q are the Blum integers that create n. a, b, p, q are the trapdoor information that makes the private key.

n= p*q where p and q are large, random and distinct primes congruent to 3 modulo 4

a and b are integers ap + bp = 1 (mod n)
n is the public key .
p, q, a, b is the private key

Sending a message to the owner of the public key n has changed

the message is m(i)
get the public key n
choose a large random number r such that 1 < r < n
x(0) = r**2 mod n
repeat as necessary
x(i) = x(i-1)**2
c(i) = h(x(i)) XOR m(i) 'where h() is a a non-invertible (preimage resistant) hash function
send c, x(i+1) to the private key holder

Decryption uses the trapdoor information to recover x(0) as per normal Blum-Goldwasser. The message is recovered by

m(i)= h(x(i)) XOR c(i)

This is computationally secure providing that
1).factoring n is infeasible and
2).it is infeasible to invert the hash function.

I can see no reason not to use the entire value of x(i) as input to the hash function. In fact quite the opposite. Use only the “secure” few bits of x(i) to feed the hash function makes the encryption vulnerable to a dictionary attack.

If the hash function is secure the entire hash function output can be used and not give away information about the private key. Speed is greatly improved by using the entire output of a hash function.

Or not?
I am concerned about having overlooked something (probably simple) or reinventing the wheel. So comments are appreciated.

David Eather