Indistinguishability under chosen-ciphertext attack (IND-CCA) is now considered the de facto security notion for public-key encryption. However, this sometimes offers a stronger security guarantee than what is needed. In this study, the authors consider a weaker security notion, termed as indistinguishability under plaintext-checking attacks (IND-PCA), in which the adversary has only access to an oracle indicating whether or not a given ciphertext encrypts a given message. After formalising this notion, the authors design a new public-key encryption scheme satisfying it. The new scheme is a variant of the Cramer–Shoup encryption scheme with shorter ciphertexts. Its security is also based on the plain decisional Diffie–Hellman (DDH) assumption. Additionally, the algebraic properties of the new scheme allow proving plaintext knowledge using Groth–Sahai non-interactive zero-knowledge proofs or smooth projective hash functions. Finally, as a concrete application, the authors show that, for many password-based authenticated key exchange (PAKE) schemes in the Bellare–Pointcheval–Rogaway security model, they can safely replace the underlying IND-CCA encryption schemes with their new IND-PCA one. By doing so, they reduce the overall communication complexity of these protocols and obtain the most efficient PAKE schemes to date based on plain DDH.