To encrypt a group element $P$ with public key $K$ and randomness $r$ using ElGamal on elliptic curves with base point $G$ we do the following $(c_1, c_2) = (r\cdot G; P+r\cdot K)$.

When we want to encrypt a free-form message $m$, we have to convert it to a group element $P$ first. For that, we can either use scalar multiplication $P=m\cdot G$ (additively homomorphic) or map the message $P = map(m)$ (multiplicative homomorphic). The former gives *not just a point*, but a group element. The latter is more complicated.

All methods I found map a message to a curve point (Koblitz's approach, its variant, injective encoding article). However, there is no guarantee that the resulting point belongs to the cyclic group (i.e. has the right order).

So using **encoding to just EC point** results in **not semantically securing ElGamal**. It's basically similar to leaking if the message is a quadratic residue or not when using $G_q$ over finite fields with $p = 2q+1$ and messages from $Z_p^*$ without encoding (details about why the leakage happens are here or here).

Is there any way to encode a random message to the EC point of the correct order (i.e. group element)? Is there a way to convert EC point to a group element?