Suppose an adversary wins IND-CPA against ElGamal,
- They're given public key $h=g^x$,
- Give a pair of messages $m = [m0,m1]$,
- Get back ciphertext $(a,b) = (g^r, g^{xr} \cdot g^{m[b]})$,
from which they determine $b$ with probability better than guessing (plus some negligible probability):
How can such an adversary be used to solve DDH?
Katz & Lindell (Introduction to Modern Cryptography), Shoup (Sequences of Games), et al., present game hopping proofs whereby an adversary's advantage in IND-CPA against ElGamal is transferred to an advantage against some ElGamal variant with uniformly-distributed group elements in place of ciphertexts: That's the aspect I don't follow; I'll hone in on my confusion below, other solutions may also exist. (Above and below I use $g^m$, whilst Katz & Lindell use $m$, this seems irrelevant.)
Katz & Lindell introduce adversary $\mathcal A$ with advantage $\epsilon(n)$ against IND-CPA of ElGamal, and consider a variant of ElGamal which outputs ciphertexts $(g^r, g^z \cdot g^m)$, i.e., a variant in which "the second component of the ciphertext...is a uniformly-distributed group element...independent of the message $m$...The first component of the ciphertext is trivially independent of $m$. Taken together...the entire ciphertext contains no information about $m$." This I understand. Next they assert the advantage of $\mathcal A$ against the ElGamal variant is $\frac{1}{2}$, I don't follow this inference.
Perhaps the inference is simply: The advantage of any algorithm $\mathcal B$ against the ElGamal variant is $\frac{1}{2}$. Intuitively, always returning zero results in success half the time, as does always returning one at the other extreme, as does any alternative strategy—the ElGamal variant delivers perfect secrecy.
