Cryptography Foundations Solution Exercise 4 4 . 1 The ( In ) security of the ElGamal Public - Key

b) Let RDDH be the system that (when interacting with a distinguisher) outputs a triple (ga, gb, gab) for uniformly distributed a, b ∈ Zq, SDDH the system that outputs (ga, gb, gc) for uniformly distributed a, b, c ∈ Zq, and S ind the system implementing the IND-CPA game for the ElGamal encryption scheme. From a distinguisher D for the bit-guessing problem (S ind, β), we construct a distinguisher D′ for the problem of distinguishing RDDH and SDDH. Upon obtaining a triple (A,B,C), D′ first sends B to D as the public key. When D submits two challenge messages m0 and m1, D ′ chooses a bit β uniformly at random and sends (A,mβ · C) to D. When D issues a bit Z, D′ outputs the bit Z ′ := Z ⊕ β. Note that when D′ interacts with RDDH, it perfectly emulates S ind towards D. Assume D′ interacts with SDDH; in this case, (A,B,C) are uniform and independent, and therefore mβ ·C is distributed uniformly by Exercise 1.2. Moreover, A, B, and mβ ·C are independent since