
5.12 (Repeating ciphertexts). Let $\mathcal{E} = (E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. Assume that there are at least two messages in $\mathcal{M}$, that all messages have the same length, and that we can efficiently generate messages in $\mathcal{M}$ uniformly at random. Show that if $\mathcal{E}$ is CPA secure, then it is infeasible for an adversary to make an encryptor generate the same ciphertext twice. The precise attack game is as follows. The challenger chooses $k \in \mathcal{K}$ at random and the adversary makes a series of queries; the $i$th query is a message $m_i$, to which the challenger responds with $c_i\overset{R}{\leftarrow} E(k, m_i)$. The adversary wins the game if any two $c_i$’s are the same. Show that if $\mathcal{E}$ is CPA secure, then every efficient adversary wins this game with negligible probability. In particular, show that the advantage of any adversary $A$ in winning the repeated-ciphertext attack game is at most $2\epsilon$, where $\epsilon$ is the advantage of an adversary $B$ (which is an elementary wrapper around $A$) that breaks the scheme’s CPA security.

I'm going to change my research field from coding theory to cryptography. Here is a problem from the book "A Graduate Course in Applied Cryptography" that confused me for days.

This problem requires us to make a reduction from CPA security to "repeated-ciphertext security". Actually, I don't know how, when the adversary $\mathcal A$ finds a repeated ciphertext, the elementary wrapper $\mathcal B$ would use it to gain its CPA advantage over this probabilistic cipher. Could anyone help to give a reduction for it? Thank you.

Maarten Bodewes

2 Answers


Here is my intuition for the reduction. Suppose $m_i$ and $m_j$ give the same ciphertext $C = c_i = c_j$. By the correctness of the encryption scheme, it's necessary that $m_i = m_j$. Let $M_0 = m_i = m_j$. To break IND-CPA, pick any $M_1 \neq M_0$ and send $(M_0, M_1)$ to the challenger. If the secret bit is $b = 0$, there's a non-negligible chance that the challenge ciphertext is again $C$. (The intuition for this is that if it's negligible, you probably wouldn't have seen it give a repeating ciphertext before.) If the secret bit is $b = 1$, the challenge ciphertext would be different from $C$ with probability 1 by the correctness of the scheme. If the challenge ciphertext is $C$, output 0, else output 1. The adversarial advantage is the non-negligible probability mentioned before.

Myath
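As an added illustration (my own construction, not code from the answer above or from the book), here is a simulation of one wrapper $\mathcal B$ of the kind the exercise asks for. Instead of waiting for a collision and then asking one more challenge, this $\mathcal B$ relays every query $m_i$ of $\mathcal A$ as the left-or-right pair $(m_i, r_i)$ with a fresh uniformly random $r_i$; by correctness, two equal ciphertexts at indices with $r_i \neq r_j$ can only have come from the left-hand messages, so $\mathcal B$ answers "left" exactly then. The four-message space, the XOR toy cipher (deterministic, hence not CPA secure) and the 8-query adversary are constructed for the demo.

```python
import secrets

# Constructed message space: four one-byte messages of equal length (|M| >= 2).
MESSAGES = [bytes([i]) for i in range(4)]

def random_message():
    return secrets.choice(MESSAGES)

class ToyDeterministicCipher:
    """Constructed toy cipher E(k, m) = m XOR k. Deterministic, hence not CPA
    secure; it makes the repeat-ciphertext adversary win with certainty."""
    def __init__(self):
        self.k = secrets.token_bytes(1)
    def encrypt(self, m):
        return bytes(x ^ y for x, y in zip(m, self.k))

def adversary_a(encrypt, num_queries=8):
    """A: queries random messages and reports whether any two ciphertexts repeat."""
    seen = [encrypt(random_message()) for _ in range(num_queries)]
    return len(set(seen)) < len(seen)

def guess_from_transcript(transcript):
    """B's decision rule over (r_i, c_i) pairs: a repeated ciphertext at indices
    whose right-hand messages differ cannot occur in the 'right' world
    (correctness), so answer 0 ('left'); otherwise answer 1 ('right')."""
    for i in range(len(transcript)):
        for j in range(i + 1, len(transcript)):
            (ri, ci), (rj, cj) = transcript[i], transcript[j]
            if ci == cj and ri != rj:
                return 0
    return 1

def wrapper_b(lr_oracle):
    """B: runs A, relaying each query m_i as the LR pair (m_i, r_i), r_i uniform."""
    transcript = []
    def encrypt(m):
        r = random_message()
        c = lr_oracle(m, r)
        transcript.append((r, c))
        return c
    adversary_a(encrypt)
    return guess_from_transcript(transcript)

def run_cpa_game(b):
    """CPA challenger with secret bit b: answers (m0, m1) with E(k, m_b)."""
    cipher = ToyDeterministicCipher()
    return wrapper_b(lambda m0, m1: cipher.encrypt((m0, m1)[b]))

def estimate_advantage(trials=200):
    """|Pr[B outputs 0 | b=0] - Pr[B outputs 0 | b=1]|, B's CPA advantage."""
    p0 = sum(run_cpa_game(0) == 0 for _ in range(trials)) / trials
    p1 = sum(run_cpa_game(1) == 0 for _ in range(trials)) / trials
    return abs(p0 - p1)
```

In the "right" world B never answers 0, so its advantage is exactly $\Pr[\text{repeat in the real game}] \cdot \Pr[r_i \neq r_j] \ge \tfrac{1}{2}\Pr[\text{repeat}]$ because $|\mathcal M| \ge 2$, which is where the factor 2 in the exercise's $2\epsilon$ bound comes from.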

Quoting the question:

Actually I don't know: when the adversary A finds repeated ciphertext, how the elementary wrapper B would use it to gain its CPA-advantage over this probabilistic cipher

IND-CPA implies that the encryption gives no information about any plaintext. Because decryption is a deterministic process (unlike CPA-secure encryption, which is probabilistic), seeing the same ciphertext twice categorically means that they correspond to the same plaintext, which itself is an important piece of information about the plaintext.

Taking this backwards: if an algorithm is CPA-secure, encryption should give no information about the plaintext, thus making the event of seeing the same ciphertext an improbable event (i.e. negligible).

DannyNiu