Let (E,D) be an AE-secure cipher (remember that AE = authenticated encryption).

Show that the following derived cipher is not AE-secure where k is the key:

Hints: Remember that AE-security implies chosen-ciphertext security. Also, note that the encryption algorithm E is probabilistic, and therefore each computation of E(k,m) (as in the above scheme) results in a different ciphertext (with overwhelming probability), and therefore we have c1 ? c2 with overwhelming probability.

D(k,c if D(k,c) D(k,ca) reject otherwise D(k,c if D(k,c) D(k,ca) reject otherwise