Let (E,D) be an AE-secure cipher (remember that AE = authenticated encryption). Show that the following derived cipher is not AE-secure:

E1(k,m) = ( E(k,m) , E(k,m) ) = (c1,c2) ; D2 = ( k , (c1,c2) ) = D(k,c1), if D(k,c1) = D(k,c2) | reject otherwise

Hints: Remember that AE-security implies chosen-ciphertext security. Also, note that the encryption algorithm E is probabilistic, and therefore each computation of E(k,m) (as in the above scheme) results in a different ciphertext (with overwhelming probability), and therefore we have c1 ? c2 with overwhelming probability.