Let (E,D) be an AE-secure cipher (remember that AE =authenticated encryption).
Show that the following derived cipher is not AE-secure where kis the key:
Hints: Remember that AE-security implies chosen-ciphertextsecurity. Also, note that the encryption algorithm āEā isprobabilistic, and therefore each computation of āE(k,m)ā (as inthe above scheme) results in a different ciphertext (withoverwhelming probability), and therefore we have c1 ? c2 withoverwhelming probability.
D(k,c if D(k,c) D(k,ca) reject otherwise Show transcribed image text
Expert Answer
An answer will be send to you shortly. . . . .