Self$-$referential encryption. Normally, encryption is used only on messages that are

independent of the secret key, thus security guarantee implicitly assumes this. However, situations may

arise due to careless key management, for example a backup system may store the backup encryption key

on disk and then encrypt the entire disk, including the key, and backup the result. Another example

is the BitLocker disk encryption utility $($used in WindowsVista$)$ where the disk encryption key can end

up on disk and be encrypted along with the disk contents. In those cases, adversary obtains normal

ciphertext c that encrypting some content, as well as a special token c $=$ Enc$($k; k$)($using the same key

to encrypt the key itself as a message$).$ It might be possible to specially design encryption and strengthen

the security to handle this, but conventional encryptions may not be safe to be directly used this way.

Design an IND$-$CPA secure encryption that can be easily broken when used this way, and brie

y

analyze why it is IND$-$CPA secure when c is not present, and why it is broken when c is also given.

$($Hint: you do not need to worry about any mathematical details, just use an IND$-$CPA encryption as a

blackbox and modify a bit$).$