Hi,

I saw a construction that given CPA secure encryption scheme, you construct a MAC scheme as follows:

$Auth_{sk}(m) = Enc_{sk}(m)$

The question was either it's secure or not.

The answer that it's not, and the solution was to create a new encryption scheme E' such that for every key (sk) the text $0^n$ is encoded to $0^n$ with some negligible probability. Then, an adversary can simply generate $(0^n, 0^n)$ as a forgery.

I don't see why this is correct, because it will only happen with negligible probability (by the definition of E').

What am I missing here?

Thanks!