# Question

Show that CBC encryption where the IV is random but known in advance is not indistinguishable under chosen plaintext attack. Directions: assume the attacker sees the ciphertext blocks c1, c2 resulting from CBC encryption of plaintext messages m1, m2. Furthermore, the attacker is now given a random value I, to be used in CBC encryption of a message X that the attacker can choose. The attacker is given the result of that encryption; e.g., if X is exactly one block long, then the attacker is given the output of E(X ⊕ I). Show that this allows the attacker to find if m2 is a block of all zeros or a block of all 1 bits. Conclude that such CBC encryption is not CPA-IND.
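
The game described in the question, as an added example that is not part of the original question: Python, with a toy Feistel permutation built from SHA-256 standing in for the block cipher E (an assumption; any block cipher behaves the same way here). The names `Challenger`, `distinguish` and `play` are hypothetical.

```python
import hashlib
import os

BLOCK = 16  # bytes per block
ZEROS, ONES = bytes(BLOCK), b"\xff" * BLOCK

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    """Toy 4-round Feistel permutation standing in for the block cipher E."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_encrypt(key, iv, blocks):
    """CBC mode: c_i = E(m_i xor c_{i-1}), with c_0 = IV."""
    out, prev = [], iv
    for m in blocks:
        prev = E(key, xor(m, prev))
        out.append(prev)
    return out

class Challenger:
    """Holds the secret key and announces each IV before the message is chosen."""
    def __init__(self):
        self.key = os.urandom(16)

    def next_iv(self):
        self._iv = os.urandom(BLOCK)
        return self._iv

    def encrypt(self, blocks):
        return cbc_encrypt(self.key, self._iv, blocks)

def distinguish(c1, c2, challenger):
    """Decide whether m2 was ZEROS or ONES with one chosen-plaintext query."""
    I = challenger.next_iv()          # random IV, but known before X is chosen
    X = xor(xor(I, c1), ZEROS)        # chosen so that X xor I == c1 xor guess
    (c,) = challenger.encrypt([X])    # c = E(X xor I) = E(c1 xor ZEROS)
    return ZEROS if c == c2 else ONES # c2 = E(m2 xor c1); E is a permutation

def play(m2):
    """Run one game with a random m1 (constructed input) and the given m2."""
    ch = Challenger()
    ch.next_iv()
    c1, c2 = ch.encrypt([os.urandom(BLOCK), m2])
    return distinguish(c1, c2, ch)
```

The distinguisher is always right because E is deterministic and injective, so CBC is CPA-secure only when the IV is unpredictable until after the plaintext has been fixed.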