91Ó°ÊÓ

CBC and OFB modes are malleable in very different ways. For that reason, Mallory claims that encrypting a plaintext (independently) with both modes results in CCA security, when the Dec algorithm rejects ciphertexts whose OFB and CBC plaintexts don't match. The reasoning is that it will be hard to tamper with both ciphertexts in a way that achieves the same effect on the plaintext. Let \(\mathrm{CBC}\) denote the encryption scheme obtained by using a secure PRF in \(\mathrm{CBC}\) mode. Let OFB denote the encryption scheme obtained by using a secure PRF in OFB mode. Below we define an encryption scheme \(\Sigma^{\prime}:\) Show that \(\Sigma^{\prime}\) does not have CCA security. Describe a distinguisher and compute its distinguishing advantage.