Alice is trying to decide between two different block ciphers, FOO and BAR, for her application. Both FOO and BAR have the same block size and key length: {0,1}n{0,1}l{0,1}l She's confident that at least one of them is secure, in that it doesn't have known vulnerabilities (beyond exhaustive key search), but isn't sure which of the two it is. As a hedge, she decides to combine them into a single new block cipher BAZ, that is also {0,1}k{0,1}l{0,1}l and is defined for all x,y{0,1}l and all K{0,1}k as: BAZK(x)BAZK1(y)=FOOK(BARK(x))=BARK1(FOOK1(y)) Lecturer: Sasha Boldyreva 1 Homework 2 CS6260: Applied Cryptography Alice finds its performance to be acceptable, but is BAZ a sound design from a security point of view? Find a convincing argument that BAZ can be insecure. (This can be shown even for the case when both blockciphers are secure.) Also, suggest a better design (no formal proof of security is required). Hint: I know of only one solution, for which I cannot give additional hints