Alice is trying to decide between two different block ciphers, FOO and BAR, for her application. Both FOO and BAR have the same block size and key length: {0, 1}ⁿ {0, 1}^l {0, 1}^l

Shes confident that at least one of them is secure, in that it doesnt have known vulnerabilities (beyond exhaustive key search), but isnt sure which of the two it is. As a hedge, she decides to combine them into a single new block cipher BAZ, that is also {0, 1}^k {0, 1}^l {0, 1}^l and is defined for all x, y {0, 1}^l and all K {0, 1}^k as: BAZ^K(x) = FOO^K(BAR^K(x)) BAZ₁^K (y) = BAR₁^K (FOO₁^K(y))

Alice finds its performance to be acceptable, but is BAZ a sound design from a security point of view? Find a convincing argument that BAZ can be insecure. (This can be shown even for the case when both blockciphers are secure.) Also, suggest a better design (no formal proof of security is required).