Consider the following modified version of padded RSA encryption: Assume messages to be encrypted have length exactly [|iV||/2. To encrypt, first compute m:= 0x00||r 0x00||m where r is a uniform string of length ||N||/2 - 16. Then compute the ciphertext c:= [rrfmodN], When decrypting a ci-phertext c, the receiver computes m:= [cdmodN] and returns an error of m does not consist of 0x00 followed by ||N||/2 - 16 arbitrary bits followed by 0x00. Show that this scheme is not CCA-secure. Why is it easier to construct a chosen-ciphertext attack on this scheme than on PKCS #1 v1.5