In this problem, we demonstrate that for CMAC, a variant that XORs the second key after applying the final encryption doesn't work. Let us consider this for the case of the message being an integer multiple of the block size. Then, the variant can be expressed as VMAC(K, M) CBC(KM) ? K. Now suppose an adver- sary is able to ask for the MACs of three messages: the message 00", where n is the cipher block size; the message 1-; and the message 10. As a result of these three queries, the adversary gets ???CBC(K, 0) ? K?; T-CBCK. 1) ? K and T; = CBCK. [CBC(K, 1)]) K. Show that the adversary can compute the correct MAC for the (unque ried) message ? (T?T?). 12.4 In this problem, we demonstrate that for CMAC, a variant that XORs the second key after applying the final encryption doesn't work. Let us consider this for the case of the message being an integer multiple of the block size. Then, the variant can be expressed as VMAC(K, M) CBC(KM) ? K. Now suppose an adver- sary is able to ask for the MACs of three messages: the message 00", where n is the cipher block size; the message 1-; and the message 10. As a result of these three queries, the adversary gets ???CBC(K, 0) ? K?; T-CBCK. 1) ? K and T; = CBCK. [CBC(K, 1)]) K. Show that the adversary can compute the correct MAC for the (unque ried) message ? (T?T?). 12.4