(a) Give a formal definition of a block cipher. Your answer should make reference to the block size n and the key size k.. (b) Explain why block ciphers are usually used in modes of operation. (c) Describe the Electronic Code Book (ECB) mode of operation, using a diagram to illustrate your answer if you wish.[2 marks] (d) Explain what the main security limitation of ECB mode is. Illustrate your answer with reference to a specific example.[4 marks] (i) Draw a diagram to illustrate the encryption algorithm of this mode. (ii) Write down equations, similar to those above for encryption, that describe thedecryption operation for CBC mode.[2 marks] (f) The XML encryption scheme operates on byte-oriented data and uses the following padding method for CBC mode: at least 1 byte of padding is always appended to the raw message M, and at most one complete block of padding is appended; if s bytes of padding are needed for some s > 1, then appends - 1 random bytes to M followed by the byte encoding of integer s. So, for example, if s = 1, then the padding appended to the message M is just 0x01, while if s = 2, then a random byte followed by 0x02 is appended, and so on. (i) Explain in detail, using pseudo-code, how a typical implementation would re-move the padding from a plain text to recover M for this padding scheme. Your pseudo-code should work for general block sizes, and you should use a variable name block size in your pseudo-code to reflect this. Your pseudo-code should also generate an error message "padding error" if the padding is in-valid in some way. (Hint: your pseudo-code should check that the number of padding bytes does not exceed the maximum possible value that is implied by there being at most one complete block of padding.)[4 marks] (ii) A simplified version of XML permits bytes of any value to occur in messages M except for 0x00. After CBC mode decryption and padding removal, a simplified XML implementation checks whether the resulting message M contains byte value 0x00. If a byte with this value is found in any position of M, then the implementation returns an error string "parsing error", otherwise normal XML processing continues (and no error is returned).Now suppose you have a target block of cipher text C that is known to correspond to a full message block P* (that is, P* is a plain text block entirely from M, not containing any padding). Suppose you also know C+₁, the cipher textblock preceding C".-15

(iii) By modifying delta in other positions, or otherwise, show how to recover the value of the last byte of plain text (the padding byte) in the cipher text IV*, C* that you obtained in the previous part of the question. (Hint: consider modifying IV* by all possible XOR offsets in each position and requesting decryptions. One offset will produce 0x00 in the plaintext in position j. Does this cause a parsing error or not?) (iv) By further modifying the ciphertext IV*,C", or otherwise, sketch how you would recover the complete plaintext block P. (Hint: consider modifying IV*so that the padding byte now contains 0x01, and then doing a similar analysis to that in the previous part.)