For any block cipher, the fact that it is a nonlinear function is crucial to its security. To see this, suppose that we have a linear block cipher EL that encrypts 128-bit blocks of plaintext into 128-bit blocks of ciphertext. Let \(\operatorname{EL}(k, m)\) denote the encryption of a 128-bit message \(m\) under a key \(k\) (the actual bit length of \(k\) is irrelevant). Thus,

\[\mathrm{EL}\left(k,\left[m_{1} \oplus m_{2}ight]ight)=\mathrm{EL}\left(k, m_{1}ight) \oplus \mathrm{EL}\left(k, m_{2}ight) \text { for all 128-bit patterns } m_{1}, m_{2}\]

Describe how, with 128 chosen ciphertexts, an adversary can decrypt any ciphertext without knowledge of the secret key \(k\). (A "chosen ciphertext" means that an adversary has the ability to choose a ciphertext and then obtain its decryption. Here, you have 128 plaintext/ciphertext pairs to work with and you have the ability to chose the value of the ciphertexts.)

Note: The following problems refer to simplified DES, described in Appendix G.