In this problem, we demonstrate that for CMAC, a variant that XORs the second key after applying the final encryption doesn't work. Let us consider this for the case of the message being an integer multiple of the block size. Then, the variant can be expressed as \(\operatorname{VMAC}(K, M)=\mathrm{CBC}(K, M) \oplus K_{1}\). Now suppose an adversary is able to ask for the MACs of three messages: the message \(\mathbf{0}=0^{n}\), where \(n\) is the cipher block size; the message \(\mathbf{1}=1^{n}\); and the message \(\mathbf{1} \| \mathbf{0}\). As a result of these three queries, the adversary gets \(T_{0}=\mathrm{CBC}(K, \mathbf{0}) \oplus K_{1} ; T_{1}=\mathrm{CBC}(K, \mathbf{1}) \oplus K_{1}\) and \(T_{2}=\mathrm{CBC}(K,[C B C(K, 1)]) \oplus K_{1}\). Show that the adversary can compute the correct MAC for the (unqueried) message \(\mathbf{0} \|\left(T_{0} \oplus T_{1}ight)\).