A plaintext message is encrypted using AES with a $256-$bit key in CBC mode, but with an IV of all zeros $($a

common mistake$).$ Then there's a straight decrypt with the correct IV gives back the original message. But an

attacker who does a malleability attack can decrypt the message using a different IV $($modified$)$ where he can

make the output plaintext different from the original encrypted one.

Encryption command:

echo $"2000$ to John" $|$ openssl aes$-256-$cbc $-$nosalt $-$iv $00000000000000000000000000000000-$e $>$ message.enc

A normal decrypt with the correct IV would would be:

openssl aes$-256-$cbc $-$nosalt $-$iv $00000000000000000000000000000000-d$ message.enc

Then what would the attacker replace the IV with to make the decrypted plaintext to output $"8000$ to John"

instead of the original $"2000$ to John".

Explain how this would work, use the CBC formulas to show how an attacker that knows the first character of

the plaintext can modify the IV so that the receiver's decryption will start with any character of the

attacker's choice. Don't just assume an IV of all zeroes $-$ you should describe a general attack, that would

work with any plaintext any any IV$.$

Justify that this works using properties of exclusive$-$or $($XOR$).$ For instance, we know that XOR is associative $($

so $(xo+y)o+z=xo+(yo+z)),$ commutative $($ soxo$+y=yo+x),$ zero is the identity element $($ soxo$+0=x),$ and every element is

its own inverse $($so $xo+x=0.$

Lastly, given this attack what would the modifed IV be for it to output $"8000$ to John"