a = Problem 2. A tweakable blockcipher (TBC) is a mapping &: {0,1}* xT {0,1}" + {0,1}" with the property that, for each tweak T E T and key K {0,1}", the mapping Eko) = E(K, T, :) is a permutation. Looked at another way, once the key K is fixed, the family {RO}tet is a blockcipher: changing the tweak (with a fixed key K) gives a potentially new permutation. For example, if T = {0, 1}" and E: {0,1}* * {0,1}" + {0,1}" is a blockcipher, the mapping F(X)= Ek(XT) is a TBC; so is the mapping &R (X) = Ek(X)^T. The security notion for a TBC is defined by the tweakable PRP experiment Exp PIP(A). It is the same as the normal PRP experiment, except in the oracle behavior. In the TPRP experiment, the adversary A is given an oracle OC:-) that, on input (T, X) Tx {0,1}", returns K (X) if the challenge bit b = 1; otherwise, it returns at(X) where {at}TeT is a family of independent, random permutations, each sampled from Perm(n). As in the normal PRP experiment, the adversary's goal is to guess the value of the challenge bit, i.e., with which oracle it has interacted. Repeated queries are pointless in this experiment; however, asking (T, X) and (T, X') for X #X', or (T, X) and (T', X) for T # T' is not pointless. The advantage of adversary A in the tweakable-PRP experiment is AdvPP(A) = 2Pr ExpPpP(A) (A) = 1] -1. . (b) Let T C {0,1}*, let E: {0,1} x {0,1}" +{0,1}" be a blockcipher, and let H:{0,1}* * {0,1}* +{0,1}" be a hash function. Prove that the TBC : ({0,1}* * {0,1}") x Tx {0,1}" + {0,1}" defined by K1,K2(X) = Eki(X + HK2(T)) is a secure tweakable-PRP, under the assump- tion that blockcipher E is a secure PRP, and hash function H is -XOR-AU, i.e. for all T #T' and Y {0,1}" we have Pr [K2 $ {0,114: H x2(T) # Hk2(T') =Y]. (Note that when you fix Y