CBC Bitflipping Attack

CBC decryption computes:

Pi = Dec(Ci) XOR C(i-1)

If an attacker can modify C(i-1), they can flip arbitrary bits in Pi.

You are given:

• prevCipher: the previous ciphertext block (C(i-1)).
• origPlain: the original plaintext block (Pi).
• targetPlain: the desired plaintext block.

Compute a forged previous block prevCipher' such that decrypting Ci yields targetPlain.

Function signature

func ForgeCBCBlock(prevCipher, origPlain, targetPlain [16]byte) [16]byte

Notes

• The correct formula is: prevCipher' = prevCipher XOR origPlain XOR targetPlain.
• This illustrates why CBC is malleable without authentication.