by infraruby 3236 days ago
> You could "weaken" a protocol so that attackers can replace an original plaintext with 16 uniform random bits. If the protocol is using CBC mode, you've allowed attackers to recover whole plaintexts.

Do you have a link explaining this?


I'm describing the CBC padding oracle attack.

I'm surprised this is the thing you want the link for, and not "1 biased bit destroys the security of a 256 bit nonce where the other 255 bits come from secure random".

> I'm describing the CBC padding oracle attack.

Ah! Wouldn't that be "attackers can replace an original ciphertext with two chosen blocks"?

> I'm surprised this is the thing you want the link for, and not "1 biased bit destroys the security of a 256 bit nonce where the other 255 bits come from secure random".

IIRC the link for that is in your hiring post!
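Added example, not part of this thread or anyone's post in it, illustrating the structural point behind the CBC padding oracle exchange above (the "recover whole plaintexts" claim and the "two chosen blocks" follow-up): a receiver that unpads CBC output before authenticating it answers a tampered ciphertext with two distinguishable failures, "bad padding" and "bad mac", and that distinction is the oracle. The hardened receiver authenticates IV and ciphertext first (encrypt-then-MAC), so the padding code never runs on attacker-controlled bytes and every tampered message gets the same rejection. The block cipher here is a stand-in toy (XOR with a key-derived block, its own inverse, not secure) so the code runs offline with the standard library only; the keys, IV and plaintext are constructed values.

```python
import hashlib
import hmac

BLOCK = 16


def _toy_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for a real block cipher (assumption, NOT secure): XOR with a
    key-derived block. It is its own inverse, which is all CBC needs here."""
    ks = hashlib.sha256(b"toy-block|" + key).digest()[:BLOCK]
    return bytes(a ^ b for a, b in zip(block, ks))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = bytearray(), iv
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = _toy_block(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt_raw(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(_toy_block(key, blk), prev)
        prev = blk
    return bytes(out)


# Vulnerable shape: MAC over the plaintext, checked only AFTER unpadding.
def vulnerable_seal(enc_key, mac_key, iv, pt):
    return cbc_encrypt(enc_key, iv, pt), hmac.new(mac_key, pt, hashlib.sha256).digest()


def vulnerable_open(enc_key, mac_key, iv, ct, tag):
    pt = pkcs7_unpad(cbc_decrypt_raw(enc_key, iv, ct))  # "bad padding" escapes first
    if not hmac.compare_digest(hmac.new(mac_key, pt, hashlib.sha256).digest(), tag):
        raise ValueError("bad mac")
    return pt


# Hardened shape: encrypt-then-MAC over IV || ciphertext, verified before decrypting.
def hardened_seal(enc_key, mac_key, iv, pt):
    ct = cbc_encrypt(enc_key, iv, pt)
    return ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def hardened_open(enc_key, mac_key, iv, ct, tag):
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
        raise ValueError("rejected")  # padding code is never reached on tampered input
    return pkcs7_unpad(cbc_decrypt_raw(enc_key, iv, ct))


def observe(opener, enc_key, mac_key, iv, ct, tag) -> str:
    """What a network peer would see: success or the error string."""
    try:
        opener(enc_key, mac_key, iv, ct, tag)
        return "ok"
    except ValueError as exc:
        return str(exc)


def demo():
    enc_key, mac_key = b"k" * 16, b"m" * 16   # constructed keys
    iv = bytes(range(16))                     # constructed IV
    pt = b"hello"                             # padded with 11 bytes of 0x0b
    results = {}
    for name, seal, opener in (("vulnerable", vulnerable_seal, vulnerable_open),
                               ("hardened", hardened_seal, hardened_open)):
        ct, tag = seal(enc_key, mac_key, iv, pt)
        # Flipping IV bits changes the first plaintext block directly in CBC.
        valid_pad_iv = iv[:-1] + bytes([iv[-1] ^ 0x0B ^ 0x01])  # last byte becomes 0x01
        bad_pad_iv = iv[:-1] + bytes([iv[-1] ^ 0xFF])           # last byte becomes 0xF4
        results[name] = (
            observe(opener, enc_key, mac_key, iv, ct, tag),
            observe(opener, enc_key, mac_key, valid_pad_iv, ct, tag),
            observe(opener, enc_key, mac_key, bad_pad_iv, ct, tag),
        )
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

`demo()` returns `("ok", "bad mac", "bad padding")` for the vulnerable receiver and `("ok", "rejected", "rejected")` for the hardened one. The fix is structural rather than cosmetic: collapsing the two error strings into one is not enough on its own, because the padding branch still runs on forged input and its timing can leak the same bit; authenticating before decrypting removes the branch entirely, and an AEAD mode (AES-GCM or ChaCha20-Poly1305) gives the same property without hand-assembled MAC ordering.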