-%% I suspect David will want to put some negative results here, and complain
-%% about Alkassar et al.'s alleged proof. I'll press on with the positive
-%% stuff.
-%%
-%% The problems come when $t < \ell$. Then C-mode isn't necessarily secure
-%% (well, we get a similar bound with $t$ instead of $\ell$, which isn't very
-%% impressive). The L-mode needs careful selection of the initial IV.
+Consider for a moment the mode CFBL, i.e., with carry-over of IV from one
+plaintext to the next, with $t < \ell$. Then we find that some IVs are
+weak.
+
+Pretend for a moment that we're an adversary playing the LOR-CPA game using
+an ideal random function $F \inr \Func{\ell}{t}$, and that the initial IV
+$V_0 = 0^\ell$. We choose two distinct 8-bit plaintexts $l$ and $r$ as our
+first left-or-right query. With probability $2^{-t}$, the result of
+encrypting that first query is $0^t$. However, in this case, the IV for the
+\emph{next} query is $V_0 \shift{t} 0^t = 0^\ell = V_0$. If this happens,
+we have only to submit the pair $(l, l)$ as our second query. If the
+ciphertext to this second query also comes back zero, we guess that we're
+dealing with a left oracle; otherwise we guess right. If we don't get lucky
+with our first query, we just guess randomly.
+
+\begin{figure}
+ \begin{program}
+ Adversary $S^{E(\cdot, \cdot)}$: \+ \\
+ $l \gets 0^t$; $r \gets 0^{t - 1} 1$; \\
+ $y \gets E(l, r)$; \\
+ \IF $y[\ell \bitsto \ell + t] = 0^t$ \THEN \\ \ind
+ \IF $E(l, l) = y$ \THEN $b \gets 0$ \ELSE $b \gets 1$; \- \\
+ \ELSE \\ \ind
+ $b \getsr \{0, 1\}$; \- \\
+ \RETURN $b$;
+ \end{program}
+ \caption{Adversary $S$ attacking $\Xid{\E}{CFBL}^{\Func{\ell}{t}, 0^\ell}$}
+ \label{fig:adv-sliding}
+\end{figure}
+
+This attack is shown more formally as adversary~$S$ in
+figure~\ref{fig:adv-sliding}. Its resource usage is almost trivial --
+negligible computation and at most two encryption queries. However, its
+advantage is quite good:
+\[ \Adv{LOR-CPA}{\Xid{\E}{CFBL}^{\Func{\ell}{t}, 0^\ell}}(S) =
+ \frac{1}{2^t} \biggl( 1 - \frac{1}{2^t} \biggr).
+\]
+
+This attack works because $V_0[t \bitsto \ell] = V_0[0 \bitsto \ell - t]$.
+There are similar attacks for other such relationships. The following
+definition characterizes these kinds of `bad' IVs.
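Review bot: the displayed advantage `\Adv{LOR-CPA}{\Xid{\E}{CFBL}^{\Func{\ell}{t}, 0^\ell}}(S) = \frac{1}{2^t} \biggl( 1 - \frac{1}{2^t} \biggr)` does not seem to follow from adversary $S$ as written; I make it exactly $2^{-t}$. Once the first ciphertext block is $0^t$ the carried-over IV is $0^\ell = V_0$ again, so the second query reuses the same keystream block $F(0^\ell)$: in the left world $E(l, l)$ returns $0^\ell \| 0^t = y$ with certainty, and in the right world it returns $0^\ell \| (l \xor r) \ne y$ with certainty, because $F(0^\ell) = r$ there. There is no $2^{-t}$ chance of a false match on the second query, which is where the $(1 - 2^{-t})$ factor would have to come from; either state the advantage as $2^{-t}$ or weaken the equality to $\ge$ if a lower bound is all that is needed. Separately, the prose says "We choose two distinct 8-bit plaintexts $l$ and $r$" while the figure sets `$l \gets 0^t$; $r \gets 0^{t - 1} 1$;`, i.e. $t$-bit strings; the text should say $t$-bit, and it is worth saying explicitly that $y$ in the check `\IF $y[\ell \bitsto \ell + t] = 0^t$` is the full $(\ell + t)$-bit output with the IV in its first $\ell$ bits, since the prose only speaks of "the ciphertext" coming back zero.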