Provable security just gives you this warm fuzzy feeling of cryptography you can rely on.
The flag is encrypted in ECB mode, and the service provides us with an encryption/decryption oracle in OCB mode.
- Construct some plaintext/ciphertext pairs.
- Forge last block and tag.
- Decrypt the flag.
So, what's wrong?
It turns out that the code is actually OCB2, and an attack on it was published recently.
Using the method in the paper, we can decrypt the flag.
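The forging step, as an added example rather than the author's script: OCB2 over whole blocks with no associated data, followed by the minimal forgery from Inoue and Minematsu's OCB2 analysis, which is assumed here to be the paper the write-up means. The 4-round Feistel `E`/`D` is a toy stand-in for AES, and the key, nonce and message are constructed values.

```python
import hashlib, hmac

N = 16                              # block size in bytes (n = 128 bits)
LEN128 = (128).to_bytes(N, "big")   # len(0^n): encoded bit length of a full block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def dbl(b):                         # multiply by 2 in GF(2^128), as OCB2's offsets do
    v = int.from_bytes(b, "big") << 1
    return ((v ^ 0x87) & ((1 << 128) - 1) if v >> 128 else v).to_bytes(N, "big")

def feistel(key, blk, rounds):      # toy Feistel PRP standing in for AES (assumption)
    l, r = blk[:8], blk[8:]
    for i in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest())
    return r + l

def E(key, blk): return feistel(key, blk, (0, 1, 2, 3))
def D(key, blk): return feistel(key, blk, (3, 2, 1, 0))

def ocb2(key, nonce, data, decrypt=False):
    """OCB2 over whole blocks, no associated data. Returns (output, expected_tag)."""
    blocks = [data[i:i + N] for i in range(0, len(data), N)]
    delta, sigma, out = E(key, nonce), bytes(N), b""
    for b in blocks[:-1]:
        delta = dbl(delta)
        o = xor(delta, (D if decrypt else E)(key, xor(delta, b)))
        sigma, out = xor(sigma, o if decrypt else b), out + o
    delta = dbl(delta)
    last = xor(blocks[-1], E(key, xor(delta, LEN128)))   # final block: XOR with Pad
    sigma = xor(sigma, last if decrypt else blocks[-1])  # checksum is over plaintext
    return out + last, E(key, xor(xor(dbl(delta), delta), sigma))

def ocb2_decrypt(key, nonce, ct, tag):
    pt, expected = ocb2(key, nonce, ct, decrypt=True)
    return pt if hmac.compare_digest(expected, tag) else None

def minimal_forgery(msg, ct):
    """Needs one honest pair whose first plaintext block equals len(0^n); no key."""
    return xor(ct[:N], LEN128), xor(msg[N:2 * N], ct[N:2 * N])

def demo(key=b"K" * 16, nonce=b"constructed-nonc"):
    msg = LEN128 + b"any 16 byte blk."          # constructed two-block plaintext
    ct, tag = ocb2(key, nonce, msg)
    forged_ct, forged_tag = minimal_forgery(msg, ct)
    recovered = ocb2_decrypt(key, nonce, forged_ct, forged_tag)
    two_l = dbl(E(key, nonce))      # key holder's view, used only to check the leak
    return recovered is not None, recovered == xor(two_l, LEN128)
```

`demo()` returns `(True, True)`: the one-block ciphertext verifies although it was never produced by the key holder, and its decryption equals 2L xor len(0^n), which exposes the nonce-dependent mask. The same check fails against OCB3 (RFC 7253), which this attack does not affect.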
Here's the script.