# HW3

### 1. This problem is about ElGamal encryption and signature schemes. (20 points)

##### (a) Let p = 83 and g = 16 be a generator of $Z^{*}_{83}$. Assume that the public key is (p, g, 60) and the secret key (p, g, 29). Encrypt the plaintext m = 25 and decrypt the ciphertext (56, 13).

##### Answer

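To encrypt the message m = 25, choose a random k with $ 1 \leq k \leq p - 2 $; here let k = 2.

* $ c = (c_1, c_2) = (g^k, m \cdot y^k) = (16^2, 25 \cdot 60^2) = (7, 28) \pmod{83} $

To decrypt a ciphertext $ c = (c_1, c_2) $, compute $ c_1^{-x} c_2 = y^{-k} y^k m = m $. Since $ c_1^{p-1} = 1 \pmod{p} $, the exponent $ -x $ can be replaced by $ p - 1 - x $. For $ (c_1, c_2) = (56, 13) $:

* $ m = 56^{-29} \cdot 13 = 56^{82-29} \cdot 13 = 56^{53} \cdot 13 = 16 \pmod{83} $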

##### Code

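```python
def encrypt(g, y, m, k, mod):
    # c1 = g^k mod p, c2 = m * y^k mod p (modular exponentiation via pow)
    c1 = pow(g, k, mod)
    c2 = m * pow(y, k, mod) % mod
    return (c1, c2)
```

```python
def decrypt(c1, c2, x, mod):
    # x is the secret exponent; c1^(-x) = c1^(p - 1 - x) mod p
    m = pow(c1, mod - 1 - x, mod) * c2 % mod
    return m
```

```python
g = 16
y = 60
m = 25
k = 2
mod = 83
c1, c2 = encrypt(g, y, m, k, mod)
print((c1, c2))
```

```
(7, 28)
```

```python
c1 = 56
c2 = 13
x = 29  # secret key
m = decrypt(c1, c2, x, mod)
print(m)
```

```
16
```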


##### (b) Use the secret key as the signing key to sign the message m = 25. The randomly chosen k is 28. You don’t need to do hashing before signing.

##### Answer

The given k = 28 cannot be used: $ \gcd(k, p - 1) = \gcd(28, 82) = 2 \neq 1 $, so k has no inverse modulo p - 1. Therefore let k = 23.

* $ r = g^k \bmod p = 16^{23} \bmod 83 = 28 $
* $ s = k^{-1} \cdot (m - rx) \bmod (p - 1) = 23^{-1} \cdot (25 - 28 \cdot 29) \bmod 82 = 25 \cdot 33 \bmod 82 = 5 $

```python
(25-28*29)%82
```

```
33
```

##### Code

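```python
def mod_inverse(a, mod):
    # Brute-force search for x with a * x = 1 (mod mod)
    for x in range(1, mod):
        if (a % mod) * x % mod == 1:
            return x
    # No inverse exists when gcd(a, mod) != 1
    raise ValueError("no modular inverse")
```

```python
def get_B(p, a, z):
    # Public value B = a^z mod p for generator a and secret key z
    return pow(a, z, p)
```

```python
def signature(p, a, k, z, m):
    # r = a^k mod p, s = k^(-1) * (m - z*r) mod (p - 1)
    r = pow(a, k, p)
    s = mod_inverse(k, p - 1) * (m - z * r) % (p - 1)
    return (r, s)
```

```python
def verify(p, B, a, m, r, s):
    # The signature is valid when B^r * r^s = a^m (mod p), i.e. v1 == v2
    v1 = pow(B, r, p) * pow(r, s, p) % p
    v2 = pow(a, m, p)
    return (v1, v2)
```

```python
p = 83
a = 16
z = 29
B = get_B(p, a, z)
print(B)
```

```
59
```

```python
k = 23
m = 25
r, s = signature(p, a, k, z, m)
print((r, s))
```

```
(28, 5)
```

```python
v1, v2 = verify(p, B, a, m, r, s)
print((v1, v2))
```

```
(30, 30)
```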
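
The check on k from part (b), written as an added example that is not part of the original notebook: `sign` rejects a k that is not invertible modulo p - 1, and `verify` returns a boolean after range-checking r and s. The function names, the range checks and `usable_nonces` are assumptions of this example; the numbers are those of the exercise, with y = 59 as printed by `get_B`.

```python
from math import gcd


def sign(p, g, x, m, k):
    """ElGamal signature (r, s) on m; no hashing, as in the exercise."""
    if not 1 <= k <= p - 2:
        raise ValueError("k must satisfy 1 <= k <= p - 2")
    if gcd(k, p - 1) != 1:
        # k has no inverse mod p - 1, so s cannot be computed.
        raise ValueError(f"gcd({k}, {p - 1}) != 1: pick another k")
    r = pow(g, k, p)
    s = pow(k, -1, p - 1) * (m - x * r) % (p - 1)  # Python 3.8+
    if s == 0:
        raise ValueError("s == 0: pick another k")
    return r, s


def verify(p, g, y, m, r, s):
    """Return True iff y^r * r^s == g^m (mod p), after range checks."""
    # Assumed hardening: reject out-of-range r or s before any arithmetic.
    if not (0 < r < p and 0 < s < p - 1):
        return False
    return pow(y, r, p) * pow(r, s, p) % p == pow(g, m, p)


def usable_nonces(p):
    """All k in [1, p - 2] that are invertible modulo p - 1."""
    return [k for k in range(1, p - 1) if gcd(k, p - 1) == 1]


if __name__ == "__main__":
    p, g, x, m = 83, 16, 29, 25   # values from the exercise
    y = pow(g, x, p)              # public value, as get_B computes it
    try:
        sign(p, g, x, m, 28)      # the k given in the problem statement
    except ValueError as err:
        print("k = 28 rejected:", err)
    r, s = sign(p, g, x, m, 23)   # the k chosen in the answer
    print((r, s), verify(p, g, y, m, r, s))
    print(len(usable_nonces(p)), "usable values of k")
```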


### 2. For DSA, let the public key be (p = 149, q = 37, g = 41, y = 120), and the secret key be (p = 149, q = 37, g = 41, x = 26). Assume that the hash function is h(m) = $m^{21}$ mod 37. (30 points)

##### (a) Compute the signature of m = 9876543210.

##### Answer

##### (b) Is (12, 25) a valid signature for m = 3248?

##### Answer

### 3. Show that the regular RSA signature scheme is "arbitrarily forgeable" (forging the signature of any challenge message m) if the attacker is allowed to ask the signing oracle. Note that the challenge message m cannot be queried to the signing oracle. (20 points)

### 4. Why is the "sequential" DL-based interactive proof system zero-knowledge? Why isn't the "parallel" DL-based interactive proof system zero-knowledge? (30 points)