# HW3

### 1. This problem is about ElGamal encryption and signature schemes. (20 points)

##### (a) Let p = 83 and g = 16 be a generator of $Z^{*}_{83}$. Assume that the public key is (p, g, 60) and the secret key (p, g, 29). Encrypt the plaintext m = 25 and decrypt the ciphertext (56, 13).

##### Answer

To encrypt message m = 25, choose a random k, $ 1 \leq k \leq p - 2 $, let k = 2.

$ 
c = (c_1, c_2) = (g^k, m*y^k) = (16, 25*60^2) = (7, 28) \mod 83 \\
\rightarrow c = (c_1, c_2) = (7, 28)
$

To decrypt a ciphertext $ c = (c_1, c_2) $

$ 
c_1^{-x}c_2 = y^{-k}y^km = m = 56^{-29}*13 = 56^{82-29} * 13 =  56^{53} * 13 = 16 \mod 83 \\
\rightarrow m = 16
$

In [1]:
def encrypt(g, y, m, k, mod):
    c1 = g ** k % mod
    c2 = m * y**k % mod
    return (c1, c2)

In [2]:
def decrypt(c1, c2, pk, mod):
    m = c1 ** (mod - 1 - pk) * c2 % mod
    return m

In [3]:
g = 16
y = 60
m = 25
k = 2
mod = 83
c1, c2 = encrypt(g, y, m, k, mod)
print((c1, c2))

(7, 28)


In [4]:
c1 = 56
c2 = 13
pk = 29
m = decrypt(c1, c2, pk, mod)
print(m)

16


##### (b) Use the secret key as the signing key to sign the message m = 25. The randomly chosen k is 28. You don’t need to do hashing before signing.

##### Answer

$ 
\because \gcd(k, p - 1) = \gcd(28, 82) \neq 1 \\ 
\therefore \text{let } k = 23 \\
r = g^k \mod p = 16^{23} \mod 83 = 28 \\
s = k^{-1} * (m - rx) \mod (p-1) = 23^{-1}*(25-28*29)\mod 82 = 25*33\mod 82 = 5 \\
\rightarrow (r, s) = (28, 5)
$

In [5]:
def mod_inverse(a, mod):
    for x in range(1, mod):
        if (((a % mod) * (x % mod)) % mod == 1):
            return x
    return -1

In [6]:
def get_B(p, a, z):
    return a ** z % p

In [7]:
def signature(p, k, z, m):
    r = a ** k % p
    s = mod_inverse(k, p - 1) * (m - z * r) % (p - 1)
    return (r, s)

In [8]:
def verify(p, B, a, m, r, s):
    v1 = (B ** r) * (r ** s) % p
    v2 = a ** m % p
    print(v1, v2)
    if v1 == v2:
        return True
    else:
        return False

In [9]:
p = 83
a = 16
z = 29
B = get_B(p, a, z)
print(B)

59


In [10]:
k = 23
m = 25
r, s = signature(p, k, z, m)
print((r, s))

(28, 5)


In [11]:
print(verify(p, B, a, m, r, s))

30 30
True


### 2. For DSA, let the public key be (p = 149, q = 37, g = 41, y = 120), and the secret key be (p = 149, q = 37, g = 41, x = 26). Assume that the hash function is h(m) = $m^{21}$ mod 37. (30 points)

##### (a) Compute the signature of m = 9876543210.

##### Answer

$
\text{Let } k = 1 \\
h(m) = m^{21} \mod q = h(9876543210) = 9876543210^{21} \mod 37 = 1 \\
r = (g^k \mod p) mod q = (41^21 \mod 149) \mod 37 = 42 \mod 37 = 5 \\
s = k^{-1} * (h(m) + r * x) \mod q = 2^{-1} * (1 + 5 * 26) \mod 37 = 19 * 20 \mod 37 = 10 \\
\rightarrow (r, s) = (5, 10)
$

In [12]:
def h(m, i, mod):
    return m ** i % mod

In [13]:
def signature(p, q, g, x, k, i, m):
    r = g ** k % p % q
    s = mod_inverse(k, q) * (h(m, i, q) + r * x) % q
    return (r, s)

In [14]:
p = 149
q = 37
g = 41
y = 120
x = 26
k = 2
i = 21
m = 9876543210
r, s = signature(p, q, g, x, k, i, m)
print((r, s))

(5, 10)


##### (b) Is (12, 25) a valid signature for m = 3248?

##### Answer

$
1 \leq (r, s) \leq q - 1 \rightarrow 1 \leq (12, 25) \leq 36 \rightarrow True \\ 
t = s^{-1} \mod q = 25^{-1} \mod 37 = 3 \\
v = ((g^{h(x)} * y^r)^t \mod p) \mod q = ((41^{31} * 120^{12})^3 \mod 149) \mod 37 = 4 \\
\because t = 3 \neq v = 4 \\
\therefore (12, 25) is 
$

In [15]:
def verify(r, s, q, g, y, i, m):
    if r < 1 or r > q - 1 or s < 1 or s > q - 1:
        return False
    t = mod_inverse(s, q)
    v = (g ** h(m, i, q) * y ** r) ** t % p % q
    print(t, v)
    if t == v:
        return True
    else:
        return False

In [16]:
r = 12
s = 25
m = 3248
verify(r, s, q, g, y, i, m)

3 4


False

##### Answer

3. Show that the regular RSA signature scheme is ”arbitrarily forgeable” (forging the signature of any challenge message m) if the attacker is allowed to ask the signing oracle. Note that the challenge message m cannot be queried to the signing oracle. (20 points)

##### Answer

4. Why is the ”sequential” DL-based interactive proof system zero-knowledge? Why isn’t the ”parallel” DL-based interactive proof system zero-knowledge? (30 points)

##### Answer