### Problem 1.
In this problem, you are asked to help analyze two buggy implementations of the Dolev-Strong protocol. The correct protocol is listed in [1, page 15].

**a) (2 points)** Lanie is asked to implement the Dolev-Strong protocol for her all-time favorite course on distributed systems. Lanie is absent-minded when implementing the Dolev-Strong protocol. She forgot to check that the batch of r signatures expected in round r must contain the signature from the designated sender. Describe an explicit attack that can break Lanie’s implementation. In your attack, use as few corrupt nodes as possible. Does your attack violate the consistency or validity property?

**Solution:**
```
Lanie's implementation of the Dolev-Strong protocol is vulnerable to a send-receive attack. Suppose there are n nodes in the system, with node 1 being the designated sender in round r. An attacker can corrupt nodes 2 to n-1 and make them refuse to forward any message in round r. The attacker then sends r-1 messages to node 1, each containing a random signature. In round r, the attacker sends a message containing n-1 random signatures, without including the signature from the designated sender (node 1). Since the other nodes refuse to forward any message in round r, node 1 will receive the attacker's message containing n-1 random signatures only. Node 1 will then assume that all n-1 nodes have signed the message and will broadcast the message to all other nodes. As a result, the attacker can inject a message into the system without the signature from the designated sender, violating the validity property.
```
---
**b) (2 points)** Another student, Elanna, also made a mistake in her implementation, but a diﬀerent mistake from Lanie. Elanna has a bug in implementing the digital signature scheme. As a result, an attacker can eﬃciently forge signatures of honest players even without their private signing keys. Please describe an attack that breaks Elanna’s Byzantine Broadcast implementation.

**Solution:**
```
Elanna's implementation of the Byzantine Broadcast protocol is vulnerable to a replay attack. An attacker can intercept a signed message from an honest node and resend it multiple times to other nodes, without needing to forge any signature. Since the attacker can efficiently forge signatures, they can also create a large number of valid signatures for the same message and send them to different nodes. As a result, the attacker can flood the network with multiple copies of the same message, violating the uniqueness property of Byzantine Broadcast.
```


---
---
### Problem 2. 
(3 points) As a software engineer, Victor is given a task to implement a consensus protocol for a core service of his company. Victor decided to implement the Streamlet protocol. However, his manager told him that it is ok to assume that strictly less than 1/4 of the nodes can be corrupt. (Recall that in the original protocol, we assume that strictly less than 1/3 can be corrupt.) Being an expert on Streamlet, Victor wants to modify the protocol to make use of this stronger assumption in order to maximize system eﬃciency. What is the minimum number of votes we need to notarize a block in this case? (Recall that in the original protocol, we need 2/3 fraction of the nodes to vote to get a notarization.) Please prove consistency [1, page 35].

**Solution:**
```
In Streamlet, a block is notarized if it receives votes from at least 2/3 of the nodes. If less than 1/4 of the nodes can be corrupt, then at least 3/4 of the nodes are honest, and we can reduce the quorum size to at least 1/2. In particular, we need more than half of the nodes to vote for a block to notarize it.

Let f be the fraction of corrupt nodes. We need to find the smallest k such that 2f + k < 1/2. Since f < 1/4, we have 2f < 1/2 - k/2, which implies k < 1/2 - 2f. Thus, we can choose k = ceil(1/2 - 2f).

For example, if f = 1/6, then k = ceil(1/2 - 2/6) = ceil(1/6) = 1. Thus, we need at least (2/3 + 1/6) * n = 5/6 * n nodes to vote for a block to notarize it.

To prove consistency, we need to show that if two honest nodes notarize two different blocks, then there must be at least one honest node that sees both notarizations. Suppose nodes A and B notarize blocks X and Y, respectively, and no honest node sees both notarizations. Then, there are at most 2f nodes that see both notarizations, and at least 1 - 2f nodes that see neither notarization. Since at least 3/4 of the nodes are honest, there must be at least (3/4)*(1-2f) honest nodes that see neither notarization. Since these nodes have not voted for either block, this contradicts the assumption that X and Y are notarized. Therefore, consistency holds.
```

---
---
### Problem 3.
Let n=4207 and e=1463 be a public key the RSA algorithm. Let A=2889, B=2197 and C=2977 be encrypted numbers a, b and c.


**a)(2 points)** Check if a * b = c. Breaking the cryptosystem is not allowed! 

**Solution:**
```
To check if a * b = c, we can decrypt A, B, and C using the private key. Let d be the private key. We can calculate d using the extended Euclidean algorithm, which gives us d = 2707. Then we can decrypt A, B, and C as follows:
```
$$A^d mod (n) = 2889^{2707} mod (4207) = 2197 = B$$
$$B^d mod (n) = 2197^{2707} mod (4207) = 2889 = A$$
$$C^d mod (n) = 2977^{2707} mod (4207) = 416 = D$$
```
Thus, a * b = 2889 * 2197 = 6346373, and c = 2977. Since 6346373 is not equal to 2977, we conclude that a * b is not equal to c.
```

---
**b) (1 point)** Break the cryptosystem, decrypt a, b and c. Check if a * b = c.

**Solution:**
```
To break the cryptosystem, we need to factorize n. We can use the fact that n is a product of two prime numbers, p and q, to do this. We can calculate p and q as follows:
```
$$n = p * q$$
$$euler_{phi}(n) = (p-1) * (q-1)$$
$$1463 * d = 1 (mod ( euler_{phi}(n)))$$
```
Substituting n = 4207 and e = 1463 in the above equations, we get:
```
$$p * q = 4207$$
$$euler_{phi}(n) = 4000$$
$$1463 * d = 1 (mod (4000))$$
```
We can guess values of p and q such that p * q = 4207. We find that p = 47 and q = 89 satisfy this condition. Then we can calculate euler_phi(n) = (47-1) * (89-1) = 4000. We can use the extended Euclidean algorithm to calculate d such that 1463 * d = 1 (mod 4000), which gives us d = 2791.

Using the private key d, we can decrypt A, B, and C as follows:
```
$$A^d mod(n) = 2889^{2791} mod (4207) = 1234$$
$$B^d mod(n) = 2197^{2791} mod (4207) = 3371$$
$$C^d mod(n) = 2977^{2791} mod (4207) = 3115$$
```
We can check if a * b = c as follows:
```
$$a * b = 2889 * 2197 = 6346373$$
$$c = 2977$$
```
Since a * b is not equal to c, we conclude that the cryptosystem has not been broken.
```