Problems

Prev: Protocols

This chapter contains some problems for you to look at.

E.1 Secret Key Encryption

E.1.1 DES

Let $\bar{m}$ be the bitwise complement of the string $m$. Let ${\mathrm{DES}}_K(m)$ denote the encryption of $m$ under DES using key $K$. It is not hard to see that if

$$c={\mathrm{DES}}_K(m)$$

then

$$\bar{c}={\mathrm{DES}}_{\bar{K}}(\bar{m}).$$

We know that a brute-force attack on DES requires searching a space of $2^{56}$ keys. This means that we have to perform that many DES encryptions in order to find the key, in the worst case.

1. Under known plaintext attack, meaning you are given a single pair $(m,c)$ where $c={\mathrm{DES}}_K(m)$, do the equations above change the number of DES encryptions you perform in a brute-force attack to recover $K$?
2. What is the answer to the above question in the case of chosen plaintext attack, meaning when you are allowed to choose many $m$‘s for which you get the pair $(m,c)$ with $c={\mathrm{DES}}_K(m)$?

---

E.1.2 Error Correction in DES Ciphertexts

Suppose that $n$ plaintext blocks $x_1,\dots ,x_n$ are encrypted using DES, producing ciphertexts $y_1,\dots ,y_n$. Suppose that one ciphertext block, say $y_i$, is transmitted incorrectly, meaning some $1$‘s are changed into $0$‘s and vice versa.

How many plaintext blocks will be decrypted incorrectly if ECB mode was used for encryption? What if CBC is used?

---

E.1.3 Brute Force Search in CBC Mode

A brute-force key search for a known-plaintext attack for DES in ECB mode is straightforward: given the $64$-bit plaintext and the $64$-bit ciphertext, try all of the possible $2^{56}$ keys until one is found that generates the known ciphertext from the known plaintext. The situation is more complex for CBC mode, which includes the use of a $64$-bit IV. This seems to introduce an additional $64$ bits of uncertainty.

1. Suggest strategies for known-plaintext attack on CBC mode that are of the same order of magnitude of effort as the ECB attack.
2. Now consider a ciphertext-only attack. For ECB mode the strategy is to try to decrypt the given ciphertext with all possible $2^{56}$ keys and test each result to see if it appears to be a syntactically correct plaintext. Will this strategy work for CBC mode? If so, explain. If not, describe an attack strategy for CBC mode and estimate its level of effort.

---

E.1.4 E-mail

Electronic mail systems differ in the way in which multiple recipients are handled. In some systems the originating mail handler makes all the necessary copies, and these are sent out independently. An alternative approach is to determine the route for each destination first. Then a single message is sent out on a common portion of the route and copies are made when the routes diverge. This system is known as mail-bagging.

1. Leaving aside security considerations, discuss the relative advantages and disadvantages of the two methods.
2. Discuss the security requirements and implications of the two methods.

---

E.2 Passwords

The framework of a simplified version of the Unix password scheme is this. We fix some function $h:\{0,1{\}}^k\to \{0,1{\}}^L$. The user chooses a $k$-bit password, and the system stores the value $y=h(K)$ in the password file. When the user logs in, they must supply $K$. The system then computes $h(K)$ and declares the user authentic if this value equals $y$.

We assume the attacker has access to the password file and hence to $y$. The intuition is that it is computationally infeasible to recover $K$ from $y$. Thus $h$ must be chosen to make this true.

The specific choice of $h$ made by Unix is $h(K)={\mathrm{DES}}_K(0)$, where $0$ represents the $64$-bit string of all zeros. Thus $k=56$ and $L=64$.

In this problem you will analyze the generic scheme and the particular DES-based instantiation. The goal is to see how, given a scheme like this, to use the models we have developed in class, in particular to think of DES as a pseudorandom function family.

To model the scheme, let $F:\{0,1{\}}^k\times \{0,1{\}}^{\ell }\to \{0,1{\}}^L$ be a pseudorandom function family, having some given insecurity function ${\mathrm{Adv}}_F^{\mathrm{prf}}(\cdot ,\cdot )$, and with $L>k$. We let $T_F$ denote the time to compute $F$, namely the time, given $K,x$, to compute $F_K(x)$. See below for the definition of a one-way function, which we will refer to now.

1. Define $h:\{0,1{\}}^k\to \{0,1{\}}^L$ by $h(K)=F_K(0)$, where $0$ represents the $\ell$-bit string of all zeros. Prove that $h$ is a one-way function with

   $${\mathrm{Adv}}^{\mathrm{owf}}(h,t)\le 2\cdot {\mathrm{Adv}}_F^{\mathrm{prf}}(t^{\prime },1),$$

   where

   $$t^{\prime }=t+O(\ell +L+k+T_F).$$

   Hints: Assume you are given an inverter $I$ for $h$, and construct a distinguisher $D$ such that

   $${\mathrm{Adv}}_F^{\mathrm{prf}}(D)\ge \frac{1}{2}\cdot {\mathrm{Adv}}_{h,I}^{\mathrm{owf}}.$$

   Use this to derive the claimed result.

2. Can you think of possible threats or weaknesses that might arise in a real-world usage of such a scheme, but are not covered by our model? Can you think of how to protect against them? Do you think this is a good password scheme in practice?

One-Way Function Definition Used Above

Let $h:\{0,1{\}}^k\to \{0,1{\}}^L$ be a function. It is one-way if, intuitively speaking, it is hard, given $y$, to compute a point $x^{\prime }$ such that $h(x^{\prime })=y$, when $y$ was chosen by drawing $x$ at random from $\{0,1{\}}^k$ and setting $y=h(x)$.

In formalizing this, we say an inverter for $h$ is an algorithm $I$ that given a point $y\in \{0,1{\}}^L$ tries to compute this $x^{\prime }$. We let

$${\mathrm{Adv}}_{h,I}^{\mathrm{owf}}=\mathrm{Pr}\left[h(x^{\prime })=y:x\leftarrow \{0,1{\}}^k;y\leftarrow h(x);x^{\prime }\leftarrow I(y)\right]$$

be the probability that the inverter is successful, taken over a random choice of $x$ and any coins the inverter might toss. We let

$${\mathrm{Adv}}_h^{\mathrm{owf}}(t^{\prime })=\underset{I}{\max }\left\{{\mathrm{Adv}}_{h,I}^{\mathrm{owf}}\right\},$$

where the maximum is over all inverters $I$ that run in time at most $t^{\prime }$.

---

E.3 Number Theory

E.3.1 Number Theory Facts

Prove the following facts:

1. If $k$ is the number of distinct prime factors of $n$, then the equation $x^2=1\mathrm{mod}n$ has $2^k$ distinct solutions in ${\mathbb{Z}}_n^{\ast }$. Hint: use the Chinese Remainder Theorem.

2. If $p$ is prime and $x\in {\mathbb{Z}}_p^{\ast }$, then

   $$\left(\frac{x}{p}\right)=x^{(p-1)/2}\mathrm{mod}p.$$

3. $g$ is a generator of ${\mathbb{Z}}_p^{\ast }$ for a prime $p$ iff $g^{p-1}=1\mathrm{mod}p$ and $g^q\ne 1\mathrm{mod}p$ for all prime divisors $q$ of $p-1$.

---

E.3.2 Relationship Between Problems

Let $n$ be the product of two primes, $n=pq$. Describe reducibilities between the following problems. For example, if we can factor then we can invert RSA. Do not prove anything formally; just state the result.

• computing $\phi (n)$
• factoring $n$
• computing ${\mathrm{QR}}_n(a)$ for some $a\in {\mathbb{Z}}_n^{\ast }$
• computing square roots modulo $n$
• computing $k$-th roots modulo $n$, where $\gcd (k,\phi (n))=1$

---

E.3.3 Probabilistic Primality Test

Let $\mathrm{SQRT}(p,a)$ denote an expected polynomial-time algorithm that on input $p,a$ outputs $x$ such that $x^2=a\mathrm{mod}p$ if $a$ is a quadratic residue modulo $p$. Consider the following probabilistic primality test, which takes as input an odd integer $p>1$ and outputs "composite" or "prime".

1. Test if there exist $b,c>1$ such that $p=bc$. If so output "composite".

2. Choose $i\in {\mathbb{Z}}_p^{\ast }$ at random and set $y=i^2$.

3. Compute $x=\mathrm{SQRT}(p,y)$.

4. If $x=i\mathrm{mod}p$ or $x=-i\mathrm{mod}p$, output "prime"; otherwise output "composite".

5. Does the above primality test always terminate in expected polynomial time? Prove your answer.

6. What is the probability that the above algorithm makes an error if $p$ is prime?

7. What is the probability that the above algorithm makes an error if $p$ is composite?

---

E.4 Public Key Encryption

E.4.1 Simple RSA Question

Suppose that we have a set of blocks encoded with the RSA algorithm and we do not have the private key. Assume $n=pq$, and $e$ is the public key. Suppose also someone tells us they know one of the plaintext blocks has a common factor with $n$. Does this help us in any way?

---

E.4.2 Another Simple RSA Question

In the RSA public-key encryption scheme each user has a public key $n,e$ and a private key $d$. Suppose Bob leaks his private key. Rather than generating a new modulus, he decides to generate a new pair $e^{\prime },d^{\prime }$. Is this a good idea?

---

E.4.3 Protocol Failure Involving RSA

Remember that an RSA public key is a pair $(n,e)$ where $n$ is the product of two primes.

$${\mathrm{RSA}}_{(n,e)}(m)=m^e\mathrm{mod}n$$

Assume that three users in a network, Alice, Bob, and Carl, use RSA public keys $(n_A,3)$, $(n_B,3)$, and $(n_C,3)$ respectively. Suppose David wants to send the same message $m$ to the three of them. So David computes

$$y_A=m^3\mathrm{mod}{n}_A,y_B=m^3\mathrm{mod}{n}_B,y_C=m^3\mathrm{mod}{n}_C$$

and sends the ciphertext to the respective user.

Show how an eavesdropper Eve can now compute the message $m$ even without knowing any of the secret keys of Alice, Bob, and Carl.

---

E.4.4 RSA for Paranoids

The best factoring algorithm known to date, the number field sieve, runs in

$$e^{O\left((\log n{)}^{1/3}(\log \log n{)}^{2/3}\right)}.$$

That is, the running time does not depend on the size of the smallest factor, but rather on the size of the whole composite number.

The above observation seems to suggest that in order to preserve the security of RSA, it may not be necessary to increase the size of both prime factors, but only of one of them.

Shamir suggested the following version of RSA that he called unbalanced RSA, also known as RSA for paranoids. Choose the RSA modulus $n$ to be $5,000$ bits long, the product of a $500$-bit prime $p$ and a $4,500$-bit prime $q$. Since usually RSA is used just to exchange DES keys, we can assume that the messages being encrypted are smaller than $p$.

1. How would you choose the public exponent $e$? Is $3$ a good choice?

2. Once the public exponent $e$ is chosen, one computes $d=e^{-1}\mathrm{mod}\phi (n)$ and keeps it secret. The problem with such a big modulus $n$ is that decrypting a ciphertext $c=m^e\mathrm{mod}n$ may take a long time, since one has to compute $c^d\mathrm{mod}n$. But since we know that $m<p$ we can just use the Chinese Remainder Theorem and compute

   $$m_1=c^d\mathrm{mod}p=m.$$

   Shamir claimed that this variant of RSA achieves better security against advances in factoring, without losing efficiency.

   Show how, with a single chosen-message attack, meaning obtaining the decryption of a message of your choice, you can completely break the unbalanced RSA scheme by factoring $n$.

---

E.4.5 Hardness of Diffie-Hellman

Recall the Diffie-Hellman key exchange protocol. $p$ is a prime and $g$ a generator of ${\mathbb{Z}}_p^{\ast }$. Alice’s secret key is a random $a<p$ and her public key is $g^a\mathrm{mod}p$. Similarly Bob’s secret key is a random $b<p$ and his public key is $g^b\mathrm{mod}p$. Their common key is $g^{ab}$.

In this problem we will prove that if the Diffie-Hellman key exchange protocol is secure for a small fraction of the values $(a,b)$, then it is secure for almost all values $(a,b)$.

Assume that there is a ppt algorithm $A$ such that

$$\mathrm{Pr}[A(g^a,g^b)=g^{ab}]>\frac{1}{2}+\epsilon ,$$

where the probability is taken over the choices of $(a,b)$ and the internal coin tosses of $A$.

Your task is to prove that for any $\delta <1$ there exists a ppt algorithm $B$ such that for all $(a,b)$

$$\mathrm{Pr}[B(g^a,g^b)=g^{ab}]>1-\delta ,$$

where the probability is now taken only over the coin tosses of $B$.

---

E.4.6 Bit Commitment

Consider the following real-life situation. Alice and Bob are playing “Guess the bit I am thinking.” Alice thinks of a bit $b\in \{0,1\}$ and Bob tries to guess it. Bob declares his guess and Alice tells him if the guess is right or not.

However Bob is losing all the time so he suspects that Alice is cheating. She hears Bob’s guess and then declares she was thinking of the opposite bit. So Bob requires Alice to write down the bit on a piece of paper, seal it in an envelope, and place the envelope on the table. At this point Alice is committed to the bit. However Bob has no information about what the bit is.

Our goal is to achieve this bit commitment without envelopes. Consider the following method. Alice and Bob together choose a prime $p$ and a generator $g$ of ${\mathbb{Z}}_p^{\ast }$. When Alice wants to commit to a bit $b$, she chooses a random $x\in {\mathbb{Z}}_p^{\ast }$ such that $\mathrm{lsb}(x)=b$ and she publishes $y=g^x\mathrm{mod}p$.

Is this a good bit commitment? Do you have a better suggestion?

---

E.4.7 Perfect Forward Secrecy

Suppose two parties, Alice and Bob, want to communicate privately. They both hold public keys in the traditional Diffie-Hellman model.

An eavesdropper Eve stores all the encrypted messages between them and one day she manages to break into Alice and Bob’s computers and find their secret keys corresponding to their public keys.

Show how, using only public-key cryptography, we can achieve perfect forward secrecy, meaning Eve will not be able to gain any knowledge about the messages Alice and Bob exchanged before the disclosure of the secret keys.

---

E.4.8 Plaintext-Awareness and Non-Malleability

We say that an encryption scheme is plaintext-aware if it is impossible to produce a valid ciphertext without knowing the corresponding plaintext.

Usually plaintext-aware encryption schemes are implemented by adding some redundancy to the plaintext. Decryption of a ciphertext results either in a valid message or in a flag indicating non-validity, if the redundancy is not of the correct form. Correct decryption convinces the receiver that the sender knows the plaintext that was encrypted.

The concept of plaintext-awareness is related to the concept of malleability. We say that an encryption scheme $E$ is non-malleable if, given a ciphertext $c=E(m)$, it is impossible to produce a valid ciphertext $c^{\prime }$ of a related message $m^{\prime }$.

Compare the two definitions and tell us if one implies the other.

---

E.4.9 Probabilistic Encryption

Assume that you have a message $m$ that you want to encrypt in a probabilistic way. For each of the following methods, tell us if you think it is a good or a bad method.

1. Fix a large prime $p$ and let $g$ be a generator. For each bit $b_i$ in $m$, choose at random $x_i\in {\mathbb{Z}}_{p-1}$ such that $\mathrm{lsb}(x_i)=b_i$, where $\mathrm{lsb}(x)$ is the least significant bit of $x$. The ciphertext is the concatenation of the $y_i=g^{x_i}\mathrm{mod}p$. What about if you use $x_i$ such that $\mathrm{msb}(x_i)=b_i$?
2. Choose an RSA public key $n,e$ such that $|n|>2|m|$. Pad $m$ with random bits to get it to the same length as $n$. Let $m^{\prime }$ be the padded plaintext. Encrypt $c=(m^{\prime }{)}^e\mathrm{mod}n$.
3. Choose an RSA public key $n,e$. Assume that $|m|$ is smaller than $\log \log n$; you can always break the message in blocks of that size. Pad $m$ with random bits to get it to the same length as $n$. Let $m^{\prime }$ be the padded plaintext. Encrypt $c=(m^{\prime }{)}^e\mathrm{mod}n$.
4. Choose two large primes $p,q\equiv 3(\mathrm{mod}4)$. Let $n=pq$. For each bit $b_i$ in $m$, choose at random $x_i\in {\mathbb{Z}}_n^{\ast }$ and set $y_i=x_i^2\mathrm{mod}n$ if $b_i=0$ or $y_i=-x_i^2\mathrm{mod}n$ if $b_i=1$. The ciphertext is the concatenation of the $y_i$‘s.

---

E.5 Secret Key Systems

E.5.1 Simultaneous Encryption and Authentication

Let $(E,D)$ be a symmetric encryption scheme, cf. Chapter 6, and let $\mathrm{MAC}$ be a message authentication code, cf. Chapter 9.

Suppose Alice and Bob share two keys $K_1$ and $K_2$ for privacy and authentication respectively. They want to exchange messages $M$ in a private and authenticated way. Consider sending each of the following as a means to this end:

1. $M,{\mathrm{MAC}}_{K_2}(E_{K_1}(M))$
2. $E_{K_1}(M,{\mathrm{MAC}}_{K_2}(M))$
3. $E_{K_1}(M),{\mathrm{MAC}}_{K_2}(M)$
4. $E_{K_1}(M),E_{K_1}({\mathrm{MAC}}_{K_2}(M))$
5. $E_{K_1}(M),{\mathrm{MAC}}_{K_2}(E_{K_1}(M))$
6. $E_{K_1}(M,A)$ where $A$ encodes the identity of Alice. Bob decrypts the ciphertext and checks that the second half of the plaintext is $A$.

For each, say if it is secure or not and briefly justify your answer.

---

E.6 Hash Functions

E.6.1 Birthday Paradox

Let $H$ be a hash function that outputs $m$-bit values. Assume that $H$ behaves as a random oracle, meaning that for each string $s$, $H(s)$ is uniformly and independently distributed between $0$ and $2^m-1$.

Consider the following brute-force search for a collision: try all possible $s_1,s_2,\dots$ until a collision is found. That is, keep hashing until some string yields the same hash value as a previously hashed string.

Prove that the expected number of hashings performed is approximately

$$2^{m/2}.$$

---

E.6.2 Hash Functions from DES

In this problem we will consider two proposals to construct hash functions from symmetric block encryption schemes such as DES.

Let $E$ denote a symmetric block encryption scheme. Let $E_k(M)$ denote the encryption of the one-block message $M$ under key $k$. Let

$$M=M_0\circ M_1\circ M_2\circ \cdots \circ M_n$$

denote a message of $n+1$ blocks.

The first proposed hash function $h_1$ works as follows: let $H_0=M_0$ and then define

$$H_i=E_{M_i}(H_{i-1})\oplus H_{i-1}\text{for }i=1,\dots ,n.$$

The value of the hash function is defined as

$$h_1(M)=H_n.$$

The second proposed hash function $h_2$ is similar. Again $H_0=M_0$ and then

$$H_i=E_{H_{i-1}}(M_i)\oplus M_i\text{for }i=1,\dots ,n.$$

The value of the hash function is defined as

$$h_2(M)=H_n.$$

For both proposals, show how to find collisions if the encryption scheme $E$ is chosen to be DES.

---

E.6.3 Hash Functions from RSA

Consider the following hash function $H$. Fix an RSA key $n,e$ and denote

$${\mathrm{RSA}}_{n,e}(m)=m^e\mathrm{mod}n.$$

Let the message to be hashed be $m=m_1\dots m_k$. Denote $h_1=m_1$ and for $i>1$,

$$h_i={\mathrm{RSA}}_{n,e}(h_{i-1})\oplus m_i.$$

Then $H(m)=h_n$. Show how to find a collision.

---

E.7 Pseudo-randomness

E.7.1 Extending PRGs

Suppose you are given a PRG $G$ which stretches a $k$-bit seed into a $2k$-bit pseudorandom sequence. We would like to construct a PRG $G^{\prime }$ which stretches a $k$-bit seed into a $3k$-bit pseudorandom sequence.

Let $G_1(s)$ denote the first $k$ bits of the string $G(s)$ and let $G_2(s)$ denote the last $k$ bits, that is

$$G(s)=G_1(s)\cdot G_2(s),$$

where $a\cdot b$ denotes the concatenation of strings $a$ and $b$.

Consider the two constructions:

1. $G^{\prime }(s)=G_1(s)\cdot G(G_1(s))$
2. $G^{\prime \prime }(s)=G_1(s)\cdot G(G_2(s))$

For each construction say whether it works or not and justify your answer. That is, if the answer is no, provide a simple statistical test that distinguishes the output of, say, $G^{\prime }$ from a random $3k$-bit string. If the answer is yes, prove it.

---

E.7.2 From PRG to PRF

Let us recall the construction of PRFs from PRGs we saw in class. Let $G$ be a length-doubling PRG, from seeds of length $k$ to sequences of length $2k$.

Let $G_0(x)$ denote the first $k$ bits of $G(x)$ and $G_1(x)$ the last $k$ bits. In other words

$$G_0(x)\circ G_1(x)=G(x)$$

and

$$|G_0(x)|=|G_1(x)|.$$

For any bit string $z$, recursively define

$$G_{0\circ z}(x)\circ G_{1\circ z}(x)=G(G_z(x))$$

with

$$|G_{0\circ z}(x)|=|G_{1\circ z}(x)|.$$

The PRF family we constructed in class was defined as $F=\{f_i\}$ where

$$f_i(x)=G_x(i).$$

Suppose instead that we defined

$$f_i(x)=G_i(x).$$

Would that be a PRF family?

---

E.8 Digital Signatures

E.8.1 Table of Forgery

For both RSA and ElGamal, say if the scheme is:

1. universally forgeable
2. selectively forgeable
3. existentially forgeable

and under which kind of attack.

---

E.8.2 ElGamal

Suppose Bob is using the ElGamal signature scheme. Bob signs two messages $m_1$ and $m_2$ with signatures $(r,s_1)$ and $(r,s_2)$, where the same value of $r$ occurs in both signatures. Suppose also that

$$\gcd (s_1-s_2,p-1)=1.$$

1. Show how $k$ can be computed efficiently given this information.
2. Show how the signature scheme can subsequently be broken.

---

E.8.3 Suggested Signature Scheme

Consider the following discrete-log-based signature scheme. Let $p$ be a large prime and $g$ a generator. The private key is $x<p$. The public key is $y=g^x\mathrm{mod}p$.

To sign a message $M$, calculate the hash $h=H(M)$. If $\gcd (h,p-1)$ is different from $1$ then append $h$ to $M$ and hash again. Repeat this until $\gcd (h,p-1)=1$. Then solve for $Z$ in

$$Zh=x\mathrm{mod}(p-1).$$

The signature of the message is

$$s=g^Z\mathrm{mod}p.$$

To verify the signature, a user checks that

$$s^h=y\mathrm{mod}p.$$

1. Show that valid signatures are always accepted.
2. Is the scheme secure?

---

E.8.4 Ong-Schnorr-Shamir

Ong, Schnorr, and Shamir suggested the following signature scheme.

Let $n$ be a large integer; it is not necessary to know the factorization of $n$. Then choose $k\in {\mathbb{Z}}_n^{\ast }$. Let

$$h=-k^{-2}\mathrm{mod}n=-(k^{-1}{)}^2\mathrm{mod}n.$$

The public key is $(n,h)$, and the secret key is $k$.

To sign a message $M$, generate a random number $r$ such that $r$ and $n$ are relatively prime. Then calculate

$$S_1=\frac{M/r+r}{2}\mathrm{mod}n$$

and

$$S_2=\frac{k}{2}(M/r-r).$$

The pair $(S_1,S_2)$ is the signature.

To verify the signature, check that

$$M=S_1^2+h{S}_2^2\mathrm{mod}n.$$

1. Prove that reconstructing the private key from the public key is equivalent to factoring $n$.
2. Is that enough to say that the scheme is secure?

---

E.9 Protocols

E.9.1 Unconditionally Secure Secret Sharing

Consider a generic secret-sharing scheme. A dealer $D$ wants to share a secret $s$ between $n$ trustees so that no $t$ of them have any information about $s$, but $t+1$ can reconstruct the secret. Let $s_i$ be the share of trustee $T_i$. Let $v$ denote the number of possible values that $s$ might have, and let $w$ denote the number of different possible share values that a given trustee might receive, as $s$ is varied. Assume that $w$ is the same for each trustee.

Argue that $w\ge v$ for any secret-sharing scheme. It then follows that the number of bits needed to represent a share cannot be smaller than the number of bits needed to represent the secret itself.

Hint: Use the fact that $t$ players have no information about the secret. No matter what $t$ values they have received, any value of $s$ is possible.

---

E.9.2 Secret Sharing with Cheaters

Dishonest trustees can prevent the reconstruction of the secret by contributing bad shares ${\hat{s}}_i\ne s_i$. Using the cryptographic tools you have seen so far in the class, show how to prevent this denial-of-service attack.

---

E.9.3 Zero-Knowledge Proof for Discrete Logarithms

Let $p$ be a prime and $g$ a generator modulo $p$. Given $y=g^x$, Alice claims she knows the discrete logarithm $x$ of $y$. She wants to convince Bob of this fact but she does not want to reveal $x$ to him. How can she do that?

Give a zero-knowledge protocol for this problem.

---

E.9.4 Oblivious Transfer

An oblivious transfer protocol is a communication protocol between Alice and Bob. Alice runs it on input a value $s$. At the end of the protocol either Bob learns $s$ or he has no information about it. Alice has no idea which event occurred.

A $1$-$2$ oblivious transfer protocol is a communication protocol between Alice and Bob. Alice runs it on input two values $s_0$ and $s_1$. Bob runs it on input a bit $b$. At the end of the protocol, Bob learns $s_b$ but has no information about $s_{1-b}$. Alice has no information about $b$.

Show that given an oblivious transfer protocol as a black box, one can design a $1$-$2$ oblivious transfer protocol.

---

E.9.5 Electronic Cash

Real-life cash has two main properties:

• It is anonymous, meaning when you use cash to buy something your identity is not revealed, compared with credit cards where your identity and spending habits are disclosed.
• It is transferable, that is the vendor who receives cash from you can in turn use it to buy something else. They would not have this possibility if you had paid with a non-transferable check.

The electronic cash proposals we saw in class are all non-transferable. That is, the user gets a coin from the bank, spends it, and the vendor must return the coin to the bank in order to get credit. As such they really behave as anonymous non-transferable checks. In this problem we are going to modify such proposals in order to achieve transferability.

The proposal we saw in class can be abstracted as follows. We have three agents: the Bank, the User, and the Vendor.

The Bank has a pair of keys $(S,P)$. A signature with $S$ is a coin worth a fixed amount, say $1$. It is possible to make blind signatures, meaning the User gets a signature $S(m)$ on a message $m$, but the Bank gets no information about $m$.

Withdrawal protocol:

1. The User chooses a message $m$.
2. The Bank blindly signs $m$ and withdraws $1$ from the User’s account.
3. The User recovers $S(m)$. The coin is the pair $(m,S(m))$.

Payment protocol:

1. The User gives the coin $(m,S(m))$ to the Vendor.
2. The Vendor verifies the Bank’s signature and sends a random challenge $c$ to the User.
3. The User replies with an answer $r$.
4. The Vendor verifies that the answer is correct.

The challenge-response protocol is needed in order to detect double-spending. Indeed the system is constructed in such a way that if the User answers two different challenges on the same coin, meaning they are trying to spend the coin twice, their identity will be revealed to the Bank when the two coins return to the bank. This is why the whole history of the payment protocol must be presented to the Bank when the Vendor deposits the coin.

Deposit protocol:

1. The Vendor sends $m,S(m),c,r$ to the Bank.
2. The Bank verifies it and adds $1$ to the Vendor’s account.
3. The Bank searches its database to see if the coin was deposited already and, if it was, reconstructs the identity of the double-spender User.

In order to make the whole scheme transferable we give the bank a different pair of keys $(S^{\prime },P^{\prime })$. It is still possible to make blind signatures with $S^{\prime }$. However messages signed with $S^{\prime }$ have no value. We will call them pseudo-coins. When people open an account with the Bank, they get a lot of these anonymous pseudo-coins by running the withdrawal protocol with $S^{\prime }$ as the signature key.

Suppose now the Vendor received a paid coin $m,S(m),c,r$ and instead of depositing it wants to use it to buy something from another vendor. What they could do is the following:

Transfer protocol:

1. The Vendor sends $m,S(m),c,r$ and a pseudo-coin $m^{\prime },S^{\prime }(m^{\prime })$ to OtherVendor.
2. OtherVendor verifies all signatures and the pair $(c,r)$. Then sends a random challenge $c^{\prime }$ for the pseudo-coin.
3. Vendor replies with $r^{\prime }$.
4. OtherVendor checks the answer.

Notice however that Vendor can still double-spend the coin $m,S(m),c,r$ if they use two different pseudo-coins to transfer it to two different people. Indeed since they will never answer two different challenges on the same pseudo-coin, their identity will never be revealed. The problem is that there is no link between the real coin and the pseudo-coin used during the transfer protocol. If we could force Vendor to use only one pseudo-coin for each real coin they want to transfer, then the problem would be solved.

Show how to achieve the above goal. You will need to modify both the payment and the transfer protocol.

Hint: If Vendor wants to transfer the true coin they are receiving during the payment protocol, they must be forced then to create a link between the true coin and the pseudo-coin they will use for the transfer later. Notice that Vendor chooses $c$ at random; maybe $c$ can be chosen in some different way?

---

E.9.6 Atomicity of Withdrawal Protocol

Recall the protocol that allows a User to withdraw a coin of $1$ from the Bank. Let $(n,3)$ be the RSA public key of the Bank.

1. The User prepares $100$ messages $m_1,\dots ,m_{100}$ which are all $1$-dollar coins. The User blinds them, that is, they choose at random $r_1,\dots ,r_{100}$ and compute

   $$w_i=r_i^3{m}_i.$$

   The User sends $w_1,\dots ,w_{100}$ to the Bank.

2. The Bank chooses at random $99$ of the blindings and asks the User to open them. That is, the Bank chooses $i_1,\dots ,i_{99}$ and sends them to the User.

3. The User opens the required blindings by revealing $r_{i_1},\dots ,r_{i_{99}}$.

4. The Bank checks that the blindings are constructed correctly and then finally signs the unopened blinding. Without loss of generality, assume this to be the first one. So the Bank signs $w_1$ by sending to the User

   $$w_1^{1/3}=r_1{m}_1^{1/3}.$$

5. The User divides this signature by $r_1$ and gets a signature on $m_1$ which is a valid coin.

Notice that the User has a probability of $1/100$ to successfully cheat.

Suppose now that the protocol is not atomic. That is, the communication line may go down at the end of each step between the Bank and the User. What protocol should be followed for each step if the line goes down at the end of that step in order to prevent abuse or fraud by either party?

---

E.9.7 Blinding with ElGamal/DSS

In class we saw a way to blind messages for signatures using RSA. In this problem we ask you to construct blind signatures for a variation of the ElGamal signature scheme.

The ElGamal-like signature we will consider is as follows. Let $p$ be a large prime, $q$ a large prime dividing $p-1$, $g$ an element of order $q$ in ${\mathbb{Z}}_p^{\ast }$, $x$ the secret key of the Bank, and $y=g^x$ the corresponding public key. Let $H$ be a collision-free hash function.

When the Bank wants to sign a message $m$ she computes

$$a=g^k\mathrm{mod}p$$

for a random $k$, and

$$c=H(m,a)$$

and finally

$$b=kc+xa\mathrm{mod}q.$$

The signature of the message $m$ is $\mathrm{sig}(m)=(a,b)$. Given the triple $(m,a,b)$ the verification is performed by computing $c=H(m,a)$ and checking that

$$g^b=a^c{y}^a.$$

So the withdrawal protocol could be as follows:

1. The User tells the bank she wants a $1$-dollar coin.

2. The Bank replies with $100$ values $a_i=g^{k_i}$ for random $k_i$.

3. The User sends back $c_i=H(m_i,a_i)$ where the $m_i$ are all $1$-dollar coins.

4. The Bank asks the user to open $99$ of those.

5. The User reveals $99$ of the $m_i$‘s.

6. The Bank replies with

   $$b_i=k_i{c}_i+x{a}_i\mathrm{mod}(p-1)$$

   for the unopened index $i$.

However this is not anonymous since the Bank can recognize the User when the coin comes back. In order to make the protocol really anonymous, the User has to change the value of the “challenge” $c_i$ computed at step $3$. This modification will allow the User to compute a different signature on $m_i$ on their own which will not be recognizable to the Bank when the coin comes back. During the protocol the Bank will check as usual that this modification has been performed correctly by asking the User to open $99$ random blindings.