COMPSCI 3IS3 - Assignment 5

1. (10 marks) Let p be a prime and let g be a generator of Z×

p . In the Diffie-Hellman problem
we are given a pair (g , g ) for some unknown a, b, and we are asked to compute g ab
a b

(everything is mod p). In the Elgamal encryption scheme, Bob sends Alice h = g d where
d is private. To send a message x to Bob, Alice first chooses a random i ∈ {2, . . . , p − 2}
and keeps i private. She then computes kE = g i , kM = hi , and y = kM x, and then sends
Bob the ciphertext (kE , y). Show that if Trudy has access to an oracle that solves the
Diffie-Hellman problem, then he can break the Elgamal encryption scheme.

2. (30 marks) Recall the padded RSA signature scheme, RSA-PSS, we talked about in the
class. In RSA-PSS, the message x is first encoded and then signed. Therefore, the values
that Alice receives are (x, s) where s = EM d mod n, where EM is the encoded message.
The encoding procedure is shown in following

M' = padding1 mHash salt

DB = padding2 salt h

MGF

EM = maskedDB H bc

In this encoding, M is the input message, and the values of padding1, padding2, the
hash function h and the function MGF are publicly known. However, the value salt
is an unknown random number. When Alice recive (x, s), she computes se mod n to
obtain EM . To check the validity of the signature, Alice needs to somehow reproduce
the encoding of the message x and check it against the received EM . Explain step by
step how she can reproduce the encoding. Hint: she first needs to extract the unknown
salt from the received EM .

1
3. (30 marks)

(a) We talked about an existential forgery attack against the plain RSA digital signature
in the class. In that attack, Trudy can forge signatures for random messages, i.e., he
has no control over the content of the messages. Explain why Trudy cannot forge a
signature for a given message.
(b) Another way of forging RSA signatures is as follows: If (x1 , s1 ) and (x2 , s2 ) are two
message-signature pairs for the plain RSA signature scheme, show that the product
s1 s2 is a valid signature.
(c) Recall the existential forgery attack against the plain Elgamal signature scheme.
To prevent such an attack all we needed to do was to sign the hashed message
instead of the plain message. In that case, what Alice received was x, (r, s) where
r = αkE mod p and s = (h(x) − d · r)kE−1 mod p − 1. Is using the same strategy for
the Plain RSA makes it secure against the existential forgery attack? Write down
the hashed version of the RSA signature scheme and explain why signing the hashed
message does, or does not, prevent the existential forgery attack.

4. (30 marks) Alice and Bob agree to use the prime p = 669379343040372993112682310767
and the generator α = 476219007220973994303455600579 of Z× p for the plain Elgamal
signature scheme.

(a) Bob chooses d = 113087485233248996526571115482 as his private key. What is his

public key?
(b) Bob then chooses the random ephemeral key kE = 291905782067546206475817580403.
Compute the signature for the message x = 621822214279358881560423056296.
(c) Trudy claims that he has forged the following signature using Bob’s public key that
was computed in Part (4.a),

x = 435774528075745568404129942557,
r = 177713884672348018778214374286,
s = 648290288896956791824851873445.

Is this a valid signature?