Question 1: Questions for short answers
1) Suppose that f: {0, 1}n → Zp where p is a large prime and n > p. Prove that f(x) = gx
(mod p) is not second pre-image resistant, where g is a generator of Zp. What is the security assumption you use, if to make it pre-image resistant.
2) Show that the active CCA against ElGamal encryption given in the lecture does not work when against the Cramer-Shoup encryption.
3) Show that the RSA encryption is insecure against a chosen ciphertext attack. In particular, given a ciphertext y, describe how to choose a ciphertext y' such that knowledge of the plaintext x' = DK(y') allows the attacker to determine x = DK(y).
4) Show that the RSA encryption is not semantically secure. Provide a game between an adversary A and a simulator (or challenger) B.
5) Let p = 151. Choose a generator for GF(143)*�. Choose an appropriate private and ephemeral key. Perform the following on the message m = 113, or the next appropriate message:
(a) Encrypt m using ElGamal.
(b) Signing m using ElGamal.
You can use Pari/GP.
6) Assume an elliptic curve with points whose coordinates P = (x; y) satisfy the following congruence y2 = x3 + x mod 23. Given two points P = (1; 5) and Q = (9; 5), what are the points P + Q, P + P, and Q + Q?
7) Show that if the Gap Di�e-Hellman Problem is easy, then the Cha-Cheon signature scheme will be broken.
8) Show that the Cha-Cheon signature scheme will be broken if the Gap Di�e-Hellman Problem is solved in a signature forgery reduction by forking. Do not need to give a formal proof.
9) Describe the Bilinear Di�e-Hellman (BDH) Problem and explain why the Boneh-Franklin identity-based encryption scheme is broken if the BDH problem is easy. Is the Basic version of Boneh-Franklin identity-based encryption scheme CCA secure? Why?
Question 2: Design a communication protocol based on identity-based cryptography
Alice and Bob are located at di�erent locations and want to communicate securely by the computer network. Their identities are public. They are equipped with the Bone-Franklin ID-based encryption scheme, the Cha-Cheon signature scheme and AES, which should be properly used in their communication protocol. Your protocol must meet the following requirements:
A) Key generation: They need to generate their keys. Describe it in detail. Include all parties who have to be involved in key generation.
B) Mutual Authentication: They should know the origin of a message, i.e., who sent the message.
C) Con�dentiality: Messages must be protected and should not be disclosed to others.
D) Session Key Establishment: Alice and Bob need a symmetric session for each of their communication session.
Your protocol should have three steps:
�
Step 1: Alice sends a message to Bob.
Upon receiving this message, Bob is convinced that the message comes from Alice and no one else apart from Alice has seen the message.
�
Step 2: Bob responds:
Upon receiving the response, Alice is convinced that Bob has received her previous message and has read the content. She is also sure that Bob's response must come from Bob and no one else apart from Bob has seen it.
�
Step 3: They communicate each other with a symmetric session key, which was established in Steps 1 and 2. Provide detailed protocol steps.
The protocol will be assessed in terms of these requirements. Describe how these requirements are met in your protocol. You must provide the algorithms (math) in your protocol.