6. Let $p \ge 3$ be a prime number, and let $g$ be a primitive root modulo $p$. (These are public keys, known to all parties including the adversary.) Assume the discrete logarithm problem is hard. Consider the digital signature scheme $DS = (K, \mathit{Sign}, \mathit{Ver})$:

Key generation $K$: Choose $x, y \in \mathbb{Z}_p$ uniformly at random, and set $X = g^x$, $Y = g^y$. $(X, Y)$ is the public key, $(x, y)$ the private key.

Signing $\mathit{Sign}(M)$: $z := y + xM \pmod p$, return $z$.

Verification $\mathit{Ver}(M, z)$:
if $M \notin \mathbb{Z}_p$ then return $0$
if $g^z = Y X^M$ then return $1$
else return $0$
(a) Show that $\mathit{Ver}(M, z) = 1$ for any keypair $((X, Y), (x, y))$ that might be output by $K$, any message $M \in \mathbb{Z}_p$, and any $z$ that might be output by $\mathit{Sign}(M)$.
(b) Show that this scheme is insecure with regard to chosen message attacks by presenting a practical adversary Eve. You should specify the adversary, state the number of oracle queries it makes, and justify the correctness of the adversary.
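The scheme of problem 6, implemented so that part (a) can be checked exhaustively for a key pair. This is an added example, not part of the problem sheet. The prime $p = 23$ and primitive root $g = 5$ are constructed toy parameters; the function names are my own. One caveat the sheet glosses over: $g$ has order $p-1$, so the exponent $z$ is reduced modulo $p-1$ here (an editorial assumption); reducing it modulo $p$ as the sheet literally writes would make $\mathit{Ver}$ reject whenever $y + xM \ge p$.

```python
import secrets

# Constructed toy parameters (not from the problem sheet): a small prime p and a
# primitive root g modulo p, so the whole scheme can be followed by hand.
P = 23
G = 5  # 5 generates Z_23^*: its order is 22


def is_primitive_root(g: int, p: int) -> bool:
    """Check that g generates all of Z_p^* by walking its p-1 powers."""
    seen = set()
    val = 1
    for _ in range(p - 1):
        val = val * g % p
        seen.add(val)
    return len(seen) == p - 1


def keygen(p: int = P, g: int = G) -> tuple[tuple[int, int], tuple[int, int]]:
    """K: pick x, y in Z_p uniformly, publish X = g^x and Y = g^y."""
    x = secrets.randbelow(p)
    y = secrets.randbelow(p)
    return (pow(g, x, p), pow(g, y, p)), (x, y)


def sign(private_key: tuple[int, int], m: int, p: int = P) -> int:
    """Sign(M): z = y + x*M.

    Editorial assumption: the reduction is taken modulo p-1, the order of g,
    because that is what makes g^z = Y X^M hold for every M.
    """
    x, y = private_key
    return (y + x * m) % (p - 1)


def verify(public_key: tuple[int, int], m: int, z: int,
           p: int = P, g: int = G) -> int:
    """Ver(M, z): reject M outside Z_p, accept iff g^z = Y * X^M (mod p)."""
    if not 0 <= m < p:
        return 0
    X, Y = public_key
    return 1 if pow(g, z, p) == Y * pow(X, m, p) % p else 0


def check_correctness(p: int = P, g: int = G) -> bool:
    """Part (a), exercised for one fresh key pair and every message M in Z_p."""
    pk, sk = keygen(p, g)
    return all(verify(pk, m, sign(sk, m, p), p, g) == 1 for m in range(p))


if __name__ == "__main__":
    assert is_primitive_root(G, P)
    print("every M in Z_p verifies:", check_correctness())
```

Running the file exercises every message in $\mathbb{Z}_p$ for one random key pair; the proof asked for in (a) is the same computation written symbolically, $g^z = g^{y + xM} = g^y (g^x)^M = Y X^M$.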
7. Let $f$ be a one-way permutation. Consider the following signature scheme for messages in the set $\{1, \ldots, n\}$:
• To generate keys, choose random $x \in \{0, 1\}^n$ and set $y = f^n(x)$ (that is, $f$ applied $n$ times). The public key is $y$ and the private key is $x$.
• To sign message $i \in \{1, \ldots, n\}$, output $f^{n-i}(x)$ (where $f^0(x) = x$ by definition).
• To verify signature $\sigma$ on message $i$ with respect to public key $y$, check whether $y = f^i(\sigma)$.
(a) Show that the above is not a secure (even one-time) signature scheme. Given a signature on a message $i$, for what messages $j$ can an adversary output a forgery?
(b) Prove that no poly-time adversary, given a signature on $i$, can output a forgery on any message $j > i$ except with negligible probability.
(c) Suggest how to modify the scheme so as to obtain a one-time secure signature scheme.
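The chain scheme of problem 7 as runnable code, added here and not part of the problem sheet, so that the relation between $f^{n-i}(x)$, $f^i(\sigma)$ and $y$ can be stepped through. Assumptions: $n = 16$ is a constructed toy size, and `f` is a stand-in permutation (an odd-multiplier affine map on $n$-bit values, which is a bijection but not one-way); the sheet only asks you to assume such an $f$ exists, so the stand-in is mine.

```python
import secrets

N = 16                 # message space {1, ..., N}; also the bit length of x (toy size)
MASK = (1 << N) - 1


def f(v: int) -> int:
    """Stand-in for the one-way permutation f on n-bit strings.

    Editorial assumption: v -> a*v + b mod 2^n with a odd is a bijection on
    n-bit values, so it is a permutation, but it is NOT one-way.  It only
    lets the scheme be executed; any real f would be a library call.
    """
    return (v * 0x9E37 + 0x5BD1) & MASK


def iterate(v: int, k: int) -> int:
    """f^k(v): apply f k times, with f^0(v) = v by definition."""
    for _ in range(k):
        v = f(v)
    return v


def keygen(n: int = N) -> tuple[int, int]:
    """Return (public y = f^n(x), private x) for a random n-bit x."""
    x = secrets.randbits(n)
    return iterate(x, n), x


def sign(x: int, i: int, n: int = N) -> int:
    """Signature on message i is the chain element f^(n-i)(x)."""
    if not 1 <= i <= n:
        raise ValueError("message must lie in {1, ..., n}")
    return iterate(x, n - i)


def verify(y: int, i: int, sigma: int, n: int = N) -> bool:
    """Accept iff walking i more steps from sigma lands on the public key y."""
    if not 1 <= i <= n:          # reject messages outside the message space
        return False
    return iterate(sigma, i) == y


def check_all_messages(n: int = N) -> bool:
    """Correctness: f^i(f^(n-i)(x)) = f^n(x) = y for every i in {1, ..., n}."""
    y, x = keygen(n)
    return all(verify(y, i, sign(x, i, n), n) for i in range(1, n + 1))


if __name__ == "__main__":
    print("all messages verify:", check_all_messages())
```

Every signature is an element of the single chain $x, f(x), \ldots, f^n(x) = y$, and verification only ever walks forward along it; keeping that picture in mind is the starting point for all three parts of the problem.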
8. (optional) Write an implementation (using pseudocode or your favorite programming language) of the 'ideal' key exchange protocol. This implementation should include all necessary details and checks of parameters. It can be based on the Diffie-Hellman idea, as we did in class, or any other valid approach. If you need to use a hash function or a primality check, imagine you have a library with the necessary functions. You also do not need to care about the realization of integer arithmetic.
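One shape an answer to problem 8 can take: a Diffie-Hellman exchange over a safe-prime group in which every parameter and every received value is checked before use. This is an added example, not a solution supplied with the sheet. Assumptions: the safe prime $p = 1019 = 2 \cdot 509 + 1$ is a constructed toy group (real deployments use groups of 2048 bits or more), the Miller-Rabin routine plays the role of the primality library the sheet lets you assume, and `hashlib.sha256` stands in for the hash function; all function and class names are my own.

```python
import hashlib
import secrets

# Constructed toy group (not from the problem sheet): a small safe prime p = 2q + 1.
P = 1019
Q = (P - 1) // 2


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin; stands in for the primality check the sheet lets you assume."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_valid(p: int, g: int) -> bool:
    """p must be a safe prime and g must generate the subgroup of prime order q."""
    if not is_probable_prime(p):
        return False
    q = (p - 1) // 2
    if p != 2 * q + 1 or not is_probable_prime(q):
        return False
    return 1 < g < p - 1 and pow(g, q, p) == 1


def public_value_is_valid(p: int, value: int) -> bool:
    """A received value must be a non-trivial element of the order-q subgroup."""
    q = (p - 1) // 2
    return 1 < value < p - 1 and pow(value, q, p) == 1


def find_generator(p: int) -> int:
    """Squares land in the order-q subgroup; take the first one that is not 1."""
    for h in range(2, p - 1):
        g = pow(h, 2, p)
        if g != 1:
            return g
    raise ValueError("no generator found")


class Party:
    """One side of the exchange: holds its secret exponent, exposes its public value."""

    def __init__(self, name: str, p: int, g: int):
        if not group_is_valid(p, g):
            raise ValueError("rejecting group parameters")
        self.name, self.p, self.g = name, p, g
        q = (p - 1) // 2
        self.secret = 1 + secrets.randbelow(q - 1)      # uniform in [1, q-1]
        self.public = pow(g, self.secret, p)

    def shared_key(self, peer_public: int) -> bytes:
        if not public_value_is_valid(self.p, peer_public):
            raise ValueError("rejecting peer public value")
        shared = pow(peer_public, self.secret, self.p)
        width = (self.p.bit_length() + 7) // 8
        # Hash the group element to a fixed-length key instead of using it raw.
        return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def run_exchange(p: int = P, g: int = 0) -> bool:
    """Alice -> Bob: A = g^a.  Bob -> Alice: B = g^b.  Both derive H(g^ab)."""
    if g == 0:
        g = find_generator(p)
    alice, bob = Party("Alice", p, g), Party("Bob", p, g)
    key_at_alice = alice.shared_key(bob.public)    # B arrives at Alice
    key_at_bob = bob.shared_key(alice.public)      # A arrives at Bob
    return key_at_alice == key_at_bob


if __name__ == "__main__":
    print("shared keys agree:", run_exchange())
```

The checks are the substance of the exercise: the safe-prime test fixes the group order, the subgroup test on $g$ and on each received value rules out elements of small order, the range test rejects the trivial values $1$ and $p - 1$, and the hash turns the group element into a key of fixed length. The exchange itself is unauthenticated, which is exactly what the word 'ideal' in the problem abstracts away.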