cryptographic protocols (2dmi00) exam, june 23, 2021, …berry/cryptographicprotocols/... · 2021....


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2DMI00)

Exam, June 23, 2021, 18:00–21:00h

Solve the following four problems, providing full motivation for the correctness of your solutions.

No calculators or any other electronic devices are allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1. Let 〈g〉 be a cyclic group of order n.

Let distributions X, Y, Z be given by:

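$X = \{(g^x, g^{1/x}) : x \in_R \mathbb{Z}_n^*\}$,

$Y = \{(g^x, g^y) : x \in_R \mathbb{Z}_n^*,\ y \in_R \mathbb{Z}_n\}$,

$Z = \{(g^x, g^y) : x \in_R \mathbb{Z}_n^*,\ y \in_R \mathbb{Z}_n,\ y - 1/x \in \mathbb{Z}_n^*\}$.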

Let ∆ denote statistical distance.

a) Assume n is prime. Determine ∆(X;Y ), ∆(X;Z), and ∆(Y ;Z).

b) Determine ∆(X;Y ), ∆(X;Z), and ∆(Y ;Z) for any n, n ≥ 2.

2. Let 〈g〉 be a cyclic group of order n.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, $g^{x^2/y}$, compute $g^{x^3/y^2}$, where $x, y \in \mathbb{Z}_n^*$.

b) Given $g^x$, $g^y$, $g^{x^2/y}$, compute $g^{x^3/y^2}$, where $x \in \mathbb{Z}_n$ and $y \in \mathbb{Z}_n^*$.

3. Let 〈g〉 be a cyclic group of large prime order n.

Consider relation R:

$R = \{(A, B, C; x, y) : A = g^x \land B = g^y \land y \neq 0 \land (C = g^{x/y} \lor C = g^{-x/y})\}$.

a) Give a Σ-protocol for relation R and prove that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H be a cryptographic hash function. Turn your Σ-protocol into a noninteractive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.


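4) Let $\langle g \rangle$ be a cyclic group of large prime order $n$. Let $h \in \langle g \rangle$ denote a random group element such that $\log_g h$ is unknown to anyone.

Recall Fermat’s little theorem, which states that $x^n = x$ holds for all $x \in \mathbb{Z}_n$.

Consider the following protocol for relation $\{(A, B; x, y, z) : A = g^x h^y,\ B = g^{x^{n-1}} h^z\}$, which proves that $B$ is a Pedersen commitment to a bit $x^{n-1} \in \{0, 1\}$ indicating whether the value $x$ in the Pedersen commitment $A$ is nonzero (or not):

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
t, u, v_1, v_2, w \in_R \mathbb{Z}_n & & \\
C \leftarrow g^{x^{n-2}} h^t & & \\
a_1 \leftarrow g^u h^{v_1} & & \\
a_2 \leftarrow B^u h^{v_2} & & \\
b \leftarrow C^u h^w & & \\
 & \xrightarrow{\quad C,\ a_1,\ a_2,\ b \quad} & \\
 & \xleftarrow{\quad c \quad} & c \in_R \mathbb{Z}_n \\
r \leftarrow_n u + cx & & \\
r_1 \leftarrow_n v_1 + cy & & \\
r_2 \leftarrow_n v_2 + c(y - zx) & & \\
s \leftarrow_n w + c(z - tx) & & \\
 & \xrightarrow{\quad r,\ r_1,\ r_2,\ s \quad} & \\
 & & g^r h^{r_1} \stackrel{?}{=} a_1 A^c \\
 & & B^r h^{r_2} \stackrel{?}{=} a_2 A^c \\
 & & C^r h^s \stackrel{?}{=} b B^c
\end{array}
$$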

Show that the protocol is a Σ-protocol:

a) Show that the protocol is complete.

b) Show that the protocol is special sound.

c) Show that the protocol is special honest-verifier zero-knowledge.

1a: 6 2a: 6 3a: 11 4a: 3 4c: 3

1b: 6 2b: 6 3b: 3 4b: 6

The final mark is the total number of points divided by 5, rounded to one decimal place.
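
The protocol of problem 4 can be executed in a toy group to see the three verification equations at work. The following Python sketch is an added example, not part of the exam; the group parameters (P = 2039, N = 1019, G = 4, H = 9), the function names and the `claimed_bit` switch are assumptions made for illustration, and the parameters are far too small for real use.

```python
import secrets

# Toy parameters constructed for this example (far too small for real use).
# P = 2*N + 1 with P, N prime, so the squares modulo P form a group of prime order N.
P, N = 2039, 1019
G, H = 4, 9   # two squares mod P; log_G(H) is assumed unknown, as the exam requires


def commit(m, rnd):
    """Pedersen commitment g^m * h^rnd in the order-N subgroup."""
    return pow(G, m % N, P) * pow(H, rnd % N, P) % P


def prove(x, y, z, challenge=None, claimed_bit=None):
    """Run the prover for A = g^x h^y and B = g^(x^(n-1)) h^z; return one conversation.

    claimed_bit overrides the bit committed to in B, to model a false statement
    for which the prover still follows the protocol steps.
    """
    bit = pow(x, N - 1, N) if claimed_bit is None else claimed_bit
    A, B = commit(x, y), commit(bit, z)

    # Announcement
    t, u, v1, v2, w = (secrets.randbelow(N) for _ in range(5))
    C = commit(pow(x, N - 2, N), t)      # x^(n-2) is 1/x for x != 0 and 0 for x = 0
    a1 = commit(u, v1)
    a2 = pow(B, u, P) * pow(H, v2, P) % P
    b = pow(C, u, P) * pow(H, w, P) % P

    # Challenge (chosen by the verifier; fixed here only when the caller asks for it)
    c = secrets.randbelow(N) if challenge is None else challenge

    # Response
    r = (u + c * x) % N
    r1 = (v1 + c * y) % N
    r2 = (v2 + c * (y - z * x)) % N
    s = (w + c * (z - t * x)) % N
    return (A, B), (C, a1, a2, b), c, (r, r1, r2, s)


def verify(statement, announcement, c, response):
    """The verifier's three checks from the protocol."""
    A, B = statement
    C, a1, a2, b = announcement
    r, r1, r2, s = response
    check1 = pow(G, r, P) * pow(H, r1, P) % P == a1 * pow(A, c, P) % P
    check2 = pow(B, r, P) * pow(H, r2, P) % P == a2 * pow(A, c, P) % P
    check3 = pow(C, r, P) * pow(H, s, P) % P == b * pow(B, c, P) % P
    return check1 and check2 and check3


if __name__ == "__main__":
    for x in (0, 1, 7):
        print("x =", x, "accepted:", verify(*prove(x, y=11, z=22)))
    print("x = 7, B commits to 0:", verify(*prove(7, 11, 22, challenge=5, claimed_bit=0)))
```

Running honest conversations is a sanity check of the equations only; it does not replace the proofs asked for in parts a) to c).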


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2DMI00)

Exam, April 16, 2021, 13:30–16:30h

Solve the following four problems, providing full motivation for the correctness of your solutions.

No calculators or any other electronic devices are allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1. Let 〈g〉 be a cyclic group of order n.

Let distributions X, Y, Z be given by:

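$X = \{(g^x, g^y) : x \in_R \mathbb{Z}_n^*,\ y \in_R \mathbb{Z}_n\}$,

$Y = \{(g^x, g^{1/x}) : x \in_R \mathbb{Z}_n^*\}$,

$Z = \{(g^x, g^y) : x \in_R \mathbb{Z}_n^*,\ y \in_R \mathbb{Z}_n,\ y - 1/x \notin \mathbb{Z}_n^*\}$.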

Let ∆ denote statistical distance.

a) Assume n is prime. Determine ∆(X;Y ), ∆(X;Z), and ∆(Y ;Z).

b) Determine ∆(X;Y ), ∆(X;Z), and ∆(Y ;Z) for any n, n ≥ 2.

2. Let 〈g〉 be a cyclic group of order n.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, $g^{x/y}$, compute $g^{x^2/y}$, where $x, y \in \mathbb{Z}_n^*$.

b) Given $g^x$, $g^y$, $g^{x/y}$, compute $g^{x^2/y}$, where $x \in \mathbb{Z}_n$ and $y \in \mathbb{Z}_n^*$.

3. Let 〈g〉 be a cyclic group of large prime order n.

Consider relation R:

$R = \{(A, B, C; x) : A = g^x \land (B = g^{-1/x} \lor C = g^{1/x}) \land x \neq 0\}$.

a) Give a Σ-protocol for relation R and prove that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.


4. Let 〈g〉 be a cyclic group of order n, where n is a large prime.

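Let $S$ be a nonempty subset of $\mathbb{Z}_n$.

Consider the following protocol for relation $\{(h; x) : h = g^x\}$:

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
u \in_R \mathbb{Z}_n^* & & \\
a \leftarrow g^u & & \\
b \in_R S & & \\
 & \xrightarrow{\quad a,\ b \quad} & \\
 & \xleftarrow{\quad c \quad} & c \in_R \mathbb{Z}_n \\
r \leftarrow_n (b + c)u + x & & \\
 & \xrightarrow{\quad r \quad} & \\
 & & g^r \stackrel{?}{=} a^{b+c} h
\end{array}
$$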

a) Show that the protocol is complete.

b) Show that the protocol is special sound.

Next, consider the case that S = {0}, hence b = 0 always holds in the protocol.

c) Show that the protocol with $S = \{0\}$ cannot be special honest-verifier zero-knowledge under the DL assumption.

However, the following simulation shows that the protocol with $S = \{0\}$ is actually (plain) honest-verifier zero-knowledge:

$$
\left\{ (a, 0; c; r) : r \in_R \mathbb{Z}_n;\ 
\begin{cases}
c \leftarrow 0;\ u \in_R \mathbb{Z}_n^*;\ a \leftarrow g^u, & \text{if } g^r = h \\
c \in_R \mathbb{Z}_n^*;\ a \leftarrow (g^r/h)^{1/c}, & \text{if } g^r \neq h
\end{cases}
\right\}.
$$

Finally, consider the case that $S = \mathbb{Z}_n$.

d) Show that the protocol with $S = \mathbb{Z}_n$ is special honest-verifier zero-knowledge by adapting the above simulation.

1a: 6 2a: 6 3a: 11 4a: 1 4c: 4

1b: 6 2b: 6 3b: 3 4b: 3 4d: 4

The final mark is the total number of points divided by 5, rounded to one decimal place.


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2DMI00)

Exam, June 26, 2020, 18:00–21:00h

Solve the following four problems, providing full motivation for the correctness of your solutions.

No calculators or any other electronic devices are allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1) Let 〈g〉 be a cyclic group of order n.

Let distributions X, Y, Z be given by:

$X = \{(g^u, g^{uv}) : u \in_R \mathbb{Z}_n^*,\ v \in_R \mathbb{Z}_n\}$,

$Y = \{(g^u, g^{uv}) : u, v \in_R \mathbb{Z}_n^*\}$,

$Z = \{(g^u, g^{u/v}) : u, v \in_R \mathbb{Z}_n^*\}$.

Let ∆ denote statistical distance.

a) Assume n is prime. Determine ∆(X;Y ), ∆(X;Z), and ∆(Y ;Z).

b) Determine ∆(X;Y ), ∆(X;Z), and ∆(Y ;Z) for any n, n ≥ 2.

2) Let 〈g〉 be a cyclic group of order n.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, $g^z$, compute $g^{xy/z}$, where $x, y, z \in \mathbb{Z}_n^*$.

b) Given $g^x$, $g^y$, $g^z$, compute $g^{xy/z}$, where $x \in \mathbb{Z}_n$ and $y, z \in \mathbb{Z}_n^*$.

3) Let $\langle g \rangle$ be a cyclic group of large prime order $n$. Let $h \in \langle g \rangle$ denote a random group element such that $\log_g h$ is unknown to anyone. Consider relation R:

$R = \{(A, B, C; x, y) : A = g^x \land (B = g^{x^2} \lor B = g^{xy}) \land C = g^{-x} h^y\}$.

a) Give a Σ-protocol for relation R and prove that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.


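4) Let $\langle g \rangle$ be a cyclic group of large prime order $n$. Let $h \in \langle g \rangle$ denote a random group element such that $\log_g h$ is unknown to anyone.

Recall Fermat’s little theorem, which states that $x^n = x$ holds for all $x \in \mathbb{Z}_n$.

Consider the following protocol for relation $\{(A, B; x, y, z) : A = g^x h^y,\ B = g^{x^{n-1}} h^z\}$, which proves that $B$ is a Pedersen commitment to a bit $x^{n-1} \in \{0, 1\}$ indicating whether the value $x$ in the Pedersen commitment $A$ is nonzero (or not):

$$
\begin{array}{llcl}
\text{Prover (case } x = 0\text{)} & \text{Prover (case } x \neq 0\text{)} & & \text{Verifier} \\
c_1, r_1, s_1, t_1, v_0, w_0 \in_R \mathbb{Z}_n & c_0, s_0, t_0, u_1, v_1, w_1 \in_R \mathbb{Z}_n & & \\
a_0 \leftarrow h^{v_0} & a_0 \leftarrow h^{s_0} A^{-c_0} & & \\
b_0 \leftarrow h^{w_0} & b_0 \leftarrow h^{t_0} B^{-c_0} & & \\
a_1 \leftarrow A^{r_1} h^{s_1} g^{-c_1} & a_1 \leftarrow A^{u_1} h^{v_1} & & \\
b_1 \leftarrow h^{t_1} (B/g)^{-c_1} & b_1 \leftarrow h^{w_1} & & \\
 & & \xrightarrow{\quad a_0,\ a_1,\ b_0,\ b_1 \quad} & \\
 & & & c \in_R \mathbb{Z}_n \\
 & & \xleftarrow{\quad c \quad} & \\
c_0 \leftarrow_n c - c_1 & c_1 \leftarrow_n c - c_0 & & \\
 & r_1 \leftarrow_n u_1 + c_1/x & & \\
s_0 \leftarrow_n v_0 + c_0 y & s_1 \leftarrow_n v_1 - c_1 y/x & & \\
t_0 \leftarrow_n w_0 + c_0 z & t_1 \leftarrow_n w_1 + c_1 z & & \\
 & & \xrightarrow{\quad c_0,\ c_1,\ r_1,\ s_0,\ s_1,\ t_0,\ t_1 \quad} & \\
 & & & c_0 + c_1 \stackrel{?}{=}_n c \\
 & & & h^{s_0} \stackrel{?}{=} a_0 A^{c_0} \\
 & & & h^{t_0} \stackrel{?}{=} b_0 B^{c_0} \\
 & & & A^{r_1} h^{s_1} \stackrel{?}{=} a_1 g^{c_1} \\
 & & & h^{t_1} \stackrel{?}{=} b_1 (B/g)^{c_1}
\end{array}
$$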

Show that the protocol is a Σ-protocol:

a) Show that the protocol is complete.

b) Show that the protocol is special sound.

c) Show that the protocol is special honest-verifier zero-knowledge.

1a: 6 2a: 6 3a: 11 4a: 4 4c: 2

1b: 6 2b: 6 3b: 3 4b: 6

The final mark is the total number of points divided by 5, rounded to one decimal place.


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2DMI00)

Exam, April 18, 2020, 13:30–16:30h

Solve the following four problems, providing full motivation for the correctness of your solutions.

No calculators or any other electronic devices are allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1) Let 〈g〉 be a cyclic group of order n.

Let distributions X, Y, Z be given by:

$X = \{(g^u, g^v) : u, v \in_R \mathbb{Z}_n\}$,

$Y = \{(g^u, g^{uv}) : u \in_R \mathbb{Z}_n^*,\ v \in_R \mathbb{Z}_n\}$,

$Z = \{(g^u, g^{uv}) : u, v \in_R \mathbb{Z}_n^*\}$.

Let ∆ denote statistical distance.

a) Assume n is prime. Determine ∆(X;Y ), ∆(X;Z), and ∆(Y ;Z).

b) Determine ∆(X;Y ), ∆(X;Z), and ∆(Y ;Z) for any n, n ≥ 1.

2) Let 〈g〉 be a cyclic group of order n.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^{1/x}$, compute $g^{x^2}$, where $x \in \mathbb{Z}_n^*$.

b) Given $g^x$, $g^y$, $g^{\frac{1}{x+y}}$, compute $g^{\frac{x-y}{x+y}}$, where $x, y \in \mathbb{Z}_n$ and $x + y \in \mathbb{Z}_n^*$.

3) Let $\langle g \rangle$ be a cyclic group of large prime order $n$. Let $h \in \langle g \rangle$ denote a random group element such that $\log_g h$ is unknown to anyone. Consider relation R:

$R = \{(A, B, C; x, y) : A = g^x \land (B = g^{-x^2} \lor B = g^{x^2}) \land C = g^{x^3} h^y\}$.

a) Give a Σ-protocol for relation R and prove that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.


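4) Let $\langle g \rangle$ be a cyclic group of large prime order $n$. Let $h \in \langle g \rangle$ denote a random group element such that $\log_g h$ is unknown to anyone.

Recall Fermat’s little theorem, which states that $x^n = x$ holds for all $x \in \mathbb{Z}_n$.

Consider the following protocol for relation $\{(A, B; x, y, z) : A = g^x h^y,\ B = g^{x^{n-1}} h^z\}$, which proves that $B$ is a Pedersen commitment to a bit $x^{n-1} \in \{0, 1\}$ indicating whether the value $x$ in the Pedersen commitment $A$ is nonzero (or not):

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
t, u, v_1, v_2, w \in_R \mathbb{Z}_n & & \\
C \leftarrow g^{x^{n-2}} h^t & & \\
a_1 \leftarrow g^u h^{v_1} & & \\
a_2 \leftarrow B^u h^{v_2} & & \\
b \leftarrow C^u h^w & & \\
 & \xrightarrow{\quad C,\ a_1,\ a_2,\ b \quad} & \\
 & \xleftarrow{\quad c \quad} & c \in_R \mathbb{Z}_n \\
r \leftarrow_n u + cx & & \\
r_1 \leftarrow_n v_1 + cy & & \\
r_2 \leftarrow_n v_2 + c(y - zx) & & \\
s \leftarrow_n w + c(z - tx) & & \\
 & \xrightarrow{\quad r,\ r_1,\ r_2,\ s \quad} & \\
 & & g^r h^{r_1} \stackrel{?}{=} a_1 A^c \\
 & & B^r h^{r_2} \stackrel{?}{=} a_2 A^c \\
 & & C^r h^s \stackrel{?}{=} b B^c
\end{array}
$$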

Show that the protocol is a Σ-protocol:

a) Show that the protocol is complete.

b) Show that the protocol is special sound.

c) Show that the protocol is special honest-verifier zero-knowledge.

1a: 6 2a: 6 3a: 11 4a: 3 4c: 3

1b: 6 2b: 6 3b: 3 4b: 6

The final mark is the total number of points divided by 5, rounded to one decimal place.


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2DMI00)

Exam, June 28, 2019, 18:00–21:00h

Solve the following four problems, providing full motivation for the correctness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. Any other electronic equipment is not allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1) Let 〈g〉 be a cyclic group of order n.

For n ≥ 2, let distributions X, Y, Z be given by:

$X = \{(g^x, g^{x^2}) : x \in_R \mathbb{Z}_n\}$,

$Y = \{(g^x, g^y) : x, y \in_R \mathbb{Z}_n,\ y - x^2 \in \mathbb{Z}_n^*\}$,

$Z = \{(g^x, g^y) : x, y \in_R \mathbb{Z}_n\}$.

Let ∆ denote statistical distance.

a) Assume n is prime. Determine ∆(X;Y ), ∆(X;Z), and ∆(Y ;Z).

b) Determine ∆(X;Y ), ∆(X;Z), and ∆(Y ;Z) for any n, n ≥ 2.

2) Let 〈g〉 be a cyclic group of order n.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, $g^z$, compute $g^{xy/z^3}$, where $x, y, z \in \mathbb{Z}_n^*$.

b) Given $g^x$, $g^y$, $g^z$, compute $g^{xy+z^3}$, where $x, y \in \mathbb{Z}_n$ and $z \in \mathbb{Z}_n^*$.

3) Let $\langle g \rangle$ be a cyclic group of large prime order $n$. Let $h \in \langle g \rangle$ denote a random group element such that $\log_g h$ is unknown to anyone. Consider relation R:

$R = \{(A, B, C; x, y) : A = g^x \land B = h^y \land (C = (gh)^{xy} \lor C = (gh)^{x+y})\}$.

a) Give a Σ-protocol for relation R and prove that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.


4) Let 〈g〉 be a cyclic group of large prime order n.

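Consider the following protocol as a potential alternative to OR-composition of Schnorr’s protocol. That is, the protocol is intended as a Σ-protocol for relation $\{(h_1, h_2; x_1, x_2) : h_1 = g^{x_1} \lor h_2 = g^{x_2}\}$.

$$
\begin{array}{llcl}
\text{Prover (using } x_1 = \log_g h_1\text{)} & \text{Prover (using } x_2 = \log_g h_2\text{)} & & \text{Verifier} \\
r_2, u_1 \in_R \mathbb{Z}_n & r_1, u_2 \in_R \mathbb{Z}_n & & \\
a_1 \leftarrow g^{u_1} & a_1 \leftarrow g^{r_1} & & \\
a_2 \leftarrow g^{r_2} & a_2 \leftarrow g^{u_2} & & \\
 & & \xrightarrow{\quad a_1,\ a_2 \quad} & \\
 & & & c \in_R \mathbb{Z}_n \\
 & & \xleftarrow{\quad c \quad} & \\
r_1 \leftarrow_n u_1 + c x_1 & r_2 \leftarrow_n u_2 + c x_2 & & \\
 & & \xrightarrow{\quad r_1,\ r_2 \quad} & \\
 & & & g^{r_1} \stackrel{?}{=} a_1 h_1^c \ \lor\ g^{r_2} \stackrel{?}{=} a_2 h_2^c
\end{array}
$$

a) Show that the protocol is complete.

b) Determine if the protocol is special sound. If so, provide a proof; otherwise, show why not.

c) Determine if the protocol is special honest-verifier zero-knowledge. If so, provide a proof; otherwise, show why not.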

1a: 6 2a: 6 3a: 11 4a: 2 4c: 5

1b: 6 2b: 6 3b: 3 4b: 5

The final mark is the total number of points divided by 5, rounded to one decimal place.


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2DMI00)

Exam, April 12, 2019, 13:30–16:30h

Solve the following four problems, providing full motivation for the correctness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. Any other electronic equipment is not allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1) For 1 ≤ d < n, consider distributions X, Y, Z given by:

$X = \{u : u \in_R \{1, \ldots, dn\}\}$,

$Y = \{un : u \in_R \{1, \ldots, d\}\}$,

$Z = \{ud : u \in_R \{1, \ldots, n\}\}$.

Let ∆ denote statistical distance.

a) Determine ∆(X;Y ) and ∆(X;Z).

b) Determine ∆(Y ;Z) assuming that also gcd(d, n) = 1.

c) Determine ∆(Y ;Z) for arbitrary d, n with 1 ≤ d < n.

2) Let 〈g〉 be a cyclic group of order n.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, $g^z$, compute $g^{x-yz}$, where $x, y, z \in \mathbb{Z}_n$.

b) Given $g^x$, $g^y$, $g^z$, compute $g^{1/(x-yz)}$, where $x, y \in \mathbb{Z}_n$ and $z,\ x - yz \in \mathbb{Z}_n^*$.

3) Let $\langle g \rangle$ be a cyclic group of large prime order $n$. Let $h \in \langle g \rangle$ denote a random group element such that $\log_g h$ is unknown to anyone. Consider relation R:

$R = \{(A, B; x, y) : A = g^x \land (B = g^{-2x} h^y \lor B = g^{x^2} h^y)\}$.

a) Give a Σ-protocol for relation R and prove that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.


4) Let 〈g〉 be a cyclic group of large prime order n.

Consider the following basic idea for constructing an $(\ell, \ell)$-threshold Schnorr signature scheme. Suppose parties $P_i$ each hold a private key $x_i$ and a public key $h_i = g^{x_i}$, for $1 \le i \le \ell$. Define $h = \prod_{i=1}^{\ell} h_i$ as the public key of parties $P_1, \ldots, P_\ell$ together.

For a given message $M$, the goal is to jointly generate a Schnorr signature $(c, r)$ for public key $h$, where $c = H(g^r h^{-c}, M)$. Suppose party $C$ acts as a “combiner,” acting as the verifier in a run of the Schnorr protocol with each of the parties $P_i$.

a) Show how $C$ can generate a Schnorr signature $(c, r)$ on message $M$ for public key $h$, by running the Schnorr protocol $\ell$ times in parallel, once with each party $P_i$ for public key $h_i$. Argue why the scheme is secure.
Hint: how should $C$ choose the challenges $c_i$ such that the conversations $(a_i; c_i; r_i)$ of the runs of the Schnorr protocol can be combined?

b) Describe how your scheme can be extended to a $(t, \ell)$-threshold Schnorr signature scheme, $1 \le t \le \ell$. You may assume that the parties have already run a distributed key generation protocol such that $P_i$ holds a share $x_i$, where $x_i = a(i)$ for some polynomial $a(X) \in \mathbb{Z}_n[X]$ of degree less than $t$, and $x = a(0)$. As before, the public key of party $P_i$ is $h_i = g^{x_i}$.
Hint: how do you compute the public key $h = g^x$ from $h_1, \ldots, h_\ell$?

1a: 6 1c: 4 2a: 6 3a: 11 4a: 5

1b: 4 2b: 6 3b: 3 4b: 5

The final mark is the total number of points divided by 5, rounded to one decimal place.


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2DMI00)

Exam, July 3, 2018, 18:00–21:00h

Solve the following four problems, providing full motivation for the correctness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. Any other electronic equipment is not allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1) Let 〈g〉 be a cyclic group of order n.

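For $n \ge 2$, consider distributions $X$, $Y^+$, $Y^-$, $Z^+$, $Z^-$ given by:

$X = \{(g^u, g^v) : u, v \in_R \mathbb{Z}_n\}$,

$Y^+ = \{(g^u, g^v) : u \in_R \mathbb{Z}_n;\ v \in_R \mathbb{Z}_n \setminus \{u\}\}$,

$Y^- = \{(g^u, g^v) : u \in_R \mathbb{Z}_n;\ v \in_R \mathbb{Z}_n \setminus \{-u\}\}$,

$Z^+ = \{(g^u, g^u) : u \in_R \mathbb{Z}_n\}$,

$Z^- = \{(g^u, g^{-u}) : u \in_R \mathbb{Z}_n\}$.

Let $\Delta$ denote statistical distance.

a) Determine $\Delta(X;Y^+)$, $\Delta(X;Z^+)$, $\Delta(Y^+;Z^+)$.

b) Given your answers to part (a), what are $\Delta(X;Y^-)$, $\Delta(X;Z^-)$, $\Delta(Y^-;Z^-)$?

c) Determine $\Delta(Z^+;Z^-)$.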

2) Let 〈g〉 be a cyclic group of order n.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, compute $g^{(x+y)^2}$, where $x, y \in \mathbb{Z}_n$.

b) Given $g^x$, $g^y$, compute $g^{(x+y)^2}$, where $x, y \in \mathbb{Z}_n$ and $x + y \in \mathbb{Z}_n^*$.

3) Let $\langle g \rangle$ be a cyclic group of large prime order $n$. Consider relation R:

$R = \{(A, B, C; x, y) : A = g^x \land B = g^y \land (C = g^{(x+y)^2} \lor C = g^{(x-y)^2})\}$.

a) Give a Σ-protocol for relation R and prove that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.


4) Let 〈g〉 be a cyclic group of large prime order n.

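Consider the following protocols as potential alternatives to EQ-composition of Schnorr’s protocol. That is, both protocols are intended as Σ-protocols for relation $R = \{(g_1, h_1, g_2, h_2; x) : h_1 = g_1^x,\ h_2 = g_2^x\}$.

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
(x = \log_{g_1} h_1,\ x = \log_{g_2} h_2) & & \\
u \in_R \mathbb{Z}_n & & \\
a_1 \leftarrow g_1^u & & \\
a_2 \leftarrow g_2^u & & \\
 & \xrightarrow{\quad a_1,\ a_2 \quad} & \\
 & & c \in_R \mathbb{Z}_n \\
 & \xleftarrow{\quad c \quad} & \\
r_1 \leftarrow_n u + cx & & \\
r_2 \leftarrow_n u + cx & & \\
 & \xrightarrow{\quad r_1,\ r_2 \quad} & \\
 & & g_1^{r_1} \stackrel{?}{=} a_1 h_1^c \\
 & & g_2^{r_2} \stackrel{?}{=} a_2 h_2^c
\end{array}
$$

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
(x = \log_{g_1} h_1,\ x = \log_{g_2} h_2) & & \\
r_1, r_2 \in_R \mathbb{Z}_n & & \\
 & \xrightarrow{\quad r_1,\ r_2 \quad} & \\
 & & c \in_R \mathbb{Z}_n \\
 & \xleftarrow{\quad c \quad} & \\
a_1 \leftarrow g_1^{r_1 - cx} & & \\
a_2 \leftarrow g_2^{r_2 - cx} & & \\
 & \xrightarrow{\quad a_1,\ a_2 \quad} & \\
 & & g_1^{r_1} \stackrel{?}{=} a_1 h_1^c \\
 & & g_2^{r_2} \stackrel{?}{=} a_2 h_2^c
\end{array}
$$

Note that $R \subseteq V \times W$, where $V = \langle g \rangle^* \times \langle g \rangle \times \langle g \rangle^* \times \langle g \rangle$ and $W = \mathbb{Z}_n$. Hence, for $(g_1, h_1, g_2, h_2; x) \in R$, we have that both $g_1$ and $g_2$ are generators of $\langle g \rangle$, $h_1$ and $h_2$ are arbitrary elements of $\langle g \rangle$, and $x$ is an element of $\mathbb{Z}_n$ such that $x = \log_{g_1} h_1 = \log_{g_2} h_2$.

a) Show that both protocols are complete.

b) For each of the protocols determine if it is special sound. If so, provide a proof; otherwise, show why not.

c) For each of the protocols determine if it is special honest-verifier zero-knowledge. If so, provide a proof; otherwise, show why not.

1a: 6 1c: 4 2a: 6 3a: 11 4a: 2 4c: 5 homework

1b: 2 2b: 6 3b: 3 4b: 5 min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, not exceeding 10.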


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2DMI00)

Exam, April 20, 2018, 13:30–16:30h

Solve the following four problems, providing full motivation for the correctness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. Any other electronic equipment is not allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1) Let 〈g〉 be a cyclic group of order n.

For n ≥ 2, let distributions X, Y, Z be given by:

$X = \{(g^x, g^y, g^{xy}) : x, y \in_R \mathbb{Z}_n\}$,

$Y = \{(g^x, g^y, g^z) : x, y, z \in_R \mathbb{Z}_n,\ z - xy \notin \mathbb{Z}_n^*\}$,

$Z = \{(g^x, g^y, g^z) : x, y, z \in_R \mathbb{Z}_n\}$.

Let ∆ denote statistical distance.

a) Assume n is prime. Determine ∆(X;Y ), ∆(X;Z), and ∆(Y ;Z).

b) Determine ∆(X;Y ), ∆(X;Z), and ∆(Y ;Z) for any n, n ≥ 2.

2) Let 〈g〉 be a cyclic group of order n.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, $g^z$, compute $g^{x/(yz)}$, where $x, y, z \in \mathbb{Z}_n^*$.

b) Given $g^x$, $g^y$, $g^z$, compute $g^{x/(y+z)}$, where $x \in \mathbb{Z}_n^*$, $y, z \in \mathbb{Z}_n$, and $y + z \in \mathbb{Z}_n^*$.

3) Let $\langle g \rangle$ be a cyclic group of large prime order $n$. Let $h \in \langle g \rangle$ denote a random group element such that $\log_g h$ is unknown to anyone. Consider relation R:

$R = \{(A, B, C; x, y, z) : A = g^x \land B = h^y \land (C = g^{xy} h^z \lor C = g^z h^{xy})\}$.

a) Give a Σ-protocol for relation R and prove that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.


4) Let 〈g〉 be a cyclic group of large prime order n.

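Consider the following protocols as potential alternatives to AND-composition of Schnorr’s protocol. That is, the protocol is intended as a Σ-protocol for relation $R = \{(h_1, h_2; x_1, x_2) : h_1 = g^{x_1},\ h_2 = g^{x_2}\}$.

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
(x_1 = \log_g h_1,\ x_2 = \log_g h_2) & & \\
r_1, r_2 \in_R \mathbb{Z}_n & & \\
 & \xrightarrow{\quad r_1,\ r_2 \quad} & \\
 & & c \in_R \mathbb{Z}_n \\
 & \xleftarrow{\quad c \quad} & \\
a_1 \leftarrow g^{r_1 - c x_1} & & \\
a_2 \leftarrow g^{r_2 - c x_2} & & \\
 & \xrightarrow{\quad a_1,\ a_2 \quad} & \\
 & & g^{r_1} \stackrel{?}{=} a_1 h_1^c \\
 & & g^{r_2} \stackrel{?}{=} a_2 h_2^c
\end{array}
$$

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
(x_1 = \log_g h_1,\ x_2 = \log_g h_2) & & \\
u \in_R \mathbb{Z}_n & & \\
a_1 \leftarrow g^u & & \\
a_2 \leftarrow g^u & & \\
 & \xrightarrow{\quad a_1,\ a_2 \quad} & \\
 & & c \in_R \mathbb{Z}_n \\
 & \xleftarrow{\quad c \quad} & \\
r_1 \leftarrow_n u + c x_1 & & \\
r_2 \leftarrow_n u + c x_2 & & \\
 & \xrightarrow{\quad r_1,\ r_2 \quad} & \\
 & & g^{r_1} \stackrel{?}{=} a_1 h_1^c \\
 & & g^{r_2} \stackrel{?}{=} a_2 h_2^c
\end{array}
$$

a) Show that both protocols are complete.

b) For each of the protocols determine if it is special sound. If so, provide a proof; otherwise, show why not.

c) For each of the protocols determine if it is special honest-verifier zero-knowledge. If so, provide a proof; otherwise, show why not.

1a: 6 2a: 6 3a: 12 4a: 2 4c: 4 homework

1b: 6 2b: 6 3b: 3 4b: 5 min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, not exceeding 10.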


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2DMI00)

Exam, June 30, 2017, 18:00–21:00h

Solve the following four problems, providing full motivation for the correctness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. Any other electronic equipment is not allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1) Let 〈g〉 be a cyclic group of order n.

Let $h \in \langle g \rangle^*$, hence $h$ is a generator of $\langle g \rangle$ as well. Distributions $X_s$, $Y_s$, where $s \in \{1, -1\}$, are defined by:

$X_s = \{g^u h^s : u \in_R \mathbb{Z}_n\}$,

$Y_s = \{g^u h^s : u \in_R \mathbb{Z}_n^*\}$.

Let $\Delta$ denote statistical distance.

a) Determine $\Delta(X_1; X_{-1})$.

b) Assume $n = p$, where $p > 2$ is prime. Determine $\Delta(Y_1; Y_{-1})$.

c) Assume $n = 2p$, where $p > 2$ is prime. Determine $\Delta(Y_1; Y_{-1})$.

2) Let 〈g〉 be a cyclic group of order n.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, compute $g^{y^3/x}$, where $x, y \in \mathbb{Z}_n^*$.

b) Given $g^x$, $g^y$, compute $g^{1/(x-y)^2}$, where $x, y \in \mathbb{Z}_n$, $x - y \in \mathbb{Z}_n^*$.

3) Let $\langle g \rangle$ be a cyclic group of large prime order $n$. Consider relation R:

$R = \{(A, B, C; x) : A = g^{x^2} \land ((B = g^x \land C = g^{x^3}) \lor (B = g^{x^3} \land C = g^x))\}$.

a) Give a Σ-protocol for relation R and prove that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.


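4) Let $\langle g \rangle$ be a cyclic group of order $n$, where $n$ is a large prime. Let $h \in \langle g \rangle$ denote a random group element such that $\log_g h$ is unknown to anyone.

Consider the following protocol for relation $\{(B; x, y) : B = g^x h^y \land x \in \{1, -1\}\}$:

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
u, v, w \in_R \mathbb{Z}_n & & \\
a \leftarrow g^u h^v & & \\
b \leftarrow B^u h^w & & \\
 & \xrightarrow{\quad a,\ b \quad} & \\
 & & c \in_R \mathbb{Z}_n \\
 & \xleftarrow{\quad c \quad} & \\
r \leftarrow_n u + cx & & \\
s \leftarrow_n v + cy & & \\
t \leftarrow_n w - cxy & & \\
 & \xrightarrow{\quad r,\ s,\ t \quad} & \\
 & & g^r h^s \stackrel{?}{=} a B^c \\
 & & B^r h^t \stackrel{?}{=} b g^c
\end{array}
$$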

Show that the protocol is a Σ-protocol:

a) Show that the protocol is complete.

b) Show that the protocol is special sound.

c) Show that the protocol is special honest-verifier zero-knowledge.

1a: 4 1c: 5 2a: 6 3a: 12 4a: 3 4c: 2 homework

1b: 4 2b: 6 3b: 3 4b: 5 min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, not exceeding 10.


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2DMI00)

Exam, April 18, 2017, 9:00–12:00h

Solve the following four problems, providing full motivation for the correctness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. Any other electronic equipment is not allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1) For n ≥ 1, consider distributions X, Y, Z given by

$X = \{u : u \in_R \{0, \ldots, n-1\}\}$,

$Y = \{3u : u \in_R \{0, \ldots, n-1\}\}$,

$Z = \{3u + 1 : u \in_R \{0, \ldots, n-1\}\}$.

Let ∆ denote statistical distance.

a) Determine ∆(Y ;Z).

b) Determine ∆(X;Y ) and ∆(X;Z) for n a multiple of 3.

c) Determine ∆(X;Y ) for arbitrary n ≥ 1.

2) Let 〈g〉 be a cyclic group of order n.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, compute $g^{x+y}$, where $x \in \mathbb{Z}_n$ and $y \in \mathbb{Z}_n^*$.

b) Given $g^x$, $g^y$, compute $g^{x^2+y^3}$, where $x \in \mathbb{Z}_n$ and $y \in \mathbb{Z}_n^*$.

3) Let $\langle g \rangle$ be a cyclic group of large prime order $n$. Let $h \in \langle g \rangle$ denote a random group element such that $\log_g h$ is unknown to anyone. Consider relation R:

$R = \{(A, B, C; x, y) : A = g^x \land B = h^y \land (C = g^{x^2-y} \lor C = h^{xy})\}$.

a) Give a Σ-protocol for relation R and prove that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.


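4) Let $\langle g\rangle$ be a cyclic group of order $n$, where $n$ is a large prime. Let $h \in \langle g\rangle$ denote a random group element such that $\log_g h$ is unknown to anyone.

Consider the following protocol for relation $\{(B;x,y) : B = g^x h^y \wedge x \in \{0,1\}\}$:

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
u, v, w \in_R \mathbb{Z}_n & & \\
a \leftarrow g^u h^v & & \\
b \leftarrow (B/g)^u h^w & & \\
& \xrightarrow{\;a,\,b\;} & \\
& & c \in_R \mathbb{Z}_n \\
& \xleftarrow{\;c\;} & \\
r \leftarrow_n u + cx & & \\
s \leftarrow_n v + cy & & \\
t \leftarrow_n w - cxy & & \\
& \xrightarrow{\;r,\,s,\,t\;} & \\
& & g^r h^s \stackrel{?}{=} a B^c \\
& & (B/g)^r h^t \stackrel{?}{=} b
\end{array}
$$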

Show that the protocol is a Σ-protocol:

a) Show that the protocol is complete.

b) Show that the protocol is special sound.

c) Show that the protocol is special honest-verifier zero-knowledge.
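The message flow of problem 4, run end to end in a small group, as an added example that is not part of the exam. The parameters p = 2039, n = 1019, g = 4, h = 9 are constructed toy values (so $\log_g h$ is computable here, unlike in the exam's setting), and the class and function names are assumptions.

```python
import secrets

# Constructed toy parameters: P = 2*N + 1 with N prime; G and H are squares
# mod P, so both generate the subgroup of prime order N.
P = 2039
N = 1019
G = 4
H = 9


def commit(x, y):
    """B = g^x h^y."""
    return pow(G, x, P) * pow(H, y, P) % P


def b_over_g(B):
    """The group element B/g used as a base in the second equation."""
    return B * pow(G, -1, P) % P


class Prover:
    def __init__(self, x, y):
        self.x, self.y = x, y
        self.B = commit(x, y)

    def announce(self):
        # u, v, w in_R Z_n;  a <- g^u h^v;  b <- (B/g)^u h^w
        self.u, self.v, self.w = (secrets.randbelow(N) for _ in range(3))
        a = pow(G, self.u, P) * pow(H, self.v, P) % P
        b = pow(b_over_g(self.B), self.u, P) * pow(H, self.w, P) % P
        return a, b

    def respond(self, c):
        # r <-_n u + cx;  s <-_n v + cy;  t <-_n w - cxy
        r = (self.u + c * self.x) % N
        s = (self.v + c * self.y) % N
        t = (self.w - c * self.x * self.y) % N
        return r, s, t


def verify(B, a, b, c, r, s, t):
    """Verifier's two checks: g^r h^s = a B^c and (B/g)^r h^t = b."""
    first = pow(G, r, P) * pow(H, s, P) % P == a * pow(B, c, P) % P
    second = pow(b_over_g(B), r, P) * pow(H, t, P) % P == b
    return first and second


def run(x, y, c=None):
    """One protocol run; the challenge is random unless fixed by the caller."""
    prover = Prover(x, y)
    a, b = prover.announce()
    if c is None:
        c = secrets.randbelow(N)
    r, s, t = prover.respond(c)
    return verify(prover.B, a, b, c, r, s, t)


if __name__ == "__main__":
    # x in {0, 1}: every run is accepted.
    print([run(x, y) for x in (0, 1) for y in (0, 5, 1018)])
    # x = 2: (B/g)^r h^t equals b * g^(c*x*(x-1)), so the second check
    # fails for every challenge c != 0.
    print([run(2, 7, c) for c in (1, 2, 500, 1018)])
```

Following the prover's steps with x = 2 leaves a factor $g^{cx(x-1)}$ in the second equation, which is why those runs are rejected for every nonzero challenge.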

1a: 2, 1b: 6, 1c: 5, 2a: 6, 2b: 6, 3a: 12, 3b: 3, 4a: 3, 4b: 5, 4c: 2; homework: min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, not exceeding 10.

Cryptographic Protocols (2DMI00) April 18, 2017

TU/e, Department of Mathematics and Computer Science

Cryptographic Protocols (2DMI00)

Exam, June 24, 2016, 18:00–21:00h

Solve the following four problems, providing full motivation for the correctness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. Any other electronic equipment is not allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1) For $k, n \geq 1$ such that $n \leq 2^k$, consider distributions $X$ and $Y$ given by:

$X = \{u : u \in_R \mathbb{Z}_n\}$,
$Y = \{u \bmod n : u \in_R \{0, \ldots, 2^k - 1\}\}$.

Let $\Delta$ denote statistical distance.

a) Show that $\Delta(X;Y) = 0$ if $n = 2^k$.

b) Show that $\Delta(X;Y) = \dfrac{(2^k \bmod n)\,(n - (2^k \bmod n))}{2^k n}$.

c) Show that $\Delta(X;Y) \leq n/2^k$.

Suppose $k$ random bits $b_0 \in_R \{0,1\}, \ldots, b_{k-1} \in_R \{0,1\}$ are used to generate a random value modulo $n$ by returning $z = \left(\sum_{i=0}^{k-1} b_i 2^i\right) \bmod n$ as output.

d) Suggest a value for $k$ as a function of $n$ such that $z$ is approximately uniformly distributed in $\mathbb{Z}_n$.
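The statements in parts a) to c) can be checked by exhaustive enumeration for small parameters. The Python below is an added example, not part of the exam; the function names and the sample modulus 1019 are assumptions made here.

```python
from fractions import Fraction


def statistical_distance(p, q):
    """Delta(P;Q) = 1/2 * sum over v of |Pr[P = v] - Pr[Q = v]|."""
    support = set(p) | set(q)
    total = sum((abs(p.get(v, 0) - q.get(v, 0)) for v in support), Fraction(0))
    return total / 2


def uniform_zn(n):
    """Distribution X: u drawn uniformly from Z_n."""
    return {v: Fraction(1, n) for v in range(n)}


def reduced_bits(n, k):
    """Distribution Y: the integer formed by k uniform bits, reduced mod n."""
    dist = {}
    for u in range(2 ** k):
        dist[u % n] = dist.get(u % n, Fraction(0)) + Fraction(1, 2 ** k)
    return dist


def exact_distance(n, k):
    """Delta(X;Y) computed directly from the two distributions."""
    return statistical_distance(uniform_zn(n), reduced_bits(n, k))


def closed_form(n, k):
    """The expression stated in part b)."""
    r = (2 ** k) % n
    return Fraction(r * (n - r), 2 ** k * n)


def claims_hold(max_k):
    """Check parts a), b) and c) for every 1 <= n <= 2^k with k <= max_k."""
    for k in range(1, max_k + 1):
        for n in range(1, 2 ** k + 1):
            d = exact_distance(n, k)
            if d != closed_form(n, k) or d > Fraction(n, 2 ** k):
                return False
            if n == 2 ** k and d != 0:
                return False
    return True


def bias_table(n, extra_bits):
    """Distance for k = bitlength(n) + e, for each e in extra_bits."""
    base = n.bit_length()
    return {e: closed_form(n, base + e) for e in extra_bits}


if __name__ == "__main__":
    print("parts a)-c) hold for all n <= 2^k, k <= 8:", claims_hold(8))
    # Constructed sample modulus; the distance shrinks as more bits are drawn.
    for e, d in bias_table(1019, [0, 8, 16, 64]).items():
        print(f"k = bitlength(n) + {e:2d}: distance ~ {float(d):.3e}")
```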

2) Let $\langle g\rangle$ be a cyclic group of order $n$.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, compute $g^{1/x^3}$, where $x \in \mathbb{Z}_n^*$.

b) Given $g^x$, $g^{x^2}$, compute $g^{x^3}$, where $x \in \mathbb{Z}_n$.

3) Let $\langle g\rangle$ be a cyclic group of large prime order $n$. Consider relation $R$:

$R = \{(A,B,C;x) : A = g^x \wedge B = g^{x^2} \wedge (C = g^{x^3} \vee C = g^{-x^3})\}$.

a) Give a Σ-protocol for relation $R$ and show that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let $H$ be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.


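4) Let $\langle g\rangle$ be a cyclic group of large prime order $n$.

Let $h \in \langle g\rangle$ denote a random group element such that $\log_g h$ is unknown to anyone.

Party $A$ holds private input bits $x_0, x_1$ and party $B$ holds a private input bit $s$.

Parties $A$ and $B$ run the following $\binom{2}{1}$-OT protocol such that party $B$ obtains $x_s$ as private output bit.

$$
\begin{array}{lcl}
\text{Party } A & & \text{Party } B \\
(x_0, x_1 \in \{0,1\}) & & (s \in \{0,1\}) \\
& & u_B \in_R \mathbb{Z}_n \\
& & h_s \leftarrow g^{u_B} \\
& & h_{1-s} \leftarrow h/g^{u_B} \\
& \xleftarrow{\;h_0,\,h_1\;} & \\
u_A \in_R \mathbb{Z}_n & & \\
(A, B_0, B_1) \leftarrow (g^{u_A},\, h_0^{u_A} g^{x_0},\, h_1^{u_A} g^{x_1}) & & \\
& \xrightarrow{\;(A,\,B_0,\,B_1)\;} & \\
& & x_s \leftarrow \log_g(B_s/A^{u_B})
\end{array}
$$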

First, assume that parties A and B are honest.

a) Show that party B indeed obtains the intended value.

b) Argue why party $B$ is not able to recover $x_{1-s}$, nor any other information than the value of $x_s$.

Next, assume that party $B$ is corrupt.

c) Show how party $B$ can break the protocol.

d) Assume that party $A$ aborts the protocol if $h_0 h_1 = h$ does not hold. Show how party $B$ can still break the protocol.

1a: 2, 1b: 4, 1c: 3, 1d: 3, 2a: 6, 2b: 6, 3a: 11, 3b: 3, 4a: 2, 4b: 3, 4c: 3, 4d: 4; homework: min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, not exceeding 10.

Cryptographic Protocols (2DMI00) June 24, 2016

TU/e, Department of Mathematics and Computer Science

Cryptographic Protocols (2DMI00)

Exam, April 8, 2016, 9:00–12:00h

Solve the following four problems, providing full motivation for the correctness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. Any other electronic equipment is not allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1) Let $\langle g\rangle$ be a cyclic group of order $n$.

Let $k$ denote the bit length of $n$, hence $2^{k-1} \leq n < 2^k$.

Distributions $X$ and $Y$ are defined by:

$X = \{g^x : x \in_R \mathbb{Z}_n\}$,
$Y = \{g^x : x \in_R \{0, \ldots, 2^k - 1\}\}$.

Let $\Delta$ denote statistical distance.

a) Show that $\Delta(X;Y) = 0$ if $n = 2^{k-1}$.

b) Show that $\Delta(X;Y) = \dfrac{(2^k - n)(2n - 2^k)}{2^k n}$.

Suppose $k$ random bits $x_0 \in_R \{0,1\}, \ldots, x_{k-1} \in_R \{0,1\}$ are used to generate an element in $\langle g\rangle$ by returning $g^{\sum_{i=0}^{k-1} x_i 2^i}$ as output.

c) Give an approximate analysis, in terms of $n$ and $k$, to show when the statistical distance between the distribution of $g^{\sum_{i=0}^{k-1} x_i 2^i}$ and the uniform distribution on $\langle g\rangle$ is maximal.

2) Let $\langle g\rangle$ be a cyclic group of order $n$.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, compute $g^{(x-y)^2}$, where $x, y \in \mathbb{Z}_n$.

b) Given $g^x$, $g^y$, compute $g^{(x-y)^2}$, where $x, y \in \mathbb{Z}_n$ and $x - y \in \mathbb{Z}_n^*$.

3) Let $\langle g\rangle$ be a cyclic group of large prime order $n$. Consider relation $R$:

$R = \{(A,B,C;x,y) : A = g^x \wedge B = g^y \wedge (C = g^{x^2-y^2} \vee C = g^{x^2+y^2})\}$.

a) Give a Σ-protocol for relation $R$ and show that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let $H$ be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.


4) Let $\langle g\rangle$ be a cyclic group of large prime order $n$.

Let $h$ be a public key for a (2, 2)-threshold homomorphic ElGamal cryptosystem used by two parties $A$ and $B$, which each hold one of the private shares of the corresponding private key.

Party $A$ holds a private bit $x$ and party $B$ holds a private bit $y$.

Parties $A$ and $B$ run the following protocol (over a public channel) to securely multiply $x$ and $y$.

$$
\begin{array}{lcl}
\text{Party } A & & \text{Party } B \\
(x \in \{0,1\}) & & (y \in \{0,1\}) \\
u \in_R \mathbb{Z}_n & & \\
A \leftarrow g^u & & \\
B \leftarrow h^u g^x & \xrightarrow{\;(A,\,B)\;} & v \in_R \mathbb{Z}_n \\
& & C \leftarrow g^v A^y \\
& \xleftarrow{\;(C,\,D)\;} & D \leftarrow h^v B^y \\
& \overset{\text{jointly decrypt } (C,\,D)}{\longleftrightarrow} & \\
\text{output } xy & & \text{output } xy
\end{array}
$$

The output xy is public.

a) Show that the protocol indeed outputs xy if A and B follow the protocol.

b) Show how party A can learn bit y by deviating from the protocol.

c) Show how an active adversary (not involving $A$ or $B$) can learn both bits $x$ and $y$ by attacking the protocol run between honest parties $A$ and $B$.

1a: 3, 1b: 6, 1c: 3, 2a: 6, 2b: 6, 3a: 11, 3b: 3, 4a: 3, 4b: 4, 4c: 5; homework: min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, not exceeding 10.

Cryptographic Protocols (2DMI00) April 8, 2016

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13)/Cryptographic Protocols 1 (2WC17)

Exam, Oct. 28, 2015, 1:30–4:30pm

Solve the following four problems, providing full motivation for the correctness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. Any other electronic equipment is not allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1) For $n \geq 3$, consider distributions $X_b$, $Y_b$, for $b \in \{0,1\}$, given by:

$X_b = \{u + b : u \in_R \{1, \ldots, n\}\}$,
$Y_b = \{u + (-1)^b : u \in_R \{1, \ldots, n\}\}$.

Let $\Delta$ denote statistical distance.

a) Determine $\Delta(X_0;X_1)$ and $\Delta(Y_0;Y_1)$. Show that $\Delta(Y_0;Y_1) = 2\Delta(X_0;X_1)$.

Now, consider the following symmetric cryptosystem. Given security parameter $k$, the key is generated as $K \in_R \{1, \ldots, 2^k\}$. For a plaintext $M \in \mathbb{Z}$, the ciphertext is computed as $C = M + K$. For a ciphertext $C \in \mathbb{Z}$, the plaintext is recovered as $M = C - K$.

Suppose the cryptosystem is used in either of these modes: mode (i) with plaintexts $M \in \{0,1\}$, or mode (ii) with plaintexts $M \in \{1,-1\}$.

b) Assume an attacker knows which mode applies. Argue in terms of statistical distance, which mode is to be preferred.

Consider the following protocol for sending a bit $b \in \{0,1\}$ from party $A$ to party $B$ over a public channel, where the security objective is to keep bit $b$ hidden from any party other than $A$ and $B$.

$$
\begin{array}{lcl}
\text{Party } A & & \text{Party } B \\
u_A \in_R \{1, \ldots, 2^k\} & & \\
c_A \leftarrow b + u_A & \xrightarrow{\;c_A\;} & u_B \in_R \{1, \ldots, 2^k\} \\
& \xleftarrow{\;c_{AB}\;} & c_{AB} \leftarrow c_A + u_B \\
c_B \leftarrow c_{AB} - u_A & \xrightarrow{\;c_B\;} & b' \leftarrow c_B - u_B
\end{array}
$$

c) Verify that $b' = b$ if parties $A$ and $B$ follow the protocol.

d) Analyze whether the protocol is secure against passive attacks, and whether it is secure against active attacks.

2) Let $\langle g\rangle$ be a cyclic group of order $n$.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, $g^z$, compute $g^{x^2+yz}$, where $x, y, z \in \mathbb{Z}_n$.

b) Given $g^x$, $g^y$, $g^z$, compute $g^{x^2+(y/z)^2}$, where $x \in \mathbb{Z}_n$ and $y, z \in \mathbb{Z}_n^*$.


3) Let $\langle g\rangle$ be a cyclic group of large prime order $n$. Let $h \in \langle g\rangle$ denote a random group element such that $\log_g h$ is unknown to anyone. Consider relation $R$:

$R = \{(A,B,C;x,y) : A = g^x \wedge B = h^y \wedge (C = g^{x^2} \vee C = h^{y^2})\}$.

a) Give a Σ-protocol for relation $R$ and show that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let $H$ be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.

4) Let $\langle g\rangle$ be a cyclic group of large prime order $n$.

Consider the following protocol as a potential alternative to EQ-composition of Schnorr’s protocol. That is, the protocol is intended as a Σ-protocol for relation $R = \{(g_1, h_1, g_2, h_2; x) : h_1 = g_1^x,\ h_2 = g_2^x\}$.

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
(x = \log_{g_1} h_1 = \log_{g_2} h_2) & & \\
u_1, u_2 \in_R \mathbb{Z}_n & & \\
a_1 \leftarrow g_1^{u_1} & & \\
a_2 \leftarrow g_2^{u_2} & & \\
& \xrightarrow{\;a_1,\,a_2\;} & \\
& & c \in_R \mathbb{Z}_n \\
& \xleftarrow{\;c\;} & \\
r_1 \leftarrow_n u_1 + cx & & \\
r_2 \leftarrow_n u_2 + cx & & \\
& \xrightarrow{\;r_1,\,r_2\;} & \\
& & g_1^{r_1} \stackrel{?}{=} a_1 h_1^c \\
& & g_2^{r_2} \stackrel{?}{=} a_2 h_2^c
\end{array}
$$

Note that $R \subseteq V \times W$, where $V = \langle g\rangle^* \times \langle g\rangle \times \langle g\rangle^* \times \langle g\rangle$ and $W = \mathbb{Z}_n$. Hence, for $(g_1, h_1, g_2, h_2; x) \in R$, we have that $g_1$ and $g_2$ are both generators of $\langle g\rangle$, $h_1$ and $h_2$ are arbitrary elements of $\langle g\rangle$, and $x$ is an element of $\mathbb{Z}_n$ such that $x = \log_{g_1} h_1 = \log_{g_2} h_2$.

a) Show that the protocol is complete.

b) Determine if the protocol is special sound. If so, provide a proof; otherwise, show why not.

c) Determine if the protocol is special honest-verifier zero-knowledge. If so, provide a proof; otherwise, show why not.

1a: 4, 1b: 3, 1c: 1, 1d: 4, 2a: 6, 2b: 6, 3a: 11, 3b: 3, 4a: 2, 4b: 5, 4c: 5; homework: min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5 (for 2XC13) and rounded to an integer (for 2WC17), not exceeding 10.

Cryptography 2 (2XC13)/Cryptographic Protocols 1 (2WC17) Oct. 28, 2015

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13)/Cryptographic Protocols 1 (2WC17)

Exam, June 25, 2015, 1:30–4:30pm

Solve the following four problems, providing full motivation for the correctness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. Any other electronic equipment is not allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1) Let $\langle g\rangle$ be a cyclic group of order $n$.

Let $h \in \langle g\rangle^*$, hence $h$ is a generator of $\langle g\rangle$ as well.

Distributions $X_b$, $Y_b$, where $b \in \{0,1\}$, are defined by:

$X_b = \{g^u h^b : u \in_R \mathbb{Z}_n\}$,
$Y_b = \{g^u h^b : u \in_R \mathbb{Z}_n^*\}$.

Let $\Delta$ denote statistical distance.

a) Assume $n$ is prime. Determine $\Delta(X_0;X_1)$ and $\Delta(Y_0;Y_1)$.

b) Assume $n = 2p$, where $p$ is prime. Determine $\Delta(X_0;X_1)$ and $\Delta(Y_0;Y_1)$.

c) Does $\Delta(X_0;Y_0) = \Delta(X_1;Y_1)$ hold for arbitrary $n$? Explain your answer.

2) Let $\langle g\rangle$ be a cyclic group of order $n$.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, $g^z$, compute $g^{xy+z^2}$, where $x, y, z \in \mathbb{Z}_n$.

b) Given $g^x$, $g^y$, $g^z$, compute $g^{xy+(1/z)^2}$, where $x, y \in \mathbb{Z}_n$ and $z \in \mathbb{Z}_n^*$.

3) Let $\langle g\rangle$ be a cyclic group of large prime order $n$. Let $h \in \langle g\rangle$ denote a random group element such that $\log_g h$ is unknown to anyone. Consider relation $R$:

$R = \{(A,B,C;x,y) : A = g^x \wedge B = h^y \wedge (C = g^{2x+y} \vee C = h^{2xy})\}$.

a) Give a Σ-protocol for relation $R$ and show that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let $H$ be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.


4) Let $\langle g\rangle$ be a cyclic group of large prime order $n$.

Consider the following protocol as a potential alternative to OR-composition of Schnorr’s protocol. That is, the protocol is intended as a Σ-protocol for relation $\{(h_1, h_2; x_1, x_2) : h_1 = g^{x_1} \vee h_2 = g^{x_2}\}$.

$$
\begin{array}{llcl}
\text{Prover} & & & \text{Verifier} \\
(\text{using } x_1 = \log_g h_1) & (\text{using } x_2 = \log_g h_2) & & \\
r_2, u_1 \in_R \mathbb{Z}_n & r_1, u_2 \in_R \mathbb{Z}_n & & \\
a_1 \leftarrow g^{u_1} & a_1 \leftarrow g^{r_1} & & \\
a_2 \leftarrow g^{r_2} & a_2 \leftarrow g^{u_2} & & \\
& & \xrightarrow{\;a_1,\,a_2\;} & \\
& & & c \in_R \mathbb{Z}_n \\
& & \xleftarrow{\;c\;} & \\
r_1 \leftarrow_n u_1 + c x_1 & r_2 \leftarrow_n u_2 + c x_2 & & \\
& & \xrightarrow{\;r_1,\,r_2\;} & \\
& & & g^{r_1} \stackrel{?}{=} a_1 h_1^c \;\vee\; g^{r_2} \stackrel{?}{=} a_2 h_2^c
\end{array}
$$

a) Show that the protocol is complete.

b) Determine if the protocol is special sound. If so, provide a proof; otherwise, show why not.

c) Determine if the protocol is special honest-verifier zero-knowledge. If so, provide a proof; otherwise, show why not.

1a: 4, 1b: 4, 1c: 4, 2a: 6, 2b: 6, 3a: 11, 3b: 3, 4a: 2, 4b: 5, 4c: 5; homework: min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5 (for 2XC13) and rounded to an integer (for 2WC17), not exceeding 10.

Cryptography 2 (2XC13)/Cryptographic Protocols 1 (2WC17) June 25, 2015

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13)/Cryptographic Protocols 1 (2WC17)

Exam, April 16, 2015, 1:30–4:30pm

Solve the following four problems, providing full motivation for the correctness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. Any other electronic equipment is not allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1) Let $\langle g\rangle$ be a cyclic group of order $n$.

Let $x, y \in \mathbb{Z}_n^*$ be fixed.

Let distributions $X$, $Y$, $Z$ be given by:

$X = \{(g^{xu}, g^{yu}) : u \in_R \mathbb{Z}_n^*\}$,

$Y = \{(g^{xt}, g^{yu}) : t, u \in_R \mathbb{Z}_n^*\}$,

$Z = \{(g^t, g^u) : t, u \in_R \mathbb{Z}_n^*\}$.

Let $\Delta$ denote statistical distance.

a) Assume $n$ is prime. Determine $\Delta(X;Y)$, $\Delta(X;Z)$, and $\Delta(Y;Z)$.

b) Determine $\Delta(X;Y)$, $\Delta(X;Z)$, and $\Delta(Y;Z)$ for arbitrary $n$.

2) Let $\langle g\rangle$ be a cyclic group of order $n$.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, $g^{x/y}$, compute $g^{y/x}$, where $x, y \in \mathbb{Z}_n^*$.

b) Given $g^x$, $g^y$, compute $g^{1/(x+y)}$, where $x, y \in \mathbb{Z}_n$, $x + y \in \mathbb{Z}_n^*$.

3) Let $\langle g\rangle$ be a cyclic group of large prime order $n$. Let $h \in \langle g\rangle$ denote a random group element such that $\log_g h$ is unknown to anyone. Consider relation $R$:

$R = \{(A,B,C;x,y) : A = g^x \wedge B = h^y \wedge (C = g^{xy} \vee C = h^{x+y})\}$.

a) Give a Σ-protocol for relation $R$ and show that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let $H$ be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.


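4) Let $\langle g\rangle$ be a cyclic group of large prime order $n$. Consider the following two protocols as variations of the Schnorr Σ-protocol for relation $\{(h;x) : h = g^x\}$:

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
(x = \log_g h) & & \\
u \in_R \mathbb{Z}_n & & \\
a \leftarrow g^u & & \\
& \xrightarrow{\;a\;} & \\
& & c \in_R \mathbb{Z}_n \\
& \xleftarrow{\;c\;} & \\
r \leftarrow_n 2u + cx & & \\
& \xrightarrow{\;r\;} & \\
& & g^r \stackrel{?}{=} a^2 h^c
\end{array}
$$

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
(x = \log_g h) & & \\
u \in_R \mathbb{Z}_n & & \\
a \leftarrow g^u & & \\
& \xrightarrow{\;a\;} & \\
& & c \in_R \mathbb{Z}_n \\
& \xleftarrow{\;c\;} & \\
r \leftarrow_n u + c^2 x & & \\
& \xrightarrow{\;r\;} & \\
& & g^r \stackrel{?}{=} a h^{c^2}
\end{array}
$$

a) Show that both protocols are complete.

b) For each of the protocols determine if it is special sound. If so, provide a proof; otherwise, show why not.

c) For each of the protocols determine if it is special honest-verifier zero-knowledge. If so, provide a proof; otherwise, show why not.

1a: 6, 1b: 6, 2a: 6, 2b: 6, 3a: 11, 3b: 3, 4a: 2, 4b: 5, 4c: 5; homework: min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5 (for 2XC13) and rounded to an integer (for 2WC17), not exceeding 10.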

Cryptography 2 (2XC13)/Cryptographic Protocols 1 (2WC17) April 16, 2015

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13)/Cryptographic Protocols 1 (2WC17)

Exam, June 26, 2014, 2:00–5:00pm

Solve the following four problems, providing full motivation for the correctness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. Any other electronic equipment is not allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1) Let $\langle g\rangle$ be a cyclic group of order $n$, $n \geq 2$.

Let distributions $X$, $Y$, $Z$ be given by:

$X = \{(g^x, g^y, g^{xy}) : x, y \in_R \mathbb{Z}_n\}$,
$Y = \{(g^x, g^y, g^z) : x, y, z \in_R \mathbb{Z}_n,\ z - xy \in \mathbb{Z}_n^*\}$,
$Z = \{(g^x, g^y, g^z) : x, y, z \in_R \mathbb{Z}_n\}$.

Let $\Delta$ denote statistical distance.

a) Assume $n$ is prime. Determine $\Delta(X;Y)$, $\Delta(X;Z)$, and $\Delta(Y;Z)$.

b) Assume $n$ is an arbitrary integer $n \geq 2$. Determine $\Delta(X;Y)$, $\Delta(X;Z)$, and $\Delta(Y;Z)$.

2) Let $\langle g\rangle$ be a cyclic group of large prime order $n$.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, compute $g^{(x-1+y)^2}$, where $x, y \in \mathbb{Z}_n$.

b) Given $g^x$, $g^y$, compute $g^{(x-1)/y}$, where $x \in \mathbb{Z}_n \setminus \{1\}$ and $y \in \mathbb{Z}_n^*$.

3) Let $\langle g\rangle$ be a cyclic group of large prime order $n$. Let $h \in \langle g\rangle$ denote a random group element such that $\log_g h$ is unknown to anyone. Consider relation $R$:

$R = \{(A,B,C;x,y) : A = g^x \wedge B = g^y \wedge (C = h^{x+y} \vee C = h^{x-y})\}$.

a) Give a Σ-protocol for relation $R$ and show that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let $H$ be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.


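4) Let $\langle g\rangle$ be a cyclic group of large prime order $n$. Consider the following two protocols as variations of the Schnorr Σ-protocol for relation $\{(h;x) : h = g^x\}$:

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
(x = \log_g h) & & \\
u_1, u_2 \in_R \mathbb{Z}_n & & \\
a_1 \leftarrow g^{u_1} & & \\
a_2 \leftarrow g^{u_2} & & \\
& \xrightarrow{\;a_1,\,a_2\;} & \\
& & c_1, c_2 \in_R \mathbb{Z}_n \\
& \xleftarrow{\;c_1,\,c_2\;} & \\
r_1 \leftarrow_n u_1 + c_1 x & & \\
r_2 \leftarrow_n u_2 + c_2 x & & \\
& \xrightarrow{\;r_1,\,r_2\;} & \\
& & g^{r_1} \stackrel{?}{=} a_1 h^{c_1} \\
& & g^{r_2} \stackrel{?}{=} a_2 h^{c_2}
\end{array}
$$

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
(x = \log_g h) & & \\
r_1, r_2 \in_R \mathbb{Z}_n & & \\
& \xrightarrow{\;r_1,\,r_2\;} & \\
& & c_1, c_2 \in_R \mathbb{Z}_n \\
& \xleftarrow{\;c_1,\,c_2\;} & \\
a_1 \leftarrow g^{r_1 - c_1 x} & & \\
a_2 \leftarrow g^{r_2 - c_2 x} & & \\
& \xrightarrow{\;a_1,\,a_2\;} & \\
& & g^{r_1} \stackrel{?}{=} a_1 h^{c_1} \\
& & g^{r_2} \stackrel{?}{=} a_2 h^{c_2}
\end{array}
$$

a) Show that both protocols are complete.

b) For each of the protocols determine if it is special sound. If so, provide a proof; otherwise, show why not.

c) For each of the protocols determine if it is special honest-verifier zero-knowledge. If so, provide a proof; otherwise, show why not.

1a: 6, 1b: 6, 2a: 6, 2b: 6, 3a: 11, 3b: 3, 4a: 2, 4b: 5, 4c: 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5 (for 2XC13) and rounded to an integer (for 2WC17).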

Cryptography 2 (2XC13)/Cryptographic Protocols 1 (2WC17) June 26, 2014

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13)/Cryptographic Protocols 1 (2WC17)

Exam, April 17, 2014, 2:00–5:00pm

Solve the following four problems, providing full motivation for the correctness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. Any other electronic equipment is not allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

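1) Let $\langle g\rangle$ be a cyclic group of large prime order $n$. Consider the following parameterized Diffie-Hellman key exchange protocol:

$$
\begin{array}{lcl}
\text{Party } A & & \text{Party } B \\
x_A \in_R V_A & & x_B \in_R V_B \\
h_A \leftarrow g^{x_A} & & h_B \leftarrow g^{x_B} \\
& \xrightarrow{\;h_A\;} & \\
& \xleftarrow{\;h_B\;} & \\
K \leftarrow h_B^{x_A} & & K \leftarrow h_A^{x_B}
\end{array}
$$

Let distributions $X$ and $Y$ be given by:

$X = \{g^t : t \in_R \mathbb{Z}_n^*\}$,
$Y = \{g^u : u \in_R \mathbb{Z}_n\}$.

Let $\Delta$ denote statistical distance.

a) Determine $\Delta(K;X)$ if $V_A = \mathbb{Z}_n^*$ and $V_B = \mathbb{Z}_n^*$.

b) Determine $\Delta(K;X)$ and $\Delta(K;Y)$ if $V_A = \mathbb{Z}_n$ and $V_B = \mathbb{Z}_n^*$.

c) Determine $\Delta(K;Y)$ if $V_A = \mathbb{Z}_n$ and $V_B = \mathbb{Z}_n$.

2) Let $\langle g\rangle$ be a cyclic group of large prime order $n$.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, $g^{xy}$, compute $g^{\frac{1}{xy}}$, where $x, y \in \mathbb{Z}_n^*$.

b) Given $g^x$, $g^y$, compute $g^{(x-1)/y}$, where $x \in \mathbb{Z}_n$ and $y \in \mathbb{Z}_n^*$.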


3) Let $\langle g\rangle$ be a cyclic group of large prime order $n$. Let $h \in \langle g\rangle$ denote a random group element such that $\log_g h$ is unknown to anyone. Consider relation $R$:

$R = \{(A,B,C;x,y) : A = g^x \wedge B = g^y \wedge (C = h^x \vee C = h^y)\}$.

a) Give a Σ-protocol for relation $R$ and show that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let $H$ be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.

4) Let $\langle g\rangle$ be a cyclic group of large prime order $n$. Consider the following two protocols as variations of the Schnorr Σ-protocol for relation $\{(h;x) : h = g^x\}$:

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
(x = \log_g h) & & \\
r \in_R \mathbb{Z}_n & & \\
& \xrightarrow{\;r\;} & \\
& & c_1, c_2 \in_R \mathbb{Z}_n \\
& \xleftarrow{\;c_1,\,c_2\;} & \\
a_1 \leftarrow g^{r - c_1 x} & & \\
a_2 \leftarrow g^{r - c_2 x} & & \\
& \xrightarrow{\;a_1,\,a_2\;} & \\
& & g^r \stackrel{?}{=} a_1 h^{c_1} \\
& & g^r \stackrel{?}{=} a_2 h^{c_2}
\end{array}
$$

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
(x = \log_g h) & & \\
u \in_R \mathbb{Z}_n & & \\
a \leftarrow g^u & & \\
& \xrightarrow{\;a\;} & \\
& & c_1, c_2 \in_R \mathbb{Z}_n \\
& \xleftarrow{\;c_1,\,c_2\;} & \\
r_1 \leftarrow_n u + c_1 x & & \\
r_2 \leftarrow_n u + c_2 x & & \\
& \xrightarrow{\;r_1,\,r_2\;} & \\
& & g^{r_1} \stackrel{?}{=} a h^{c_1} \\
& & g^{r_2} \stackrel{?}{=} a h^{c_2}
\end{array}
$$

a) Show that both protocols are complete.

b) For each of the protocols determine if it is special sound. If so, provide a proof; otherwise, show why not.

c) For each of the protocols determine if it is special honest-verifier zero-knowledge. If so, provide a proof; otherwise, show why not.

1a: 3, 1b: 6, 1c: 3, 2a: 6, 2b: 6, 3a: 11, 3b: 3, 4a: 2, 4b: 5, 4c: 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5 (for 2XC13) and rounded to an integer (for 2WC17).

Cryptography 2 (2XC13)/Cryptographic Protocols 1 (2WC17) April 17, 2014

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13)/Cryptographic Protocols 1 (2WC17)

Exam, June 25, 2013, 2:00–5:00pm

Solve the following four problems, providing full motivation for the correctness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. Any other electronic equipment is not allowed, nor any notes or books.

Please, hand in your answer pages, not your scratch paper.

1) For integer $n \geq 3$, consider distributions $X_b$, $Y_b$, $b \in \{0,1\}$, given by:

$X_b = \{u + b : u \in_R \{1, \ldots, n\}\}$,
$Y_b = \{u + (-1)^b : u \in_R \{1, \ldots, n\}\}$.

Let $\Delta$ denote statistical distance.

a) Determine $\Delta(X_0;X_1)$ and $\Delta(Y_0;Y_1)$. Show that $\Delta(Y_0;Y_1) = 2\Delta(X_0;X_1)$.

Now, consider the following symmetric cryptosystem. Given security parameter $k$, the key is generated as $K \in_R \{1, \ldots, 2^k\}$. For a plaintext $M \in \mathbb{Z}$, the ciphertext is computed as $C = M + K$. For a ciphertext $C \in \mathbb{Z}$, the plaintext is recovered as $M = C - K$.

Suppose the cryptosystem is used in either of these modes: mode (i) with plaintexts $M \in \{0,1\}$, or mode (ii) with plaintexts $M \in \{1,-1\}$.

b) Assume an attacker knows which mode applies. Argue in terms of statistical distance, which mode is to be preferred.

Consider the following protocol for sending a bit $b \in \{0,1\}$ from party $A$ to party $B$ over a public channel, where the security objective is to keep bit $b$ hidden from any party other than $A$ and $B$.

$$
\begin{array}{lcl}
\text{Party } A & & \text{Party } B \\
u_A \in_R \{1, \ldots, 2^k\} & & \\
c_A \leftarrow b + u_A & \xrightarrow{\;c_A\;} & u_B \in_R \{1, \ldots, 2^k\} \\
& \xleftarrow{\;c_{AB}\;} & c_{AB} \leftarrow c_A + u_B \\
c_B \leftarrow c_{AB} - u_A & \xrightarrow{\;c_B\;} & b' \leftarrow c_B - u_B
\end{array}
$$

c) Verify that $b' = b$ if parties $A$ and $B$ follow the protocol.

d) Analyze whether the protocol is secure against passive attacks, and whether it is secure against active attacks.

2) Let $\langle g\rangle$ be a cyclic group of order $n$, where $n$ is a large prime.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, $g^{\frac{1}{xy}}$, compute $g^{xy}$, where $x, y \in \mathbb{Z}_n^*$.

b) Given $g^x$, $g^y$, compute $g^{x^2+y^2}$, where $x \in \mathbb{Z}_n$ and $y \in \mathbb{Z}_n^*$.


3) Let $\langle g\rangle$ be a cyclic group of order $n$, where $n$ is a large prime. Let $h \in \langle g\rangle$ denote a random group element such that $\log_g h$ is unknown to anyone. Consider relation $R$:

$R = \{(A,B,C;x,y) : A = g^x \wedge B = h^y \wedge (C = g^{xy} \vee C = h^{xy})\}$.

a) Give a Σ-protocol for relation $R$ and show that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let $H$ be a cryptographic hash function. Turn your Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the Σ-proof is verified.

4) Let $\langle g\rangle$ be a cyclic group of prime order $n$. Consider the following two protocols as variations of the Schnorr Σ-protocol for relation $\{(h;x) : h = g^x\}$:

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
(x = \log_g h) & & \\
u \in_R \mathbb{Z}_n & & \\
& \xrightarrow{\;u\;} & \\
& & c \in_R \mathbb{Z}_n \\
& \xleftarrow{\;c\;} & \\
r \leftarrow_n u + cx & & \\
& \xrightarrow{\;r\;} & \\
& & g^r \stackrel{?}{=} g^u h^c
\end{array}
$$

$$
\begin{array}{lcl}
\text{Prover} & & \text{Verifier} \\
(x = \log_g h) & & \\
r \in_R \mathbb{Z}_n & & \\
& \xrightarrow{\;r\;} & \\
& & c \in_R \mathbb{Z}_n \\
& \xleftarrow{\;c\;} & \\
a \leftarrow g^{r - cx} & & \\
& \xrightarrow{\;a\;} & \\
& & g^r \stackrel{?}{=} a h^c
\end{array}
$$

a) Show that both protocols are complete.

b) For each of the protocols determine if it is special sound. If so, provide a proof; otherwise, show why not.

c) For each of the protocols determine if it is special honest-verifier zero-knowledge. If so, provide a proof; otherwise, show why not.

1a: 4, 1b: 3, 1c: 1, 1d: 4, 2a: 6, 2b: 6, 3a: 11, 3b: 3, 4a: 2, 4b: 5, 4c: 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5 (for 2XC13) and rounded to an integer (for 2WC17).

Cryptography 2 (2XC13)/Cryptographic Protocols 1 (2WC17) June 25, 2013

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13)/Cryptographic Protocols 1 (2WC17)

Exam, April 11, 2013, 2:00–5:00pm

Solve the following four problems, providing full motivation for the correctness and completeness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed, nor any notes or books.

Hand in your answer pages, not your scratch paper. GOOD LUCK!

1) Let $\langle g\rangle$ be a cyclic group of order $n$, where $n$ is prime. Let $g_1, g_2, h_1, h_2 \in \langle g\rangle \setminus \{1\}$. For fixed $c \in \mathbb{Z}_n^*$, consider distributions $R$, $S$ given by:

$R = \{(a_1, a_2; c; r) : u \in_R \mathbb{Z}_n;\ a_1 \leftarrow g_1^u;\ a_2 \leftarrow g_2^u;\ r \leftarrow_n u + cx\}$,
$S = \{(a_1, a_2; c; r) : r \in_R \mathbb{Z}_n;\ a_1 \leftarrow g_1^r h_1^{-c};\ a_2 \leftarrow g_2^r h_2^{-c}\}$.

Let $\Delta$ denote statistical distance.

a) Determine $\Delta(R;S)$ if $\log_{g_1} h_1 = \log_{g_2} h_2$.

b) Determine $\Delta(R;S)$ if $\log_{g_1} h_1 \neq \log_{g_2} h_2$.

Next, assume $\log_{g_1} h_1 = \log_{g_2} h_2$. For fixed $c \in \mathbb{Z}_n^*$, consider also distributions $R'$, $S'$ given by:

$R' = \{(a_1, a_2; c; r) : u \in_R \mathbb{Z}_n^*;\ a_1 \leftarrow g_1^u;\ a_2 \leftarrow g_2^u;\ r \leftarrow_n u + cx\}$,
$S' = \{(a_1, a_2; c; r) : r \in_R \mathbb{Z}_n^*;\ a_1 \leftarrow g_1^r h_1^{-c};\ a_2 \leftarrow g_2^r h_2^{-c}\}$.

c) Determine both $\Delta(R;R')$ and $\Delta(S;S')$.

d) Show that $\Delta(R';S') \leq 2/n$ using triangle inequalities for $\Delta$.

2) Let $\langle g\rangle$ be a cyclic group of order $n$, where $n$ is a large prime.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x$, $g^y$, compute $g^{x^2/y}$, where $x, y \in \mathbb{Z}_n^*$.

b) Given $g^x$, $g^y$, compute $g^{x/y}$, where $x \in \mathbb{Z}_n$ and $y \in \mathbb{Z}_n^*$.


3) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider relation R:

R = {(A,B,C;x, y) : (A = gx ∨ B = gy) ∧ C = gxy}.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, andspecial honest-verifier zero-knowledge.

b) Let H be a cryptographic hash function. Turn your Σ-protocol into a non-interactiveΣ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) Let 〈g〉 be a cyclic group of prime order n. Let g1, g2, h1, h2 ∈ 〈g〉 \ {1}. Considerthe following Σ-protocol for relation {(g1, h1, g2, h2;x1, x2) : h1 = gx1

1 , h2 = gx22 }.

Prover Verifier((x1, x2) = (logg h1, logg h2))

(if x1 = x2) (if x1 6= x2)

u1 ∈R Zn c1, r1 ∈R Zn

a11 ← gu11 a11 ← gr11 h−c11

a12 ← gu12 a12 ← gr12 h−c12

c2, r21, r22, r23, r24 ∈R Zn u21, u22, u23, u24 ∈R Zn

a21 ← gr211 h−c21 a21 ← gu211

a22 ← gr222 h−c22 a22 ← gu222

a23 ← (g1g2)r23(h1h2)

r24g−c22 a23 ← (g1g2)u23(h1h2)

u24 −−a11, a12, a21, a22, a23−−−−−−−−−−−−−−−−→

c ∈R Zn

c1 ←n c− c2 c2 ←n c− c1 ←−−−−−−−−−c−−−−−−−−−

r1 ←n u1 + c1x1 r21 ←n u21 + c2x1

r22 ←n u22 + c2x2

r23 ←n u23 + c2x1/(x1 − x2)

r24 ←n u24 + c2/(x2 − x1) −c1, c2, r1, r21, r22, r23, r24−−−−−−−−−−−−−−−−−−→ c1 + c2

?=n c

gr11?= a11h

c11

gr12?= a12h

c12

gr211?= a21h

c21

gr222?= a22h

c22

(g1g2)r23(h1h2)

r24 ?= a23g

c22

a) Show that the protocol is complete.

b) Show that the protocol is special sound.

c) Show that the protocol is special honest-verifier zero-knowledge.

1a: 3  1c: 4  2a: 6  3a: 12  4a: 2  4c: 4
1b: 3  1d: 3  2b: 6  3b: 3   4b: 4

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5 (for 2XC13) and rounded to an integer (for 2WC17).

Cryptography 2 (2XC13)/Cryptographic Protocols 1 (2WC17) April 11, 2013

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13) / Cryptographic Protocols (2XC10)

Exam, June 25, 2012, 2:00–5:00pm

Solve the following four problems, providing full motivation for the correctness and completeness of your solutions.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed, nor any notes or books.

Hand in your answer pages, not your scratch paper. GOOD LUCK!

1) For integer n ≥ 1, consider distributions $U, U^+, U^-$ given by:

$U = \{u : u \in_R \{1, \ldots, n\}\}$,

$U^+ = \{u + b : u \in_R \{1, \ldots, n\},\ b \in_R \{0, 1\}\}$,

$U^- = \{u - b : u \in_R \{1, \ldots, n\},\ b \in_R \{0, 1\}\}$.

Let ∆ denote statistical distance.

a) Determine $\Delta(U; U^+)$, $\Delta(U; U^-)$, and $\Delta(U^+; U^-)$.

Let X and Y be random variables taking on values in a finite set V .

b) Show that |Pr[X = v]− Pr[Y = v]| ≤ ∆(X;Y ) for all v ∈ V .

c) Does $\Delta(X; Y) = \max_{v \in V} |\Pr[X = v] - \Pr[Y = v]|$ hold in general? Explain your answer.

2) Let 〈g〉 be a cyclic group of order n, where n is a large prime.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x, g^y$, compute $g^{(x-y)^2}$, where $x, y \in \mathbb{Z}_n$.

b) Given $g^x, g^y$, compute $g^{1/(x-y)}$, where $x, y \in \mathbb{Z}_n$ and $x \neq y$.


3) Let 〈g〉 be a cyclic group of order n, where n is a large prime.

Consider the relation R given by

$R = \{(A, B, C; x, y) : A = g^x \land B = g^y \land (C = g^{x^2} \lor C = g^{y^2})\}$.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Let $h \in \langle g \rangle$ denote a random group element such that $\log_g h$ is unknown to anyone.

Consider the following protocol for relation $\{(B; x, y) : B = g^x h^y \land xy = 1\}$:

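Prover: $u, v, w \in_R \mathbb{Z}_n$; $a \leftarrow g^u h^v$; $b \leftarrow g^w B^u$

Prover → Verifier: $a, b$

Verifier: $c \in_R \mathbb{Z}_n$

Verifier → Prover: $c$

Prover: $r \leftarrow_n u + cx$; $s \leftarrow_n v + cy$; $t \leftarrow_n w - cx^2$

Prover → Verifier: $r, s, t$

Verifier checks: $g^r h^s \stackrel{?}{=} a B^c$ and $g^t B^r \stackrel{?}{=} b h^c$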

a) Show that the protocol is a Σ-protocol.

b) What happens if the challenge is generated as c = H(a, b) (hence omitting B from the input to H) to obtain a non-interactive Σ-proof? Is it secure? Explain your answer.

1a: 6  1c: 3  2a: 6  3a: 11  4a: 6
1b: 4  2b: 6  3b: 3  4b: 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, not exceeding 10.

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13) / Cryptographic Protocols (2XC10)

Exam, April 16, 2012, 2:00–5:00pm

Solve the following four problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed, nor any notes or books.

Hand in your answer pages, not your scratch paper. GOOD LUCK!

1) For integer n ≥ 2, consider distributions $X, Y^+, Z^+, Y^-, Z^-$ given by:

$X = \{(u, v) : u, v \in_R \mathbb{Z}_n\}$,

$Y^+ = \{(u, v) : u \in_R \mathbb{Z}_n;\ v \in_R \mathbb{Z}_n \setminus \{u\}\}$,

$Z^+ = \{(u, u) : u \in_R \mathbb{Z}_n\}$,

$Y^- = \{(u, v) : u \in_R \mathbb{Z}_n;\ v \in_R \mathbb{Z}_n \setminus \{-u\}\}$,

$Z^- = \{(u, -u) : u \in_R \mathbb{Z}_n\}$.

Let ∆ denote statistical distance.

a) Determine $\Delta(X, Y^+)$, $\Delta(X, Z^+)$, $\Delta(Y^+, Z^+)$.

b) Given the answer to part (a), what are $\Delta(X, Y^-)$, $\Delta(X, Z^-)$, $\Delta(Y^-, Z^-)$?

c) Determine $\Delta(Z^+, Z^-)$.

2) Let 〈g〉 be a cyclic group of order n, where n is a large prime.

Show that each of the following computational problems is random self-reducible.

a) Given $g^x, g^y$, compute $g^{x/y}$, where $x, y \in \mathbb{Z}_n^*$.

b) Given $g^x, g^y$, compute $g^{x+1/y}$, where $x \in \mathbb{Z}_n$ and $y \in \mathbb{Z}_n^*$.


3) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Let $h \in \langle g \rangle$ denote a random group element such that $\log_g h$ is unknown to anyone.

Consider the relation R given by

$R = \{(A, B, C; x, y) : A = g^x \land (B = g^x h^y \lor C = g^{x^2} h^y)\}$.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Let $h \in \langle g \rangle$ denote a random group element such that $\log_g h$ is unknown to anyone.

Consider the following protocol for relation $\{(B; x, y) : B = g^x h^y \land xy = 1\}$:

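Prover: $u, v, w \in_R \mathbb{Z}_n$; $a \leftarrow g^u h^v$; $b \leftarrow B^v h^w$

Prover → Verifier: $a, b$

Verifier: $c \in_R \mathbb{Z}_n$

Verifier → Prover: $c$

Prover: $r \leftarrow_n u + cx$; $s \leftarrow_n v + cy$; $t \leftarrow_n w - cy^2$

Prover → Verifier: $r, s, t$

Verifier checks: $g^r h^s \stackrel{?}{=} a B^c$ and $B^s h^t \stackrel{?}{=} b g^c$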

a) Show that the protocol is a Σ-protocol.

b) What happens if the challenge is generated as c = H(a, b) (hence omitting B from the input to H) to obtain a non-interactive Σ-proof? Is it secure? Explain your answer.

1a: 6  1c: 4  2a: 6  3a: 11  4a: 6  homework
1b: 3  2b: 6  3b: 3  4b: 5   min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, not exceeding 10.

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13) / Cryptographic Protocols (2XC10)

Exam, June 27, 2011, 2:00–5:00pm

Solve the following four problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed, nor any notes or books.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

1) Let K,M be positive integers with K ≤M .

Consider distributions X and Y given by

X = {r + s : r ∈R {0, . . . ,M − 1}, s ∈R {0, . . . , K − 1}},

Y = {u : u ∈R {0, . . . ,M +K − 2}}.

Let ∆ denote statistical distance.

a) Determine ∆(X, Y ) for K = 1 and arbitrary M ≥ K.

b) Determine ∆(X, Y ) for K = 2 and arbitrary M ≥ K.

c) Determine ∆(X, Y ) for K = 3 and arbitrary M ≥ K.

d) Determine ∆(X, Y ) for K = 4 and arbitrary M ≥ K.

e) Do you think that to obtain a uniform value on {0, 1, . . . , 2M − 2} it is a good idea to add two (independent) uniform random values from {0, 1, . . . , M − 1}?

2) Let 〈g〉 be a cyclic group of order n, where n is a large prime.

Consider the following two computational problems:

DH2-invsqm problem: given $g^x, g^y$, compute $g^{x^2 - 1/y^2}$, where $x \in \mathbb{Z}_n$ and $y \in \mathbb{Z}_n^*$.

DH-rec1 problem: given $g^x$, compute $g^{1/(x-1)^2}$, where $x \in \mathbb{Z}_n \setminus \{1\}$.

a) Show that the DH2-invsqm problem is random self-reducible.

b) Show that the DH-rec1 problem is random self-reducible.


3) Let 〈g〉 be a cyclic group of order n, where n is a large prime.

Consider the relation R given by

$R = \{(A, B, C; x) : A = g^x \land (B = g^{x+x^2} \lor C = g^{x-x^2})\}$.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) Let 〈g〉 be a cyclic group of order n, where n is a large prime.

Consider the following protocol for relation $\{(h; x) : h = g^x\}$:

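Prover: $u \in_R \mathbb{Z}_n^*$; $a \leftarrow g^u$; $b \in_R \mathbb{Z}_n$

Prover → Verifier: $a, b$

Verifier: $c \in_R \mathbb{Z}_n$

Verifier → Prover: $c$

Prover: $r \leftarrow_n (b + c)u + x$

Prover → Verifier: $r$

Verifier checks: $g^r \stackrel{?}{=} a^{b+c} h$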

a) Show that the protocol is complete and special sound.

b) Show that the protocol is special honest-verifier zero-knowledge.

c) Is the protocol secure against a cheating verifier?

1a: 1  1c: 3  1e: 3  2a: 6  3a: 10  4a: 4  4c: 3
1b: 2  1d: 4  2b: 6  3b: 3  4b: 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, not exceeding 10.

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13) / Cryptographic Protocols (2XC10)

Exam, April 4, 2011, 2:00–5:00pm

Solve the following four problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed, nor any notes or books.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

1) Let K, M be positive integers with K < M. Consider distributions X, Y, Z given by

X = {u : u ∈R {1, . . . , KM}}

Y = {uM : u ∈R {1, . . . , K}}

Z = {uK : u ∈R {1, . . . ,M}}.

Let ∆ denote statistical distance.

a) Determine ∆(X, Y ) and ∆(X, Z).

b) Determine ∆(Y, Z) assuming that gcd(K, M) = 1.

c) Determine ∆(Y, Z) for arbitrary positive integers K, M with K < M .

2) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following two computational problems:

DH2-3S problem: given $(g^x, g^y, g^{(x+y)^2})$, compute $g^{(x+y)^3}$, where $x, y \in \mathbb{Z}_n$;

DH-rat problem: given $(g^x, g^{x^2}, g^y)$, compute $(g^{1/x}, g^{y/x})$, where $x \in \mathbb{Z}_n^*$ and $y \in \mathbb{Z}_n$.

a) Show that the DH2-3S problem is random self-reducible.

b) Show that the DH-rat problem is random self-reducible.


3) Let 〈g〉 be a cyclic group of order n, where n is a large prime.

Consider the relation R given by

$R = \{(A, B, C; x) : A = g^x \land (B = g^{x^2} \lor C = g^{-x^2})\}$.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following protocol for relation $\{(h_1, h_2; x_1, x_2) : h_1 = g^{x_1},\ h_2 = g^{x_2}\}$:

Prover: $u \in_R \mathbb{Z}_n$; $a \leftarrow g^u$

Prover → Verifier: $a$

Verifier: $c \in_R \mathbb{Z}_n$

Verifier → Prover: $c$

Prover: $r \leftarrow_n u + c x_1 + c^2 x_2$

Prover → Verifier: $r$

Verifier checks: $g^r \stackrel{?}{=} a\, h_1^{c}\, h_2^{c^2}$

a) Show that the protocol is complete and special honest-verifier zero-knowledge.

b) Why does special soundness not hold for this protocol? Hint: consider a prover who knows $x_1 = \log_g h_1$ but does not know $x_2 = \log_g h_2$.

c) Show that soundness holds in the following sense. For any $(h_1, h_2) \in \langle g \rangle \times \langle g \rangle$, given three accepting conversations $(a; c; r)$, $(a; c'; r')$, $(a; c''; r'')$ with $c \neq c'$, $c \neq c''$, $c' \neq c''$, show how to efficiently compute witness $(x_1, x_2)$ satisfying $h_1 = g^{x_1}$ and $h_2 = g^{x_2}$.

1a: 4  1c: 5  2a: 6  3a: 10  4a: 4  4c: 4  homework
1b: 4  2b: 6  3b: 3  4b: 4   min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, not exceeding 10.

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13) / Cryptographic Protocols (2XC10)

Exam, June 28, 2010, 2:00–5:00pm

Solve the following four problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed, nor any notes or books.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

1) Let p denote an odd prime. Recall that $\mathbb{Z}_p^* = QR_p \cup \overline{QR}_p$, where

$QR_p = \{x : \exists_{y \in \mathbb{Z}_p^*}\ x = y^2\}$

$\overline{QR}_p = \mathbb{Z}_p^* \setminus QR_p$

denote the set of quadratic residues modulo p and the set of quadratic nonresidues modulo p, respectively.

Let g denote a generator of $\mathbb{Z}_p^*$, hence $\mathbb{Z}_p^* = \{1, g, g^2, \ldots, g^{p-2}\}$ and $g^{p-1} = 1$ where all multiplications are modulo p.

Consider distributions X, Y, Z given by

$X = \{u^2 : u \in_R \mathbb{Z}_p^*\}$,

$Y = \{g^b u^2 : b \in_R \{0, 1\},\ u \in_R \mathbb{Z}_p^*\}$,

$Z = \{g u^2 : u \in_R \mathbb{Z}_p^*\}$,

where all multiplications are modulo p.

Let ∆ denote statistical distance.

a) Determine ∆(X, Y ).

b) Determine ∆(X, Z).

c) Determine ∆(Y, Z).

2) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following two computational problems:

DH-sumsq problem: given $(g^x, g^y)$, compute $g^{(x+y)^2}$, where $x, y \in \mathbb{Z}_n$.

DH-4inv2 problem: given $(g^x, g^y)$, compute $g^{(1/x^4)+y^2}$, where $x \in \mathbb{Z}_n^*$ and $y \in \mathbb{Z}_n$.

a) Show that the DH-sumsq problem is random self-reducible.

b) Show that the DH-4inv2 problem is random self-reducible.


3) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Further, let $f, h \in \langle g \rangle$ denote random group elements, such that $\log_g f$, $\log_g h$, and $\log_f h$ are unknown to anyone.

Consider the relation R given by

$R = \{(B; w, x, y) \mid B = f^w g^x h^y \land w + x \in \{1, -1\}\}$.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) Let 〈g〉 be a cyclic group of order n, where n is a large prime.

Consider the following voting scheme, involving voters $V_0, \ldots, V_\ell$, $\ell \geq 1$. Each voter $V_i$, $0 \leq i < \ell$ has a public key $h_i = g^{x_i}$, where $x_i \in_R \mathbb{Z}_n$ is $V_i$'s private key. (Voter $V_\ell$ does not need a public key.) Each voter $V_i$ selects a vote $v_i \in \{0, 1\}$, $0 \leq i \leq \ell$.

Let $H_i = \prod_{j=0}^{i} h_j$, for $0 \leq i < \ell$. First, voter $V_\ell$ publishes an encryption of its vote $v_\ell$ under public key $H_{\ell-1}$:

$(a_{\ell-1}, b_{\ell-1}) = (g^{r_\ell},\ H_{\ell-1}^{r_\ell}\, g^{v_\ell})$,

where $r_\ell \in_R \mathbb{Z}_n$.

For $i = \ell - 1, \ldots, 1$ (in this order), voter $V_i$ publishes the following encryption:

$(a_{i-1}, b_{i-1}) = (a_i g^{r_i},\ b_i\, a_i^{-x_i}\, H_{i-1}^{r_i}\, g^{v_i})$,

where $r_i \in_R \mathbb{Z}_n$.

Finally, voter $V_0$ publishes $b_0\, a_0^{-x_0}\, g^{v_0}$.

a) Let $t_i = \sum_{j=i+1}^{\ell} v_j$, for $0 \leq i < \ell$. Prove (by induction on i) that $(a_i, b_i)$ is an ElGamal encryption of $g^{t_i}$ under public key $H_i$.

b) Show that $V_0$ outputs $g^{\sum_{j=0}^{\ell} v_j}$.

c) Show how $V_0, \ldots, V_i$ are jointly able to decrypt $(a_i, b_i)$, for any i, $1 \leq i < \ell$. Should this be considered a breach of security of the voting scheme?

d) Describe the relations that need to be proved by each voter $V_i$ to show that its output is formed correctly. Distinguish the three cases $i = 0$, $0 < i < \ell$, and $i = \ell$, and let each voter use its private values (where applicable) and any publicly available information.
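The chain of re-encryptions in problem 4, run end to end as an added example that is not part of the exam; it lets the invariant of part (a), the output of part (b) and the joint decryption of part (c) be checked on concrete values. The toy group (p = 2039, n = 1019, g = 4) and all function names are constructed assumptions.

```python
import secrets

# Constructed toy parameters: G generates the subgroup of prime order N in Z_P^*.
P, N, G = 2039, 1019, 4


def run_election(votes):
    """Run the chain for voters V_0..V_l; votes[i] in {0, 1}, len(votes) >= 2."""
    l = len(votes) - 1
    x = [secrets.randbelow(N) for _ in range(l)]   # private keys x_0..x_{l-1}
    H, acc = [], 1
    for xi in x:                                   # H_i = h_0 * ... * h_i
        acc = acc * pow(G, xi, P) % P
        H.append(acc)

    posted = {}                                    # i -> (a_i, b_i)
    r = secrets.randbelow(N)
    a = pow(G, r, P)                               # V_l encrypts g^{v_l} under H_{l-1}
    b = pow(H[l - 1], r, P) * pow(G, votes[l], P) % P
    posted[l - 1] = (a, b)

    for i in range(l - 1, 0, -1):                  # V_{l-1}, ..., V_1 in this order
        r = secrets.randbelow(N)
        a_new = a * pow(G, r, P) % P
        # Strip V_i's key share, re-randomise under H_{i-1}, add V_i's vote.
        b_new = (b * pow(a, -x[i] % N, P)
                 * pow(H[i - 1], r, P) * pow(G, votes[i], P)) % P
        a, b = a_new, b_new
        posted[i - 1] = (a, b)

    result = b * pow(a, -x[0] % N, P) * pow(G, votes[0], P) % P   # V_0's output
    return x, posted, result


def joint_decrypt(x, i, ciphertext):
    """Decrypt (a_i, b_i) with the summed private keys of V_0..V_i (part c)."""
    a, b = ciphertext
    key = sum(x[: i + 1]) % N                      # discrete log of H_i
    return b * pow(a, -key % N, P) % P


def tally(result, max_votes):
    """Recover the number of 1-votes from g^tally by searching 0..max_votes."""
    for k in range(max_votes + 1):
        if pow(G, k, P) == result:
            return k
    raise ValueError("result is not g^k for any valid tally")
```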

1a: 4  1c: 4  2a: 6  3a: 10  4a: 5  4c: 3
1b: 4  2b: 6  3b: 3  4b: 2   4d: 3

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, not exceeding 10.

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13) / Cryptographic Protocols (2XC10)

Exam, April 12, 2010, 2:00–5:00pm

Solve the following four problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed, nor any notes or books.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

1) Let p denote an odd prime. Recall that $\mathbb{Z}_p^* = QR_p \cup \overline{QR}_p$, where

$QR_p = \{x : \exists_{y \in \mathbb{Z}_p^*}\ x = y^2\}$

denotes the set of quadratic residues modulo p and

$\overline{QR}_p = \mathbb{Z}_p^* \setminus QR_p$

denotes the set of quadratic nonresidues modulo p.

Let g denote a generator of $\mathbb{Z}_p^*$, hence $\mathbb{Z}_p^* = \{1, g, g^2, \ldots, g^{p-2}\}$ and $g^{p-1} = 1$ where all multiplications are modulo p.

a) Express the sets $QR_p$ and $\overline{QR}_p$ in terms of powers of generator g.

Consider distributions X, Y, Z given by

$X = \{u : u \in_R \mathbb{Z}_p^*\}$

$Y = \{u^2 : u \in_R \mathbb{Z}_p^*\}$

$Z = \{g u^2 : u \in_R \mathbb{Z}_p^*\}$,

where all multiplications are modulo p.

Let ∆ denote statistical distance.

b) Show that ∆(Y, Z) = 1.

c) Show that ∆(X, Y ) = ∆(X, Z) = 1/2.

2) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following two computational problems:

DH2-3 problem: given $(g^x, g^y, g^{x^2}, g^{y^2})$, compute $g^{x^3+y^3}$, where $x, y \in \mathbb{Z}_n$;

DH-pol problem: given $(g^x, g^{1/x}, g^y)$, compute $(g^{x^2}, g^{x^2 y})$, where $x \in \mathbb{Z}_n^*$ and $y \in \mathbb{Z}_n$.

a) Show that the DH2-3 problem is random self-reducible.

b) Show that the DH-pol problem is random self-reducible.


3) Let 〈g〉 be a cyclic group of order n, where n is a large prime.

Consider the relation R given by

$R = \{(A, B, C; x, y, z) : A = g^x \land B = g^y \land C = g^{xyz} \land z \in \{1, -1\}\}$.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, and special honest-verifier zero-knowledge.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following protocol for relation $\{(h_1, h_2; x_1, x_2) : h_1 = g^{x_1},\ h_2 = g^{x_2}\}$:

Prover: $u \in_R \mathbb{Z}_n$; $a \leftarrow g^u$

Prover → Verifier: $a$

Verifier: $c \in_R \mathbb{Z}_n$

Verifier → Prover: $c$

Prover: $r \leftarrow_n u + c x_1 + c^2 x_2$

Prover → Verifier: $r$

Verifier checks: $g^r \stackrel{?}{=} a\, h_1^{c}\, h_2^{c^2}$

a) Show that the protocol is complete and special honest-verifier zero-knowledge.

b) Why does special soundness not hold for this protocol? Hint: consider a prover who knows $x_1 = \log_g h_1$ but does not know $x_2 = \log_g h_2$.

c) Show that soundness holds in the following sense. For any $(h_1, h_2) \in \langle g \rangle \times \langle g \rangle$, given three accepting conversations $(a; c; r)$, $(a; c'; r')$, $(a; c''; r'')$ with $c \neq c'$, $c \neq c''$, $c' \neq c''$, show how to efficiently compute witness $(x_1, x_2)$ satisfying $h_1 = g^{x_1}$ and $h_2 = g^{x_2}$.
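The witness extraction of part (c), for this problem and for the identical problem 4 of the April 4, 2011 exam, as an added example that is not part of either exam. The toy group (p = 2039, n = 1019, g = 4), the function names and the rewound sample conversations are constructed assumptions.

```python
import secrets

# Constructed toy parameters: G generates the subgroup of prime order N in Z_P^*.
P, N, G = 2039, 1019, 4


def respond(u, c, x1, x2):
    """Prover's response r = u + c*x1 + c^2*x2 mod n."""
    return (u + c * x1 + c * c * x2) % N


def accepts(h1, h2, a, c, r):
    """Verifier's check g^r == a * h1^c * h2^(c^2)."""
    return pow(G, r, P) == a * pow(h1, c, P) * pow(h2, c * c % N, P) % P


def extract(h1, h2, a, convs):
    """Compute (x1, x2) from three accepting (c, r) pairs sharing announcement a."""
    (c0, r0), (c1, r1), (c2, r2) = convs
    if len({c0 % N, c1 % N, c2 % N}) != 3:
        raise ValueError("challenges must be pairwise distinct")
    if not all(accepts(h1, h2, a, c, r) for c, r in convs):
        raise ValueError("every conversation must be accepting")

    def inv(z):
        return pow(z % N, -1, N)      # exists because n is prime and z != 0

    # Each accepting conversation gives r = u + c*x1 + c^2*x2 (mod n) for the
    # same unknown u = log_g a. Eliminate u, then x1:
    d1 = (r0 - r1) * inv(c0 - c1) % N     # = x1 + (c0 + c1) * x2
    d2 = (r0 - r2) * inv(c0 - c2) % N     # = x1 + (c0 + c2) * x2
    x2 = (d1 - d2) * inv(c1 - c2) % N
    x1 = (d1 - (c0 + c1) * x2) % N
    return x1, x2


def rewind_three(x1, x2):
    """Constructed sample: one announcement answered for three distinct challenges."""
    u = secrets.randbelow(N)
    a = pow(G, u, P)
    challenges = secrets.SystemRandom().sample(range(N), 3)
    return a, [(c, respond(u, c, x1, x2)) for c in challenges]
```

Two conversations only determine the combination $x_1 + (c + c') x_2$, which is why the third conversation with a distinct challenge is needed.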

1a: 3  1c: 6  2a: 6  3a: 10  4a: 4  4c: 4  homework
1b: 3  2b: 7  3b: 3  4b: 4   min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, not exceeding 10.

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13) / Cryptographic Protocols (2XC10)

Exam, August 28, 2009, 2:00–5:00pm

Solve the following four problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed, nor any notes or books.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

1) Let m be an RSA modulus, hence m = pq, where p and q are large, distinct primes of equal bit length k. Recall that $\mathbb{Z}_m^* = \{x : 0 \leq x < m,\ \gcd(x, m) = 1\}$.

Let $U_m$ denote the uniform distribution on $\mathbb{Z}_m$, and let $V_m$ denote the uniform distribution on $\mathbb{Z}_m^*$.

a) Determine the statistical distance $\Delta(U_m, V_m)$.

b) Suppose a protocol requires a party to use a uniformly random value in $\mathbb{Z}_m^*$. Explain whether using a uniformly random value in $\mathbb{Z}_m$ instead is a good idea or not.

2) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following two computational problems:

DH-sq2 problem: given $g^x, g^y, g^{xy}$, compute $g^{x^2+y^2}$, where $x, y \in \mathbb{Z}_n$;

DL2-invsq problem: given $g^x, g^y$, compute $g^{(1/x^2)+y^2}$, where $x \in \mathbb{Z}_n^*$ and $y \in \mathbb{Z}_n$.

a) Show that the DH-sq2 problem is random self-reducible.

b) Show that the DL2-invsq problem is random self-reducible.

3) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Further, let $h \in \langle g \rangle$ denote a random group element, such that $\log_g h$ is unknown to anyone.

Consider the relation R given by

$R = \{(A, B; w, x, y, z) \mid A = g^w h^x \land B = g^y h^z \land y = wz \land w \in \{0, 1\}\}$.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, and honest-verifier zero-knowledge.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.


4) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following Σ-protocol for relation $\{(B; x, y) : B = g^x h^y,\ \exists_{\chi \in \mathbb{Z}_n}\ x = \chi^2\}$:

Prover: $z, u, v, w \in_R \mathbb{Z}_n$; $A \leftarrow g^{\chi} h^z$; $a \leftarrow g^u h^v$; $b \leftarrow A^u h^w$

Prover → Verifier: $A, a, b$

Verifier: $c \in_R \mathbb{Z}_n$

Verifier → Prover: $c$

Prover: $r \leftarrow_n u + c\chi$; $s \leftarrow_n v + cz$; $t \leftarrow_n w + c(y - z\chi)$

Prover → Verifier: $r, s, t$

Verifier checks: $g^r h^s \stackrel{?}{=} a A^c$ and $A^r h^t \stackrel{?}{=} b B^c$

a) Show that the protocol is complete, special sound, and honest-verifier zero-knowledge.

b) What happens if we generate the challenge as c = H(a, b) (hence omitting A from the input to H) to obtain a non-interactive version of the protocol? Is it secure? Explain your answer.

1a: 7  2a: 7  3a: 12  4a: 6
1b: 4  2b: 7  3b: 3   4b: 4

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, not exceeding 10.

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13) / Cryptographic Protocols (2XC10)

Exam, June 15, 2009, 2:00–5:00pm

Solve the following four problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed, nor any notes or books.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

1) Let n be an odd prime. Consider distributions X, Y, Z given by:

$X = \{xy \bmod n : x \in_R \mathbb{Z}_n,\ y \in_R \mathbb{Z}_n\}$,

$Y = \{xy \bmod n : x \in_R \mathbb{Z}_n,\ y \in_R \mathbb{Z}_n^*\}$,

$Z = \{xy \bmod n : x \in_R \mathbb{Z}_n^*,\ y \in_R \mathbb{Z}_n^*\}$.

Let ∆ denote statistical distance.

a) Determine ∆(X, Y ) and ∆(Y, Z).

b) Show that ∆(X, Z) ≤ 2/n.

Let 〈g〉 be a cyclic group of order n. Define:

$X' = \{g^{xy} : x \in_R \mathbb{Z}_n,\ y \in_R \mathbb{Z}_n\}$,

$Z' = \{g^{xy} : x \in_R \mathbb{Z}_n^*,\ y \in_R \mathbb{Z}_n^*\}$.

c) Is $\Delta(X', Z') \leq 2/n$? Explain your answer.

2) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following two computational problems:

DH3-inv problem: given $g^x, g^{x^2}, g^{x^3}$, compute $g^{1/x}$, where $x \in \mathbb{Z}_n^*$;

DH3-diffinv problem: given $g^x, g^y, g^{1/z}$, compute $g^{(x-y)/z}$, where $x, y \in \mathbb{Z}_n$, $z \in \mathbb{Z}_n^*$.

a) Show that the DH3-inv problem is random self-reducible.

b) Show that the DH3-diffinv problem is random self-reducible.


3) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Further, let $h \in \langle g \rangle$ denote a random group element, such that $\log_g h$ is unknown to anyone.

Consider the relation R given by

$R = \{(A, B; w, x, y, z) \mid A = g^w h^x \land B = g^y h^z \land y = wz \land w \in \{1, -1\}\}$.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, and honest-verifier zero-knowledge.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following Σ-protocol for relation $\{(B; x, y) : B = g^x h^y,\ \exists_{\chi \in \mathbb{Z}_n}\ x = \chi^2\}$:

Prover: $z, u, v, w \in_R \mathbb{Z}_n$; $A \leftarrow g^{\chi} h^z$; $a \leftarrow g^u h^v$; $b \leftarrow A^u h^w$

Prover → Verifier: $A, a, b$

Verifier: $c \in_R \mathbb{Z}_n$

Verifier → Prover: $c$

Prover: $r \leftarrow_n u + c\chi$; $s \leftarrow_n v + cz$; $t \leftarrow_n w + c(y - z\chi)$

Prover → Verifier: $r, s, t$

Verifier checks: $g^r h^s \stackrel{?}{=} a A^c$ and $A^r h^t \stackrel{?}{=} b B^c$

a) Show that the protocol is complete, special sound, and honest-verifier zero-knowledge.

b) What happens if we generate the challenge as c = H(a, b) (hence omitting A from the input to H) to obtain a non-interactive version of the protocol? Is it secure? Explain your answer.

1a: 6  1c: 3  2a: 6  3a: 11  4a: 6  homework
1b: 5  2b: 6  3b: 3  4b: 4   min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, not exceeding 10.

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13) / Cryptographic Protocols (2XC10)

Exam, June 23, 2008, 2:00–5:00pm

Solve the following four problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed, nor any notes or books.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

1) Let k be a positive integer, and let n be an odd prime with $n < 2^k$. Consider:

$U_n = \{x \mid x \in_R \mathbb{Z}_n\}$,

$V_{n,k} = \{x \bmod n \mid x \in_R \{0, \ldots, 2^k - 1\}\}$.

Let ∆ denote statistical distance.

a) Show that $\Delta(U_n, V_{n,k}) = \dfrac{(2^k \bmod n)\,(n - (2^k \bmod n))}{2^k n}$.

b) Show that $\Delta(U_n, V_{n,k}) \leq n/2^k$.

Suppose k random bits $x_0 \in_R \{0, 1\}, \ldots, x_{k-1} \in_R \{0, 1\}$ are used to generate a random value modulo n by returning $\left(\sum_{i=0}^{k-1} x_i 2^i\right) \bmod n$ as output.

c) Suggest a value for k as a function of n such that the resulting value is approximately uniformly distributed in $\mathbb{Z}_n$.
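The modulo bias of problem 1 computed exactly, as an added example that is not part of the exam: it enumerates $V_{n,k}$ by brute force and compares the resulting distance with the closed form of part (a) and the bound of part (b). The function names and the `security_bits` parameter are assumptions.

```python
from collections import Counter
from fractions import Fraction


def stat_distance(p, q):
    """Statistical distance: half the L1 distance between two distributions."""
    support = set(p) | set(q)
    return sum(abs(p.get(v, 0) - q.get(v, 0)) for v in support) / 2


def uniform_zn(n):
    """U_n: uniform distribution on Z_n."""
    return {v: Fraction(1, n) for v in range(n)}


def reduced_bits(n, k):
    """V_{n,k}: distribution of x mod n for x uniform in {0, ..., 2^k - 1}."""
    counts = Counter(x % n for x in range(2 ** k))    # brute force, small k only
    return {v: Fraction(c, 2 ** k) for v, c in counts.items()}


def closed_form(n, k):
    """Right-hand side of part (a)."""
    t = 2 ** k % n
    return Fraction(t * (n - t), 2 ** k * n)


def bits_for_bias(n, security_bits):
    """Smallest k for which the bound n / 2^k of part (b) is at most
    2^-security_bits; valid for n that is not a power of two (n is an odd prime)."""
    return n.bit_length() + security_bits


def bias_table(n, ks):
    """Exact distance for several k, to see how fast extra bits remove the bias."""
    return {k: stat_distance(uniform_zn(n), reduced_bits(n, k)) for k in ks}
```

For n = 1019, taking k = 10 bits leaves a distance of about 0.005, and each additional bit roughly halves the bound n/2^k.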

2) Let 〈g〉 and 〈G〉 be two, different, cyclic groups both of order n, where n is a large prime. The DL problem is assumed to be hard for both groups. Suppose that a function $S : \langle g \rangle \to \langle G \rangle$ is given satisfying:

$S(g^x) = G^{x^2}$, for all $x \in \mathbb{Z}_n$,

and that S can be computed efficiently.

We consider a generalization of Diffie-Hellman key exchange with three parties A, B, and C. Party A picks $x_A \in_R \mathbb{Z}_n$ and sends $g^{x_A}$ to parties B and C. Similarly, party B picks $x_B \in_R \mathbb{Z}_n$ and sends $g^{x_B}$ to parties A and C, and party C picks $x_C \in_R \mathbb{Z}_n$ and sends $g^{x_C}$ to parties A and B.

a) Show how each party can compute the common key $K = G^{x_A x_B x_C}$.

b) Show that the DDH problem is easy for the group 〈g〉.

Consider the following computational problem:

DH3 problem: given $g^x, g^y, g^z$, compute $G^{xyz}$, where $x, y, z \in \mathbb{Z}_n$.


c) Show that the DH3 problem is random self-reducible.

Finally, we consider active attacks for the above key exchange protocol. The attacker can intercept and modify all traffic between parties A, B, C, and its goal is to know all of the keys that parties A, B, C will hold once the key exchange protocol is completed.

d) Show a man-in-the-middle attack for the above key exchange protocol.

3) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Further, let $f, h \in \langle g \rangle$ denote random group elements, such that $\log_g f$, $\log_g h$, and $\log_f h$ are unknown to anyone.

Consider the relation R given by

$R = \{(A, B; x, y) \mid A = f^x \land B = g^x h^y \land x^2 = y^2\}$.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, and honest-verifier zero-knowledge. Hint: first solve the equation $x^2 = y^2 \pmod{n}$.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following variant of Schnorr’s protocol, where $F : \langle g \rangle \to \mathbb{Z}_n$ denotes an arbitrary function:

Prover ($x = \log_g h$): $u \in_R \mathbb{Z}_n^*$; $a \leftarrow g^u$

Prover → Verifier: $a$

Verifier: $c \in_R \mathbb{Z}_n$

Verifier → Prover: $c$

Prover: $r \leftarrow_n (c - F(a))u + x$

Prover → Verifier: $r$

Verifier checks: $g^r \stackrel{?}{=} a^{c - F(a)} h$

a) Show that the protocol is complete, special sound, and honest-verifier zero-knowledge.

b) What happens if we generate the challenge as c = F(a) to obtain a non-interactive version of the protocol?

1a: 7  1c: 2  2a: 4  2c: 4  3a: 11  4a: 7
1b: 2  2b: 3  2d: 3  3b: 3  4b: 4

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5.

TU/e, Department of Mathematics and Computer Science

Cryptography 2 (2XC13) / Cryptographic Protocols (2XC10)

Exam, April 28, 2008, 2:00–5:00pm

Solve the following four problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed, nor any notes or books.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

1) Let M and K be positive integers, M ≤ K. Consider distributions $V_m$, $0 \leq m < M$, given by

$V_m = \{m + r \mid r \in_R \{0, \ldots, K - 1\}\}$.

Let ∆ denote statistical distance.

a) Determine $\Delta(V_m, V_{m'})$ for any $m, m' \in \{0, \ldots, M - 1\}$.

Consider the following (2, 2)-threshold secret sharing scheme. The dealer holds a secret $s \in \{0, \ldots, M - 1\}$. The dealer picks $r \in_R \{0, \ldots, K - 1\}$ and sets shares $s_1 = s + r$ and $s_2 = r$. The secret is recovered by computing $s = s_1 - s_2$.

b) Propose a value for K as a function of M and argue why the secret sharing scheme is secure (against passive attacks).

2) Let 〈g〉 and 〈G〉 be two, different, cyclic groups both of order n, where n is a large prime. The DL problem is assumed to be hard for both groups. Suppose that a function P : 〈g〉 × 〈g〉 → 〈G〉 is given satisfying:

P(g^x, g^y) = G^{xy}, for all x, y ∈ Z_n,

and that P can be computed efficiently.

We consider a generalization of Diffie-Hellman key exchange with three parties A, B, and C. Party A picks x_A ∈_R Z_n and sends g^{x_A} to parties B and C. Similarly, party B picks x_B ∈_R Z_n and sends g^{x_B} to parties A and C, and party C picks x_C ∈_R Z_n and sends g^{x_C} to parties A and B.

a) Show how each party can compute the common key K = G^{x_A x_B x_C}.

b) Show that the DDH problem is easy for the group 〈g〉.

Consider the following two computational problems:

DH3* problem: given g^x, g^y, g^z, compute G^{xyz}, where x, y, z ∈ Z_n^*;

DH3 problem: given g^x, g^y, g^z, compute G^{xyz}, where x, y, z ∈ Z_n.


c) Show that the DH3* problem is random self-reducible.

d) Show that the DH3 problem is random self-reducible.

Finally, we consider active attacks for the above key exchange protocol. The attacker can intercept and modify all traffic between parties A, B, C, and its goal is to know all of the keys that parties A, B, C will hold once the key exchange protocol is completed.

e) Show a man-in-the-middle attack for the above key exchange protocol.

3) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Further, let f, h ∈ 〈g〉 denote random group elements, such that log_g f, log_g h, and log_f h are unknown to anyone.

Consider the relation R given by

R = {(B; w, x, y) | B = f^w g^x h^y ∧ w − x ∈ {0, 1}}.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, and honest-verifier zero-knowledge.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) Let 〈g〉 be a cyclic group of order n, where n is a large prime.

Consider the following basic idea for constructing an (ℓ, ℓ)-threshold Schnorr signature scheme. Suppose parties P_i each hold a private key x_i and a public key h_i = g^{x_i}, for 1 ≤ i ≤ ℓ. Define h = ∏_{i=1}^{ℓ} h_i as the public key of parties P_1, ..., P_ℓ together.

For a given message m, the goal is to jointly generate a Schnorr signature (c, r) for public key h, where c = H(g^r h^{−c}, m). Suppose party P_0 acts as a ‘combiner’, acting as the verifier in a run of the Schnorr protocol with each of the parties P_i.

a) Show how P_0 can generate a Schnorr signature (c, r) for public key h, by running the Schnorr protocol ℓ times in parallel, once with each party P_i for public key h_i (P_i acting as the prover, P_0 as the verifier). Argue why the scheme is secure. Hint: how should P_0 choose the challenges c_i such that the conversations (a_i, c_i, r_i) of the runs of the Schnorr protocol can be combined?

b) Describe how your scheme can be extended to a (t, ℓ)-threshold Schnorr signature scheme, 1 ≤ t ≤ ℓ. You may assume that the parties have already run a distributed key generation protocol such that P_i holds a share x_i, where x_i = f(i) for some polynomial f of degree < t, and x = f(0). As before, the public key of party P_i is h_i = g^{x_i}. Hint: how do you compute the public key h = g^x from h_1, ..., h_ℓ?

1a: 5   2a: 3   2c: 5   2e: 4   3a: 10   4a: 4   homework
1b: 3   2b: 4   2d: 5   3b: 3   4b: 4   min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, not exceeding 10.

Cryptography 2 (2XC13) / Cryptographic Protocols (2XC10) April 28, 2008


TU/e, Department of Mathematics and Computer Science 1

Cryptography 2 (2WC13) / Cryptographic Protocols (2WC10)

Exam, July 6, 2007, 2:00–5:00pm

Solve the following problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed, nor any notes or books.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

1) Let m be a positive integer. Consider distributions X, Y, Z given by

X = {x | x ∈_R {0, ..., m − 1}}

Y = {2x | x ∈_R {0, ..., m − 1}}

Z = {2x + 1 | x ∈_R {0, ..., m − 1}}.

Let ∆ denote statistical distance.

a) Show that ∆(Y, Z) = 1.

b) Show that ∆(X, Y ) = ∆(X, Z) = 1/2 for even m.

c) Also determine ∆(X, Y ) and ∆(X, Z) for odd m.

2) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following two computational problems:

DH3-sym problem: given g^x, g^y, g^z, compute g^{xy+yz+zx}, where x, y, z ∈ Z_n;

DH3-suminv problem: given g^x, g^y, g^{1/z}, compute g^{(x+y)/z}, where x, y ∈ Z_n, z ∈ Z_n^*.

a) Show that the DH3-sym problem is random self-reducible.

b) Show that the DH3-suminv problem is random self-reducible.

3) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Further, let h ∈ 〈g〉 denote a random group element, such that log_g h is unknown to anyone.

Consider the relation R given by

R = {(A, B; x, y) | A = g^x ∧ B = h^y ∧ x^2 = y^2}.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, and honest-verifier zero-knowledge. (Hint: first solve the equation x^2 = y^2 (mod n).)

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.


4) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Further, let h ∈ 〈g〉 denote a random group element, such that log_g h is unknown to anyone.

Consider the following protocol:

Prover                                    Verifier
(B = g^x h^y)
u, v ∈_R Z_n
a ← g^u
b ← h^v
                    −−−− a, b −−−−→
                                          c ∈_R Z_n
                    ←−−−− c −−−−−
r ←_n u + cx
s ←_n v + cy
                    −−−− r, s −−−−→
                                          g^r h^s ?= a b B^c

a) Verify that the protocol is complete and special sound for the relation R given by

R = {(B; x, y) | B = g^x h^y}.

b) Is the protocol honest-verifier zero-knowledge for relation R? If yes, give a simulation; if no, show what information leaks.
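The two properties named in part a) can be checked numerically on a toy group. The Python sketch below is an added example, not part of the exam: it runs the protocol as drawn above and recovers the witness from two accepting conversations that share (a, b). The group parameters, the witness and all function names are constructed for illustration.

```python
import secrets

# Toy group, constructed for illustration only: p = 2n + 1 with n prime, and
# g, h squares mod p, so both generate the subgroup of prime order n.
# (In the exam setting log_g h is unknown; here h is just a fixed constant.)
P, N = 2039, 1019
G, H = 4, 9


def statement(x, y):
    """Public input B = g^x h^y for witness (x, y)."""
    return pow(G, x, P) * pow(H, y, P) % P


def announce():
    """Prover's first message: a = g^u, b = h^v for fresh u, v in Z_n."""
    u, v = secrets.randbelow(N), secrets.randbelow(N)
    return (u, v), (pow(G, u, P), pow(H, v, P))


def respond(x, y, u, v, c):
    """Prover's responses r = u + c*x and s = v + c*y, both mod n."""
    return (u + c * x) % N, (v + c * y) % N


def verify(B, a, b, c, r, s):
    """Verifier's check g^r h^s == a * b * B^c."""
    return pow(G, r, P) * pow(H, s, P) % P == a * b * pow(B, c, P) % P


def extract(c1, r1, s1, c2, r2, s2):
    """Witness from two accepting conversations sharing (a, b), c1 != c2."""
    inv = pow((c1 - c2) % N, -1, N)
    return (r1 - r2) * inv % N, (s1 - s2) * inv % N


def demo():
    x, y = 123, 456                      # constructed witness
    B = statement(x, y)
    (u, v), (a, b) = announce()
    c1, c2 = 17, 900                     # two distinct challenges
    r1, s1 = respond(x, y, u, v, c1)
    r2, s2 = respond(x, y, u, v, c2)
    accepted = verify(B, a, b, c1, r1, s1) and verify(B, a, b, c2, r2, s2)
    return accepted, extract(c1, r1, s1, c2, r2, s2)


if __name__ == "__main__":
    print(demo())
```
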

5) Consider the following basic idea for constructing a (t, ℓ)-threshold cryptosystem from a given public key cryptosystem with message space Z_n, for a prime n.

Each party P_i, 1 ≤ i ≤ ℓ, generates its own key pair consisting of a private key and a public key for the basic public key cryptosystem, and all these public keys are made public. To encrypt a message m ∈ Z_n, one first splits m into shares m_1, ..., m_ℓ as in the distribution protocol of Shamir’s (t, ℓ)-threshold scheme (using m as the secret). Then one encrypts one share for each party. All encryptions together form a ciphertext. For decryption, a sufficient number of shares need to be decrypted to be able to reconstruct message m from it (hence t or more parties must use their private key).

a) Give a full description of such a (t, ℓ)-threshold cryptosystem, specifying the exact steps for the Distributed Key Generation protocol, for the Encryption algorithm and for the Threshold Decryption protocol.

b) Discuss the security of this threshold cryptosystem.

1a: 2   1c: 4   2a: 5   3a: 9   4a: 4   5a: 4
1b: 6   2b: 5   3b: 2   4b: 5   5b: 4

The final mark is the total number of points divided by 5, rounded to a multiple of 0.5, but not exceeding 10.

Cryptography 2 (2WC13) / Cryptographic Protocols (2WC10) July 6, 2007


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2WC01) / Cryptography 2 (2WC13)

Exam, May 9, 2007, 2:00–5:00pm

Solve the following problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed, nor any notes or books.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

1) Consider the following protocol for transferring a message m ∈ {0, 1, ..., 2^16 − 1} from party A to party B, where k ≥ 0 is a security parameter. The object of the protocol is to hide message m from other parties than A and B.

Party A                                              Party B
u_A ∈_R {0, ..., 2^k − 1}                            u_B ∈_R {0, ..., 2^k − 1}
c_A ← m + u_A             −−−− c_A −−−−→
                          ←−−− c_AB −−−−             c_AB ← c_A + u_B
c_B ← c_AB − u_A          −−−− c_B −−−−→             m′ ← c_B − u_B

Note that c_A, c_AB, c_B and m′ are computed using addition and subtraction over Z.

a) Verify that m′ = m if A and B follow the protocol.

Next, consider distributions U and Vm, given by

U = {u | u ∈_R {0, ..., 2^k − 1}}, and

V_m = {m + u | u ∈_R {0, ..., 2^k − 1}}.

b) Compute the statistical distance ∆(U, V_m) as a function of m and k.

c) Prove that ∆(V_m, V_n) ≤ (m + n)/2^k for any m, n ∈ {0, 1, ..., 2^16 − 1}, using the triangle inequality for ∆. Is this upper bound tight?

d) Suppose that we want a passive attacker who only knows c_A to be able to guess the value for m with probability at most 2^{−80}. What value should we set for k approximately? Is the protocol also secure against an arbitrary passive attacker?
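For small k the distributions U and V_m defined above can be enumerated and their statistical distance computed exactly. The Python sketch below is an added example, not part of the exam: it runs the three-pass protocol over Z and evaluates ∆ with exact fractions, which also covers the shifted-uniform distributions V_m, U_k and V_k used in the other exams on this page. All function names are chosen here, and k must stay small enough to list the support.

```python
from fractions import Fraction
import secrets


def transfer(m, k):
    """Run the three-pass protocol over Z; return (transcript, m')."""
    u_a = secrets.randbelow(2**k)        # A's mask
    u_b = secrets.randbelow(2**k)        # B's mask
    c_a = m + u_a                        # A -> B
    c_ab = c_a + u_b                     # B -> A
    c_b = c_ab - u_a                     # A -> B
    return (c_a, c_ab, c_b), c_b - u_b


def shifted_uniform(shift, k):
    """Distribution of shift + u, u uniform on {0, ..., 2^k - 1}."""
    p = Fraction(1, 2**k)
    return {shift + u: p for u in range(2**k)}


def statistical_distance(d1, d2):
    """Delta(d1; d2) = 1/2 * sum over v of |Pr[d1 = v] - Pr[d2 = v]|."""
    support = set(d1) | set(d2)
    return sum(abs(d1.get(v, 0) - d2.get(v, 0)) for v in support) / 2


def triangle_check(m, n, k):
    """Return (Delta(V_m, V_n), Delta(U, V_m) + Delta(U, V_n))."""
    U = shifted_uniform(0, k)
    Vm, Vn = shifted_uniform(m, k), shifted_uniform(n, k)
    return (statistical_distance(Vm, Vn),
            statistical_distance(U, Vm) + statistical_distance(U, Vn))


if __name__ == "__main__":
    print(transfer(1234, 20)[1])
    print(statistical_distance(shifted_uniform(0, 4), shifted_uniform(3, 4)))
    print(triangle_check(3, 5, 4))
```
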

2) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following two computational problems:

DH-INV problem: given g^x, g^y, g^{xy}, compute g^{1/(xy)}, where x, y ∈ Z_n^* = Z_n \ {0};

DH-INV+ problem: given g^x, g^y, g^{xy}, compute g^{(1/x)+y}, where x ∈ Z_n^* and y ∈ Z_n.

a) Show that the DH-INV problem is random self-reducible.

b) Show that the DH-INV+ problem is random self-reducible.


3) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Further, let f, h ∈ 〈g〉 denote random group elements, such that log_g f, log_g h and log_f h are unknown to anyone.

Consider the relation R given by

R = {(B; w, x, y) | B = f^w g^x h^y ∧ (w = x ∨ x = y)}.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, and honest-verifier zero-knowledge.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) Let 〈g〉 be a cyclic group of order n, where n is a large prime.

Consider the following basic idea for constructing an (ℓ, ℓ)-threshold Schnorr signature scheme. Suppose parties P_i each hold a private key x_i and a public key h_i = g^{x_i}, for 1 ≤ i ≤ ℓ. Define h = ∏_{i=1}^{ℓ} h_i as the public key of parties P_1, ..., P_ℓ together.

For a given message m, the goal is to jointly generate a Schnorr signature (c, r) for public key h, where c = H(g^r h^{−c}, m). Suppose party P_0 acts as a ‘combiner’, acting as the verifier in a run of the Schnorr protocol with each of the parties P_i.

a) Show how P_0 can generate a Schnorr signature (c, r) for public key h, by running the Schnorr protocol ℓ times in parallel, once with each party P_i for public key h_i (P_i acting as the prover, P_0 as the verifier). Argue why the scheme is secure. Hint: how should P_0 choose the challenges c_i such that the conversations (a_i, c_i, r_i) of the runs of the Schnorr protocol can be combined?

b) Describe how your scheme can be extended to a (t, ℓ)-threshold Schnorr signature scheme, 1 ≤ t ≤ ℓ. You may assume that the parties have already run a distributed key generation protocol such that P_i holds a share x_i, where x_i = f(i) for some polynomial f of degree < t, and x = f(0). As before, the public key of party P_i is h_i = g^{x_i}. Hint: how do you compute the public key h = g^x from h_1, ..., h_ℓ?

1a: 2   1c: 4   2a: 6   3a: 10   4a: 6   homework
1b: 5   1d: 4   2b: 6   3b: 3   4b: 4   min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to an integer value (for 2WC01) and rounded to a multiple of 0.5 (for 2WC13), but not exceeding 10.

Cryptographic Protocols (2WC01) / Cryptography 2 (2WC13) May 9, 2007


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2WC01)

Exam, March 19, 2007, 9:00–12:00am

Solve the following problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

1) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following two protocols between parties A and B connected by an insecure communication channel: Protocol I for sending a message m ∈ 〈g〉, m ≠ 1, securely from party A to party B, and Protocol II for sending a message b ∈ {0, 1}, securely from party A to party B (with ⊕ denoting exclusive-or).

Protocol I

Party A                                        Party B
x_A ∈_R Z_n^*
y_A ← m^{x_A}
                      −−−− y_A −−−−→
                                               x_B ∈_R Z_n^*
                      ←−−− y_AB −−−−           y_AB ← y_A^{x_B}
y_B ← y_AB^{1/x_A}
                      −−−− y_B −−−−→
                                               m′ ← y_B^{1/x_B}

Protocol II

Party A                                        Party B
b_A ∈_R {0, 1}
c_A ← b ⊕ b_A         −−−− c_A −−−−→
                                               b_B ∈_R {0, 1}
                      ←−−− c_AB −−−−           c_AB ← c_A ⊕ b_B
c_B ← c_AB ⊕ b_A
                      −−−− c_B −−−−→
                                               b′ ← c_B ⊕ b_B

The object of both protocols is that the message sent remains completely hidden for other parties than A and B, and that the message cannot be modified by other parties than A or B.

a) Verify that m′ = m and b′ = b if A and B follow protocols I and II, respectively.

b) Compute the statistical distance between {u | u ∈_R Z_n} and {u | u ∈_R Z_n^*}. Now, does it matter if party B decides to generate x_B ∈_R Z_n instead of x_B ∈_R Z_n^*?

Next, answer the following questions with ‘yes’ or ‘no’; in case of a ‘yes’ describe the relevant computational assumption (if any), in case of a ‘no’ show an attack.

c) Is protocol I secure against passive attacks?

d) Is protocol I secure against active attacks?

e) Is protocol II secure against passive attacks?

f) Is protocol II secure against active attacks?


2) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following two computational problems:

DL-INV3 problem: given g^x, g^{x^2}, g^{x^3}, compute g^{1/x}, where x ∈ Z_n^* = Z_n \ {0};

DH3 problem: given g^x, g^y, g^z, compute g^{(x+y)z}, where x, y, z ∈ Z_n.

a) Show that the DL-INV3 problem is random self-reducible.

b) Show that the DH3 problem is random self-reducible.

3) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Further, let h ∈ 〈g〉 denote a random group element, such that log_g h is unknown to anyone.

Consider the relation R given by

R = {(B; x, y) | B = g^x h^y ∧ (x = 0 ∨ y = 0 ∨ x = y)}.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, and honest-verifier zero-knowledge.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) Recall Shamir’s (t, ℓ)-threshold secret sharing scheme, 1 ≤ t ≤ ℓ, for sharing a secret by a dealer among participants P_1, ..., P_ℓ such that any set of t (or more) participants is able to recover the (unique) secret, but any set of t − 1 (or less) participants is not able to find any information on the secret. Assume that the scheme is used for secrets belonging to Z_p for a prime p, where p > ℓ.

Note that Shamir’s scheme only protects against passive attacks.

a) Show how the dealer can mount an active attack by deviating from the distribution protocol such that the secret recovered will not be independent of the particular set of t participants taking part in the reconstruction protocol.

b) Let s be the value of the secret corresponding to the shares as distributed among the participants by an honest dealer. Suppose that participants P_1, ..., P_t decide to recover the secret by combining their shares. Show how participant P_1 can mount an active attack by deviating from the reconstruction protocol such that an arbitrary given value ∆s ∈ Z_p will be added to the result (yielding s + ∆s (mod p) as reconstructed value for the secret).

1a: 1   1c: 3   1e: 3   2a: 5   3a: 11   4a: 5
1b: 2   1d: 3   1f: 3   2b: 5   3b: 4   4b: 5

The final mark is the total number of points divided by 5, rounded to the nearest integer.

Cryptographic Protocols (2WC01) March 19, 2007


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2WC01)

Exam, May 11, 2006, 9:00–12:00am

Solve the following problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

1) Let m be an RSA modulus, hence m = pq, where p and q are large, distinct primes of equal bit length k. Recall that Z_m^* = {x : 0 ≤ x < m, gcd(x, m) = 1} is a set of integers co-prime with m, and that |Z_m^*| = φ(m) = (p − 1)(q − 1).

Let U_m denote the uniform distribution on Z_m, and let V_m denote the uniform distribution on Z_m^*.

a) Determine the statistical distance ∆(U_m, V_m).

b) Suppose a protocol requires a party to use a uniformly random value in Z_m^*. Explain whether using a uniformly random value in Z_m instead is a good idea or not.

Next, let integer e > 1 satisfy gcd(e, φ(m)) = 1. The RSA problem is to compute x = y^{1/e} mod m, given y ∈ Z_m^*.

c) Show that the RSA problem is random self-reducible. Also, explain why the reduction is polynomial time (as a function of the security parameter k) and why it is correct.

2) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Furthermore, let E, D : {0, 1}^* × 〈g〉 → 〈g〉 denote the encryption and decryption algorithms of a symmetric cryptosystem, respectively, such that for any s ∈ {0, 1}^* and for any y ∈ 〈g〉, we have that D_s(E_s(y)) = y. The symmetric cryptosystem is assumed to be secure.

Let pw ∈ {0, 1}^* denote a password, which is known to parties A and B only. Consider the following password-based authenticated key exchange protocol:

Party A                                        Party B
x_A ∈_R Z_n                                    x_B ∈_R Z_n
y_A ← g^{x_A}                                  y_B ← g^{x_B}
c_A ← E_pw(y_A)                                c_B ← E_pw(y_B)
                      −−−− c_A −−−−→
                      ←−−− c_B −−−−
K_A ← (D_pw(c_B))^{x_A}                        K_B ← (D_pw(c_A))^{x_B}


a) Show that K_A = K_B if the parties follow the protocol.

b) Explain why a passive attacker (eavesdropper) cannot find pw nor K, where K = K_A = K_B. Also, explain which computational assumption is needed.

Next, suppose parties A and B want to confirm to each other that they got the same key K. To this end, A sends to B the ciphertext E_pw(K_A) and B sends to A the ciphertext E_pw(K_B), after running the above protocol.

c) Again, explain why a passive attacker (eavesdropper) cannot find pw nor K. Also, explain which computational assumption is needed in this case.

3) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Further, let h ∈ 〈g〉 denote a random group element, such that log_g h is unknown to anyone.

Consider the relation R given by

R = {(B; x, y) | B = g^x h^y ∧ (x = 0 ∨ x = y)}.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, and honest-verifier zero-knowledge.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) Consider the following basic idea for constructing a (t, ℓ)-threshold cryptosystem from a given public key cryptosystem with message space Z_n, for a prime n. Each party P_i, 1 ≤ i ≤ ℓ, generates its own key pair consisting of a private key and a public key for the basic public key cryptosystem, and all these public keys are made public. To encrypt a message m ∈ Z_n, one first splits m into shares m_1, ..., m_ℓ as in the distribution protocol of Shamir’s (t, ℓ)-threshold scheme (using m as the secret). Then one encrypts one share for each party. All encryptions together form a ciphertext. For decryption, a sufficient number of shares need to be decrypted to be able to reconstruct message m from it (hence t or more parties must use their private key).

a) Give a full description of such a (t, ℓ)-threshold cryptosystem, specifying the exact steps for the Distributed Key Generation protocol, for the Encryption algorithm and for the Threshold Decryption protocol.

b) Argue why the scheme is secure.

1a: 7   1c: 7   2a: 2   2c: 5   3a: 10   4a: 4   homework
1b: 3   2b: 5   3b: 4   4b: 3   min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to the nearest integer, but not exceeding 10.

Cryptographic Protocols (2WC01) May 11, 2006


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2WC01)

Exam, March 20, 2006, 9:00–12:00am

Solve the following problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

1) Consider the following protocol for transferring a message b ∈ {0, 1} from party A to party B, where k ≥ 0 is a security parameter. The object of the protocol is to hide message b from other parties than A and B.

Party A                                              Party B
u_A ∈_R {0, ..., 2^k − 1}                            u_B ∈_R {0, ..., 2^k − 1}
c_A ← b + u_A             −−−− c_A −−−−→
                          ←−−− c_AB −−−−             c_AB ← c_A + u_B
c_B ← c_AB − u_A          −−−− c_B −−−−→             b′ ← c_B − u_B

Note that c_A, c_AB, c_B and b′ are computed using addition and subtraction over Z.

a) Verify that b′ = b if A and B follow the protocol.

Next, consider distributions U_k and V_k, k ≥ 0, given by

U_k = {u | u ∈_R {0, ..., 2^k − 1}}, and

V_k = {u + 1 | u ∈_R {0, ..., 2^k − 1}}.

b) Compute the statistical distance ∆(U_k, V_k) as a function of k.

Finally, suppose k is set such that ∆(U_k, V_k) ≤ 2^{−80}. Answer the following questions with ‘yes’ or ‘no’, and explain your answer.

c) Is the protocol secure against a passive attacker who only knows c_A?

d) Is the protocol secure against a passive attacker who knows c_A, c_AB, and c_B?

2) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following two computational problems:

DL-INV problem: given g^x, compute g^{1/x}, where x ∈ Z_n^* = Z_n \ {0};

DL-SQ2 problem: given g^x, g^y, compute g^{x^2+y^2}, where x, y ∈ Z_n.

a) Show that the DL-INV problem is random self-reducible.

b) Show that the DL-SQ2 problem is random self-reducible.


3) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Further, let h ∈ 〈g〉 denote a random group element, such that log_g h is unknown to anyone.

Consider the relation R given by

R = {(h_0, h_1, h_2; x) | h_0 = g^x ∧ (h_1 = h^x ∨ h_2 = h^x)}.

a) Give a Σ-protocol for relation R and show that it is complete, special sound, and honest-verifier zero-knowledge.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Further, let h ∈ 〈g〉 denote a random group element, such that log_g h is unknown to anyone.

We consider a secret sharing scheme with a dealer D and participants P_1, P_2, P_3. Let s ∈ Z_n be a secret to be distributed. Suppose the dealer picks shares s_1, s_2, s_3 as follows, for a random r ∈_R Z_n:

s_1 = r, s_2 = s − r mod n, s_3 = s,

and sends in private s_i to P_i, for i = 1, 2, 3.

a) Explain which subsets of participants are qualified (i.e., are able to reconstruct the secret) and which subsets are not qualified.

b) Using g, extend the basic secret sharing scheme to a Feldman VSS scheme. Describe the distribution protocol and the reconstruction protocol. Explain the security properties of your scheme.

c) Using h in addition to g, show how to change your Feldman VSS scheme into a Pedersen VSS scheme and explain the security properties of the resulting scheme.

1a: 2   1c: 4   2a: 4   3a: 11   4a: 3   4c: 3   homework
1b: 5   1d: 4   2b: 6   3b: 4   4b: 4   min. 0, max. 5

The final mark is the total number of points divided by 5, rounded to the nearest integer, but not exceeding 10.

Cryptographic Protocols (2WC01) March 20, 2006


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2WC01)

Exam, April 28, 2005, 9:00–12:00am

Solve the following problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

Throughout, let 〈g〉 be a cyclic group of order n, where n is a large prime. Let h denote an arbitrary, fixed element of 〈g〉, h ≠ 1.

1) Consider distributions X, Y, Z given by

X = {(e, f) | e ∈_R 〈g〉, f ∈_R 〈g〉},

Y = {(g^r, h^r m) | r ∈_R Z_n, m ∈_R 〈g〉},

Z = {(g^r, h^r m_0) | r ∈_R Z_n}, for a fixed value m_0 ∈ 〈g〉.

Let ∆ denote statistical distance.

a) Show that ∆(X, Y ) = 0.

b) Show that ∆(Y, Z) = 1 − 1/n.

c) Show that also ∆(X, Z) = 1 − 1/n, using triangle inequalities.

2) Consider the following computational problem. Given a pair of values (g^r, h^r m) where r ∈ Z_n and m ∈ 〈g〉, compute m.

Show that this problem is random self-reducible.

3) Consider a homomorphic ElGamal encryption of the form (e, f) = (g^r, h^r g^x), with r ∈_R Z_n. Assume that either x = 0 or x = 1. You are asked to provide a proof that indeed (e, f) is of this form without revealing any further information on r and x. That is, you are asked to provide a Σ-proof for relation R given by

R = {(e, f; r, x) | e = g^r, f = h^r g^x, x ∈ {0, 1}}.

a) Give a Σ-protocol for relation R and show it is complete, special sound, and honest-verifier zero-knowledge. (Hint: Solve cases x = 0 and x = 1 separately, each using EQ composition, and then combine using OR-composition.)

b) Is the Σ-protocol witness indistinguishable?


c) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) Recall Shamir’s (t, ℓ)-threshold secret sharing scheme, 1 ≤ t ≤ ℓ, for sharing a secret by a dealer among participants P_1, ..., P_ℓ such that any set of t (or more) participants is able to recover the (unique) secret, but any set of t − 1 (or less) participants is not able to find any information on the secret. Assume that the scheme is used for secrets belonging to Z_p for a prime p, where p > ℓ.

Note that Shamir’s scheme only protects against passive attacks.

a) Show how the dealer can mount an active attack by deviating from the distribution protocol such that the secret recovered will not be independent of the particular set of t participants taking part in the reconstruction protocol.

b) Suppose that participants P_1, ..., P_t decide to recover the secret by combining their shares. Show how participant P_t can mount an active attack by deviating from the reconstruction protocol such that an arbitrary given value s̃ ∈ Z_p will result as the secret recovered by P_1, ..., P_t. (Hint: participant P_t may wait until P_1, ..., P_{t−1} have released their shares s_1, ..., s_{t−1}, before releasing its share s̃_t.)

1a: 3   1c: 4   2: 10   3a: 10   3c: 3   4a: 6
1b: 5   3b: 3   4b: 6

The final mark is the total number of points divided by 5, rounded to the nearest integer.

Cryptographic Protocols (2WC01) April 28, 2005


TU/e, Department of Mathematics and Computer Science 1

Cryptographic Protocols (2WC01)

Exam, March 14, 2005, 2:00–5:00pm

Solve the following problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

1) Consider distributions U and V given by

U = {u | u ∈_R Z_m}, and

V = {u + k | u ∈_R Z_m},

for positive integers m and k (with Z_m = {0, ..., m − 1}).

Let ∆ denote statistical distance.

a) Assume k ≤ m. Compute ∆(U, V ).

b) What is ∆(U, V ) if k > m?

2) Let 〈g〉 be a cyclic group of order n, where n is a large prime. Consider the following two protocols between parties A and B connected by an insecure communication channel: Protocol I for sending a message m ∈ 〈g〉, m ≠ 1, securely from party A to party B, and Protocol II for sending a message b ∈ {0, 1}, securely from party A to party B (with ⊕ denoting exclusive-or).

Protocol I

Party A                                        Party B
x_A ∈_R Z_n^*
y_A ← m^{x_A}
                      −−−− y_A −−−−→
                                               x_B ∈_R Z_n^*
                      ←−−− y_AB −−−−           y_AB ← y_A^{x_B}
y_B ← y_AB^{1/x_A}
                      −−−− y_B −−−−→
                                               m′ ← y_B^{1/x_B}

Protocol II

Party A                                        Party B
b_A ∈_R {0, 1}
c_A ← b ⊕ b_A         −−−− c_A −−−−→
                                               b_B ∈_R {0, 1}
                      ←−−− c_AB −−−−           c_AB ← c_A ⊕ b_B
c_B ← c_AB ⊕ b_A
                      −−−− c_B −−−−→
                                               b′ ← c_B ⊕ b_B

The object of both protocols is that the message sent remains completely hidden for other parties than A and B, and that the message cannot be modified by other parties than A or B.

a) Verify that m′ = m and b′ = b if A and B follow protocols I and II, respectively.


Next, answer the following questions with ‘yes’ or ‘no’; in case of a ‘yes’ describe the relevant computational assumption (if any), in case of a ‘no’ show an attack.

b) Is protocol I secure against passive attacks?

c) Is protocol I secure against active attacks?

d) Is protocol II secure against passive attacks?

e) Is protocol II secure against active attacks?
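The two three-pass exchanges of problem 2, run with honest parties, as an added example that is not part of the exam. The group parameters p = 1019, n = 509, g = 4 and the function names are assumptions chosen for illustration; each function returns the three values seen on the channel together with B's output.

```python
import secrets

# Toy parameters, assumed for illustration only: p = 2n + 1 with n prime,
# and g = 4 generates the subgroup <g> of prime order n in Z_p^*.
P, N, G = 1019, 509, 4

def rand_unit():
    """Uniform element of Z_n^* = {1, ..., n-1} (n is prime)."""
    return 1 + secrets.randbelow(N - 1)

def protocol_1(m):
    """Run Protocol I honestly; return ((y_A, y_AB, y_B), m')."""
    if m == 1 or pow(m, N, P) != 1:
        raise ValueError("m must be an element of <g> other than 1")
    x_a = rand_unit()
    y_a = pow(m, x_a, P)                     # A -> B
    x_b = rand_unit()
    y_ab = pow(y_a, x_b, P)                  # B -> A
    y_b = pow(y_ab, pow(x_a, -1, N), P)      # A -> B, exponent 1/x_A mod n
    m_prime = pow(y_b, pow(x_b, -1, N), P)   # B's output, exponent 1/x_B mod n
    return (y_a, y_ab, y_b), m_prime

def protocol_2(b):
    """Run Protocol II honestly; return ((c_A, c_AB, c_B), b')."""
    if b not in (0, 1):
        raise ValueError("b must be a single bit")
    b_a = secrets.randbelow(2)
    c_a = b ^ b_a                            # A -> B
    b_b = secrets.randbelow(2)
    c_ab = c_a ^ b_b                         # B -> A
    c_b = c_ab ^ b_a                         # A -> B
    b_prime = c_b ^ b_b                      # B's output
    return (c_a, c_ab, c_b), b_prime
```
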

3) Let $\langle g \rangle$ be a cyclic group of order $n$, where $n$ is a large prime. Consider an $(\ell, \ell)$-threshold ElGamal cryptosystem for parties $P_1, \ldots, P_\ell$ with public key $h$ given by $h = g^x$ and $x = \sum_{i=1}^{\ell} x_i$, where $x_i$ denotes party $P_i$’s private share, $1 \le i \le \ell$, and let $h_i = g^{x_i}$ denote party $P_i$’s (public) verification key.

Recall that given an encryption $(a, b) = (g^r, h^r m)$, $r \in_R \mathbb{Z}_n$, of a message $m \in \langle g \rangle$, the threshold decryption protocol requires each party $P_i$ to release value $d_i = a^{x_i}$ and a Σ-proof that $\log_a d_i = \log_g h_i$.

Now, consider the following modification of the threshold decryption protocol. Let $H \in \langle g \rangle$ denote a public key of an additional party $Q$, and let $X = \log_g H$ denote party $Q$’s private key. Instead of releasing $d_i = a^{x_i}$ in the clear, each party $P_i$ encrypts the value $d_i$ under $Q$’s public key and provides a Σ-proof that the encryption is done correctly. That is, each party $P_i$ releases an encryption $(e_i, f_i) = (g^{s_i}, H^{s_i} d_i)$, $s_i \in_R \mathbb{Z}_n$, and a Σ-proof for the relation:

$R_i = \{(a, H, e_i, f_i, h_i; s_i, x_i) \mid e_i = g^{s_i},\ f_i = H^{s_i} a^{x_i},\ h_i = g^{x_i}\}$.

a) Show how party $Q$ is able to recover message $m$ using its private key $X$, given $(a, b)$ and correct encryptions $(e_1, f_1), \ldots, (e_\ell, f_\ell)$.

b) Show how to construct an encryption $(e, f)$ of message $m$ for public key $H$, given $(a, b)$ and correct encryptions $(e_1, f_1), \ldots, (e_\ell, f_\ell)$, but without using private key $X$.

c) Give a Σ-protocol for relation $R_i$ and show it is complete, special sound, and honest-verifier zero-knowledge. (Hint: Use Schnorr’s protocol both for $e_i$ and $h_i$, Okamoto’s protocol for $f_i$, and combine these three protocols using EQ-composition.)

d) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

4) See the previous problem. Describe how the scheme can be extended for $(t, \ell)$-threshold ElGamal cryptosystems, $1 \le t \le \ell$, by describing the necessary changes: let the shares $x_i$ be defined as in Shamir’s threshold scheme, and explain how parties $P_1, \ldots, P_\ell$ and party $Q$ proceed to perform their decryption steps.

Points per question: 1a: 7, 1b: 3, 2a: 2, 2b: 3, 2c: 3, 2d: 3, 2e: 3, 3a: 3, 3b: 4, 3c: 10, 3d: 2, 4: 7

The final mark is the total number of points divided by 5, rounded to the nearest integer.

TU/e, Department of Mathematics and Computer Science

Cryptographic Protocols (2WC01)

Exam, May 12, 2004, 9:00–12:00am

Solve the following problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

The topic of the four problems below is the construction of a particular electronic voting scheme. Throughout, let $\langle g \rangle$ be a cyclic group of order $n$, where $n$ is a large prime. Further, let $h \in \langle g \rangle$ denote a random group element, such that $\log_g h$ is unknown to anyone.

1) Each voter casts either a ‘yes’-vote or a ‘no’-vote, represented by $1 \in \mathbb{Z}_n$ and $-1 \in \mathbb{Z}_n$, respectively. As a first step, a voter commits to its vote $v \in \{1, -1\}$ by choosing a value $r \in_R \mathbb{Z}_n$ and broadcasting the commitment $C = g^v h^r$.

Consider distributions $X, Y, Z$ given by

$X = \{g h^r \mid r \in_R \mathbb{Z}_n\}$,

$Y = \{h^r \mid r \in_R \mathbb{Z}_n\}$,

$Z = \{g^{-1} h^r \mid r \in_R \mathbb{Z}_n\}$.

Let $\Delta$ denote statistical distance.

a) Compute $\Delta(X, Y)$, $\Delta(X, Z)$, and $\Delta(Y, Z)$.

b) Does $C$ reveal any information about the value of $v$?

2) To prevent a voter from casting an illegal vote $v \notin \{1, -1\}$, the voter is required to prove that $v \in \{1, -1\}$ holds, without disclosing any further information on $v$.

a) Using OR-composition, give a Σ-protocol for the relation

$R = \{(C; v, r) \mid C = g^v h^r,\ v \in \{1, -1\}\}$.

Hence $C$ is public and $v, r$ is the witness, which is known only to the voter. Prove that the Σ-protocol is complete, special sound, and honest-verifier zero-knowledge.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

3) The votes will be counted by $\ell$ talliers $T_1, \ldots, T_\ell$. Each voter splits its vote $v$ and commitment $C$ into $\ell$ parts $C_1, \ldots, C_\ell$ such that $C = \prod_{j=1}^{\ell} C_j$. To do so, a voter chooses $v_1, r_1, \ldots, v_\ell, r_\ell \in_R \mathbb{Z}_n$ subject to the condition that $\sum_{j=1}^{\ell} v_j = v$ and $\sum_{j=1}^{\ell} r_j = r$ and sets $C_j = g^{v_j} h^{r_j}$ for $j = 1, \ldots, \ell$.

A voter broadcasts the values $C_1, \ldots, C_\ell$. In addition, a voter sends the values $v_j, r_j$ in private to tallier $T_j$, for $j = 1, \ldots, \ell$.

a) Show that indeed $C = \prod_{j=1}^{\ell} C_j$.

b) Show that even if $\ell - 1$ talliers collude and combine all their shares $v_j, r_j$, the value of $v$ remains completely hidden. Without loss of generality, you may assume that tallier $T_1$ is honest, whereas talliers $T_2, \ldots, T_\ell$ try to cheat.

4) Finally, assume that $\ell'$ voters $V_1, \ldots, V_{\ell'}$ take part in the election. Voter $V_i$ proceeds as above producing values for a vote $v_i \in \{1, -1\}$ indexed by $i$, $1 \le i \le \ell'$: commitment $C_i$ accompanied by a non-interactive proof that $v_i \in \{1, -1\}$ and values $C_{1,i}, \ldots, C_{\ell,i}$. The corresponding values $v_{j,i}, r_{j,i}$ are sent in private to the talliers $T_j$, for $j = 1, \ldots, \ell$, respectively.

a) Recall the homomorphic property for Pedersen’s commitment scheme. Show how tallier $T_j$ computes values $V_j, R_j \in \mathbb{Z}_n$ such that $\prod_{i=1}^{\ell'} C_{j,i} = g^{V_j} h^{R_j}$, for $j = 1, \ldots, \ell$, and show how the correctness of these values is verified.

b) Show how the election result $V = \sum_{i=1}^{\ell'} v_i$ is computed from the values $V_1, R_1, \ldots, V_\ell, R_\ell$.

c) Consider the case that a single tallier tries to cheat. Is the integrity of the election result protected information-theoretically: that is, is a computationally unbounded tallier able to see to it that an election result $V' \neq V$ results, which still passes verification? Explain your answer.
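The data flow of problems 3 and 4, simulated end to end for all parties in one process, as an added example that is not part of the exam. The group parameters, the constructed value of h and all function names are assumptions; the proof that each vote lies in {1, -1} is left out, and the tally step is one way to use the homomorphic property of the commitments.

```python
import secrets

# Toy parameters, assumed for illustration only: <g> has prime order n in Z_p^*.
P, N, G = 1019, 509, 4
# Constructed second generator. Its discrete log is known to this script;
# in the scheme, log_g h must be unknown to everyone.
H = pow(G, 123, P)

def commit(v, r):
    """Pedersen commitment C = g^v h^r."""
    return pow(G, v % N, P) * pow(H, r % N, P) % P

def product(elems):
    out = 1
    for x in elems:
        out = out * x % P
    return out

def cast(v, ell):
    """Voter: return (C, [(v_j, r_j)], [C_j]) for a vote v in {1, -1}."""
    r = secrets.randbelow(N)
    vs = [secrets.randbelow(N) for _ in range(ell - 1)]
    rs = [secrets.randbelow(N) for _ in range(ell - 1)]
    vs.append((v - sum(vs)) % N)         # forces sum of v_j = v (mod n)
    rs.append((r - sum(rs)) % N)         # forces sum of r_j = r (mod n)
    return commit(v, r), list(zip(vs, rs)), [commit(a, b) for a, b in zip(vs, rs)]

def tally(ballots, ell):
    """Check the broadcast values, then return the result sum of v_i."""
    for C, _, parts in ballots:
        if C != product(parts):          # C = prod_j C_j, checkable by anyone
            raise ValueError("commitment does not match its parts")
    total = 0
    for j in range(ell):
        # Tallier j adds up the shares it received in private.
        V_j = sum(shares[j][0] for _, shares, _ in ballots) % N
        R_j = sum(shares[j][1] for _, shares, _ in ballots) % N
        # Anyone can check (V_j, R_j) against the broadcast C_{j,i}.
        if commit(V_j, R_j) != product(parts[j] for _, _, parts in ballots):
            raise ValueError(f"tallier {j + 1} announced inconsistent values")
        total = (total + V_j) % N
    # Signed representative; valid while the number of voters is below n/2.
    return total if total <= N // 2 else total - N
```
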

Points per question: 1a: 7, 1b: 3, 2a: 10, 2b: 4, 3a: 2, 3b: 10, 4a: 8, 4b: 3, 4c: 3

The final mark is the total number of points divided by 5, rounded to the nearest integer.

TU/e, Department of Mathematics and Computer Science

Cryptographic Protocols (2WC01)

Exam, March 15, 2004, 9:00–12:00am

Solve the following problems, providing full motivation for the correctness and completeness of your solution.

Use of a simple, non-programmable pocket calculator is allowed, but not necessary. All other electronic equipment is not allowed.

Hand in your answer pages, not your scrap paper. GOOD LUCK!

The topic of the four problems below is the construction of a particular verifiable secret sharing scheme. Throughout, let $\langle g \rangle$ be a cyclic group of order $n$, where $n$ is a large prime. Note that $\mathbb{Z}_n^* = \mathbb{Z}_n \setminus \{0\}$.

1) Recall that the Diffie-Hellman (DH) problem is as follows: given $g^x, g^y$, compute $g^{xy}$, where $x, y \in \mathbb{Z}_n$. Consider the following variant of the Diffie-Hellman problem: given $g^x, g^y$, compute $g^{x/y}$, where $x, y \in \mathbb{Z}_n^*$. We call this the DH-INV problem.

Show that the DH-INV problem is random self-reducible by showing how to transform an input pair $g^x, g^y$ into a pair $g^{x'}, g^{y'}$ for suitably chosen, uniformly distributed values $x', y' \in \mathbb{Z}_n^*$, and showing how to extract the value of $g^{x/y}$ from the value of $g^{x'/y'}$.

2) Consider distributions $X, Y, Z$ given by

$X = \{(g^x, g^y) \mid x \in_R \mathbb{Z}_n,\ y \in_R \mathbb{Z}_n\}$,

$Y = \{(g^x, g^y) \mid x \in_R \mathbb{Z}_n,\ y \in_R \mathbb{Z}_n^*\}$,

$Z = \{(g^x, g^y) \mid x \in_R \mathbb{Z}_n^*,\ y \in_R \mathbb{Z}_n^*\}$.

Let $\Delta$ denote statistical distance.

a) Show that $\Delta(X, Y) = 1/n$.

b) Show that also $\Delta(Y, Z) = 1/n$.

c) Show that $\Delta(X, Z) \le 2/n$, by the triangle inequality for $\Delta$.

It follows that the statistical distances $\Delta(X, Y)$, $\Delta(Y, Z)$, $\Delta(X, Z)$ are negligible if we take $n \approx 2^k$ for a security parameter $k$.

As a conclusion from (1) and (2) we have that the problem of computing $g^{x/y}$ from $g^x, g^y$ is hard, where $x, y \in \mathbb{Z}_n$ and the special cases $x = 0$ or $y = 0$ do not really matter.

3) We consider a secret sharing scheme with a dealer $D$ and participants $P_1, \ldots, P_\ell$, $\ell \ge 1$. Each participant $P_i$ has a private key $x_i \in \mathbb{Z}_n^*$ and a public key $h_i = g^{x_i}$, $1 \le i \le \ell$. The secrets to be distributed by $D$ and to be reconstructed by $P_1, \ldots, P_\ell$ are random elements of $\langle g \rangle$.

– Distribution protocol. The dealer chooses $z \in_R \mathbb{Z}_n$, and sets the secret $s$ to $s = g^z$. The dealer chooses $z_2, \ldots, z_\ell \in_R \mathbb{Z}_n$ and sets $z_1 = z - \sum_{i=2}^{\ell} z_i \pmod{n}$. Then the dealer broadcasts the values $e_i = h_i^{z_i}$, using the public keys $h_i$ of the participants, for $i = 1, \ldots, \ell$.

– Reconstruction protocol. Each participant $P_i$ sets $s_i = e_i^{1/x_i}$, using its private key $x_i$. The secret $s$ is reconstructed as $s = \prod_{i=1}^{\ell} s_i$.

Assume that the dealer and the participants follow the protocol.

a) Show that reconstruction works, hence that $s = g^z$ holds.

b) Fix a participant $P_i$. Show that a passive attacker who just sees the values $h_i$ and $e_i$ cannot compute $g^{z_i}$, assuming that the above DH-INV problem is hard.

c) Is the secret $s$ protected information-theoretically?

4) Next, we turn the above scheme into a verifiable secret sharing scheme by extending the reconstruction protocol as follows.

– Extended reconstruction protocol. Each participant $P_i$ sets $s_i = e_i^{1/x_i}$, using its private key $x_i$, and provides a proof showing that the value of $s_i$ is correct with respect to $h_i$ and $e_i$. The secret $s$ is reconstructed as $s = \prod_{i=1}^{\ell} s_i$.

a) Using EQ-composition, give a Σ-protocol for the relation

$R_i = \{(h_i, e_i, s_i; x_i) \mid h_i = g^{x_i},\ e_i = s_i^{x_i}\}$.

Hence $h_i, e_i, s_i$ are public and $x_i$ is the witness, which is known only to $P_i$. Prove that the Σ-protocol is complete, special sound, and honest-verifier zero-knowledge.

b) Let H denote a cryptographic hash function. Turn the above Σ-protocol into a non-interactive Σ-proof (using the Fiat-Shamir heuristic) and show how the proof is verified.

c) Explain why the dealer cannot give out inconsistent shares to the participants.
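The distribution and extended reconstruction protocols of problems 3 and 4 in a toy group, as an added example that is not part of the exam and not its model answer. The group parameters, SHA-256 as the hash, the encoding of the hash input and all function names are assumptions; the proof is a standard equality-of-discrete-logs construction (two Schnorr proofs sharing one challenge and one response) made non-interactive with Fiat-Shamir.

```python
import hashlib
import secrets

# Toy parameters, assumed for illustration only: <g> has prime order n in Z_p^*.
# With n this small a proof is easy to forge; the point here is the algebra.
P, N, G = 1019, 509, 4

def challenge(*elems):
    """Fiat-Shamir challenge: SHA-256 over the listed values, as an integer.
    Only its value mod n matters in the exponents."""
    data = ",".join(str(e) for e in elems).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen():
    x = 1 + secrets.randbelow(N - 1)          # x_i in Z_n^*
    return x, pow(G, x, P)                    # (x_i, h_i = g^{x_i})

def distribute(pub_keys):
    """Dealer: return (s, [e_1, ..., e_l]) with s = g^z and e_i = h_i^{z_i}."""
    z = secrets.randbelow(N)
    zs = [secrets.randbelow(N) for _ in pub_keys[1:]]    # z_2, ..., z_l
    zs.insert(0, (z - sum(zs)) % N)                      # z_1
    return pow(G, z, P), [pow(h, zi, P) for h, zi in zip(pub_keys, zs)]

def open_share(x, h, e):
    """Participant: s_i = e_i^{1/x_i} plus a proof (c, r) for relation R_i."""
    s = pow(e, pow(x, -1, N), P)
    u = secrets.randbelow(N)
    c = challenge(pow(G, u, P), pow(s, u, P), h, e, s)   # commitments g^u, s_i^u
    return s, (c, (u + c * x) % N)

def verify_share(h, e, s, proof):
    """Recompute both commitments from (c, r) and compare the challenge."""
    c, r = proof
    a1 = pow(G, r, P) * pow(h, -c, P) % P     # g^r h_i^{-c}
    a2 = pow(s, r, P) * pow(e, -c, P) % P     # s_i^r e_i^{-c}
    return c == challenge(a1, a2, h, e, s)

def reconstruct(pub_keys, es, opened):
    """Multiply the s_i, rejecting any share whose proof does not verify."""
    s = 1
    for h, e, (s_i, proof) in zip(pub_keys, es, opened):
        if not verify_share(h, e, s_i, proof):
            raise ValueError("share failed verification")
        s = s * s_i % P
    return s
```
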

Points per question: 1: 10, 2a: 4, 2b: 3, 2c: 3, 3a: 4, 3b: 7, 3c: 3, 4a: 10, 4b: 3, 4c: 3

The final mark is the total number of points divided by 5, rounded to the nearest integer.
