
Pointers:

You have been allocated a unique public key and sequence of messages to use for
this task.

{"srn":"140250956","name":"EMRE NEZHAT","exercise":{"key":
{"p":"17616640590392624387","g":"2","pk":"7462958584846464278"},"intercep
ted":[{"text":"tambourine","signature":
{"r":"1657207568159922377","s":"14618561517488039109"}},
{"text":"playground","signature":
{"r":"10245172613620709054","s":"10268763073756714230"}},
{"text":"irrigation","signature":
{"r":"5904090421229568232","s":"2720667014476811786"}},
{"text":"indulgence","signature":
{"r":"7176617548726996184","s":"9363123168155182722"}},
{"text":"commission","signature":
{"r":"9843051593615636877","s":"10139523909522569853"}},
{"text":"excellence","signature":
{"r":"2863148543028861560","s":"13771600718139864338"}},
{"text":"liberation","signature":
{"r":"12999430834758915130","s":"4818751297555896815"}},
{"text":"silhouette","signature":
{"r":"5078725488875311357","s":"8574432540506082009"}},
{"text":"antagonist","signature":
{"r":"3303015212846896090","s":"16221183302957433045"}},
{"text":"restaurant","signature":
{"r":"2863148543028861560","s":"7858047615221387676"}}]}}

Intro
This assignment covers digital signature schemes: you will work with the El
Gamal signature scheme, large primes and linear congruences, and see how to
exploit a simple mistake to recover the private key.
You will verify a few messages that have been signed by Alice using the El
Gamal signature scheme. Due to sloppy coding, rather than using a
unique k for each signature, Alice has reused one k value across several
messages.
Exploiting this, you can perform a same-k attack, allowing you to recover
Alice’s private key. You will then be able to impersonate Alice by signing
a few messages on her behalf. The internet has plenty of information on
the subject, so you will not find it difficult to read up on the following
topics:
• El Gamal signature scheme.
• Same-k attack.
• Linear congruence.

You should check a list of intercepted messages which were signed by Alice, and
then impersonate Alice by signing a list of subsequent messages on her
behalf.
A programming language is required, and you may use any third-party libraries
available for SHA-256 and JSON. Libraries are available for most
languages, including (and not limited to) Java, C/C++, Scala, Python,
JavaScript, etc. Please include key snippets of your code as an annex.

Part A
You are given Alice’s public key and a list of intercepted messages in the following format:

{"srn":"887766554","name":"Carl Davis","exercise":{"key":
{"p":"17616640590392624387","g":"2","pk":"9540710599828830739"},"intercep
ted":[{"text":"vegetarian","signature":
{"r":"6639239524185765101","s":"3938252239699764786"}},
{"text":"television","signature":
{"r":"7997103750559419825","s":"11043117593640282650"}},
{"text":"toothpaste","signature":
{"r":"2807300125410466152","s":"16674534501237991620"}},
{"text":"providence","signature":
{"r":"16526574537075754551","s":"5176712809762123254"}},
{"text":"revelation","signature":
{"r":"13112042454473672026","s":"15496635786824103714"}},
{"text":"possession","signature":
{"r":"11881214669873679340","s":"12753916073846954214"}},
{"text":"laboratory","signature":
{"r":"11070815852751191729","s":"2419018265908646477"}},
{"text":"allegiance","signature":
{"r":"16526574537075754551","s":"4029293089712725140"}},
{"text":"enthusiast","signature":
{"r":"10428052768440187678","s":"1393740918527063389"}},
{"text":"gadolinium","signature":
{"r":"6707840473249891091","s":"16735677713165379735"}}]}}

It is in JSON format. The srn and name fields should correspond to your
details. Under the exercise hash you will find a key, which is Alice’s public key. The
key conforms to the El Gamal signature scheme, so it consists of a prime
number p, a corresponding generator g and a public key pk (from public
key).
The intercepted field is a list of intercepted messages containing the plain text
and the El Gamal signature. The hash function used for the signature is
SHA-256.
For example, if you look at the message corresponding to providence in
Carl Davis’s assignment, providence is first hashed to
bae3632ffa8b538a0930a410b2607cdba6bf8354798655a4fc925af32ef085d6.
This is then transformed to an integer:
5152602279542146400708960607739986116997282617694052031808340371794248467484232654792651069731810802734609934758509793911902924767267144784680717959652406,
which is then used with the El Gamal signature scheme to produce the
signature, which is the (r, s) pair.
If you use Java, you can use Apache Commons Codec to obtain the hash with the
following code:

import org.apache.commons.codec.digest.DigestUtils;

public String hash(final String text) {
    // Lowercase hex string of the SHA-256 digest
    return DigestUtils.sha256Hex(text);
}

Furthermore, you can rely on the following code to transform a string to a
number:

import java.math.BigInteger;
import java.nio.charset.StandardCharsets;

public BigInteger encode(final String text) {
    // Bytes of the string read as one big-endian integer
    return new BigInteger(text.getBytes(StandardCharsets.UTF_8));
}

Hash Providence -
5152602279542146400708960607739986116997282617694052031808340371794248467484232654792651069731810802734609934758509793911902924767267144784680717959652406

Note: for simplicity, all numbers in all JSON references throughout this
assignment are given and expected as decimal integers written as strings (i.e.
integers between double quotes).

Step 1
The first part requires you to filter the messages based on whether they verify
against the El Gamal signature scheme, and to include in the solution only those
messages that do. You only need Alice’s public key to do this. The solution is
expected to be included under a solution hash, which is expected to be on
the same level as the exercise hash. Include the verified messages under an
intercepted hash in the solution. For the sample above, the correct solution
is:
{
"srn": "887766554",
"name": "Carl Davis",
"exercise": {
"key": {
"p": "17616640590392624387",
"g": "2",
"pk": "9540710599828830739"
},
"intercepted": [
{
"text": "vegetarian",
"signature": {
"r": "6639239524185765101",
"s": "3938252239699764786"
}
},
{
"text": "television",
"signature": {
"r": "7997103750559419825",
"s": "11043117593640282650"
}
},
{
"text": "toothpaste",
"signature": {
"r": "2807300125410466152",
"s": "16674534501237991620"
}
},
{
"text": "providence",
"signature": {
"r": "16526574537075754551",
"s": "5176712809762123254"
}
},
{
"text": "revelation",
"signature": {
"r": "13112042454473672026",
"s": "15496635786824103714"
}
},
{
"text": "possession",
"signature": {
"r": "11881214669873679340",
"s": "12753916073846954214"
}
},
{
"text": "laboratory",
"signature": {
"r": "11070815852751191729",
"s": "2419018265908646477"
}
},
{
"text": "allegiance",
"signature": {
"r": "16526574537075754551",
"s": "4029293089712725140"
}
},
{
"text": "enthusiast",
"signature": {
"r": "10428052768440187678",
"s": "1393740918527063389"
}
},
{
"text": "gadolinium",
"signature": {
"r": "6707840473249891091",
"s": "16735677713165379735"
}
}
]
},
"solution": {
"key": {

"p": "17616640590392624387",
"g": "2",
"sk": "485897652",
"pk": "9540710599828830739"
},
"intercepted": [
{
"text": "providence",
"signature": {
"r": "16526574537075754551",
"s": "5176712809762123254"
}
},
{
"text": "possession",
"signature": {
"r": "11881214669873679340",
"s": "12753916073846954214"
}
},
{
"text": "laboratory",
"signature": {
"r": "11070815852751191729",
"s": "2419018265908646477"
}
},
{
"text": "allegiance",
"signature": {
"r": "16526574537075754551",
"s": "4029293089712725140"
}
},
{
"text": "enthusiast",
"signature": {
"r": "10428052768440187678",
"s": "1393740918527063389"
}
}
],
"impersonated": [
{
"text": "data confidentiality",
"signature": {
"r": "10583579181169233794",
"s": "10315443663673642759"
}
},
{
"text": "data integrity",

"signature": {
"r": "15785763612909070588",
"s": "7116250536040742732"
}
},
{
"text": "authentication",
"signature": {
"r": "1469583134438742409",
"s": "4564211458941489633"
}
},
{
"text": "non-repudiation",
"signature": {
"r": "15750300550505847459",
"s": "7905047324117013608"
}
}
]
}
}
//JSON format
Note that providence and laboratory (among other words) are in the
solution as their signatures verify against Alice’s public key, but vegetarian
and television (among other words) are not, as their signatures do not verify.

Step 2
The second part requires you to impersonate Alice and sign on her behalf the
following four texts using the El Gamal signature scheme:
data confidentiality
data integrity
authentication
non-repudiation
By looking carefully at the messages you verified in Step 1, you will
realize that rather than using a unique k for each signature, one k has been
reused, which allows you to perform a same-k attack. This will allow you
to find the private key, and thus produce counterfeit signatures. Make sure
that you do not make the same mistake when you produce the counterfeit
signatures. Include the private key in the key hash under the solution as
sk (from secret key) next to p, g and pk. Include the list of impersonated
messages under an impersonated hash on the same level as the intercepted
hash.
You can see in the sample solution the signatures for the required four
plain texts. Do not get distracted by the blank space or the hyphen in
the texts. Once you hash them, and subsequently encode them, these do
not make any difference. For example, data confidentiality hashes to
d02f03b38f33eca138eacf5b2f01a63aaef2bb4ba6b31cb1ec6fec49b92ccd0c,
which is then encoded as
5247285421845087059140387699923700103986285229205296479476138331600546258380271833856861742724101495518137268812152047708294477265904690099019107925241955.
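
The verification from Step 1 and the reason a reused k exposes the private key (Step 2), as an added Python example that is not part of the original assignment or its sample solution. P and G are the page's p and g; the function names, DEMO_SK and DEMO_K are constructed for illustration, and textbook El Gamal (r = g^k mod p, s = (m - sk*r)/k mod p-1) is assumed.

```python
import hashlib
from math import gcd

P, G = 17616640590392624387, 2          # p and g as given on the page

def encode(text):
    # SHA-256 hex digest, its ASCII bytes read as one big-endian integer (the page's encoding)
    return int.from_bytes(hashlib.sha256(text.encode()).hexdigest().encode(), "big")

def sign(text, sk, k):
    # Textbook El Gamal; k must be coprime to p-1 and must never be reused
    r = pow(G, k, P)
    return r, (encode(text) - sk * r) * pow(k, -1, P - 1) % (P - 1)

def verify(text, r, s, pk):
    # Range checks first, then g^m == pk^r * r^s (mod p)
    if not (0 < r < P and 0 < s < P - 1):
        return False
    return pow(G, encode(text), P) == pow(pk, r, P) * pow(r, s, P) % P

def solve_congruence(a, b, n):
    # Yield every x in [0, n) with a*x = b (mod n): gcd(a, n) solutions, or none
    d = gcd(a, n)
    if b % d == 0:
        step = n // d
        x0 = (b // d) * pow(a // d, -1, step) % step
        for i in range(d):
            yield x0 + i * step

def recover_key(sig1, sig2, pk):
    # sig = (text, r, s); equal r on two different messages means the same k was used
    (t1, r, s1), (t2, r2, s2) = sig1, sig2
    n = P - 1
    if r != r2 or s1 == s2:
        return None
    m1, m2 = encode(t1), encode(t2)
    for k in solve_congruence((s1 - s2) % n, (m1 - m2) % n, n):
        if pow(G, k, P) == r:                       # keep the k that reproduces r
            for x in solve_congruence(r, (m1 - s1 * k) % n, n):
                if pow(G, x, P) == pk:              # keep the x that reproduces pk
                    return x
    return None

# Constructed demo key and nonce (not taken from the page)
DEMO_SK = 123456789
DEMO_PK = pow(G, DEMO_SK, P)
DEMO_K = next(k for k in range(0xC0FFEE, 0xC0FFEE + 100) if gcd(k, P - 1) == 1)
SIG_A = ("data integrity", *sign("data integrity", DEMO_SK, DEMO_K))
SIG_B = ("authentication", *sign("authentication", DEMO_SK, DEMO_K))
```

The same functions accept the (text, r, s) values from the JSON above. Drawing a fresh random k coprime to p-1 for every signature removes the shared r that recover_key depends on.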

Part B – Report
Use diagrams where possible and explain them. Explanations should use
Alice’s key and the signed messages provided.

Question 1
Using Fermat’s little theorem, show that 17616640590392624387 is a prime
number. Explain briefly the heuristic you use.

Question 2
Show that 2 is a generator for prime 17616640590392624387 in the context of
the El Gamal signature scheme.

Question 3
Explain in simple terms, using an example from the messages you have been
given, how messages are signed using the El Gamal signature scheme.

Question 4
Show how a signature produced with the El Gamal signature scheme can be
verified. Use an example from the messages that you have been given.

Question 5
Show the correctness of the scheme in the sense that a signature generated
with the El Gamal signing algorithm can be checked by a verifier.

Question 6
Find integer x such that 2491773869989059992 x = 4564732769545516204
(mod 17616640590392624386). Show your working methods.

Question 7
Explain how you find the solutions of the linear congruence equation: a x =
b (mod n), where a, b and n are given integers and x is an unknown integer.

Question 8
Show that where Alice uses the same value of k to sign two different
messages m1 and m2, using the El Gamal signature scheme, you can recover
the value of k. Show how once having k you can recover Alice’s private key.

Question 9
Explain step-by-step, using messages that you have been given, and with
the appropriate formulae, how would you recover Alice’s private key. Show
all your working. State the linear congruence equations that you have to
solve and explain how you select the right solution.

Question 10
Briefly – in one paragraph – describe the design of your code. Attach the
implementation of the signature, verification, linear congruence and
private key hacking methods. Don’t forget to acknowledge any code re-use.

Question 11
Explain briefly, in your own words, what the implications are if you manage
to hack an institution’s private key.

Submission requirements
Upload two single files only. These must not be placed in a folder, zipped,
etc.
The report should be submitted as a PDF document, and the solution is to be
submitted as a JSON file with a strict format and naming scheme.

Note: as the JSON is evaluated by an algorithm, every quote, comma,
colon, curly brace and upper/lower case is crucial. Please pay attention to
these, and check your JSON very carefully against the sample solution
provided.
[END OF ASSIGNMENT]

Unique public key and sequence of messages

{"srn":"140250956","name":"EMRE NEZHAT","exercise":{"key":
{"p":"17616640590392624387","g":"2","pk":"7462958584846464278"},"intercep
ted":[{"text":"tambourine","signature":
{"r":"1657207568159922377","s":"14618561517488039109"}},
{"text":"playground","signature":
{"r":"10245172613620709054","s":"10268763073756714230"}},
{"text":"irrigation","signature":
{"r":"5904090421229568232","s":"2720667014476811786"}},
{"text":"indulgence","signature":
{"r":"7176617548726996184","s":"9363123168155182722"}},
{"text":"commission","signature":
{"r":"9843051593615636877","s":"10139523909522569853"}},
{"text":"excellence","signature":
{"r":"2863148543028861560","s":"13771600718139864338"}},
{"text":"liberation","signature":
{"r":"12999430834758915130","s":"4818751297555896815"}},
{"text":"silhouette","signature":
{"r":"5078725488875311357","s":"8574432540506082009"}},
{"text":"antagonist","signature":
{"r":"3303015212846896090","s":"16221183302957433045"}},
{"text":"restaurant","signature":
{"r":"2863148543028861560","s":"7858047615221387676"}}]}}
