b. x = 17 and k E = 49

c. x = 85 and k E = 77

2. You receive two alleged messages x 1 , x 2 with their corresponding signatures

( r i , s i ) from Bob. Verify whether the messages ( x 1 , r 1 , s 1 )=(22 , 37 , 33) and

( x 2 , r 2 , s 2 )=(82 , 13 , 65) both originate from Bob.

3. Compare the RSA signature scheme with the Elgamal signature scheme. Where

are their relative advantages and drawbacks?

10.11. Given is an Elgamal signature scheme with p = 31,

α

= 3 and

β

= 6. You

receive the message x = 10 twice with the signatures ( r , s ):

( i )(17 , 5)

( ii )(13 , 15)

1. Are both signatures valid?

2. How many valid signatures are there for each message x and the specific param-

eters chosen above?

10.12. Given is an Elgamal signature scheme with the public parameters ( p =

97 ,

= 15). Show how Oscar can perform an existential forgery attack

by providing an example for a valid signature.

α

= 23 ,

β

10.13. Given is an Elgamal signature scheme with the public parameters p ,

α ∈

Z p and an unknown private key d . Due to faulty implementation, the following

dependency between two consecutive ephemeral keys is fulfilled:

k E i +1 = k E i + 1 .

Furthermore, two consecutive signatures to the plaintexts x 1 and x 2

( r 1 , s 1 )

and

( r 2 , s 2 )

are given. Explain how an attacker is able to calculate the private key with the given

values.

10.14. The parameters of DSA are given by p = 59 , q = 29 ,

= 3, and Bob's pri-

vate key is d = 23. Show the process of signing (Bob) and verification (Alice) for

following hash values h ( x ) and ephemeral keys k E :

1. h ( x )=17 , k E = 25

2. h ( x )=2 , k E = 13

3. h ( x )=21 , k E = 8

α

10.15. Show how DSA can be attacked if the same ephemeral key is used to sign

two different messages.