密码学题型enCryptography Final Exam Key Problems - English Versio

Cryptography Final Exam Key Problems - English Version

Problem Type Description

This problem set contains four exam question types:

Concept Explanation: Explain cryptographic concepts, definitions, properties, etc.
Scheme Design: Design cryptographic schemes to meet specific security requirements
Proof Problems: Prove security or insecurity of cryptographic schemes
Calculation Problems: Perform specific cryptographic calculations

Part 1: Symmetric Tools

Type 1: Concept Explanation

Problem 1: Explain PRG Security Definition

Problem: Please explain in detail the security definition of Pseudo-Random Generator (PRG), including: (1) Formal definition (2) Concept of distinguisher (3) Meaning of negligible function (4) Why this definition ensures PRG security

Complete Solution:

(1) Formal Definition

Let $G: \{0,1\}^n \rightarrow \{0,1\}^l$ be a function where $l > n$ (expansion requirement). $G$ is a secure PRG if for all polynomial-time distinguishers $D$ , there exists a negligible function $\epsilon$ such that: $|\Pr[D(G(s)) = 1] - \Pr[D(r) = 1]| \leq \epsilon(n)$ where:

$s \leftarrow \{0,1\}^n$ is a random seed
$r \leftarrow \{0,1\}^l$ is a truly random string
$D$ is a distinguisher algorithm that outputs 0 or 1

(2) Concept of Distinguisher

A distinguisher $D$ is a polynomial-time algorithm that attempts to distinguish PRG output from a truly random string:

If $D$ outputs 1, it means it thinks the input is random
If $D$ outputs 0, it means it thinks the input is not random (possibly PRG output)

The distinguisher's goal is to maximize distinguishing advantage: $\text{Adv}_D = |\Pr[D(G(s)) = 1] - \Pr[D(r) = 1]|$

(3) Meaning of Negligible Function

A negligible function $\epsilon: \mathbb{N} \rightarrow \mathbb{R}$ satisfies: for all polynomials $p$ , there exists $N$ such that for all $n > N$ , we have $\epsilon(n) < 1/p(n)$ .

Intuitive understanding: A negligible function decays faster than the reciprocal of any polynomial. For example:

$\epsilon(n) = 2^{-n}$ is negligible
$\epsilon(n) = n^{-100}$ is negligible
$\epsilon(n) = 1/n$ is not negligible (because $1/n > 1/n^2$ for large $n$ )

(4) Why This Definition Ensures PRG Security

If PRG is secure, then:

Any polynomial-time algorithm cannot distinguish $G(s)$ from a truly random string $r$ with non-negligible advantage
This means $G(s)$ is computationally indistinguishable from a truly random string
Therefore, using $G(s)$ instead of a truly random string does not significantly reduce security
This ensures PRG can be safely used in cryptographic applications (e.g., generating key streams)

If there exists a distinguisher that can distinguish with non-negligible advantage, then PRG is insecure and cannot be used in cryptographic applications.

Problem 2: Explain the Role of IV in Stream Cipher

Problem: In stream ciphers, what is the role of Initialization Vector (IV)? Why does IV not need to be secret? What security problems occur if the same combination of key and IV is reused? Please explain in detail.

Complete Solution:

Role of IV

The Initialization Vector (IV) in stream ciphers has the following roles:

Ensures Uniqueness of Key Stream: Even with the same key $k$ , different IVs produce different key streams
- Key stream: $K = G(k, IV)$
- If $IV_1 \neq IV_2$ , then $G(k, IV_1) \neq G(k, IV_2)$ (for secure PRG)
Prevents Same Plaintext from Producing Same Ciphertext:
- If $IV$ is different, even if plaintext $m$ is the same, ciphertext $c = m \oplus G(k, IV)$ will be different
- This provides semantic security
Supports Parallel Encryption: Different messages can use different IVs, enabling parallel encryption

Why IV Does Not Need to Be Secret

Reasons why IV does not need to be secret:

IV's Role is to Provide Randomness, Not Confidentiality:
- Confidentiality is provided by key $k$ and encryption function
- IV's role is to ensure each encryption produces different ciphertexts
Even if Attacker Knows IV, Stream Cipher Remains CPA Secure as Long as IV is Random:
- Attacker knows $IV$ and $c = m \oplus G(k, IV)$
- But without knowing key $k$ , cannot compute $G(k, IV)$
- Therefore cannot obtain information about plaintext $m$
Practical Considerations:
- IV is usually transmitted together with ciphertext
- Can be stored publicly
- But must ensure IV uniqueness (cannot be reused)

Security Problems from Reusing Same Key and IV

If the same combination of key and IV is reused, serious security problems occur:

Attack Scenario: Assume using the same $(k, IV)$ to encrypt two messages $m_1$ and $m_2$ :

$c_1 = m_1 \oplus G(k, IV)$
$c_2 = m_2 \oplus G(k, IV)$

Attack Method: Attacker can compute: $c_1 \oplus c_2 = (m_1 \oplus G(k, IV)) \oplus (m_2 \oplus G(k, IV)) = m_1 \oplus m_2$

Security Consequences:

Leaks XOR of Plaintexts: Attacker obtains $m_1 \oplus m_2$ , which leaks the XOR of two plaintexts
If One Plaintext is Known, Can Recover the Other:
- If attacker knows $m_1$ , then $m_2 = c_1 \oplus c_2 \oplus m_1$
Pattern Analysis: Attacker can analyze patterns in plaintexts

Practical Example: If $m_1 = "HELLO"$ and $m_2 = "WORLD"$ , attacker computing $c_1 \oplus c_2$ may leak partial information.

Conclusion:

Absolutely forbidden to reuse the same $(k, IV)$ combination
Each encryption must use a different IV
IV can be a counter, random number, or timestamp, but must ensure uniqueness

Type 2: Scheme Design

Problem 3: Design a Secure File Transfer Scheme

Problem: Design a secure file transfer scheme that satisfies the following requirements:

File size is 10GB (very large)
Payment information is confidential (No one knows the payment amount)
File integrity (Integrity)
Only Bob can check the file content

Please: (1) Choose appropriate cryptographic tools (2) Explain the scheme's working process in detail (3) Explain how the scheme satisfies each requirement

Complete Solution:

(1) Choose Appropriate Cryptographic Tools

Based on requirements, we need the following tools:

Symmetric Encryption: For encrypting large files (efficient)
Public Key Encryption: For transmitting symmetric key (only Bob can decrypt)
Hash Function: For file integrity verification
Digital Signature (optional): For authenticating sender identity

Specific Choices:

Symmetric Encryption: AES-256-CTR (suitable for large files, supports parallelization)
Public Key Encryption: RSA-OAEP or Elgamal (for encrypting symmetric key)
Hash Function: SHA-256 (for integrity)
Digital Signature: RSA-FDH or Schnorr (for authentication)

(2) Detailed Scheme Design

Scheme: Hybrid Encryption + Hash + Digital Signature

Step 1: Sender (Alice) Prepares File

Generate random symmetric key: $k \leftarrow \{0,1\}^{256}$ (AES-256 key)
Choose random IV: $IV \leftarrow \{0,1\}^{128}$
Encrypt file using AES-CTR:
- Split 10GB file into blocks: $F_1, F_2, \ldots, F_n$
- Encrypt each block: $C_i = F_i \oplus AES_k(IV + i)$
- Ciphertext file: $C = C_1 || C_2 || \ldots || C_n$
Compute file hash: $h = SHA256(F)$ (compute for entire original file)
Encrypt symmetric key using Bob's public key: $K_{enc} = RSA\text{-}OAEP_{pk_B}(k || IV)$
(Optional) Sign hash value using Alice's private key: $\sigma = Sign_{sk_A}(h)$

Step 2: Send Alice sends to Bob:

Encrypted file: $C$ (10GB)
Encrypted key: $K_{enc}$
File hash value: $h$
(Optional) Signature: $\sigma$

Step 3: Receiver (Bob) Verifies and Decrypts

Decrypt key using Bob's private key: $(k || IV) = RSA\text{-}OAEP_{sk_B}^{-1}(K_{enc})$
Decrypt file using AES-CTR:
- Decrypt each block: $F_i = C_i \oplus AES_k(IV + i)$
- Recover file: $F = F_1 || F_2 || \ldots || F_n$
Compute hash of received file: $h' = SHA256(F)$
Verify integrity: Check if $h' = h$
- If equal, file is intact; otherwise file has been tampered with
(Optional) Verify signature: $Verify_{pk_A}(h, \sigma)$

(3) Explain How Each Requirement is Satisfied

Requirement 1: File Size is 10GB (Very Large)

Solution: Use symmetric encryption (AES-CTR)
- Symmetric encryption is fast, suitable for large files
- CTR mode supports parallel encryption/decryption
- 10GB file can be processed efficiently
Why Not Use Public Key Encryption Directly for File:
- Public key encryption is slow (100-1000 times slower than symmetric encryption)
- RSA can only encrypt data smaller than modulus
- Therefore use hybrid encryption: public key encrypts small key (256 bits), symmetric encrypts large file (10GB)

Requirement 2: Payment Information Confidential (No One Knows)

Solution: Use public key encryption to protect symmetric key
- Only Bob has private key $sk_B$ , only Bob can decrypt $K_{enc}$ to obtain $k$
- Without $k$ , cannot decrypt file $C$
- Therefore, except Bob, no one can know file content (including payment information)
Security Guarantee:
- RSA-OAEP is CPA secure
- Even if attacker intercepts $K_{enc}$ , cannot decrypt (unless can break RSA)

Requirement 3: File Integrity (Integrity)

Solution: Use hash function to verify integrity
- Alice computes hash of original file $h = SHA256(F)$
- Bob computes hash of received file $h' = SHA256(F')$ after decryption
- If $h' = h$ , file is intact; otherwise file has been tampered with
Security Guarantee:
- SHA-256 has collision resistance
- Attacker cannot find different files producing the same hash value
- Therefore can detect any tampering

Requirement 4: Only Bob Can Check File Content

Solution: Use Bob's public key encryption
- Symmetric key $k$ is encrypted using Bob's public key $pk_B$
- Only Bob has private key $sk_B$ , only Bob can decrypt to obtain $k$
- Without $k$ , cannot decrypt file
Security Guarantee:
- Public key encryption ensures only private key holder (Bob) can decrypt
- Even if attacker intercepts all transmitted data, cannot obtain file content

Scheme Summary:

✅ Satisfies large file requirement: Uses efficient symmetric encryption
✅ Satisfies confidentiality requirement: Uses public key encryption to protect key
✅ Satisfies integrity requirement: Uses hash function for verification
✅ Satisfies access control requirement: Only Bob can decrypt

Type 3: Proof Problems

Problem 4: Prove ECB Mode is Not CPA Secure

Problem: Please strictly prove that ECB (Electronic Codebook) mode is not CPA (Chosen Plaintext Attack) secure.

Requirements: (1) Give formal definition of CPA security (2) Construct attacker algorithm (3) Analyze attacker's success probability (4) Draw conclusion

Complete Solution:

(1) Formal Definition of CPA Security

Encryption scheme $(Gen, Enc, Dec)$ is CPA secure if for all polynomial-time attackers $A$ , there exists a negligible function $\epsilon$ such that: $\Pr[\text{CPA-Game}(A) = 1] \leq \frac{1}{2} + \epsilon(n)$

CPA Game:

Challenger generates key $k \leftarrow Gen(1^n)$
Attacker can query encryption oracle $Enc_k(\cdot)$ arbitrarily many polynomial times
Attacker chooses two equal-length plaintexts $m_0, m_1$ ( $|m_0| = |m_1|$ )
Challenger randomly chooses $b \leftarrow \{0,1\}$ , returns challenge ciphertext $c^* = Enc_k(m_b)$
Attacker continues to query encryption oracle
Attacker outputs $b' \in \{0,1\}$
If $b' = b$ , attacker wins, game outputs 1; otherwise outputs 0

Attacker's Advantage: $\text{Adv}_{CPA}(A) = |\Pr[\text{CPA-Game}(A) = 1] - \frac{1}{2}|$

If $\text{Adv}_{CPA}(A) \leq \epsilon(n)$ (negligible), then scheme is CPA secure.

(2) Construct Attacker Algorithm

ECB Mode Encryption: For message $m = P_1 || P_2 || \ldots || P_n$ (split into blocks), ECB mode encryption is: $C_i = E_k(P_i) \quad \text{for } i = 1, 2, \ldots, n$ Ciphertext: $c = C_1 || C_2 || \ldots || C_n$

Construction of Attacker $A$ :

Algorithm $A$ :

Choose Challenge Plaintexts:
- Choose two blocks $P$ and $Q$ such that $P \neq Q$ (e.g., $P = 0^{128}$ , $Q = 1^{128}$ )
- Set $m_0 = P || P$ (two identical blocks)
- Set $m_1 = P || Q$ (two different blocks)
- Send $(m_0, m_1)$ to challenger
Receive Challenge Ciphertext:
- Receive challenge ciphertext $c^* = c_1^* || c_2^*$ (two ciphertext blocks)
Distinguish:
- If $c_1^* = c_2^*$ , output $b' = 0$
- If $c_1^* \neq c_2^*$ , output $b' = 1$

(3) Analyze Attacker's Success Probability

Case 1: $b = 0$ (Encrypt $m_0 = P || P$ )

ECB encryption: $c_1^* = E_k(P)$ , $c_2^* = E_k(P)$
Since $E_k$ is deterministic function, $E_k(P) = E_k(P)$
Therefore $c_1^* = c_2^*$
Attacker observes $c_1^* = c_2^*$ , outputs $b' = 0$
Success: $b' = b = 0$ ✓

Case 2: $b = 1$ (Encrypt $m_1 = P || Q$ )

ECB encryption: $c_1^* = E_k(P)$ , $c_2^* = E_k(Q)$
Since $P \neq Q$ and $E_k$ is a permutation, $E_k(P) \neq E_k(Q)$
Therefore $c_1^* \neq c_2^*$
Attacker observes $c_1^* \neq c_2^*$ , outputs $b' = 1$
Success: $b' = b = 1$ ✓

Success Probability Analysis:

$\Pr[\text{CPA-Game}(A) = 1] = \Pr[b' = b]$
In Case 1: $\Pr[b' = 0 | b = 0] = 1$
In Case 2: $\Pr[b' = 1 | b = 1] = 1$
Since $b$ is uniformly random: $\Pr[b = 0] = \Pr[b = 1] = \frac{1}{2}$
Therefore: $\Pr[b' = b] = \Pr[b = 0] \cdot \Pr[b' = 0 | b = 0] + \Pr[b = 1] \cdot \Pr[b' = 1 | b = 1]$ $= \frac{1}{2} \times 1 + \frac{1}{2} \times 1 = 1$

Attacker's Advantage: $\text{Adv}_{CPA}(A) = |\Pr[\text{CPA-Game}(A) = 1] - \frac{1}{2}| = |1 - \frac{1}{2}| = \frac{1}{2}$

(4) Draw Conclusion

Attacker $A$ 's success probability is 1 (perfect distinguishing)
Attacker's advantage is $\frac{1}{2}$ , which is non-negligible (constant, not negligible function)
According to CPA security definition, if there exists attacker with non-negligible advantage, then scheme is not CPA secure
Therefore, ECB mode is not CPA secure

Further Explanation:

Problem with ECB mode: Identical plaintext blocks always produce identical ciphertext blocks
This allows attackers to infer plaintext information by observing ciphertext patterns
Therefore, ECB mode should not be used in practical applications
Should use CBC, CTR, etc., which are secure encryption modes

Problem 5: Prove Insecurity of Schnorr Signature When Random Number is Restricted

Problem: Prove that if in Schnorr signature the random number $r$ is only chosen from set $\{r_1, r_2, r_3\}$ (instead of uniformly randomly from entire $\mathbb{Z}_q$ ), then the signature scheme is insecure.

Require complete attack construction and success probability analysis.

Complete Solution:

Schnorr Signature Review:

Private key: $x \in \mathbb{Z}_q$
Public key: $y = g^x \bmod p$
Signature: Choose $r \leftarrow \mathbb{Z}_q$ , compute $R = g^r$ , $c = H(m || R)$ , $s = r + cx \bmod q$
Signature: $\sigma = (R, s)$
Verification: Check $g^s = R \cdot y^c$

(1) Attack Scenario Setup

Assume signer uses restricted random number set: $r \in \{r_1, r_2, r_3\}$ , instead of randomly from entire $\mathbb{Z}_q$ .

(2) Attacker Construction

Attacker $A$ 's Goal: Recover private key $x$ or forge signatures

Attack Algorithm:

Step 1: Observe Signatures

Attacker $A$ queries signature oracle, obtains signature $\sigma = (R, s)$ for message $m$
$A$ knows $R = g^r$ , where $r \in \{r_1, r_2, r_3\}$

Step 2: Exhaustive Search for $r$ For each $r_i \in \{r_1, r_2, r_3\}$ :

Compute $R_i = g^{r_i} \bmod p$
Check if $R_i = R$
If equal, found the used $r_i$

Step 3: Recover Private Key Once $r_i$ is found, attacker can recover private key:

From signature: $s = r_i + cx \bmod q$
Where $c = H(m || R)$ is known
Therefore: $x = (s - r_i) \cdot c^{-1} \bmod q$

(3) Success Probability Analysis

Probability of Finding $r$ :

Random number $r$ is uniformly chosen from $\{r_1, r_2, r_3\}$
Attacker needs to try at most 3 times
Success probability: $\Pr[\text{find } r] = 1$ (after at most 3 attempts)

Probability of Recovering Private Key:

Once $r$ is found, can deterministically compute $x$
Success probability: $\Pr[\text{recover } x | \text{find } r] = 1$

Overall Success Probability: $\Pr[\text{attack succeeds}] = \Pr[\text{find } r] \times \Pr[\text{recover } x | \text{find } r] = 1 \times 1 = 1$

Time Complexity:

Need to compute $g^{r_i}$ at most 3 times
Each computation requires $O(\log r_i)$ modular exponentiations
Total time complexity: $O(3 \times \log q) = O(\log q)$ (polynomial time)

(4) Forge Signatures

Once attacker obtains private key $x$ , can:

Generate valid signatures for arbitrary messages $m^*$
Choose arbitrary $r^*$ (even without restriction)
Compute $R^* = g^{r^*}$ , $c^* = H(m^* || R^*)$ , $s^* = r^* + c^* x \bmod q$
Output signature $\sigma^* = (R^*, s^*)$

(5) Comparison: If $r$ is Chosen from Entire $\mathbb{Z}_q$

If $r$ is uniformly randomly chosen from entire $\mathbb{Z}_q$ :

$|\mathbb{Z}_q| = q$ (typically $q \approx 2^{256}$ )
Attacker needs to try average $q/2$ times to find $r$
Success probability: $\Pr[\text{find } r] \approx 2^{-256}$ (negligible)
Therefore attack is infeasible

(6) Conclusion

If random number $r$ is only chosen from $\{r_1, r_2, r_3\}$ , attacker can recover private key in polynomial time with probability 1
This violates unforgeability of digital signatures (attacker can forge arbitrary signatures)
Therefore, Schnorr signature is insecure when random number is restricted
Must require $r$ to be uniformly randomly chosen from entire $\mathbb{Z}_q$

Type 4: Calculation Problems

Problem 6: Complete RSA Encryption/Decryption Calculation

Problem: Given RSA parameters:

$p = 17$ , $q = 19$
Public exponent $e = 5$
Plaintext $m = 123$

Please complete the following calculations: (1) Compute modulus $n$ and Euler's totient function $\phi(n)$ (2) Verify $e$ is coprime with $\phi(n)$ (3) Compute private exponent $d$ (4) Compute ciphertext $c$ (5) Verify decryption process

Complete Solution:

(1) Compute Modulus and Euler's Totient Function

Modulus: $n = p \times q = 17 \times 19 = 323$

Euler's Totient Function: $\phi(n) = (p-1)(q-1) = (17-1)(19-1) = 16 \times 18 = 288$

(2) Verify $e$ is Coprime with $\phi(n)$

Need to verify $\gcd(e, \phi(n)) = \gcd(5, 288) = 1$

Using Euclidean Algorithm:

$288 = 5 \times 57 + 3$
$5 = 3 \times 1 + 2$
$3 = 2 \times 1 + 1$
$2 = 1 \times 2 + 0$

Therefore $\gcd(5, 288) = 1$ ✓

(3) Compute Private Exponent $d$

Need to find $d$ such that $ed \equiv 1 \pmod{\phi(n)}$ , i.e., $5d \equiv 1 \pmod{288}$

Using Extended Euclidean Algorithm:

From above calculation:

$288 = 5 \times 57 + 3$ → $3 = 288 - 5 \times 57$
$5 = 3 \times 1 + 2$ → $2 = 5 - 3 \times 1$
$3 = 2 \times 1 + 1$ → $1 = 3 - 2 \times 1$

Back Substitution: $1 = 3 - 2 \times 1$ $= 3 - (5 - 3 \times 1) \times 1 = 3 - 5 + 3 = 2 \times 3 - 5$ $= 2 \times (288 - 5 \times 57) - 5 = 2 \times 288 - 114 \times 5 - 5$ $= 2 \times 288 - 115 \times 5$

Therefore $1 = 2 \times 288 - 115 \times 5$

So $d = -115 \bmod 288 = 288 - 115 = 173$

Verification: $5 \times 173 = 865$ $865 \bmod 288 = 865 - 3 \times 288 = 865 - 864 = 1$ ✓

Therefore $d = 173$

(4) Compute Ciphertext $c$

Public Key: $pk = (n, e) = (323, 5)$ Plaintext: $m = 123$

Check Plaintext Range: $123 < 323$ ✓ (plaintext is in valid range)

Encryption: $c = m^e \bmod n = 123^5 \bmod 323$

Using Modular Exponentiation:

First express exponent 5 in binary: $5 = 101_2 = 2^2 + 2^0 = 4 + 1$

Compute $123^{2^i} \bmod 323$ :

$123^1 = 123 \bmod 323 = 123$
$123^2 = 15129 \bmod 323$

Compute $15129 \bmod 323$ :

$323 \times 46 = 14858$
$15129 - 14858 = 271$
Therefore $123^2 = 271 \bmod 323$
$123^4 = (123^2)^2 = 271^2 \bmod 323$

Compute $271^2 = 73441 \bmod 323$ :

$323 \times 227 = 73321$
$73441 - 73321 = 120$
Therefore $123^4 = 120 \bmod 323$

Now compute $123^5$ : $123^5 = 123^4 \times 123^1 = 120 \times 123 \bmod 323$

Compute $120 \times 123 = 14760 \bmod 323$ :

$323 \times 45 = 14535$
$14760 - 14535 = 225$
Therefore $c = 225$

(5) Verify Decryption Process

Private Key: $sk = (n, d) = (323, 173)$ Ciphertext: $c = 225$

Decryption: $m' = c^d \bmod n = 225^{173} \bmod 323$

Using Modular Exponentiation:

Express exponent 173 in binary: $173 = 10101101_2 = 128 + 32 + 8 + 4 + 1$

Compute $225^{2^i} \bmod 323$ :

$225^1 = 225 \bmod 323 = 225$
$225^2 = 50625 \bmod 323$

Compute $50625 \bmod 323$ :

$323 \times 156 = 50388$
$50625 - 50388 = 237$
Therefore $225^2 = 237 \bmod 323$
$225^4 = (225^2)^2 = 237^2 \bmod 323$

Compute $237^2 = 56169 \bmod 323$ :

$323 \times 173 = 55879$
$56169 - 55879 = 290$
Therefore $225^4 = 290 \bmod 323$
$225^8 = (225^4)^2 = 290^2 \bmod 323$

Compute $290^2 = 84100 \bmod 323$ :

$323 \times 260 = 83980$
$84100 - 83980 = 120$
Therefore $225^8 = 120 \bmod 323$
$225^{16} = (225^8)^2 = 120^2 \bmod 323$

Compute $120^2 = 14400 \bmod 323$ :

$323 \times 44 = 14212$
$14400 - 14212 = 188$
Therefore $225^{16} = 188 \bmod 323$
$225^{32} = (225^{16})^2 = 188^2 \bmod 323$

Compute $188^2 = 35344 \bmod 323$ :

$323 \times 109 = 35207$
$35344 - 35207 = 137$
Therefore $225^{32} = 137 \bmod 323$
$225^{64} = (225^{32})^2 = 137^2 \bmod 323$

Compute $137^2 = 18769 \bmod 323$ :

$323 \times 58 = 18734$
$18769 - 18734 = 35$
Therefore $225^{64} = 35 \bmod 323$
$225^{128} = (225^{64})^2 = 35^2 \bmod 323$

Compute $35^2 = 1225 \bmod 323$ :

$323 \times 3 = 969$
$1225 - 969 = 256$
Therefore $225^{128} = 256 \bmod 323$

Now compute $225^{173}$ : $225^{173} = 225^{128} \times 225^{32} \times 225^8 \times 225^4 \times 225^1$ $= 256 \times 137 \times 120 \times 290 \times 225 \bmod 323$

Compute step by step:

$256 \times 137 = 35072 \bmod 323$

Compute $35072 \bmod 323$ :

$323 \times 108 = 34884$
$35072 - 34884 = 188$
Therefore intermediate result = $188$
$188 \times 120 = 22560 \bmod 323$

Compute $22560 \bmod 323$ :

$323 \times 69 = 22287$
$22560 - 22287 = 273$
Therefore intermediate result = $273$
$273 \times 290 = 79170 \bmod 323$

Compute $79170 \bmod 323$ :

$323 \times 245 = 79135$
$79170 - 79135 = 35$
Therefore intermediate result = $35$
$35 \times 225 = 7875 \bmod 323$

Compute $7875 \bmod 323$ :

$323 \times 24 = 7752$
$7875 - 7752 = 123$
Therefore $m' = 123$

Verification:

Original plaintext: $m = 123$
Decrypted plaintext: $m' = 123$
$m = m'$ ✓

Decryption Successful!

Problem 7: Complete Elgamal Encryption/Decryption Calculation

Problem: Given Elgamal encryption parameters:

$p = 23$ , $g = 5$
Private key $x = 6$
Plaintext $m = 7$
Random number $r = 3$

Please complete: (1) Compute public key $y$ (2) Compute ciphertext $(c_1, c_2)$ (3) Verify decryption process

Complete Solution:

(1) Compute Public Key $y$

Private Key: $x = 6$ Generator: $g = 5$ Modulus: $p = 23$

Public Key: $y = g^x \bmod p = 5^6 \bmod 23$

Compute $5^6 \bmod 23$ :

$5^2 = 25 \bmod 23 = 2$
$5^4 = (5^2)^2 = 2^2 = 4 \bmod 23 = 4$
$5^6 = 5^4 \times 5^2 = 4 \times 2 = 8 \bmod 23 = 8$

Therefore $y = 8$

Public Key: $pk = (p, g, y) = (23, 5, 8)$

(2) Compute Ciphertext $(c_1, c_2)$

Plaintext: $m = 7$ Random Number: $r = 3$ Public Key: $y = 8$

Elgamal Encryption Formula:

$c_1 = g^r \bmod p$
$c_2 = m \cdot y^r \bmod p$

Compute $c_1$ : $c_1 = g^r \bmod p = 5^3 \bmod 23 = 125 \bmod 23$

Compute $125 \bmod 23$ :

$23 \times 5 = 115$
$125 - 115 = 10$

Therefore $c_1 = 10$

Compute $c_2$ : $c_2 = m \cdot y^r \bmod p = 7 \cdot 8^3 \bmod 23$

First compute $8^3 \bmod 23$ :

$8^1 = 8 \bmod 23 = 8$
$8^2 = 64 \bmod 23 = 64 - 2 \times 23 = 64 - 46 = 18$
$8^3 = 8^2 \times 8 = 18 \times 8 = 144 \bmod 23$

Compute $144 \bmod 23$ :

$23 \times 6 = 138$
$144 - 138 = 6$

Therefore $8^3 = 6 \bmod 23$

So $c_2 = 7 \times 6 = 42 \bmod 23 = 42 - 1 \times 23 = 19$

Ciphertext: $c = (c_1, c_2) = (10, 19)$

(3) Verify Decryption Process

Private Key: $x = 6$ Ciphertext: $c = (10, 19)$

Elgamal Decryption Formula: $m = c_2 \cdot (c_1^x)^{-1} \bmod p$

Step 1: Compute $c_1^x$ $c_1^x = 10^6 \bmod 23$

Compute $10^6 \bmod 23$ :

$10^2 = 100 \bmod 23 = 100 - 4 \times 23 = 100 - 92 = 8$
$10^4 = (10^2)^2 = 8^2 = 64 \bmod 23 = 18$
$10^6 = 10^4 \times 10^2 = 18 \times 8 = 144 \bmod 23 = 6$

Therefore $c_1^x = 6$

Step 2: Compute $(c_1^x)^{-1} \bmod 23$

Need to find $6^{-1} \bmod 23$ , i.e., find $d$ such that $6d \equiv 1 \pmod{23}$

Using Extended Euclidean Algorithm:

$23 = 6 \times 3 + 5$
$6 = 5 \times 1 + 1$
$5 = 1 \times 5 + 0$

Back substitution:

$1 = 6 - 5 \times 1$
$5 = 23 - 6 \times 3$
$1 = 6 - (23 - 6 \times 3) = 6 - 23 + 6 \times 3 = 6 \times 4 - 23$

Therefore $6^{-1} \equiv 4 \pmod{23}$

Verify: $6 \times 4 = 24 \equiv 1 \pmod{23}$ ✓

Step 3: Compute Plaintext $m = c_2 \cdot (c_1^x)^{-1} \bmod p = 19 \times 4 \bmod 23 = 76 \bmod 23$

Compute $76 \bmod 23$ :

$23 \times 3 = 69$
$76 - 69 = 7$

Therefore $m = 7$

Verification:

Original plaintext: $m = 7$
Decrypted plaintext: $m = 7$
They are equal ✓

Decryption Successful!

Problem 8: Complete Schnorr Signature Calculation

Problem: Given Schnorr signature parameters:

$p = 23$ , $q = 11$ ( $11 | 22$ ✓)
$g = 5$ (generator)
Private key $x = 3$
Message $m = 7$
Random number $r = 4$
Hash function: $H(m || R) = (m \cdot R) \bmod 11$ (simplified)

Please complete: (1) Compute public key $y$ (2) Generate signature $(R, s)$ (3) Verify signature

Complete Solution:

(1) Compute Public Key $y$

Private Key: $x = 3$ Generator: $g = 5$ Modulus: $p = 23$

Public Key: $y = g^x \bmod p = 5^3 \bmod 23 = 125 \bmod 23 = 125 - 5 \times 23 = 125 - 115 = 10$

Therefore $y = 10$

Public Key: $pk = y = 10$

(2) Generate Signature $(R, s)$

Message: $m = 7$ Random Number: $r = 4$

Step 1: Compute Commitment $R$ $R = g^r \bmod p = 5^4 \bmod 23$

Compute $5^4 \bmod 23$ :

$5^2 = 25 \bmod 23 = 2$
$5^4 = (5^2)^2 = 2^2 = 4 \bmod 23 = 4$

Therefore $R = 4$

Step 2: Compute Challenge $c$ $c = H(m || R) = (m \cdot R) \bmod 11 = (7 \times 4) \bmod 11 = 28 \bmod 11 = 6$

Therefore $c = 6$

Step 3: Compute Response $s$ $s = r + cx \bmod q = 4 + 6 \times 3 \bmod 11 = 4 + 18 \bmod 11 = 22 \bmod 11 = 0$

Therefore $s = 0$

Signature: $\sigma = (R, s) = (4, 0)$

(3) Verify Signature

Public Key: $y = 10$ Message: $m = 7$ Signature: $\sigma = (R, s) = (4, 0)$

Verification Formula: Check if $g^s = R \cdot y^c \pmod{p}$

Step 1: Recompute Challenge $c$ $c = H(m || R) = (7 \times 4) \bmod 11 = 6$

Step 2: Compute Left Side $g^s$ $g^s = 5^0 \bmod 23 = 1$

Step 3: Compute Right Side $R \cdot y^c$ $R \cdot y^c = 4 \times 10^6 \bmod 23$

First compute $10^6 \bmod 23$ :

$10^2 = 100 \bmod 23 = 100 - 4 \times 23 = 100 - 92 = 8$
$10^4 = (10^2)^2 = 8^2 = 64 \bmod 23 = 18$
$10^6 = 10^4 \times 10^2 = 18 \times 8 = 144 \bmod 23 = 144 - 6 \times 23 = 144 - 138 = 6$

Therefore $R \cdot y^c = 4 \times 6 = 24 \bmod 23 = 24 - 23 = 1$

Step 4: Compare

Left side: $g^s = 1$
Right side: $R \cdot y^c = 1$
$1 = 1$ ✓

Verification Passed! Signature is Valid!

Part 2: Public Key Cryptography

Type 1: Concept Explanation

Problem 9: Explain Security of Diffie-Hellman Key Agreement

Problem: Please explain in detail the security of Diffie-Hellman key agreement protocol, including: (1) Basic principles of the protocol (2) Which hard problem the security is based on (3) Why attackers cannot obtain the shared key (4) Security assumptions of the protocol

Complete Solution:

(1) Basic Principles of the Protocol

Diffie-Hellman Key Agreement Protocol allows two communicating parties to establish a shared key over an insecure channel.

Protocol Steps:

Public Parameters: Choose large prime $p$ and generator $g \in \mathbb{Z}_p^*$ , parameters $(p, g)$ are public
Alice:
- Randomly choose private key $a \leftarrow \mathbb{Z}_{p-1}$
- Compute public key $A = g^a \bmod p$
- Send $A$ to Bob
Bob:
- Randomly choose private key $b \leftarrow \mathbb{Z}_{p-1}$
- Compute public key $B = g^b \bmod p$
- Send $B$ to Alice
Shared Key:
- Alice computes: $K = B^a \bmod p = (g^b)^a \bmod p = g^{ab} \bmod p$
- Bob computes: $K = A^b \bmod p = (g^a)^b \bmod p = g^{ab} \bmod p$
- Both parties obtain the same shared key $K = g^{ab} \bmod p$

(2) Which Hard Problem Security is Based On

The security of Diffie-Hellman key agreement is based on the hardness of the Discrete Logarithm Problem (DLP).

Discrete Logarithm Problem: Given group $G$ (e.g., $\mathbb{Z}_p^*$ ), generator $g$ , and element $h = g^x$ , computing $x = \log_g h$ is computationally infeasible.

In DH Protocol:

Attacker sees $A = g^a$ and $B = g^b$
Attacker wants to compute $K = g^{ab}$
This is equivalent to computing Diffie-Hellman problem (CDH)
Hardness of CDH is based on hardness of DLP

(3) Why Attackers Cannot Obtain Shared Key

Information Observed by Attacker:

Public parameters: $(p, g)$
Alice's public key: $A = g^a \bmod p$
Bob's public key: $B = g^b \bmod p$

What Attacker Wants to Compute:

Shared key: $K = g^{ab} \bmod p$

Attacker's Difficulties:

Method 1: Directly Compute $g^{ab}$

Attacker needs to know $a$ or $b$
But $a$ and $b$ are private keys, only known to Alice and Bob
Attacker cannot compute $a$ from $A = g^a$ (this is DLP, computationally infeasible)

Method 2: Compute $K$ from $A$ and $B$

This is equivalent to solving Computational Diffie-Hellman (CDH) problem
CDH problem is computationally infeasible (based on DLP hardness)

Method 3: Man-in-the-Middle Attack (MITM)

Attacker can intercept $A$ and $B$ , and send own public key
But this requires attacker to be able to modify communication channel
In standard DH protocol, assume communication channel is authenticated (or use digital signatures to prevent MITM)

(4) Security Assumptions of the Protocol

Computational Assumptions:

Discrete Logarithm Assumption (DL Assumption):
- In group $\mathbb{Z}_p^*$ , given $g$ and $g^x$ , computing $x$ is computationally infeasible
- This is the foundation of protocol security
Computational Diffie-Hellman Assumption (CDH Assumption):
- Given $g$ , $g^a$ , $g^b$ , computing $g^{ab}$ is computationally infeasible
- Directly guarantees security of shared key
Decisional Diffie-Hellman Assumption (DDH Assumption) (stronger assumption):
- Given $g$ , $g^a$ , $g^b$ , $Z$ , deciding whether $Z = g^{ab}$ or $Z$ is a random element is computationally infeasible
- Used for stronger security guarantees

Protocol Assumptions:

Parameter Selection:
- $p$ must be a large prime (typically 2048 bits or larger)
- $g$ must be a generator (or large-order element)
- Parameters must be correctly generated
Randomness:
- Private keys $a$ and $b$ must be uniformly randomly chosen from $\mathbb{Z}_{p-1}$
- Cannot use weak random number generators
Communication Security:
- Standard DH does not provide authentication, vulnerable to man-in-the-middle attacks
- In practice, need to combine with digital signatures or certificates

Security Summary:

DH key agreement is secure under DLP/CDH assumptions
Attackers cannot compute shared key from public information
But need to prevent man-in-the-middle attacks (use authentication mechanisms)

Type 2: Scheme Design

Problem 10: Design a Secure Electronic Voting Scheme

Problem: Design an electronic voting scheme using homomorphic encryption that satisfies the following requirements:

Each voter can only vote once
Votes are confidential (No one knows specific voting content)
Can correctly count voting results
Voters can verify their votes are correctly recorded

Please: (1) Choose appropriate cryptographic tools (2) Describe voting process in detail (3) Explain how each requirement is satisfied

Complete Solution:

(1) Choose Appropriate Cryptographic Tools

Based on requirements, we need the following tools:

Homomorphic Encryption: Allows computation on ciphertexts, used for vote counting
Zero Knowledge Proof: Used to prove vote validity (vote value is in allowed range)
Digital Signature: Used to authenticate voter identity
Commitment Protocol: Used to ensure vote binding

Specific Choices:

Homomorphic Encryption: Elgamal homomorphic encryption (supports multiplicative homomorphism)
Zero Knowledge Proof: Schnorr signature or Sigma protocol
Digital Signature: RSA-FDH or Schnorr
Commitment Protocol: Pedersen commitment

(2) Detailed Scheme Design

Scheme: Voting Scheme Based on Elgamal Homomorphic Encryption

Setup Phase:

Choose Elgamal parameters: large prime $p$ , generator $g \in \mathbb{Z}_p^*$
Voting authority generates key pair: private key $x$ , public key $y = g^x \bmod p$
Public parameters: $(p, g, y)$

Voting Phase (Voter $V_i$ ):

Identity Authentication: Voter uses digital signature to prove identity
Choose Vote: Voter chooses $b \in \{0, 1\}$ (support or oppose)
Encrypt Vote:
- Randomly choose $r \leftarrow \mathbb{Z}_{p-1}$
- Compute: $c_1 = g^r \bmod p$
- Compute: $c_2 = g^b \cdot y^r \bmod p$ (Note: here $g^b$ represents vote, $b \in \{0,1\}$ )
- Ciphertext: $C = (c_1, c_2)$
Zero Knowledge Proof: Voter generates ZK proof proving $b \in \{0, 1\}$ (using OR proof)
Submit: Voter submits $(C, \text{ZK proof}, \text{signature})$

Counting Phase:

Verify All Votes:
- Verify each voter's identity (digital signature)
- Verify each vote's ZK proof (ensure $b \in \{0,1\}$ )
Homomorphic Computation:
- For all valid vote ciphertexts $C_i = (c_{1,i}, c_{2,i})$ , compute:
- $C_{total} = \prod_{i=1}^n C_i = (\prod_{i=1}^n c_{1,i}, \prod_{i=1}^n c_{2,i})$
- Due to Elgamal's multiplicative homomorphism: $C_{total} = (g^{\sum r_i}, g^{\sum b_i} \cdot y^{\sum r_i})$
Decrypt Counting Result:
- Use private key $x$ to decrypt $C_{total}$
- Compute: $g^{\sum b_i} = c_{2,total} \cdot (c_{1,total})^{-x} \bmod p$
- Compute discrete logarithm: $\sum b_i = \log_g (g^{\sum b_i})$ (since $\sum b_i$ is small, can exhaustively search)
- Counting result: Support votes = $\sum b_i$ , Oppose votes = $n - \sum b_i$

(3) Explain How Each Requirement is Satisfied

Requirement 1: Each Voter Can Only Vote Once

Solution: Use digital signature to authenticate identity
- Each voter signs vote with own private key
- Voting authority maintains list of voters who have voted
- If same identity votes again, reject second vote
Technical Details:
- Voter submits $(C, \sigma)$ , where $\sigma = Sign_{sk_V}(C || timestamp)$
- Voting authority verifies signature and checks if identity has voted

Requirement 2: Votes are Confidential (No One Knows Specific Voting Content)

Solution: Use Elgamal encryption
- Each vote $b$ is encrypted as $C = (c_1, c_2)$
- Only voting authority has private key $x$ , can decrypt
- But voting authority can only see counting result, cannot see individual votes (if using threshold decryption)
Technical Details:
- Use random number $r$ to ensure same vote produces different ciphertexts
- Encryption is CPA secure
- Can further use threshold encryption, requiring multiple authorities to cooperate for decryption

Requirement 3: Can Correctly Count Voting Results

Solution: Use homomorphic encryption
- Elgamal supports multiplicative homomorphism: $Enc(b_1) \cdot Enc(b_2) = Enc(b_1 + b_2)$ (in exponent)
- Multiply all vote ciphertexts to get encryption of total votes
- After decryption, get $\sum b_i$ , which is support votes
Technical Details:
- Homomorphism: $Enc(b_1) \cdot Enc(b_2) = (g^{r_1+r_2}, g^{b_1+b_2} \cdot y^{r_1+r_2})$
- After decryption, get $g^{b_1+b_2}$ , compute discrete logarithm to get $b_1 + b_2$
- For $n$ votes, $\sum b_i \leq n$ , can exhaustively compute discrete logarithm

Requirement 4: Voters Can Verify Their Votes are Correctly Recorded

Solution: Use commitment and verification mechanism
- When voter submits vote, also submit commitment $commit = Commit(b, r')$
- Voting authority publishes all vote ciphertexts (without correspondence)
- Voters can verify their ciphertext is in the list
- After counting, voters can verify commitment (optional)
Technical Details:
- Voter computes $commit = H(b || r' || ID)$
- Submits $(C, commit)$
- Voting authority publishes list of all $(C_i, commit_i)$
- Voter checks own $(C, commit)$ is in list
- After counting, can reveal $b$ and $r'$ to verify commitment

Scheme Summary:

✅ Satisfies uniqueness: Digital signature prevents duplicate voting
✅ Satisfies confidentiality: Elgamal encryption protects vote content
✅ Satisfies correctness: Homomorphic encryption supports correct counting
✅ Satisfies verifiability: Commitment mechanism allows verification

Type 3: Proof Problems

Problem 11: Prove Relationship Between Three Security Properties of Hash Functions

Problem: Prove the relationship between three security properties of hash functions: (1) Collision Resistance (2) Second Preimage Resistance (3) Preimage Resistance

Please prove:

Collision Resistance $\Rightarrow$ Second Preimage Resistance
Second Preimage Resistance $\Rightarrow$ Preimage Resistance (in random oracle model)

Complete Solution:

(1) Define Three Security Properties

Preimage Resistance: For all polynomial-time attackers $A$ , there exists negligible function $\epsilon$ such that: $\Pr[x \leftarrow \{0,1\}^*, y = H(x), A(y) = x' \text{ and } H(x') = y] \leq \epsilon(n)$ That is: Given hash value $y$ , finding $x$ such that $H(x) = y$ is computationally infeasible.

Second Preimage Resistance: For all polynomial-time attackers $A$ , there exists negligible function $\epsilon$ such that: $\Pr[x \leftarrow \{0,1\}^*, A(x) = x' \neq x \text{ and } H(x') = H(x)] \leq \epsilon(n)$ That is: Given $x$ , finding $x' \neq x$ such that $H(x) = H(x')$ is computationally infeasible.

Collision Resistance: For all polynomial-time attackers $A$ , there exists negligible function $\epsilon$ such that: $\Pr[A() = (x, x') \text{ and } x \neq x' \text{ and } H(x) = H(x')] \leq \epsilon(n)$ That is: Finding arbitrary $x, x'$ such that $x \neq x'$ but $H(x) = H(x')$ is computationally infeasible.

(2) Prove: Collision Resistance $\Rightarrow$ Second Preimage Resistance

Proof Method: Proof by contradiction

Assume hash function $H$ is collision resistant but not second preimage resistant. We will construct an algorithm to find collision, contradicting collision resistance.

Construct Attacker $A_{collision}$ :

Algorithm $A_{collision}$ :

Randomly choose $x \leftarrow \{0,1\}^*$
Call second preimage attacker $A_{2nd}$ (assume exists), input $x$
$A_{2nd}$ outputs $x' \neq x$ such that $H(x') = H(x)$
Output collision $(x, x')$

Success Probability Analysis:

If $A_{2nd}$ can find second preimage with non-negligible probability $\delta$
Then $A_{collision}$ can find collision with same probability $\delta$
This contradicts assumption that $H$ is collision resistant

Conclusion:

If $H$ is collision resistant, then $H$ must be second preimage resistant
Therefore: Collision Resistance $\Rightarrow$ Second Preimage Resistance

(3) Prove: Second Preimage Resistance $\Rightarrow$ Preimage Resistance (in Random Oracle Model)

Proof Method: In random oracle model, if hash function is second preimage resistant, then it is also preimage resistant.

Proof Idea: In random oracle model, hash function $H$ behaves like a random function. If $H$ is second preimage resistant, then:

Properties of Random Oracle:
- For each input $x$ , $H(x)$ is uniformly random
- Outputs for different inputs are independent
Difficulty of Preimage Attack:
- Given hash value $y$ , attacker needs to find $x$ such that $H(x) = y$
- Since $H$ is random, attacker can only search by querying $H$
- Each query succeeds with probability approximately $2^{-n}$ ( $n$ is output length)
- Need average $2^n$ queries to find preimage
Relationship with Second Preimage Resistance:
- If $H$ is second preimage resistant, then given $x$ , finding $x'$ such that $H(x') = H(x)$ is difficult
- In random oracle model, this is equivalent to preimage resistance
- Because if can find preimage, then can find second preimage (by first randomly choosing $x$ , then finding preimage of $H(x)$ )

Formal Proof (simplified): Assume there exists preimage attacker $A_{preimage}$ that can find preimage with non-negligible probability. Construct second preimage attacker $A_{2nd}$ :

Algorithm $A_{2nd}(x)$ :

Compute $y = H(x)$
Call $A_{preimage}(y)$ , obtain $x'$
If $x' \neq x$ and $H(x') = y$ , output $x'$
Otherwise output failure

Success Probability:

If $A_{preimage}$ successfully finds preimage, and $x' \neq x$ (high probability, since input space is large)
Then $A_{2nd}$ successfully finds second preimage
This contradicts second preimage resistance

Conclusion:

In random oracle model, Second Preimage Resistance $\Rightarrow$ Preimage Resistance
Note: This conclusion depends on random oracle model, may not hold for actual hash functions

(4) Summary

Relationship between three security properties:

✅ Collision Resistance $\Rightarrow$ Second Preimage Resistance (unconditionally holds)
✅ Second Preimage Resistance $\Rightarrow$ Preimage Resistance (holds in random oracle model)
❌ Preimage Resistance $\not\Rightarrow$ Second Preimage Resistance (does not hold)
❌ Second Preimage Resistance $\not\Rightarrow$ Collision Resistance (does not hold)

Practical Significance:

Collision resistance is the strongest property
When designing hash functions, usually directly prove collision resistance
If hash function is collision resistant, automatically satisfies other two properties

Type 4: Calculation Problems

Problem 12: Complete Diffie-Hellman Key Agreement Calculation

Problem: Given Diffie-Hellman parameters:

$p = 23$ , $g = 5$ ( $5$ is a generator of $\mathbb{Z}_{23}^*$ )
Alice chooses private key $a = 6$
Bob chooses private key $b = 15$

Please complete: (1) Compute Alice's and Bob's public keys (2) Compute shared keys calculated by both parties (3) Verify both parties obtain the same key (4) Directly compute $g^{ab}$ to verify result

Complete Solution:

(1) Compute Alice's and Bob's Public Keys

Alice's Public Key: $A = g^a \bmod p = 5^6 \bmod 23$

Compute $5^6 \bmod 23$ :

$5^2 = 25 \bmod 23 = 25 - 23 = 2$
$5^4 = (5^2)^2 = 2^2 = 4 \bmod 23 = 4$
$5^6 = 5^4 \times 5^2 = 4 \times 2 = 8 \bmod 23 = 8$

Therefore $A = 8$

Bob's Public Key: $B = g^b \bmod p = 5^{15} \bmod 23$

Compute $5^{15} \bmod 23$ :

$15 = 8 + 4 + 2 + 1 = 2^3 + 2^2 + 2^1 + 2^0$
$5^1 = 5$
$5^2 = 2$ (already computed)
$5^4 = 4$ (already computed)
$5^8 = (5^4)^2 = 4^2 = 16 \bmod 23 = 16$
$5^{15} = 5^8 \times 5^4 \times 5^2 \times 5^1 = 16 \times 4 \times 2 \times 5 = 640 \bmod 23$

Compute $640 \bmod 23$ :

$23 \times 27 = 621$
$640 - 621 = 19$

Therefore $B = 19$

(2) Compute Shared Keys Calculated by Both Parties

Shared Key Calculated by Alice: $K_A = B^a \bmod p = 19^6 \bmod 23$

Compute $19^6 \bmod 23$ :

$19 \bmod 23 = 19$ (since $19 < 23$ )
$19^2 = 361 \bmod 23 = 361 - 15 \times 23 = 361 - 345 = 16$
$19^4 = (19^2)^2 = 16^2 = 256 \bmod 23 = 256 - 11 \times 23 = 256 - 253 = 3$
$19^6 = 19^4 \times 19^2 = 3 \times 16 = 48 \bmod 23 = 48 - 2 \times 23 = 48 - 46 = 2$

Therefore $K_A = 2$

Shared Key Calculated by Bob: $K_B = A^b \bmod p = 8^{15} \bmod 23$

Compute $8^{15} \bmod 23$ :

$8^1 = 8$
$8^2 = 64 \bmod 23 = 64 - 2 \times 23 = 64 - 46 = 18$
$8^4 = (8^2)^2 = 18^2 = 324 \bmod 23 = 324 - 14 \times 23 = 324 - 322 = 2$
$8^8 = (8^4)^2 = 2^2 = 4 \bmod 23 = 4$
$15 = 8 + 4 + 2 + 1$
$8^{15} = 8^8 \times 8^4 \times 8^2 \times 8^1 = 4 \times 2 \times 18 \times 8 = 1152 \bmod 23$

Compute $1152 \bmod 23$ :

$23 \times 50 = 1150$
$1152 - 1150 = 2$

Therefore $K_B = 2$

(3) Verify Both Parties Obtain the Same Key

Key calculated by Alice: $K_A = 2$
Key calculated by Bob: $K_B = 2$
$K_A = K_B = 2$ ✓

Shared Key: $K = 2$

(4) Directly Compute $g^{ab}$ to Verify Result

$g^{ab} = 5^{6 \times 15} = 5^{90} \bmod 23$

Since $5^{22} \equiv 1 \pmod{23}$ (by Fermat's little theorem, because $5$ is coprime with $23$ , and order of $5$ divides $22$ ), we can simplify:

$90 = 4 \times 22 + 2$
$5^{90} = (5^{22})^4 \times 5^2 \equiv 1^4 \times 2 \equiv 2 \pmod{23}$

Therefore $g^{ab} = 2$ , consistent with previous calculation ✓

Verification Complete!

Problem 13: Complete Elliptic Curve Point Operation Calculation

Problem: Given elliptic curve $E: y^2 = x^3 + 2x + 3 \pmod{11}$ , point $P = (2, 2)$ .

Please complete: (1) Verify point $P$ is on the curve (2) Compute $2P$ (point doubling) (3) If $Q = (3, 6)$ is also on the curve, compute $P + Q$ (point addition)

Complete Solution:

(1) Verify Point $P$ is on the Curve

Curve Equation: $y^2 = x^3 + 2x + 3 \pmod{11}$

Point $P = (2, 2)$ :

Left side: $y^2 = 2^2 = 4 \bmod 11 = 4$
Right side: $x^3 + 2x + 3 = 2^3 + 2 \times 2 + 3 = 8 + 4 + 3 = 15 \bmod 11 = 4$

$4 = 4$ ✓, therefore point $P = (2, 2)$ is on the curve.

(2) Compute $2P$ (Point Doubling)

Point Doubling Formula ( $P = P$ ):

Slope: $\lambda = \frac{3x_1^2 + a}{2y_1} \bmod p$
$x_3 = \lambda^2 - 2x_1 \bmod p$
$y_3 = \lambda(x_1 - x_3) - y_1 \bmod p$

Given Parameters:

$P = (x_1, y_1) = (2, 2)$
$a = 2$ (curve parameter)
$p = 11$

Compute Slope $\lambda$ : $\lambda = \frac{3x_1^2 + a}{2y_1} \bmod p = \frac{3 \times 2^2 + 2}{2 \times 2} \bmod 11 = \frac{3 \times 4 + 2}{4} \bmod 11 = \frac{14}{4} \bmod 11$

Compute $4^{-1} \bmod 11$ :

Need $4d \equiv 1 \pmod{11}$
$4 \times 3 = 12 \equiv 1 \pmod{11}$ , so $4^{-1} = 3$

Therefore $\lambda = 14 \times 3 \bmod 11 = 42 \bmod 11 = 42 - 3 \times 11 = 42 - 33 = 9$

Compute $x_3$ : $x_3 = \lambda^2 - 2x_1 \bmod p = 9^2 - 2 \times 2 \bmod 11 = 81 - 4 \bmod 11 = 77 \bmod 11 = 0$

Compute $y_3$ : $y_3 = \lambda(x_1 - x_3) - y_1 \bmod p = 9(2 - 0) - 2 \bmod 11 = 18 - 2 \bmod 11 = 16 \bmod 11 = 5$

Therefore $2P = (0, 5)$

Verification: Check if $(0, 5)$ is on the curve

Left side: $y^2 = 5^2 = 25 \bmod 11 = 3$
Right side: $x^3 + 2x + 3 = 0 + 0 + 3 = 3 \bmod 11 = 3$
$3 = 3$ ✓

(3) Compute $P + Q$ (Point Addition)

First Verify $Q = (3, 6)$ is on the Curve:

Left side: $y^2 = 6^2 = 36 \bmod 11 = 3$
Right side: $x^3 + 2x + 3 = 3^3 + 2 \times 3 + 3 = 27 + 6 + 3 = 36 \bmod 11 = 3$
$3 = 3$ ✓, $Q$ is on the curve

Point Addition Formula ( $P \neq Q$ ):

Slope: $\lambda = \frac{y_2 - y_1}{x_2 - x_1} \bmod p$
$x_3 = \lambda^2 - x_1 - x_2 \bmod p$
$y_3 = \lambda(x_1 - x_3) - y_1 \bmod p$

Given Parameters:

$P = (x_1, y_1) = (2, 2)$
$Q = (x_2, y_2) = (3, 6)$
$p = 11$

Compute Slope $\lambda$ : $\lambda = \frac{y_2 - y_1}{x_2 - x_1} \bmod p = \frac{6 - 2}{3 - 2} \bmod 11 = \frac{4}{1} \bmod 11 = 4$

Compute $x_3$ : $x_3 = \lambda^2 - x_1 - x_2 \bmod p = 4^2 - 2 - 3 \bmod 11 = 16 - 5 \bmod 11 = 11 \bmod 11 = 0$

Compute $y_3$ : $y_3 = \lambda(x_1 - x_3) - y_1 \bmod p = 4(2 - 0) - 2 \bmod 11 = 8 - 2 \bmod 11 = 6$

Therefore $P + Q = (0, 6)$

Verification: Check if $(0, 6)$ is on the curve

Left side: $y^2 = 6^2 = 36 \bmod 11 = 3$
Right side: $x^3 + 2x + 3 = 0 + 0 + 3 = 3 \bmod 11 = 3$
$3 = 3$ ✓

All Calculations Complete!

Part 3: Digital Signatures

Type 1: Concept Explanation

Problem 14: Explain EU-CMA Security Model of Digital Signatures

Problem: Please explain in detail the EU-CMA (Existential Unforgeability under Chosen Message Attack) security model of digital signatures, including: (1) Definition of EU-CMA game (2) Meaning of existential unforgeability (3) Meaning of adaptive chosen message attack (4) Why this security model is reasonable

Complete Solution:

(1) Definition of EU-CMA Game

EU-CMA Security Game is an interactive game used to define security of digital signatures:

Game Participants:

Challenger: Runs signature scheme, generates key pair
Attacker: Attempts to forge signatures

Game Steps:

Initialization Phase:
- Challenger generates key pair: $(pk, sk) \leftarrow Gen(1^n)$
- Challenger sends public key $pk$ to attacker
- Private key $sk$ is kept secret
Learning Phase:
- Attacker can query signature oracle $Sign_{sk}(\cdot)$ arbitrarily many polynomial times
- For each query message $m_i$ , attacker obtains signature $\sigma_i = Sign_{sk}(m_i)$
- Attacker obtains signature pairs: $(m_1, \sigma_1), (m_2, \sigma_2), \ldots, (m_q, \sigma_q)$
- Where $q$ is polynomially bounded number of queries
Forgery Phase:
- Attacker outputs forgery: $(m^*, \sigma^*)$
- Requirement: $m^* \notin \{m_1, m_2, \ldots, m_q\}$ ( $m^*$ is not a queried message)
Decision Phase:
- Challenger verifies: $Verify_{pk}(m^*, \sigma^*)$
- If verification passes (outputs 1), attacker wins, game outputs 1
- Otherwise attacker fails, game outputs 0

Attacker's Advantage: $\text{Adv}_{EU-CMA}(A) = \Pr[\text{EU-CMA-Game}(A) = 1]$

(2) Meaning of Existential Unforgeability

Existential Unforgeability:

Attacker cannot generate valid signatures for any message
Even if the message may be meaningless, random, or constructed by attacker
As long as attacker has not queried signature for that message, cannot forge

Difference from Strong Unforgeability:

Existential Unforgeability: Attacker cannot forge signatures for new messages
Strong Unforgeability: Even if attacker sees signature $\sigma$ for message $m$ , cannot generate another valid signature $\sigma' \neq \sigma$ for that message

Practical Significance:

Existential unforgeability is already strong enough, because attacker cannot forge signatures for any new message
This guarantees the basic security goal of digital signatures

(3) Meaning of Adaptive Chosen Message Attack

Adaptive Chosen Message Attack (CMA):

Attacker can adaptively choose messages to query signatures
Attacker can choose next message to query based on previous query results
This models real scenarios where attacker can observe signatures and choose attack strategy accordingly

Why "Adaptive":

Attacker does not need to submit all messages to query at once
Can dynamically choose next message based on previous query results
This makes attack more powerful, security model more strict

Comparison with Other Attack Models:

Known Message Attack: Attacker can only see random message-signature pairs, cannot choose messages
Chosen Message Attack: Attacker can choose messages, but must submit all messages at once (non-adaptive)
Adaptive Chosen Message Attack: Attacker can adaptively choose messages (strongest)

(4) Why This Security Model is Reasonable

Reasonableness Analysis:

Models Real Attack Scenarios:
- In reality, attacker may be able to obtain signatures for some messages
- Attacker can choose attack strategy based on observed signatures
- EU-CMA model accurately models this scenario
Provides Strong Enough Security Guarantee:
- Even if attacker obtains many message signatures, still cannot forge signatures for new messages
- This guarantees core security goal of digital signatures: unforgeability
Security in Practical Applications:
- If digital signature scheme is EU-CMA secure, then in practical applications, even if attacker observes many signatures, cannot forge
- This applies to most practical application scenarios
Relationship with Other Security Goals:
- EU-CMA security is the basic security requirement for digital signatures
- Stronger security models (such as strong unforgeability) are needed in some special scenarios, but EU-CMA is sufficient

Summary:

EU-CMA security model is the standard security definition for digital signature schemes
It accurately models real attack scenarios
Provides strong enough security guarantee
Is a reasonable standard for evaluating security of digital signature schemes

Type 2: Scheme Design

Problem 15: Design a Secure File Sharing Scheme

Problem: Design a secure file sharing scheme that satisfies the following requirements:

File size is 10GB (very large)
Payment information is confidential (Payment - No one knows)
File integrity (Integrity)
Only Bob can check the file content

Please: (1) Choose appropriate cryptographic tools (2) Explain the scheme's working process in detail (3) Explain how the scheme satisfies each requirement

Complete Solution:

(1) Choose Appropriate Cryptographic Tools

Based on requirement analysis:

Large File (10GB): Need to use efficient symmetric encryption
Payment Information Confidential: Need to use public key encryption to protect key
Integrity: Need to use hash function or MAC
Only Bob Can Access: Need to use Bob's public key encryption

Chosen Tools:

Symmetric Encryption: AES-256-CTR mode (suitable for large files, supports parallelization)
Public Key Encryption: RSA-OAEP or Elgamal (for encrypting symmetric key)
Hash Function: SHA-256 (for integrity verification)
Digital Signature (optional): For authenticating sender

(2) Detailed Scheme Design

Scheme: Hybrid Encryption + Hash Verification

Step 1: Sender (Alice) Prepares File

Generate Symmetric Key:
- Randomly generate symmetric key: $k \leftarrow \{0,1\}^{256}$ (AES-256 key)
- Choose random IV: $IV \leftarrow \{0,1\}^{128}$
Encrypt File:
- Split 10GB file $F$ into blocks: $F_1, F_2, \ldots, F_n$ (each block 128 bits)
- Use AES-CTR mode encryption:
  - For each block: $C_i = F_i \oplus AES_k(IV + i)$
  - Ciphertext file: $C = C_1 || C_2 || \ldots || C_n$
Compute File Hash:
- Compute hash of original file: $h = SHA256(F)$
- This is used for integrity verification
Encrypt Symmetric Key:
- Use Bob's public key encryption: $K_{enc} = RSA\text{-}OAEP_{pk_B}(k || IV)$
- Only Bob can decrypt to obtain $k$ and $IV$
(Optional) Sign Hash Value:
- Use Alice's private key to sign: $\sigma = Sign_{sk_A}(h)$
- Used to authenticate file source

Step 2: Send Alice sends to Bob:

Encrypted file: $C$ (10GB)
Encrypted key: $K_{enc}$
File hash value: $h$
(Optional) Signature: $\sigma$

Step 3: Receiver (Bob) Verifies and Decrypts

Decrypt Key:
- Use Bob's private key to decrypt: $(k || IV) = RSA\text{-}OAEP_{sk_B}^{-1}(K_{enc})$
- Only Bob has $sk_B$ , only Bob can decrypt
Decrypt File:
- Use AES-CTR decryption:
  - For each block: $F_i = C_i \oplus AES_k(IV + i)$
  - Recover file: $F = F_1 || F_2 || \ldots || F_n$
Verify Integrity:
- Compute hash of received file: $h' = SHA256(F)$
- Check if $h' = h$
- If equal, file is intact; otherwise file has been tampered with
(Optional) Verify Signature:
- Verify $Verify_{pk_A}(h, \sigma)$
- Confirm file is from Alice

(3) Explain How Each Requirement is Satisfied

Requirement 1: File Size is 10GB (Very Large)

Solution: Use symmetric encryption (AES-CTR)
- Symmetric encryption is fast, suitable for large files
- CTR mode supports parallel encryption/decryption
- 10GB file can be processed efficiently
Why Not Use Public Key Encryption Directly for File:
- Public key encryption is slow (100-1000 times slower than symmetric encryption)
- RSA can only encrypt data smaller than modulus (typically 2048 bits)
- Therefore use hybrid encryption: public key encrypts small key (256 bits), symmetric encrypts large file (10GB)

Requirement 2: Payment Information Confidential (Payment - No one knows)

Solution: Use Bob's public key encryption for symmetric key
- Symmetric key $k$ is encrypted using Bob's public key $pk_B$
- Only Bob has private key $sk_B$ , only Bob can decrypt $K_{enc}$ to obtain $k$
- Without $k$ , cannot decrypt file $C$
- Therefore, except Bob, no one can know file content (including payment information)
Security Guarantee:
- RSA-OAEP is CPA secure
- Even if attacker intercepts $K_{enc}$ , cannot decrypt (unless can break RSA)
- Even if attacker intercepts encrypted file $C$ , without $k$ cannot decrypt

Requirement 3: File Integrity (Integrity)

Solution: Use hash function to verify integrity
- Alice computes hash of original file $h = SHA256(F)$
- Bob computes hash of received file $h' = SHA256(F')$ after decryption
- If $h' = h$ , file is intact; otherwise file has been tampered with
Security Guarantee:
- SHA-256 has collision resistance
- Attacker cannot find different files producing the same hash value
- Therefore can detect any tampering
If File is Tampered:
- Attacker modifies $C$ to get $C'$
- Bob decrypts to get $F' \neq F$
- Computes $h' = SHA256(F') \neq h$
- Verification fails, Bob knows file has been tampered with

Requirement 4: Only Bob Can Check File Content

Solution: Use Bob's public key encryption
- Symmetric key $k$ is encrypted using Bob's public key $pk_B$
- Only Bob has private key $sk_B$ , only Bob can decrypt to obtain $k$
- Without $k$ , cannot decrypt file
Security Guarantee:
- Public key encryption ensures only private key holder (Bob) can decrypt
- Even if attacker intercepts all transmitted data ( $C$ , $K_{enc}$ , $h$ ), cannot obtain file content
- This provides access control

Scheme Summary:

✅ Satisfies large file requirement: Uses efficient symmetric encryption (AES-CTR)
✅ Satisfies confidentiality requirement: Uses public key encryption to protect key (RSA-OAEP)
✅ Satisfies integrity requirement: Uses hash function for verification (SHA-256)
✅ Satisfies access control requirement: Only Bob can decrypt (using Bob's public key)

Security Analysis:

Confidentiality: Guaranteed by RSA-OAEP and AES-CTR
Integrity: Guaranteed by SHA-256 hash verification
Authentication (optional): Guaranteed by digital signature
Access Control: Guaranteed by public key encryption, only Bob can access

Type 3: Proof Problems

Problem 16: Prove CBC Mode Security under CPA (Simplified Proof)

Problem: Please prove that CBC (Cipher Block Chaining) mode is semantically secure under CPA (Chosen Plaintext Attack).

Requirements: (1) Give proof assumptions (2) Use game hopping technique (3) Analyze differences between each game (4) Draw conclusion

Complete Solution:

(1) Proof Assumptions

Assumptions:

Underlying block cipher $E_k$ is a pseudo-random permutation (PRP)
Initialization vector $IV$ is randomly chosen (different for each encryption)

CBC Mode Review:

Encryption: $C_0 = IV$ , $C_i = E_k(P_i \oplus C_{i-1})$ for $i \geq 1$
Decryption: $P_i = D_k(C_i) \oplus C_{i-1}$

(2) Proof Using Game Hopping Technique

Game Hopping is a proof technique that proves security through a series of games, where each game differs only slightly from the previous one.

Game 0 (Real CBC Mode):

Challenger generates key $k \leftarrow Gen(1^n)$
Attacker queries encryption oracle, obtains $(m_i, Enc_{CBC}(m_i))$
Attacker chooses $(m_0, m_1)$ , obtains challenge ciphertext $c^* = Enc_{CBC}(m_b)$
Attacker outputs $b'$

Game 1 (Use Random Permutation Instead of Block Cipher):

Challenger chooses random permutation $\pi$ (instead of using $E_k$ )
Encryption uses: $C_i = \pi(P_i \oplus C_{i-1})$
Other steps same as Game 0

Game 2 (Use True Random Function):

Challenger chooses true random function $f$ (instead of permutation)
Encryption uses: $C_i = f(P_i \oplus C_{i-1})$
Other steps same as Game 1

Game 3 (Ideal Case):

Challenger directly outputs random ciphertext (independent of plaintext)
Attacker cannot obtain any information about $m_b$

(3) Analyze Differences Between Each Game

Difference from Game 0 to Game 1:

Use random permutation $\pi$ instead of $E_k$
If $E_k$ is PRP, then Game 0 and Game 1 are computationally indistinguishable
Difference: $|\Pr[Game_0] - \Pr[Game_1]| \leq \epsilon_{PRP}(n)$ (negligible)

Difference from Game 1 to Game 2:

Use random function $f$ instead of random permutation $\pi$
Since difference between permutation and function is small (birthday paradox), difference is negligible
Difference: $|\Pr[Game_1] - \Pr[Game_2]| \leq \epsilon_{birthday}(n)$ (negligible)

Difference from Game 2 to Game 3:

In Game 2, if $IV$ is random, then each block's input $P_i \oplus C_{i-1}$ looks random
Random function $f$ 's output also looks random
Therefore, entire ciphertext looks random, independent of plaintext
Difference: $|\Pr[Game_2] - \Pr[Game_3]| \leq \epsilon_{random}(n)$ (negligible)

(4) Draw Conclusion

Attacker's Advantage in Game 3:

In Game 3, ciphertext is completely random, contains no information about $m_b$
Attacker's advantage: $\text{Adv}_{Game_3}(A) = 0$ (cannot distinguish)

Attacker's Advantage in Game 0: $\text{Adv}_{Game_0}(A) \leq \text{Adv}_{Game_3}(A) + \epsilon_{PRP} + \epsilon_{birthday} + \epsilon_{random}$ $= 0 + \epsilon_{PRP} + \epsilon_{birthday} + \epsilon_{random}$ $= \epsilon(n)$ (negligible function)

Conclusion:

If underlying block cipher $E_k$ is PRP, and $IV$ is random
Then CBC mode is semantically secure under CPA
Attacker's advantage is negligible

Important Condition:

$IV$ must be random (different for each encryption)
If $IV$ is fixed or predictable, CBC mode is insecure

Type 4: Calculation Problems

Problem 17: Complete RSA-FDH Signature Calculation

Problem: Given RSA-FDH parameters:

$p = 17$ , $q = 19$
Public exponent $e = 5$
Message $m = "Hello"$ , assume $H("Hello") = 100$

Please complete: (1) Compute key pair (2) Generate signature $\sigma$ (3) Verify signature

Complete Solution:

(1) Compute Key Pair

Modulus: $n = p \times q = 17 \times 19 = 323$

Euler's Totient Function: $\phi(n) = (p-1)(q-1) = 16 \times 18 = 288$

Verify $e$ is Coprime with $\phi(n)$ :

$\gcd(5, 288) = 1$ ✓ (because 5 is prime, and 5 does not divide 288)

Compute Private Exponent $d$ : Need $5d \equiv 1 \pmod{288}$

Using extended Euclidean algorithm:

$288 = 5 \times 57 + 3$
$5 = 3 \times 1 + 2$
$3 = 2 \times 1 + 1$
$2 = 1 \times 2 + 0$

Back substitution:

$1 = 3 - 2 \times 1$
$2 = 5 - 3 \times 1$
$1 = 3 - (5 - 3) = 2 \times 3 - 5$
$3 = 288 - 5 \times 57$
$1 = 2 \times (288 - 5 \times 57) - 5 = 2 \times 288 - 115 \times 5$

Therefore $d = -115 \bmod 288 = 288 - 115 = 173$

Verification: $5 \times 173 = 865 \equiv 1 \pmod{288}$ ✓

Key Pair:

Public key: $pk = (n, e) = (323, 5)$
Private key: $sk = (n, d) = (323, 173)$

(2) Generate Signature $\sigma$

Message Hash: $h = H("Hello") = 100$

Check Range: $100 < 323$ ✓ (in valid range)

Compute Signature: $\sigma = h^d \bmod n = 100^{173} \bmod 323$

Using Modular Exponentiation:

Express exponent 173 in binary: $173 = 10101101_2 = 128 + 32 + 8 + 4 + 1$

Compute $100^{2^i} \bmod 323$ :

$100^1 = 100 \bmod 323 = 100$
$100^2 = 10000 \bmod 323 = 10000 - 30 \times 323 = 10000 - 9690 = 310$
$100^4 = (100^2)^2 = 310^2 = 96100 \bmod 323 = 96100 - 297 \times 323 = 96100 - 95931 = 169$
$100^8 = (100^4)^2 = 169^2 = 28561 \bmod 323 = 28561 - 88 \times 323 = 28561 - 28424 = 137$
$100^{16} = (100^8)^2 = 137^2 = 18769 \bmod 323 = 18769 - 58 \times 323 = 18769 - 18734 = 35$
$100^{32} = (100^{16})^2 = 35^2 = 1225 \bmod 323 = 1225 - 3 \times 323 = 1225 - 969 = 256$
$100^{64} = (100^{32})^2 = 256^2 = 65536 \bmod 323 = 65536 - 202 \times 323 = 65536 - 65246 = 290$
$100^{128} = (100^{64})^2 = 290^2 = 84100 \bmod 323 = 84100 - 260 \times 323 = 84100 - 83980 = 120$

Compute $100^{173}$ : $100^{173} = 100^{128} \times 100^{32} \times 100^8 \times 100^4 \times 100^1$ $= 120 \times 256 \times 137 \times 169 \times 100 \bmod 323$

Compute step by step:

$120 \times 256 = 30720 \bmod 323 = 30720 - 95 \times 323 = 30720 - 30685 = 35$
$35 \times 137 = 4795 \bmod 323 = 4795 - 14 \times 323 = 4795 - 4522 = 273$
$273 \times 169 = 46137 \bmod 323 = 46137 - 142 \times 323 = 46137 - 45866 = 271$
$271 \times 100 = 27100 \bmod 323 = 27100 - 83 \times 323 = 27100 - 26809 = 291$

Therefore $\sigma = 291$

(3) Verify Signature

Public Key: $(n, e) = (323, 5)$ Message Hash: $h = 100$ Signature: $\sigma = 291$

Verification: Check if $h \equiv \sigma^e \pmod{n}$ , i.e., $100 \equiv 291^5 \pmod{323}$

Compute $291^5 \bmod 323$ :

$291^2 = 84681 \bmod 323 = 84681 - 262 \times 323 = 84681 - 84626 = 55$
$291^4 = (291^2)^2 = 55^2 = 3025 \bmod 323 = 3025 - 9 \times 323 = 3025 - 2907 = 118$
$291^5 = 291^4 \times 291^1 = 118 \times 291 = 34338 \bmod 323$

Compute $34338 \bmod 323$ :

$323 \times 106 = 34238$
$34338 - 34238 = 100$

Therefore $291^5 \equiv 100 \pmod{323}$ ✓

Verification Passed! Signature is Valid!

Part 4: Advanced Topics

Type 1: Concept Explanation

Problem 18: Explain Three Properties of Zero Knowledge Proof

Problem: Please explain in detail the three properties of Zero Knowledge Proof: (1) Completeness (2) Soundness (3) Zero-Knowledge

And explain the practical significance of each property.

Complete Solution:

(1) Completeness

Definition: If the prover indeed knows the secret (or the statement is true), then an honest verifier always accepts the proof.

Formal Definition: $\Pr[\text{Verifier accepts} | \text{Prover knows secret}] = 1$

Intuitive Understanding:

If the prover really knows the secret and honestly executes the protocol
The verifier should always accept the proof (will not incorrectly reject)
This guarantees the "usability" of the protocol: honest prover can successfully prove

Practical Significance:

If completeness is not satisfied, even if prover knows the secret, may be rejected
This would make the protocol unusable
Completeness guarantees "true statements can always be proven"

Example: In zero knowledge proof of discrete logarithm:

If prover knows $x$ such that $y = g^x$
And honestly executes the protocol (computes correct response $z = r + cx$ )
Then verifier always accepts (because $g^z = g^r \cdot y^c$ )

(2) Soundness

Definition: If the prover does not know the secret (or the statement is false), then the verifier rejects the proof with high probability.

Formal Definition: $\Pr[\text{Verifier accepts} | \text{Prover doesn't know secret}] \leq \epsilon$ where $\epsilon$ is a negligible function.

Intuitive Understanding:

If the prover does not know the secret but tries to deceive the verifier
The verifier should reject with high probability (will not incorrectly accept)
This guarantees the "security" of the protocol: prover without secret cannot pass verification

Practical Significance:

If soundness is not satisfied, prover without secret may pass verification
This would make the protocol insecure
Soundness guarantees "false statements are almost always rejected"

Example: In zero knowledge proof of discrete logarithm:

If prover does not know $x$ , cannot compute correct response $z$
Verifier's check $g^z = R \cdot y^c$ will fail
Verifier rejects with high probability

(3) Zero-Knowledge

Definition: The verifier cannot obtain any information about the secret from the proof process (except the fact that the prover knows the secret).

Formal Definition (Simulator Definition): There exists a simulator $S$ that can generate proof records indistinguishable from real proofs without knowing the secret.

Intuitive Understanding:

The verifier can only know the fact that "the prover knows the secret"
Cannot obtain the secret itself or any other information about the secret
This guarantees the "privacy" of the protocol

Practical Significance:

If zero-knowledge is not satisfied, verifier may extract secret information from the proof process
This would cause privacy leakage
Zero-knowledge guarantees "except that the statement is true, no other information is leaked"

Example: In zero knowledge proof of discrete logarithm:

Verifier sees $(R, c, z)$
But cannot extract information about $x$ from these values
Because $R$ is random, $c$ is chosen by verifier itself, $z$ depends on random number $r$

Relationship Between Three Properties:

Completeness: Guarantees protocol usability (true statements can be proven)
Soundness: Guarantees protocol security (false statements are rejected)
Zero-Knowledge: Guarantees protocol privacy (does not leak secret information)

All Three Are Indispensable:

Only completeness: Protocol usable but insecure
Only soundness: Protocol secure but may be unusable
Only zero-knowledge: Protocol private but may be insecure
All three satisfied: Protocol is usable, secure, and privacy-preserving

Type 2: Scheme Design

Problem 19: Design Voting Scheme Based on Homomorphic Encryption

Problem: Design an electronic voting scheme using homomorphic encryption that satisfies the following requirements:

Each voter can only vote once
Votes are confidential (No one knows specific voting content)
Can correctly count voting results
If someone lies (vote value not in allowed range), use zero knowledge proof to prove

Please: (1) Choose appropriate cryptographic tools (2) Describe voting process in detail (3) Explain how to detect and prove vote value is not in $\{0,1\}$ range

Complete Solution:

(1) Choose Appropriate Cryptographic Tools

Based on requirements, we need the following tools:

Homomorphic Encryption: Elgamal encryption (supports multiplicative homomorphism, can be used for counting)
Zero Knowledge Proof: Sigma protocol (for proving vote value is in allowed range)
Digital Signature: For authenticating voter identity
Hash Function: For computing challenge

Specific Choices:

Homomorphic Encryption: Elgamal encryption ( $Enc(b) = (g^r, g^b \cdot y^r)$ , where $b \in \{0,1\}$ )
Zero Knowledge Proof: OR proof (prove $b \in \{0,1\}$ )
Digital Signature: Schnorr signature or RSA-FDH
Hash Function: SHA-256

(2) Detailed Scheme Design

Scheme: Voting Scheme Based on Elgamal Homomorphic Encryption

Setup Phase:

Choose Elgamal parameters: large prime $p$ , generator $g \in \mathbb{Z}_p^*$
Voting authority generates key pair: private key $x$ , public key $y = g^x \bmod p$
Public parameters: $(p, g, y)$

Voting Phase (Voter $V_i$ ):

Identity Authentication:
- Voter uses digital signature to prove identity
- Voting authority verifies signature and checks if already voted
Choose Vote:
- Voter chooses $b \in \{0, 1\}$ (0 = oppose, 1 = support)
Encrypt Vote:
- Randomly choose $r \leftarrow \mathbb{Z}_{p-1}$
- Compute: $c_1 = g^r \bmod p$
- Compute: $c_2 = g^b \cdot y^r \bmod p$
- Ciphertext: $C = (c_1, c_2)$
Zero Knowledge Proof:
- Generate ZK proof proving $b \in \{0, 1\}$
- Use OR proof: prove knowledge of $\log_g (c_2 / y^{r_0})$ or $\log_g (c_2 / y^{r_1})$ , where $r_0, r_1$ are random numbers for $b=0$ and $b=1$
Submit:
- Voter submits $(C, \text{ZK proof}, \text{signature})$

Counting Phase:

Verify All Votes:
- Verify each voter's identity (digital signature)
- Verify each vote's ZK proof (ensure $b \in \{0,1\}$ )
Homomorphic Computation:
- For all valid vote ciphertexts $C_i = (c_{1,i}, c_{2,i})$ , compute:
- $C_{total} = \prod_{i=1}^n C_i = (\prod_{i=1}^n c_{1,i}, \prod_{i=1}^n c_{2,i})$
- Due to Elgamal's multiplicative homomorphism: $C_{total} = (g^{\sum r_i}, g^{\sum b_i} \cdot y^{\sum r_i})$
Decrypt Counting Result:
- Use private key $x$ to decrypt $C_{total}$
- Compute: $g^{\sum b_i} = c_{2,total} \cdot (c_{1,total})^{-x} \bmod p$
- Compute discrete logarithm: $\sum b_i = \log_g (g^{\sum b_i})$ (since $\sum b_i \leq n$ , can exhaustively search)
- Counting result: Support votes = $\sum b_i$ , Oppose votes = $n - \sum b_i$

(3) Explain How to Detect and Prove Vote Value is Not in $\{0,1\}$ Range

Problem: If someone lies, vote value $b \notin \{0,1\}$ , how to detect?

Solution: Use Zero Knowledge Proof

OR Proof Construction:

Voter needs to prove: $b \in \{0, 1\}$ , i.e., prove one of the following two statements is true:

Statement 1: $b = 0$ , i.e., $c_2 / y^r = g^0 = 1$
Statement 2: $b = 1$ , i.e., $c_2 / y^r = g^1 = g$

OR Proof Steps:

For $b = 0$ case (if voter really chooses $b = 0$ ):
- True relation: $c_2 = y^r$ (because $g^0 = 1$ )
- Prover knows $r$ , can generate true proof
- For $b = 1$ relation, generate simulated proof
For $b = 1$ case (if voter really chooses $b = 1$ ):
- True relation: $c_2 = g \cdot y^r$ , i.e., $c_2 / y^r = g$
- Prover knows $r$ , can generate true proof
- For $b = 0$ relation, generate simulated proof
Verification:
- Verifier checks if OR proof is valid
- If $b \notin \{0,1\}$ , voter cannot generate valid OR proof
- Verifier rejects the vote

Specific Implementation (simplified):

Voter Generates Proof:

If $b = 0$ :
- True proof: Prove knowledge of $r$ such that $c_2 = y^r$ (i.e., $c_2 / y^r = 1$ )
- Simulated proof: Generate simulated proof for $b = 1$ case
If $b = 1$ :
- True proof: Prove knowledge of $r$ such that $c_2 = g \cdot y^r$ (i.e., $c_2 / y^r = g$ )
- Simulated proof: Generate simulated proof for $b = 0$ case

Verifier Verifies:

Verify validity of OR proof
If proof is invalid, reject vote

If Someone Lies ( $b \notin \{0,1\}$ ):

Voter cannot generate true proof for $b = 0$ or $b = 1$
Can only generate two simulated proofs
But simulated proofs cannot pass verification (because challenge distribution is incorrect)
Verifier detects proof is invalid, rejects vote

Scheme Summary:

✅ Satisfies uniqueness: Digital signature prevents duplicate voting
✅ Satisfies confidentiality: Elgamal encryption protects vote content
✅ Satisfies correctness: Homomorphic encryption supports correct counting
✅ Satisfies verifiability: Zero knowledge proof ensures vote value is in allowed range

Type 3: Proof Problems

Problem 20: Prove AND Proof Satisfies Soundness Property

Problem: Prove that AND proof in zero knowledge proof satisfies Soundness property.

Given: Prover wants to prove knowledge of $x_1$ and $x_2$ such that $y_1 = g_1^{x_1}$ and $y_2 = g_2^{x_2}$ .

Please prove: If prover does not know $x_1$ or $x_2$ , then verifier rejects proof with high probability.

Complete Solution:

AND Proof Protocol Review:

Protocol Steps:

Commitment: Prover sends $(a_1, a_2)$ , where $a_1 = g_1^{r_1}$ , $a_2 = g_2^{r_2}$ , $r_1, r_2 \leftarrow \mathbb{Z}_q$
Challenge: Verifier sends $c \leftarrow \mathbb{Z}_q$
Response: Prover sends $(z_1, z_2)$ , where $z_1 = r_1 + cx_1 \bmod q$ , $z_2 = r_2 + cx_2 \bmod q$
Verification: Verifier checks $g_1^{z_1} = a_1 \cdot y_1^c$ and $g_2^{z_2} = a_2 \cdot y_2^c$

(1) Proof Idea

Use proof by contradiction: Assume there exists attacker that can pass verification with non-negligible probability even without knowing $x_1$ or $x_2$ . We will prove this contradicts hardness of discrete logarithm problem.

(2) Case Analysis

Case 1: Prover Does Not Know $x_1$

Assume prover does not know $x_1$ but knows $x_2$ .

Attacker Strategy:

Attacker can correctly compute $z_2 = r_2 + cx_2$ (because knows $x_2$ )
But cannot correctly compute $z_1 = r_1 + cx_1$ (because does not know $x_1$ )

Verification Failure Analysis:

Verifier checks: $g_1^{z_1} = a_1 \cdot y_1^c$
If attacker does not know $x_1$ , cannot compute correct $z_1$
Assume attacker guesses $z_1'$ , then: $g_1^{z_1'} \neq a_1 \cdot y_1^c = g_1^{r_1} \cdot (g_1^{x_1})^c = g_1^{r_1 + cx_1}$
Verification failure probability: $\Pr[\text{verification fails}] \geq 1 - \epsilon$ , where $\epsilon$ is negligible

Case 2: Prover Does Not Know $x_2$

Similarly, if prover does not know $x_2$ , cannot correctly compute $z_2$ , verification fails.

Case 3: Prover Does Not Know $x_1$ and $x_2$

If prover knows neither $x_1$ nor $x_2$ , cannot correctly compute $z_1$ and $z_2$ , verification must fail.

(3) Formal Proof

Assumption: There exists attacker $A$ that can pass verification with non-negligible probability $\delta$ even without knowing $x_1$ or $x_2$ .

Construct Algorithm $B$ to Solve Discrete Logarithm Problem:

Given discrete logarithm problem instance: $(g_1, y_1)$ , want to compute $x_1 = \log_{g_1} y_1$ .

Algorithm $B$ :

Set $g_2$ and $y_2 = g_2^{x_2}$ ( $B$ knows $x_2$ )
Run AND proof protocol as verifier
If attacker $A$ passes verification, extract information from response

Key Observation:

If $A$ can pass verification, then $g_1^{z_1} = a_1 \cdot y_1^c$
I.e., $g_1^{z_1} = g_1^{r_1} \cdot y_1^c$
Therefore $z_1 = r_1 + c \cdot \log_{g_1} y_1 \bmod q$
If $B$ knows $r_1$ and $c$ , can compute: $\log_{g_1} y_1 = (z_1 - r_1) \cdot c^{-1} \bmod q$

Problem: $B$ does not know $r_1$ (because $a_1 = g_1^{r_1}$ is sent by attacker)

Use Replay Technique:

$B$ runs protocol, obtains $(a_1, a_2)$ , sends challenge $c$ , obtains $(z_1, z_2)$
$B$ replays protocol, uses same $(a_1, a_2)$ , but sends different challenge $c'$
If $A$ passes verification again, obtains $(z_1', z_2')$
From two responses:
- $z_1 = r_1 + cx_1 \bmod q$
- $z_1' = r_1 + c'x_1 \bmod q$
- Therefore: $z_1 - z_1' = (c - c')x_1 \bmod q$
- If $c \neq c'$ , then: $x_1 = (z_1 - z_1') \cdot (c - c')^{-1} \bmod q$

Success Probability:

If $A$ can pass verification with probability $\delta$
Then $B$ can solve discrete logarithm problem with probability approximately $\delta^2$
If $\delta$ is non-negligible, then $\delta^2$ is also non-negligible
This contradicts hardness of discrete logarithm problem

(4) Conclusion

If prover does not know $x_1$ or $x_2$ , cannot generate valid AND proof
Verifier rejects proof with high probability
Therefore, AND proof satisfies Soundness property

Soundness Error Probability:

If prover does not know secret, probability of passing verification $\leq \epsilon$ (negligible function)
This guarantees security of protocol

Type 4: Calculation Problems

Problem 21: Elgamal Homomorphic Encryption Voting Calculation

Problem: In voting scheme based on Elgamal homomorphic encryption, given:

Parameters: $p = 23$ , $g = 5$ , public key $y = 8$
Three voters' votes:
- Voter 1: $b_1 = 1$ (support), random number $r_1 = 3$
- Voter 2: $b_2 = 0$ (oppose), random number $r_2 = 4$
- Voter 3: $b_3 = 1$ (support), random number $r_3 = 5$

Please complete: (1) Compute ciphertext for each vote (2) Use homomorphic property to compute total vote ciphertext (3) If private key $x = 6$ , decrypt to get total vote count

Complete Solution:

(1) Compute Ciphertext for Each Vote

Elgamal Encryption Formula:

$c_1 = g^r \bmod p$
$c_2 = g^b \cdot y^r \bmod p$
Ciphertext: $C = (c_1, c_2)$

Voter 1: $b_1 = 1$ , $r_1 = 3$

$c_{1,1} = g^{r_1} = 5^3 \bmod 23 = 125 \bmod 23 = 125 - 5 \times 23 = 125 - 115 = 10$
$c_{2,1} = g^{b_1} \cdot y^{r_1} = 5^1 \cdot 8^3 \bmod 23$

Compute $8^3 \bmod 23$ :

$8^2 = 64 \bmod 23 = 18$
$8^3 = 18 \times 8 = 144 \bmod 23 = 6$

Therefore $c_{2,1} = 5 \times 6 = 30 \bmod 23 = 7$

Vote 1 Ciphertext: $C_1 = (10, 7)$

Voter 2: $b_2 = 0$ , $r_2 = 4$

$c_{1,2} = g^{r_2} = 5^4 \bmod 23 = 625 \bmod 23 = 4$ (from previous calculation)
$c_{2,2} = g^{b_2} \cdot y^{r_2} = 5^0 \cdot 8^4 \bmod 23 = 1 \cdot 8^4 \bmod 23$

Compute $8^4 \bmod 23$ :

$8^4 = (8^2)^2 = 18^2 = 324 \bmod 23 = 2$

Therefore $c_{2,2} = 1 \times 2 = 2 \bmod 23 = 2$

Vote 2 Ciphertext: $C_2 = (4, 2)$

Voter 3: $b_3 = 1$ , $r_3 = 5$

$c_{1,3} = g^{r_3} = 5^5 \bmod 23$

Compute $5^5 \bmod 23$ :

$5^4 = 4$ (already computed)
$5^5 = 5^4 \times 5 = 4 \times 5 = 20 \bmod 23 = 20$
$c_{2,3} = g^{b_3} \cdot y^{r_3} = 5^1 \cdot 8^5 \bmod 23$

Compute $8^5 \bmod 23$ :

$8^4 = 2$ (already computed)
$8^5 = 8^4 \times 8 = 2 \times 8 = 16 \bmod 23 = 16$

Therefore $c_{2,3} = 5 \times 16 = 80 \bmod 23 = 80 - 3 \times 23 = 80 - 69 = 11$

Vote 3 Ciphertext: $C_3 = (20, 11)$

(2) Use Homomorphic Property to Compute Total Vote Ciphertext

Elgamal Homomorphic Property: $Enc(b_1) \cdot Enc(b_2) = (g^{r_1}, g^{b_1} \cdot y^{r_1}) \cdot (g^{r_2}, g^{b_2} \cdot y^{r_2}) = (g^{r_1+r_2}, g^{b_1+b_2} \cdot y^{r_1+r_2})$

Compute Total Ciphertext: $C_{total} = C_1 \cdot C_2 \cdot C_3 = (\prod_{i=1}^3 c_{1,i}, \prod_{i=1}^3 c_{2,i})$

Compute $c_{1,total}$ : $c_{1,total} = c_{1,1} \times c_{1,2} \times c_{1,3} = 10 \times 4 \times 20 \bmod 23 = 800 \bmod 23$

Compute $800 \bmod 23$ :

$23 \times 34 = 782$
$800 - 782 = 18$

Therefore $c_{1,total} = 18$

Compute $c_{2,total}$ : $c_{2,total} = c_{2,1} \times c_{2,2} \times c_{2,3} = 7 \times 2 \times 11 \bmod 23 = 154 \bmod 23$

Compute $154 \bmod 23$ :

$23 \times 6 = 138$
$154 - 138 = 16$

Therefore $c_{2,total} = 16$

Total Vote Ciphertext: $C_{total} = (18, 16)$

(3) Decrypt to Get Total Vote Count

Private Key: $x = 6$

Elgamal Decryption Formula: $g^{\sum b_i} = c_{2,total} \cdot (c_{1,total})^{-x} \bmod p$

Step 1: Compute $(c_{1,total})^x$ $(c_{1,total})^x = 18^6 \bmod 23$

Compute $18^6 \bmod 23$ :

$18^2 = 324 \bmod 23 = 324 - 14 \times 23 = 324 - 322 = 2$
$18^4 = (18^2)^2 = 2^2 = 4 \bmod 23 = 4$
$18^6 = 18^4 \times 18^2 = 4 \times 2 = 8 \bmod 23 = 8$

Step 2: Compute $(c_{1,total})^{-x} = 8^{-1} \bmod 23$

Use extended Euclidean algorithm to find $8^{-1} \bmod 23$ :

$23 = 8 \times 2 + 7$
$8 = 7 \times 1 + 1$
$7 = 1 \times 7 + 0$

Back substitution:

$1 = 8 - 7 \times 1$
$7 = 23 - 8 \times 2$
$1 = 8 - (23 - 8 \times 2) = 8 \times 3 - 23$

Therefore $8^{-1} \equiv 3 \pmod{23}$

Verification: $8 \times 3 = 24 \equiv 1 \pmod{23}$ ✓

Step 3: Compute $g^{\sum b_i}$ $g^{\sum b_i} = c_{2,total} \cdot (c_{1,total})^{-x} = 16 \times 3 \bmod 23 = 48 \bmod 23 = 48 - 2 \times 23 = 48 - 46 = 2$

Therefore $g^{\sum b_i} = 2 \bmod 23$

Step 4: Compute Discrete Logarithm $\sum b_i = \log_5 2 \bmod 23$

Since $\sum b_i \leq 3$ (only 3 votes), can exhaustively search:

$5^0 = 1 \bmod 23 = 1$
$5^1 = 5 \bmod 23 = 5$
$5^2 = 25 \bmod 23 = 2$ ✓

Therefore $\sum b_i = 2$

Verification:

Voter 1: $b_1 = 1$
Voter 2: $b_2 = 0$
Voter 3: $b_3 = 1$
$\sum b_i = 1 + 0 + 1 = 2$ ✓

Counting Result:

Support votes: $\sum b_i = 2$
Oppose votes: $3 - 2 = 1$

Calculation Complete!

Problem 22: Complete Zero Knowledge Proof AND Proof Calculation

Problem: In zero knowledge proof AND proof, given:

Group $\mathbb{Z}_{23}^*$ , generators $g_1 = 2$ , $g_2 = 3$
$y_1 = 4$ (assume $y_1 = g_1^{x_1}$ , i.e., $2^{x_1} = 4$ , so $x_1 = 2$ )
$y_2 = 9$ (assume $y_2 = g_2^{x_2}$ , i.e., $3^{x_2} = 9$ , so $x_2 = 2$ )
Prover knows $x_1 = 2$ and $x_2 = 2$
Prover chooses: $r_1 = 4$ , $r_2 = 5$
Verifier chooses challenge: $c = 6$

Please complete: (1) Compute commitment $(a_1, a_2)$ (2) Compute response $(z_1, z_2)$ (3) Verify proof

Complete Solution:

(1) Compute Commitment $(a_1, a_2)$

Prover Knows: $x_1 = 2$ , $x_2 = 2$ Prover Chooses: $r_1 = 4$ , $r_2 = 5$

Compute Commitment:

$a_1 = g_1^{r_1} = 2^4 \bmod 23 = 16$
$a_2 = g_2^{r_2} = 3^5 \bmod 23$

Compute $3^5 \bmod 23$ :

$3^2 = 9 \bmod 23 = 9$
$3^4 = (3^2)^2 = 9^2 = 81 \bmod 23 = 81 - 3 \times 23 = 81 - 69 = 12$
$3^5 = 3^4 \times 3 = 12 \times 3 = 36 \bmod 23 = 36 - 1 \times 23 = 13$

Therefore $a_2 = 13$

Commitment: $(a_1, a_2) = (16, 13)$

(2) Compute Response $(z_1, z_2)$

Verifier Challenge: $c = 6$

Compute Response:

$z_1 = r_1 + cx_1 \bmod q = 4 + 6 \times 2 \bmod 11 = 4 + 12 \bmod 11 = 16 \bmod 11 = 5$
$z_2 = r_2 + cx_2 \bmod q = 5 + 6 \times 2 \bmod 11 = 5 + 12 \bmod 11 = 17 \bmod 11 = 6$

(Note: Here $q = 11$ is the order of the group, known from previous calculations)

Response: $(z_1, z_2) = (5, 6)$

(3) Verify Proof

Verification Formula:

Check $g_1^{z_1} = a_1 \cdot y_1^c$
Check $g_2^{z_2} = a_2 \cdot y_2^c$

Verify First Relation:

Left side: $g_1^{z_1} = 2^5 \bmod 23 = 32 \bmod 23 = 32 - 23 = 9$
Right side: $a_1 \cdot y_1^c = 16 \times 4^6 \bmod 23$

Compute $4^6 \bmod 23$ :

$4^2 = 16 \bmod 23 = 16$
$4^4 = (4^2)^2 = 16^2 = 256 \bmod 23 = 256 - 11 \times 23 = 256 - 253 = 3$
$4^6 = 4^4 \times 4^2 = 3 \times 16 = 48 \bmod 23 = 48 - 2 \times 23 = 48 - 46 = 2$

Therefore right side: $16 \times 2 = 32 \bmod 23 = 9$

Left side: $9$
Right side: $9$
$9 = 9$ ✓

Verify Second Relation:

Left side: $g_2^{z_2} = 3^6 \bmod 23$

Compute $3^6 \bmod 23$ :

$3^6 = 3^5 \times 3 = 13 \times 3 = 39 \bmod 23 = 39 - 1 \times 23 = 16$
Right side: $a_2 \cdot y_2^c = 13 \times 9^6 \bmod 23$

Compute $9^6 \bmod 23$ :

$9^2 = 81 \bmod 23 = 12$
$9^4 = (9^2)^2 = 12^2 = 144 \bmod 23 = 144 - 6 \times 23 = 144 - 138 = 6$
$9^6 = 9^4 \times 9^2 = 6 \times 12 = 72 \bmod 23 = 72 - 3 \times 23 = 72 - 69 = 3$

Therefore right side: $13 \times 3 = 39 \bmod 23 = 16$

Left side: $16$
Right side: $16$
$16 = 16$ ✓

Both Verifications Pass! AND Proof is Valid!

Document continues with more key exam problems...