(a) Aldebaran wishes to send a message m = 33 to Borealis. i. (2 marks) Confirm whether or not Aldebaran’s public key corresponds to the secret key skA = 7. ii. (5 marks) In the first step, Aldebaran must compute the Elgamal encryption (c1, c2) = Enc(pkB, m). Suppose during encryption, Aldebaran randomly samples a = 33, as in where c1 = g a . What is (c1, c2)? Note: Aldebaran will perform the rest of the steps to convey this message by themselves.

) The consortium decide to implement the final approach described in question 1, using Elgamal public key encryption with the following parameters: (p, g) = (103, 5). Aldebaran’s public key is pkA = 51, Borealis’ public key is pkB = 55 and Chandra’s public key is pkC = 38. Some time later, Chandra receives a different broadcast (38, cmsg, cdest) where cdest = (55, 10) and cmsg = (c1, c2) = ((101, 28),(90, 94)). i. (2 marks) Confirm whether or not Chandra’s public key corresponds to her secret key skC = 22. ii. (5 marks) Who is the final intended recipient of the message? (Hint: compute the Elgamal decryption Dec(skC, cdest) and compare with the known public keys.) iii. (6 marks) Hence, what does Chandra broadcast? (Hint: compute the Elgamal decryptions Dec(skC, c1) and Dec(skC, c2))

The consortium decide to implement the final approach described in question 1, using Elgamal public key encryption with the following parameters: (p, g) = (103, 5). Aldebaran’s public key is pkA = 51, Borealis’ public key is pkB = 55 and Chandra’s public key is pkC = 38. For each of the following questions, you may use an online tool or python to compute modular exponentiation and reduction, but show your working. (Hint: use the pow(x,y,z) function in python to compute x y (mod z), or using WolframAlpha, query “xˆy mod z ’’.) (a) Aldebaran wishes to send a message m = 33 to Borealis. i. (2 marks) Confirm whether or not Aldebaran’s public key corresponds to the secret key skA = 7. ii. (5 marks) In the first step, Aldebaran must compute the Elgamal encryption (c1, c2) = Enc(pkB, m). Suppose during encryption, Aldebaran randomly samples a = 33, as in where c1 = g a . What is (c1, c2)? Note: Aldebaran will perform the rest of the steps to convey this message by themselves.

Aldebaran computes cmsg = Enc(pkC , m), cdest = Enc(pkC , pkB ) and broadcasts (pkC , cmsg, cdest). Chandra observes the broadcast containing her public key. She then computes m = Dec(skC , cmsg) and pkdest = Dec(skC , cdest). Lastly, she re-encrypts c′ = Enc(pkdest, m) and broadcasts (pkdest, c′). Borealis identifies their public key in the broadcast and obtains the message m = Dec(skB , c′). state Secure or Insecure, and explain why that approach does or does not achieve the two desired notions of confidentiality described above.

(Sign-then-Encrypt 1) Aldebaran computes σ = Sign(sk′ A, m), and cσ = Enc(pkC, σ). Aldebaran sends this ciphertext along with their usual broadcast(pkC, cdest, cmsg). Chandra performs her usual steps, as well as decrypting to obtain σ = Dec(skC, cσ). She sends it along with her usual broadcast (pkB, c′ msg) for Borealis. Lastly, Borealis, decrypts to obtain the message m. Borealis believes the message should have come from Aldebaran. He runs Verify(pk′ A, m, σ) and is satisfied only if the signature accepts.

Some time later, Chandra receives a different broadcast (38, cmsg, cdest) where cdest = (55, 10) and cmsg = (c1, c2) = ((101, 28),(90, 94)). i. (2 marks) Confirm whether or not Chandra’s public key corresponds to her secret key skC = 22. ii. (5 marks) Who is the final intended recipient of the message? (Hint: compute the Elgamal decryption Dec(skC, cdest) and compare with the known public keys.) iii. (6 marks) Hence, what does Chandra broadcast? (Hint: compute the Elgamal decryptions Dec(skC, c1) and Dec(skC, c2))