Programming assignment sample: COMP6451 T1 Assignment 1
Date: 2021-03-03
COMP6451 T1 2021
Assignment 1 (version 2)
Total Marks: 30
(Each question is worth 5 marks)
Due: 23:59 Tuesday March 9, 2021
© R. van der Meyden, UNSW
(All rights reserved - distribution to 3rd parties and/or
placement on non-UNSW websites prohibited.)
Submissions: Submit your solutions as a pdf or text file via the course
moodle page. Your submission must be your individual work - UNSW rules
concerning this will apply (see the Course Outline). Turnitin will be used
to perform similarity checks. In general, these are short answer questions —
aim to keep your answers brief but precise. Answer all parts, and show your
working.
Question 1 (Money, debt, and a reason some people worry about
fiat money and prefer Bitcoin):
In Australia, the Reserve Bank of Australia (RBA) is responsible for
creating fiat money, in a number of forms that include coins and (plastic)
notes. Similar organisations play this role in other countries, e.g.,
the Federal Reserve in the USA. However, private banks (e.g., in Australia,
the Commonwealth Bank, ANZ, Westpac and NAB) also play a role in the
creation of fiat money. This works as follows.
For the purposes of the exercise, we assume that there are just two private
banks, creatively called “bank A” and “bank B”. Suppose an initial state
where just one rich person (Uncle Scrooge) has all the money (coins and
notes) that has been issued by the RBA: $1 billion. There are other rich
people, of course, but they are holding their wealth in forms other than
money: gold mines, development sites, buildings, houses, etc. The two banks
have also just opened for business, so they don’t have any money yet, but as
we will see, they are in a nice profitable line of business. Everyone else has
to survive by working for a rich person, or by borrowing from a bank.
Luckily, bank A soon has plenty of money to lend: Scrooge has everything
he needs already, and is afraid of robbers, so he deposits his money in bank
A. The bank credits Scrooge’s account for $1B, and everyone else has $0 in
their account at their chosen bank. From the bank’s perspective, the
$1B coins and notes now in its vaults is an asset, but it is balanced by a
liability: in effect, the bank owes Scrooge this money, and he can request a
withdrawal of his money any time he likes. Using the equation
Equity (net worth) = Assets − Liabilities
we see that bank A’s equity is $1B - $1B = 0. The bank didn’t get rich all
of a sudden because of Scrooge’s deposit!
In practice, rich people prefer to collect interest on their deposits, and
don’t spend much, so they tend to leave their money in the bank, and withdraw
only small amounts. The bank exploits this fact to start making profits
by lending some of the deposits out, and collecting interest as a result as
the money is paid back. (Some of that covers interest due to be paid to
Scrooge, but the bank charges borrowers a higher interest rate than they pay
to Scrooge, so they make a nice profit along the way.)
The RBA regulates banks based on this behaviour. It would be a disaster
if the bank had lent out all of Scrooge’s money and then Scrooge came to
make a withdrawal because he wants to buy a maxi-yacht. The bank wouldn’t
have the cash, and go out of business from this default on its obligations. So
the RBA requires that banks hold enough cash “in reserve” in their vaults so
that they can pay out the expected amount of withdrawal requests. Suppose
that this “reserve ratio” is r ∈ (0, 1): if a bank has $X cash it is permitted
to lend out up to $(1 − r) · X, but must keep at least $r · X in its vaults to
cover potential withdrawals.
Let’s say that bank A lends out the $(1 − r) · 1B to Alice for her gold
mining project, and Alice uses it to buy a gold mine and equipment from
Bob, who deposits this money in bank B. How much “money” is there now
in the economy? One way to answer this is to ask how much money people
have in their bank accounts. Well, Scrooge has $1B in his account at bank A,
and Bob has (1 − r) · $1B in his at bank B, so there is now (1 + (1 − r)) · $1B
total in people’s bank accounts. (Of course, some of them have to pay it
back over time, but for the moment, this is money that could potentially be
spent on goods and services.) The total amount of notes and coins in the
economy is still the same. Bank A has $r · 1B worth, and $(1 − r) · 1B has
just been transferred to bank B, for a total of $1B.
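The lend-and-redeposit cycle described above, as an added Python simulation that is not part of the assignment: each deposit of $X lets the receiving bank lend $(1 − r)·X, the borrower spends it, and the seller deposits it at the other bank. The starting $1B deposit and the names of banks A and B come from the text; the number of rounds, the ledger layout and the use of floating-point dollars are assumptions.

```python
"""Fractional-reserve lending simulation (added example, not the assignment's
own code). Every deposit of X dollars lets the receiving bank lend (1 - r) * X,
which the borrower spends and the seller deposits in the other bank. Bank
names and the starting deposit follow the text; the number of rounds and the
ledger layout are assumptions."""


def simulate_lending(reserve_ratio, initial_deposit=1_000_000_000, rounds=2):
    """Run `rounds` lend-and-redeposit steps starting from a single deposit.

    Returns a dict with the cash (notes and coins) held in each vault, the
    deposits (account balances) owed by each bank, the loans made, and the
    totals of cash and deposits across the whole system.
    """
    r = reserve_ratio
    if not 0 < r < 1:
        raise ValueError("reserve ratio must lie strictly between 0 and 1")
    cash = {"A": 0.0, "B": 0.0}      # notes and coins in each vault (asset)
    deposits = {"A": 0.0, "B": 0.0}  # what each bank owes depositors (liability)
    loans = []                        # (lending bank, amount) per round

    # Scrooge deposits all RBA-issued money in bank A.
    cash["A"] += initial_deposit
    deposits["A"] += initial_deposit

    bank, new_cash = "A", initial_deposit
    for _ in range(rounds):
        other = "B" if bank == "A" else "A"
        # The bank may lend out at most (1 - r) of the cash it just received
        # and must keep r of it in the vault as reserve.
        loan = (1 - r) * new_cash
        loans.append((bank, loan))
        cash[bank] -= loan
        # The borrower spends the loan; the seller deposits it in the other bank.
        cash[other] += loan
        deposits[other] += loan
        bank, new_cash = other, loan

    return {
        "cash": cash,
        "deposits": deposits,
        "loans": loans,
        "total_cash": sum(cash.values()),
        "total_deposits": sum(deposits.values()),
    }


if __name__ == "__main__":
    # One round reproduces the Alice/Bob step from the text.
    for key, value in simulate_lending(0.1, rounds=1).items():
        print(f"{key}: {value}")
```

Running one round with r = 0.1 reproduces the state the text describes: the notes and coins still total $1B, split between the two vaults, while account balances total (1 + (1 − r))·$1B. Increasing `rounds` continues the story of parts (a) to (d).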
(a) Of course, the story does not end here. Bank B would like to make
some money by collecting interest from loans as well, so it lends out
some of the cash it now has in its vaults to Carol for her project to
build student apartment towers. If it follows the RBA’s rules about
keeping money in reserve, what is the maximum it can lend to Carol?
(b) Carol takes her maximum size loan and uses the money to buy a development
site from Arthur, who deposits the money in bank A. What
is the total amount of deposits now in the banking system?
(c) After receiving Arthur’s deposit, how much money is bank A able to
issue in new loans? (Don’t count the loan already made to Alice!)
(d) Suppose this story is continued ad infinitum, with a bank making maximum
size loans at each step, and the money lent being deposited in
the other bank. How much money in total is in people’s accounts in
the limit? Express this as simply as you can, and explain your answer.
(Hint: there is an equation somewhere in the slides for weeks 1-2 that
helps with this question.)
(e) Suppose this story has been proceeding for a few years. What would
happen if there was suddenly a pandemic, and Scrooge and the other
rich people who had sold their gold mines and development sites and
houses etc., started to worry that there would be mass unemployment
and many of the people who had borrowed money would not be able
to repay their loans? What might this have to do with the following
diagram from the RBA?
Question 2: (Public Key Encryption) Both RSA and Elliptic Curve
encryption require us to compute exponentials in some group G. Let ∗ be
the operation in this group, and write 1 for the unit of the group. For m
an element of the group, and e a natural number, the most obvious way to
compute m^e = m ∗ m ∗ ... ∗ m (e copies of m) is the following:
r = 1;
for i = 1..e do r := r*m
return r
(a) When e is a number of 2048 bits, as is typical with RSA keys, what
is the maximum number of group operations (∗) required by this algorithm?
A more efficient way to compute m^e is the following
1. Write e in binary, as b_k, . . . , b_0, where b_0 is the least significant bit.
2. Let p be an array of group elements of length k + 1;
3. p[0] := m ;
4. for i = 0..k − 1 do p[i + 1] := p[i] ∗ p[i];
5. r := 1 ;
6. for i = 0..k do { if b_i then r := r ∗ p[i] }
7. return r
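Both exponentiation methods in working Python, as an added example rather than code from the assignment. The group is assumed to be the integers modulo a prime MOD under multiplication (the text only needs an abstract group with operation ∗ and unit 1, so any other group could be substituted in `group_op`); each function also counts the group operations it performs, which is the quantity parts (a) and (e) ask about.

```python
"""Group exponentiation two ways (added example, not the assignment's code).
The group is assumed to be the integers modulo the prime MOD under
multiplication. Each function returns (result, number of group operations)
so the two algorithms from the text can be compared on the same inputs."""

MOD = 1_000_000_007  # assumed group: multiplication modulo this prime


def group_op(a, b):
    """The group operation * for the assumed group."""
    return (a * b) % MOD


def naive_power(m, e):
    """Repeated multiplication: r := 1; for i = 1..e do r := r * m."""
    r, ops = 1, 0
    for _ in range(e):
        r = group_op(r, m)
        ops += 1
    return r, ops


def square_and_multiply(m, e):
    """The seven-step algorithm from the text.

    bits[i] is b_i (least significant bit first), p[i] is the i-th repeated
    squaring of m, and r accumulates the product of those p[i] whose bit b_i
    of e is set.
    """
    if e == 0:
        return 1, 0  # m^0 is the unit; no group operations needed
    bits = [(e >> i) & 1 for i in range(e.bit_length())]  # b_0 .. b_k
    k = len(bits) - 1
    ops = 0
    p = [None] * (k + 1)          # step 2: array of k + 1 group elements
    p[0] = m                      # step 3
    for i in range(k):            # step 4: p[i+1] := p[i] * p[i]
        p[i + 1] = group_op(p[i], p[i])
        ops += 1
    r = 1                         # step 5
    for i in range(k + 1):        # step 6: multiply in p[i] when b_i is set
        if bits[i]:
            r = group_op(r, p[i])
            ops += 1
    return r, ops                 # step 7


if __name__ == "__main__":
    m, e = 3, 10
    print("naive:", naive_power(m, e))
    print("square-and-multiply:", square_and_multiply(m, e))
    # Cross-check against Python's built-in modular exponentiation.
    print("pow agrees:", square_and_multiply(m, e)[0] == pow(m, e, MOD))
```

With e = 2^60 the naive loop is infeasible, while `square_and_multiply` finishes in 61 group operations; the operation count depends only on the bit length of e and on how many of its bits are set, not on the magnitude of e.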
Explain how this algorithm works as follows:
(b) Give the loop invariant for the loop in step 4, in the form of a general
statement about p[0]...p[i] that holds while the loop is running. Explain
why the body of the loop maintains this invariant.
(c) Give the loop invariant for the loop in step 6, in the form of a general
statement about p, r, i and the b_j that holds while the loop is running.
Explain why the body of the loop maintains this invariant.
(d) Use the answer to (c) to show that the algorithm returns the correct
answer m^e.
(e) What is the maximum number of group operations performed by this
algorithm when e is a number of 2048 bits?
Question 3 (Hash Functions): Suppose that we have a list of files f_1, f_2, . . . , f_n
that have been timestamped using the Haber and Stornetta scheme discussed
in lectures. That is, for a cryptographic hash function h, and a value v_0 from
the previous period, we compute a sequence of values
    w_1 = h(f_1)    v_1 = h(v_0 || w_1)
    w_2 = h(f_2)    v_2 = h(v_1 || w_2)
    ...
    w_n = h(f_n)    v_n = h(v_{n−1} || w_n)
Assume that only the values v_0 and v_n have been published in the paper, on
days d_0, d_1, respectively. The number of files included in any period may be
arbitrary; it is not required to be equal to n. To prove existence of a file f_i
in the interval [d_0, d_n], we can present the following information: the file f_i,
the index i, and the sequence of hash values w_1, . . . , w_n.
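The chain computation above together with a matching verifier, as an added Python example that is not part of the assignment. It assumes h is SHA-256 and that || is byte concatenation; the three files and the previous-period value v_0 are constructed sample data.

```python
"""Linked timestamp chain in the style of Haber and Stornetta, as described
in the question (added example, not the assignment's code). h is assumed to
be SHA-256 and || to be byte concatenation. The "published" values are just
the v_0 and v_n returned below; in practice they would appear in a newspaper."""

import hashlib


def h(data: bytes) -> bytes:
    """The hash function h, assumed here to be SHA-256."""
    return hashlib.sha256(data).digest()


def timestamp_period(files, v0):
    """Compute w_i = h(f_i) and v_i = h(v_{i-1} || w_i) for i = 1..n.

    Returns (ws, v_n) where ws[i-1] is w_i; v0 is the previous period's value.
    """
    ws, v = [], v0
    for f in files:
        w = h(f)
        v = h(v + w)  # '||' taken to be byte concatenation
        ws.append(w)
    return ws, v


def verify_existence(f, i, ws, v0, vn):
    """Check the claim "f was the i-th file hashed in the period ending at vn".

    The verifier checks that h(f) is the presented w_i, recomputes the chain
    from the published v0 through all presented w values, and accepts only if
    the final value equals the published vn. i is 1-based as in the text.
    """
    if not 1 <= i <= len(ws):
        return False
    if h(f) != ws[i - 1]:
        return False
    v = v0
    for w in ws:
        v = h(v + w)
    return v == vn


# Constructed sample period: three files and a v_0 carried over from before.
V0 = h(b"final value of the previous period (constructed)")
FILES = [b"contract-v2.txt contents", b"design.png bytes", b"notes.md contents"]
WS, VN = timestamp_period(FILES, V0)

if __name__ == "__main__":
    print("v_n =", VN.hex())
    print("file 2 verifies:", verify_existence(FILES[1], 2, WS, V0, VN))
    print("wrong index rejected:", not verify_existence(FILES[1], 1, WS, V0, VN))
    print("foreign file rejected:", not verify_existence(b"other", 2, WS, V0, VN))
```

Note that the verifier needs every w_j, not just w_i: changing any single w_j changes every later v and so the recomputed v_n, which is what ties f to the published pair (v_0, v_n).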
(a) (2 marks) What computation should a verifier of the claim that the file
existed in the interval perform? Assume that the verifier is able to look
up the values v_0 and v_n in the newspaper.
(b) (3 marks) Suppose that Mallory has a file f that is not in the set
{f_1, . . . , f_n}. In an attempt to cheat, and fraudulently convince the
verifier that file f existed in period [d_0, d_1], Mallory needs to present
data of the form f, i, w′_1, . . . , w′_m for some m, which passes the test
from part (a). Prove that it is difficult for Mallory to do this. Explain
carefully what properties of the hash function you rely upon for the
proof.
Question 4: (Signatures and Digital Notes) Alice has an account at
Bob’s bank. Alice would like to withdraw $10 from her account to use for her
internet shopping. Alice would like to get Bob to sign a message m that says,
intuitively, “Bob will pay $10 to the first person to present this message.” Of
course, if Bob issues many such messages, then there is no way to tell them
apart, and people might start presenting such messages to the bank multiple
times, losing the bank a lot of money. To fix this, we can include a serial
number N in the message, so that it says
“This is note number N . Bob will pay $10 to the first person to
present this message.”
Let m(N) be the above message. The idea is that before Bob signs this
message, and gives it to Alice, he will record N in his database of notes
issued. If someone presents the message to Bob, he pays the $10, but updates
the database to record that this note has already been presented, and is no
longer valid.
This, however, presents a risk to Alice’s privacy. If she spends the note
on goods being sold by Victor, the vendor of “Very naughty products”, and
Victor then presents the note to the bank, then Bob will learn that Alice has
shopped with Victor. (Victor, if he is wise, will rush the note to the bank,
to make sure that Alice has not sent a copy to someone else already, and will
not ship the goods to Alice before he has been paid by the bank.)
To get around this risk to her privacy, Alice invents a way to obtain a
note signed by the bank, that contains a random serial number created by
Alice, without Bob learning what the serial number is. (As above, Bob will
keep a record of which serial numbers he has paid out, to prevent people
claiming payment twice on the same note.) Let K_B = (e, n) be Bob’s RSA
signature verification key, known to Alice, and let K_B^{−1} = (d, n) be Bob’s
private signature key, known only to Bob. Bob signs a message m using the
function S_{K_B^{−1}}(m) = (m, m^d mod n).
Suppose that messages are represented as a number mod n, where n is
the modulus in Bob’s signature verification key. Alice generates a random
number r mod n, and a random serial number N, and asks Bob to sign the
message m_r = r^e × m(N) mod n. Note that Bob cannot tell what m(N)
is, since it has been mixed up with some random noise r^e. Bob signs this
message m_r, and returns the result S_{K_B^{−1}}(m_r) = (m_r, (m_r)^d mod n) to Alice.
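The blind-signing exchange just described, as an added Python example (not the assignment's own code). The toy key (p = 61, q = 53, e = 17, d = 2753), the note encoding m(N) = 1000 + N, and the range check Bob uses to decide whether a value “has the form m(N)” are all constructed assumptions; `pow(r, -1, n)` is Python's modular inverse and exists only when gcd(r, n) = 1, which is the extra constraint Alice's choice of r needs.

```python
"""RSA blind signing as described in the question (added example, not the
assignment's code). The toy key and the note encoding are constructed and
insecure; they only serve to show each step of the exchange in running code."""

import math
import secrets

# Constructed toy RSA key: n = 61 * 53, and e * d = 1 (mod 60 * 52).
N_MOD = 3233
E_PUB = 17
D_PRIV = 2753

NOTE_BASE = 1000  # assumption: m(N) = 1000 + N for 0 <= N < 1000


def note_message(serial):
    """m(N): the "Bob will pay $10 to the bearer" note with serial number N."""
    if not 0 <= serial < 1000:
        raise ValueError("serial out of range for this toy encoding")
    return NOTE_BASE + serial


def is_note_message(x):
    """Bob's check that a value "has the right form m(N)" (assumed encoding)."""
    return NOTE_BASE <= x < NOTE_BASE + 1000


def sign(m, d=D_PRIV, n=N_MOD):
    """S_{K_B^{-1}}(m) = (m, m^d mod n)."""
    return (m, pow(m, d, n))


def verify(sig, e=E_PUB, n=N_MOD):
    """Check a signature pair (m, s) against the verification key (e, n)."""
    m, s = sig
    return pow(s, e, n) == m % n


def blind(m, r, e=E_PUB, n=N_MOD):
    """Alice: m_r = r^e * m mod n, which hides m from the signer."""
    return (pow(r, e, n) * m) % n


def unblind(signed_blinded, r, m, n=N_MOD):
    """Alice: turn (m_r, m_r^d mod n) into (m, m^d mod n) using r^{-1} mod n.

    (r^e m)^d * r^{-1} = r^{ed} m^d r^{-1} = r m^d r^{-1} = m^d (mod n).
    """
    _, s_r = signed_blinded
    r_inv = pow(r, -1, n)  # exists only when gcd(r, n) = 1
    return (m, (s_r * r_inv) % n)


def audit_opened(x_j, r_j, e=E_PUB, n=N_MOD):
    """Bob: compute r_j^{-e} * x_j mod n and check it has the form m(N)."""
    r_inv_e = pow(pow(r_j, -1, n), e, n)
    return is_note_message((r_inv_e * x_j) % n)


def pick_blinding_factor(n=N_MOD):
    """Random r mod n with gcd(r, n) = 1, so that r^{-1} mod n exists."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def withdraw_note(serial, r=None):
    """Full exchange: Alice blinds, Bob signs blindly, Alice unblinds."""
    r = pick_blinding_factor() if r is None else r
    m = note_message(serial)
    m_r = blind(m, r)                     # Alice -> Bob
    signed_blinded = sign(m_r)            # Bob -> Alice (Bob sees only m_r)
    return unblind(signed_blinded, r, m)  # Alice now holds S(m(N))


if __name__ == "__main__":
    sig = withdraw_note(42)
    print("unblinded signature:", sig)
    print("verifies under (e, n):", verify(sig))
    print("same as a direct signature:", sig == sign(note_message(42)))
```

The unblinded pair is bit-for-bit the signature Bob would have produced on m(N) directly, yet Bob only ever saw m_r. `audit_opened` is the check from part (b): given x_j and the claimed r_j, Bob strips the blinding and tests whether what remains is a note of the expected form.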
(a) Show that Alice is now able to efficiently compute S_{K_B^{−1}}(m(N)), even
though she does not have Bob’s signature key K_B^{−1}. This means that
Alice then has the signed message that she wanted, without Bob learning
the number N that allows him to trace the note back to Alice. (It
may be necessary to add some constraints to the definitions above. If
so, say what these are.)
(b) Bob starts to get worried, and has second thoughts. He does not know
what he is signing. For all he knows, Alice could be sending him the
message “Bob promises to pay Alice $1,000,000” to sign using the above
technique. To protect himself from being cheated like this by Alice, he
decides to “audit” Alice to keep her honest. Rather than signing every
message sent to him by Alice, he requires Alice to send him multiple
versions
    r_1^e × m(N_1) mod n
    r_2^e × m(N_2) mod n
    ...
    r_k^e × m(N_k) mod n
where the r_i are different random numbers, and the N_i are different
random serial numbers. Let the messages sent by Alice to Bob be
x_1, . . . , x_k. To make sure that Alice is not maliciously sending him
bad messages, Bob randomly selects just one of these messages x_i for
signing. His idea is that he will force Alice to send him the values r_j
for all j ≠ i, so that he can compute the values r_j^{−e} × x_j mod n, and
check that it is equal to a message of the right form m(N). (Note that
if x_j = r_j^e × m(N_j) mod n, then r_j^{−e} × x_j mod n = r_j^{−e} × r_j^e × m(N_j)
mod n = m(N_j).) If one of these checks fails, he will refuse to sign,
otherwise he will sign x_i.
Assume that Alice behaves as follows:
– First she flips a fair (1/2 H + 1/2 T) coin to decide whether to cheat.
– If she does not cheat, she sends Bob completely correct messages.
– If she cheats, she uniformly at random picks i from {1, . . . , k},
and sends Bob x_1, . . . , x_k where x_j = r_j^e × m(N_j) mod n if j ≠ i
and x_i = r_i^e × “Bob will pay Alice $1M” mod n.
– When Bob requests the r_j values, she sends him the correct r_j
values that she used to construct the x_j.
In this case, what is the probability that Bob will catch Alice cheating,
given that she cheats? Conversely, assuming that Bob knows this is
how Alice behaves, if Alice passes Bob’s audit, what probability should
Bob assign to the proposition “Alice has not cheated”?
(c) Show that, in fact, there is a way for Alice to cheat, and always escape
undetected, even when Bob audits her as in (b), because Alice is able
to send Bob incorrect values r_j, without Bob ever detecting that Alice
has cheated.
(d) Extend the protocol by adding some additional information that Alice
sends to Bob before Bob’s audit, that enables Bob to make sure that
Alice does not cheat when responding with the values r_j that Bob
requests. Explain why your solution prevents Alice from cheating with
the r_j.
(e) Your solution to (d) should also ensure that Bob cannot deduce N_i for
the message x_i = r_i^e × m(N_i) that he signs. Explain why this is the
case.
Question 5 (Bitcoin Protocol): Suppose that all of Australia’s internet
connections to the rest of the world break down, disconnecting Australia
from the rest of the world for a period of one year. (For example, a major
earthquake damages all the sea cables, and at the same time, a period of sun
storms destroys all communications satellites and blocks all radio communications.)
In no more than one page total, answer the following:
(a) (2 marks) What would be the effect on the Bitcoin ecosystem (i.e.,
users, miners, and exchanges) both inside and outside of Australia during
the disconnection period?
(b) (2 marks) What would happen when Australia becomes reconnected
to the rest of the world? In particular, what would be the negative
impacts?
(c) (1 mark) What could be done to protect against the negative impacts
from part (b)?
Question 6: Bitcoin Transactions: You are about to go on a holiday in
the Sahara. It is so hot there that if you take your mobile phone or laptop,
they will get cooked, and break down. There might also be some nasty
robbers who could steal your belongings. So you also don’t want to carry
around your Bitcoin private keys written on pieces of paper. You’d like to be
able to spend your Bitcoin on your trip, however, by using internet cafes at
the local oases. So you wonder if you can set up a Bitcoin transaction whose
output you can spend by means of a password mechanism, rather than a
private key. (You’d much prefer to use that than a Bitcoin private key, since
it is easier for you to remember!) For purposes of this exercise, we will
counterfactually pretend that your zID counts as a good password. Suppose
that you have been very careful to keep your zID secret from the world,
and any UNSW staff who do know your zID are completely trustworthy,
and would never do anything malicious. We’ll also pretend that the zID is
long enough and random enough that a brute force guessing attack will take
longer than your lifetime. (So answers to the questions below based on brute
force attacks or UNSW insider attacks don’t count as correct answers.)
(a) First, say what your UNSW zID is. Now write a Bitcoin unlocking script
that allows an output to be spent by providing the numerical part of
your zID (i.e., the part without the “z”). The script should check
that the unlocking script of the input of the transaction that spends
the output is equal to the numerical part of your zID (presented as a
sequence of digits rather than as one single number).
(b) Would it then be safe for you to make your Bitcoin available for you
to spend on holiday by creating a valid transaction that has as input
some of your Bitcoin, and a single output with the unlocking script of
part (a)? If so, explain why. If not, what could go wrong? Who would
be able to spend your Bitcoin, how and when?
(c) You decide to add some extra protection. Rather than the unlocking
script just checking that the input contains your zID, it should check
that whatever is provided in the unlocking script has a SHA256 hash
that is equal to the SHA256 hash of the numerical part of your zID.
First, tell us what the SHA256 hash of the string consisting of the
numerical part of your zID is. (You may find the Unix function shasum
useful here.)
(d) Now give the unlocking script for the hash-based password unlocking
script using your answer in part (c).
(e) Would it be safe for you to make your Bitcoin available for you to spend
on holiday, using a transaction with the unlocking script of part (d)?
If so, explain why. If not, what could go wrong? Who would be able
to spend your Bitcoin, how and when?