1. In detail, give the steps needed to create an instance of RSA, assuming encryption exponent 3. At the end, explain what the following are: the encryption function, the decryption function, the public key, and the private key.

   Assume that Alice and Bob have RSA key pairs (E_A, D_A), and (E_B, D_B), where E is the encryption key (= algorithm) and D is the decryption key.

2. Explain how Alice makes a message m secret and sends it to Bob and how Bob recovers the message.

3. Explain how Alice sends Bob a signed message m and how Bob verifies the signature.

4. Explain how Alice could use a secure one-way hash function to quickly sign an arbitrarily long message.

Here is a table of "exponentials" with base 03. The entry E(rs) is the field element given by 03^rs, where these are hex numbers, and the initial ``0x'' is left off for simplicity.

Similarly, here is a table of ``logarithms'', where the entry L(rs) is the field element that satisfies rs = 03<sup>L(rs)</sup>, where these are hex numbers, and again the initial ``0x'' is left off.

1. Use the above tables to calculate (22)*(7e).

2. Show how 22 and 7e are represented as polynomials. Show the steps necessary to multiply them as field elements, using the "magic" polynomial m(x) = x⁸ + x⁴ + x³ + x + 1, without actually carrying out the operations.

3. In the simplest version of the AES, what are the sizes of: the key, the plaintext, and the ciphertext? What are the number of rounds in the AES algorithm (again shortest version)?

4. What is a secure one-way hash function? How can the AES be used to provide such a function? (Unless the AES gets broken somehow.)

1. Give the definition of a (3, 3)-threshold scheme.

2. What does it mean for such a scheme to be perfect?

3. Show how to use sources of true random bits and exclusive-or to create a perfect (3, 3)-threshold scheme.

4. Give the definition of a (3, n)-threshold scheme. What must be true about the number n?

5. In Shamir's scheme, if the "secret" is 47 and you want a (3, 10)-threshold scheme, show how you would construct it (but not how your would recover the secret, which is more elaborate).

Protocol. A and B verify that they possess a common key K, using a public one-way function h.

A sends h(h(K)) to B. B verifies that the received value is correct. B sends h(K) to A. A verifies that the received value is correct.

1. What is a one-way function?

2. Why not have A send h(K) to B and then have B send h(h(K)) to A?

3. What keeps C from intercepting A's transmission of h(h(K)) and then sending h(K) back to A (assuming C doesn't know K)?

SPEKE Protocol. A and B verify that they share a secret S, using a public prime p and a public one-way function h.

A chooses a random RA and sends QA = SRA mod p to B. B chooses a random RB and sends QB = SRB mod p to A. A calculates K = QBRA mod p. B calculates K = QARB mod p. A sends h(h(K)) to B. B verifies that the received value is correct. B sends h(K) to A. A verifies that the received value is correct.

Note: the random R_A and R_B are secret and used only once.

1. Steps i. to iv. resemble another protocol that we studied. What is it, and what is it used for?

2. If the S that A uses is the same as the S that B uses, how do you know that the K's calculated by A and B will be the same.

3. Suppose A is a computer user, and suppose B is the computer system that A uses. What could the shared secret S be and how might one use this protocol?

   Note: A and B can convince one another that they share the same secret S, but if B doesn't know A's secret, it will not be revealed.