Saturday, November 6, 2010

9.1-9.4, due on November 8

  1. (Difficult) One difficult part was following the ElGamal signature scheme. I don't think we've practiced with ElGamal much, so maybe if we do so and with more effort I could do better. Also, I didn't follow the calculations in the Birthday Attack on signatures, but I hope I could, if necessary.
  2. (Reflective) The book argues that forging a signature for a nonsensical message is not dangerous (e.g. at the end of section 9.2). I don't know if I agree. It seems that symmetric keys are often the messages transferred with RSA, and one random string of bits would be nearly as good as another. In this way an attacker could start with the signature, and generate a perfectly valid key with sig^e. The signature would then be accepted by the receiver.
    I think such attacks are foiled by requiring messages in RSA to have a certain format or padding. The book may mention this, but I think mentioning it again here would be helpful. Or I could be wrong, in which case I would like to know what I am misunderstanding or how else this attack can be averted.
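
The sig^e construction from item 2, checked against textbook RSA verification and against a verifier that requires the signed value to be a hash of the message, as an added example that is not part of the original post or the book. The toy key, the `digest` encoding (SHA-256 reduced mod n, a simplification of real padding schemes) and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the signer


def textbook_sign(m: int) -> int:
    return pow(m, D, N)


def textbook_verify(m: int, sig: int) -> bool:
    """Textbook RSA: accept when sig^e mod n equals the message itself."""
    return pow(sig, E, N) == m % N


def message_from_signature(sig: int) -> int:
    """The construction in item 2: uses only the public key (N, E)."""
    return pow(sig, E, N)


def digest(m: int) -> int:
    """Assumed format rule: the signed value must be SHA-256(message) mod n."""
    data = m.to_bytes((N.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def hashed_sign(m: int) -> int:
    return pow(digest(m), D, N)


def hashed_verify(m: int, sig: int) -> bool:
    """Accept only when sig^e mod n equals the digest of the message."""
    return pow(sig, E, N) == digest(m)


def demo() -> dict:
    chosen_sig = 0x1234567890ABCDEF1234567890ABCDEF  # constructed, arbitrary
    derived_msg = message_from_signature(chosen_sig)  # random-looking bits
    honest_msg = 0xC0FFEE  # constructed message signed with the private key
    return {
        "textbook_accepts_derived": textbook_verify(derived_msg, chosen_sig),
        "hashed_accepts_derived": hashed_verify(derived_msg, chosen_sig),
        "hashed_accepts_honest": hashed_verify(honest_msg, hashed_sign(honest_msg)),
    }


if __name__ == "__main__":
    print(demo())
```

With the format rule in place, producing a message that matches a chosen signature would require finding a preimage of the hash, which is why the derived pair is rejected.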
