Changes made with Emanuele.

book/fermat.tex

@@ -2,10 +2,12 @@
 
 Excluding the trial division, Fermat's method is the oldest known systematic
 method for factorizing integers. Even if its algorithmic complexity is not
-really among the most efficient, it holds still a practical interest whenever
+among the most efficient, it holds still a practical interest whenever
 the two primes are sufficiently close.
-Indeed, \cite{DSS2009} \S B.3.6 explicitly reccomends that $|p-q| \geq \sqrt{N}2^{-100}$,
-in order to address this kind of threat, for any key of bitlength $1024,\ 2048,\ 3072$.\\
+Indeed, \cite{DSS2009} \S B.3.6 explicitly recommends that
+$|p-q| \geq \sqrt{N}2^{-100}$
+for any key of bitlength $1024,\ 2048,\ 3072$ in order to address this kind of
+threat.\\
 %% it would be nice here to explain that this magic 2^100 is just about wonting
 %% the most significant digits to be different.
 The basic idea is to attempt to write $N$ as a difference of squares,
@@ -41,22 +43,22 @@ below here to better clarify the limits of this algorithm.
 \end{proof}
 
 \begin{remark}
-  Note that, for the algorithm to be effective, the two primes
-  \emph{really close} to $\sqrt{N}$. As much as the lowest prime gets near to
-  one, the ratio $\frac{(1-k)^2}{2k}$ becomes larger, until the actual magnitude
+  Note that, for the algorithm to be effective, the two primes must be
+  ``really close'' to $\sqrt{N}$. As much as the lowest prime gets near to
+  $1$, the ratio $\frac{(1-k)^2}{2k}$ becomes larger, until the actual magnitude
   of this factorization method approaches \bigO{N}.
 \end{remark}
 
 \section{An Implementation Perspective}
 
 At each iteration, the $i-$th state is hold by the pair $\angular{x, x^2}$.\\
-The later step, described by $\angular{x+1, (x+1)^2}$ can be computed efficently
+The later step, described by $\angular{x+1, (x+1)^2}$ can be computed efficiently
 considering the square of a binomial: $\angular{x+1, (x^2) + (x \ll 1) + 1}$.
 The upperbound, instead, is reached when
 $ \Delta = p - q  = x + y - x + y = 2y > 2^{-100}\sqrt{N}$.
 
 Algorithm ~\ref{alg:fermat} presents a simple implementation of this
-factorization method, taking into account the small aptimizations
+factorization method, taking into account the small optimizations
 aforementioned.
 
 \paragraph{How to chose the upper limit?}  after having explained our interpretation

book/library.bib

@@ -72,6 +72,12 @@
  address = {Cambridge, MA, USA},
 }
 
+@book{Crandall:,
+    author = {Richard Crandall and Carl Pomerance and Richard Crandall and Carl Pomerance},
+    title = {Prime numbers: a computational perspective. Second Edition},
+    year = {2005}
+}
+
 @article{wiener,
  author = {Michael J. Wiener},
  title = {Cryptanalysis of short RSA secret exponents},

book/math_prequisites.tex

@@ -1,22 +1,36 @@
 \chapter{Mathematical prequisites \label{chap:preq}}
 
-This chapter formalizes the notation used in the rest of the thesis, and
-moreover attempts to discuss and study the elementary functions on which the
-project has been grounded. For example, the $\ll$ and $\gg$ are respectively
-used with the meaning of left and right binary shift, as usual in the computer
-science field; meanwhile, the $\dsqrt$ function will be defined in section
-\ref{sec:preq:sqrt}, with the acceptation of discrete square root.
-
-
-%% XXX. where to put these?
+In this chapter we formalize the notation used in the rest of the thesis, and
+furthermore attempt to discuss and study the elementary functions on which the
+project has been grounded.
+\\
+The $\ll$ and $\gg$ are respectively used with the meaning of left and right
+bitwise shift, as usual in computer science.
+\\
+The $\dsqrt$ function will be defined in section \ref{sec:preq:sqrt}, with the
+acceptation of discrete square root.
+\\
 The logarithmic $\log$ function is assumed to be in base two, i.e. $\log_2$.
-
+\\
 The $\idiv$ symbol is the integer division over $\naturalN$, i.e.
 $a \idiv b = \floor{\frac{a}{b}}$.
 
+\section{Algorithmic Complexity Notation}
+The notation used to describe asymptotic complexity follows the $O$-notation,
+abused under the conventions and limits of MIT's Introduction to Algorithms.
+
+Let \bigO{g} be the asymptotic upper bound of g:
+$$
+\bigO{g(n)} = \{ f(n) : \exists n_0, c \in \naturalN \mid 0 \leq f(n) \leq cg(n)
+\ \forall n > n_0 \}
+$$
+
+With $f(n) = \bigO{g(n)}$ we actually mean
+$f(n) \in \bigO{g(n)}$.
+
 \section{Euclid's Greatest Common Divisor}
 
-Being the greatest common divisor a foundamental algebraic operation in the ssl
+Being the greatest common divisor a foundamental algebraic operation in the TLS
 protocol, \openssl implemented it with the following signature:
 
 \begin{minted}[fontsize=\small]{c}
@@ -25,20 +39,20 @@ protocol, \openssl implemented it with the following signature:
 
 The computation proceeds under the well-known Euclidean algorithm, specifically
 the binary variant developed by Josef Stein in 1961 \cite{AOCPv2}. This variant
-exploits some interesting properties of $gcd(a, b)$
+exploits some interesting properties of $gcd(a, b)$:
 \begin{itemize}
   \setlength{\itemsep}{1pt}
   \setlength{\parskip}{0pt}
   \setlength{\parsep}{0pt}
-  \item if $a,\ b$ are even, then $gcd(a, b) = 2gcd(a/2, b/2)$
-  \item if $a$ is even and $b$ is odd, then $gcd(a, b) = gcd(a/2, b)$
-  \item  $gcd(a, b) = gcd(a-b, b)$, as in the standard Euclid's algorithm
-  \item the sum of two odd numbers is always even
+  \item if $a,\ b$ are even, then $gcd(a, b) = 2gcd(a/2, b/2)$;
+  \item if $a$ is even and $b$ is odd, then $gcd(a, b) = gcd(a/2, b)$;
+  \item  $gcd(a, b) = gcd(a-b, b)$, as in the standard Euclid algorithm;
+  \item the sum of two odd numbers is always even.
 \end{itemize}
 
 % Donald Knuth, TAOCP, "a binary method", p. 388 VOL 2
-Both \cite{AOCPv2} and \cite{MITalg} analyze the running time for the algorithm,
-even if \cite{MITalg}'s demonstration is fairly simpler and proceeds %elegantly
+Both \cite{AOCPv2} and \cite{MITalg} analyze the running time of the
+algorithm; \cite{MITalg}'s proof is fairly simpler and proceeds %elegantly
 by induction.
 Anyway, both show that algorithm ~\ref{alg:gcd} belongs to the class
 \bigO{\log b}.
@@ -74,84 +88,39 @@ Anyway, both show that algorithm ~\ref{alg:gcd} belongs to the class
 Unfortunately, there is yet no known parallel solution that significantly improves
 Euclid's \textsc{gcd}.
 
-\section{RSA Cipher \label{sec:preq:rsa}}
-
-The RSA cryptosystem, invented by Ron Rivesst, Adi Shamir, and Len Adleman
-~\cite{rsa}, was first published in August 1977's issue of
-\emph{Scientific American}. In its basic version, this \emph{asymmetric} cipher
-works as follows:
-\begin{itemize}
-  \item choose a pair $\angular{p, q}$ of \emph{random} \emph{prime} numbers;
-    let $N$ be the product of the two, $N=pq$, and call it ``Public Modulus''
-  \item choose a pair $\angular{e, d}$ of \emph{random} numbers, both in
-    $\integerZ^*_{\varphi(N)}$, such that one is the multiplicative inverse of the
-    other, $ed \equiv 1 \pmod{\varphi(N)}$ and $\varphi(N)$ is Euler's totient
-    function;
-\end{itemize}
-Now, call $\angular{N, e}$ \emph{public key}, and $\angular{N, d}$
-\emph{private key}, and let the encryption function $E(m)$ be the $e$-th power of
-the message $m$:
-\begin{align}
-  \label{eq:rsa:encrypt}
-  E(m) = m^e \pmod{N}
-\end{align}
-while the decryption function $D(c)$ is the $d$-th power of the ciphertext $c$:
-\begin{align}
-  \label{eq:rsa:decrypt}
-  D(c) = c^d \equiv E(m)^d \equiv m^{ed} \equiv m \pmod{N}
-\end{align}
-that, due to Fermat's little theorem, is the inverse of $E$.
-
-\paragraph{}
-%% less unless <https://www.youtube.com/watch?v=XnbnuY7Kxhc>
-From now on, unless otherwise specified, the variable $N=pq$ will always refer
-to the public modulus of a generis RSA keypair, with $p, q\ .\ p > q$ being the
-two primes factorizing it. Again, $e, d$ will respectively refer to the public
-exponent and the private exponent.
-
-
-\section{Algorithmic Complexity Notation}
-The notation used to describe asymptotic complexity follows the $O$-notation,
-abused under the conventions and limits of MIT's Introduction to Algorithms.
-
-Let \bigO{g} be the asymptotic upper bound of g:`
-$$
-O(g(n)) = \{ f(n) : \exists n_0, c \in \naturalN \mid 0 \leq f(n) \leq cg(n)
-\ \forall n > n_0 \}
-$$
-
-With the writing $f(n) = O(g(n))$ we will actually interpret
-$f(n) \in O(g(n))$.
 
 \section{Square Root \label{sec:preq:sqrt}}
 
-Computing the square root has been another foundamental requirement of the
-project, though not satisfied by \openssl. Apparently,
+Computing the square root is another important building block of the project,
+though not available in \openssl\!.
+Apparently,
 % \openssl is a great pile of crap, as phk states
-\openssl does only provide the discrete quare root implementation using the
-Tonelli/Shanks algorithm, which specifically solves $x$ in $x^2 = a \pmod{p}$,
-with $p \in \naturalPrime$.
+\openssl does only provide the discrete square root implementation using the
+Tonelli/Shanks algorithm, which specifically solves in $x$ the equation
+$x^2 = a \pmod{p}$, with $p \in \naturalPrime$:
 
 \begin{minted}{c}
   BIGNUM* BN_mod_sqrt(BIGNUM* x, const BIGNUM* a, const BIGNUM* p,
                       const BN_CTX* ctx);
 \end{minted}
 
-Instead, we are interested in finding the square root in $\naturalN$, hence we
-did come out with our specific implementation, first using Bombelli's algorithm
-described in ~\ref{par:preq:sqrt:bombelli},
-and later with Dijkstra one discussed in ~\ref{par:preq:sqrt:dijkstra}.
+Instead, we are interested in finding the the pair
+$\angular{x, r} \in \naturalN^2 \mid x^2 + r = n$, that is, the integer part of
+the square root of a natural number and its rest.
+Hence, we did come out with our specific implementation, first using Bombelli's
+algorithm, and later with the one of Dijkstra. Both are going to be discussed
+below.
 
-Unless otherwise specified, in the later pages we will use $\sqrt{n}$ with the
-usual meaning ``the half power of $n$'', while with $x, r = \dsqrt{n}$ we will
-intend the pair $\angular{x, r} \in \naturalN^2 \mid x^2 + r = n$.
+Unless otherwise specified, in the later pages we use $\sqrt{n}$ with the
+usual meaning ``the half power of $n$'', while with $x, r = \dsqrt{n}$ we mean
+the pair just defined.
 
 \paragraph{Bombelli's Algorithm \label{par:preq:sqrt:bombelli}} dates back to
 the XVI century, and approaches the problem of finding the square root by using
 continued fractions. Unfortunately, we weren't able to fully assert the
 correctness of the algorithm, since the original document
-~\cite{bombelli:algebra} is definitely unreadable and presents a difficult,
-inconvenient notation. Though, for completeness' sake, we report in table
+~\cite{bombelli:algebra} presents a difficult, inconvenient notation. Though,
+for completeness' sake, we report in table
 ~\ref{alg:sqrt:bombelli} the pseudocode adopted and tested for its correctness.
 
 \begin{algorithm}[H]
@@ -179,6 +148,9 @@ inconvenient notation. Though, for completeness' sake, we report in table
       \State $r \gets r - y$
       \State $x \gets 10x + d - 1$
     \EndFor
+
+    \State \Return $x, r$
+
     \EndProcedure
   \end{algorithmic}
 \end{algorithm}
@@ -190,23 +162,24 @@ multiplications. This means that the complexity of this solutions belongs to
 \cite{Dijkstra:adop}, \S 8, p.61. There, Dijkstra presents an elightning
 process for the computation of the square root, making only use of binary shift
 and algebraic additions.
-Specifically, the problem attempts to find, given a natual $n$, the $a$ that
-establishes:
+Specifically, the problem attempts to find, given a natual $n$, the integer $a$
+that establishes:
 \begin{align}
   \label{eq:preq:dijkstra_problem}
   a^2 \leq n \: \land \: (a+1)^2 > n
 \end{align}
 
-Take now the pair $\angular{a=0, b=n+1}$, and think about the problem as dicotomic
-search: we want to diminuish the dinstance between the upper bound $b$ and the
-lower bound $a$ while holding the guard \ref{eq:preq:dijkstra_problem}:
+Take now the pair $\angular{a=0, b=n+1}$, and consider the inverval
+$[a, b[$. We would like to reduce the distance between the upper bound $b$ and
+the lower bound $a$, while holding the guard \ref{eq:preq:dijkstra_problem}:
 
 \begin{align*}
   a^2 \leq n \: \land \: b > n
 \end{align*}
 
 %% XXX. I am not so sure about this, pure fantasy.
-The speed of convergence is determined by the choice of dinstance $d$, which is optimal when
+The speed of convergence is determined by the choice of the distance $d$, which
+analougously to the dicotomic search problem, is optimal when
 $d = (b-a) \idiv 2$.
 
 \begin{algorithm}[H]
@@ -229,14 +202,13 @@ $d = (b-a) \idiv 2$.
 % heh, there's not much to explain here, that's almost the same in Dijkstra's
 % book, excluding the inspirative familiar portrait that led to the insight of
 % this change of varaibles.
-Now optimization proceeds by abstration: the variables $a, b$ are sobstituded
-introducing:
+Now optimization proceeds with the following change of variables:
 $c = b-a$,
 $p = ac$,
 $q = c^2$,
-$r = n-a^2$
-and finally $h$ as local optimization. For any further details and
-explainations, the reference is still \cite{Dijkstra:adop}.
+$r = n-a^2$;
+For any further details and explainations, the reference is still
+\cite{Dijkstra:adop}.
 
 \begin{algorithm}[H]
   \caption{Square Root: final version}
@@ -255,10 +227,10 @@ explainations, the reference is still \cite{Dijkstra:adop}.
   \end{algorithmic}
 \end{algorithm}
 
-A fair approxidmation of the magnitude of the Dijkstra algorithm can be studied
-by looking at the pseudocode in ~\ref{alg:sqrt:dijkstra_naif}. Exactely as with
+A fair approximation of the magnitude of the Dijkstra algorithm can be studied
+by looking at the pseudocode in ~\ref{alg:sqrt:dijkstra_naif}. Exactly as in
 the dicotomic search case, we split the interval $[a, b]$ in half on each step,
-and choose wether to take the leftmost or the rightmost part. This results in
+and choose whether to take the leftmost or the rightmost part. This results in
 $log(n+1)$ steps. During each iteration, instead, as we have seen in
 ~\ref{alg:sqrt:dijkstra} we just apply summations and binary shifts, which are
 upper bounded by \bigO{\log{n}/2}. Thus, the order of magnitude belongs to
@@ -266,8 +238,46 @@ upper bounded by \bigO{\log{n}/2}. Thus, the order of magnitude belongs to
 
 \paragraph{}
 Even if both algorithms presented have \emph{asymptotically} the same
-complexity, we believe that adopting Dijkstra's one has lead to a pragmatic,
-substantial performance improvement.
+complexity, we believe that adopting the one of Dijkstra has lead to a
+pragmatic, substantial performance improvement.
+
+
+\section{RSA Cipher \label{sec:preq:rsa}}
+
+The RSA cryptosystem, invented by Ron Rivest, Adi Shamir, and Len Adleman
+~\cite{rsa}, was first published in August 1977's issue of
+\emph{Scientific American}. In its basic version, this \emph{asymmetric} cipher
+works as follows:
+\begin{itemize}
+  \item choose a pair $\angular{p, q}$ of \emph{random} \emph{prime} numbers;
+    let $N$ be the product of the two, $N=pq$, and call it \emph{public modulus};
+  \item choose a pair $\angular{e, d}$ of \emph{random} numbers, both in
+    $\integerZ^*_{\varphi(N)}$, such that one is the multiplicative inverse of the
+    other, $ed \equiv 1 \pmod{\varphi(N)}$ and $\varphi(N)$ is Euler's totient
+    function;
+\end{itemize}
+Now, call $\angular{N, e}$ \emph{public key}, and $\angular{N, d}$
+\emph{private key}, and let the encryption function $E(m)$ be the $e$-th power of
+the message $m$:
+\begin{align}
+  \label{eq:rsa:encrypt}
+  E(m) = m^e \pmod{N}
+\end{align}
+while the decryption function $D(c)$ is the $d$-th power of the ciphertext $c$:
+\begin{align}
+  \label{eq:rsa:decrypt}
+  D(c) = c^d \equiv E(m)^d \equiv m^{ed} \equiv m \pmod{N}
+\end{align}
+that, due to Fermat's little theorem, is the inverse of $E$.
+
+\paragraph{}
+%% less unless <https://www.youtube.com/watch?v=XnbnuY7Kxhc>
+From now on, unless otherwise specified, the variable $N=pq$ will always refer
+to the public modulus of a generic RSA keypair, with
+$p, q$ being the two primes factorizing it, such that $p > q$.
+ Again, $e, d$ will respectively refer to the public
+exponent and the private exponent.
+
 %%% Local Variables:
 %%% mode: latex
 %%% TeX-master: "question_authority"

book/preface.tex

@@ -1,17 +1,16 @@
 \chapter{Preface}
 
-Even if the basic RSA keypair generation algorithm is fairly
-straightforward, it turns out that any software willing to provide such a
-feature does have to test the pair candidate against a substantious number of
-tests before claiming its security.
+Even if the basic RSA key generation algorithm is fairly straightforward, it
+turns out that any software willing to provide such a feature does have to test
+the candidate key against a substantious number of threats before claiming its
+security.
 
-The purpose of this project is to examine the TLS protocol, study in deep the
-\openssl library, and survey some of the attacks to which a bad key generation
-is exposed. On the footprint of ~\cite{20years}, we which already analyzed most
-of these, we are going to describe the mathematical basis of each attack, and
-then proceed further reasoning about a clever, possibly optimal, solution in
-procedural programming; finally, we are trying to think about a distributed
-version of it.
+The purpose of this project is to examine the TLS protocol, to study in depth
+the \openssl library, and to survey some of the attacks to which a bad key
+generation is exposed. On the footprint of ~\cite{20years}, where most of these
+attacks have already been analyzed, we are going to describe the mathematical
+basis of each attack, reason about a possible solution in procedural
+programming, and finally, give some hints about a distributed version of it.
 
 Besides the pseudocode already available in this document, the project led to the
 development of a real, open, C implementation consultable at

book/question_authority.tex

@@ -21,9 +21,8 @@
 \usepackage{minted}
 \usepackage{makeidx,shortvrb,latexsym}
 \usepackage{supertabular}
-%\usepackage{xypic}
-%% setting epigraphs
 
+%% setting epigraphs
 \renewcommand{\epigraphsize}{\small}
 \setlength{\epigraphwidth}{0.8\textwidth}
 \let\origepigraph\epigraph
@@ -50,35 +49,6 @@
 \newcommand{\abs}[1]{\left|#1\right|}
 \newcommand{\rfrac}[2]{{}^{#1}\!/_{#2}}
 
-%% Optional custom shortcuts commands.
-\usepackage{braket}
-\newcommand{\pe}{\mathbb{P}_{\mathrm{E}}}
-\newcommand{\pme}{\mathbb{P}_{\mathrm{ME}}}
-\newcommand{\primary}{\blacktriangle}
-\newcommand{\secondary}{{\blacktriangle\!}^{\! \! +}}
-\newcommand{\MM}{\mathcal{M}}
-\newcommand{\DP}{{\D\!}^{\! \! +}}
-\newcommand{\D}{\Delta}
-\newcommand{\Fq}{ \mathbb{F}_{q}}
-\newcommand{\Fp}{ \mathbb{F}_{p}}
-\newcommand{\Lq}{ \mathcal{L}_{q}}
-\newcommand{\R}{ \mathcal{R}}
-\newcommand{\Cq}{ \mathcal{C}_{q}}
-\newcommand{\SCa}{ S_{C,\alpha}}
-\newcommand{\Cqn}{ \mathcal{C}_{q,n}}
-\newcommand{\K}{ \mathbb{K}}
-\newcommand{\U}{ \mathcal{U}}
-\newcommand{\vi}{\mathrm{\textbf{v}}}
-\newcommand{\ww}{\mathrm{w}}
-\newcommand{\uu}{\mathrm{\textbf{u}}}
-\newcommand{\f}{\mathsf{f}}
-\newcommand{\V}{V_{\left(n,S\right)}^{\zeta}}
-\newcommand{\T}{T_{\left(n,S\right)}^{\zeta}}
-\newcommand{\SQ}{\begin{flushright}
-$\square$
-\end{flushright}}
-
-
 \makeindex
 \let\origdoublepage\cleardoublepage
 \newcommand{\clearemptydoublepage}{%
@@ -162,6 +132,8 @@ $\square$
   \centering
   \includegraphics[width=80pt]{kopimi.png}
 \end{figure}
+
+
 \include{preface}
 
 \part{Prequisites}
@@ -182,4 +154,5 @@ $\square$
 \bibliography{library}
 \clearpage
 \addcontentsline{toc}{chapter}{Bibliography}
+
 \end{document}

book/wiener.tex

@@ -6,15 +6,16 @@ possible to find the private key in \emph{polynomial time} using continued fract
 expansions whenever a good estimate of the fraction $\frac{e}{N}$ is known.
 More specifically, given $d < \frac{1}{3} ^{4}\sqrt{N}$ one can efficiently
 recover $d$ only knowing $\angular{N, e}$.
-\section{A small digression into continued fractions}
+
+\section{A small digression into continued fractions \label{sec:wiener:cf}}
 
 \section{The actual attack}
 
 
 As we saw in ~\ref{sec:preq:rsa}, by contruction the two exponents are such that
 $ed \equiv 1 \pmod{\varphi(N)}$. This implies that there exists a
-$k \in \naturalN \mid ed = k\varphi(N) + 1$. But, this can be formalized to be
-the same problem ...: %% decribed in the preceeding section XXX.
+$k \in \naturalN \mid ed = k\varphi(N) + 1$. This can be formalized to be
+the same problem we saw in ~\ref{sec:wiener:cf}:
 \begin{align*}
   ed = k\varphi(N) + 1 \\
   \abs{\frac{ed - k\eulerphi{N}}{d\eulerphi{N}}} = \frac{1}{d\eulerphi{N}} \\