|
@@ -21,29 +21,63 @@ RSA key-pair immune to this attack, namely
|
|
|
|
|
|
Let us call ``continued fraction'' any expression of the form:
|
|
|
%% why \cfrac sucks this much. |-------------------------|
|
|
|
-$$
|
|
|
+\begin{align*}
|
|
|
a_0 + \frac{1}{a_1
|
|
|
+ \frac{1}{a_2
|
|
|
+ \frac{1}{a_3
|
|
|
+ \frac{1}{a_4 + \ldots}}}}
|
|
|
-$$
|
|
|
+\end{align*}
|
|
|
hereby described as a series for convenience:
|
|
|
$\angular{a_0, a_1, a_2, a_3, \ \ldots, a_n}$.
|
|
|
Any floating point number $x$ can be represented as a continued fraction, and
|
|
|
for each $i < n$ there exists fraction $\rfrac{h_i}{k_i}$ approximating $x$.
|
|
|
By definition, each new approximation is recursively defined as:
|
|
|
-$$
|
|
|
-
|
|
|
- a_{-1} = 0 \quad
|
|
|
- a_i = h_i // k_i
|
|
|
|
|
|
- h_{-1} = 1 \quad h_{-2} = 0 \quad
|
|
|
- h_i = a_i h_{i-1} + h_{i-2}
|
|
|
+\begin{align}
|
|
|
+ \label{eq:wiener:cf}
|
|
|
+ \begin{cases}
|
|
|
+ a_{-1} = 0 \\
|
|
|
+ a_i = h_i // k_i \\
|
|
|
+ \end{cases}
|
|
|
+ \quad
|
|
|
+ \begin{cases}
|
|
|
+ h_{-2} = 0 \\
|
|
|
+ h_{-1} = 1 \\
|
|
|
+ h_i = a_i h_{i-1} + h_{i-2}
|
|
|
+ \end{cases}
|
|
|
+ \quad
|
|
|
+ \begin{cases}
|
|
|
+ k_{-2} = 1 \\
|
|
|
+ k_{-1} = 0 \\
|
|
|
+ k_i = a_i k_{i-1} + k_{i-2}
|
|
|
+ \end{cases}
|
|
|
+\end{align}
|
|
|
|
|
|
- k_{-1} = 0 \quad k_{-2} = 1 \quad
|
|
|
- k_i = a_i k_{i-1} + k_{i-2}
|
|
|
-$$
|
|
|
+After a small digression into the properties of continuef fractions, Wiener, in
|
|
|
+~\cite{wiener}, shows that, if a continued fraction $f'$ is an underestimate of
|
|
|
+another one $f$:
|
|
|
+\begin{align}
|
|
|
+ f' = f(1-\delta)
|
|
|
+\end{align}
|
|
|
|
|
|
+Then it is possible to recover $f$, having $f'$, if $\delta$ is small
|
|
|
+enough, where small enough means:
|
|
|
+\begin{align}
|
|
|
+ \label{eq:wiener:cf_approx}
|
|
|
+ \delta = 1 - \frac{f'}{f} < \frac{1}{\rfrac{3}{2}{h_1}{d_1}}
|
|
|
+\end{align}
|
|
|
+\\
|
|
|
+The ``continued fraction algorithm'' allowing us to recover $f$ is the
|
|
|
+following:
|
|
|
+\begin{enumerate}[(i)]
|
|
|
+ \setlength{\itemsep}{1pt}
|
|
|
+ \setlength{\parskip}{0pt}
|
|
|
+ \setlength{\parsep}{0pt}
|
|
|
+ \item generate the next $a_i$ of the continued fraction expansion of $f'$;
|
|
|
+ \item use ~\ref{eq:wiener:cf} to generate the next fraction $\rfrac{h_i}{k_i}$
|
|
|
+ equal to $\angular{a_0, a_1, \ldots, a_{i-1}, a_i}$ %% non e` proprio cosi`
|
|
|
+ \item chech whether $\rfrac{h_i}{k_i}$ is equal to $f$
|
|
|
+\end{enumerate}
|
|
|
|
|
|
\section{The actual attack}
|
|
|
|
|
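Review bot: the recurrence added under `\label{eq:wiener:cf}` defines the partial quotients circularly: `a_i = h_i // k_i` derives a_i from the convergent h_i/k_i, but h_i and k_i are themselves built from a_i two cases later (`h_i = a_i h_{i-1} + h_{i-2}`, `k_i = a_i k_{i-1} + k_{i-2}`), and the `a_{-1} = 0` seed is used by neither recurrence. The a_i must come from the expansion of f' itself (integer-divide the current numerator by the current denominator, then continue with the denominator and the remainder), which is also what step (i) of the enumerated algorithm says; the Italian comment `%% non e` proprio cosi`` ("it is not quite like that") left on the step (ii) line suggests the author already noticed, so fix the first `cases` block instead of shipping the note. Three smaller points in the same hunk: the bare `\\` right after `\end{align}` of the `eq:wiener:cf_approx` block is not a way to add vertical space after a display (it yields an Underfull \hbox warning and an empty line), so drop it or use `\medskip`; in that same equation `\rfrac{3}{2}{h_1}{d_1}` hands four groups to a macro that is used with two everywhere else (`\rfrac{h_i}{k_i}`, `\rfrac{1}{3}`), so `{h_1}{d_1}` will be typeset as loose factors after the 3/2, and `d_1` appears nowhere else in the text, which calls the convergent denominators k_i; and `in` + newline + `~\cite{wiener}`, `use ~\ref{eq:wiener:cf}` put an ordinary space before the tie, which defeats the non-breaking space, so write `in~\cite{wiener}` and `use~\ref{eq:wiener:cf}`. Typos on the added lines: "continuef fractions" and "chech whether".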
@@ -72,6 +106,8 @@ For the last step, remember that $k < d < \rfrac{1}{3} {}^4\sqrt{N}$:
|
|
|
= \frac{1}{d{}^4\sqrt{N}}
|
|
|
\end{align*}
|
|
|
|
|
|
+This demonstrates the conditions of ~\ref{eq:wiener:cf_approx} and allows us to
|
|
|
+proceed with the continued fraction algorithm to converge to a solution.
|
|
|
\section{Again on the engine™}
|
|
|
|
|
|
%%% Local Variables:
|
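Review bot: on the added sentence, `of ~\ref{eq:wiener:cf_approx}` has an ordinary space before the tie, so a line break is still allowed in front of the reference; write `of~\ref{eq:wiener:cf_approx}`. The wording also overstates what the derivation above it does: it establishes a single inequality, so "This shows that the condition of~\ref{eq:wiener:cf_approx} holds, so the continued fraction algorithm converges to a solution" reads more precisely than "demonstrates the conditions of".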