|
|
@@ -52,50 +52,52 @@ Therefore, the latter expression becomes:
|
|
|
\end{cases}
|
|
|
\end{equation}
|
|
|
|
|
|
-Three foundamental properties interpolate terms of Lucas Sequences:
|
|
|
+Two foundamental properties interpolate terms of Lucas Sequences, namely
|
|
|
+\emph{addition} and \emph{duplication} formulas:
|
|
|
\begin{align}
|
|
|
- & V_{2n+1} = \tau V_n^2 - V_n V_{n-1} - \tau \label{eq:ls:2n+1} \\
|
|
|
- & V_{2n} = V_n^2 - 2 \label{eq:ls:2n} \\
|
|
|
- & V_{2n-1} = V_nV_{n-1} - \tau \label{eq:ls:2n-1}
|
|
|
+ & V_{n+m} = V_nV_m - V_{m-n} \label{eq:ls:addition} \\
|
|
|
+ & V_{2n} = V_n^2 - 2 \label{eq:ls:duplication}
|
|
|
\end{align}
|
|
|
|
|
|
All these identities can be verified by direct substitution with
|
|
|
\ref{eq:williams:ls}. What's interesting about the ones of above, is that we can
|
|
|
exploit them to efficiently compute the product $V_{hk}$ if we are provided with
|
|
|
-$\angular{V_k, V_{k-1}}$ by considering the binary representation of the number
|
|
|
-$h$. In other words, we can consider each bit of $h$, starting from the least
|
|
|
-significant one: if it is zero, we use the multiplication formula
|
|
|
-\ref{eq:ls:2n}; otherwise the two addition formulas \ref{eq:ls:2n+1} and
|
|
|
-\ref{eq:ls:2n-1}.
|
|
|
+`$V_k$ by considering the binary representation of the number
|
|
|
+$h$. In other words, we can consider each bit of $h$, starting from second most
|
|
|
+significant one: if it is zero, we compute $\angular{V_{2k}, V_{(2+1)k}}$ using
|
|
|
+\ref{eq:ls:duplication} and \ref{eq:ls:addition} respectively; otherwise we
|
|
|
+compute $\angular{V_{(2+1)k}, V_{2(k+1)}}$ using \ref{eq:ls:addition} and
|
|
|
+\ref{eq:ls:duplication}.
|
|
|
|
|
|
\begin{algorithm}[H]
|
|
|
\caption{Lucas Sequence Multiplier}
|
|
|
\begin{algorithmic}[1]
|
|
|
- \Function{Lucas}{$V, V', a, \tau$}
|
|
|
- \While{$a > 0$}
|
|
|
- \If{$a$ is even }
|
|
|
- \State $V'' \gets V^2 -2$
|
|
|
- \Comment by equation \ref{eq:ls:2n}
|
|
|
- \State $V' \gets VV' - \tau$
|
|
|
- \Comment by equation \ref{eq:ls:2n-1}
|
|
|
- \State $V \gets V''$
|
|
|
- \ElsIf{$a$ is odd}
|
|
|
- \State $V'' \gets \tau V^2 - VV' - \tau$
|
|
|
- \Comment by equation \ref{eq:ls:2n+1}
|
|
|
- \State $V' \gets V^2 -2$
|
|
|
- \Comment by equation \ref{eq:ls:2n}
|
|
|
- \State $V \gets V''$
|
|
|
+ \Function{Lucas}{$V, a, N$}
|
|
|
+ \State $V_1 \gets V$
|
|
|
+ \State $V_2 \gets V^2 - 2 \pmod{N}$
|
|
|
+
|
|
|
+ \For{each bit $b$ in $a$ to right of the MSB}
|
|
|
+ \If{$b$ is $0$ }
|
|
|
+ \State $V_2 \gets V_1V_2 - V \pmod{N}$
|
|
|
+ \Comment by addition %% \ref{eq:ls:addition}
|
|
|
+ \State $V_1 \gets V_1^2 -2 \pmod{N}$
|
|
|
+ \Comment by duplication %% \ref{eq:ls:duplication}
|
|
|
+ \ElsIf{$b$ is $1$}
|
|
|
+ \State $V_1 \gets V_1V_2 - V \pmod{N}$
|
|
|
+ \Comment by addition %% \ref{eq:ls:addition}
|
|
|
+ \State $V_2 \gets V_2^2 -2 \pmod{N}$
|
|
|
+ \Comment by duplication %% \ref{eq:ls:duplication}
|
|
|
\EndIf
|
|
|
- \State $a \gets a \gg 1$
|
|
|
- \EndWhile
|
|
|
- \State \Return $V, V'$
|
|
|
+ \EndFor
|
|
|
+ \State \Return $V_1$
|
|
|
\EndFunction
|
|
|
\end{algorithmic}
|
|
|
\end{algorithm}
|
|
|
|
|
|
Finally, we need the following (\cite{Williams:p+1} \S 2):
|
|
|
\begin{theorem*}[Lehmer]
|
|
|
- If $p$ is an odd prime and the Legendre symbol
|
|
|
+ Let $\Delta$ be $\tau^2-4$;
|
|
|
+ if $p$ is an odd prime and the Legendre symbol
|
|
|
$\varepsilon = \legendre{\Delta}{p}$, then:
|
|
|
\begin{align*}
|
|
|
%% & U_{(p - \varepsilon)m} \equiv 0 \pmod{p} \\
|
|
|
@@ -107,13 +109,14 @@ Finally, we need the following (\cite{Williams:p+1} \S 2):
|
|
|
|
|
|
\begin{remark}
|
|
|
From number theory we know that the probability that
|
|
|
- $\mathbb{P}\{\varepsilon = -1\} = \rfrac{1}{2}$.
|
|
|
+ $P(\varepsilon = -1) = \rfrac{1}{2}$.
|
|
|
There is no reason to restrict ourselves to
|
|
|
$\legendre{\Delta}{p} = -1$.
|
|
|
In the alternative case of $\varepsilon = 1$, the factorization yields the
|
|
|
same factors as Pollard's $p-1$ method, but slowerly.
|
|
|
- For this reason, when we look up for a $p-1$ factorization, it is advisable
|
|
|
- to attempt the attack presented in the previous chapter \cite{Williams:p+1}.
|
|
|
+ For this reason it is advisable to first attempt the attack presented in the
|
|
|
+ previous chapter \cite{Williams:p+1}whenever we look up for a $p-1$
|
|
|
+ factorization.
|
|
|
\end{remark}
|
|
|
|
|
|
|
|
|
@@ -127,12 +130,12 @@ $\gcd(V_Q -2, N)$ is a non-trial divisor of $N$.
|
|
|
|
|
|
\begin{enumerate}[(i)]
|
|
|
\item take a random, initial $\tau = V_1$; now let the \emph{base} be
|
|
|
- $\angular{V_0, V_1}$.
|
|
|
+ $\angular{V_1}$.
|
|
|
\item take the $i$-th prime in $\mathcal{P}$, starting from $0$, and call it
|
|
|
$p_i$;
|
|
|
-\item assuming the current state is $\angular{V_k, V_{k-1}}$, compute the
|
|
|
+\item assuming the current state is $\angular{V_k}$, compute the
|
|
|
successive terms of the sequence using additions and multiplications formula,
|
|
|
- until you have $\angular{V_{p_ik}, V_{p_ik - 1}}$.
|
|
|
+ until you have $\angular{V_{p_ik}}$.
|
|
|
\item just like with the Pollard $p-1$ method, repeat step (iii) for $e =
|
|
|
\ceil{\frac{\log N}{\log p_i}}$ times;
|
|
|
\item select $Q = V_k - 2 \pmod{N}$ and check the $gcd$ with $N$, hoping this
|
|
|
@@ -157,12 +160,11 @@ if $g = N$ start back from scratch, as $pq \mid g$.
|
|
|
\Require $\mathcal{P}$, the prime pool
|
|
|
\Function{Factorize}{$N, \tau$}
|
|
|
\State $V \gets \tau$
|
|
|
- \State $V' \gets 2$
|
|
|
\For{$p_i \strong{ in } \mathcal{P}$}
|
|
|
\Comment step (i)
|
|
|
\State $e \gets \log \sqrt{N} // \log p_i$
|
|
|
\For{$e \strong{ times }$}
|
|
|
- \State $V, V' \gets \textsc{lucas}(V, V', p_i, \tau)$
|
|
|
+ \State $V \gets \textsc{lucas}(V, p_i, N)$
|
|
|
\Comment step (ii)
|
|
|
\State $Q \gets V -2$
|
|
|
\State $g \gets \gcd(Q, N)$
|
Michele Orrù