Home Explore Help
Sign In
maker
/
bachelor
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: a515a5d047
Branches Tags
bachelor
/
book
/
fermat.tex

fermat.tex 6.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165 
  1. \chapter{Fermat's factorization method \label{chap:fermat}}
    2. 

  2. 

  3. Excluding the trial division, Fermat's method is the oldest known systematic
    4. 

  4. method for factorizing integers. Even if its algorithmic complexity is not
    5. 

  5. among the most efficient, it holds still a practical interest whenever
    6. 

  6. the two primes are sufficiently close.
    7. 

  7. Indeed, \cite{DSS2009} \S B.3.6 explicitly recommends that
    8. 

  8. $|p-q| \geq \sqrt{N}2^{-100}$
    9. 

  9. for any key of bitlength $1024,\ 2048,\ 3072$ in order to address this kind of
    10. 

  10. threat.\\
    11. 

  11. %% it would be nice here to explain that this magic 2^100 is just about wonting
    12. 

  12. %% the most significant digits to be different.
    13. 

  13. The basic idea is to attempt to write $N$ as a difference of squares,
    14. 

  14. \begin{align}
    15. 

  15. \label{eq:fermat_problem}
    16. 

  16. x^2 - N = y^2
    17. 

  17. \end{align}
    18. 

  18. 

  19. So, we start by $x = \ceil{\sqrt{N}}$ and check that $x^2-N$ is a perfect
    20. 

  20. square. If it isn't, we iteratively increment $x$ and check again, until we
    21. 

  21. find a pair $\angular{x, y}$ satisfying equation \ref{eq:fermat_problem}.
    22. 

  22. Once found, we claim that $N = pq = (x+y)(x-y)$; it is indeed true that, if we
    23. 

  23. decompose $x^2 - y^2$ as difference of squares, then it is immediately clear
    24. 

  24. that $x+y \mid N \ \land \  x-y \mid N$, and that both are non-trivial
    25. 

  25. divisors.
    26. 

  26. 

  27. \paragraph{Complexity} \cite{riesel} contains a detailed proof for the
    28. 

  28. complexity of this algorithm, which is
    29. 

  29. $\bigO{\frac{(1-k)^2}{2k} \sqrt{N}} \;\;,  0 < k < 1$. We summarize it down
    30. 

  30. below here to better clarify the limits of this algorithm.
    31. 

  31. 

  32. \begin{proof}
    33. 

  33.   Since, once we reach the final step $x_f$ it holds $N = pq = x_f^2 - y_f^2$,
    34. 

  34.   the number of steps required to reach the result is:
    35. 

  35.   \begin{align*}
    36. 

  36.     x_f - \sqrt{N} &= \frac{p + q}{2} - \sqrt{N} \\
    37. 

  37.                    &= \frac{p + \frac{N}{p}}{2} - \sqrt{N} \\
    38. 

  38.                    &= \frac{(\sqrt{N} - p)^2}{2p}
    39. 

  39.   \end{align*}
    40. 

  40.   If we finally suppose that $p = k\sqrt{N}, \; 0 < k < 1$, then the number of cycles
    41. 

  41.   becomes
    42. 

  42.   $\frac{(1-k)^2}{2k} \sqrt{N}$.
    43. 

  43. \end{proof}
    44. 

  44. 

  45. \begin{remark}
    46. 

  46.   Note that, for the algorithm to be effective, the two primes must be
    47. 

  47.   ``really close'' to $\sqrt{N}$. As much as the lowest prime gets near to
    48. 

  48.   $1$, the ratio $\frac{(1-k)^2}{2k}$ becomes larger, until the actual magnitude
    49. 

  49.   of this factorization method approaches \bigO{N}.
    50. 

  50. \end{remark}
    51. 

  51. 

  52. \section{An Implementation Perspective \label{sec:fermat:implementation}}
    53. 

  53. 

  54. At each iteration, the $i-$th state is hold by the pair $\angular{x, x^2}$.\\
    55. 

  55. The later step, described by $\angular{x+1, (x+1)^2}$ can be computed efficiently
    56. 

  56. considering the square of a binomial: $\angular{x+1, x^2 + 2x + 1}$.
    57. 

  57. The upper-bound, instead, is reached when
    58. 

  58. $ \Delta = p - q  = x + y - x + y = 2y > 2^{-100}\sqrt{N}$.
    59. 

  59. 

  60. Algorithm ~\ref{alg:fermat} presents a simple implementation of this
    61. 

  61. factorization method, taking into account the small optimizations
    62. 

  62. aforementioned.
    63. 

  63. 

  64. \begin{algorithm}[H]
    65. 

  65.   \caption{Fermat Factorization \label{alg:fermat}}
    66. 

  66.   \begin{algorithmic}[1]
    67. 

  67.     \Function{fermat}{\PKArg}
    68. 

  68.     \State $x \gets \floor{\sqrt{N}}$
    69. 

  69.     \State $x' \gets x \cdot x$
    70. 

  70. 

  71.     \Repeat
    72. 

  72.     \State $x' \gets x' + 2x + 1$
    73. 

  73.     \State $x \gets x+1$
    74. 

  74.     \State $y, rest \gets \dsqrt{x' - N}$
    75. 

  75.     \Until{ $rest \neq 0 \strong{ and } y < \frac{\sqrt{N}}{2^{101}}$ }
    76. 

  76.     \Comment i.e., \ref{eq:fermat_problem} holds?
    77. 

  77. 

  78.     \If{ $rest = 0$ }
    79. 

  79.     \State $p \gets x+y$
    80. 

  80.     \State $q \gets x-y$
    81. 

  81.     \State \Return $p, q$
    82. 

  82.     \Else
    83. 

  83.     \State \Return \textbf{nil}
    84. 

  84.     \EndIf
    85. 

  85.     \EndFunction
    86. 

  86.     \end{algorithmic}
    87. 

  87. \end{algorithm}
    88. 

  88. 

  89. \paragraph{How to chose the upper limit?}  Our choice of keeping straight with
    90. 

  90. the limits of the standard is a mere choice of commodity: we are interested in
    91. 

  91. finding public keys  not respecting the standard.
    92. 

  92. Though, it is worth noting that what this limit \emph{states} is that at least
    93. 

  93. one of the most significant $100$ bits should be different between the two
    94. 

  94. primes:
    95. 

  95. 

  96. \begin{bytefield}[
    97. 

  97.   endianness=big,
    98. 

  98.   bitwidth=1.35em,
    99. 

  99.   % bitformatting=\fakerange,
    100. 

  100.   ]{16}
    101. 

  101.   \\
    102. 

  102.   % \bitheader{}
    103. 

  103.   \\[1px]
    104. 

  104.   \begin{rightwordgroup}{\small{$2^{\frac{\log N}{2}-100}$}}
    105. 

  105.     \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} &
    106. 

  106.     \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} &
    107. 

  107.     \bitbox{3}{\tiny $\cdots$} &
    108. 

  108.     \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} &
    109. 

  109.     \bitbox{1}{0} & \bitbox{1}{1} & \bitbox{1}{0} & \bitbox{1}{0} &
    110. 

  110.     \bitbox{3}{\tiny $\cdots$}    & \bitbox{1}{0} & \bitbox{1}{0} &
    111. 

  111.   \end{rightwordgroup}
    112. 

  112.   \\[1ex]
    113. 

  113.   \wordbox[]{1}{} &&
    114. 

  114.   \\[1ex]
    115. 

  115.   \begin{rightwordgroup}{$p$}
    116. 

  116.     \bitbox{1}{0} & \bitbox{1}{1} & \bitbox{1}{0} & \bitbox{1}{0} &
    117. 

  117.     \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{1} & \bitbox{1}{1} &
    118. 

  118.     \bitbox{3}{\tiny $\cdots$} &
    119. 

  119.     \bitbox{1}{0} & \bitbox{1}{1} & \bitbox{1}{0} & \bitbox{1}{0} &
    120. 

  120.     \bitbox{1}{0} &
    121. 

  121.     \colorbitbox{lightgray}{1}{1} & \colorbitbox{lightgray}{1}{0} &
    122. 

  122.     \colorbitbox{lightgray}{1}{0} &
    123. 

  123.     \colorbitbox{lightgray}{4}{\tiny{$\cdots$ LSB $\cdots$}} &
    124. 

  124.     \colorbitbox{lightgray}{1}{0} &
    125. 

  125.   \end{rightwordgroup}
    126. 

  126.   \\[1ex]
    127. 

  127.   \begin{rightwordgroup}{$q$}
    128. 

  128.     \bitbox{1}{0} & \bitbox{1}{1} & \bitbox{1}{0} & \bitbox{1}{0} &
    129. 

  129.     \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{1} &
    130. 

  130.     \bitbox{3}{\tiny $\cdots$} &
    131. 

  131.     \bitbox{1}{0} & \bitbox{1}{1} & \bitbox{1}{0} & \bitbox{1}{0} &
    132. 

  132.     \bitbox{1}{0} &
    133. 

  133.     \colorbitbox{lightgray}{1}{0} & \colorbitbox{lightgray}{1}{0} &
    134. 

  134.     \colorbitbox{lightgray}{1}{0} &
    135. 

  135.     \colorbitbox{lightgray}{4}{\tiny{$\cdots$ LSB $\cdots$}} &
    136. 

  136.     \colorbitbox{lightgray}{1}{0} &
    137. 

  137.   \end{rightwordgroup}
    138. 

  138. \end{bytefield}
    139. 

  139. \vfill
    140. 

  140. 

  141. For example, in the case of a RSA key $1024$, the binary difference between $p$
    142. 

  142. and $q$ has to be greater than $2^{412}$, which means that, excluding corner-cases
    143. 

  143. where the remainder is involved, there must be at least one difference in the
    144. 

  144. top 100 most significant bits for the key to be considered safe.
    145. 

  145. 

  146. 

  147. \section{Thoughts about a parallel solution}
    148. 

  148. 

  149. At first glance we might be willing to split the entire interval
    150. 

  150. $\{ \ceil{\sqrt{N}}, \ldots, N-1 \}$ in equal parts, one per each
    151. 

  151. node. However, this would not be any more efficient than the trial division
    152. 

  152. algorithm, and nevertheless during each single iteration, the computational
    153. 

  153. complexity is dominated by the square root $\dsqrt$ function, which belongs to
    154. 

  154. the class \bigO{\log^2 N}, as we saw in section ~\ref{sec:preq:sqrt}.
    155. 

  155. Computing separatedly $x^2$ would add an overhead of the same order of magnitude
    156. 

  156. \bigO{\log^2 N}, and thus result in a complete waste of resources.
    157. 

  157. 

  158. %%As a result of this, we advice the use of a strictly limited number of
    159. 

  159. %%processors - like two or three - performing in parallel fermat's factorization
    160. 

  160. %%method over different intervals.
    161. 

  161. 

  162. %%% Local Variables:
    163. 

  163. %%% TeX-master: "question_authority.tex"
    164. 

  164. %%% End:
    165. 

  165.