Domů Procházet Nápověda
Přihlásit se
maker
/
bachelor
Sledovat 1
Oblíbit 0
Rozštěpit 0
Soubory Úkoly 0 Pull Requesty 0 Wiki
Strom: e309ea4750
Větve Značky
bachelor
/
book
/
fermat.tex

fermat.tex 6.3 KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157 
  1. \chapter{Fermat's Factorization Algorithm \label{chap:fermat}}
    2. 

  2. 

  3. Excluding the trial division, Fermat's method is the oldest known systematic
    4. 

  4. method for factorizing integers. Even if its algorithmic complexity is not
    5. 

  5. among the most efficient, it holds still a practical interest whenever
    6. 

  6. the two primes are sufficiently close.
    7. 

  7. Indeed, \cite{DSS2009} \S B.3.6 explicitly recommends that
    8. 

  8. $|p-q| \geq \sqrt{N}2^{-100}$
    9. 

  9. for any key of bitlength $1024,\ 2048,\ 3072$ in order to address this kind of
    10. 

  10. threat.\\
    11. 

  11. %% it would be nice here to explain that this magic 2^100 is just about wonting
    12. 

  12. %% the most significant digits to be different.
    13. 

  13. The basic idea is to attempt to write $N$ as a difference of squares,
    14. 

  14. \begin{align}
    15. 

  15. \label{eq:fermat_problem}
    16. 

  16. x^2 - N = y^2
    17. 

  17. \end{align}
    18. 

  18. 

  19. So, we start by $x = \ceil{\sqrt{N}}$ and check that $x^2-N$ is a perfect
    20. 

  20. square. If it isn't, we iteratively increment $x$ and check again, until we
    21. 

  21. find a pair $\angular{x, y}$ satisfying equation \ref{eq:fermat_problem}.
    22. 

  22. Once found, we claim that $N = pq = (x+y)(x-y)$; it is indeed true that, if we
    23. 

  23. decompose $x^2 - y^2$ as difference of squares, then it is immediately clear
    24. 

  24. that $x+y \mid N \ \land \  x-y \mid N$, and that both are non-trivial
    25. 

  25. divisors.
    26. 

  26. 

  27. \paragraph{Complexity} \cite{riesel} contains a detailed proof for the
    28. 

  28. complexity of this algorithm, which is
    29. 

  29. $\bigO{\frac{(1-k)^2}{2k} \sqrt{N}} \;\;,  0 < k < 1$. We summarize it down
    30. 

  30. below here to better clarify the limits of this algorithm.
    31. 

  31. 

  32. \begin{proof}
    33. 

  33.   Since, once we reach the final step $x_f$ it holds $N = pq = x_f^2 - y_f^2$,
    34. 

  34.   the number of steps required to reach the result is:
    35. 

  35.   \begin{align*}
    36. 

  36.     x_f - \sqrt{N} &= \frac{p + q}{2} - \sqrt{N} \\
    37. 

  37.                    &= \frac{p + \frac{N}{p}}{2} - \sqrt{N} \\
    38. 

  38.                    &= \frac{(\sqrt{N} - p)^2}{2p}
    39. 

  39.   \end{align*}
    40. 

  40.   If we finally suppose that $p = k\sqrt{N}, \; 0 < k < 1$, then the number of cycles
    41. 

  41.   becomes
    42. 

  42.   $\frac{(1-k)^2}{2k} \sqrt{N}$.
    43. 

  43. \end{proof}
    44. 

  44. 

  45. \begin{remark}
    46. 

  46.   Note that, for the algorithm to be effective, the two primes must be
    47. 

  47.   ``really close'' to $\sqrt{N}$. As much as the lowest prime gets near to
    48. 

  48.   $1$, the ratio $\frac{(1-k)^2}{2k}$ becomes larger, until the actual magnitude
    49. 

  49.   of this factorization method approaches \bigO{N}.
    50. 

  50. \end{remark}
    51. 

  51. 

  52. \section{An Implementation Perspective \label{sec:fermat:implementation}}
    53. 

  53. 

  54. At each iteration, the $i-$th state is hold by the pair $\angular{x, x^2}$.\\
    55. 

  55. The later step, described by $\angular{x+1, (x+1)^2}$ can be computed efficiently
    56. 

  56. considering the square of a binomial: $\angular{x+1, (x^2) + (x \ll 1) + 1}$.
    57. 

  57. The upper-bound, instead, is reached when
    58. 

  58. $ \Delta = p - q  = x + y - x + y = 2y > 2^{-100}\sqrt{N}$.
    59. 

  59. 

  60. Algorithm ~\ref{alg:fermat} presents a simple implementation of this
    61. 

  61. factorization method, taking into account the small optimizations
    62. 

  62. aforementioned.
    63. 

  63. 

  64. \begin{algorithm}[H]
    65. 

  65.   \caption{Fermat Factorization \label{alg:fermat}}
    66. 

  66.   \begin{algorithmic}[1]
    67. 

  67.     \State $x \gets \floor{\sqrt{N}}$
    68. 

  68.     \State $x^2 \gets xx$
    69. 

  69. 

  70.     \Repeat
    71. 

  71.     \State $x \gets x+1$
    72. 

  72.     \State $x^2 \gets x^2 + x \ll 1 + 1$
    73. 

  73.     \State $y, rest \gets \dsqrt{x^2 - N}$
    74. 

  74.     \Until{ $rest \neq 0 \land y < \frac{\sqrt{N}}{2^{101}}$ }
    75. 

  75. 

  76.     \If{ $rest = 0$ }
    77. 

  77.     \State $p \gets x+y$
    78. 

  78.     \State $q \gets x-y$
    79. 

  79.     \State \Return $p, q$
    80. 

  80.     \Else
    81. 

  81.     \State \Return \textbf{nil}
    82. 

  82.     \EndIf
    83. 

  83.     \end{algorithmic}
    84. 

  84. \end{algorithm}
    85. 

  85. 

  86. \paragraph{How to chose the upper limit?}  Our choice of keeping straight with
    87. 

  87. the limits of the standard is a mere choice of commodity: we are interested in
    88. 

  88. finding public keys  not respecting it. Though, it it worth noting that what this
    89. 

  89. limit \emph{states} is that at least one of the most significant $100$ bits
    90. 

  90. should be different between the two primes:
    91. 

  91. 

  92. \begin{bytefield}[
    93. 

  93.   endianness=big,
    94. 

  94.   bitwidth=1.5em,
    95. 

  95. %  bitformatting=\fakerange,
    96. 

  96.   ]{16}
    97. 

  97.   \\
    98. 

  98. %  \bitheader{}
    99. 

  99.   \\[1px]
    100. 

  100.   \begin{rightwordgroup}{$2^{\log{\frac{N}{2}}-100}$}
    101. 

  101.     \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} &
    102. 

  102.     \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} &
    103. 

  103.     \bitbox{3}{\tiny $\cdots$} &
    104. 

  104.     \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} &
    105. 

  105.     \bitbox{1}{0} & \bitbox{1}{1} & \bitbox{1}{0} & \bitbox{1}{0} &
    106. 

  106.     \bitbox{5}{\tiny $\cdots$}    & \bitbox{1}{0} & \bitbox{1}{0} &
    107. 

  107.   \end{rightwordgroup}
    108. 

  108.   \\[1ex]
    109. 

  109.   \wordbox[]{1}{} &&
    110. 

  110.   \\[1ex]
    111. 

  111.   \begin{rightwordgroup}{$p$}
    112. 

  112.     \bitbox{1}{0} & \bitbox{1}{1} & \bitbox{1}{0} & \bitbox{1}{0} &
    113. 

  113.     \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{1} & \bitbox{1}{1} &
    114. 

  114.     \bitbox{3}{\tiny $\cdots$} &
    115. 

  115.     \bitbox{1}{0} & \bitbox{1}{1} & \bitbox{1}{0} & \bitbox{1}{0} &
    116. 

  116.     \bitbox{1}{0} &
    117. 

  117.     \colorbitbox{lightgray}{1}{1} & \colorbitbox{lightgray}{1}{0} &
    118. 

  118.     \colorbitbox{lightgray}{1}{0} &
    119. 

  119.     \colorbitbox{lightgray}{6}{\tiny{$\cdots$ least signif. bits $\cdots$}} &
    120. 

  120.     \colorbitbox{lightgray}{1}{0} &
    121. 

  121.   \end{rightwordgroup}
    122. 

  122.   \\[1ex]
    123. 

  123.   \begin{rightwordgroup}{$q$}
    124. 

  124.     \bitbox{1}{0} & \bitbox{1}{1} & \bitbox{1}{0} & \bitbox{1}{0} &
    125. 

  125.     \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{1} &
    126. 

  126.     \bitbox{3}{\tiny $\cdots$} &
    127. 

  127.     \bitbox{1}{0} & \bitbox{1}{1} & \bitbox{1}{0} & \bitbox{1}{0} &
    128. 

  128.     \bitbox{1}{0} &
    129. 

  129.     \colorbitbox{lightgray}{1}{0} & \colorbitbox{lightgray}{1}{0} &
    130. 

  130.     \colorbitbox{lightgray}{1}{0} &
    131. 

  131.     \colorbitbox{lightgray}{6}{\tiny{$\cdots$ least signif. bits $\cdots$}} &
    132. 

  132.     \colorbitbox{lightgray}{1}{0} &
    133. 

  133.   \end{rightwordgroup}
    134. 

  134. \end{bytefield}
    135. 

  135. \vspace{20pt}
    136. 

  136. 

  137. For example, in the case of a RSA key $1024$, the binary difference between $p$
    138. 

  138. and $q$ has to be greater than $2^{412}$, which means that, excluding corner-cases
    139. 

  139. where the remainder is involved, there must be at least one difference in the
    140. 

  140. top 100 most significant bits for the key to be considered safe.
    141. 

  141. 

  142. 

  143. \section{Thoughts about a parallel solution}
    144. 

  144. 

  145. At first glance we might be willing to split the entire interval
    146. 

  146. $\{ \ceil{\sqrt{N}}, \ldots, N-1 \}$ in equal parts, one assigned to per each
    147. 

  147. node. However, this would not be any more efficient than the trial division
    148. 

  148. algorithm, and nevertheless it is worth noting that during each single iteration,
    149. 

  149. the computational complexity is dominated by the square root $\dsqrt$ function,
    150. 

  150. which belongs to the class \bigO{\log^2 N}, as we saw in section
    151. 

  151. ~\ref{sec:preq:sqrt}. Computing separatedly $x^2$ would add an overhead of the
    152. 

  152. same order of magnitude \bigO{\log^2 N}, and thus result in a complete waste of
    153. 

  153. resources.
    154. 

  154. %%% Local Variables:
    155. 

  155. %%% TeX-master: "question_authority.tex"
    156. 

  156. %%% End:
    157. 

  157.