\section{Mathematical and Cryptographic Preliminaries}
Throughout this paper, let $\mathbb{N}$ denote the non-negative
integers including zero, i.e. $\mathbb{N} = \{0,1,2,\ldots\}$.
+Further, let $\mathbb{Z}$ denote the integers $\mathbb{Z} = \{\ldots,-2,-1,0,1,2,\ldots\}$.
One of the most fundamental notions in mathematics is without doubt
-the term \emph{divisor}, we say for $a,c\in\mathbb{N}$,
+the term \emph{divisor}, we say for $a,c\in\mathbb{Z}$,
that \emph{$a$ divides $c$}, and write $a|c$, if there is a number $b\in\mathbb{Z}$
such that $c = a\cdot b$. Every number $n\in\mathbb{N}$ has at least
two divisors, a \emph{prime number} $p\in\mathbb{N}$ is a number $p$
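Review bot: Widening the definition of $a|c$ to $a,c\in\mathbb{Z}$ leaves the following context sentence, "Every number $n\in\mathbb{N}$ has at least two divisors", inconsistent with it. Divisors may now be negative, so every $n\geq 2$ has at least the four divisors $\pm 1$ and $\pm n$, and $n=0$ is divided by every integer. Suggest saying "positive divisors" in that sentence and in the prime definition that follows, and excluding $n=0$ and $n=1$ explicitly. The changed line is also a comma splice ("the term \emph{divisor}, we say for ..."); start a new sentence at "We say".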
\begin{itemize}
\item $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p$;
\item $\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right)$;
+ \item $\left(\frac{a^2}{p}\right) = 1$;
+ \item If $a\equiv b\pmod p$ then $\left(\frac{a}{p}\right) = \left(\frac{b}{p}\right)$;
\item $\sum_{a=0}^{p-1}\limits\left(\frac{a}{p}\right) = 0$;
\item $\left(\frac{p}{q}\right) = (-1)^{(p-1)(q-1)/4} \left(\frac{q}{p}\right)$;
- \item $\left(\frac{2}{p}\right) = (-1)^{(p^2-1)/8}$.
+ \item $\left(\frac{-1}{p}\right) = \begin{cases}
+ 1\, \qquad & p\equiv 1\pmod 4;\\
+ -1\, \qquad & p\equiv 3\pmod 4;
+ \end{cases}$
+ \item $\left(\frac{2}{p}\right) = (-1)^{(p^2-1)/8}$;
+ \end{itemize}
+ In particular, the last point specializes to
+ \begin{itemize}
+ \item $\left(\frac{2}{p}\right) = \begin{cases}1\,\qquad & \text{if $p\equiv 1$ or $p\equiv 7\pmod 8$};\\
+ -1\,\qquad & \text{if $p\equiv 3$ or $p\equiv 5\pmod 8$}.
+ \end{cases}$
+
\end{itemize}
\end{lem}
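Review bot: The added item $\left(\frac{a^2}{p}\right) = 1$ only holds when $p\nmid a$; for $a\equiv 0\pmod p$ the symbol is $0$. Unless the lemma's hypotheses (not visible in this hunk) already exclude multiples of $p$, add the condition to the item. The specialization for $\left(\frac{2}{p}\right)$ is placed in an itemize of its own with a single entry and an empty line before the closing \end{itemize}; a displayed equation after "In particular, the last point specializes to" would read better, and the new item list should end with a full stop rather than a semicolon.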
\subsubsection*{The Discrete Logarithm problem}
Consider an odd prime $p$. Let $b\in\mathbb{Z}_p$ and $0\leq x\leq p-1$.
We consider the equality $a\equiv b^x\pmod p$, and call $x$ the \emph{discrete
-logarithm} (or \emph{index}) of $a$ with respect to the basis $b$.\\
+logarithm} (or \emph{index}) of $a$ with respect to the basis $b$. It is indicated
+by $x={\rm ind}_b(a)$.\\
The Diffie-Hellmann key exchange algorithm relies on the assumption, that given $a^x$ and
$a^y$ (without knowing $x$ and $y$), the expression $a^{xy}$ can not be efficiently computed,
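Review bot: The new notation $x={\rm ind}_b(a)$ presents the index as a function of $a$, but with the range $0\leq x\leq p-1$ from the context line it is not unique: for $b\not\equiv 0$ both $x=0$ and $x=p-1$ give $b^x\equiv 1\pmod p$. Suggest restricting to $0\leq x\leq p-2$ (or to $x$ below the order of $b$) and stating that $b$ is a primitive root, or otherwise when the index exists. Wording: "It is denoted by" instead of "It is indicated by", and \operatorname{ind} or \mathrm{ind} instead of {\rm ind}.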
context means that there is an algorithm which proceeds more effective than the brute-force
method, which proceeds by computing $b^k\pmod p$ until $a\equiv b^x\pmod p$ is reached.\\
-TODO: Baby Step Giant Step Algorithm
+We will now describe the Baby-Step/Giant-Step algorithm for computing the discrete logarithm.
+Suppose we are given an odd prime $p$, an element $g\in\mathbb{Z}_p$ and $a = a_0\in\mathbb{Z}$.
+The algorithm proceeds by first compiling a table with entries $(i,t_i)$ where $t_i = g^i \pmod p$.
+The table consists of $m := \lceil \sqrt{p-1}\rceil$ entries from zero to $m-1$.
+In the next step, one computes $g^{-m}\pmod p$. If $a$ is in the second row of the table,
+on reads of the index (in the first row), otherwise it computes $a_{i+1} = a_i g^{-m}\pmod p$.
+At some stage between $i = 0$ and $m-1$ we find the index $j$ and return as solution $x=i\cdot m + j$.
\subsection{The RSA cryptosystem}
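Review bot: The index $i$ is used for two different things in the added description: the table position in $(i,t_i)$ and the giant-step counter in $a_{i+1} = a_i g^{-m}$, while $j$ in the result $x=i\cdot m + j$ is never introduced. Suggest writing the table entries as $(j,t_j)$ for $0\leq j\leq m-1$ and stating that the lookup is done on $a_i$ (the text says "If $a$ is in the second row"), so that $a_i = t_j$ yields $x = i\cdot m + j$. The description should also require $g\not\equiv 0\pmod p$ so that $g^{-m}$ exists, and say what is returned when no $a_i$ with $0\leq i\leq m-1$ is found in the table, i.e. when $a$ is not a power of $g$. The paragraph switches from base $b$ in the preceding text to $g$; pick one. Typo: "on reads of" should be "one reads off".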
But some of the coefficients $a_k$ might be zero, and hence contribute 1 to the
product. Hence, we are led to the following algorithm:
\begin{algorithm}[H]
-
\begin{algorithmic}[1]
\Require{$c\in\mathbb{Z}$, $d\in\mathbb{N}$}
\Ensure{$c^d$}
$$
The termination of the loop is a consequence of $\lfloor n/2^k\rfloor \rightarrow 0$ after
finitely many steps, i.e. there exists $k\in\mathbb{N}$ such that $\lfloor n/2^k\rfloor = 0$.
+
+\subsection{Computing Integer Roots}
+Given a number $x\in\mathbb{R}^+$, the \emph{square-root} $y := \sqrt{x}\in\mathbb{R}$ is implicit
+defined by $y^2 = x$. To not leave the field of real numbers (and introducing complex numbers), we
+restrict the domain to $\mathbb{R}^+$. However, in general, $x\in\mathbb{R}^+$ has two roots,
+$y = \pm \sqrt{x}$.\\
+
+Computing the \emph{integer-square-root} amounts to the following: Given a non-negative integer $a\in\mathbb{N}^+$,
+usually its square root is either an integer or irrational. The integer-square-root is defined as the non-negative
+integer $x\in\mathbb{N}^+$ that fulfills $x\leq \sqrt{a}<x+1$. Reformulated we immediately see that this is equivalent
+to $x := \lfloor \sqrt{a}\rfloor$. The integer-square-root is needed in the Baby-Step Giant-Step algorithm
+(recall that $\lceil x\rceil + \lfloor -x\rfloor = 0$), but also
+in algorithms for prime-factorization of integers, because the largest prime-factor of $n\in\mathbb{N}$
+does noet exceed the integer-square-root of $n$.
+We present an algorithm that computes the integer-square-root, and analyze it afterwards.
+\begin{algorithm}[H]
+\begin{algorithmic}[1]
+\Require{$a\in\mathbb{N}^+$}
+\Ensure{$x\in\mathbb{N}^+$ such that $x \leq \sqrt{a} < x+1$ or equivalently $x= \lfloor \sqrt{a}\rfloor$}
+\State $(x,y,z) \leftarrow (0,1,1)$;
+\While{$y \leq a$}
+\State $x\leftarrow x+ 1$;
+\State $z\leftarrow z+ 2$;
+\State $y\leftarrow y+ z$;
+\EndWhile
+\State\Return $x$.
+\end{algorithmic}
+ \caption{Integer-Square-Root}
+ \label{alg:2}
+\end{algorithm}
+The first step of Algorithm \ref{alg:2} is the initialization of the result $x$ and two
+temporary variables $y$ and $z$. As for the While-Loop, we observe that initially
+\begin{align}
+x = x^2 &\leq a\quad &\wedge& \quad y = x^2 + z \quad &\wedge& \quad z = 2x+1\label{eq:inv}\\
+0 &\leq a\quad &\wedge& \quad 1 = 0+1 \quad &\wedge& \quad 1 = 2\cdot 0 +1.\nonumber
+\end{align}
+We claim, that \eqref{eq:inv} is an invariant that is kept at each step of the loop. This is
+seen as follows: The tuple $(x,y,z)$ is updated to $(x',y',z')$, where
+$$
+(x',y',z') \leftarrow (x+1,y+z+2,z+2).
+$$
+Indeed,
+\begin{align*}
+y' = (x')^2 + z' &\Leftrightarrow y+z+2 = (x+1)^2 + z+2 = x^2 + 2x + 3 + z\\
+&\Leftrightarrow y = x^2 + 2x + 1 = x^2+z.
+\end{align*}
+as claimed. After finitely many iterations, we have $y > a$ and we terminate the algorithm with
+$x^2\leq a$ (as it holds in each step of the loop), and we conclude
+$$
+y > a \Leftrightarrow (x^2+z) > a \Leftrightarrow x^2+2x+1 > a \Leftrightarrow (x+1)^2 > a,
+$$
+hence we have shown $x^2\leq a < (x+1)^2$, and taking square roots shows the claim.
\appendix
\section{Listing of the developed Theory}
{\scriptsize \verbatiminput{../numbertheory.txt}}
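Review bot: The motivation sentence "the largest prime-factor of $n\in\mathbb{N}$ does noet exceed the integer-square-root of $n$" is false as stated (for $n=14$ the largest prime factor is $7$, the integer square root is $3$); the bound holds for the smallest prime factor of a composite $n$. In the same paragraph, the identity $\lceil x\rceil + \lfloor -x\rfloor = 0$ does not connect Algorithm \ref{alg:2} to the $m = \lceil\sqrt{p-1}\rceil$ needed by Baby-Step/Giant-Step, since the algorithm cannot be applied to $-\sqrt{a}$; state instead that the ceiling equals $x$ if $x^2 = a$ and $x+1$ otherwise. In \eqref{eq:inv} the first conjunct reads "$x = x^2 \leq a$" and should be "$x^2\leq a$". The invariance argument only verifies $y' = (x')^2 + z'$; it should also show $z' = 2x'+1$ and $(x')^2\leq a$, the latter from the loop guard $y\leq a$ together with $y = (x+1)^2$. Termination ("After finitely many iterations") needs one line: $y$ increases strictly in every pass. Finally, $\mathbb{N}^+$ is not defined in the preliminaries and is described as "non-negative" here; and "implicit defined", "does noet" need fixing.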