From: Christoph Fuerst <ch.fuerst@gmx.at>
Date: Sun, 2 Apr 2017 10:13:36 +0000 (+0200)
Subject: Described Integer Square Root
X-Git-Url: http://git.risc.jku.at/gitweb/?a=commitdiff_plain;h=295d280d05eefc39f6f5d4fce16424d8bd523b2d;p=cfuerst%2Fformal-numbers.git

Described Integer Square Root
---

diff --git a/report/formal.pdf b/report/formal.pdf
index 90947c5..8af4496 100644
Binary files a/report/formal.pdf and b/report/formal.pdf differ
diff --git a/report/formal.tex b/report/formal.tex
index a487560..ac8c8bf 100644
--- a/report/formal.tex
+++ b/report/formal.tex
@@ -57,8 +57,9 @@ systems.
 \section{Mathematical and Cryptographic Preliminaries}
 Throughout this paper, let $\mathbb{N}$ denote the non-negative
 integers including zero, i.e. $\mathbb{N} = \{0,1,2,\ldots\}$.
+Further, let $\mathbb{Z}$ denote the integers $\mathbb{Z} = \{\ldots,-2,-1,0,1,2,\ldots\}$.
 One of the most fundamental notions in mathematics is without doubt
-the term \emph{divisor}, we say for $a,c\in\mathbb{N}$,
+the term \emph{divisor}, we say for $a,c\in\mathbb{Z}$,
 that \emph{$a$ divides $c$}, and write $a|c$, if there is a number $b\in\mathbb{Z}$
 such that $c = a\cdot b$. Every number $n\in\mathbb{N}$ has at least
 two divisors, a \emph{prime number} $p\in\mathbb{N}$ is a number $p$
@@ -176,9 +177,22 @@ $$
 \begin{itemize}
  \item $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p$;
  \item $\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right)$;
+ \item $\left(\frac{a^2}{p}\right) = 1$;
+ \item If $a\equiv b\pmod p$ then $\left(\frac{a}{p}\right) = \left(\frac{b}{p}\right)$;
  \item $\sum_{a=0}^{p-1}\limits\left(\frac{a}{p}\right) = 0$;
  \item $\left(\frac{p}{q}\right) = (-1)^{(p-1)(q-1)/4} \left(\frac{q}{p}\right)$;
- \item $\left(\frac{2}{p}\right) = (-1)^{(p^2-1)/8}$.
+ \item $\left(\frac{-1}{p}\right) = \begin{cases}
+                                     1\, \qquad & p\equiv 1\pmod 4;\\
+                                     -1\, \qquad & p\equiv 3\pmod 4;
+                                    \end{cases}$
+ \item $\left(\frac{2}{p}\right) = (-1)^{(p^2-1)/8}$;
+ \end{itemize}
+ In particular, the last point specializes to
+ \begin{itemize}
+ \item $\left(\frac{2}{p}\right) = \begin{cases}1\,\qquad & \text{if $p\equiv 1$ or $p\equiv 7\pmod 8$};\\
+ -1\,\qquad & \text{if $p\equiv 3$ or $p\equiv 5\pmod 8$}.
+ \end{cases}$
+
 \end{itemize}
 
 \end{lem}
@@ -187,7 +201,8 @@ $$
 \subsubsection*{The Discrete Logarithm problem}
 Consider an odd prime $p$. Let $b\in\mathbb{Z}_p$ and $0\leq x\leq p-1$.
 We consider the equality $a\equiv b^x\pmod p$, and call $x$ the \emph{discrete
-logarithm} (or \emph{index}) of $a$ with respect to the basis $b$.\\
+logarithm} (or \emph{index}) of $a$ with respect to the basis $b$. It is indicated
+by $x={\rm ind}_b(a)$.\\
 
 The Diffie-Hellmann key exchange algorithm relies on the assumption, that given $a^x$ and
 $a^y$ (without knowing $x$ and $y$), the expression $a^{xy}$ can not be efficiently computed,
@@ -195,7 +210,13 @@ i.e. the discrete logarithm problem is not effectively solvable. Effective solva
 context means that there is an algorithm which proceeds more effective than the brute-force
 method, which proceeds by computing $b^k\pmod p$ until $a\equiv b^x\pmod p$ is reached.\\
 
-TODO: Baby Step Giant Step Algorithm
+We will now describe the Baby-Step/Giant-Step algorithm for computing the discrete logarithm.
+Suppose we are given an odd prime $p$, an element $g\in\mathbb{Z}_p$ and $a = a_0\in\mathbb{Z}$.
+The algorithm proceeds by first compiling a table with entries $(i,t_i)$ where $t_i = g^i \pmod p$.
+The table consists of $m := \lceil \sqrt{p-1}\rceil$ entries from zero to $m-1$.
+In the next step, one computes $g^{-m}\pmod p$. If $a$ is in the second row of the table,
+on reads of the index (in the first row), otherwise it computes $a_{i+1} = a_i g^{-m}\pmod p$.
+At some stage between $i = 0$ and $m-1$ we find the index $j$ and return as solution $x=i\cdot m + j$.
 
 
 \subsection{The RSA cryptosystem}
@@ -250,7 +271,6 @@ $c^d \equiv c^{a_0}\cdot (c^{2})^{a_1} \cdot \ldots (c^{2^m})^{a_m}$.
 But some of the coefficients $a_k$ might be zero, and hence contribute 1 to the
 product. Hence, we are led to the following algorithm:
 \begin{algorithm}[H]
-
 \begin{algorithmic}[1]
 \Require{$c\in\mathbb{Z}$, $d\in\mathbb{N}$}
 \Ensure{$c^d$}
@@ -304,6 +324,58 @@ y \leq y' \text{ and }
 $$
 The termination of the loop is a consequence of $\lfloor n/2^k\rfloor \rightarrow 0$ after
 finitely many steps, i.e. there exists $k\in\mathbb{N}$ such that $\lfloor n/2^k\rfloor = 0$.
+
+\subsection{Computing Integer Roots}
+Given a number $x\in\mathbb{R}^+$, the \emph{square-root} $y := \sqrt{x}\in\mathbb{R}$ is implicit
+defined by $y^2 = x$. To not leave the field of real numbers (and introducing complex numbers), we
+restrict the domain to $\mathbb{R}^+$. However, in general, $x\in\mathbb{R}^+$ has two roots,
+$y = \pm \sqrt{x}$.\\
+
+Computing the \emph{integer-square-root} amounts to the following: Given a non-negative integer $a\in\mathbb{N}^+$,
+usually its square root is either an integer or irrational. The integer-square-root is defined as the non-negative
+integer $x\in\mathbb{N}^+$ that fulfills $x\leq \sqrt{a}<x+1$. Reformulated we immediately see that this is equivalent
+to $x := \lfloor \sqrt{a}\rfloor$. The integer-square-root is needed in the Baby-Step Giant-Step algorithm 
+(recall that $\lceil x\rceil + \lfloor -x\rfloor = 0$), but also
+in algorithms for prime-factorization of integers, because the largest prime-factor of $n\in\mathbb{N}$ 
+does noet exceed the integer-square-root of $n$. 
+We present an algorithm that computes the integer-square-root, and analyze it afterwards.
+\begin{algorithm}[H]
+\begin{algorithmic}[1]
+\Require{$a\in\mathbb{N}^+$}
+\Ensure{$x\in\mathbb{N}^+$ such that $x \leq \sqrt{a} < x+1$ or equivalently $x= \lfloor \sqrt{a}\rfloor$}
+\State $(x,y,z) \leftarrow (0,1,1)$;
+\While{$y \leq a$}
+\State $x\leftarrow x+ 1$;
+\State $z\leftarrow z+ 2$;
+\State $y\leftarrow y+ z$;
+\EndWhile
+\State\Return $x$.
+\end{algorithmic}
+        \caption{Integer-Square-Root}
+        \label{alg:2}
+\end{algorithm}
+The first step of Algorithm \ref{alg:2} is the initialization of the result $x$ and two
+temporary variables $y$ and $z$. As for the While-Loop, we observe that initially 
+\begin{align}
+x = x^2 &\leq a\quad  &\wedge& \quad y = x^2 + z \quad &\wedge& \quad z = 2x+1\label{eq:inv}\\
+0 &\leq a\quad &\wedge& \quad 1 = 0+1 \quad &\wedge& \quad 1 = 2\cdot 0 +1.\nonumber
+\end{align}
+We claim, that \eqref{eq:inv} is an invariant that is kept at each step of the loop. This is
+seen as follows: The tuple $(x,y,z)$ is updated to $(x',y',z')$, where 
+$$
+(x',y',z') \leftarrow (x+1,y+z+2,z+2).
+$$
+Indeed, 
+\begin{align*}
+y' = (x')^2 + z' &\Leftrightarrow y+z+2 = (x+1)^2 + z+2 = x^2 + 2x + 3 + z\\
+&\Leftrightarrow y = x^2 + 2x + 1 = x^2+z.
+\end{align*}
+as claimed. After finitely many iterations, we have $y > a$ and we terminate the algorithm with
+$x^2\leq a$ (as it holds in each step of the loop), and we conclude 
+$$
+y > a \Leftrightarrow (x^2+z) > a \Leftrightarrow x^2+2x+1 > a \Leftrightarrow (x+1)^2 > a,
+$$
+hence we have shown $x^2\leq a < (x+1)^2$, and taking square roots shows the claim.
 \appendix
 \section{Listing of the developed Theory}
 {\scriptsize \verbatiminput{../numbertheory.txt}}