maqp/gist:ced7e90f70131f95f6465a7f782acf1b

## gistfile1.txt
I had a chat with a buddy of mine (Topi Talvitie) who's a postdoc researcher here at Helsinki Uni.
He reverse engineered the logic on how a fake solver algorithm, such as the one by Grant's, can be created.
I've tried to to translate it the best I can:

-------------

The goal is to find integers p and q so that pq = N [N being the public key].

The problem is then rephrased so that the goal is to find a single integer C = (p+q) / 2.
This is because finding the value of a single variable appears easier than solving an equation with two variables.

This works because if C is known, then evidently

    p = C - A, and
    q = C + A

with some A which is easy to find:

N
  = pq
  = (C-A) * (C+A)
  = C² - A²

and then,

A² = C² - N
A  = √(C² - N)

The only requirement for C is, A needs to be an integer.
Because the requirement resembles the Pythagorean Theorem, a new value is defined: B = √(N),

The goal is now to find C in a situation where A = √(C² - B²) and where A is an integer.

So again, the goal is to find hypotenuse C in an equation where one cathetus is B, and the other cathetus A is an integer.
The next step is to add further obfuscation with binomial square rule: C² - B² = (C - B) (C + B)
But this obfuscation is too easy, so the variable, that needs to be solved, is swapped. Instead of C, the goal now is to solve w = C - B.
Now, the C²-B² can be swapped to less suspicious form w * (2B + w).
Now the goal is to find w so that the variable C = w+B and A = √(w * (2B + w)) where both A and C are integers.
The requirement "w+B needs to be an integer" seems out of place, so it is fixed by defining r = ceil(B) - B, and by switching the variable x = w-r.
Thus, w = x+r. Now,

w+B
= x +       r     + B
= x + ceil(B) - B + B
= x + ceil(B)

x+ceil(B) is an integer iff x is an integer.

Now the goal is to find x so that A = √( (x+r) * ((2B) + (x+r))  ) where A is an integer.

------------------

The rest is my own handwriting based on Topi's work:

One thing that needs doing is to fix Grant's mistake of saying (x+r) * ((2B) + (x+r)) solves A, it actually solves A².

So there you have it, the bullshit algorithm can trivially be expanded from the intial problem,
but only if you have the prime factors ready, creating the algorithm started from 89*137=12193.


-----------------

To show this step by step with real numbers:

12193

  = 89 * 137             Since we're designing the scam algorithm, we can be clever and start with the solution p=89, q=137.
                         This is simply because we know it's impossible to factor semiprimes in constant time. The only
                         way that can be done is if we know the answer beforehand.

                         But for our scam to succeed, we need to obfuscate the fact we knew the prime factors. The
                         obfuscation is done in the next step, and for that we'll need to define two values:

                         Middle point between the two primes = (89+137) / 2
                                                             = 226      / 2
                                                             = 113

                         The distance of each prime from middle point (113)
                                      |137 - 113| = 24
                                      |89  - 113| = 24

  = (113-24) * (113+24)  Now, to obfuscate that the algorithm has the values of the primes baked in, we express
                         them with the two values defined above: middle point +- distance from middle point.

                         This single layer of obfuscation is trivial to detect. For next obfuscation we realize
                         the current representation of the primes is aching to the binomial square rule:
                             a²-b² = (a+b)(a-b)

                         So we'll use the rule to hide the middlepoint+distance data inside two perfect square values:

  = 113² - 24²           On this line, the binomial square obfuscation is in place.

                         Furthermore, now the equation is of form
                             12193 = 113² - 24²

                         This form reminds us of the Pythagorean theorem (A² + B² = C²) and more specifically,
                         how a single cathetus is solved from the hypothenuse and the other cathetus:
                             B²    =  C²  - A²

                         We can now draw the triangle, and write down the sides:
                             * cathetus   A = 24
                             * cathetus   B = √(12193) = 110.421918114
                             * hypotenuse C = 113

                         We also do a quick check for constraints for value A, i.e. that it must be an integer:
                             A² =   C² - N
                             A  = √(C² - N)

At this point we've succeeded in hiding the prime factors inside the values 24 and 113.
We realize we can e.g. use the two values to define the shape of a right-angle triangle.
We now need to be able to claim we can factor the semiprime B² with the help of Pythagoras.
That will season our scam with some ancient rules of mathematics and is intuitive for
everyone who learned the Pythagorean Theorem at the basic school.

But there's a problem: Just like how the attacker can't deduce primes p and q from public key,
the attacker can't define the shape of the triangle from just the length of one cathetus
B = sqrt(public key)).

But if we can make it appear we have a solver for e.g. the cathetus A, that works when
given just the cathetus B, we can then retrieve from the triangle the values we hid there
in the first place, and claim we've solved the semiprime factoring problem!

    So let's create a fake algorithm for solving A, by starting from the obvious Pythagorean cathetus solver:

             A  = √(  C² -  B²)
             A² =     C² -  B²
                =   113² - 24²

     The binomial square obfuscation we used to hide the primes p and q is too easy to detect, so we
     add further obfuscation by swapping variables, first by defining
         w =  C  - B
           = 113 - 110.421918114
           = 2.578081885886448

     We then can express the hypotenuse as sum of two long floating point numbers:
         C = 113
           = B + w
           = 110.421918114 + 2.578081885886448

     Now, that we can replace C with B+w, the very revealing A² = C²-B² can be obfuscated to less suspicious form:

         A² =       C²           - B²
            =    (B + w)²        - B²
            = (B + w)(B + w)     - B²
            = B² + wB + wB + w²  - B²

            = wB+wB + w² + B²-B²
            = wB+wB + w²
            = w(B+B + w)
            = w(2B  + w) <--- This final reduced form (pay attention to this we'll come back to it in just a moment):

            = 2.578081885886448 * (2*110.421918114 + 2.578081885886448)

            We can double-check our scam solver algorithm works by copy-pasting the equation to e.g. wolframalpha.com
                24² == 2.578081885886448 * (2*110.421918114 + 2.578081885886448)

     ---

     Next, to hide the seemingly weird requirement that w+B (=C) must be an integer, we introduce another variable
         r = ceil(B) - B
         r = 111 - 110.421918114
         r = 0.5780818858864478

     We then craft yet another variable x that depends on r:
         x = w-r
         x = 2.5780818 - 0.5780818
         x = 2

     Now we've moved the decimals from w to separate variable r, and x has become the the integer part of w.
         w = x +       r
           = x + (ceil(B) - B)
           = 2 + (111 - 110.421918114)
           = 2.5780818

     We'll then use these variables to replace the "w" in the reduced form (the one you were asked to pay attention to above).
        A² =    w      (2B +    w   )
           = (x + r) * (2B + (x + r))   <-- Our scam algorithm is ready, it's here. If you look at Grant's side-A solver description:
                                            https://preview.redd.it/fqhf1mqd0b761.jpg?width=598&format=pjpg&auto=webp&s=3ab97efb7bb1d4be8ce07c9020384fdbed169e2b
                                            You'll notice it's identical.

        A² =  (x +     r)     * (2*B             + (x +      r  ))
           =  (2 + 0.5780818) * (2*110.421918114 + (2 + 0.5780818))
        A  = √(2 + 0.5780818) * (2*110.421918114 + (2 + 0.5780818))
           = 24

So again, the reason the algorithm pushes out A when given square root of the public key (B), as one of its cathetuses,
is the shape of the triangle was pre-baked into the form that depends on knowing the length of the side A and the
hypothenuse, that represent the private values.

The reason it works on paper is because the triangle was drawn beforehand. If I give you only the public key, you can get
side B by taking square root of it, and draw the first cathetus. But what you have is only a line. That line alone doesn't
help you in drawing the rest of the triangle, unless you know the length of at least one other side of that triangle. And
asking for one additional side of the triangle is the same as asking for just one of the secret primes p or q.
If you know public key N (=p*q) and one of the two secret values, e.g. q, you can get the another one trivially: p = N/q.

The pre-baked triangle shape only works with one specific public key, because we got the shape of the triangle when we
started to obfuscate the prime factors we knew beforehand. That's the only way to draw the triangle.

To explain
    Length of side B is the square root of the public key. We know that already
    Lenght of side C is the middle point between the two secret primes p and q, i.e. something we as attacker don't know.
    Length of side A is the distance of both primes from the secret C (that again, we don't know), so we don't know A either.

So in order to be able to draw the triangle, we need to know the private key, and if we already know the private key, we're
wasting our time if we're drawing triangles when we could be breaking the encryption instead.

The only way to use the algorithm to try to factor semi-primes, is to try values for A in order in a program such as

import math
public_key = ...
B = math.sqrt(public_key)
for A in range(0, 2**1024)):
    C = math.sqrt(A**2 + B**2)
    p = C-A
    q = C+A
    if p*q == public_key:
        print(f"{p}, {q}")
        exit(0)

This is literally trial division (=brute force attack) that runs in exponential time. It takes on average 2^1024 =
1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000 operations.

The universe will have reached heat death before a a single key is broken, it is therefore completely useless.

tl;dr: The algorithm only works if you know the private key beforehand. It's a scam.
	I had a chat with a buddy of mine (Topi Talvitie) who's a postdoc researcher here at Helsinki Uni.
	He reverse engineered the logic on how a fake solver algorithm, such as the one by Grant's, can be created.
	I've tried to to translate it the best I can:

	-------------

	The goal is to find integers p and q so that pq = N [N being the public key].

	The problem is then rephrased so that the goal is to find a single integer C = (p+q) / 2.
	This is because finding the value of a single variable appears easier than solving an equation with two variables.

	This works because if C is known, then evidently

	p = C - A, and
	q = C + A

	with some A which is easy to find:

	N
	= pq
	= (C-A) * (C+A)
	= C² - A²

	and then,

	A² = C² - N
	A = √(C² - N)

	The only requirement for C is, A needs to be an integer.
	Because the requirement resembles the Pythagorean Theorem, a new value is defined: B = √(N),

	The goal is now to find C in a situation where A = √(C² - B²) and where A is an integer.

	So again, the goal is to find hypotenuse C in an equation where one cathetus is B, and the other cathetus A is an integer.
	The next step is to add further obfuscation with binomial square rule: C² - B² = (C - B) (C + B)
	But this obfuscation is too easy, so the variable, that needs to be solved, is swapped. Instead of C, the goal now is to solve w = C - B.
	Now, the C²-B² can be swapped to less suspicious form w * (2B + w).
	Now the goal is to find w so that the variable C = w+B and A = √(w * (2B + w)) where both A and C are integers.
	The requirement "w+B needs to be an integer" seems out of place, so it is fixed by defining r = ceil(B) - B, and by switching the variable x = w-r.
	Thus, w = x+r. Now,

	w+B
	= x + r + B
	= x + ceil(B) - B + B
	= x + ceil(B)

	x+ceil(B) is an integer iff x is an integer.

	Now the goal is to find x so that A = √( (x+r) * ((2B) + (x+r)) ) where A is an integer.

	------------------

	The rest is my own handwriting based on Topi's work:

	One thing that needs doing is to fix Grant's mistake of saying (x+r) * ((2B) + (x+r)) solves A, it actually solves A².

	So there you have it, the bullshit algorithm can trivially be expanded from the intial problem,
	but only if you have the prime factors ready, creating the algorithm started from 89*137=12193.


	-----------------

	To show this step by step with real numbers:

	12193

	= 89 * 137 Since we're designing the scam algorithm, we can be clever and start with the solution p=89, q=137.
	This is simply because we know it's impossible to factor semiprimes in constant time. The only
	way that can be done is if we know the answer beforehand.

	But for our scam to succeed, we need to obfuscate the fact we knew the prime factors. The
	obfuscation is done in the next step, and for that we'll need to define two values:

	Middle point between the two primes = (89+137) / 2
	= 226 / 2
	= 113

	The distance of each prime from middle point (113)
	\|137 - 113\| = 24
	\|89 - 113\| = 24

	= (113-24) * (113+24) Now, to obfuscate that the algorithm has the values of the primes baked in, we express
	them with the two values defined above: middle point +- distance from middle point.

	This single layer of obfuscation is trivial to detect. For next obfuscation we realize
	the current representation of the primes is aching to the binomial square rule:
	a²-b² = (a+b)(a-b)

	So we'll use the rule to hide the middlepoint+distance data inside two perfect square values:

	= 113² - 24² On this line, the binomial square obfuscation is in place.

	Furthermore, now the equation is of form
	12193 = 113² - 24²

	This form reminds us of the Pythagorean theorem (A² + B² = C²) and more specifically,
	how a single cathetus is solved from the hypothenuse and the other cathetus:
	B² = C² - A²

	We can now draw the triangle, and write down the sides:
	* cathetus A = 24
	* cathetus B = √(12193) = 110.421918114
	* hypotenuse C = 113

	We also do a quick check for constraints for value A, i.e. that it must be an integer:
	A² = C² - N
	A = √(C² - N)

	At this point we've succeeded in hiding the prime factors inside the values 24 and 113.
	We realize we can e.g. use the two values to define the shape of a right-angle triangle.
	We now need to be able to claim we can factor the semiprime B² with the help of Pythagoras.
	That will season our scam with some ancient rules of mathematics and is intuitive for
	everyone who learned the Pythagorean Theorem at the basic school.

	But there's a problem: Just like how the attacker can't deduce primes p and q from public key,
	the attacker can't define the shape of the triangle from just the length of one cathetus
	B = sqrt(public key)).

	But if we can make it appear we have a solver for e.g. the cathetus A, that works when
	given just the cathetus B, we can then retrieve from the triangle the values we hid there
	in the first place, and claim we've solved the semiprime factoring problem!

	So let's create a fake algorithm for solving A, by starting from the obvious Pythagorean cathetus solver:

	A = √( C² - B²)
	A² = C² - B²
	= 113² - 24²

	The binomial square obfuscation we used to hide the primes p and q is too easy to detect, so we
	add further obfuscation by swapping variables, first by defining
	w = C - B
	= 113 - 110.421918114
	= 2.578081885886448

	We then can express the hypotenuse as sum of two long floating point numbers:
	C = 113
	= B + w
	= 110.421918114 + 2.578081885886448

	Now, that we can replace C with B+w, the very revealing A² = C²-B² can be obfuscated to less suspicious form:

	A² = C² - B²
	= (B + w)² - B²
	= (B + w)(B + w) - B²
	= B² + wB + wB + w² - B²

	= wB+wB + w² + B²-B²
	= wB+wB + w²
	= w(B+B + w)
	= w(2B + w) <--- This final reduced form (pay attention to this we'll come back to it in just a moment):

	= 2.578081885886448 * (2*110.421918114 + 2.578081885886448)

	We can double-check our scam solver algorithm works by copy-pasting the equation to e.g. wolframalpha.com
	24² == 2.578081885886448 * (2*110.421918114 + 2.578081885886448)

	---

	Next, to hide the seemingly weird requirement that w+B (=C) must be an integer, we introduce another variable
	r = ceil(B) - B
	r = 111 - 110.421918114
	r = 0.5780818858864478

	We then craft yet another variable x that depends on r:
	x = w-r
	x = 2.5780818 - 0.5780818
	x = 2

	Now we've moved the decimals from w to separate variable r, and x has become the the integer part of w.
	w = x + r
	= x + (ceil(B) - B)
	= 2 + (111 - 110.421918114)
	= 2.5780818

	We'll then use these variables to replace the "w" in the reduced form (the one you were asked to pay attention to above).
	A² = w (2B + w )
	= (x + r) * (2B + (x + r)) <-- Our scam algorithm is ready, it's here. If you look at Grant's side-A solver description:
	https://preview.redd.it/fqhf1mqd0b761.jpg?width=598&format=pjpg&auto=webp&s=3ab97efb7bb1d4be8ce07c9020384fdbed169e2b
	You'll notice it's identical.

	A² = (x + r) * (2*B + (x + r ))
	= (2 + 0.5780818) * (2*110.421918114 + (2 + 0.5780818))
	A = √(2 + 0.5780818) * (2*110.421918114 + (2 + 0.5780818))
	= 24

	So again, the reason the algorithm pushes out A when given square root of the public key (B), as one of its cathetuses,
	is the shape of the triangle was pre-baked into the form that depends on knowing the length of the side A and the
	hypothenuse, that represent the private values.

	The reason it works on paper is because the triangle was drawn beforehand. If I give you only the public key, you can get
	side B by taking square root of it, and draw the first cathetus. But what you have is only a line. That line alone doesn't
	help you in drawing the rest of the triangle, unless you know the length of at least one other side of that triangle. And
	asking for one additional side of the triangle is the same as asking for just one of the secret primes p or q.
	If you know public key N (=p*q) and one of the two secret values, e.g. q, you can get the another one trivially: p = N/q.

	The pre-baked triangle shape only works with one specific public key, because we got the shape of the triangle when we
	started to obfuscate the prime factors we knew beforehand. That's the only way to draw the triangle.

	To explain
	Length of side B is the square root of the public key. We know that already
	Lenght of side C is the middle point between the two secret primes p and q, i.e. something we as attacker don't know.
	Length of side A is the distance of both primes from the secret C (that again, we don't know), so we don't know A either.

	So in order to be able to draw the triangle, we need to know the private key, and if we already know the private key, we're
	wasting our time if we're drawing triangles when we could be breaking the encryption instead.

	The only way to use the algorithm to try to factor semi-primes, is to try values for A in order in a program such as

	import math
	public_key = ...
	B = math.sqrt(public_key)
	for A in range(0, 2**1024)):
	C = math.sqrt(A2 + B2)
	p = C-A
	q = C+A
	if p*q == public_key:
	print(f"{p}, {q}")
	exit(0)

	This is literally trial division (=brute force attack) that runs in exponential time. It takes on average 2^1024 =
	1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
	0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
	0000000000000000000000000000000000000000000000000000000000000 operations.

	The universe will have reached heat death before a a single key is broken, it is therefore completely useless.

	tl;dr: The algorithm only works if you know the private key beforehand. It's a scam.