Pollard's p - 1 algorithm

From Wikipedia, the free encyclopedia


Pollard's $p-1$ algorithm is a number-theoretic integer factorization algorithm, invented by John Pollard in 1974. It is a special-purpose algorithm, meaning that it is only suitable for integers with specific types of factors; it is the simplest example of an algebraic-group factorisation algorithm.

The factors it finds are ones for which p-1 is smooth; the essential observation is that, by working in the multiplicative group modulo a composite number N, we are also working in the multiplicative groups modulo all of N's factors.

The existence of this algorithm leads to the concept of safe primes: in the strict sense a prime $p = 2q+1$ with $q$ also prime, and more loosely any prime for which $p-1$ has at least one large prime factor, which defeats this method. Almost all sufficiently large primes are safe in the loose sense; if a prime used for cryptographic purposes turns out to be unsafe, it is much more likely to be through malice than through an accident of random number generation.


Base concepts

Let $n$ be a composite integer with prime factor $p$. By Fermat's little theorem, we know that

$$a^{K(p-1)} \equiv 1 \pmod{p}$$

for all integers $K$, and for all $a$ coprime to $p$.

If a number $x$ is congruent to 1 modulo a factor of $n$, then $\gcd(x-1, n)$ will be divisible by that factor.

The idea is to make the exponent a large multiple of $p-1$ by making it a number with very many prime factors; generally, we take the product of all prime powers less than some limit $B$. Start with a random $x$, and repeatedly replace it by $x^w \bmod n$ as $w$ runs through those prime powers. Check at each stage, or once at the end if you prefer, whether $\gcd(x-1, n)$ is not equal to 1; a value strictly between 1 and $n$ is a non-trivial factor.

Multiple factors

It is possible that $p-1$ is $B$-smooth for every prime factor $p$ of $n$, at which point $x \equiv 1$ modulo every factor, the gcd is $n$ itself, and the Pollard $p-1$ algorithm gives you $n$ again. The usual remedy is to lower $B$ so that the factors are separated.

Algorithm and running time

The basic algorithm can be written as follows:

Inputs: n: a composite integer
Output: a non-trivial factor of n or failure
  1. select a smoothness bound B
  2. pick a coprime to n (a may be fixed, e.g. a = 2; random selection is not essential)
  3. for each prime $q \le B$:
       $e \gets \lfloor \log n / \log q \rfloor$
       $a \gets a^{q^e} \bmod n$
     (after this loop $a$ equals $a^M \bmod n$, where $M = \prod_{q \le B} q^e$)
  4. $g \gets \gcd(a - 1, n)$
  5. if $1 < g < n$ then return g
  6. if $g = 1$ then select a higher B and go to step 2, or return failure
  7. if $g = n$ then select a smaller B (or a different a) and go to step 2, or return failure

If $g = 1$ in step 6, this indicates that $p-1$ was not $B$-powersmooth for any prime factor $p$ of $n$. If $g = n$ in step 7, this usually indicates that $p-1$ was $B$-powersmooth for every prime factor, but in rare cases it could indicate that $a$ has a small order modulo each $p$.

The running time of this algorithm is $O(B \log B \log^2 n)$; larger values of $B$ make it run more slowly, but are more likely to produce a factor.

How do you pick B?

Since the algorithm is incremental, you can just leave it running with the bound constantly increasing.

Assume that $p-1$, where $p$ is the smallest prime factor of $n$, can be modelled as a random number of size less than $\sqrt{n}$. By Dickman's theorem, the probability that the largest prime factor of such a number is less than $(p-1)^{\epsilon}$ is roughly $\rho(1/\epsilon)$, where Dickman's function $\rho(u)$ behaves roughly like $u^{-u}$; taking $\epsilon = 1/3$, there is a probability of about $3^{-3} = 1/27$ that a $B$ value of $(\sqrt{n})^{1/3} = n^{1/6}$ will yield a factorisation.

In practice, the elliptic curve method is faster than the Pollard $p-1$ method once the factors are at all large; you might run the $p-1$ method up to $B = 10^6$, which will find roughly a quarter of all twelve-digit factors and about $1/27$ of all eighteen-digit factors, before proceeding to another method.

Large prime variant

A variant of the basic algorithm is sometimes used; instead of requiring that $p-1$ has all its factors less than $B$, we can require it to have all but one of its factors less than some $B_1$, and the remaining factor between $B_1$ and some larger bound $B_2$. Let $p_1$ be the smallest prime greater than $B_1$, $p_2$ the next prime after it, and so on; let $d_i = p_i - p_{i-1}$. The distribution of prime numbers is such that the $d_i$ will all be fairly small.

Having computed $c = a^M \bmod n$, we can easily compute once and for all $E_r = c^r \bmod n$ for all $r$ which appear as a value of $d_i$. Compute $t_1 = c^{p_1} \bmod n$. We can then stop doing exponentiation, and compute

$$t_2 = c^{p_2} \bmod n = t_1 E_{d_2} \bmod n, \quad t_3 = t_2 E_{d_3} \bmod n, \ \ldots$$

with one multiplication rather than one exponentiation at each step; this is quicker by roughly a factor $\log B_2$ than doing the exponentiations. As in the basic algorithm, a factor is detected by $\gcd(t_i - 1, n)$, checked at each step or once over an accumulated product. It can also be accelerated significantly using fast Fourier transforms.
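The stage 1 loop from the algorithm above, its two failure outcomes ($g = 1$ and $g = n$), and the large prime variant of this section, as an added Python example written for this page (it is not the article's own code and not the GMP-ECM implementation). The moduli are constructed from the primes 211, 2311, 10007 and 10079 so that each case actually occurs, and every function name is the example's own.

```python
"""Pollard's p - 1 on constructed moduli: stage 1, its g = 1 and g = n outcomes,
and the large prime (stage 2) variant.

Added example for this page; not the article's code and not GMP-ECM.  The
factors 211, 2311, 10007 and 10079 are chosen so that 210 = 2*3*5*7 and
2310 = 2*3*5*7*11 are 11-powersmooth, while 10006 = 2*5003 and 10078 = 2*5039
each carry one large prime factor (the "safe" case).
"""
from math import gcd, isqrt


def primes_up_to(limit):
    """Sieve of Eratosthenes: all primes <= limit, in increasing order."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, isqrt(limit) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i in range(limit + 1) if sieve[i]]


def largest_prime_factor(m):
    """Trial division; shows which p - 1 is smooth (the unsafe prime) and
    which is protected by a large prime factor.  Fine for the sizes used here."""
    largest, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            largest, m = d, m // d
        d += 1
    return max(largest, m) if m > 1 else largest


def stage1(n, B, a=2):
    """Stage 1: a <- a^M mod n with M = prod_{q <= B} q^e, e = floor(log_q n).

    Returns (a^M mod n, gcd(a^M - 1, n)).  1 < g < n is a factor; g = 1 means
    no p - 1 was B-powersmooth; g = n means every p - 1 was (or a has small
    order modulo each prime factor), so B must be lowered, not raised.
    """
    for q in primes_up_to(B):
        qe = q
        while qe * q <= n:          # q^e = largest power of q not exceeding n
            qe *= q
        a = pow(a, qe, n)
    return a, gcd(a - 1, n)


def stage2(n, c, B1, B2):
    """Large prime variant.  c = a^M mod n comes from stage 1.  For the primes
    B1 < p_1 < p_2 < ... <= B2 compute t_i = c^{p_i} with one multiplication
    per step, t_i = t_{i-1} * E_{d_i}, where E_d = c^d is precomputed for each
    prime gap d = p_i - p_{i-1} that occurs (only a few distinct small gaps).
    A hit at p_i means p - 1 = (B1-powersmooth part) * p_i for some p | n.
    """
    primes = [p for p in primes_up_to(B2) if p > B1]
    gaps = {primes[i] - primes[i - 1] for i in range(1, len(primes))}
    E = {d: pow(c, d, n) for d in gaps}
    t = pow(c, primes[0], n)        # the only full exponentiation in stage 2
    for i in range(len(primes)):
        if i:
            t = t * E[primes[i] - primes[i - 1]] % n
        g = gcd(t - 1, n)           # checked per step; could also be batched
        if 1 < g < n:
            return g
    return None


def pollard_pm1(n, B1, B2=None, a=2):
    """Run stage 1 and, if it neither succeeds nor saturates, stage 2.
    Returns (factor or None, what happened) so a caller knows whether to raise
    the bounds, lower B1, or give up and move to another method such as ECM."""
    g = gcd(a, n)
    if g > 1:                       # a not coprime to n is already a factor
        return g, "gcd(a, n)"
    c, g = stage1(n, B1, a)
    if 1 < g < n:
        return g, "stage1"
    if g == n:
        return None, "every p - 1 is B1-powersmooth: retry with a smaller B1"
    if B2 is not None:
        g = stage2(n, c, B1, B2)
        if g is not None:
            return g, "stage2"
    return None, "no p - 1 is smooth enough: raise B1/B2 or switch method"


if __name__ == "__main__":
    for p in (211, 2311, 10007, 10079):
        print(p, "largest prime factor of p-1:", largest_prime_factor(p - 1))
    print(pollard_pm1(2311 * 10007, 11))          # finds 2311: 2310 is 11-smooth
    print(pollard_pm1(2311 * 10007, 7))           # g = 1: B too small
    print(pollard_pm1(2311 * 211, 11))            # g = n: both p - 1 smooth
    print(pollard_pm1(2311 * 211, 7))             # lowering B separates them
    print(pollard_pm1(10007 * 10079, 100, 6000))  # stage 2 hits at p_i = 5003
```

The last call is the large prime case: stage 1 with $B_1 = 100$ cannot reach the factor 5003 of $10006$, but stage 2 walks the primes between 100 and 6000 with one multiplication each and detects $10007$ at $p_i = 5003$, before reaching $5039$; checking the gcd per step rather than once over a product is what returns the single factor instead of $n$ when two factors would both be hit within the same range.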

Implementations

The GMP-ECM package includes an efficient implementation of the p-1 method.

References

  • J. M. Pollard. "Theorems on factorization and primality testing", Proceedings of the Cambridge Philosophical Society 76 (1974), pp. 521–528.
