- Pollard's p - 1 algorithm
Pollard's "p" − 1 algorithm is a number theoretic
integer factorization algorithm, invented by John Pollard in 1974. It is a special-purpose algorithm, meaning that it is only suitable for integers with specific types of factors; it is the simplest example of an algebraic-group factorisation algorithm.
The factors it finds are ones for which "p"-1 is smooth; the essential observation is that, by working in the multiplicative group modulo a composite number "N", we are also working in the multiplicative groups modulo all of "N"'s factors.
The existence of this algorithm leads to the concept of
safe primes, being primes for which "p-1" has at least one large prime factor. Almost all sufficiently large primes are safe; if a prime used for cryptographic purposes turns out to be unsafe, it is much more likely to be through malice than through an accident of random number generation.
Let "n" be a composite integer with prime factor "p". By
Fermat's little theorem, we know that
: for all , and for all
If a number "x" is congruent to 1 modulo a factor of "n", then the gcd ("x-1","n") will be divisible by that factor.
The idea is to make the exponent a large multiple of "p"-1 by making it a number with very many prime factors; generally, we take the product of all prime powers less than some limit "B". Start with a random "x", and repeatedly replace it by as "w" runs through those prime powers. Check at each stage, or once at the end if you prefer, whether ("x-1","n") is not equal to 1.
It is possible that for all the prime factors p of "n", p-1 is divisible by small primes, at which point the Pollard p-1 algorithm gives you "n" again.
Algorithm and running time
The basic algorithm can be written as follows:
:Inputs: "n": a composite integer:Output: a non-trivial factor of "n" or failure
:# select a smoothness bound "B":# randomly pick "a" coprime to "n" (note: we can actually fix "a", random selection here is not imperative):# for each prime "q" ≤ "B":#::#: (note: this is "a""M"):# "g" ← gcd("a" − 1, "n"):# if 1 < "g" < "n" then return "g":# if "g" = 1 then select a higher "B" and go to step 2 or return failure:# if "g" = "n" then go to step 2 or return failure
If "g" = 1 in step 6, this indicates that for all "p" − 1 that none were "B"-powersmooth. If "g" = "n" in step 7, this usually indicates that all factors were "B"-powersmooth, but in rare cases it could indicate that "a" had a small order modulo "n".
The running time of this algorithm is O("B" × log "B" × log2"n"); larger values of "B" make it run more slowly, but are more likely to produce a factor
How do you pick "B"?
Since the algorithm is incremental, you can just leave it running with the bound constantly increasing.
Assume that , where is the smallest prime factor of "n", can be modelled as a random number of size less than . By
Dickson's theorem, the probability that the largest factor of such a number is less than is roughly ; so there is a probability of about that a "B" value of will yield a factorisation.
In practice, the
elliptic curve methodis faster than the Pollard p-1 method once the factors are at all large; you might run the p-1 method up to , which will find a quarter of all twelve-digit factors and 1/27 of all eighteen-digit factors, before proceeding to another method.
Large prime variant
A variant of the basic algorithm is sometimes used; instead of requiring that has all its factors less than B, we can require it to have all but one of its factors less than some B1, and the remaining factor less than some B2. Let be the smallest prime greater than B1, the next-largest, and so on; let . The distribution of prime numbers is such that the will all be fairly small.
Having computed , we can easily compute once and for all for all which appear as a value of . Compute . We can then stop doing exponentiation, and compute
, , ...
with one multiplication rather than one exponentiation at each step; this is quicker by roughly a factor $log B$ than doing the exponentiations. It can also be accelerated significantly using
Fast Fourier transforms.
The [http://gforge.inria.fr/projects/ecm/ GMP-ECM] package includes an efficient implementation of the p-1 method.
*J.M. Pollard. "Theorems of Factorization and Primality Testing", "Proceedings of the Cambridge Philosophical Society" 76 (1974), pp. 521–528.
*De icon [http://zeta24.com/prim/pminus1big.php Factoring applet that uses p-1]
* [http://ardoino.com/maths-factoring-pollard/ Pollard p-1 C source code]
Wikimedia Foundation. 2010.
Look at other dictionaries:
Pollard — may refer to:*Pollard (surname) *Pollard, Alabama, a town in the United States *Jonathan Pollard, a spy *Pollard, a tree or animal which has been polled (had its branches, horns or antlers removed): **Pollard, a tree affected by pollarding, a… … Wikipedia
Pollard's rho algorithm — is a special purpose integer factorization algorithm. It was invented by John Pollard in 1975. It is particularly effective at splitting composite numbers with small factors.Core ideasThe rho algorithm is based on Floyd s cycle finding algorithm… … Wikipedia
Pollard's rho algorithm for logarithms — is an algorithm for solving the discrete logarithm problem analogous to Pollard s rho algorithm for solving the Integer factorization problem.The goal is to compute gamma such that alpha ^ gamma = eta(mod N), where eta belongs to the group G… … Wikipedia
Pollard's lambda algorithm — In mathematics, specifically computational number theory and computational algebra, Pollard s lambda algorithm (aka Pollard s kangaroo algorithm, see Naming below) is an algorithm for solving the discrete logarithm. The algorithm was introduced… … Wikipedia
Pollard-Rho-Methode — Grafische Darstellung der Teilergebnisse Die Pollard Rho Methoden sind Algorithmen zur Bestimmung der Periodenlänge einer Zahlenfolge, die mit einer mathematischen Funktion berechnet wird. Verschiedene schwierige mathematische Probleme wie der… … Deutsch Wikipedia
Williams' p + 1 algorithm — In computational number theory, Williams p + 1 algorithm is an integer factorization algorithm, one of the family of algebraic group factorisation algorithms. It was invented by Hugh C. Williams in 1982. It works well if the number N to be… … Wikipedia
Multiplication algorithm — A multiplication algorithm is an algorithm (or method) to multiply two numbers. Depending on the size of the numbers, different algorithms are in use. Efficient multiplication algorithms have existed since the advent of the decimal system.… … Wikipedia
Cipolla's algorithm — In computational number theory, Cipolla s algorithm is a technique for solving a congruence of the form x2 = n, where , so n is the square of x, and where p is an odd prime. Here denotes the finite field with p elements; . Th … Wikipedia
Cornacchia's algorithm — In computational number theory, Cornacchia s algorithm is an algorithm for solving the Diophantine equation x2 + dy2 = m, where and d and m are coprime. The algorithm was described in 1908 by Giuseppe Cornacchia. Contents 1 The algorithm … Wikipedia
Algoritmo rho de Pollard — Para otros usos de este término, véase algoritmo rho de Pollard para logaritmos discretos. El algoritmo rho de Pollard es un algoritmo especializado de factorización de números enteros. Fue inventado por John Pollard en 1975. Es especialmente… … Wikipedia Español