Post on 26-May-2020
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Integer Factorization MethodsTrial division, Pollard’s p − 1,
Pollard’s ρ, and Fermat’s method
Christopher Koch1
1Department of Computer Science and EngineeringCSE489/589 Algorithms in CS & IT
New Mexico Tech
April 8, 2014
Integer Factorization MethodsTrial division, Pollard’s p − 1,
Pollard’s ρ, and Fermat’s method
Christopher Koch1
1Department of Computer Science and EngineeringCSE489/589 Algorithms in CS & IT
New Mexico Tech
April 8, 20142014
-04-
11
Integer Factorization Methods
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Overview
• Intro to modular arithmetic• Euler’s theorem and Fermat’s little theorem• Trial division• Pollard’s p − 1 method• Cycles in Z/nZ• Floyd’s cycle-finding algorithm• Pollard’s ρ method (Monte Carlo factorization)• Birthday paradox• Fermat’s method
Conventiona, b, c,d,m,n are integers, p, q are primes
Overview
• Intro to modular arithmetic• Euler’s theorem and Fermat’s little theorem• Trial division• Pollard’s p − 1 method• Cycles in Z/nZ• Floyd’s cycle-finding algorithm• Pollard’s ρ method (Monte Carlo factorization)• Birthday paradox• Fermat’s method
Conventiona, b, c,d,m,n are integers, p, q are primes
2014
-04-
11
Integer Factorization MethodsOverview
Overview
• Monte Carlo method: dependent on some kind of randomnumber/function/process
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Modular Arithmetic
• a∣b (a divides b) if b is a multiple of a.• quotient and remainder unique in integer division• Congruence modulo n:
a ≡ b (mod n) iff n∣(a − b).
Modular Arithmetic
• a∣b (a divides b) if b is a multiple of a.• quotient and remainder unique in integer division• Congruence modulo n:
a ≡ b (mod n) iff n∣(a − b).
2014
-04-
11
Integer Factorization MethodsModular Arithmetic
Division Algorithm and CongruenceModular Arithmetic
• Division Algorithm: Given a, b there exist unique q, r
a = bq + r where 0 ≤ r < b.
• For example, 13 ≡ 8 ≡ 3 (mod 5).• Intuition: a and b have same remainder when divided by n
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Residue classes
• Congruence modulo n is an equivalence relation onintegers.
• Equivalence classes: one for each remainder
[a]n = {x ∶ x ≡ a (mod n)} .
• Called residue classes mod n
Residue classes
• Congruence modulo n is an equivalence relation onintegers.
• Equivalence classes: one for each remainder
[a]n = {x ∶ x ≡ a (mod n)} .
• Called residue classes mod n
2014
-04-
11
Integer Factorization MethodsModular Arithmetic
Residue classes mod nResidue classes
• Equivalence classes of congruence: Integers with sameremainder are related to each other
• Each remainder thus forms an equivalence class• Example: Residue classes mod 4, residue classes mod 2 (even,
odd)
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Integers modulo n
• Integers modulo n: set of residue classes mod n:
Z/nZ = {[r]n ∶ r ∈ Z} .
• How to do arithmetic in mod n? What is [3]4 + [1]4?
Integers modulo n
• Integers modulo n: set of residue classes mod n:
Z/nZ = {[r]n ∶ r ∈ Z} .
• How to do arithmetic in mod n? What is [3]4 + [1]4?
2014
-04-
11
Integer Factorization MethodsModular Arithmetic
Integers modulo nIntegers modulo n
• For example, Z/4Z = {[0]4 , [1]4 , [2]4 , [3]4}• 24-hour clock• Intuition: notion of “finite discreteness”• Like b-bit (unsigned) integers – Z/2bZ – overflow “wraps” back
around (most general-purpose architectures don’t do saturationarithmetic, so it wraps around like modular arithmetic)
• But also, [5]4 ∈ Z/4Z. Why?• Because [5]4 = [1]4, since 5 ≡ 1 (mod 4).
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Arithmetic mod n
DefinitionLet n ∈ Z+ and a, b ∈ Z. Then,
[a]n + [b]n = [a + b]n
[a]n × [b]n = [a × b]n
• Similarly,
[a]n − [b]n = [a]n + [−b]n = [a − b]n .
Arithmetic mod n
DefinitionLet n ∈ Z+ and a, b ∈ Z. Then,
[a]n + [b]n = [a + b]n
[a]n × [b]n = [a × b]n
• Similarly,
[a]n − [b]n = [a]n + [−b]n = [a − b]n .
2014
-04-
11
Integer Factorization MethodsModular Arithmetic
Arithmetic with integers mod nArithmetic mod n
• Example here: 24-hour clock, adding 12 and 25, and multiplying13 by 2
• Proof that well-defined: Pick x ∈ [a]n, y ∈ [b]n differentrepresentatives, show x + y ∈ [a + b]n since x ≡ a (mod n) andy ≡ b (mod n) implies x + y ≡ a + b (mod n).
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
GCD and Totatives
• gcd(a, b) is the greatest common divisor of a and b• a, b are called coprime or relatively prime if gcd(a, b) = 1.
a is called a totative of b and vice versa.• Bézout’s identity: If gcd(n,m) = d, then there exist k, l
s.t. nk +ml = d.• ϕ(n) counts the number totatives less than n:
ϕ(n) = ∣{c ∶ 1 ≤ c < n and gcd(c,n) = 1}∣ .
• We have ϕ(mn) = ϕ(n)ϕ(m).
GCD and Totatives
• gcd(a, b) is the greatest common divisor of a and b• a, b are called coprime or relatively prime if gcd(a, b) = 1.
a is called a totative of b and vice versa.• Bézout’s identity: If gcd(n,m) = d, then there exist k, l
s.t. nk +ml = d.• ϕ(n) counts the number totatives less than n:
ϕ(n) = ∣{c ∶ 1 ≤ c < n and gcd(c,n) = 1}∣ .
• We have ϕ(mn) = ϕ(n)ϕ(m).2014
-04-
11
Integer Factorization MethodsModular Arithmetic
GCD and TotativesGCD and Totatives
• Example: gcd(40,6) = 2.• Example: ϕ(p) = p − 1.• Multiplicative ϕ useful since ϕ(pq) = ϕ(p)ϕ(q) = (p − 1)(q − 1).
(easy to compute)• Totative of n is a number m that is coprime to n
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Inverses mod n
• Notice: no division in mod n!• Division is usually defined as multiplication by the
multiplicative inverse.• Multiplicative inverse of [a]n is [b]n such that
[a]n[b]n = [1]n ; i.e. ab ≡ 1 (mod n).
Inverses mod n
• Notice: no division in mod n!• Division is usually defined as multiplication by the
multiplicative inverse.• Multiplicative inverse of [a]n is [b]n such that
[a]n[b]n = [1]n ; i.e. ab ≡ 1 (mod n).
2014
-04-
11
Integer Factorization MethodsModular Arithmetic
Inverses mod nInverses mod n
• Example here: 2 ∈ Z/4Z and its inverse? 4 ∈ Z/7Z and itsinverse?
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Theorem[a]n ∈ Z/nZ has a multiplicative inverse if and only ifgcd(a,n) = 1.
• Drawing from previous example: gcd(4,2) = 2, whilegcd(4,7) = 1.
• That means that every element except 0 in Z/pZ has aninverse, since a prime is coprime to every element below it.
• Bézout’s identity again: gcd(m,n) = 1, thenm[m−1]n + n[n−1]m = 1.
Theorem[a]n ∈ Z/nZ has a multiplicative inverse if and only ifgcd(a,n) = 1.
• Drawing from previous example: gcd(4,2) = 2, whilegcd(4,7) = 1.
• That means that every element except 0 in Z/pZ has aninverse, since a prime is coprime to every element below it.
• Bézout’s identity again: gcd(m,n) = 1, thenm[m−1]n + n[n−1]m = 1.
2014
-04-
11
Integer Factorization MethodsModular Arithmetic
Inverses mod n
• Proof: see write-up of notes on intro to mod arithmetic
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Euler’s and Fermat’s Theorems
Theorem (Euler, Euler totient, Euler-Fermat)Let a,n be coprime. Then,
aϕ(n) ≡ 1 (mod n).
Corollary (Fermat)Unless a is a multiple of p,
ap−1 ≡ 1 (mod p).
• Leonhard Euler, 1707-1783. Euler-Fermat Theorem. Fermat’slittle theorem was the origin, Euler gave proof for it in 1736 andkept working until Euler-Fermat was in its final form in 1761.
• E54 (Theorematum Quorundam ad Numeros PrimosSpectantium Demonstratio) proves Fermat’s – by induction onbinomial series expansion (1 + 1)p−1 etc / induction as we knowit today (he bashes on Fermat’s notion of induction and how hedisproved Fermat’s conjecture that 22n + 1 is prime for any n)
• Modern proof: using LaGrange’s theorem (subgroup H of G,o(H )∣o(G)), let H = (Z/nZ)∗ and G = Z/nZ; and sinceao(H) ≡ 1 for a ∈ H
• Carmichael’s theorem: aλ(n) ≡ 1 mod n where λ(n) = 0.5ϕ(n)if n is a power of 2 and all other λ(n) = ϕ(n).
• Pierre de Fermat, 1601-1665, Fermat’s last theoreman + bn ≠ cn for n ≥ 2.
• Application to RSA: Let M be a message. M mϕ(n)+1 ≡ M(mod n). So, let’s find ed = mϕ(n) + 1, i.e. ed ≡ 1(mod ϕ(n)).
• C(M) = M e (mod n), D(M) = M d (mod n). Then,C(D(M)) = M de ≡ M mϕ(n)+1 ≡ M (mod n)
• Choose twoprime n = pq for easy ϕ computation
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Cost of Multiplication and GCD
ConventionWe will denote the cost of multiplication by M(n) and the costof the GCD by G(n) for n-digit numbers.
• Schoolbook multiplication: M(n) ∈ O(n2).• Schönhage-Strassen: M(n) ∈ O(n lgn lg lgn).• Euclidean GCD: G(n) ∈ O(n2).• Schönhage’s GCD: G(n) ∈ O(M(n) lgn).• Modular exponentiation (ak mod b): O(M(c) lg k),
where c =max(lg a, lg b).
Cost of Multiplication and GCD
ConventionWe will denote the cost of multiplication by M(n) and the costof the GCD by G(n) for n-digit numbers.
• Schoolbook multiplication: M(n) ∈ O(n2).• Schönhage-Strassen: M(n) ∈ O(n lgn lg lgn).• Euclidean GCD: G(n) ∈ O(n2).• Schönhage’s GCD: G(n) ∈ O(M(n) lgn).• Modular exponentiation (ak mod b): O(M(c) lg k),
where c =max(lg a, lg b).2014
-04-
11
Integer Factorization MethodsCost of Multiplication and GCD
Cost of Multiplication and GCD
• Schönhage GCD (“controlled Euclidean descent”): ActaInformatica vol I no 3 1971
• Schönhage-Strassen: Computing Vol 7 1971
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Integer Factorization
Theorem (Fundamental Theorem of Arithmetic)Let n be an integer. Then there exist unique primesp1,p2,⋯,pk not necessarily distinct such that
n = p1 × p2 ×⋯ × pk .
• In essence, every integer can be factored uniquely intoprimes. For example, 20 = 2 × 2 × 5.
• FTA guarantees existence of that factorization, but howdo you find it?
ConventionIn the following slides, every big O is given in terms of inputvalues instead of input length.
Integer Factorization
Theorem (Fundamental Theorem of Arithmetic)Let n be an integer. Then there exist unique primesp1,p2,⋯,pk not necessarily distinct such that
n = p1 × p2 ×⋯ × pk .
• In essence, every integer can be factored uniquely intoprimes. For example, 20 = 2 × 2 × 5.
• FTA guarantees existence of that factorization, but howdo you find it?
ConventionIn the following slides, every big O is given in terms of inputvalues instead of input length.
2014
-04-
11
Integer Factorization MethodsInteger Factorization
Integer Factorization
• FTA first written down and proved by Euclid in his treatiseElements, 300BC (differently, of course)
• Proof: existence by induction, base case n = 2 / uniqueness:Euclid’s lemma or elementary using the smallest integer that isproduct of two different prime factorizations
• Euclid’s lemma: p∣ab implies p∣a or p∣b.• Erdős-Kac Theorem: ω(n) number of distinct prime factors of
n, then the probability distribution of
ω(n) − log logn√log logn
is the standard normal distribution.
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Trial Division
1: TrialDivision(n)2: D ← ()3: for all p in primes(√n) do4: while n mod p = 0 do5: append(D,p)6: n ← n/p7: if n > 1 then8: append(D,n)9: return D
• How often does for-loop execute?• Prime-counting function π(m).• How often does while execute? In total, at most
logp(n) ≤ lgn (since lg 2 ≤ lg p for all p ≥ 1)
Trial Division
1: TrialDivision(n)2: D ← ()3: for all p in primes(√n) do4: while n mod p = 0 do5: append(D,p)6: n ← n/p7: if n > 1 then8: append(D,n)9: return D
• How often does for-loop execute?• Prime-counting function π(m).• How often does while execute? In total, at most
logp(n) ≤ lgn (since lg 2 ≤ lg p for all p ≥ 1)
2014
-04-
11
Integer Factorization MethodsInteger Factorization
Trial DivisionTrial Division
• Loop executes π (√n).
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Trial Division: Analysis
Theorem (Prime number theorem)
limx→∞
π(x)x/ ln(x) = 1.
This implies π(x) ∈ O ( xln x ).
Then, for an integer n to be factored, trial division is
O (π (√
n) lg(n)M(lgn)) = O (√
nM(lgn)) .
Trial Division: Analysis
Theorem (Prime number theorem)
limx→∞
π(x)x/ ln(x) = 1.
This implies π(x) ∈ O ( xln x ).
Then, for an integer n to be factored, trial division is
O (π (√
n) lg(n)M(lgn)) = O (√
nM(lgn)) .
2014
-04-
11
Integer Factorization MethodsInteger Factorization
Trial DivisionTrial Division: Analysis
• Landau notation (Bachman) in terms of limits: f (n) ∈ O(g(n))if
limn→∞
∣ f (n)g(n) ∣ <∞.
• PNT conjectured by Gauß in 1792 by his own account at 15years old (Gauß, Hubert Mania)
• PNT first proved by Hadamard and Vallée-Poussin (1896)• TODO / MAYBE: talk about distribution of prime factors, the
O of the first prime factor being found and last factor beingfound. Might be useful for following sections.
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Pollard’s p − 1 method
1: PollardP-1(n,B)2: K ← ∏
primes p≤Bp⌊logp(n)⌋
3: m ← (2K − 1) mod n ▷ modular exponentiation4: g ← gcd (m,n)5: if g = 1 then6: either increase B and7: return PollardP-1(n,B)8: or return failure9: else
10: return g ▷ g must be a divisor of n
Pollard’s p − 1 method
1: PollardP-1(n,B)2: K ← ∏
primes p≤Bp⌊logp(n)⌋
3: m ← (2K − 1) mod n ▷ modular exponentiation4: g ← gcd (m,n)5: if g = 1 then6: either increase B and7: return PollardP-1(n,B)8: or return failure9: else
10: return g ▷ g must be a divisor of n2014
-04-
11
Integer Factorization MethodsInteger Factorization
Pollard’s p − 1Pollard’s p − 1 method
• John M. Pollard, 1974.• Periodicals of the Cambridge Phil Society, 1974, Theorems on
Primality Testing and Factorization• and Lenstra’s ECM paper and MIT Elliptic Curves Spring 2013
course• n to be factored, finds non-trivial divisor of n• B smoothness bound• Since m < n, g < n• Original method detailed a second step to be taken for
deterministic factorization: L < M < n, M < L2.• b ≡ am mod n where m is product of primes less than or equal
L to some power. Find d = gcd(b − 1,n). If d = n, decrease Land repeat.
• Step 2: For primes L < p < M , Fp = (bp − 1) mod n, findgcd(Fp,n).
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Pollard’s p − 1: Why does it work?
Corollary (Fermat’s little theorem)For a < p, ap−1 ≡ 1 (mod p). That is, p∣ (ap−1 − 1).
• Assume p is a prime divisor of n.• That means that gcd(ap−1 − 1,n) ≥ p.• The preceding also works if the exponent is a multiple of
some p − 1, i.e. aK − 1 where K is a multiple of p − 1.• Goal: choose K such that it is likely to be the multiple of
some p − 1 for a prime divisor p.
Pollard’s p − 1: Why does it work?
Corollary (Fermat’s little theorem)For a < p, ap−1 ≡ 1 (mod p). That is, p∣ (ap−1 − 1).
• Assume p is a prime divisor of n.• That means that gcd(ap−1 − 1,n) ≥ p.• The preceding also works if the exponent is a multiple of
some p − 1, i.e. aK − 1 where K is a multiple of p − 1.• Goal: choose K such that it is likely to be the multiple of
some p − 1 for a prime divisor p.2014
-04-
11
Integer Factorization MethodsInteger Factorization
Pollard’s p − 1Pollard’s p − 1: Why does it work?
• I.e. we have found a non-trivial divisor.• p − 1 only finds factors p that are of the form
p − 1 = A
where A is some product of primes less than B. (p − 1 must beB-(power)smooth.)
• Original version: p − 1 = Aq for some L < q < M .• Example 1: n = 540143, choose B = 8 and
K = lcm(2,⋯B) = 840 (easier). Then, 2K mod n = 53047 andgcd(2K − 1,n) = 421. Then, 540143 = 421 × 1283.
• Example 2: n = 491389 = 383× 1283. Because 383− 1 = 2× 191,we have 191∣K and B ≥ 191 (for lcm). INFEASIBLE.
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Pollard’s p − 1: Analysis
The exp and modular exp can be combined:1: K ← 22: for all p in primes(B) do3: pc ← p4: while pc < n do5: K ← Kp (mod n)6: pc ← pc ∗ p7: g ← gcd(K − 1,n)
Pollard’s p − 1: Analysis
The exp and modular exp can be combined:1: K ← 22: for all p in primes(B) do3: pc ← p4: while pc < n do5: K ← Kp (mod n)6: pc ← pc ∗ p7: g ← gcd(K − 1,n)
2014
-04-
11
Integer Factorization MethodsInteger Factorization
Pollard’s p − 1Pollard’s p − 1: Analysis
• ∑p ⌊logp(n)⌋ multiplications and mod exps.• Each mod exp is O(lg(p)M(lgn))• Each mult M(lgn).• Then, ∑p logp(n) lg(p)M(lgn) = ∑p lg(n)M(lgn)
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Pollard’s p − 1: Analysis
• ∑p
⌊logp(n)⌋ multiplications and mod exps.
• Each mod exp is O(lg(p)M(lgn))• Each mult M(lgn).• Then, ∑
plogp(n) lg(p)M(lgn) =∑
plg(n)M(lgn)
• Then, we have
O(G(lgn) + π(B) lg(n)M(lgn)).
• Then, complexity of one iteration of Pollard’s p − 1 is
O(π(B) lg(n)M(lgn)).
Pollard’s p − 1: Analysis
• ∑p
⌊logp(n)⌋ multiplications and mod exps.
• Each mod exp is O(lg(p)M(lgn))• Each mult M(lgn).• Then, ∑
plogp(n) lg(p)M(lgn) =∑
plg(n)M(lgn)
• Then, we have
O(G(lgn) + π(B) lg(n)M(lgn)).
• Then, complexity of one iteration of Pollard’s p − 1 is
O(π(B) lg(n)M(lgn)).2014
-04-
11
Integer Factorization MethodsInteger Factorization
Pollard’s p − 1Pollard’s p − 1: Analysis
• Multiplication is M(lgn) since pc < n and p < n• Mod exp is O(lg(p)M(lgn)) since mod exp is
O(∣exp∣M(∣max(base,modulus)∣).• G(lgn) = O(M(lgn) lg lgn), so less than the other stuff• Mult + mod exp: O ((lg(p) + 1)M(lgn)) = O(lg(p)M(lgn)).• Notice: If B = √
n, worse than trial division when TD finds allfactors and p − 1 finds one
• MIT’s Elliptic Curve class agrees
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Cycles in Z/nZ
DefinitionA sequence {Xi}i≥0 is considered periodic if there exists a suchthat Xm+a = Xm for all m ≥ 0
• Ultimately periodic if for all m ≥ M (some starting value)
Cycles in Z/nZ
DefinitionA sequence {Xi}i≥0 is considered periodic if there exists a suchthat Xm+a = Xm for all m ≥ 0
• Ultimately periodic if for all m ≥ M (some starting value)
2014
-04-
11
Integer Factorization MethodsInteger Factorization
Cycles in Z/nZCycles in Z/nZ
• Periodic: 1, 2, 3, 1, 2, 3, 1, 2, 3, . . .• Ultimately periodic: 3, 2, 4, 5, 1, 4, 5, 1, 4, 5, 1, . . .• Since Z/nZ “wraps around” in a sense, we can find cycles in it.• a is called period.
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
• Let f ∶ Z/nZ→ Z/nZ.• Consider a sequence {Xi}i≥0 where Xi ∈ Z/nZ and
Xm+1 = f (Xm).• The sequence is ultimately periodic.
Proof:
• Assume X0,X1,⋯,Xm−1 distinct for some m and Xm isnot. m ≤ n by Pidgeonhole
• Then, Xm = Xµ for some 0 ≤ µ ≤ m − 1.• Let λ = m − µ (period)• By induction, we need to show that Xn+λ = Xn for all
n ≥ µ.
• Let f ∶ Z/nZ→ Z/nZ.• Consider a sequence {Xi}i≥0 where Xi ∈ Z/nZ and
Xm+1 = f (Xm).• The sequence is ultimately periodic.
Proof:
• Assume X0,X1,⋯,Xm−1 distinct for some m and Xm isnot. m ≤ n by Pidgeonhole
• Then, Xm = Xµ for some 0 ≤ µ ≤ m − 1.• Let λ = m − µ (period)• By induction, we need to show that Xn+λ = Xn for all
n ≥ µ.2014
-04-
11
Integer Factorization MethodsInteger Factorization
Cycles in Z/nZ
• For example, let n = 5, f (x) = (x + 4) mod 5 and x0 = 1.1,0,4,3,2,1,0,⋯
• Base: n = µ. Then, Xµ+λ = Xm = Xµ.• Assume Xn+λ = Xn for all some n• Then, Xn+1+λ = f (Xn+λ) = f (Xn) = Xn+1.• Example: n = 19, f (x) = (x2 − 1) mod n, x0 = 2.• Sequence: 2, 3, 8, 6, 16 -> 8 DRAW RHO• Then, ∃n s.t. X2n = Xn (let n = λ)
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Floyd’s cycle-finding algorithm
Input: function f and start-value x01: FloydCycle(f , x0)2: x ← f (x0), y ← f (f (x0))3: while x ≠ y do4: x ← f (x)5: y ← f (f (y))
Floyd’s cycle-finding algorithm
Input: function f and start-value x01: FloydCycle(f , x0)2: x ← f (x0), y ← f (f (x0))3: while x ≠ y do4: x ← f (x)5: y ← f (f (y))
2014
-04-
11
Integer Factorization MethodsInteger Factorization
Floyd’s cycle-findingFloyd’s cycle-finding algorithm
• Think of tortoise and hare going in circles: one slow, one fast;eventually they cross
• same with hour-hand and minute-hand of a clock
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Pollard’s ρ method
1: PollardRho(f ,n)2: x ← 2, y ← 2, g ← 13: while g = 1 do4: x ← f (x) ▷ Pollard used f (x) = x2 − 1 (mod n)5: y ← f (f (y))6: g ← gcd(∣x − y∣,n)7: if g = n then8: return failure9: else
10: return g ▷ g must be a divisor of n
Pollard’s ρ method
1: PollardRho(f ,n)2: x ← 2, y ← 2, g ← 13: while g = 1 do4: x ← f (x) ▷ Pollard used f (x) = x2 − 1 (mod n)5: y ← f (f (y))6: g ← gcd(∣x − y∣,n)7: if g = n then8: return failure9: else
10: return g ▷ g must be a divisor of n2014
-04-
11
Integer Factorization MethodsInteger Factorization
Pollard’s ρPollard’s ρ method
• J. M. Pollard, 1975.• n to be factored, finds non-trivial divisor• f a function with the property x ≡ y (mod p) implies
f (x) ≡ f (y) (mod p)• Original name is Monte Carlo factorization method, Pollard
initially called it ρ method though• Same exit condition as Floyd cycle: x = y iff
gcd(∣x − y∣,n) = gcd(1,n) = 1.• Cormen example: factoring 1387 = 19 × 73, using x2 − 1 mod n.• Mod 1387 sequence: 2, 3, 8, 63, 1194, 1186, 177, 814, 996,
310, 396, 84, 120, 529, 1053, 595, 339 -> 1186• Corresponding mod 19 ρ: 2, 3, 8, 6, 16 -> 8• Corresponding mod 73 ρ (don’t draw this one): 2, 3, 8, 63, 26,
18, 31, 11, 47 -> 18• 63 − 177, gcd(63 − 177,1387) = 19.
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Pollard’s ρ: Why does it work?
• Let p∣n prime.• Want p∣(x − y) so that gcd(∣x − y∣,n) ≥ p.• p∣(x − y) means x ≡ y (mod p).• When a cycle mod p is found, we find a factor.• When does that happen? Birthday paradox• For the birthday paradox to work, we need to expect that
f is a uniform function: Every remainder has an equalprobability of being chosen.
• This is a conjecture, but empirical data approximatelysupports it
Pollard’s ρ: Why does it work?
• Let p∣n prime.• Want p∣(x − y) so that gcd(∣x − y∣,n) ≥ p.• p∣(x − y) means x ≡ y (mod p).• When a cycle mod p is found, we find a factor.• When does that happen? Birthday paradox• For the birthday paradox to work, we need to expect that
f is a uniform function: Every remainder has an equalprobability of being chosen.
• This is a conjecture, but empirical data approximatelysupports it20
14-0
4-11
Integer Factorization MethodsInteger Factorization
Pollard’s ρPollard’s ρ: Why does it work?
• Make that gcd clear – p∣(x − y) and p∣n.• Z/nZ ultimately periodic.• Show a ρ, use example from Cormen• Cormen example: factoring 1387 = 19 × 73, using x2 − 1 mod n.• Mod 1387 sequence: 2, 3, 8, 63, 1194, 1186, 177, 814, 996,
310, 396, 84, 120, 529, 1053, 595, 339 -> 1186• Corresponding mod 19 ρ: 2, 3, 8, 6, 16 -> 8• Corresponding mod 73 ρ (don’t draw this one): 2, 3, 8, 63, 26,
18, 31, 11, 47 -> 18• 63 − 177, gcd(177 − 63,1387) = 19
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Birthday paradox
• “How many people need to be in a room so that there is aprobability of m that two of them have the samebirthday?”
• “How many random variables do we need to draw from fsuch that two of them have the same remainder mod pwith probability m?” (Xi ≡ Xj (mod p))
• Of course, 0 < m < 1.• Original birthday paradox: m = 0.5
Birthday paradox
• “How many people need to be in a room so that there is aprobability of m that two of them have the samebirthday?”
• “How many random variables do we need to draw from fsuch that two of them have the same remainder mod pwith probability m?” (Xi ≡ Xj (mod p))
• Of course, 0 < m < 1.• Original birthday paradox: m = 0.5
2014
-04-
11
Integer Factorization MethodsInteger Factorization
Birthday paradoxBirthday paradox
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Assume every event equally likely.
P(Xi ≡ r) = 1p
Assume the events are independent.
P(Xi ≡ r and Xj ≡ r) = P(Xi ≡ r)P(Xj ≡ r) = 1p2
Probability that once Xi is chosen, Xj will have same birthday:
P(Xi ≡ Xj) =1p
Complement: probability that all remainders are different.
Assume every event equally likely.
P(Xi ≡ r) = 1p
Assume the events are independent.
P(Xi ≡ r and Xj ≡ r) = P(Xi ≡ r)P(Xj ≡ r) = 1p2
Probability that once Xi is chosen, Xj will have same birthday:
P(Xi ≡ Xj) =1p
Complement: probability that all remainders are different.2014
-04-
11
Integer Factorization MethodsInteger Factorization
Birthday paradox
• Dropping mod p for convenience• Due to the functional iteration, the random variables Xi and Xj
are NOT independent! But we assume so for the sake of theanalysis (and so does Pollard in his initial paper.)
• Independent: Once Xi is there, the probability that Xj will besame remainder is 1/p.
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Let Ai be the event that Xi /≡ Xj for all 0 ≤ j < i.Then, the event that choosing λ random variables yieldsdistinct remainders is
Bλ =λ−1⋂i=0
Ai = Bλ−1 ∩Aλ−1
By defn of conditional probability:
P(Bλ) = P(Bλ−1)P(Aλ−1∣Bλ−1)
Then,P(Ai ∣Bi) =
p − ip
,
since for Ai , i remainders are already “occupied” and p − iremainders are “left.”
Let Ai be the event that Xi /≡ Xj for all 0 ≤ j < i.Then, the event that choosing λ random variables yieldsdistinct remainders is
Bλ =λ−1⋂i=0
Ai = Bλ−1 ∩Aλ−1
By defn of conditional probability:
P(Bλ) = P(Bλ−1)P(Aλ−1∣Bλ−1)
Then,P(Ai ∣Bi) =
p − ip
,
since for Ai , i remainders are already “occupied” and p − iremainders are “left.”20
14-0
4-11
Integer Factorization MethodsInteger Factorization
Birthday paradox
• Ai means Xi is distinct from every remainder Xj for j < i• Conditional probability definition: P(A∣B) = P(A∩B)
P(B)
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Expanding, we have (since P(B1) = P(A0) = 1)
P(Bλ) =λ−1∏i=0
P(Ai ∣Bi) =λ−1∏i=0
p − ip
=λ−1∏i=0
(1 − ip) = p!
(p − λ)!pλ
Using the approximation 1 − x ≈ e−x (Taylor series),
P(Bλ) ≈ 1 ×λ−1∏i=1
e−i/p = e−∑λ−1i=1 i/p = e−(λ
2−λ)/2p
Now, we want P(Bλ) ≤ 1 −m.Notice that this gets us the median for m = 0.5!
Expanding, we have (since P(B1) = P(A0) = 1)
P(Bλ) =λ−1∏i=0
P(Ai ∣Bi) =λ−1∏i=0
p − ip
=λ−1∏i=0
(1 − ip) = p!
(p − λ)!pλ
Using the approximation 1 − x ≈ e−x (Taylor series),
P(Bλ) ≈ 1 ×λ−1∏i=1
e−i/p = e−∑λ−1i=1 i/p = e−(λ
2−λ)/2p
Now, we want P(Bλ) ≤ 1 −m.Notice that this gets us the median for m = 0.5!20
14-0
4-11
Integer Factorization MethodsInteger Factorization
Birthday paradox
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Thus,
e−(λ2−λ)/2p ≤ 1 −m
λ2 − λ + 2p ln(1 −m) ≥ 0
Then,λ ≥ 1
2+ 12√1 − 8p ln(1 −m)
• Then, in Pollard’s ρ, we find a cycle mod p with probability12 after approximately 1
2√8 ln(2)p ≈ 1.177√p iterations.
• In fact, we always find a cycle mod p in θ(√p) steps.
Thus,
e−(λ2−λ)/2p ≤ 1 −m
λ2 − λ + 2p ln(1 −m) ≥ 0
Then,λ ≥ 1
2+ 12√1 − 8p ln(1 −m)
• Then, in Pollard’s ρ, we find a cycle mod p with probability12 after approximately 1
2√8 ln(2)p ≈ 1.177√p iterations.
• In fact, we always find a cycle mod p in θ(√p) steps.
2014
-04-
11
Integer Factorization MethodsInteger Factorization
Birthday paradox
• Error analysis for this: http://dx.doi.org/10.1137/1033051
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Different analysis due to Knuth: mean instead of median.
E[λ] =p+1∑λ=1
P(Bλ) = 1 +p∑λ=1
P(Bλ) = 1 +p∑λ=1
p!(p − λ)!pλ
Define the Ramanujan Q function:
Q(n) =n∑k=1
n!(n − k)!nk
Then,E[λ] = 1 +Q(p)
The Q function can be approximated by
Q(p) ≈√πp2
≈ 1.2533√p
Different analysis due to Knuth: mean instead of median.
E[λ] =p+1∑λ=1
P(Bλ) = 1 +p∑λ=1
P(Bλ) = 1 +p∑λ=1
p!(p − λ)!pλ
Define the Ramanujan Q function:
Q(n) =n∑k=1
n!(n − k)!nk
Then,E[λ] = 1 +Q(p)
The Q function can be approximated by
Q(p) ≈√πp2
≈ 1.2533√p2014
-04-
11
Integer Factorization MethodsInteger Factorization
Birthday paradox
• summing the tail probabilities• On Ramanujan’s Q function:
http://algo.inria.fr/flajolet/Publications/FlGrKiPr95.pdf
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Fermat’s method
n must be odd.1: Fermat(n)2: a ← ⌈√n⌉3: b ← a2 − n4: while b is not a square do5: a ← a + 16: b ← a2 − n7: return a −
√b ▷ or a +
√b
Fermat’s method
n must be odd.1: Fermat(n)2: a ← ⌈√n⌉3: b ← a2 − n4: while b is not a square do5: a ← a + 16: b ← a2 − n7: return a −
√b ▷ or a +
√b
2014
-04-
11
Integer Factorization MethodsInteger Factorization
Fermat’s methodFermat’s method
• Pierre de Fermat, when? Original paper?• n must be odd• finds non-trivial divisor
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Fermat’s: Why does it work?
• Every odd integer is the difference of two squares• n = a2 − b2 = (a + b)(a − b)• We hope that 1 < a + b < n (or equivalently same for a − b)• Rearrange: b2 = a2 − n.• Try values for a until b2 is a square.• Worst case: n is prime. O(n) steps.• Works best when prime factor is close to square-root of n.
Fermat’s: Why does it work?
• Every odd integer is the difference of two squares• n = a2 − b2 = (a + b)(a − b)• We hope that 1 < a + b < n (or equivalently same for a − b)• Rearrange: b2 = a2 − n.• Try values for a until b2 is a square.• Worst case: n is prime. O(n) steps.• Works best when prime factor is close to square-root of n.
2014
-04-
11
Integer Factorization MethodsInteger Factorization
Fermat’s methodFermat’s: Why does it work?
• Factor n = 5959. Then, a + b = 101,a − b = 59. 5959 = 59 × 101.Trial 1 2 3a 78 79 80b2 125 282 441b 11.18 16.79 21
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Fermat’s: An Improvement
• Is there a way to know when values of a make b2 a square?
• Bézout’s identity again: gcd(m,n) = 1, thenm[m−1]n + n[n−1]m = 1.
Theorem (Chinese Remainder Theorem)Let gcd(n,m) = 1. Then the following system has a solutionand every solution is congruent mod mn:
x ≡ a (mod n) x ≡ b (mod m)
Solutions are x ≡ am[m−1]n + bn[n−1]m (mod mn).
Fermat’s: An Improvement
• Is there a way to know when values of a make b2 a square?
• Bézout’s identity again: gcd(m,n) = 1, thenm[m−1]n + n[n−1]m = 1.
Theorem (Chinese Remainder Theorem)Let gcd(n,m) = 1. Then the following system has a solutionand every solution is congruent mod mn:
x ≡ a (mod n) x ≡ b (mod m)
Solutions are x ≡ am[m−1]n + bn[n−1]m (mod mn).
2014
-04-
11
Integer Factorization MethodsInteger Factorization
Fermat’s methodFermat’s: An Improvement
IntegerFactorizationMethods
C. Koch
Overview
ModularArithmeticDivision Algorithmand Congruence
Residue classes modn
Integers modulo n
Arithmetic withintegers mod n
GCD and Totatives
Inverses mod n
Euler’s Theorem
Cost ofMultiplicationand GCD
IntegerFactorizationTrial Division
Pollard’s p − 1
Cycles in Z/nZ
Floyd’s cycle-finding
Pollard’s ρ
Birthday paradox
Fermat’s method
Fermat’s: An Improvement
• Is there a way to know when values of a make b2 a square?• Bézout’s identity again: gcd(m,n) = 1, then
m[m−1]n + n[n−1]m = 1.
Theorem (Chinese Remainder Theorem)Let gcd(n,m) = 1. Then the following system has a solutionand every solution is congruent mod mn:
x ≡ a (mod n) x ≡ b (mod m)
Solutions are x ≡ am[m−1]n + bn[n−1]m (mod mn).
Fermat’s: An Improvement
• Is there a way to know when values of a make b2 a square?• Bézout’s identity again: gcd(m,n) = 1, then
m[m−1]n + n[n−1]m = 1.
Theorem (Chinese Remainder Theorem)Let gcd(n,m) = 1. Then the following system has a solutionand every solution is congruent mod mn:
x ≡ a (mod n) x ≡ b (mod m)
Solutions are x ≡ am[m−1]n + bn[n−1]m (mod mn).2014
-04-
11
Integer Factorization MethodsInteger Factorization
Fermat’s methodFermat’s: An Improvement
• Want to factor n = 2,345,678,917• ⌈√n⌉ = 48433• a2 ≡ 0,1,4,9 mod 16, n ≡ 5 mod 16.• a2 − n ≡ 11,12,15,9 mod 16. Then, a2 ≡ 9 mod 16 only
solution. That only happens a ≡ ±3,±5 mod 16.• Also consider mod 9. n ≡ 7 mod 9.• a2 ≡ 0,1,4,7 mod 9. Then, a2 − n ≡ 2,3,6,0 mod 9.• Thus, a2 ≡ 7 mod 9 only solution. That’s when a ≡ ±4 mod 9.• a = cn[n−1]m + dm[m−1]n = 16(4)c + (−7)9d
c / d ±3 ±5±4 ±5 ±13
Let c be the mod m values, d the mod n.
• Then, a ≡ ±5,±13 mod 9 × 16 (72)• Only 4 out of 72 integers are possible – only 4/72 need to be
checked