kochris.comkochris.com/public/presentation-factorization-notes.pdf · Integer Factorization Methods...

IntegerFactorizationMethods

C. Koch

Overview

ModularArithmeticDivision Algorithmand Congruence

Residue classes modn

Integers modulo n

Arithmetic withintegers mod n

GCD and Totatives

Inverses mod n

Euler’s Theorem

Cost ofMultiplicationand GCD

IntegerFactorizationTrial Division

Pollard’s p − 1

Cycles in Z/nZ

Floyd’s cycle-finding

Pollard’s ρ

Birthday paradox

Fermat’s method

Integer Factorization MethodsTrial division, Pollard’s p − 1,

Pollard’s ρ, and Fermat’s method

Christopher Koch1

1Department of Computer Science and EngineeringCSE489/589 Algorithms in CS & IT

New Mexico Tech

April 8, 2014

Integer Factorization MethodsTrial division, Pollard’s p − 1,

Pollard’s ρ, and Fermat’s method

Christopher Koch1

1Department of Computer Science and EngineeringCSE489/589 Algorithms in CS & IT

New Mexico Tech

April 8, 20142014

-04-

11

Integer Factorization Methods


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Overview

• Intro to modular arithmetic• Euler’s theorem and Fermat’s little theorem• Trial division• Pollard’s p − 1 method• Cycles in Z/nZ• Floyd’s cycle-finding algorithm• Pollard’s ρ method (Monte Carlo factorization)• Birthday paradox• Fermat’s method

Conventiona, b, c,d,m,n are integers, p, q are primes

Overview

• Intro to modular arithmetic• Euler’s theorem and Fermat’s little theorem• Trial division• Pollard’s p − 1 method• Cycles in Z/nZ• Floyd’s cycle-finding algorithm• Pollard’s ρ method (Monte Carlo factorization)• Birthday paradox• Fermat’s method

Conventiona, b, c,d,m,n are integers, p, q are primes

2014

-04-

11

Integer Factorization MethodsOverview

Overview

• Monte Carlo method: dependent on some kind of randomnumber/function/process


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Modular Arithmetic

• a∣b (a divides b) if b is a multiple of a.• quotient and remainder unique in integer division• Congruence modulo n:

a ≡ b (mod n) iff n∣(a − b).

Modular Arithmetic

• a∣b (a divides b) if b is a multiple of a.• quotient and remainder unique in integer division• Congruence modulo n:

a ≡ b (mod n) iff n∣(a − b).

2014

-04-

11

Integer Factorization MethodsModular Arithmetic

Division Algorithm and CongruenceModular Arithmetic

• Division Algorithm: Given a, b there exist unique q, r

a = bq + r where 0 ≤ r < b.

• For example, 13 ≡ 8 ≡ 3 (mod 5).• Intuition: a and b have same remainder when divided by n


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Residue classes

• Congruence modulo n is an equivalence relation onintegers.

• Equivalence classes: one for each remainder

[a]n = {x ∶ x ≡ a (mod n)} .

• Called residue classes mod n

Residue classes

• Congruence modulo n is an equivalence relation onintegers.

• Equivalence classes: one for each remainder

[a]n = {x ∶ x ≡ a (mod n)} .

• Called residue classes mod n

2014

-04-

11


Residue classes mod nResidue classes

• Equivalence classes of congruence: Integers with sameremainder are related to each other

• Each remainder thus forms an equivalence class• Example: Residue classes mod 4, residue classes mod 2 (even,

odd)


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Integers modulo n

• Integers modulo n: set of residue classes mod n:

Z/nZ = {[r]n ∶ r ∈ Z} .

• How to do arithmetic in mod n? What is [3]4 + [1]4?

Integers modulo n

• Integers modulo n: set of residue classes mod n:

Z/nZ = {[r]n ∶ r ∈ Z} .

• How to do arithmetic in mod n? What is [3]4 + [1]4?

2014

-04-

11


Integers modulo nIntegers modulo n

• For example, Z/4Z = {[0]4 , [1]4 , [2]4 , [3]4}• 24-hour clock• Intuition: notion of “finite discreteness”• Like b-bit (unsigned) integers – Z/2bZ – overflow “wraps” back

around (most general-purpose architectures don’t do saturationarithmetic, so it wraps around like modular arithmetic)

• But also, [5]4 ∈ Z/4Z. Why?• Because [5]4 = [1]4, since 5 ≡ 1 (mod 4).


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Arithmetic mod n

DefinitionLet n ∈ Z+ and a, b ∈ Z. Then,

[a]n + [b]n = [a + b]n

[a]n × [b]n = [a × b]n

• Similarly,

[a]n − [b]n = [a]n + [−b]n = [a − b]n .

Arithmetic mod n

DefinitionLet n ∈ Z+ and a, b ∈ Z. Then,

[a]n + [b]n = [a + b]n

[a]n × [b]n = [a × b]n

• Similarly,

[a]n − [b]n = [a]n + [−b]n = [a − b]n .

2014

-04-

11


Arithmetic with integers mod nArithmetic mod n

• Example here: 24-hour clock, adding 12 and 25, and multiplying13 by 2

• Proof that well-defined: Pick x ∈ [a]n, y ∈ [b]n differentrepresentatives, show x + y ∈ [a + b]n since x ≡ a (mod n) andy ≡ b (mod n) implies x + y ≡ a + b (mod n).


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

GCD and Totatives

• gcd(a, b) is the greatest common divisor of a and b• a, b are called coprime or relatively prime if gcd(a, b) = 1.

a is called a totative of b and vice versa.• Bézout’s identity: If gcd(n,m) = d, then there exist k, l

s.t. nk +ml = d.• ϕ(n) counts the number totatives less than n:

ϕ(n) = ∣{c ∶ 1 ≤ c < n and gcd(c,n) = 1}∣ .

• We have ϕ(mn) = ϕ(n)ϕ(m).

GCD and Totatives

• gcd(a, b) is the greatest common divisor of a and b• a, b are called coprime or relatively prime if gcd(a, b) = 1.

a is called a totative of b and vice versa.• Bézout’s identity: If gcd(n,m) = d, then there exist k, l

s.t. nk +ml = d.• ϕ(n) counts the number totatives less than n:

ϕ(n) = ∣{c ∶ 1 ≤ c < n and gcd(c,n) = 1}∣ .

• We have ϕ(mn) = ϕ(n)ϕ(m).2014

-04-

11


GCD and TotativesGCD and Totatives

• Example: gcd(40,6) = 2.• Example: ϕ(p) = p − 1.• Multiplicative ϕ useful since ϕ(pq) = ϕ(p)ϕ(q) = (p − 1)(q − 1).

(easy to compute)• Totative of n is a number m that is coprime to n


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Inverses mod n

• Notice: no division in mod n!• Division is usually defined as multiplication by the

multiplicative inverse.• Multiplicative inverse of [a]n is [b]n such that

[a]n[b]n = [1]n ; i.e. ab ≡ 1 (mod n).

Inverses mod n

• Notice: no division in mod n!• Division is usually defined as multiplication by the

multiplicative inverse.• Multiplicative inverse of [a]n is [b]n such that

[a]n[b]n = [1]n ; i.e. ab ≡ 1 (mod n).

2014

-04-

11


Inverses mod nInverses mod n

• Example here: 2 ∈ Z/4Z and its inverse? 4 ∈ Z/7Z and itsinverse?


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Theorem[a]n ∈ Z/nZ has a multiplicative inverse if and only ifgcd(a,n) = 1.

• Drawing from previous example: gcd(4,2) = 2, whilegcd(4,7) = 1.

• That means that every element except 0 in Z/pZ has aninverse, since a prime is coprime to every element below it.

• Bézout’s identity again: gcd(m,n) = 1, thenm[m−1]n + n[n−1]m = 1.

Theorem[a]n ∈ Z/nZ has a multiplicative inverse if and only ifgcd(a,n) = 1.

• Drawing from previous example: gcd(4,2) = 2, whilegcd(4,7) = 1.

• That means that every element except 0 in Z/pZ has aninverse, since a prime is coprime to every element below it.


2014

-04-

11


Inverses mod n

• Proof: see write-up of notes on intro to mod arithmetic


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Euler’s and Fermat’s Theorems

Theorem (Euler, Euler totient, Euler-Fermat)Let a,n be coprime. Then,

aϕ(n) ≡ 1 (mod n).

Corollary (Fermat)Unless a is a multiple of p,

ap−1 ≡ 1 (mod p).

• Leonhard Euler, 1707-1783. Euler-Fermat Theorem. Fermat’slittle theorem was the origin, Euler gave proof for it in 1736 andkept working until Euler-Fermat was in its final form in 1761.

• E54 (Theorematum Quorundam ad Numeros PrimosSpectantium Demonstratio) proves Fermat’s – by induction onbinomial series expansion (1 + 1)p−1 etc / induction as we knowit today (he bashes on Fermat’s notion of induction and how hedisproved Fermat’s conjecture that 22n + 1 is prime for any n)

• Modern proof: using LaGrange’s theorem (subgroup H of G,o(H )∣o(G)), let H = (Z/nZ)∗ and G = Z/nZ; and sinceao(H) ≡ 1 for a ∈ H

• Carmichael’s theorem: aλ(n) ≡ 1 mod n where λ(n) = 0.5ϕ(n)if n is a power of 2 and all other λ(n) = ϕ(n).

• Pierre de Fermat, 1601-1665, Fermat’s last theoreman + bn ≠ cn for n ≥ 2.

• Application to RSA: Let M be a message. M mϕ(n)+1 ≡ M(mod n). So, let’s find ed = mϕ(n) + 1, i.e. ed ≡ 1(mod ϕ(n)).

• C(M) = M e (mod n), D(M) = M d (mod n). Then,C(D(M)) = M de ≡ M mϕ(n)+1 ≡ M (mod n)

• Choose twoprime n = pq for easy ϕ computation


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Cost of Multiplication and GCD

ConventionWe will denote the cost of multiplication by M(n) and the costof the GCD by G(n) for n-digit numbers.

• Schoolbook multiplication: M(n) ∈ O(n2).• Schönhage-Strassen: M(n) ∈ O(n lgn lg lgn).• Euclidean GCD: G(n) ∈ O(n2).• Schönhage’s GCD: G(n) ∈ O(M(n) lgn).• Modular exponentiation (ak mod b): O(M(c) lg k),

where c =max(lg a, lg b).


ConventionWe will denote the cost of multiplication by M(n) and the costof the GCD by G(n) for n-digit numbers.

• Schoolbook multiplication: M(n) ∈ O(n2).• Schönhage-Strassen: M(n) ∈ O(n lgn lg lgn).• Euclidean GCD: G(n) ∈ O(n2).• Schönhage’s GCD: G(n) ∈ O(M(n) lgn).• Modular exponentiation (ak mod b): O(M(c) lg k),

where c =max(lg a, lg b).2014

-04-

11

Integer Factorization MethodsCost of Multiplication and GCD


• Schönhage GCD (“controlled Euclidean descent”): ActaInformatica vol I no 3 1971

• Schönhage-Strassen: Computing Vol 7 1971


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Integer Factorization

Theorem (Fundamental Theorem of Arithmetic)Let n be an integer. Then there exist unique primesp1,p2,⋯,pk not necessarily distinct such that

n = p1 × p2 ×⋯ × pk .

• In essence, every integer can be factored uniquely intoprimes. For example, 20 = 2 × 2 × 5.

• FTA guarantees existence of that factorization, but howdo you find it?

ConventionIn the following slides, every big O is given in terms of inputvalues instead of input length.


Theorem (Fundamental Theorem of Arithmetic)Let n be an integer. Then there exist unique primesp1,p2,⋯,pk not necessarily distinct such that

n = p1 × p2 ×⋯ × pk .

• In essence, every integer can be factored uniquely intoprimes. For example, 20 = 2 × 2 × 5.

• FTA guarantees existence of that factorization, but howdo you find it?

ConventionIn the following slides, every big O is given in terms of inputvalues instead of input length.

2014

-04-

11

Integer Factorization MethodsInteger Factorization


• FTA first written down and proved by Euclid in his treatiseElements, 300BC (differently, of course)

• Proof: existence by induction, base case n = 2 / uniqueness:Euclid’s lemma or elementary using the smallest integer that isproduct of two different prime factorizations

• Euclid’s lemma: p∣ab implies p∣a or p∣b.• Erdős-Kac Theorem: ω(n) number of distinct prime factors of

n, then the probability distribution of

ω(n) − log logn√log logn

is the standard normal distribution.


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Trial Division

1: TrialDivision(n)2: D ← ()3: for all p in primes(√n) do4: while n mod p = 0 do5: append(D,p)6: n ← n/p7: if n > 1 then8: append(D,n)9: return D

• How often does for-loop execute?• Prime-counting function π(m).• How often does while execute? In total, at most

logp(n) ≤ lgn (since lg 2 ≤ lg p for all p ≥ 1)

Trial Division

1: TrialDivision(n)2: D ← ()3: for all p in primes(√n) do4: while n mod p = 0 do5: append(D,p)6: n ← n/p7: if n > 1 then8: append(D,n)9: return D

• How often does for-loop execute?• Prime-counting function π(m).• How often does while execute? In total, at most

logp(n) ≤ lgn (since lg 2 ≤ lg p for all p ≥ 1)

2014

-04-

11


Trial DivisionTrial Division

• Loop executes π (√n).


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Trial Division: Analysis

Theorem (Prime number theorem)

limx→∞

π(x)x/ ln(x) = 1.

This implies π(x) ∈ O ( xln x ).

Then, for an integer n to be factored, trial division is

O (π (√

n) lg(n)M(lgn)) = O (√

nM(lgn)) .

Trial Division: Analysis

Theorem (Prime number theorem)

limx→∞

π(x)x/ ln(x) = 1.

This implies π(x) ∈ O ( xln x ).

Then, for an integer n to be factored, trial division is

O (π (√

n) lg(n)M(lgn)) = O (√

nM(lgn)) .

2014

-04-

11


Trial DivisionTrial Division: Analysis

• Landau notation (Bachman) in terms of limits: f (n) ∈ O(g(n))if

limn→∞

∣ f (n)g(n) ∣ <∞.

• PNT conjectured by Gauß in 1792 by his own account at 15years old (Gauß, Hubert Mania)

• PNT first proved by Hadamard and Vallée-Poussin (1896)• TODO / MAYBE: talk about distribution of prime factors, the

O of the first prime factor being found and last factor beingfound. Might be useful for following sections.


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Pollard’s p − 1 method

1: PollardP-1(n,B)2: K ← ∏

primes p≤Bp⌊logp(n)⌋

3: m ← (2K − 1) mod n ▷ modular exponentiation4: g ← gcd (m,n)5: if g = 1 then6: either increase B and7: return PollardP-1(n,B)8: or return failure9: else

10: return g ▷ g must be a divisor of n

Pollard’s p − 1 method

1: PollardP-1(n,B)2: K ← ∏

primes p≤Bp⌊logp(n)⌋

3: m ← (2K − 1) mod n ▷ modular exponentiation4: g ← gcd (m,n)5: if g = 1 then6: either increase B and7: return PollardP-1(n,B)8: or return failure9: else

10: return g ▷ g must be a divisor of n2014

-04-

11


Pollard’s p − 1Pollard’s p − 1 method

• John M. Pollard, 1974.• Periodicals of the Cambridge Phil Society, 1974, Theorems on

Primality Testing and Factorization• and Lenstra’s ECM paper and MIT Elliptic Curves Spring 2013

course• n to be factored, finds non-trivial divisor of n• B smoothness bound• Since m < n, g < n• Original method detailed a second step to be taken for

deterministic factorization: L < M < n, M < L2.• b ≡ am mod n where m is product of primes less than or equal

L to some power. Find d = gcd(b − 1,n). If d = n, decrease Land repeat.

• Step 2: For primes L < p < M , Fp = (bp − 1) mod n, findgcd(Fp,n).


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Pollard’s p − 1: Why does it work?

Corollary (Fermat’s little theorem)For a < p, ap−1 ≡ 1 (mod p). That is, p∣ (ap−1 − 1).

• Assume p is a prime divisor of n.• That means that gcd(ap−1 − 1,n) ≥ p.• The preceding also works if the exponent is a multiple of

some p − 1, i.e. aK − 1 where K is a multiple of p − 1.• Goal: choose K such that it is likely to be the multiple of

some p − 1 for a prime divisor p.

Pollard’s p − 1: Why does it work?

Corollary (Fermat’s little theorem)For a < p, ap−1 ≡ 1 (mod p). That is, p∣ (ap−1 − 1).

• Assume p is a prime divisor of n.• That means that gcd(ap−1 − 1,n) ≥ p.• The preceding also works if the exponent is a multiple of

some p − 1, i.e. aK − 1 where K is a multiple of p − 1.• Goal: choose K such that it is likely to be the multiple of

some p − 1 for a prime divisor p.2014

-04-

11


Pollard’s p − 1Pollard’s p − 1: Why does it work?

• I.e. we have found a non-trivial divisor.• p − 1 only finds factors p that are of the form

p − 1 = A

where A is some product of primes less than B. (p − 1 must beB-(power)smooth.)

• Original version: p − 1 = Aq for some L < q < M .• Example 1: n = 540143, choose B = 8 and

K = lcm(2,⋯B) = 840 (easier). Then, 2K mod n = 53047 andgcd(2K − 1,n) = 421. Then, 540143 = 421 × 1283.

• Example 2: n = 491389 = 383× 1283. Because 383− 1 = 2× 191,we have 191∣K and B ≥ 191 (for lcm). INFEASIBLE.


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Pollard’s p − 1: Analysis

The exp and modular exp can be combined:1: K ← 22: for all p in primes(B) do3: pc ← p4: while pc < n do5: K ← Kp (mod n)6: pc ← pc ∗ p7: g ← gcd(K − 1,n)


The exp and modular exp can be combined:1: K ← 22: for all p in primes(B) do3: pc ← p4: while pc < n do5: K ← Kp (mod n)6: pc ← pc ∗ p7: g ← gcd(K − 1,n)

2014

-04-

11


Pollard’s p − 1Pollard’s p − 1: Analysis

• ∑p ⌊logp(n)⌋ multiplications and mod exps.• Each mod exp is O(lg(p)M(lgn))• Each mult M(lgn).• Then, ∑p logp(n) lg(p)M(lgn) = ∑p lg(n)M(lgn)


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method


• ∑p

⌊logp(n)⌋ multiplications and mod exps.

• Each mod exp is O(lg(p)M(lgn))• Each mult M(lgn).• Then, ∑

plogp(n) lg(p)M(lgn) =∑

plg(n)M(lgn)

• Then, we have

O(G(lgn) + π(B) lg(n)M(lgn)).

• Then, complexity of one iteration of Pollard’s p − 1 is

O(π(B) lg(n)M(lgn)).


• ∑p

⌊logp(n)⌋ multiplications and mod exps.

• Each mod exp is O(lg(p)M(lgn))• Each mult M(lgn).• Then, ∑

plogp(n) lg(p)M(lgn) =∑

plg(n)M(lgn)

• Then, we have

O(G(lgn) + π(B) lg(n)M(lgn)).

• Then, complexity of one iteration of Pollard’s p − 1 is

O(π(B) lg(n)M(lgn)).2014

-04-

11


Pollard’s p − 1Pollard’s p − 1: Analysis

• Multiplication is M(lgn) since pc < n and p < n• Mod exp is O(lg(p)M(lgn)) since mod exp is

O(∣exp∣M(∣max(base,modulus)∣).• G(lgn) = O(M(lgn) lg lgn), so less than the other stuff• Mult + mod exp: O ((lg(p) + 1)M(lgn)) = O(lg(p)M(lgn)).• Notice: If B = √

n, worse than trial division when TD finds allfactors and p − 1 finds one

• MIT’s Elliptic Curve class agrees


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Cycles in Z/nZ

DefinitionA sequence {Xi}i≥0 is considered periodic if there exists a suchthat Xm+a = Xm for all m ≥ 0

• Ultimately periodic if for all m ≥ M (some starting value)

Cycles in Z/nZ

DefinitionA sequence {Xi}i≥0 is considered periodic if there exists a suchthat Xm+a = Xm for all m ≥ 0

• Ultimately periodic if for all m ≥ M (some starting value)

2014

-04-

11


Cycles in Z/nZCycles in Z/nZ

• Periodic: 1, 2, 3, 1, 2, 3, 1, 2, 3, . . .• Ultimately periodic: 3, 2, 4, 5, 1, 4, 5, 1, 4, 5, 1, . . .• Since Z/nZ “wraps around” in a sense, we can find cycles in it.• a is called period.


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

• Let f ∶ Z/nZ→ Z/nZ.• Consider a sequence {Xi}i≥0 where Xi ∈ Z/nZ and

Xm+1 = f (Xm).• The sequence is ultimately periodic.

Proof:

• Assume X0,X1,⋯,Xm−1 distinct for some m and Xm isnot. m ≤ n by Pidgeonhole

• Then, Xm = Xµ for some 0 ≤ µ ≤ m − 1.• Let λ = m − µ (period)• By induction, we need to show that Xn+λ = Xn for all

n ≥ µ.

• Let f ∶ Z/nZ→ Z/nZ.• Consider a sequence {Xi}i≥0 where Xi ∈ Z/nZ and

Xm+1 = f (Xm).• The sequence is ultimately periodic.

Proof:

• Assume X0,X1,⋯,Xm−1 distinct for some m and Xm isnot. m ≤ n by Pidgeonhole

• Then, Xm = Xµ for some 0 ≤ µ ≤ m − 1.• Let λ = m − µ (period)• By induction, we need to show that Xn+λ = Xn for all

n ≥ µ.2014

-04-

11


Cycles in Z/nZ

• For example, let n = 5, f (x) = (x + 4) mod 5 and x0 = 1.1,0,4,3,2,1,0,⋯

• Base: n = µ. Then, Xµ+λ = Xm = Xµ.• Assume Xn+λ = Xn for all some n• Then, Xn+1+λ = f (Xn+λ) = f (Xn) = Xn+1.• Example: n = 19, f (x) = (x2 − 1) mod n, x0 = 2.• Sequence: 2, 3, 8, 6, 16 -> 8 DRAW RHO• Then, ∃n s.t. X2n = Xn (let n = λ)


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Floyd’s cycle-finding algorithm

Input: function f and start-value x01: FloydCycle(f , x0)2: x ← f (x0), y ← f (f (x0))3: while x ≠ y do4: x ← f (x)5: y ← f (f (y))

Floyd’s cycle-finding algorithm

Input: function f and start-value x01: FloydCycle(f , x0)2: x ← f (x0), y ← f (f (x0))3: while x ≠ y do4: x ← f (x)5: y ← f (f (y))

2014

-04-

11


Floyd’s cycle-findingFloyd’s cycle-finding algorithm

• Think of tortoise and hare going in circles: one slow, one fast;eventually they cross

• same with hour-hand and minute-hand of a clock


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Pollard’s ρ method

1: PollardRho(f ,n)2: x ← 2, y ← 2, g ← 13: while g = 1 do4: x ← f (x) ▷ Pollard used f (x) = x2 − 1 (mod n)5: y ← f (f (y))6: g ← gcd(∣x − y∣,n)7: if g = n then8: return failure9: else

10: return g ▷ g must be a divisor of n

Pollard’s ρ method

1: PollardRho(f ,n)2: x ← 2, y ← 2, g ← 13: while g = 1 do4: x ← f (x) ▷ Pollard used f (x) = x2 − 1 (mod n)5: y ← f (f (y))6: g ← gcd(∣x − y∣,n)7: if g = n then8: return failure9: else

10: return g ▷ g must be a divisor of n2014

-04-

11


Pollard’s ρPollard’s ρ method

• J. M. Pollard, 1975.• n to be factored, finds non-trivial divisor• f a function with the property x ≡ y (mod p) implies

f (x) ≡ f (y) (mod p)• Original name is Monte Carlo factorization method, Pollard

initially called it ρ method though• Same exit condition as Floyd cycle: x = y iff

gcd(∣x − y∣,n) = gcd(1,n) = 1.• Cormen example: factoring 1387 = 19 × 73, using x2 − 1 mod n.• Mod 1387 sequence: 2, 3, 8, 63, 1194, 1186, 177, 814, 996,

310, 396, 84, 120, 529, 1053, 595, 339 -> 1186• Corresponding mod 19 ρ: 2, 3, 8, 6, 16 -> 8• Corresponding mod 73 ρ (don’t draw this one): 2, 3, 8, 63, 26,

18, 31, 11, 47 -> 18• 63 − 177, gcd(63 − 177,1387) = 19.


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Pollard’s ρ: Why does it work?

• Let p∣n prime.• Want p∣(x − y) so that gcd(∣x − y∣,n) ≥ p.• p∣(x − y) means x ≡ y (mod p).• When a cycle mod p is found, we find a factor.• When does that happen? Birthday paradox• For the birthday paradox to work, we need to expect that

f is a uniform function: Every remainder has an equalprobability of being chosen.

• This is a conjecture, but empirical data approximatelysupports it

Pollard’s ρ: Why does it work?

• Let p∣n prime.• Want p∣(x − y) so that gcd(∣x − y∣,n) ≥ p.• p∣(x − y) means x ≡ y (mod p).• When a cycle mod p is found, we find a factor.• When does that happen? Birthday paradox• For the birthday paradox to work, we need to expect that

f is a uniform function: Every remainder has an equalprobability of being chosen.

• This is a conjecture, but empirical data approximatelysupports it20

14-0

4-11


Pollard’s ρPollard’s ρ: Why does it work?

• Make that gcd clear – p∣(x − y) and p∣n.• Z/nZ ultimately periodic.• Show a ρ, use example from Cormen• Cormen example: factoring 1387 = 19 × 73, using x2 − 1 mod n.• Mod 1387 sequence: 2, 3, 8, 63, 1194, 1186, 177, 814, 996,

310, 396, 84, 120, 529, 1053, 595, 339 -> 1186• Corresponding mod 19 ρ: 2, 3, 8, 6, 16 -> 8• Corresponding mod 73 ρ (don’t draw this one): 2, 3, 8, 63, 26,

18, 31, 11, 47 -> 18• 63 − 177, gcd(177 − 63,1387) = 19


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Birthday paradox

• “How many people need to be in a room so that there is aprobability of m that two of them have the samebirthday?”

• “How many random variables do we need to draw from fsuch that two of them have the same remainder mod pwith probability m?” (Xi ≡ Xj (mod p))

• Of course, 0 < m < 1.• Original birthday paradox: m = 0.5

Birthday paradox

• “How many people need to be in a room so that there is aprobability of m that two of them have the samebirthday?”

• “How many random variables do we need to draw from fsuch that two of them have the same remainder mod pwith probability m?” (Xi ≡ Xj (mod p))

• Of course, 0 < m < 1.• Original birthday paradox: m = 0.5

2014

-04-

11


Birthday paradoxBirthday paradox


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Assume every event equally likely.

P(Xi ≡ r) = 1p

Assume the events are independent.

P(Xi ≡ r and Xj ≡ r) = P(Xi ≡ r)P(Xj ≡ r) = 1p2

Probability that once Xi is chosen, Xj will have same birthday:

P(Xi ≡ Xj) =1p

Complement: probability that all remainders are different.

Assume every event equally likely.

P(Xi ≡ r) = 1p

Assume the events are independent.

P(Xi ≡ r and Xj ≡ r) = P(Xi ≡ r)P(Xj ≡ r) = 1p2

Probability that once Xi is chosen, Xj will have same birthday:

P(Xi ≡ Xj) =1p

Complement: probability that all remainders are different.2014

-04-

11


Birthday paradox

• Dropping mod p for convenience• Due to the functional iteration, the random variables Xi and Xj

are NOT independent! But we assume so for the sake of theanalysis (and so does Pollard in his initial paper.)

• Independent: Once Xi is there, the probability that Xj will besame remainder is 1/p.


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Let Ai be the event that Xi /≡ Xj for all 0 ≤ j < i.Then, the event that choosing λ random variables yieldsdistinct remainders is

Bλ =λ−1⋂i=0

Ai = Bλ−1 ∩Aλ−1

By defn of conditional probability:

P(Bλ) = P(Bλ−1)P(Aλ−1∣Bλ−1)

Then,P(Ai ∣Bi) =

p − ip

,

since for Ai , i remainders are already “occupied” and p − iremainders are “left.”

Let Ai be the event that Xi /≡ Xj for all 0 ≤ j < i.Then, the event that choosing λ random variables yieldsdistinct remainders is

Bλ =λ−1⋂i=0

Ai = Bλ−1 ∩Aλ−1

By defn of conditional probability:

P(Bλ) = P(Bλ−1)P(Aλ−1∣Bλ−1)

Then,P(Ai ∣Bi) =

p − ip

,

since for Ai , i remainders are already “occupied” and p − iremainders are “left.”20

14-0

4-11


Birthday paradox

• Ai means Xi is distinct from every remainder Xj for j < i• Conditional probability definition: P(A∣B) = P(A∩B)

P(B)


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Expanding, we have (since P(B1) = P(A0) = 1)

P(Bλ) =λ−1∏i=0

P(Ai ∣Bi) =λ−1∏i=0

p − ip

=λ−1∏i=0

(1 − ip) = p!

(p − λ)!pλ

Using the approximation 1 − x ≈ e−x (Taylor series),

P(Bλ) ≈ 1 ×λ−1∏i=1

e−i/p = e−∑λ−1i=1 i/p = e−(λ

2−λ)/2p

Now, we want P(Bλ) ≤ 1 −m.Notice that this gets us the median for m = 0.5!

Expanding, we have (since P(B1) = P(A0) = 1)

P(Bλ) =λ−1∏i=0

P(Ai ∣Bi) =λ−1∏i=0

p − ip

=λ−1∏i=0

(1 − ip) = p!

(p − λ)!pλ

Using the approximation 1 − x ≈ e−x (Taylor series),

P(Bλ) ≈ 1 ×λ−1∏i=1

e−i/p = e−∑λ−1i=1 i/p = e−(λ

2−λ)/2p

Now, we want P(Bλ) ≤ 1 −m.Notice that this gets us the median for m = 0.5!20

14-0

4-11


Birthday paradox


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Thus,

e−(λ2−λ)/2p ≤ 1 −m

λ2 − λ + 2p ln(1 −m) ≥ 0

Then,λ ≥ 1

2+ 12√1 − 8p ln(1 −m)

• Then, in Pollard’s ρ, we find a cycle mod p with probability12 after approximately 1

2√8 ln(2)p ≈ 1.177√p iterations.

• In fact, we always find a cycle mod p in θ(√p) steps.

Thus,

e−(λ2−λ)/2p ≤ 1 −m

λ2 − λ + 2p ln(1 −m) ≥ 0

Then,λ ≥ 1

2+ 12√1 − 8p ln(1 −m)

• Then, in Pollard’s ρ, we find a cycle mod p with probability12 after approximately 1

2√8 ln(2)p ≈ 1.177√p iterations.

• In fact, we always find a cycle mod p in θ(√p) steps.

2014

-04-

11


Birthday paradox

• Error analysis for this: http://dx.doi.org/10.1137/1033051


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Different analysis due to Knuth: mean instead of median.

E[λ] =p+1∑λ=1

P(Bλ) = 1 +p∑λ=1

P(Bλ) = 1 +p∑λ=1

p!(p − λ)!pλ

Define the Ramanujan Q function:

Q(n) =n∑k=1

n!(n − k)!nk

Then,E[λ] = 1 +Q(p)

The Q function can be approximated by

Q(p) ≈√πp2

≈ 1.2533√p

Different analysis due to Knuth: mean instead of median.

E[λ] =p+1∑λ=1

P(Bλ) = 1 +p∑λ=1

P(Bλ) = 1 +p∑λ=1

p!(p − λ)!pλ

Define the Ramanujan Q function:

Q(n) =n∑k=1

n!(n − k)!nk

Then,E[λ] = 1 +Q(p)

The Q function can be approximated by

Q(p) ≈√πp2

≈ 1.2533√p2014

-04-

11


Birthday paradox

• summing the tail probabilities• On Ramanujan’s Q function:

http://algo.inria.fr/flajolet/Publications/FlGrKiPr95.pdf


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Fermat’s method

n must be odd.1: Fermat(n)2: a ← ⌈√n⌉3: b ← a2 − n4: while b is not a square do5: a ← a + 16: b ← a2 − n7: return a −

√b ▷ or a +

√b

Fermat’s method

n must be odd.1: Fermat(n)2: a ← ⌈√n⌉3: b ← a2 − n4: while b is not a square do5: a ← a + 16: b ← a2 − n7: return a −

√b ▷ or a +

√b

2014

-04-

11


Fermat’s methodFermat’s method

• Pierre de Fermat, when? Original paper?• n must be odd• finds non-trivial divisor


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Fermat’s: Why does it work?

• Every odd integer is the difference of two squares• n = a2 − b2 = (a + b)(a − b)• We hope that 1 < a + b < n (or equivalently same for a − b)• Rearrange: b2 = a2 − n.• Try values for a until b2 is a square.• Worst case: n is prime. O(n) steps.• Works best when prime factor is close to square-root of n.

Fermat’s: Why does it work?

• Every odd integer is the difference of two squares• n = a2 − b2 = (a + b)(a − b)• We hope that 1 < a + b < n (or equivalently same for a − b)• Rearrange: b2 = a2 − n.• Try values for a until b2 is a square.• Worst case: n is prime. O(n) steps.• Works best when prime factor is close to square-root of n.

2014

-04-

11


Fermat’s methodFermat’s: Why does it work?

• Factor n = 5959. Then, a + b = 101,a − b = 59. 5959 = 59 × 101.Trial 1 2 3a 78 79 80b2 125 282 441b 11.18 16.79 21


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method

Fermat’s: An Improvement

• Is there a way to know when values of a make b2 a square?


Theorem (Chinese Remainder Theorem)Let gcd(n,m) = 1. Then the following system has a solutionand every solution is congruent mod mn:

x ≡ a (mod n) x ≡ b (mod m)

Solutions are x ≡ am[m−1]n + bn[n−1]m (mod mn).


• Is there a way to know when values of a make b2 a square?





2014

-04-

11


Fermat’s methodFermat’s: An Improvement


C. Koch

Overview



Integers modulo n


GCD and Totatives

Inverses mod n

Euler’s Theorem



Pollard’s p − 1

Cycles in Z/nZ


Pollard’s ρ

Birthday paradox

Fermat’s method


• Is there a way to know when values of a make b2 a square?• Bézout’s identity again: gcd(m,n) = 1, then

m[m−1]n + n[n−1]m = 1.





• Is there a way to know when values of a make b2 a square?• Bézout’s identity again: gcd(m,n) = 1, then

m[m−1]n + n[n−1]m = 1.



Solutions are x ≡ am[m−1]n + bn[n−1]m (mod mn).2014

-04-

11


Fermat’s methodFermat’s: An Improvement

• Want to factor n = 2,345,678,917• ⌈√n⌉ = 48433• a2 ≡ 0,1,4,9 mod 16, n ≡ 5 mod 16.• a2 − n ≡ 11,12,15,9 mod 16. Then, a2 ≡ 9 mod 16 only

solution. That only happens a ≡ ±3,±5 mod 16.• Also consider mod 9. n ≡ 7 mod 9.• a2 ≡ 0,1,4,7 mod 9. Then, a2 − n ≡ 2,3,6,0 mod 9.• Thus, a2 ≡ 7 mod 9 only solution. That’s when a ≡ ±4 mod 9.• a = cn[n−1]m + dm[m−1]n = 16(4)c + (−7)9d

c / d ±3 ±5±4 ±5 ±13

Let c be the mod m values, d the mod n.

• Then, a ≡ ±5,±13 mod 9 × 16 (72)• Only 4 out of 72 integers are possible – only 4/72 need to be

checked

kochris.comkochris.com/public/presentation-factorization-notes.pdf · Integer Factorization Methods...

Documents

Transcript of kochris.comkochris.com/public/presentation-factorization-notes.pdf · Integer Factorization Methods...