Integer Factorisation


Integer Factorisation. Vassilis Kostakos, Department of Mathematical Sciences, University of Bath. May 7, 2001.

MATH0082 Double Unit Project: Comparison of Integer Factorisation Algorithms. Candidate: Kostakos, V. Supervisor: Russell Bradford. Review date: December 2000. Final submission date: 10 May 2001. Brief: implement and compare several integer factorisation algorithms.

Marking scheme:
  Algorithm descriptions   15   (α)
  Implementation           15   (α)
  Comparison tests         30   (2α)
  Report and analysis      40   (2α)
  Total                   100   (6α)

Note: All the software files which are referred to by this report may be found on the BUCS filesystem at: ~ma9vk\public_html\project\

Abstract

The problem of integer factorisation has been around for a very long time. This report describes a number of algorithms and methods for performing factorisation. In particular, the trial division and Fermat algorithms are discussed. Furthermore, Pollard's ρ and p − 1 methods are described, and finally Lenstra's elliptic curve method. The theory behind each algorithm is explained, so that the reader can become familiar with the process. Then, sample pseudocode is presented, along with the expected running time for each algorithm. Finally, this report includes test data for each algorithm.

CONTENTS

1 Introduction (p. 1)

Part I: Documentation (p. 3)
2 Project Plan
  2.1 Resources
  2.2 Scheduling
  2.3 Coding standards
3 Requirements
  3.1 User Definition
  3.2 Functional Requirements
  3.3 Non-functional Requirements
  3.4 Software and Hardware Requirements
4 Testing
  4.1 Correctness tests
  4.2 Performance tests

Part II: Implementation (p. 12)
5 Tools for factorisation
  5.1 Greatest common divisor
  5.2 Fast exponentiation modulo
  5.3 Primality testing
6 Trial divisions algorithm
  6.1 Description of trial divisions algorithm
  6.2 Implementation of trial divisions algorithm
  6.3 Running time
  6.4 Remarks
7 Fermat's algorithm
  7.1 Quick description of Fermat's algorithm
  7.2 Detailed description of Fermat's algorithm
  7.3 Implementation of Fermat's algorithm
  7.4 Running time
  7.5 Remarks
8 The Pollard ρ method
  8.1 Description of the algorithm
    8.1.1 Constructing the sequence
    8.1.2 Finding the period
    8.1.3 Calculating the factor
  8.2 Implementation of Pollard ρ
  8.3 Running time
  8.4 Remarks
9 The Pollard p − 1 method
  9.1 Description of the algorithm
  9.2 A slight improvement
  9.3 Implementation of Pollard p − 1
  9.4 Running time
  9.5 Remarks
10 Elliptic curves method
  10.1 Introduction to elliptic curves
  10.2 Elliptic curves as a group
  10.3 Elliptic curves modulo n
  10.4 Computation on elliptic curves
  10.5 Factorisation using elliptic curves
  10.6 Implementation of elliptic curves method
  10.7 Running time
  10.8 Remarks
11 Overall Comparison
12 Epilogue (p. 39)

Part III: Appendices (p. 40)
A Benchmarks (p. 41)
  A.1 Tests with products of two nearby primes
  A.2 Tests with products of three nearby primes
  A.3 Tests with products of three arbitrary primes
B Program output (p. 43)
  B.1 Tests output
  B.2 Combined factorisation output
  B.3 Biggest factorisation
Bibliography (p. 48)

LIST OF TABLES
  2.1 My schedule
  A.1 Products of two nearby primes
  A.2 Products of three nearby primes
  A.3 Products of three arbitrary primes

LIST OF FIGURES
  5.1 Pseudocode for computing gcd(a, b) using the Euclidean algorithm
  5.2 Pseudocode for fast computation of a^b mod m
  6.1 Pseudocode for trial divisions algorithm
  6.2 Results of tests on trial divisions algorithm
  7.1 Pseudocode for Fermat's algorithm
  7.2 Results of tests on Fermat's algorithm
  8.1 Pseudocode for the Pollard ρ algorithm
  8.2 Results of tests on the Pollard ρ algorithm
  9.1 Pseudocode for the Pollard p − 1 algorithm
  9.2 Results of tests on Pollard p − 1 algorithm
  10.1 Pseudocode for main loop of elliptic curves method
  10.2 Pseudocode for NEXTVALUES function of elliptic curves method
  10.3 Results of tests on elliptic curves algorithm

CHAPTER 1 Introduction

This report, along with the software which I wrote, constitutes my final year project. The main objective of this report is to strike a balance between a theoretical explanation of certain factorisation algorithms and a description of my source code.

Background information

The problem of factorisation has been known for thousands of years. However, only recently did it become popular. This sudden interest in factorisation was due to the advances in cryptography, and mainly the RSA public key cryptosystem. The problem of factorisation may be stated as follows: given a composite integer N, find a nontrivial factor f of N.

There are many factorisation algorithms. Some of them are heavily used, others just serve educational purposes. Factorisation algorithms may be distinguished in two different ways: deterministic or nondeterministic, and running time depending on the size of N or on the size of f. Deterministic algorithms are algorithms which are guaranteed to find a solution if we let them run long enough. Nondeterministic algorithms, on the contrary, may never terminate. The more usual distinction, however, deals with the running time of the algorithm. The running time of the recent algorithms depends on the size of the input number N, whereas the older algorithms depend on the size of the factor f which they find.

About my project

In doing my project, I tried to cover a broad range of algorithms and methods. The running time of all the algorithms I have implemented depends on the size of the factor f which they find. Furthermore, only the first two algorithms which I describe are deterministic.

About this report

This report is divided into 3 parts. The first part deals with my preparation and scheduling for doing the project. Matters like requirements, resources, etc. are all covered in the first part. The second part of this report presents an account of all the algorithms I implemented. For each algorithm, I have tried to describe the theoretical background in order to make the reader understand what's going on. Then, I describe my implementation of the algorithm, along with some sort of pseudocode for illustration purposes. Finally, I present my test results, in the form of a graph. (In Appendices A and B I have included a set of tests on all of the algorithms.) The third part consists of the appendices, in which I have included sample timings of the algorithms, as well as output of my program.

Part I: Documentation

CHAPTER 2 Project Plan

2.1 Resources

I started planning for this project by writing down what resources I thought I was going to need in order to successfully complete the project. In terms of hardware, all I needed was a computer, which I already owned. Furthermore, I could use the computing facilities of the University as well. In terms of software, I decided that I wanted to write the program using C. There are lots of different environments for creating C programs. However, I used the LCC-WIN32 version 3.3 for Windows, which includes an ANSI C compiler. My main concern was finding a suitable arbitrary-precision library, which I could use with my program. In the end, I decided to use Mike's Arbitrary Precision Math Library (MAPM) version 3.70, written by Michael C. Ring (ringx004@tc.umn.edu). Furthermore, I thought that I would also need some kind of books or papers, which would help me. In addition to the resources listed in the bibliography section, I also made use of the following programming books:

  Walter A. Burkhard, C for programmers, 1988, Wadsworth, Inc.
  Morton H. Lewin, Elements of C, Piscataway, New Jersey.
  M.I. Bolsky, The C Programmer's Handbook, AT&T Bell Laboratories, Prentice Hall, Inc.
  Leslie Lamport, LaTeX user's guide and reference manual, 1994, Addison-Wesley Publishing Company.

2.2 Scheduling

The next part in planning my project was to devise a schedule, which would roughly be my guide in what I do. In table 2.1 you can see my schedule, or to be precise, the final version of my schedule.

Table 2.1: My schedule

  Week                Task
  1 (Semester 1)
  2 (Semester 1)
  3 (Semester 1)      Signed up for LEGO maze-solving robot
  4 (Semester 1)      Preliminary research on robot movement, etc.
  5 (Semester 1)
  6 (Semester 1)      Wrote first version of software for robot
  7 (Semester 1)      NEW PROJECT: Integer factorisation
  8 (Semester 1)      Looking for a maths library
  9 (Semester 1)      Found the MAPM library, performance tests
  10 (Semester 1)     Implement trial divisions algorithm
  11 (Semester 1)     Wrote low-level functions for MAPM
  12 (Semester 1)     Implemented Fermat's algorithm
  (Christmas)         Revise for exams
  (Christmas)         Revise for exams
  (Christmas)         Revise for exams
  13 (Exams)          Exams
  14 (Exams)          Exams
  15 (Exams)          Exams
  1 (Semester 2)      Research into Pollard's algorithms
  2 (Semester 2)      Implement MODEXPO, GCD, PRIME functions
  3 (Semester 2)      Pollard's ρ algorithm
  4 (Semester 2)      Tests on all algorithms so far implemented
  5 (Semester 2)      Pollard p − 1. Read about elliptic curves
  6 (Semester 2)      Elliptic curves algorithm and testing
  7 (Semester 2)      Function interface modifications, more tests
  8 (Semester 2)      Developed COMBINED function. Started report
  (Easter)            Test result analysis, graph generation
  (Easter)            Report writing
  (Easter)            Report writing
  9 (Semester 2)      Report writing
  10 (Semester 2)     Report revision, final version preparation
  11 (Semester 2)     DEADLINE

I tried to follow my schedule as closely as possible. Sometimes, I made changes to it, in order to accommodate any new tasks I thought were required. The final version of my schedule closely resembles my initial schedule; however, I have made a number of changes.

2.3 Coding standards

It is always a good idea to specify some coding standards before starting a project, even if only one person is going to do any coding. First of all, I should say that all the source files were compiled using the -ansi flag. I received no warning messages when compiling the final version of my program. Here are some guidelines which I followed:

Function names beginning with m belong to the MAPM library. Specifically, the functions that begin with m_apm are functions which are defined in the library itself. Any other functions beginning with m are macros for functions in the MAPM library, which I defined in order to shorten the code. Function names beginning with M are low-level functions which interface with the MAPM library. I wrote these functions in order to improve the performance of the program, and to shorten the code as well. The prototypes for functions in file xxx.c are placed in the file xxx.h.

It was obvious that the software program I was creating was quite modular, and could be built in big chunks at a time. Therefore, I decided to use a common algorithm testing interface. This meant that I would place each algorithm in a separate file, and use a common file to call the factorisation routines. This would also make it possible to call all of my algorithms from another function in an effort to factorise a really hard number. By doing the above, I was planning to minimise the effort of adding a new algorithm to my program, and make the testing of different algorithms quicker and easier.

CHAPTER 3 Requirements

This chapter describes all the requirements and specifications that I used for implementing this project. Of course, these requirements were in no way static. In fact, they would change quite often, as I moved further into the project. A change in the requirements would often reflect a new idea that I came up with, or an idea that I wanted to drop. Therefore, these are the requirements at the end of the project.

3.1 User Definition

The first thing that I had to specify was my target audience. It helps a lot to know who you want to look at your work. I guess it would be too naive to assume that my audience consisted of the two examiners that would assess my project. On the other hand, I wouldn't like to embark on a commercial software project, which would target a large piece of the market. With the above in mind, I chose my audience to be the academic community. Such an audience is not really keen on software with bells and whistles, but is more interested in the theoretical background. In fact, I believe that my project could be used for educational purposes, because it demonstrates a simple implementation of some fundamental mathematical concepts. Of course, when I refer to my project, I refer to both the software as well as the final report. Therefore, my choice of the academic community as an audience should have an effect on both the software and the final report.

3.2 Functional Requirements

I believe that it was clear that my software should accept as input an integer N, and produce as output a factorisation p_1 · p_2 · ... · p_n of N. But there is more to it than just that. A very important requirement was that the software should be able to perform arbitrary-precision arithmetic. In other words, it should be able to deal with really long numbers, and perform calculations on them.

Also, the software should output the computational time that was required to complete the factorisation, and also verify that the results it gives are correct. This should also be done while running long tests, in which case the results should be stored in a disk file.

3.3 Non-functional Requirements

The most important element of the non-functional requirements deals with the algorithms that the program will implement. I decided to implement the following algorithms:

  Trial division algorithm
  Fermat's algorithm
  Pollard's ρ method
  Pollard's p − 1 method
  Elliptic curves method

The reason I chose not to implement one of the big algorithms, namely MPQS or NFS, is that I did not have enough time. By applying a variety of smaller algorithms, I got the flavour of the different methods and theories on which the very advanced algorithms are based.

In terms of the user interface, I believe that a GUI was not really required. Therefore, I chose to implement a command line interface, with simple input and output. The source code of the program was divided into the following files:

  MAIN.C: The main file of the program. Nothing special here.
  MAIN.H: Main header file. Contains the definition of the output destination for parameterised compilation.
  AL TRIAL.C: This file contains the source code for the trial divisions algorithm.
  AL FERMT.C: This file contains the source code for Fermat's method.
  AL PRHO1.C: This file contains the source code for Pollard's p − 1 method.
  AL PRHO.C: This file contains the source code for Pollard's ρ method.
  AL ELLCRVS.C: This file contains the source code for the elliptic curve method.
  TESTS.C: Here are defined some tests for measuring the speed of each algorithm.
  TESTS.H: This file contains parameters for the testing routine.
  MYLIB.C: In this file I have included some of my tool functions, as well as some low-level functions for the arbitrary-precision arithmetic library I used.
  MYLIB.H: This file includes function prototypes as well as macro definitions.
  COMBINED.C: This file contains a function which utilises all the factoring algorithms. It tries to factor a given number by applying the different algorithms until the number has been completely factorised, or until it gives up.

3.4 Software and Hardware Requirements

I developed the software on an MS-Windows 98 machine, with an Intel Celeron 433MHz processor. However, the software is capable of running on any machine which fulfills the minimum MS-Windows 95 requirements. Also, the source code may be compiled under a different operating system (Unix, Linux, etc.) in order to produce compatible versions of the program.

CHAPTER 4 Testing

The tests I performed for my project come in two flavours. First, I had to test my algorithms to see if they ran as expected, i.e. try to find bugs in the program. Second, I also ran lots of performance tests, i.e. performed lots of factorisations in order to get a feeling for the performance of each algorithm.

4.1 Correctness tests

Most of my testing for correctness was performed in place, within the program. Essentially, I had to make sure that my algorithms did indeed perform a factorisation. This is quite easy to check within the main flow of the program, so I felt that there was no need for separate testing modules. By just adding a couple of lines of code, I was able to test the correctness of my results every time I performed a factorisation. This way, I was constantly checking for errors, even when I was running the performance tests. I should note at this point that all my checking was performed (inevitably) using the facilities of the MAPM library. I guess that if the MAPM library contained any sort of errors, my checks, and in fact my whole program, would be erroneous.

4.2 Performance tests

I had to perform two separate kinds of performance tests. First of all, I ran tests on the MAPM library, to get a feel for its capabilities. These tests were supposed to give me an approximation of how fast this library was, and how to judge my algorithms according to the library's capabilities. The second, and most important, kind of performance test was to benchmark the algorithms I implemented. These tests I usually performed after I felt that an algorithm was fully implemented. The results of these tests are included in the last section of each algorithm's chapter. I have tried to evaluate these tests, to the best of my abilities, and perhaps draw some conclusions.

In Appendix A I have tried to perform a mini benchmarking scheme, where all the algorithms were given the same numbers, and their performance was timed and entered into a table. Although I did not run too many of these tests, I felt that the results were quite within what I expected. Finally, in Appendix B I have included some sample printouts of the performance tests for each algorithm, as well as sample output of my final program, which utilises all the algorithms in order to factorise an input number.

Part II: Implementation

CHAPTER 5 Tools for factorisation

Before proceeding with the actual algorithms and their description, it would be useful to describe some tool algorithms which are used throughout the factorisation algorithms.

5.1 Greatest common divisor

This algorithm is by far the most used algorithm in my program. It is used by all the factorisation methods I have implemented. A very efficient routine for finding the greatest common divisor of two numbers a and b greatly enhances the performance of the factorisation algorithms. In figure 5.1 I have included pseudocode for finding gcd(a, b) using the Euclidean method.

  WHILE b ≠ 0 DO
      temp := b
      b := a MOD b
      a := temp
  RETURN a

Figure 5.1: Pseudocode for computing gcd(a, b) using the Euclidean algorithm

5.2 Fast exponentiation modulo

The idea behind fast exponentiation is that if the exponent is a power of 2 then we can exponentiate by successively squaring:

  x^8 = ((x^2)^2)^2

  n := 1
  WHILE b ≠ 0
      IF b is odd THEN n := n · a MOD m
      b := ⌊b/2⌋
      a := a · a MOD m
  RETURN n

Figure 5.2: Pseudocode for fast computation of a^b mod m

  x^256 = (((((((x^2)^2)^2)^2)^2)^2)^2)^2.

If the exponent is not a power of 2, then we use its binary representation, which is just a sum of powers of 2:

  x^291 = x^256 · x^32 · x^2 · x^1.

The pseudocode shown in figure 5.2 quickly computes a^b mod m. It works through the binary representation of b from the least significant bit, while at the same time computing successive squares of a. The variable n records the product of the powers of a that correspond to the 1 bits of b, and contains the final result at the end of the computation.

5.3 Primality testing

By Fermat's little theorem, if n is prime then 2^(n−1) ≡ 1 (mod n). An odd composite n which nevertheless satisfies 2^(n−1) ≡ 1 (mod n) is called a pseudoprime (to the base 2). Therefore, for any number n, we can compute 2^(n−1) (mod n) using the algorithm of figure 5.2 and check whether the result is 1: if it is not, n is certainly composite; if it is, n is either prime or a pseudoprime. Despite the fact that this test is not a 100% guarantee of primality, in practice it is very useful. The test can be made stronger by computing the same value for the bases 2, 3, 5, 7 and checking that all of them yield 1. It cannot be made certain in this way, however: the Carmichael numbers (561 = 3 · 11 · 17 is the smallest) satisfy a^(n−1) ≡ 1 (mod n) for every base a coprime to n, so they pass for any set of bases that does not happen to share a factor with n.
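As an added illustration, not part of the report or of its C/MAPM program, the following Python puts the three tool routines of this chapter together and shows the caveat of the primality test. The function names are my own, as is the test value 29341 = 13 · 37 · 61, a Carmichael number whose factors are coprime to 2, 3, 5 and 7. The strong (Miller-Rabin) test at the end is not in the report; it is the standard repair, and is included to show what the Fermat test misses.

```python
# Added example (not the report's C/MAPM code): the tool routines of
# chapter 5 in Python.  Function names are my own.

def gcd(a, b):
    """Euclidean algorithm, as in figure 5.1."""
    while b != 0:
        a, b = b, a % b
    return a


def modexp(a, b, m):
    """a**b mod m by repeated squaring, as in figure 5.2: the bits of b
    are consumed from the least significant end while a is squared."""
    n = 1
    a %= m
    while b != 0:
        if b & 1:
            n = n * a % m
        b >>= 1
        a = a * a % m
    return n


def fermat_probable_prime(n, bases=(2, 3, 5, 7)):
    """Section 5.3: n passes if a**(n-1) == 1 (mod n) for every base.
    A composite that passes is a (Fermat) pseudoprime to those bases;
    a Carmichael number passes for every base coprime to it."""
    if n < 2:
        return False
    for a in bases:
        if n == a:
            return True
        if n % a == 0:          # a proper small factor: certainly composite
            return False
        if modexp(a, n - 1, n) != 1:
            return False
    return True


def miller_rabin(n, bases=(2, 3, 5, 7)):
    """Strong probable-prime test.  Write n-1 = 2**s * d with d odd; for
    a prime n, a**d is 1 or -1, or some repeated squaring of it hits -1
    before reaching 1.  No odd composite passes this for more than a
    quarter of the possible bases, Carmichael numbers included."""
    if n < 2:
        return False
    for a in bases:
        if n == a:
            return True
        if n % a == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = modexp(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False        # never reached -1: composite
    return True


# 29341 = 13 * 37 * 61 is a constructed test value: a Carmichael number
# whose factors are coprime to 2, 3, 5 and 7.
if __name__ == "__main__":
    print(fermat_probable_prime(29341))   # True, yet 29341 is composite
    print(miller_rabin(29341))            # False
```

Running it, fermat_probable_prime(29341) is True for all four bases although 29341 is composite, whereas miller_rabin(29341) is False. Note that base 2 alone would not do, since 29341 is also a strong pseudoprime to base 2; it is base 3 that exposes it, which is why a strong test is run with several bases as well.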

CHAPTER 6 Trial divisions algorithm

The most straightforward algorithm for factorising an integer is trial division. This algorithm is a good place to start, and it is quite easy to understand.

6.1 Description of trial divisions algorithm

This algorithm essentially tries to factorise an integer N using brute force. Starting at p = 2, it tries to divide N by every number until it succeeds. When this happens, it sets N ← N/p, and resumes its operation. The way in which we choose our p can speed up, or slow down, the algorithm. For instance, we could pick the p's sequentially, by adding 1 at every iteration. Better, we could divide N by 2 and 3, and then keep adding 2 to p in order to generate a sequence of odd numbers. The fastest way, but with higher memory requirements, is to generate a list of all prime numbers below a specified limit, and then assign those values to p.

6.2 Implementation of trial divisions algorithm

In figure 6.1 you can see the pseudocode of my implementation. I have not made any attempt to optimise this algorithm, and so I have used the naive way of choosing the p's, i.e. by adding 1 to the trial divisor at every iteration. As far as the source code is concerned, this function accepts the following parameters:

  n: The number to be factorised. Note that no changes are made to the original value of this variable.
  max: This variable sets the limit of the maximum test factor to be used.
  factors: An array of MAPM variables, in which the factors of n will be written.

  INPUT N
  test_factor := 2
  WHILE (N > 1 AND test_factor < max)
      IF (N MOD test_factor) == 0 THEN
          N := N / test_factor
          PRINT test_factor
      ELSE
          test_factor := test_factor + 1

Figure 6.1: Pseudocode for trial divisions algorithm

Figure 6.2: Results of tests on trial divisions algorithm (graph of factor size versus time)

6.3 Running time

According to [2], the expected running time of this algorithm is O(f (log N)^2), where f is the factor found: the number of trial divisions is proportional to f, and each division of a number the size of N costs O((log N)^2). The efficiency of this algorithm depends on the strategy for choosing the trial divisors p, as explained earlier. In figure 6.2 you can see the results of the tests of my implementation of this algorithm. The graph shows the factor size versus the amount of time it took, from a sample of 1427 factorisations. As expected, the time the algorithm takes increases exponentially with the number of digits of the factor found. In practice, after 6 or 7 digits this algorithm becomes too expensive.

6.4 Remarks

One of the features of this algorithm is that if we let it run long enough on a prime N = p, it will prove the primality of p. In most cases this is not wanted, and it is regarded as a waste of effort. However, this algorithm is very fast at finding prime factors of fewer than 5 or 6 decimal digits. Furthermore, it may be used to break up composite factors which are found using the algorithms described in the following chapters.

CHAPTER 7 Fermat's algorithm

The first of the modern algorithms that I will describe is due to Fermat. It is not usually implemented these days unless it is known that the number to be factored has two factors which are relatively close to the square root of the number. However, this algorithm contains the key idea behind two of the most powerful algorithms for factorisation, the Quadratic Sieve and the Continued Fractions algorithm.

7.1 Quick description of Fermat's algorithm

Fermat's idea is the following. Let the number to be factored be N. Suppose that N can be written as the difference of two squares,

  N = x^2 − y^2.

Instantly, we could write N as (x − y)(x + y), and thus we have successfully broken N into two factors. The two factors may not be prime. In that case, we could recursively apply this process until we deduce a prime factorisation for N.

7.2 Detailed description of Fermat's algorithm

The first step in describing this algorithm is to prove that every odd number N can be written as a difference of squares. Let us suppose that N = a · b. Since we assumed N to be odd, both a and b must be odd, so a + b and a − b are even. Now, let us define x and y as follows:

  x = (a + b)/2,  y = (a − b)/2.

Then, if we work out x^2 − y^2 for the above values, we get

  x^2 − y^2 = ((a^2 + 2ab + b^2) − (a^2 − 2ab + b^2))/4 = ab = N.

Fermat's algorithm works in the opposite direction from trial division. When we apply trial division, we start by looking at small factors, and we work our way up to √N. In Fermat's algorithm, we start by looking for factors near √N, and work our way down.

7.3 Implementation of Fermat's algorithm

Now I will describe an implementation of Fermat's algorithm. As I mentioned earlier, we search for integers x and y such that x^2 − y^2 = N. We can start with x = ⌊√N⌋ and y = 0, and try increasing y until x^2 − y^2 is equal to or less than N. If it is equal to N then we are done! If not, we increase x by one, and we iterate. In order to further optimise the algorithm, let us set r = x^2 − y^2 − N. Therefore, we have success when r = 0. All that we really want to do is keep track of r. The value of r changes only when we increase x by one or y by one. When we replace x^2 with (x + 1)^2, r increases by 2x + 1. We express this increase in r by setting u = 2x + 1. Similarly, when y^2 is replaced by (y + 1)^2, r decreases by 2y + 1. This decrease in r is expressed as v = 2y + 1. (Note that when x and y increase by one, u and v increase by two.) Having defined r, u and v, we can proceed with the implementation. It turns out that we do not actually need the values x and y. Since we start by setting x = ⌊√N⌋ and y = 0, it follows that u = 2⌊√N⌋ + 1 and v = 1. Also, r = ⌊√N⌋^2 − N, which is zero or negative. All we now have to do is define an increase in x and an increase in y. According to the definitions of u and v, an increase of x by 1 increases r by u, and u by 2. Similarly, an increase of y by 1 decreases r by v, and increases v by 2. The algorithm is now completely defined. All we have to do is keep increasing x and y (in practice u, v and r) until r = 0. When r is zero, we can recover (x + y) and (x − y) as follows:

  x + y = (u + v − 2)/2,  x − y = (u − v)/2.

At this point, I believe that some sort of pseudocode would be most appropriate in order to fully understand my implementation. Figure 7.1 contains the pseudocode which describes my implementation.
7.4 Running time

How much work is actually needed to find the factors of N? Let us suppose that N = a · b, with a < b. The factorisation will be achieved when x = (a + b)/2. Since the starting value of x is √N, and b = N/a, the factorisation will take approximately

  (1/2)(a + N/a) − √N = (√N − a)^2 / (2a)

cycles (increments of x). If the two factors of N are really close, i.e. if a = k√N with 0 < k < 1, then the number of cycles required in order to obtain the factorisation is

  (1 − k)^2 √N / (2k).

  INPUT N
  sqrt := ⌊√N⌋
  u := 2 * sqrt + 1
  v := 1
  r := sqrt * sqrt - N
  WHILE r <> 0
      IF r > 0 THEN          /* Keep increasing y */
          WHILE r > 0
              r := r - v
              v := v + 2
      IF r < 0 THEN          /* Increase x */
          r := r + u
          u := u + 2
  PRINT (u + v - 2) / 2
  PRINT (u - v) / 2

Figure 7.1: Pseudocode for Fermat's algorithm

This complexity is of the order O(c N^(1/2)). However, the value of k can be very small, which makes this algorithm impractical. For instance, let us consider an ordinary case where a ≈ N^(1/3) and b ≈ N^(2/3). In such a case, the number of cycles necessary will be

  (√N − N^(1/3))^2 / (2 N^(1/3)) = N^(1/3) (N^(1/6) − 1)^2 / 2 ≈ (1/2) N^(2/3),

which is considerably higher than O(N^(1/2)). Therefore this algorithm is only practical when the factors a and b are almost equal to each other.

In figure 7.2 you can see the test results of my implementation of Fermat's algorithm, from a sample of 2075 factorisations. Again, the graph shows the relation of the size of the factor found versus the amount of time it took. As we expected, this algorithm becomes too slow for factors with 7 or more digits. The graph follows the same trend as the trial divisions algorithm. In practice, however, we will prefer the trial divisions algorithm.

7.5 Remarks

This algorithm has a very nice feature: its main loop does not involve multiplication. We have defined the variables r, u, v in such a way that we only need to perform addition and subtraction. This is why this algorithm is sometimes called factorising by addition and subtraction. However, the number of additions and subtractions that we have to perform is quite large. For example, in order to factorise = we need to increase x times, and y times.

Figure 7.2: Results of tests on Fermat's algorithm (graph of factor size versus time)

Additionally, this algorithm suffers from the same problem as trial division: in the worst case it will prove primality. If this algorithm is given a prime number p, the results will eventually be 1 and p. This is even worse than proving primality with trial division: by the formula of section 7.4 with a = 1, the number of cycles required for proving the primality of n is (√n − 1)^2 / 2 ≈ n/2 − √n, which is much worse than the roughly √n divisions needed by trial division.
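As an added example, not the report's C code, here is the r, u, v version of Fermat's method from figure 7.1 in Python. The two step counters are my addition, so that the cost estimate of section 7.4 can be compared with an actual run; the sample inputs 8051 = 83 · 97 (balanced factors) and 3027 = 3 · 1009 (unbalanced) are constructed for the demonstration.

```python
# Added example (not the report's C code): Fermat's difference-of-squares
# method with the r, u, v bookkeeping of figure 7.1.  The two step
# counters are my addition, so that the cost formula of section 7.4
# can be checked against an actual run.
from math import isqrt


def fermat_factor(N):
    """Return (x - y, x + y, x_steps, y_steps) with (x - y)(x + y) == N,
    for odd N >= 3.  u = 2x + 1 and v = 2y + 1 stand in for x and y, and
    r = x**2 - y**2 - N, so only additions and subtractions are needed in
    the loop.  x_steps is the number of times x was incremented (the
    'cycles' of section 7.4) and y_steps the number of y increments."""
    if N < 3 or N % 2 == 0:
        raise ValueError("N must be an odd integer >= 3")
    x = isqrt(N)                 # floor of sqrt(N), so r <= 0 to begin with
    u, v, r = 2 * x + 1, 1, x * x - N
    x_steps = y_steps = 0
    while r != 0:
        if r > 0:                # x**2 - y**2 > N: grow y until it is not
            while r > 0:
                r -= v           # (y+1)**2 - y**2 == 2y + 1 == v
                v += 2
                y_steps += 1
        if r < 0:                # x**2 - y**2 < N: grow x by one
            r += u               # (x+1)**2 - x**2 == 2x + 1 == u
            u += 2
            x_steps += 1
    # x = (u - 1) / 2 and y = (v - 1) / 2, hence:
    return (u - v) // 2, (u + v - 2) // 2, x_steps, y_steps


if __name__ == "__main__":
    print(fermat_factor(8051))   # (83, 97, 1, 7): balanced factors, cheap
    print(fermat_factor(3027))   # (3, 1009, 451, 503): unbalanced, costly
```

For 8051 the formula (√N − a)^2 / (2a) with a = 83 gives about 0.25, and indeed one increment of x suffices. For 3027 it gives (55.02 − 3)^2 / 6 ≈ 451, matching the 451 increments of x the run needs; a prime input would need about n/2 of them, which is the worst case described above.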

CHAPTER 8 The Pollard ρ method

This method is also called Pollard's second factoring method or the Monte Carlo method because of its pseudo-random nature. It is based on a statistical idea [7] and has been refined by Richard Brent [1]. The ideas involved in finding the factors of a number N are described below.

8.1 Description of the algorithm

In short, the algorithm comprises the following steps:

  1. Construct a sequence of integers {x_i} which is periodically recurrent (mod p), where p is a prime factor of N.
  2. Search for the period of repetition, i.e. find i and j such that x_i ≡ x_j (mod p).
  3. Calculate the factor p of N.

8.1.1 Constructing the sequence

The first step in finding a factor is to construct a sequence of periodically recurrent values. Let us consider a recursively defined sequence of numbers, according to the formula

  x_i ≡ f(x_{i−1}, x_{i−2}, ..., x_{i−k}) (mod m)

where m is any arbitrary integer, given the initial values x_1, ..., x_k. This means that the values x_{k+1}, x_{k+2}, ... can be computed by using the k previously computed values. However, all the values are computed mod m, and therefore there are only m possible values that each x_i can take. This means that there are at most m^s distinct sequences of s values. Therefore, among any m^s + 1 windows of s consecutive values, two must be identical. Let these sequences of s values be x_i, x_{i+1}, ..., x_{i+s−1} and x_j, x_{j+1}, ..., x_{j+s−1}. Since these sequences are identical, it follows that their next elements, namely x_{i+s} and x_{j+s} respectively, will be the same. In fact, every pair of elements x_{i+s+n} and x_{j+s+n} will be identical thereafter.

30 CHAPTER 8. THE POLLARD ρ METHOD 23 This means that the sequence {x i } is periodically repeated, except maybe from a part at the beginning which is called the aperiodic part. This part can be thought of the tail of the Greek letter ρ. Once we get off the tail, we keep cycling around the same sequence of values. That s why this algorithm is known as the Pollard ρ algorithm. Back to our problem, instead of random integers {x i }, it would be sufficient to recursively compute a sequence of pseudo-random integers. The simplest way to do this would be to define a linear formula such as x i+1 ax i (mod N) for a fixed a and x 0. Unfortunately, it turns out that this does not produce sufficiently random values to give a short period of recurring values. This means that we would have to compute a lot of values before we can identify the period of recurrence. The next simplest choice is to use a quadriatic formula such as x i+1 x 2 i + a (mod N) for a fixed a and x 0. It has been empirically observed that the above expression does produce sufficiently random values 1. Pollard found that in such a sequence {x i } of integers mod N an element is usually recurring after only about C N steps Finding the period The second step of the algorithm is to search for the period within the sequence {x i }. To determine it in the most general case would require finding where a sequence of consecutive elements is repeated if the period is long. This is quite a tedious task, and is ruled out by the amount of labour involved. In the simplest case however, where x i is defined in terms of x i 1 only, the sequence will start to repeat as soon as any single x k is the same as any of the previous ones. Therefore, in order to find the period, we only need to compare each new x j with the previous values. The original version of Pollard s method used Floyd s cycle-finding algorithm for finding the period. 
Suppose the sequence $\{x_i\} \pmod m$ has an aperiodic part of length a and a period of length l. The period will then ultimately be revealed by the test: is $x_{2i} \equiv x_i \pmod m$? (The test first succeeds at the smallest multiple of l that is not less than a, so at most a + l iterations are needed.)

Brent's modification to the cycle-finding algorithm [1] makes Pollard's ρ method about 25% faster. As we saw above, Pollard searched for the period of $x_i \pmod m$ by testing $x_{2i} \equiv x_i \pmod m$. Instead, Brent keeps $x_i$ when $i = 2^k - 1$ and subsequently compares $x_{2^n - 1}$ with $x_j$ for $2^{n+1} - 2^{n-1} \le j \le 2^{n+1} - 1$. In this way the period is discovered after fewer arithmetic operations than the original algorithm demands. The saving comes from the fact that the lower $x_i$'s are not computed twice, as they are in Floyd's algorithm, where one iterate has to advance at double speed.

Footnotes:
1. Note that this is not true if a is either 0 or −2.
2. The proof of Floyd's cycle-finding algorithm is omitted.

8.1.3 Calculating the factor

Finally, consider the third and last step of Pollard's ρ method. If we have a sequence $\{x_i\}$ that is periodic (mod N), how can we find p, the unknown factor of N? In section 8.1.1 we saw that the formula $x_{i+1} \equiv x_i^2 + a \pmod N$ gives a suitable sequence of pseudo-random numbers. Now introduce $y_i \equiv x_i \pmod p$, where p is the unknown factor of N. This sequence has a few nice properties. $\{y_i\}$ is periodic (with a much shorter period than $\{x_i\}$, since there are only p residues), so eventually $y_i = y_j$ for some $i \ne j$. When this happens, $x_i \equiv x_j \pmod p$, so p divides $x_i - x_j$. Therefore $\gcd(x_i - x_j, N)$ has a very good chance of being a non-trivial divisor of N.

All this is fine, except that we do not know p, so we cannot compute $\{y_i\}$ and do not know when $y_i$ will equal $y_j$. This is where the cycle-finding algorithms come in: Floyd's or Brent's algorithm selects the pairs $(x_i, x_j)$ to test, and for each pair we compute $\gcd(x_i - x_j, N)$. Usually the gcd is 1. But as soon as $x_i \equiv x_j \pmod p$, the difference $x_i - x_j$ is divisible by p, and the gcd is a non-trivial divisor of N (unless it is N itself, which happens when every prime factor of N is caught at the same pair).

A further improvement applies to both versions of the algorithm. Instead of computing a gcd at every iteration, we accumulate the product (mod N) of the differences of all the pairs considered so far, and compute the gcd of this product with N only every 20 iterations or so. A factor that divides one of the differences also divides the product, so no factor of N is missed, and the cost per iteration drops from a gcd to one subtraction and one multiplication. The one thing to watch is that two different factors of N may be caught in the same batch, giving a gcd of N; in that case the last batch is repeated with a gcd at every step.

8.2 Implementation of Pollard ρ

As with the previous algorithms, I implemented Pollard's ρ algorithm in a single function. The parameters that the function expects are:
n: The number to be factorised. Note that no changes are made to the original value of this variable.
max: The limit on the amount of work, i.e. the number of terms of the sequence that are generated before the function gives up.
factors: An array of MAPM variables, in which the factors of n will be written.

Figure 8.1 shows the pseudocode of my algorithm. Note that the constant a, which is used to generate the pseudo-random sequence, is hard-coded in the function. It is quite easy to change its value in order to get a different sequence of numbers.

    INPUT N, a, max
    x1 := 2
    x2 := (x1^2 + a) MOD N             /* our chosen function */
    range := 1
    product := 1
    terms := 0
    WHILE terms < max DO
        FOR j := 1 TO range DO
            x2 := (x2^2 + a) MOD N     /* our chosen function */
            product := product * (x1 - x2) MOD N
            terms := terms + 1
            IF terms MOD 20 = 0 THEN
                g := gcd(product, N)
                IF g > 1 THEN
                    PRINT g
                    N := N / g
                product := 1
        next_values(x1, x2, range)     /* Brent's improvement: x1 := x2, range := 2 * range */

Figure 8.1: Pseudocode for the Pollard ρ algorithm

8.3 Running time

Under plausible assumptions, the expected running time of Pollard's ρ algorithm is $O(f^{1/2} (\log N)^2)$, where f is the size of the factor found; the work grows with the square root of the factor, not of N. Figure 8.2 shows the test results of my implementation, from a sample of 4997 factorisations. There are a number of conclusions and comments to be made about this funny-looking graph. First of all, we have to remember that this algorithm is probabilistic, not deterministic, so the results may appear to contradict themselves in places. For instance, at first glance one might think that the algorithm takes more time to find small factors than larger ones. This is not entirely true: the graph only contains timings of successful factorisations, so although the times for 20-digit factors are quite small, the success rate of the algorithm for such factors is quite low. The best way to explain this graph is to observe its patterns. There is an obvious pattern for each group of factors: the timings build up slowly and then explode. If this pattern holds for 20-digit numbers as well, then the graph only contains the first part of it, where the timings are still small. If we had enough space to fit the entire graph, then when the pattern for 20-digit factors completed itself, its height could be as much as the Eiffel Tower's!

Figure 8.2: Results of tests on the Pollard ρ algorithm

8.4 Remarks

The method just described for finding prime factors of composite integers is probabilistic. This means that we have to be prepared to be unlucky on occasion and get no result. If we run the Pollard ρ algorithm and do not find any prime divisor, that might be because there are no prime divisors in the appropriate range, or it might simply be bad luck. What we need to do in such situations is to change our luck. For this algorithm this means changing certain constants, such as the constant a in the recursive function described in section 8.1.1, or the starting value $x_0$. Then, of course, we have to know when it is time to give up and perhaps try another algorithm. In practice, after running trial divisions up to $10^6$ or $10^7$, one would run the Pollard ρ algorithm for a while. Keep in mind, however, that if all the prime factors are roughly larger than then this algorithm will not usually work.
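A complete Python version of the algorithm of sections 8.1 to 8.2, as an added example rather than the report's MAPM code: Brent's cycle finding with the reference term saved at every power of two, the batched gcd every 20 terms, and the backtracking step for the case gcd = N. `factorise` also puts the "change our luck" remark of section 8.4 into code by moving to the next constant a whenever a run fails; the primality test it uses is a Miller–Rabin test (deterministic below 3.3·10^24), standing in for the test of section 5.3. All function names are mine, and 1000003 and 1000033 (the two smallest primes above 10^6) are constructed inputs.

```python
import math


def _batch_gcd(product, diffs, n):
    """gcd of the accumulated product with n. If it is n, two factors (or the
    whole cycle mod n) fell into the same batch: re-check difference by
    difference. Returns 1 (nothing yet), a proper divisor, or n (give up)."""
    g = math.gcd(product, n)
    if g == n:
        for d in diffs:
            h = math.gcd(d, n)
            if 1 < h < n:
                return h
    return g


def pollard_rho_brent(n, a=1, x0=2, max_terms=1_000_000, batch=20):
    """One non-trivial divisor of n by Pollard's rho with x_{i+1} = x_i^2 + a (mod n).
    x1 holds x_{2^k}; the next 2^k terms are compared against it (Brent), and the
    differences are multiplied together so that a gcd is taken only every `batch`
    terms. Returns d with 1 < d < n, or None if this choice of a and x0 was unlucky."""
    if n % 2 == 0:
        return 2
    x1 = x0
    x2 = (x1 * x1 + a) % n
    rng = 1                                  # number of terms compared against x1 this round
    product, diffs, terms = 1, [], 0
    while terms < max_terms:
        for _ in range(rng):
            x2 = (x2 * x2 + a) % n
            diffs.append(x1 - x2)            # kept only so a bad batch can be replayed
            product = product * (x1 - x2) % n
            terms += 1
            if terms % batch == 0:
                g = _batch_gcd(product, diffs, n)
                if g != 1:
                    return None if g == n else g
                product, diffs = 1, []
        x1 = x2                              # Brent's step: x_{2^(k+1)} becomes the reference term
        rng *= 2
    g = _batch_gcd(product, diffs, n)        # the last, partial batch
    return g if 1 < g < n else None


def is_probable_prime(n):
    """Miller-Rabin with the first twelve primes as bases: deterministic for
    n < 3.3 * 10**24, which covers everything this example factors."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def factorise(n):
    """Full factorisation (sorted, with multiplicity): rho splits n recursively,
    and the constant a is changed whenever a run is unlucky. a = 0 and a = -2
    are never used (footnote 1 of the chapter)."""
    if n == 1:
        return []
    if is_probable_prime(n):
        return [n]
    for a in range(1, 100):
        d = pollard_rho_brent(n, a=a)
        if d is not None:
            return sorted(factorise(d) + factorise(n // d))
    raise ValueError("rho gave up on %d" % n)


if __name__ == "__main__":
    print(factorise(1000003 * 1000033))      # constructed input: a product of two 7-digit primes
```

`pollard_rho_brent(9)` returns 3 only through the backtracking path: every 20-term batch contains a zero difference, so the batched gcd is 9 and the individual differences have to be re-examined.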

CHAPTER 9 The Pollard p − 1 method

The next algorithm I will consider is known as the Pollard p − 1 algorithm [6]. It formalises several rules which have been known for some time. The principle here is to use information about the order of some element a of the group $M_N$ of primitive residue classes mod N to deduce properties of the factors of N.

9.1 Description of the algorithm

This algorithm is based on Fermat's little theorem: if p is prime and $p \nmid a$, then $a^{p-1} \equiv 1 \pmod p$. Now suppose that the number to be factored is N, and that one of its prime factors is p. Also assume that p − 1 divides Q. By Fermat's theorem, $a^Q = (a^{p-1})^{Q/(p-1)} \equiv 1 \pmod p$, and therefore p divides $a^Q - 1$. So we can compute $\gcd(a^Q - 1, N)$ (with $a^Q$ reduced mod N) to obtain p or some other non-trivial divisor of N. Our problem is to find a Q such that $(p - 1) \mid Q$, bearing in mind that we do not know p. This can be done in two ways. The easiest is to set $Q = \max!$ and compute $a^{\max!} \bmod N$. This value can be computed quickly, since $a^{\max!} = (\cdots(((a^1)^2)^3)^4 \cdots)^{\max}$ and, as we saw in section 5.2, exponentiation modulo N is very fast. Note that a can be any number, as long as it is relatively prime to N. Another, more efficient way to choose Q is to set $Q = p_1 p_2 \cdots p_k$, where the $p_i$ are the primes less than a specified limit. In that case we should also include in Q some extra powers of the small primes, so as not to miss factors p for which p − 1 is divisible by a small prime power. This cuts the number of exponentiations required by roughly a factor of eight.

    INPUT N, c, max
    m := c
    FOR i := 1 TO max DO
        m := modexpo(m, i, N)          /* m = c^(i!) mod N */
        IF i MOD 10 = 0 THEN
            g := gcd(m - 1, N)
            IF g > 1 THEN
                PRINT g

Figure 9.1: Pseudocode for the Pollard p − 1 algorithm

No matter how we choose Q, we have to keep in mind that the size of Q is essentially what limits our search space. For instance, by choosing Q = 10000! we are assuming that p − 1 has no prime-power factor exceeding 10000.

9.2 A slight improvement

In practice, we do not know how close we have to get to max before we pick up the first prime divisor of N, and we do not want to go so far that we pick them all up at once. For that reason we periodically check the value of $\gcd(a^Q - 1, N)$. If it is still 1, we continue. If it is N, we have picked up all the divisors of N; in that case we need either to backtrack a little, or to try a different a.

9.3 Implementation of Pollard p − 1

In this section I describe how I implemented the algorithm, and discuss certain issues that came up while implementing it. The function accepts the following parameters:
num: the number to be factorised
c, max: the base a = c and the exponent Q = max!
factors: an array where the factors of num are stored

The algorithm is essentially a loop which runs until the specified limit of iterations, max, is reached. In most of the literature this limit is set to 10000, so I decided to follow that guideline. My implementation uses the simple way of choosing Q, i.e. Q = 10000!, and computes $c^{10000!} \pmod N$ incrementally: after iteration k the variable m holds $c^{k!} \pmod N$. This is done using the procedure modexpo, which was described in section 5.2. Every 10 cycles the program computes the gcd of m − 1 and N, using the algorithm described in section 5.1. If the gcd is greater than one, it is written to the factors array and N is replaced by N/gcd. If the remaining N is composite, the procedure is applied recursively to the new N; otherwise the function terminates.

Figure 9.2: Results of tests on the Pollard p − 1 algorithm

The pseudocode of my implementation is shown in figure 9.1. I should note that my implementation makes no attempt to backtrack or to change a in case the gcd is equal to N. It is up to the caller of the function to choose an appropriate a (the parameter c) and limit of iterations (max).

9.4 Running time

In the worst case, Pollard's p − 1 algorithm takes as long as the trial divisions algorithm. However, it usually does better, provided that we are lucky enough to find a factor. In figure 9.2 I have plotted the results of factorisations using this algorithm. As before, the graph contains timings from the successful tests only, not from the ones that failed. The patterns in the graph closely resemble those of Pollard's ρ algorithm. There is, however, another point to be made about this algorithm. Pollard's p − 1 algorithm is apparently much faster than Pollard's ρ algorithm, but it succeeds less often: the algorithm seldom returns a result, but when it does it is very fast. This is why I had to perform so many tests on this algorithm: more than 70% of the tests failed.

9.5 Remarks

This algorithm has the same problems as the previous one. As described earlier, at some point we might find the gcd to be equal to N. In such cases we will want to try a different base a. Also, the algorithm will fail to find p (the loop reaches max with the gcd still 1) if p − 1 has a prime factor larger than max, so it is only useful when p − 1 is smooth.

It has been found statistically that the largest prime factor of an arbitrary integer N usually falls around $N^{0.63}$. Therefore, with a limit of 10000, Pollard p − 1 will typically find prime factors p for which p − 1 is below about two million. We should keep in mind, however, that the distribution of the largest prime factor of N is fairly wide, and therefore factors much larger than two million may also be found. According to [2], the largest factor found by this algorithm during the Cunningham project is a 32-digit factor of
I should also note that, because of Pollard p − 1, the RSA public-key cryptosystem has restrictions on the two primes (call them p and q) that are chosen. Essentially, if p − 1 or q − 1 has only small prime factors, then Pollard p − 1 will factor the modulus, and hence recover the private key, very quickly. This is why some standards (ANSI X9.31, and the prime-generation conditions of FIPS 186-4) require p − 1 and q − 1 to have a large prime factor; for randomly chosen primes of the sizes in use today a smooth p − 1 is very unlikely, so in practice the attack is a concern for badly generated keys rather than for properly generated ones.
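The procedure of sections 9.1 to 9.3, including the backtracking of section 9.2 that the report's own implementation leaves out, written out in Python as an added example (this is not the report's MAPM code). The primes are constructed inputs: 200560490131 = 2·3·5·7·11·13·17·19·23·29·31 + 1 is prime and its p − 1 is 31-smooth, whereas 1000003 is prime with 1000002 = 2·3·166667, which has a prime factor far above the bound used. The second function shows the RSA consequence noted above: knowing one prime of the modulus gives the private exponent at once. All names are mine.

```python
import math


def pollard_p_minus_1(n, bound, a=2):
    """Pollard's p-1 with Q = bound!: m runs through a^(k!) mod n and every 10
    steps gcd(m - 1, n) is taken. When that gcd is n (the 'picked up all the
    divisors' case of section 9.2) the last batch is replayed one step at a
    time. Returns d with 1 < d < n, or None if no p with p-1 bound-smooth
    was found (or if every factor is caught at the very same step)."""
    g = math.gcd(a, n)
    if 1 < g < n:
        return g                             # the base already shares a factor with n
    m = saved = a % n                        # `saved` is m at the last checkpoint
    for k in range(1, bound + 1):
        m = pow(m, k, n)                     # m = a^(k!) mod n
        if k % 10 == 0 or k == bound:
            g = math.gcd(m - 1, n)
            if 1 < g < n:
                return g
            if g == n:                       # overshoot: replay this batch step by step
                m = saved
                for j in range(k - (k - 1) % 10, k + 1):
                    m = pow(m, j, n)
                    g = math.gcd(m - 1, n)
                    if 1 < g < n:
                        return g
                return None                  # both orders completed at the same j: change a
            saved = m
    return None


def rsa_private_exponent(n, e, p):
    """Once one prime p of an RSA modulus n = p*q is known, the private
    exponent is d = e^-1 mod (p-1)(q-1); nothing else is needed."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed inputs for the demonstration (not from the report):
SMOOTH_P = 200560490131          # 31# + 1, a primorial prime: p - 1 is 31-smooth
ROUGH_Q = 1000003                # prime; q - 1 = 2 * 3 * 166667 is not smooth


def demo(bound=50, e=65537):
    """Factor SMOOTH_P * ROUGH_Q with Q = bound! and derive the RSA private
    exponent from the factor found. Returns (factor, d)."""
    n = SMOOTH_P * ROUGH_Q
    p = pollard_p_minus_1(n, bound)          # p - 1 | 40!, q - 1 does not divide 50!
    d = rsa_private_exponent(n, e, p)
    return p, d


if __name__ == "__main__":
    p, d = demo()
    print("factor:", p, "private exponent:", d)
```

With bound = 50 the loop finds 200560490131 by the checkpoint at k = 40 (31 is the largest prime in p − 1, and 31 | 40!), while 1000003 is never caught because 166667 has no prime factor below 50; raising the bound to 1000 is enough for 1000033 (1000032 = 2^5·3·11·947) but still not for 1000003.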

CHAPTER 10 Elliptic Curves Method

Factorisation based on elliptic curves is a relatively new method. As its name implies, this method is based on the theory of elliptic curves. First, I will briefly describe what elliptic curves are, and demonstrate the theory behind them. Then I will go on to describe the factorisation method using elliptic curves.

10.1 Introduction to elliptic curves

Elliptic curves are equations of the form
$$y^2 = x^3 + ax + b,$$
where a and b are constants such that $4a^3 + 27b^2 \ne 0$. These curves have the curious property that if a line intersects the curve at two points, then it also has a third point of intersection. A tangent to the curve is considered to meet it twice at the point of tangency. If we know two points of intersection $(x_1, y_1)$ and $(x_2, y_2)$, we can compute the slope λ of the line, and from it the third point of intersection, as follows:
$$\lambda = \begin{cases} \dfrac{3x_1^2 + a}{2y_1} & \text{if } x_1 = x_2, \\[6pt] \dfrac{y_1 - y_2}{x_1 - x_2} & \text{otherwise,} \end{cases}$$
$$x_3 = \lambda^2 - x_1 - x_2, \qquad y_3 = \lambda(x_3 - x_1) + y_1.$$

10.2 Elliptic curves as a group

In order to perform factorisation with elliptic curves, we need to make the set of points on an elliptic curve into a group. To do this, we must define a binary operation, the identity element, and inverses.

We start by defining the binary operation as follows:
$$(x_1, y_1) \oplus (x_2, y_2) = (x_3, -y_3),$$
where $x_3$ and $y_3$ are computed as shown above. Note that the new point is not the third point of intersection itself, but its reflection across the x-axis. It still lies on the same elliptic curve. Next we define the identity element ∞ and the inverse of a point by
$$(x, y) \oplus \infty = (x, y), \qquad (x, y) \oplus (x, -y) = \infty.$$
With the above definitions we have both the identity element and inverses. The identity element can be thought of as a point infinitely far north, through which every vertical line passes. In terms of notation, E(a, b) denotes the group of rational points on the curve $y^2 = x^3 + ax + b$, where $4a^3 + 27b^2 \ne 0$, together with the point ∞. Also, $(x_i, y_i)$ denotes $(x_1, y_1)\#i$, where
$$(x_1, y_1)\#i = \underbrace{(x_1, y_1) \oplus (x_1, y_1) \oplus \cdots \oplus (x_1, y_1)}_{i \text{ times}}.$$

10.3 Elliptic curves modulo n

All our reasoning from the previous sections still applies to elliptic curves modulo n. If $x_1 \equiv x_2 \pmod n$ and $y_1 \equiv -y_2 \pmod n$, then $(x_1, y_1) \oplus (x_2, y_2) = \infty$. Otherwise let s be the inverse mod n of $2y_1$ when $x_1 \equiv x_2$, and of $x_1 - x_2$ when it is not. As before, we define
$$\lambda \equiv \begin{cases} (3x_1^2 + a)\, s & \text{if } x_1 \equiv x_2 \pmod n, \\ (y_1 - y_2)\, s & \text{otherwise,} \end{cases}$$
$$x_3 \equiv \lambda^2 - x_1 - x_2 \pmod n, \qquad y_3 \equiv \lambda(x_3 - x_1) + y_1 \pmod n.$$
The inverse s exists only when the denominator is coprime to n. When it is not, $\gcd(\text{denominator}, n)$ is a divisor of n, and this failure of the group law modulo a composite n is exactly what the factorisation method exploits. Furthermore, we define the binary operation modulo n as
$$(x_1, y_1) \oplus (x_2, y_2) \equiv (x_3, -y_3) \pmod n,$$
and $(x_i, y_i) \bmod n$ as $(x_i, y_i) \equiv (x_1, y_1)\#i \pmod n$. Finally, E(a, b)/n denotes the elliptic group modulo n whose elements are the pairs (x, y) of non-negative integers less than n satisfying $y^2 \equiv x^3 + ax + b \pmod n$, together with the point ∞.

10.4 Computation on elliptic curves

In order to implement factorisation, we need a fast way of computing (x, y)#i. Given the first coordinate x of $(x_1, y_1)$, we can compute the first coordinate of $(x_2, y_2)$ as follows:
$$x_2 = \frac{(x^2 - a)^2 - 8bx}{4(x^3 + ax + b)}.$$

Therefore, given the first coordinate of (x, y)#i, we can compute the first coordinate of (x, y)#2i using the above formula. We can extend this to 2i + 1 with the following formula, which also involves $x_1$, the first coordinate of the difference of the two points:
$$x_{2i+1} = \frac{(a - x_i x_{i+1})^2 - 4b(x_i + x_{i+1})}{x_1 (x_i - x_{i+1})^2}.$$
As you can see, such computations involve lots of fractions. We can avoid rational numbers by introducing triplets (X, Y, Z), where x = X/Z, y = Y/Z, and X, Y and Z are integers. Another nice feature of this notation is that the identity element now has the explicit representation (0, Y, 0), where Y can be any integer. If we define $(X_i, Y_i, Z_i) = (X, Y, Z)\#i$, the previous formulas become
$$X_{2i} = (X_i^2 - aZ_i^2)^2 - 8bX_iZ_i^3,$$
$$Z_{2i} = 4Z_i(X_i^3 + aX_iZ_i^2 + bZ_i^3),$$
$$X_{2i+1} = Z_1\bigl((X_iX_{i+1} - aZ_iZ_{i+1})^2 - 4bZ_iZ_{i+1}(X_iZ_{i+1} + X_{i+1}Z_i)\bigr),$$
$$Z_{2i+1} = X_1(X_{i+1}Z_i - X_iZ_{i+1})^2.$$
For our purposes we never need to calculate the second coordinate Y of the triplets; still, $Y_i$ can always be recovered (up to sign) from $X_i$ and $Z_i$ via the curve equation. The triplets can be used modulo n as well, as long as all the computations are done modulo n.

10.5 Factorisation using elliptic curves

The method I will be describing is essentially due to H. W. Lenstra, Jr. Let N be a composite number relatively prime to 6 (in practice this means that N has no small factors, which trial division has already removed). We randomly choose a for our elliptic curve and a random point (x, y) on it; b is then determined by
$$b \equiv y^2 - x^3 - ax \pmod N.$$
We convert to triplets (X, Y, Z), our initial triplet being (x, y, 1). If p is a prime which divides N, and the order of the group E(a, b)/p divides k!, then
$$(X, Y, Z)\#k! = (\cdots(((X, Y, Z)\#1)\#2)\cdots)\#k$$
will be the identity element in E(a, b)/p (but, in general, not in E(a, b)/N). This means that every coordinate of $(X, Y, Z)\#k!$ is divisible by p, but at least one of them is not divisible by N. Since $Z_{k!}$ is divisible by p, there is a good chance that $\gcd(Z_{k!}, N)$ is a non-trivial divisor of N.
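The X, Z-only arithmetic of section 10.4 and the stage described in section 10.5, as an added Python example (not the report's code). It departs from the k! schedule in one respect: it multiplies by one prime at a time, repeating each prime q as often as $q^e \le B_1$, and tests gcd(Z, N) after every prime. With that schedule the point can only become the identity modulo p at the end of a scalar multiplication, never in the middle of one, where the x-only formulas above are not valid (they assume both operands are finite points). The modulus 10007·10009, the bound and the seed are constructed inputs, and all function names are mine.

```python
import math
import random


def _x_double(X, Z, a, b, n):
    """(X, Z) of 2P from (X, Z) of P: the doubling formula of section 10.4."""
    X2 = (pow(X * X - a * Z * Z, 2, n) - 8 * b * X * pow(Z, 3, n)) % n
    Z2 = 4 * Z * (pow(X, 3, n) + a * X * Z * Z + b * pow(Z, 3, n)) % n
    return X2, Z2


def _x_add(Xi, Zi, Xj, Zj, X1, Z1, a, b, n):
    """(X, Z) of P_i + P_j given P_i, P_j and their difference (X1 : Z1):
    the 2i+1 formula of section 10.4 with j = i + 1."""
    t = (Xi * Xj - a * Zi * Zj) % n
    u = 4 * b * Zi * Zj * (Xi * Zj + Xj * Zi) % n
    return Z1 * (t * t - u) % n, X1 * pow(Xj * Zi - Xi * Zj, 2, n) % n


def _x_multiply(k, X1, Z1, a, b, n):
    """x-only Montgomery ladder: (X, Z) of k*P from (X1, Z1) of P, k >= 1.
    Invariant R1 - R0 = P, so every addition is a differential addition."""
    R0, R1 = (X1, Z1), _x_double(X1, Z1, a, b, n)
    for bit in bin(k)[3:]:                       # bits of k below the leading one
        if bit == "1":
            R0 = _x_add(*R0, *R1, X1, Z1, a, b, n)
            R1 = _x_double(*R1, a, b, n)
        else:
            R1 = _x_add(*R0, *R1, X1, Z1, a, b, n)
            R0 = _x_double(*R0, a, b, n)
    return R0


def _primes_up_to(limit):
    """Primes <= limit by the sieve of Eratosthenes."""
    flags = bytearray([1]) * (limit + 1)
    flags[0] = flags[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = b"\x00" * len(range(i * i, limit + 1, i))
    return [i for i in range(limit + 1) if flags[i]]


def ecm_stage1(n, bound, curves=60, seed=0):
    """Lenstra's method, stage 1. For each random curve y^2 = x^3 + ax + b (mod n)
    with the point (x : 1) on it, multiply by every prime power <= bound, one
    prime at a time, and test gcd(Z, n) after each prime. Returns a divisor d
    with 1 < d < n, or None if no curve succeeded."""
    rng = random.Random(seed)
    primes = _primes_up_to(bound)
    for _curve in range(curves):
        a, x, y = (rng.randrange(1, n) for _ in range(3))
        b = (y * y - x ** 3 - a * x) % n         # so that (x, y) lies on the curve (section 10.5)
        g = math.gcd(4 * a ** 3 + 27 * b * b, n)
        if 1 < g < n:
            return g                             # curve singular mod a factor of n: a lucky hit
        if g == n:
            continue                             # singular mod n itself: useless curve
        X, Z = x, 1                              # Y is never needed
        for q in primes:
            e, qe = 0, 1
            while qe * q <= bound:               # largest e with q^e <= bound
                qe, e = qe * q, e + 1
            for _ in range(e):
                X, Z = _x_multiply(q, X, Z, a, b, n)
            g = math.gcd(Z, n)
            if 1 < g < n:
                return g                         # Z = 0 mod p: the point is the identity in E(a,b)/p
            if g == n:
                break                            # identity modulo every factor at once: next curve
    return None


if __name__ == "__main__":
    # Constructed input: the product of the primes 10007 and 10009.
    print(ecm_stage1(10007 * 10009, bound=200, seed=1))
```

A curve succeeds when the order of E(a, b)/p is a product of prime powers not exceeding the bound, which for p near 10^4 and a bound of 200 happens for a large fraction of random curves; the loop over curves is what turns that per-curve chance into a near-certain result, and changing the seed is the analogue of "changing our luck" in the earlier chapters.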


More information

CSE373: Data Structures and Algorithms Lecture 3: Math Review; Algorithm Analysis. Linda Shapiro Winter 2015

CSE373: Data Structures and Algorithms Lecture 3: Math Review; Algorithm Analysis. Linda Shapiro Winter 2015 CSE373: Data Structures and Algorithms Lecture 3: Math Review; Algorithm Analysis Linda Shapiro Today Registration should be done. Homework 1 due 11:59 pm next Wednesday, January 14 Review math essential

More information

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,

More information

TYPES Workshop, 12-13 june 2006 p. 1/22. The Elliptic Curve Factorization method

TYPES Workshop, 12-13 june 2006 p. 1/22. The Elliptic Curve Factorization method Ä ÙÖ ÒØ ÓÙ Ð ÙÖ ÒØ ÓÑ Ø ºÒ Ø TYPES Workshop, 12-13 june 2006 p. 1/22 ÄÇÊÁ ÍÒ Ú Ö Ø À ÒÖ ÈÓ Ò Ö Æ ÒÝÁ. The Elliptic Curve Factorization method Outline 1. Introduction 2. Factorization method principle 3.

More information

Lecture 3: One-Way Encryption, RSA Example

Lecture 3: One-Way Encryption, RSA Example ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

More information

Why? A central concept in Computer Science. Algorithms are ubiquitous.

Why? A central concept in Computer Science. Algorithms are ubiquitous. Analysis of Algorithms: A Brief Introduction Why? A central concept in Computer Science. Algorithms are ubiquitous. Using the Internet (sending email, transferring files, use of search engines, online

More information

a 11 x 1 + a 12 x 2 + + a 1n x n = b 1 a 21 x 1 + a 22 x 2 + + a 2n x n = b 2.

a 11 x 1 + a 12 x 2 + + a 1n x n = b 1 a 21 x 1 + a 22 x 2 + + a 2n x n = b 2. Chapter 1 LINEAR EQUATIONS 1.1 Introduction to linear equations A linear equation in n unknowns x 1, x,, x n is an equation of the form a 1 x 1 + a x + + a n x n = b, where a 1, a,..., a n, b are given

More information

STUDY ON ELLIPTIC AND HYPERELLIPTIC CURVE METHODS FOR INTEGER FACTORIZATION. Takayuki Yato. A Senior Thesis. Submitted to

STUDY ON ELLIPTIC AND HYPERELLIPTIC CURVE METHODS FOR INTEGER FACTORIZATION. Takayuki Yato. A Senior Thesis. Submitted to STUDY ON ELLIPTIC AND HYPERELLIPTIC CURVE METHODS FOR INTEGER FACTORIZATION by Takayuki Yato A Senior Thesis Submitted to Department of Information Science Faculty of Science The University of Tokyo on

More information

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 17 Shannon-Fano-Elias Coding and Introduction to Arithmetic Coding

More information

Cryptography and Network Security Chapter 8

Cryptography and Network Security Chapter 8 Cryptography and Network Security Chapter 8 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 8 Introduction to Number Theory The Devil said to Daniel Webster:

More information

CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY

CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY January 10, 2010 CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY The set of polynomials over a field F is a ring, whose structure shares with the ring of integers many characteristics.

More information

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may Number Theory Divisibility and Primes Definition. If a and b are integers and there is some integer c such that a = b c, then we say that b divides a or is a factor or divisor of a and write b a. Definition

More information

8 Divisibility and prime numbers

8 Divisibility and prime numbers 8 Divisibility and prime numbers 8.1 Divisibility In this short section we extend the concept of a multiple from the natural numbers to the integers. We also summarize several other terms that express

More information

Lecture 3: Finding integer solutions to systems of linear equations

Lecture 3: Finding integer solutions to systems of linear equations Lecture 3: Finding integer solutions to systems of linear equations Algorithmic Number Theory (Fall 2014) Rutgers University Swastik Kopparty Scribe: Abhishek Bhrushundi 1 Overview The goal of this lecture

More information

Number Theory and Cryptography using PARI/GP

Number Theory and Cryptography using PARI/GP Number Theory and Cryptography using Minh Van Nguyen nguyenminh2@gmail.com 25 November 2008 This article uses to study elementary number theory and the RSA public key cryptosystem. Various commands will

More information

PROPERTIES OF ELLIPTIC CURVES AND THEIR USE IN FACTORING LARGE NUMBERS

PROPERTIES OF ELLIPTIC CURVES AND THEIR USE IN FACTORING LARGE NUMBERS PROPERTIES OF ELLIPTIC CURVES AND THEIR USE IN FACTORING LARGE NUMBERS A ver important set of curves which has received considerabl attention in recent ears in connection with the factoring of large numbers

More information

9. POLYNOMIALS. Example 1: The expression a(x) = x 3 4x 2 + 7x 11 is a polynomial in x. The coefficients of a(x) are the numbers 1, 4, 7, 11.

9. POLYNOMIALS. Example 1: The expression a(x) = x 3 4x 2 + 7x 11 is a polynomial in x. The coefficients of a(x) are the numbers 1, 4, 7, 11. 9. POLYNOMIALS 9.1. Definition of a Polynomial A polynomial is an expression of the form: a(x) = a n x n + a n-1 x n-1 +... + a 1 x + a 0. The symbol x is called an indeterminate and simply plays the role

More information

http://wrap.warwick.ac.uk/

http://wrap.warwick.ac.uk/ Original citation: Hart, William B.. (2012) A one line factoring algorithm. Journal of the Australian Mathematical Society, Volume 92 (Number 1). pp. 61-69. ISSN 1446-7887 Permanent WRAP url: http://wrap.warwick.ac.uk/54707/

More information

CORRELATED TO THE SOUTH CAROLINA COLLEGE AND CAREER-READY FOUNDATIONS IN ALGEBRA

CORRELATED TO THE SOUTH CAROLINA COLLEGE AND CAREER-READY FOUNDATIONS IN ALGEBRA We Can Early Learning Curriculum PreK Grades 8 12 INSIDE ALGEBRA, GRADES 8 12 CORRELATED TO THE SOUTH CAROLINA COLLEGE AND CAREER-READY FOUNDATIONS IN ALGEBRA April 2016 www.voyagersopris.com Mathematical

More information

ABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS

ABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS ABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS John A. Beachy Northern Illinois University 2014 ii J.A.Beachy This is a supplement to Abstract Algebra, Third Edition by John A. Beachy and William D. Blair

More information

Elements of Applied Cryptography Public key encryption

Elements of Applied Cryptography Public key encryption Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let

More information

CS 103X: Discrete Structures Homework Assignment 3 Solutions

CS 103X: Discrete Structures Homework Assignment 3 Solutions CS 103X: Discrete Structures Homework Assignment 3 s Exercise 1 (20 points). On well-ordering and induction: (a) Prove the induction principle from the well-ordering principle. (b) Prove the well-ordering

More information

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Modern/Public-key cryptography started in 1976 with the publication of the following paper. W. Diffie

More information

COLLEGE ALGEBRA. Paul Dawkins

COLLEGE ALGEBRA. Paul Dawkins COLLEGE ALGEBRA Paul Dawkins Table of Contents Preface... iii Outline... iv Preliminaries... Introduction... Integer Exponents... Rational Exponents... 9 Real Exponents...5 Radicals...6 Polynomials...5

More information

k, then n = p2α 1 1 pα k

k, then n = p2α 1 1 pα k Powers of Integers An integer n is a perfect square if n = m for some integer m. Taking into account the prime factorization, if m = p α 1 1 pα k k, then n = pα 1 1 p α k k. That is, n is a perfect square

More information

Factoring. Factoring 1

Factoring. Factoring 1 Factoring Factoring 1 Factoring Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and RSA is broken o Rabin cipher also based on factoring Factoring like

More information

Continued Fractions and the Euclidean Algorithm

Continued Fractions and the Euclidean Algorithm Continued Fractions and the Euclidean Algorithm Lecture notes prepared for MATH 326, Spring 997 Department of Mathematics and Statistics University at Albany William F Hammond Table of Contents Introduction

More information

PYTHAGOREAN TRIPLES KEITH CONRAD

PYTHAGOREAN TRIPLES KEITH CONRAD PYTHAGOREAN TRIPLES KEITH CONRAD 1. Introduction A Pythagorean triple is a triple of positive integers (a, b, c) where a + b = c. Examples include (3, 4, 5), (5, 1, 13), and (8, 15, 17). Below is an ancient

More information

it is easy to see that α = a

it is easy to see that α = a 21. Polynomial rings Let us now turn out attention to determining the prime elements of a polynomial ring, where the coefficient ring is a field. We already know that such a polynomial ring is a UF. Therefore

More information

6 EXTENDING ALGEBRA. 6.0 Introduction. 6.1 The cubic equation. Objectives

6 EXTENDING ALGEBRA. 6.0 Introduction. 6.1 The cubic equation. Objectives 6 EXTENDING ALGEBRA Chapter 6 Extending Algebra Objectives After studying this chapter you should understand techniques whereby equations of cubic degree and higher can be solved; be able to factorise

More information

Math Workshop October 2010 Fractions and Repeating Decimals

Math Workshop October 2010 Fractions and Repeating Decimals Math Workshop October 2010 Fractions and Repeating Decimals This evening we will investigate the patterns that arise when converting fractions to decimals. As an example of what we will be looking at,

More information

2 Primality and Compositeness Tests

2 Primality and Compositeness Tests Int. J. Contemp. Math. Sciences, Vol. 3, 2008, no. 33, 1635-1642 On Factoring R. A. Mollin Department of Mathematics and Statistics University of Calgary, Calgary, Alberta, Canada, T2N 1N4 http://www.math.ucalgary.ca/

More information

The Taxman Game. Robert K. Moniot September 5, 2003

The Taxman Game. Robert K. Moniot September 5, 2003 The Taxman Game Robert K. Moniot September 5, 2003 1 Introduction Want to know how to beat the taxman? Legally, that is? Read on, and we will explore this cute little mathematical game. The taxman game

More information

Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2

Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2 CS 70 Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2 Proofs Intuitively, the concept of proof should already be familiar We all like to assert things, and few of us

More information

Integer roots of quadratic and cubic polynomials with integer coefficients

Integer roots of quadratic and cubic polynomials with integer coefficients Integer roots of quadratic and cubic polynomials with integer coefficients Konstantine Zelator Mathematics, Computer Science and Statistics 212 Ben Franklin Hall Bloomsburg University 400 East Second Street

More information

Summation Algebra. x i

Summation Algebra. x i 2 Summation Algebra In the next 3 chapters, we deal with the very basic results in summation algebra, descriptive statistics, and matrix algebra that are prerequisites for the study of SEM theory. You

More information

RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks. By Abdulaziz Alrasheed and Fatima RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

More information

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

More information

Elementary Number Theory and Methods of Proof. CSE 215, Foundations of Computer Science Stony Brook University http://www.cs.stonybrook.

Elementary Number Theory and Methods of Proof. CSE 215, Foundations of Computer Science Stony Brook University http://www.cs.stonybrook. Elementary Number Theory and Methods of Proof CSE 215, Foundations of Computer Science Stony Brook University http://www.cs.stonybrook.edu/~cse215 1 Number theory Properties: 2 Properties of integers (whole

More information

Number Theory Hungarian Style. Cameron Byerley s interpretation of Csaba Szabó s lectures

Number Theory Hungarian Style. Cameron Byerley s interpretation of Csaba Szabó s lectures Number Theory Hungarian Style Cameron Byerley s interpretation of Csaba Szabó s lectures August 20, 2005 2 0.1 introduction Number theory is a beautiful subject and even cooler when you learn about it

More information

Answer Key for California State Standards: Algebra I

Answer Key for California State Standards: Algebra I Algebra I: Symbolic reasoning and calculations with symbols are central in algebra. Through the study of algebra, a student develops an understanding of the symbolic language of mathematics and the sciences.

More information

Basic Algorithms In Computer Algebra

Basic Algorithms In Computer Algebra Basic Algorithms In Computer Algebra Kaiserslautern SS 2011 Prof. Dr. Wolfram Decker 2. Mai 2011 References Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, 1993. Cox, D.; Little,

More information

11 Ideals. 11.1 Revisiting Z

11 Ideals. 11.1 Revisiting Z 11 Ideals The presentation here is somewhat different than the text. In particular, the sections do not match up. We have seen issues with the failure of unique factorization already, e.g., Z[ 5] = O Q(

More information

Number Theory and the RSA Public Key Cryptosystem

Number Theory and the RSA Public Key Cryptosystem Number Theory and the RSA Public Key Cryptosystem Minh Van Nguyen nguyenminh2@gmail.com 05 November 2008 This tutorial uses to study elementary number theory and the RSA public key cryptosystem. A number

More information

What are the place values to the left of the decimal point and their associated powers of ten?

What are the place values to the left of the decimal point and their associated powers of ten? The verbal answers to all of the following questions should be memorized before completion of algebra. Answers that are not memorized will hinder your ability to succeed in geometry and algebra. (Everything

More information

RSA and Primality Testing

RSA and Primality Testing and Primality Testing Joan Boyar, IMADA, University of Southern Denmark Studieretningsprojekter 2010 1 / 81 Correctness of cryptography cryptography Introduction to number theory Correctness of with 2

More information

THE CONGRUENT NUMBER PROBLEM

THE CONGRUENT NUMBER PROBLEM THE CONGRUENT NUMBER PROBLEM KEITH CONRAD 1. Introduction A right triangle is called rational when its legs and hypotenuse are all rational numbers. Examples of rational right triangles include Pythagorean

More information

Today s Topics. Primes & Greatest Common Divisors

Today s Topics. Primes & Greatest Common Divisors Today s Topics Primes & Greatest Common Divisors Prime representations Important theorems about primality Greatest Common Divisors Least Common Multiples Euclid s algorithm Once and for all, what are prime

More information

Mathematics Review for MS Finance Students

Mathematics Review for MS Finance Students Mathematics Review for MS Finance Students Anthony M. Marino Department of Finance and Business Economics Marshall School of Business Lecture 1: Introductory Material Sets The Real Number System Functions,

More information

Factoring Polynomials

Factoring Polynomials UNIT 11 Factoring Polynomials You can use polynomials to describe framing for art. 396 Unit 11 factoring polynomials A polynomial is an expression that has variables that represent numbers. A number can

More information

2.1 Complexity Classes

2.1 Complexity Classes 15-859(M): Randomized Algorithms Lecturer: Shuchi Chawla Topic: Complexity classes, Identity checking Date: September 15, 2004 Scribe: Andrew Gilpin 2.1 Complexity Classes In this lecture we will look

More information

Library (versus Language) Based Parallelism in Factoring: Experiments in MPI. Dr. Michael Alexander Dr. Sonja Sewera.

Library (versus Language) Based Parallelism in Factoring: Experiments in MPI. Dr. Michael Alexander Dr. Sonja Sewera. Library (versus Language) Based Parallelism in Factoring: Experiments in MPI Dr. Michael Alexander Dr. Sonja Sewera Talk 2007-10-19 Slide 1 of 20 Primes Definitions Prime: A whole number n is a prime number

More information