Integer Factorization Algorithms



Similar documents
In nite Sequences. Dr. Philippe B. Laval Kennesaw State University. October 9, 2008

Soving Recurrence Relations

Asymptotic Growth of Functions

1. MATHEMATICAL INDUCTION

Trigonometric Form of a Complex Number. The Complex Plane. axis. ( 2, 1) or 2 i FIGURE The absolute value of the complex number z a bi is

Incremental calculation of weighted mean and variance

Department of Computer Science, University of Otago

3. Greatest Common Divisor - Least Common Multiple

Chapter 6: Variance, the law of large numbers and the Monte-Carlo method

5 Boolean Decision Trees (February 11)

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

Example 2 Find the square root of 0. The only square root of 0 is 0 (since 0 is not positive or negative, so those choices don t exist here).

Running Time ( 3.1) Analysis of Algorithms. Experimental Studies ( 3.1.1) Limitations of Experiments. Pseudocode ( 3.1.2) Theoretical Analysis

2-3 The Remainder and Factor Theorems

THE ARITHMETIC OF INTEGERS. - multiplication, exponentiation, division, addition, and subtraction

A Recursive Formula for Moments of a Binomial Distribution

Sequences and Series

CS103X: Discrete Structures Homework 4 Solutions

Chapter 5: Inner Product Spaces

I. Chi-squared Distributions

Properties of MLE: consistency, asymptotic normality. Fisher information.

Factors of sums of powers of binomial coefficients

Lecture 4: Cauchy sequences, Bolzano-Weierstrass, and the Squeeze theorem

Section 11.3: The Integral Test

Infinite Sequences and Series

UC Berkeley Department of Electrical Engineering and Computer Science. EE 126: Probablity and Random Processes. Solutions 9 Spring 2006

CS103A Handout 23 Winter 2002 February 22, 2002 Solving Recurrence Relations

A probabilistic proof of a binomial identity

SAMPLE QUESTIONS FOR FINAL EXAM. (1) (2) (3) (4) Find the following using the definition of the Riemann integral: (2x + 1)dx


Factoring x n 1: cyclotomic and Aurifeuillian polynomials Paul Garrett <garrett@math.umn.edu>

WHEN IS THE (CO)SINE OF A RATIONAL ANGLE EQUAL TO A RATIONAL NUMBER?

Modified Line Search Method for Global Optimization

A Combined Continuous/Binary Genetic Algorithm for Microstrip Antenna Design

THE ABRACADABRA PROBLEM

Lecture 4: Cheeger s Inequality

SECTION 1.5 : SUMMATION NOTATION + WORK WITH SEQUENCES

Overview of some probability distributions.

A Note on Sums of Greatest (Least) Prime Factors

A Faster Clause-Shortening Algorithm for SAT with No Restriction on Clause Length

Taking DCOP to the Real World: Efficient Complete Solutions for Distributed Multi-Event Scheduling

SEQUENCES AND SERIES


MARTINGALES AND A BASIC APPLICATION

Basic Elements of Arithmetic Sequences and Series

Convexity, Inequalities, and Norms

INFINITE SERIES KEITH CONRAD

Repeating Decimals are decimal numbers that have number(s) after the decimal point that repeat in a pattern.

Chapter 7 Methods of Finding Estimators

Output Analysis (2, Chapters 10 &11 Law)

Annuities Under Random Rates of Interest II By Abraham Zaks. Technion I.I.T. Haifa ISRAEL and Haifa University Haifa ISRAEL.

Solving Logarithms and Exponential Equations

How To Solve The Homewor Problem Beautifully

On Formula to Compute Primes. and the n th Prime

MATH 083 Final Exam Review

Chapter 7 - Sampling Distributions. 1 Introduction. What is statistics? It consist of three major areas:

Vladimir N. Burkov, Dmitri A. Novikov MODELS AND METHODS OF MULTIPROJECTS MANAGEMENT

CHAPTER 3 THE TIME VALUE OF MONEY

FIBONACCI NUMBERS: AN APPLICATION OF LINEAR ALGEBRA. 1. Powers of a matrix

University of California, Los Angeles Department of Statistics. Distributions related to the normal distribution

Fast Fourier Transform

Your organization has a Class B IP address of Before you implement subnetting, the Network ID and Host ID are divided as follows:

Multi-server Optimal Bandwidth Monitoring for QoS based Multimedia Delivery Anup Basu, Irene Cheng and Yinzhe Yu

5: Introduction to Estimation

PROCEEDINGS OF THE YEREVAN STATE UNIVERSITY AN ALTERNATIVE MODEL FOR BONUS-MALUS SYSTEM

S. Tanny MAT 344 Spring be the minimum number of moves required.

Designing Incentives for Online Question and Answer Forums

Cooley-Tukey. Tukey FFT Algorithms. FFT Algorithms. Cooley

Project Deliverables. CS 361, Lecture 28. Outline. Project Deliverables. Administrative. Project Comments

.04. This means $1000 is multiplied by 1.02 five times, once for each of the remaining sixmonth

NATIONAL SENIOR CERTIFICATE GRADE 12

Our aim is to show that under reasonable assumptions a given 2π-periodic function f can be represented as convergent series

Normal Distribution.

Here are a couple of warnings to my students who may be here to get a copy of what happened on a day that you missed.

Maximum Likelihood Estimators.

CME 302: NUMERICAL LINEAR ALGEBRA FALL 2005/06 LECTURE 8

1 Computing the Standard Deviation of Sample Means

Building Blocks Problem Related to Harmonic Series

Approximating Area under a curve with rectangles. To find the area under a curve we approximate the area using rectangles and then use limits to find

Lecture 2: Karger s Min Cut Algorithm

Lecture 5: Span, linear independence, bases, and dimension

Chapter 7: Confidence Interval and Sample Size

2. Degree Sequences. 2.1 Degree Sequences

CS100: Introduction to Computer Science

Domain 1: Designing a SQL Server Instance and a Database Solution

Confidence Intervals for One Mean

CHAPTER 7: Central Limit Theorem: CLT for Averages (Means)

The Role of Latin Square in Cipher Systems: A Matrix Approach to Model Encryption Modes of Operation

Analysis Notes (only a draft, and the first one!)

Discrete Mathematics and Probability Theory Spring 2014 Anant Sahai Note 13

Definition. A variable X that takes on values X 1, X 2, X 3,...X k with respective frequencies f 1, f 2, f 3,...f k has mean

Descriptive Statistics

GCE Further Mathematics (6360) Further Pure Unit 2 (MFP2) Textbook. Version: 1.4

NEW HIGH PERFORMANCE COMPUTATIONAL METHODS FOR MORTGAGES AND ANNUITIES. Yuri Shestopaloff,

Hypothesis testing. Null and alternative hypotheses

Week 3 Conditional probabilities, Bayes formula, WEEK 3 page 1 Expected value of a random variable

Transcription:

Iteger Factorizatio Algorithms Coelly Bares Departmet of Physics, Orego State Uiversity December 7, 004 This documet has bee placed i the public domai.

Cotets I. Itroductio 3 1. Termiology 3. Fudametal Theorem of Arithmetic 3 3. Practical Motivatio 3 II. Algorithms 5 1. Algorithm: Trial Divisio 5. Pseudocode: Trial Divisio 5 3. Algorithm: Fermat Factorizatio 5 4. Pseudocode: Fermat Factorizatio 6 5. Algorithm: Pollard rho Factorizatio 6 6. Pseudocode: Pollard rho Factorizatio 7 7. Algorithm: Bret s Factorizatio Method 7 8. Pseudocode: Bret s Factorizatio Method 8 9. Algorithm: Pollard p-1 Factorizatio 9 10. Pseudocode: Pollard p-1 Factorizatio 10 III. Ruig times 11 1. Ruig time: Trial Divisio 11. Ruig time: Fermat Factorizatio 11 3. Ruig times: Empirical Results 11 IV. Failures of Probabilistic Algorithms 1 V. Coclusio 13 Appedi A. Maple Source Code for Simulatio 14 Appedi B. Refereces 17

I. Itroductio This paper gives a brief survey of iteger factorizatio algorithms. We offer several motivatios for the factorizatio of large itegers. A umber of factorig algorithms are the eplaied, ad pseudocode is give for each. Bouds i ruig time are foud for algorithms which are always successful, ad failure cases are show for probabilistic algorithms. Fially, the ru times of all preseted algorithms are plotted for certai prime products ad compared. 1. Termiology Big O otatio: The fuctio f () is O( g( )) as if ad oly if there are positive real costats c, such that for every >, 0 f ( ) cg( ). Eample: f ( ) = + + 1 is O ( ) as for c = 3, = 0. Whe Big O otatio is applied to the ruig time or storage requiremets of a algorithm, oe may write simply O ( g( )), ad it is assumed that. If multiple variables are preset, the variable which goes to ifiity is idicated. As part of the defiitio of O ( g( )), all possible eecutios of the algorithm must be cosidered as. Trivial factor: A positive iteger factor s of N such that s = 1 or s = N. Notrivial factor: A positive iteger factor s of N such that 1 < s < N. Prime umber: A positive iteger greater tha 1 that is divisible by o positive itegers other tha 1 ad itself.. Fudametal Theorem of Arithmetic The fudametal theorem of arithmetic states that every positive iteger ca be writte uiquely as a product of primes, whe the primes i the product are writte i odecreasig order. 3. Practical Motivatios The fudametal theorem of arithmetic implies that ay composite iteger ca be factored. Give the umber N = 1, it is straightforward to fid the factors of N: 1 = 3 7. Now cosider a larger composite umber: 3

N = 519590847565789349407183400483985714981604 03077771378360436600707595556640185588078440 69189064149515081899855914917618450808489100 78449968739807877767359714183477061896375014 971846911650776133798590957000973304597488084840 179749100644586918171951187461151517654638 16869987549184433637590851418654604357679843 387184774447907399343658483848119816381501067 481045166037730605601619676561338441436038339044 14956344319011465754445417844009461651573350 77870774981715774679696386356373899115483143 8167899885040445364035738195137863656439110103 97181070357. This iteger is ow as RSA-048. O March 1991, RSA Laboratories aouced a USD 00,000 award for the successful factorizatio of this umber. As of November 004, this umber has ot yet bee factored [1]. If oe is give two large prime umbers, there are fast algorithms for multiplyig them together. However, if oe is give the product of two large primes, it is difficult to fid the prime factors. The fastest ow geeral-purpose factorig algorithm is the Geeral Number Field Sieve (GNFS), which i asymptotic otatio taes S 64 = O ep 9 1/ 3 ( log ) / 3 steps to factor a iteger with decimal digits. The ruig time of the algorithm is bouded below by fuctios polyomial i ad bouded above by fuctios epoetial i []. The apparet difficulty of factorig large itegers is the basis of some moder cryptographic algorithms. The RSA ecryptio algorithm [3], ad the Blum Blum Shub cryptographic pseudoradom umber geerator [4] both rely o the difficulty of factorig large itegers. If it were possible to factor products of large prime umbers quicly, these algorithms would be isecure. The SSL ecryptio used for TCP/IP coectios over the World Wide Web relies o the security of the RSA algorithm [5]. Hece if oe could factor large itegers quicly, "secured" Iteret sites would o loger be secure. Fially, i computatioal compleity theory, it is uow whether factorig is i the compleity class P. I techical terms, this meas that there is o ow algorithm for aswerig the questio "Does iteger N have a factor less tha iteger s?" i a umber of steps that is O ( P( )), where is the umber of digits i N, ad P() is a polyomial fuctio. Moreover, o oe has proved that such a algorithm eists, or does ot eist. I layma's terms, oe ca simply as the questio, "What is the fastest algorithm for factorig large umbers?" This is a importat ope questio i mathematics [6]. 4

II. Algorithms 1. Algorithm: Trial Divisio Trial divisio is the simplest algorithm for factorig a iteger. Assume that s ad t are otrivial factors of N such that st = N ad s t. To perform the trial divisio algorithm, oe simply checs whether s N for s =,, N. Whe such a divisor s is foud, the t = N / s is also a factor, ad a factorizatio has bee foud for N. The upper boud of s N is provided by the followig theorem: Theorem. If N has otrivial factors s, t with st = N ad s t, the s N. Proof. Assume s > N. The t s > N, ad st > N, which cotradicts the assumptio that st = N. Hece s N.. Pseudocode: Trial Divisio fuctio trialdivisio(n) for s from to floor(sqrt(n)) if s divides N the retur s, N/s ed if ed for ed fuctio If this algorithm is give composite N, the it returs a pair of otrivial factors s, t with s t. The statemet s N is equivalet to s 0 (mod N ), ad so it ca be implemeted via modular arithmetic i most laguages. 3. Algorithm: Fermat Factorizatio This algorithm was discovered by mathematicia Pierre de Fermat i the 1600s [7]. Fermat factorizatio rewrites a composite umber N as the differece of squares: N = y This differece of squares leads immediately to the factorizatio of N: N = ( + y)( y) Assume that s ad t are otrivial odd factors of N such that st = N ad s t. We ca fid ad y such that s = ( y) ad t = ( + y). Solvig this equatio, we fid that = (s + t) / ad y = (t s) /. Here ad y are itegers, sice the differece betwee ay two odd umbers is eve, ad a eve umber is divisible by two. Sice s > 1 ad t s, 5

we fid that 1 ad y 0. For particular, y satisfyig s = ( y) ad t = ( + y), we thus ow that = N + y, ad hece N. Also, ( s + t) / t / N. whether For a algorithm, we choose y i = i N 1 = N, ad 1 = + 1. For each i, we chec i+ i is a iteger ad whether + y ),( y ) are otrivial ( i i i i factors of N. If both of these coditios hold, we retur the otrivial factors. Otherwise, we cotiue to the et i, ad eit oce i = N. 4. Pseudocode: Fermat Factorizatio fuctio fermatfactor(n) for from ceil(sqrt(n)) to N ysquared := * - N if issquare(ysquared) the y := sqrt(ysquared) s := ( - y) t := ( + y) if s <> 1 ad s <> N the retur s, t ed if ed if ed for ed fuctio Here the issquare(z) fuctio is true if z is a square umber ad false otherwise. It is straightforward to costruct a issquare fuctio by taig a square root, roudig the aswer to a iteger, squarig the result, ad checig if the origial umber is reproduced. 5. Algorithm: Pollard rho Factorizatio Pollard's rho method is a probabilistic method for factorig a composite umber N by iteratig a polyomial modulo N. The method was published by J.M. Pollard i 1975. Suppose we costruct the sequece: (mod 0 N + 1 + 1 (mod N ) ) This sequece will evetually become periodic. It ca be show that the legth of the cycle is less tha or equal to N by a proof by cotradictio: assume that the legth L of the cycle is greater tha N, however we have oly N distict values i our cycle of legth L>N, so there must eist two values are cogruet, ad these ca be idetified as the startig poits of a cycle with legth less tha or equal to N. Probabilistic argumets show that the epected time for this sequece (mod N) to fall ito a cycle ad epected legth of the cycle are both proportioal to N, for almost all N [8]. Other 6

iitial values ad iterative fuctios ofte have similar behavior uder iteratio, but the fuctio f ( ) = + 1 has bee foud to wor well i practice for factorizatio. Assume that s ad t are otrivial factors of N such that st = N ad s t. Now suppose that we have foud oegative itegers i, with i < such that (mod s) but (mod N). Sice s ( i ), ad s N, we have that s gcd(, N ). By i i i assumptio s, thus gcd( i, N). By defiitio we ow gcd( i, N ) N. However, we have that N / ( i ), ad thus that N / gcd(, N). So we have i i, N ) that N / gcd( i, N), gcd( i, N) > 1, ad gcd( N. Therefore gcd( i, N ) is a otrivial factor of N. Now we must fid i, such that i (mod s) ad i (mod N). Observe that the sequece (mod s) is periodic with the legth of the cycle proportioal to s. Pollard suggested that be compared to for = 1,, 3,. For each, we chec whether gcd(, N) is a otrivial factor of N. If gcd(, N) is a trivial factor of N, we repeat the iterative process util a factor is foud. If o factor is foud, the algorithm does ot termiate. 6. Pseudocode: Pollard rho Factorizatio fuctio pollardrho(n) # Iitial values (i) ad (*i) for i = 0. i := i := do # Fid (i+1) ad (*(i+1)) iprime := i ^ + 1 iprime := (i ^ + 1) ^ + 1 # Icremet i: chage our ruig values for (i), (*i). i := iprime % N i := iprime % N s := gcd(i - i, N) if s <> 1 ad s <> N the retur s, N/s ed if ed do ed fuctio Here a % m is a modulo operatio, which returs the least oegative iteger y such that a y (mod m). 7. Algorithm: Bret's Factorizatio Method Bret's factorizatio method is a improvemet to Pollard's rho algorithm, published by R. Bret i 1980 [9]. I Pollard's rho algorithm, oe tries to fid a 7

otrivial factor s of N by fidig idices i, with i < such that i (mod s) ad i (mod N). The sequece is defied by the recurrece relatio: (mod 0 N 1 (mod N ) + + ) Pollard suggested that be compared to for = 1,, 3,. Bret's improvemet to Pollard's method is to compare to m, where m is the largest itegral power of less tha. 8. Pseudocode: Bret's Factorizatio Method fuctio bretfactor(n) # Iitial values (i) ad (m) for i = 0. i := m := for i from 1 to ifiity # Fid (i) from (i-1). i := (i ^ + 1) % N s := gcd(i - m, N) if s <> 1 ad s <> N the retur s, N/s ed if if itegralpowerof(i) the m := i ed if ed do ed fuctio Here the fuctio itegralpowerof(z) is true if z is a itegral power of ad false otherwise. A iefficiet implemetatio for this fuctio ca be made by checig successive powers of util a power of equals or eceeds z: fuctio itegralpowerof(z) pow := 1 while pow <= z do if pow = z the retur true ed if pow := pow * ed while retur false ed fuctio I terms of more efficiet operatios, itegralpowerof(z) is true if ad oly if (z&(z-1)) is zero, where & is the bitwise AND operatio [10]. A proof follows. Theorem. If z is a positive iteger, the z is a itegral power of if ad oly if z & ( z 1) = 0, where a & b deotes the bitwise AND operatio of a ad b. 8

Proof. Let there be d biary bits i z, ad let ( ) i be a operator which gives the ith biary bit of ( ), where i = 1 is the least sigificat bit. If z is a itegral power of, the clearly z = 0 for = 1,,, d 1, ad z d = 1. We also have that z 1 < z, so clearly ( z 1) = 0. Usig the truth table for the logical AND operator, we fid that d ( z & ( z 1) ) must be 0 for = 1 d. Hece ( z & ( z 1) ) = 0. I the case that z is ot a itegral power of, z = 1. Let α be the largest itegral power of that is less tha d z. The z > α, hece z 1 α, ad thus ( z 1) = α = 1. Usig the truth table for the logical AND operator at bit d we fid that ( z & ( z 1) ) = 1, hece ( & ( z 1) ) 0 Therefore, z is a itegral power of if ad oly if z & ( z 1) = 0. 9. Algorithm: Pollard p-1 Factorizatio d d d z. Pollard's p-1 factorizatio method was published by J. M. Pollard i 1974 [11]. It is based o Fermat's little theorem, which states: 1 If p is prime, a is a atural umber, ad p / a, the a p 1 (mod p). Suppose we have a positive iteger 1ad a prime p> such that ( p 1)!. Now we ca apply Fermat's little theorem with a = : p 1 1 (mod p) have: But sice ( p 1)!, we ca write! = ( p 1) q for some positive iteger q. We also divides! p 1 q q ( ) 1 1 (mod p) Hece p 1. If N is a iteger which has otrivial prime factor p, the p!! 1 + Nt for all itegers t. We ca compute! 1(mod N ) for = 1,, 3,, ad for each chec whether there eists a iteger r = gcd(, N) which divides both ad N. If ( p 1)!, the we ow p ad hece r is a otrivial factor of N. If r is ot a otrivial factor of N, the it is a trivial factor of N, i.e. r = 1 or r = N. The algorithm is the:! Compute r = gcd( 1, N) for = 1,, 3. If r { 1, N}, the r is a otrivial factor ad we are doe.! ( 1)! For efficiecy purposes, we ca write ( ) (mod ) ow (mod N), N, so that if ( 1)!! ca be computed by a sigle modular epoetiatio operatio. is 9

10. Pseudocode: Pollard p-1 Factorizatio fuctio pollard_p1(n) # Iitial value ^(!) for = 0. two fact := 1 for from 1 to ifiity # Calculate ^(!) (mod N) from ^((-1)!). two fact := modpow(two fact,, N) r := gcd(two fact - 1, N) if r <> 1 ad r <> N the retur r, N/r ed if ed for ed fuctio Here modpow(a, b, m) returs the least oegative iteger y such that a b y (mod m). This fuctio is typically provided i laguages with big iteger operatios, ad is ow as "modular epoetiatio." For laguages without modular epoetiatio, we preset a efficiet algorithm for modular epoetiatio. Write b i terms of its biary digits b... 0 b 1, so 0 1 1 b b = b + b +... + ad observe that a ca be rewritte as 0 1 b 1 have: 0 b0 1 b1 1 b 1 ( a ) ( a )... ( a ) 0 1 1 0 b1 b 1 b b a = a a... a =. b Note that for ay, ( a ) is simply 1 if b = 0, ad a otherwise. Thus we a b = 1 = 0 b 0 a Also ote that ( ) + 1 a = a = a. Via a process of repeated squarig, we ca thus costruct a algorithm which returs the least oegative iteger y such that a b y (mod m). fuctio modpow(a, b, m): as := 1 a := a % m for from 0 to ifiity if ^>b the retur as ed if if (bit of b is ozero) the as := (as * a) % m a := (a * a) % m ed for ed fuctio 10

Here a % m is a modulo operatio, which returs the least oegative iteger y such that a y (mod m). III. Ruig Times 1. Ruig Time: Trial Divisio The worst case ruig time for the trial divisio algorithm occurs whe s = t = N, ad N = s. I this case, we test divisibility for eactly N 1 itegers. Thus the algorithm taes O ( N ) steps, or whe writte i terms of the umber of digits of N, it requires O( e / ) steps. Each divisibility test ca be carried out i O (log N ) time [13]. There are o more tha N such tests, so at worst the trial divisio algorithm taes O ( N log N ) time. Whe writte i terms of the umber of digits of N, trial divisio taes O ( e / ) time.. Ruig Time: Fermat Factorizatio Assumig that N is the product of odd primes, the Fermat factorizatio as preseted i Sectio II.4 maes o more tha N steps through the for loop. Hece Fermat factorizatio taes O (N) steps. Whe writte i terms of the umber of digits of N, the algorithm taes O( e ) steps. 3. Ruig Time: Empirical Results Figure 1 shows a plot of the media umber of steps for each algorithm versus the umber of decimal digits d i the prime factors, where "steps" is defied as the umber of iteratios through the for loop. For each value of d, each algorithm was tested 100 times. For each test, itegers s, t were chose i a uiform radom maer from the set of itegers havig d decimal digits. If s was composite, or t was composite, or s equaled t, the the umbers were reselected. Oce a valid pair s, t was foud, the algorithm was ru o the product st for up to 10 6 steps. The media umber of steps is plotted for each algorithm. 11

Figure 1 Number of Steps vs Digits i Prime Factors 1000000 100000 Number of Steps 10000 1000 100 Pollard rho Pollard p-1 Trial factorizatio Fermat factorizatio Bret factorizatio 10 1 0 1 3 4 5 6 7 Decimal Digits i Prime Factors Although the Bret factorizatio algorithm was touted as a improvemet to the Pollard rho method, it appears to be slower i this simulatio. I terms of media ruig times for these data, the Pollard rho ad Pollard p-1 methods are fastest, ad the trial factorizatio method is slowest. The Maple source code used to produce these data is preseted i Appedi A. IV. Failures of Probabilistic Algorithms The trial divisio ad Fermat factorizatio algorithms always termiate, ad upper bouds ca be derived for the ruig times of these algorithms i terms of N, the umber to be factored. The Pollard rho algorithm, Bret's method, ad the Pollard p-1 algorithm are probabilistic, ad may ot fiish, eve for small values of N. Eample. Cosider the Pollard rho algorithm for N = 1 = 3 7 values geerated by the algorithm is 0 (mod 1) + 1 5 (mod 1) 1 0 1 + 1 5 1 + 1 (mod 1) 5 (mod 1) for 1. The sequece of 1

If 1, 0. The algorithm at each step for = 1,, computes =, N ) = gcd(0, N ) = gcd( N. The algorithm ever fids a otrivial factor, ad ever termiates. Eample. Cosider the Pollard p-1 algorithm for N = 65 = 13 5. The sequece of values geerated by the algorithm is:! 1 (mod 65) = 1,, 3, 1 1 1 1 6 3 1 4 4 1 1 (mod 65) 3 63 0 (mod 65) (mod 65) (mod 65) + 1 + 1 ( + 1) 1 1 1 0 (mod 65) for 5 + 1 The Pollard p-1 algorithm computes at each step gcd(, N ). For the first three steps, we fid that gcd(1, 65) = 1, gcd(3, 65) = 1, ad gcd(63, 65) = 1. For steps 4 we fid gcd(0, 65) = 65. Hece the algorithm ever fids a otrivial factor, ad ever termiates. V. Coclusio There are o ow algorithms which ca factor arbitrary large itegers efficietly. Probabilistic algorithms such as the Pollard rho ad Pollard p-1 algorithm are i most cases more efficiet tha the trial divisio ad Fermat factorizatio algorithms. However, probabilistic algorithms ca fail whe give certai prime products: for eample, Pollard's rho algorithm fails for N = 1. Iteger factorizatio algorithms are a importat subect i mathematics, both for compleity theory, ad for practical purposes such as data security o computers. 13

Appedi A. Maple Source Code for Simulatio > # Defie each factorizatio algorithm > # Trial divisio. Factor N, retur s, t, iters, where s*t = N, ad # iters is the umber of iteratios made through the for loop. If # more tha masteps iteratios are made, returs 1, N, masteps. trial_factor := proc(n, masteps) local, y, iters; iters := 1; for from to floor(sqrt(n)) do if modp(n, ) = 0 the # If y is a iteger, retur factors. retur, N/, iters; if iters >= masteps the retur 1, N, masteps; iters := iters + 1; od; ed; > # Fermat factorizatio. Same argumets ad retur value as trial_factor. fermat_factor := proc(n, masteps) local, y, iters; iters := 1; # Loo for N = ^ - y^, for >= 1, y >= 1. # Iterate over ad chec y. for from ceil(sqrt(n)) to ifiity do ysquared := ^ - N; y := isqrt(ysquared); if y*y=ysquared the # If y is a iteger, retur factors. retur -y, +y, iters; if iters >= masteps the retur 1, N, masteps; iters := iters + 1; od; ed; > # Pollard rho factorizatio. Same argumets as trial_factor. > pollard_rho := proc(n, masteps) local i, i, f, iters, p; # f() fuctio iterated i Pollard rho method, we use f() = ^+1. f := proc() retur modp( * + 1, N); ed; iters := 1; # Iitial values for (i) ad (*i), where i=1. We use (1) =. i := f(); i := f(f()); while true do # Compute p = gcd((i)-(*i), N). p := gcd(i - i, N); # If p is a otrivial factor, retur factors. if p <> 1 ad p <> N the retur p, N/p, iters; # Icrease i by oe. Note we have to apply f twice to fid # (*(i+1)) = f(f((*i)). i := f(i); i := f(f(i)); 14

# Icremet iteratio couter. iters := iters + 1; if iters >= masteps the retur 1, N, masteps; od; ed; > # Pollard p-1 factorizatio. Same argumets as trial_factor. > pollard_p1 := proc(n, masteps) local two fact, p,, iters; two fact := ^(1); # ^(!) for (iitially) = 1. iters := 1; # Number of iteratios made through for loop. for from to ifiity do # Compute p = gcd(^(!)-1, N) for curret value. p := gcd(two fact - 1, N); # If p is a otrivial factor, retur factors. if p <> 1 ad p <> N the retur p, N/p, iters; # Fid ^((+1)!) = (^(!)) ^ (+1). two fact := two fact &^ (+1) mod N; # Icremet umber of iteratios. iters := iters + 1; if iters >= masteps the retur 1, N, masteps; od; ed; > # Bret factorizatio. Same argumets ad retur value as trial_factor. > bret_factor := proc(n, masteps) local i, i, f, iters, p; # f() fuctio iterated i Pollard rho method, we use f() = ^+1. f := proc() retur modp( * + 1, N); ed; iters := 1; # Iitial values for (i) ad (m), where i=1. i := f(); m := ; while true do # Compute p = gcd((i)-(m), N). p := gcd(i - m, N); # If p is a otrivial factor, retur factors. if p <> 1 ad p <> N the retur p, N/p, iters; # Icrease i by oe. Update (m) as eeded. if ^ilog(iters) = iters the m := i; i := f(i); # Icremet iteratio couter. iters := iters + 1; if iters >= masteps the retur 1, N, masteps; od; ed; > # Give 'algo', which should be oe of the factorizatio fuctios # defied above, ad, returs the media time to factor the product 15

# of two radomly selected -digit primes, over 100 rus of the algorithm. > media_steps_for digit_prime := proc(algo, ) local i, times, p, q, p1, p, iter; # Iitially empty seqece of the umber of steps made by the give algo # for each pair of radom primes. times := seq(, =0..-1); # Ru the algorithm 100 times o products of two radom -digit primes. for i from 1 to 100 do while 1=1 do p := rad(10^(-1)..10^-1)(); q := rad(10^(-1)..10^-1)(); if isprime(p) ad isprime(q) ad p <> q the brea; od; # Ru the algorithm, but bail out after 1e6 steps. p1, p, iter := algo(p*q, 1000000); times := times, iter; od; times := sort([times]); retur times[1+floor(ops(times)/)]; ed; > # Reproduce the media umber of steps for each algorithm whe > # give the products of two radomly selected 4-digit primes. > > # Vary the last argumet to reproduce the data i Figure 1. > > media_steps_for digit_prime(trial_factor, 4); 334 > media_steps_for digit_prime(fermat_factor, 4); 101 > media_steps_for digit_prime(pollard_rho, 4); 40 > media_steps_for digit_prime(pollard_p1, 4); 36 > media_steps_for digit_prime(bret_factor, 4); 97 16

Appedi B. Refereces [1]. Kalisy, Burt. "RSA Factorig Challege." USENET ewsgroup sci.crypto. March 18, 1991. Available: http://www.google.com/groups?selm=burt.91mar180916%40chirality.rsa.com, Accessed November 17, 004. []. "Geeral umber field sieve." From Wiipedia, a olie ecyclopedia. November 13, 004. Available: http://e.wiipedia.org/wii/gnfs [3]. Wesstei, Eric W. "RSA Ecryptio." From Mathworld, a olie ecyclopedia. April, 001. Available: http://mathworld.wolfram.com/rsaecryptio.html [4]. Juod, Pascal. "Cryptographic Secure Pseudo-Radom Bits Geeratio: The Blum-Blum-Shub Geerator." August 1999. Available: http://www.wi.tue.l/~hevt/boeh-bbs.pdf [5]. Housley et al. "RFC 459: Iteret X.509 Public Key Ifrastructure Certificate ad CRL Profile." Jauary, 1999. Available: http://www.faqs.org/rfcs/rfc459.html [6]. "Iteger factorizatio Difficulty ad compleity." From Wiipedia, a olie ecyclopedia. October 30, 004. Available: http://e.wiipedia.org/wii/iteger_factorizatio [7]. Weisstei, Eric W. "Fermat, Pierre de." From MathWorld, a olie ecyclopedia. Available: http://scieceworld.wolfram.com/biography/fermat.html [8]. Weisstei, Eric W. "Pollard Rho Factorizatio." From MathWorld, a olie ecyclopedia. December 8, 00. Available: http://mathworld.wolfram.com/pollardrhofactorizatiomethod.html [9]. Weisstei, Eric W. "Bret's Factorizatio Method." From MathWorld, a olie ecyclopedia. December 8, 00. Available: http://mathworld.wolfram.com/bretsfactorizatiomethod.html [10]. Ohaessia, Robert J. "Bob's page of mildly useful but still pretty eat code sippets." February 18, 003. Available: http://bob.allegroetwor.com/prog/trics.html [11]. Weisstei, Eric W. "Pollard Rho Factorizatio." From MathWorld, a olie ecyclopedia. December 8, 00. Available: http://mathworld.wolfram.com/pollardp-1factorizatiomethod.html [1]. Campbell, Robert. "Computatio Epoetiatio via the Russia Peasat Algorithm." March 9, 1998. Available: http://www.math.umbc.edu/%7ecampbell/math413fall98/7- FermatThm.html [13]. Lipso, Joh D. "Newto's method: a great algebraic algorithm." 1976. Available: http://portal.acm.org/citatio.cfm?id=806344 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information