Pollard's p-1 algorithm Guide, Meaning , Facts, Information and Description
Pollard's p − 1 algorithm is a number theoretic integer factorization algorithm, invented by John Pollard in 1974. It is a special-purpose algorithm, meaning that it is only suitable for integers with specific types of factors.
| Table of contents |
|
2 Pollard concepts 3 Algorithm and running time 4 Large prime variant 5 Additional information |
Base concepts
Let n be a composite integer with prime factor p. By Fermat's little theorem, we know that
- for
Let p1, ..., pL be the primes less than B and let e1, ..., eL be the exponents such that
Therefore if gcd(aM − 1, n) ≠ n, then the gcd is a non-trivial factor of n.
Note that if p − 1 is not B-powersmooth, then aM ≢ 1 (mod p) for at least half of all a.
Note that in the case where q − 1 is B-powersmooth, the gcd may yield a trivial factor because q divides aM − 1.
Note that this is what makes the algorithm specialized. For example, 172189 = 421 × 409. 421 − 1 = 22×3×5×7 and 409 − 1 = 23×3×17. So, an appropriate value of B would be from 7 to 16. If B was selected less than 7 the gcd would have been 1 and if B was selected higher than 16 the gcd would have been n. Of course, we do not know what value of B is appropriate in advance, so this will factor into the algorithm.
To speed up calculations, we also know that when taking the gcd we can reduce one part modulo the other, so gcd(aM − 1, n) = gcd(aM − 1 mod n, n). This can be efficiently calculated using modular exponentiation and the Euclidean algorithm.
The running time of this algorithm is O(B × log B × log2n), so it is advantageous to pick a small value of B.
As a starting point, this would work into the basic algorithm at step 6 if we encountered gcd = 1 but didn't want to increase B. For all primes B < q1, ..., qL ≤ B', we check if
This is an Article on Pollard's p-1 algorithm. Page Contains Information, Facts Details or Explanation Guide About Pollard's p-1 algorithm Pollard concepts
Let n = pqr, where p and q are distinct primes and r is an integer, such that p − 1 is B-powersmooth and q − 1 is not B-powersmooth. Now, gcd(aM − 1, n) yields a proper factor of n.Algorithm and running time
The basic algorithm can be written as follows:
If g = 1 in step 6, this indicates that for all p − 1 that none were B-powersmooth. If g = n in step 7, this usually indicates that all factors were B-powersmooth, but in rare cases it could indicate that a had a small order modulo p.Large prime variant
A variant of the basic algorithm is sometimes used. Statistically, there is often a factor p of n such that p − 1 = fq such that f is B-powersmooth and B < q ≤ B', where q is a prime and B' is called a semi-smoothness bound.
to obtain a non-trivial factor of n. This is quickly accomplished, because if we let c = aM, and d1 = q1 and di = qi − qi − 1, then we can compute
The running time of the algorithm with this variant then becomes O(B' × log B' × log2n).Additional information
Because of this algorithm's effectiveness on certain types of numbers the RSA specifications require that the primes, p and q, be such that they are non-B-powersmooth for small values of B.