{{DISPLAYTITLE:Pollard's ''p'' − 1 algorithm}}
'''Pollard's ''p'' − 1 algorithm''' is a [[number theory|number theoretic]] [[integer factorization]] [[algorithm]], invented by [[John Pollard (mathematician)|John Pollard]] in 1974. It is a special-purpose algorithm, meaning that it is only suitable for [[integer]]s with specific types of factors; it is the simplest example of an [[algebraic-group factorisation algorithm]].

The factors it finds are ones for which the number preceding the factor, ''p'' − 1, is [[smooth number#Powersmooth numbers|powersmooth]]; the essential observation is that, by working in the multiplicative group [[Modular arithmetic|modulo]] a composite number ''N'', we are also working in the multiplicative groups modulo all of ''N'''s factors.

The existence of this algorithm leads to the concept of [[safe prime]]s, being primes for which ''p'' − 1 is two times a [[Sophie Germain prime]] ''q'' and thus minimally smooth. These primes are sometimes construed as "safe for cryptographic purposes", but they might be ''unsafe'' — in current recommendations for cryptographic [[strong prime]]s (''e.g.'' [[ANSI X9.31]]), it is [[necessary but not sufficient]] that ''p'' − 1 has at least one large prime factor. Most sufficiently large primes are strong; if a prime used for cryptographic purposes turns out to be non-strong, it is much more likely to be through malice than through an accident of [[random number generation]]. This terminology is considered [[obsolescent]] by the cryptography industry.
[http://www.rsa.com/rsalabs/node.asp?id=2217]

==Base concepts==

Let ''n'' be a composite integer with prime factor ''p''. By [[Fermat's little theorem]], we know that for all integers ''a'' coprime to ''p'' and for all positive integers ''K'':

:<math>a^{K(p-1)} \equiv 1\pmod{p}</math>

If a number ''x'' is congruent to 1 [[Modular arithmetic|modulo]] a factor of ''n'', then the {{nowrap|[[Greatest common divisor|gcd]](''x'' − 1, ''n'')}} will be divisible by that factor.

The idea is to make the exponent a large multiple of ''p'' − 1 by making it a number with very many prime factors; generally, we take the product of all prime powers less than some limit ''B''. Start with a random ''x'', and repeatedly replace it by <math>x^w \mod n</math> as ''w'' runs through those prime powers. Check at each stage, or once at the end if you prefer, whether {{nowrap|gcd(''x'' − 1, ''n'')}} is not equal to 1.

==Multiple factors==

It is possible that for all the prime factors ''p'' of ''n'', ''p'' − 1 is divisible by small primes, at which point the Pollard ''p'' − 1 algorithm gives you ''n'' again.

==Algorithm and running time==

The basic algorithm can be written as follows:

:'''Inputs''': ''n'': a composite number
:'''Output''': a nontrivial factor of ''n'' or <u>failure</u>

:# select a smoothness bound ''B''
:# define <math>M = \prod_{\text{primes}~q \le B} q^{ \lfloor \log_q{B} \rfloor }</math> (note: explicitly evaluating ''M'' may not be necessary)
:# randomly pick ''a'' coprime to ''n'' (note: we can actually fix ''a''; random selection here is not imperative)
:# compute {{nowrap|''g'' {{=}} gcd(''a''<sup>''M''</sup> − 1, ''n'')}} (note: exponentiation can be done modulo ''n'')
:# if {{nowrap|1 < ''g'' < ''n''}} then return ''g''
:# if {{nowrap|''g'' {{=}} 1}} then select a larger ''B'' and go to step 2 or return <u>failure</u>
:# if {{nowrap|''g'' {{=}} ''n''}} then select a smaller ''B'' and go to step 2 or return <u>failure</u>

If {{nowrap|''g'' {{=}} 1}} in step 6, this indicates that not all factors of {{nowrap|''p'' − 1}} were ''B''-powersmooth. If {{nowrap|''g'' {{=}} ''n''}} in step 7, this usually indicates that all factors were ''B''-powersmooth, but in rare cases it could indicate that ''a'' had a small order modulo ''n''.

The running time of this algorithm is {{nowrap|O(''B'' × log ''B'' × log<sup>2</sup> ''n'')}}; larger values of ''B'' make it run slower, but are more likely to produce a factor.

==How to choose ''B''?==

Since the algorithm is incremental, it can just keep running with the bound constantly increasing.

Assume that ''p'' − 1, where ''p'' is the smallest prime factor of ''n'', can be modelled as a random number of size less than √''n''. By [[Dixon's theorem]], the probability that the largest factor of such a number is less than (''p'' − 1)<sup>''ε''</sup> is roughly ''ε''<sup>−''ε''</sup>; so there is a probability of about 3<sup>−3</sup> = 1/27 that a ''B'' value of ''n''<sup>1/6</sup> will yield a factorisation.

In practice, the [[elliptic curve method]] is faster than the Pollard ''p'' − 1 method once the factors are at all large; running the ''p'' − 1 method up to ''B'' = 10<sup>6</sup> will find a quarter of all twelve-digit factors and 1/27 of all eighteen-digit factors, before proceeding to another method.

==Two-stage variant==

A variant of the basic algorithm is sometimes used; instead of requiring that ''p'' − 1 has all its factors less than ''B'', we require it to have all but one of its factors less than some ''B''<sub>1</sub>, and the remaining factor less than some {{nowrap|''B''<sub>2</sub> ≫ ''B''<sub>1</sub>}}. After completing the first stage, which is the same as the basic algorithm, instead of computing a new

:<math>M' = \prod_{\text{primes}~q \le B_2} q^{ \lfloor \log_q{B_2} \rfloor }</math>

for ''B''<sub>2</sub> and checking {{nowrap|gcd(''a''<sup>''M'''</sup> − 1, ''n'')}}, we compute

:<math>Q = \prod_{\text{primes}~q \in (B_1, B_2]} (H^q - 1)</math>

where {{nowrap|''H'' {{=}} ''a''<sup>''M''</sup>}} and check if {{nowrap|gcd(''Q'', ''n'')}} produces a nontrivial factor of ''n''. As before, exponentiations can be done modulo ''n''.

Let {''q''<sub>1</sub>, ''q''<sub>2</sub>, …} be successive prime numbers in the interval {{nowrap|(''B''<sub>1</sub>, ''B''<sub>2</sub>]}} and ''d''<sub>''n''</sub> = ''q''<sub>''n''</sub> − ''q''<sub>''n''−1</sub> the difference between consecutive prime numbers. Since typically {{nowrap|''B''<sub>1</sub> > 2}}, the {{nowrap|''d''<sub>''n''</sub>}} are even numbers. The distribution of prime numbers is such that the ''d''<sub>''n''</sub> will all be relatively small. It is suggested that {{nowrap|''d''<sub>''n''</sub> ≤ [[Natural logarithm|ln]]<sup>2</sup> ''B''<sub>2</sub>}}. Hence, the values of {{nowrap|''H''<sup>2</sup>}}, {{nowrap|''H''<sup>4</sup>}}, {{nowrap|''H''<sup>6</sup>}}, … (mod ''n'') can be stored in a table, and {{nowrap|''H''<sup>''q''<sub>''n''</sub></sup>}} be computed from {{nowrap|''H''<sup>''q''<sub>''n''−1</sub></sup>⋅''H''<sup>''d''<sub>''n''</sub></sup>}}, saving the need for exponentiations.
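
Both stages in Python, as an added example that is not code from this article or from any of the implementations listed below: <code>stage_one</code> is steps 1 to 7 of the basic algorithm (with ''M'' never materialised, as step 2 notes), and <code>stage_two</code> is the prime-gap table just described. The bounds ''B''<sub>1</sub>, ''B''<sub>2</sub> and the fixed base ''a'' = 2 are caller choices, and the code assumes ''B''<sub>1</sub> ≥ 2 so that every gap between consecutive primes in (''B''<sub>1</sub>, ''B''<sub>2</sub>] is even.

```python
from math import gcd

def primes_upto(limit):
    """Sieve of Eratosthenes: all primes <= limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, flag in enumerate(sieve) if flag]

def stage_one(n, B1, a=2):
    """Stage 1: H = a^M mod n with M = prod q^floor(log_q B1). Returns (H, gcd(H - 1, n))."""
    H = a
    for q in primes_upto(B1):
        qe = q                      # largest power of q not exceeding B1
        while qe * q <= B1:
            qe *= q
        H = pow(H, qe, n)           # raise incrementally; M itself is never built
    return H, gcd(H - 1, n)

def stage_two(n, H, B1, B2):
    """Stage 2: gcd(Q, n) with Q = prod (H^q - 1) over primes q in (B1, B2]."""
    assert B1 >= 2, "assumes B1 >= 2 so every prime gap in (B1, B2] is even"
    primes = [q for q in primes_upto(B2) if q > B1]
    if not primes:
        return 1
    # Table of H^2, H^4, H^6, ... mod n, indexed by the (even) gap between consecutive primes.
    table, power, H2 = {}, 1, pow(H, 2, n)
    for d in range(2, max((q - p for p, q in zip(primes, primes[1:])), default=0) + 1, 2):
        power = power * H2 % n
        table[d] = power
    Hq = pow(H, primes[0], n)       # the only full exponentiation in this stage
    Q = (Hq - 1) % n
    for prev, q in zip(primes, primes[1:]):
        Hq = Hq * table[q - prev] % n   # H^q = H^{q_prev} * H^d: one multiplication per prime
        Q = Q * (Hq - 1) % n
    return gcd(Q, n)

def pollard_pm1(n, B1, B2, a=2):
    """Return a nontrivial factor of n, or None if both stages fail. Assumes gcd(a, n) == 1."""
    H, g = stage_one(n, B1, a)
    if 1 < g < n:
        return g
    if g == n:                      # every p - 1 was B1-powersmooth (or a has small order): B1 too large
        return None
    g = stage_two(n, H, B1, B2)
    return g if 1 < g < n else None
```

On the constructed modulus ''n'' = 299 = 13 · 23 (12 = 2<sup>2</sup> · 3, 22 = 2 · 11), ''B''<sub>1</sub> = 3 leaves stage 1 with ''g'' = 1, and stage 2 with ''B''<sub>2</sub> = 11 then recovers 23; ''B''<sub>1</sub> = 11 makes both ''p'' − 1 values powersmooth and the function returns <code>None</code>, the step 7 case.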

==Implementations==

* The [http://gforge.inria.fr/projects/ecm/ GMP-ECM] package includes an efficient implementation of the ''p'' − 1 method.
* [[Prime95]] and [[MPrime]], the official clients of the [[Great Internet Mersenne Prime Search]], use ''p'' − 1 to eliminate potential candidates.

==See also==

* [[Williams' p + 1 algorithm]]

==References==

*{{Cite journal |last=Pollard |first=J. M. |year=1974 |title=Theorems of factorization and primality testing |journal=Proceedings of the Cambridge Philosophical Society |volume=76 |issue=3 |pages=521–528 |doi=10.1017/S0305004100049252 }}
*{{Cite journal |last1=Montgomery |first1=P. L. |last2=Silverman |first2=R. D. |year=1990 |title=An FFT extension to the ''P'' − 1 factoring algorithm |journal=Mathematics of Computation |volume=54 |issue=190 |pages=839–854 |doi=10.1090/S0025-5718-1990-1011444-3 }}

==External links==

*[http://modular.math.washington.edu/edu/2007/spring/ent/ent-html/node81.html Pollard's ''p'' − 1 Method]
*[http://ardoino.com/2004/03/maths-factoring-pollard/ Pollard's ''p'' − 1 Algorithm source code]

{{Number theoretic algorithms}}

[[Category:Integer factorization algorithms]]