Integer Factorization Methods (PowerPoint PPT presentation)

2014-04-11

Contents

  • Overview
  • Modular Arithmetic: Division Algorithm and Congruence; Residue classes mod n; Integers modulo n; Arithmetic with integers mod n; GCD and Totatives; Inverses mod n; Euler’s Theorem
  • Cost of Multiplication and GCD
  • Integer Factorization: Trial Division; Pollard’s p − 1; Cycles in Z/nZ; Floyd’s cycle-finding; Pollard’s ρ; Birthday paradox; Fermat’s method

Integer Factorization Methods

Trial division, Pollard’s p − 1, Pollard’s ρ, and Fermat’s method

Christopher Koch
Department of Computer Science and Engineering
CSE489/589 Algorithms in CS & IT, New Mexico Tech

April 8, 2014


Overview

  • Intro to modular arithmetic
  • Euler’s theorem and Fermat’s little theorem
  • Trial division
  • Pollard’s p − 1 method
  • Cycles in Z/nZ
  • Floyd’s cycle-finding algorithm
  • Pollard’s ρ method (Monte Carlo factorization)
  • Birthday paradox
  • Fermat’s method

Convention

a,b,c,d,m,n are integers, p,q are primes


Notes: Overview

  • Monte Carlo method: dependent on some kind of random number/function/process


Modular Arithmetic

  • a∣b (a divides b) if b is a multiple of a.
  • quotient and remainder unique in integer division
  • Congruence modulo n:

a ≡ b (mod n) iff n∣(a − b).


Notes: Division Algorithm and Congruence

  • Division Algorithm: Given a,b there exist unique q,r with a = bq + r where 0 ≤ r < b.
  • For example, 13 ≡ 8 ≡ 3 (mod 5).
  • Intuition: a and b have the same remainder when divided by n.

Residue classes

  • Congruence modulo n is an equivalence relation on integers.
  • Equivalence classes: one for each remainder

[a]n = {x ∶ x ≡ a (mod n)}.

  • Called residue classes mod n


Notes: Residue classes mod n

  • Equivalence classes of congruence: integers with the same remainder are related to each other
  • Each remainder thus forms an equivalence class
  • Example: residue classes mod 4, residue classes mod 2 (even, odd)

Integers modulo n

  • Integers modulo n: set of residue classes mod n:

Z/nZ = {[r]n ∶ r ∈ Z}.

  • How to do arithmetic in mod n? What is [3]4 + [1]4?


Notes: Integers modulo n

  • For example, Z/4Z = {[0]4 ,[1]4 ,[2]4 ,[3]4}
  • 24-hour clock
  • Intuition: notion of “finite discreteness”
  • Like b-bit (unsigned) integers – Z/2^bZ – overflow “wraps” back around (most general-purpose architectures don’t do saturation arithmetic, so it wraps around like modular arithmetic)
  • But also, [5]4 ∈ Z/4Z. Why?
  • Because [5]4 = [1]4, since 5 ≡ 1 (mod 4).

Arithmetic mod n

Definition

Let n ∈ Z+ and a,b ∈ Z. Then,

[a]n + [b]n = [a + b]n
[a]n × [b]n = [a × b]n

  • Similarly,

[a]n − [b]n = [a]n + [−b]n = [a − b]n.


Notes: Arithmetic with integers mod n

  • Example here: 24-hour clock, adding 12 and 25, and multiplying 13 by 2
  • Proof that well-defined: pick x ∈ [a]n, y ∈ [b]n different representatives, show x + y ∈ [a + b]n since x ≡ a (mod n) and y ≡ b (mod n) implies x + y ≡ a + b (mod n).


GCD and Totatives

  • gcd(a,b) is the greatest common divisor of a and b
  • a,b are called coprime or relatively prime if gcd(a,b) = 1. a is called a totative of b and vice versa.
  • Bézout’s identity: If gcd(n,m) = d, then there exist k,l s.t. nk + ml = d.
  • ϕ(n) counts the number of totatives less than n:

ϕ(n) = ∣{c ∶ 1 ≤ c < n and gcd(c,n) = 1}∣.

  • We have ϕ(mn) = ϕ(n)ϕ(m).


Notes: GCD and Totatives

  • Example: gcd(40,6) = 2.
  • Example: ϕ(p) = p − 1.
  • Multiplicative ϕ useful since ϕ(pq) = ϕ(p)ϕ(q) = (p − 1)(q − 1). (easy to compute)
  • Totative of n is a number m that is coprime to n

Inverses mod n

  • Notice: no division in mod n!
  • Division is usually defined as multiplication by the multiplicative inverse.
  • Multiplicative inverse of [a]n is [b]n such that [a]n[b]n = [1]n; i.e. ab ≡ 1 (mod n).


Notes: Inverses mod n

  • Example here: 2 ∈ Z/4Z and its inverse? 4 ∈ Z/7Z and its inverse?


Theorem

[a]n ∈ Z/nZ has a multiplicative inverse if and only if gcd(a,n) = 1.

  • Drawing from previous example: gcd(4,2) = 2, while gcd(4,7) = 1.
  • That means that every element except 0 in Z/pZ has an inverse, since a prime is coprime to every element below it.
  • Bézout’s identity again: gcd(m,n) = 1, then m[m^(−1)]n + n[n^(−1)]m = 1.


Notes: Inverses mod n (theorem)

  • Proof: see write-up of notes on intro to mod arithmetic

Euler’s and Fermat’s Theorems

Theorem (Euler, Euler totient, Euler-Fermat)

Let a,n be coprime. Then, a^ϕ(n) ≡ 1 (mod n).

Corollary (Fermat)

Unless a is a multiple of p, a^(p−1) ≡ 1 (mod p).

  • Leonhard Euler, 1707-1783. Euler-Fermat Theorem. Fermat’s little theorem was the origin, Euler gave proof for it in 1736 and kept working until Euler-Fermat was in its final form in 1761.
  • E54 (Theorematum Quorundam ad Numeros Primos Spectantium Demonstratio) proves Fermat’s – by induction on binomial series expansion (1 + 1)^(p−1) etc / induction as we know it today (he bashes on Fermat’s notion of induction and how he disproved Fermat’s conjecture that 2^(2^n) + 1 is prime for any n)
  • Modern proof: using Lagrange’s theorem (subgroup H of G, o(H)∣o(G)), let H = (Z/nZ)∗ and G = Z/nZ; and since a^o(H) ≡ 1 for a ∈ H
  • Carmichael’s theorem: a^λ(n) ≡ 1 mod n where λ(n) = 0.5ϕ(n) if n is a power of 2 and all other λ(n) = ϕ(n).
  • Pierre de Fermat, 1601-1665, Fermat’s last theorem a^n + b^n ≠ c^n for n ≥ 2.
  • Application to RSA: Let M be a message. M^(mϕ(n)+1) ≡ M (mod n). So, let’s find ed = mϕ(n) + 1, i.e. ed ≡ 1 (mod ϕ(n)).
  • C(M) = M^e (mod n), D(M) = M^d (mod n). Then, C(D(M)) = M^(de) ≡ M^(mϕ(n)+1) ≡ M (mod n)
  • Choose two-prime n = pq for easy ϕ computation
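As an added example (not the slides’ own code): Bézout coefficients from the extended Euclidean algorithm, the modular inverse that the theorem above says exists exactly when gcd(a,n) = 1, and the RSA round trip from the notes with ed ≡ 1 (mod ϕ(n)); the primes 61, 53 and e = 17 are constructed, textbook-sized values, and Python is assumed.

```python
from typing import Optional, Tuple


def extended_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Bézout: return (d, k, l) with d = gcd(a, b) and a*k + b*l = d."""
    old_r, r = a, b
    old_k, k = 1, 0
    old_l, l = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_k, k = k, old_k - q * k
        old_l, l = l, old_l - q * l
    return old_r, old_k, old_l


def mod_inverse(a: int, n: int) -> Optional[int]:
    """Inverse of [a]_n in 0..n-1; None when gcd(a, n) != 1 (no inverse exists)."""
    d, k, _ = extended_gcd(a % n, n)
    if d != 1:
        return None              # e.g. [2]_4: gcd(2, 4) = 2, so no inverse
    return k % n


def phi_two_prime(p: int, q: int) -> int:
    """phi(pq) = (p - 1)(q - 1) for distinct primes p, q (the notes' RSA setting)."""
    return (p - 1) * (q - 1)


def euler_holds(a: int, n: int, phi_n: int) -> bool:
    """Euler's theorem check: a^phi(n) ≡ 1 (mod n) for coprime a, n."""
    return pow(a, phi_n, n) == 1


def rsa_roundtrip(p: int, q: int, e: int, message: int) -> Optional[int]:
    """D(C(M)) for n = pq with ed ≡ 1 (mod phi(n)); None if e has no inverse mod phi(n)."""
    n = p * q
    phi_n = phi_two_prime(p, q)
    d = mod_inverse(e, phi_n)   # d = e^(-1) mod phi(n), found via Bézout above
    if d is None:
        return None
    c = pow(message, e, n)      # C(M) = M^e mod n
    return pow(c, d, n)         # M^(ed) = M^(m*phi(n)+1) ≡ M (mod n)


if __name__ == "__main__":
    # Constructed textbook-sized parameters; real keys use far larger primes.
    print(mod_inverse(4, 7), mod_inverse(2, 4))   # 2 None
    print(rsa_roundtrip(61, 53, 17, 65))           # 65
```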

Cost of Multiplication and GCD

Convention

We will denote the cost of multiplication by M(n) and the cost of the GCD by G(n) for n-digit numbers.

  • Schoolbook multiplication: M(n) ∈ O(n^2).
  • Schönhage-Strassen: M(n) ∈ O(n lg n lg lg n).
  • Euclidean GCD: G(n) ∈ O(n^2).
  • Schönhage’s GCD: G(n) ∈ O(M(n) lg n).
  • Modular exponentiation (a^k mod b): O(M(c) lg k), where c = max(lg a,lg b).


Notes: Cost of Multiplication and GCD

  • Schönhage GCD (“controlled Euclidean descent”): Acta Informatica vol I no 3 1971
  • Schönhage-Strassen: Computing Vol 7 1971

Integer Factorization

Theorem (Fundamental Theorem of Arithmetic)

Let n be an integer. Then there exist unique primes p1,p2,⋯,pk not necessarily distinct such that n = p1 × p2 × ⋯ × pk.

  • In essence, every integer can be factored uniquely into primes. For example, 20 = 2 × 2 × 5.
  • FTA guarantees existence of that factorization, but how do you find it?

Convention

In the following slides, every big O is given in terms of input values instead of input length.


Notes: Integer Factorization

  • FTA first written down and proved by Euclid in his treatise Elements, 300BC (differently, of course)
  • Proof: existence by induction, base case n = 2 / uniqueness: Euclid’s lemma or elementary using the smallest integer that is product of two different prime factorizations
  • Euclid’s lemma: p∣ab implies p∣a or p∣b.
  • Erdős-Kac Theorem: ω(n) number of distinct prime factors of n, then the probability distribution of (ω(n) − log log n)/√(log log n) is the standard normal distribution.


Trial Division

TrialDivision(n)
    D ← ()
    for all p in primes(√n) do
        while n mod p = 0 do
            append(D,p)
            n ← n/p
    if n > 1 then
        append(D,n)
    return D

  • How often does the for-loop execute?
  • Prime-counting function π(m).
  • How often does the while loop execute? In total, at most log_p(n) ≤ lg n (since lg 2 ≤ lg p for all p ≥ 1)


Notes: Trial Division

  • Loop executes π(√n) times.

Trial Division: Analysis

Theorem (Prime number theorem)

lim_{x→∞} π(x) / (x/ln(x)) = 1. This implies π(x) ∈ O(x / ln x).

Then, for an integer n to be factored, trial division is O(π(√n) lg(n) M(lg n)) = O(√n M(lg n)).


Notes: Trial Division: Analysis

  • Landau notation (Bachmann) in terms of limits: f(n) ∈ O(g(n)) if lim_{n→∞} ∣f(n)/g(n)∣ < ∞.
  • PNT conjectured by Gauß in 1792 by his own account at 15 years old (Gauß, Hubert Mania)
  • PNT first proved by Hadamard and Vallée-Poussin (1896)
  • TODO / MAYBE: talk about distribution of prime factors, the O of the first prime factor being found and last factor being found. Might be useful for following sections.

Pollard’s p − 1 method

PollardP-1(n,B)
    K ← ∏_{primes p ≤ B} p^⌊log_p(n)⌋
    m ← (2^K − 1) mod n          ▷ modular exponentiation
    g ← gcd(m,n)
    if g = 1 then
        either increase B and return PollardP-1(n,B)
        or return failure
    else
        return g                 ▷ g must be a divisor of n


Notes: Pollard’s p − 1 method

  • John M. Pollard, 1974.
  • Periodicals of the Cambridge Phil Society, 1974, Theorems on Primality Testing and Factorization
  • and Lenstra’s ECM paper and MIT Elliptic Curves Spring 2013 course
  • n to be factored, finds non-trivial divisor of n
  • B smoothness bound
  • Since m < n, g < n
  • Original method detailed a second step to be taken for deterministic factorization: L < M < n, M < L^2.
  • b ≡ a^m mod n where m is the product of primes less than or equal to L, each to some power. Find d = gcd(b − 1,n). If d = n, decrease L and repeat.
  • Step 2: For primes L < p < M, F_p = (b^p − 1) mod n, find gcd(F_p,n).


Pollard’s p − 1: Why does it work?

Corollary (Fermat’s little theorem)

For a < p, a^(p−1) ≡ 1 (mod p). That is, p∣(a^(p−1) − 1).

  • Assume p is a prime divisor of n.
  • That means that gcd(a^(p−1) − 1,n) ≥ p.
  • The preceding also works if the exponent is a multiple of some p − 1, i.e. a^K − 1 where K is a multiple of p − 1.
  • Goal: choose K such that it is likely to be the multiple of some p − 1 for a prime divisor p.


Notes: Pollard’s p − 1: Why does it work?

  • I.e. we have found a non-trivial divisor.
  • p − 1 only finds factors p that are of the form p − 1 = A where A is some product of primes less than B. (p − 1 must be B-(power)smooth.)
  • Original version: p − 1 = Aq for some L < q < M.
  • Example 1: n = 540143, choose B = 8 and K = lcm(2,⋯,B) = 840 (easier). Then, 2^K mod n = 53047 and gcd(2^K − 1,n) = 421. Then, 540143 = 421 × 1283.
  • Example 2: n = 491389 = 383 × 1283. Because 383 − 1 = 2 × 191, we would need 191∣K and hence B ≥ 191 (for lcm). INFEASIBLE.


Pollard’s p − 1: Analysis

The exponentiation and modular exponentiation can be combined:

K ← 2
for all p in primes(B) do
    pc ← p
    while pc < n do
        K ← K^p (mod n)
        pc ← pc ∗ p
g ← gcd(K − 1,n)


Notes: Pollard’s p − 1: Analysis

  • ∑_p ⌊log_p(n)⌋ multiplications and mod exps.
  • Each mod exp is O(lg(p) M(lg n))
  • Each mult M(lg n).
  • Then, ∑_p log_p(n) lg(p) M(lg n) = ∑_p lg(n) M(lg n)

Pollard’s p − 1: Analysis

  • ∑_p ⌊log_p(n)⌋ multiplications and mod exps.
  • Each mod exp is O(lg(p) M(lg n))
  • Each mult M(lg n).
  • Then, ∑_p log_p(n) lg(p) M(lg n) = ∑_p lg(n) M(lg n)
  • Then, we have

O(G(lg n) + π(B) lg(n) M(lg n)).

  • Then, complexity of one iteration of Pollard’s p − 1 is

O(π(B) lg(n) M(lg n)).


Notes: Pollard’s p − 1: Analysis (continued)

  • Multiplication is M(lg n) since pc < n and p < n
  • Mod exp is O(lg(p) M(lg n)) since mod exp is O(∣exp∣ M(∣max(base,modulus)∣)).
  • G(lg n) = O(M(lg n) lg lg n), so less than the other stuff
  • Mult + mod exp: O((lg(p) + 1) M(lg n)) = O(lg(p) M(lg n)).
  • Notice: If B = √n, worse than trial division when TD finds all factors and p − 1 finds one
  • MIT’s Elliptic Curve class agrees
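Pollard’s p − 1 in the combined form of the analysis slide, as an added example (not the slides’ own code), together with the lcm variant and the increase-B retry from the notes; the inputs are the slides’ 540143 (B = 8 finds 421, since 420 = 2^2 × 3 × 5 × 7 is 8-smooth) and 491389 (B = 8 fails, since 383 − 1 = 2 × 191). The small primes_up_to helper is the example’s own.

```python
from functools import reduce
from math import gcd, isqrt
from typing import List, Optional


def primes_up_to(B: int) -> List[int]:
    """Primes p ≤ B by direct testing; B is small here, so no sieve is needed."""
    return [p for p in range(2, B + 1) if all(p % d for d in range(2, isqrt(p) + 1))]


def pollard_p_minus_1(n: int, B: int, a: int = 2) -> Optional[int]:
    """One pass of Pollard's p − 1 with bound B, in the slide's combined form.

    K starts at a and is raised to p exactly ⌊log_p n⌋ times for each prime
    p ≤ B, so K = a^(∏ p^⌊log_p n⌋) mod n. Any prime p | n with p − 1
    B-power-smooth satisfies K ≡ 1 (mod p) by Fermat, hence p | gcd(K − 1, n).
    Returns a non-trivial divisor, or None (the slide's 'failure').
    """
    K = a % n
    for p in primes_up_to(B):
        pc = p
        while pc < n:          # ⌊log_p n⌋ iterations
            K = pow(K, p, n)   # K ← K^p (mod n)
            pc *= p
    g = gcd(K - 1, n)
    if g == 1 or g == n:       # g = n: every prime factor was smooth at once, nothing split
        return None
    return g


def pollard_p_minus_1_lcm(n: int, B: int, a: int = 2) -> Optional[int]:
    """The 'easier' variant from the notes: K = lcm(2, ..., B), g = gcd(a^K − 1, n)."""
    K = reduce(lambda x, y: x * y // gcd(x, y), range(2, B + 1), 1)
    g = gcd(pow(a, K, n) - 1, n)
    return None if g in (1, n) else g


def pollard_p_minus_1_growing(n: int, B: int, max_B: int) -> Optional[int]:
    """The 'increase B and retry' branch of the slide: double B until max_B."""
    while B <= max_B:
        g = pollard_p_minus_1(n, B)
        if g is not None:
            return g
        B *= 2
    return None


if __name__ == "__main__":
    print(pollard_p_minus_1(540143, 8))                # 421
    print(pollard_p_minus_1(491389, 8))                # None (needs 191 | K)
    print(pollard_p_minus_1_growing(491389, 8, 256))   # 383 (found once B ≥ 191)
```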

Cycles in Z/nZ

Definition

A sequence {X_i}_{i≥0} is considered periodic if there exists a such that X_{m+a} = X_m for all m ≥ 0

  • Ultimately periodic if for all m ≥ M (some starting value)


Notes: Cycles in Z/nZ

  • Periodic: 1, 2, 3, 1, 2, 3, 1, 2, 3, . . .
  • Ultimately periodic: 3, 2, 4, 5, 1, 4, 5, 1, 4, 5, 1, . . .
  • Since Z/nZ “wraps around” in a sense, we can find cycles in it.
  • a is called period.

  • Let f ∶ Z/nZ → Z/nZ.
  • Consider a sequence {X_i}_{i≥0} where X_i ∈ Z/nZ and X_{m+1} = f(X_m).
  • The sequence is ultimately periodic.

Proof:

  • Assume X_0,X_1,⋯,X_{m−1} distinct for some m and X_m is not. m ≤ n by pigeonhole.
  • Then, X_m = X_µ for some 0 ≤ µ ≤ m − 1.
  • Let λ = m − µ (period)
  • By induction, we need to show that X_{n+λ} = X_n for all n ≥ µ.


Notes: Cycles in Z/nZ (proof)

  • For example, let n = 5, f(x) = (x + 4) mod 5 and x0 = 1. Sequence: 1,0,4,3,2,1,0,⋯
  • Base: n = µ. Then, X_{µ+λ} = X_m = X_µ.
  • Assume X_{n+λ} = X_n for some n
  • Then, X_{n+1+λ} = f(X_{n+λ}) = f(X_n) = X_{n+1}.
  • Example: n = 19, f(x) = (x^2 − 1) mod n, x0 = 2.
  • Sequence: 2, 3, 8, 6, 16 -> 8 DRAW RHO
  • Then, ∃n s.t. X_{2n} = X_n (let n = λ)

Floyd’s cycle-finding algorithm

Input: function f and start-value x0

FloydCycle(f,x0)
    x ← f(x0), y ← f(f(x0))
    while x ≠ y do
        x ← f(x)
        y ← f(f(y))


Notes: Floyd’s cycle-finding algorithm

  • Think of tortoise and hare going in circles: one slow, one fast; eventually they cross
  • same with hour-hand and minute-hand of a clock

Pollard’s ρ method

PollardRho(f,n)
    x ← 2, y ← 2, g ← 1
    while g = 1 do
        x ← f(x)                 ▷ Pollard used f(x) = x^2 − 1 (mod n)
        y ← f(f(y))
        g ← gcd(∣x − y∣,n)
    if g = n then
        return failure
    else
        return g                 ▷ g must be a divisor of n


Notes: Pollard’s ρ method

  • J. M. Pollard, 1975.
  • n to be factored, finds non-trivial divisor
  • f a function with the property x ≡ y (mod p) implies f(x) ≡ f(y) (mod p)
  • Original name is Monte Carlo factorization method, Pollard initially called it ρ method though
  • Same exit condition as Floyd cycle: x = y iff gcd(∣x − y∣,n) = gcd(1,n) = 1.
  • Cormen example: factoring 1387 = 19 × 73, using x^2 − 1 mod n.
  • Mod 1387 sequence: 2, 3, 8, 63, 1194, 1186, 177, 814, 996, 310, 396, 84, 120, 529, 1053, 595, 339 -> 1186
  • Corresponding mod 19 ρ: 2, 3, 8, 6, 16 -> 8
  • Corresponding mod 73 ρ (don’t draw this one): 2, 3, 8, 63, 26, 18, 31, 11, 47 -> 18
  • 63 − 177, gcd(63 − 177,1387) = 19.
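FloydCycle from the previous slide and PollardRho above, as an added example that is not the slides’ own code: floyd_cycle extends the slide’s tortoise-and-hare loop to return the tail length µ and period λ of the iteration, and pollard_rho runs the same two-speed walk with f(x) = x^2 − 1 (mod n); the inputs are the slides’ sequences mod 5 and mod 19 and the Cormen example 1387 = 19 × 73.

```python
from math import gcd
from typing import Callable, List, Optional, Tuple


def sequence(f: Callable[[int], int], x0: int, count: int) -> List[int]:
    """First `count` terms of X_0 = x0, X_{m+1} = f(X_m)."""
    out = [x0]
    while len(out) < count:
        out.append(f(out[-1]))
    return out


def floyd_cycle(f: Callable[[int], int], x0: int) -> Tuple[int, int]:
    """Return (µ, λ): X_{m+λ} = X_m for all m ≥ µ, both minimal.

    Phase 1 is exactly FloydCycle on the slide: the hare moves two steps per
    tortoise step until X_i = X_{2i}; i is then a multiple of λ.
    """
    x, y = f(x0), f(f(x0))
    while x != y:
        x, y = f(x), f(f(y))
    # Phase 2: tortoise restarts at X_0, hare stays at X_i = X_{2i}; stepping both
    # one at a time they first agree at X_µ (because i is a multiple of λ).
    mu, x = 0, x0
    while x != y:
        x, y, mu = f(x), f(y), mu + 1
    # Phase 3: walk once around the cycle from X_µ to measure λ.
    lam, y = 1, f(x)
    while x != y:
        y, lam = f(y), lam + 1
    return mu, lam


def pollard_rho(n: int, x0: int = 2,
                f: Optional[Callable[[int], int]] = None) -> Optional[int]:
    """PollardRho(f, n) from the slide: a non-trivial divisor of n, or None on failure.

    gcd(|x − y|, n) detects a collision modulo some prime p | n long before the
    walk collides modulo n itself; that early collision is the factor found.
    """
    if f is None:
        f = lambda v: (v * v - 1) % n   # Pollard's choice, x^2 − 1 (mod n)
    x, y, g = x0, x0, 1
    while g == 1:
        x = f(x)
        y = f(f(y))
        g = gcd(abs(x - y), n)
    return None if g == n else g      # g = n is the slide's 'failure'


if __name__ == "__main__":
    print(floyd_cycle(lambda v: (v + 4) % 5, 1))       # (0, 5)
    print(floyd_cycle(lambda v: (v * v - 1) % 19, 2))  # (2, 3)
    print(pollard_rho(1387))                           # 19
```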

Pollard’s ρ: Why does it work?

  • Let p∣n prime.
  • Want p∣(x − y) so that gcd(∣x − y∣,n) ≥ p.
  • p∣(x − y) means x ≡ y (mod p).
  • When a cycle mod p is found, we find a factor.
  • When does that happen? Birthday paradox
  • For the birthday paradox to work, we need to expect that f is a uniform function: every remainder has an equal probability of being chosen.
  • This is a conjecture, but empirical data approximately supports it


Notes: Pollard’s ρ: Why does it work?

  • Make that gcd clear – p ∣ (x − y) and p ∣ n.
  • Z/nZ ultimately periodic.
  • Show a ρ, use example from Cormen
  • Cormen example: factoring 1387 = 19 × 73, using x² − 1 mod n.
  • Mod 1387 sequence: 2, 3, 8, 63, 1194, 1186, 177, 814, 996, 310, 396, 84, 120, 529, 1053, 595, 339 -> 1186
  • Corresponding mod 19 ρ: 2, 3, 8, 6, 16 -> 8
  • Corresponding mod 73 ρ (don’t draw this one): 2, 3, 8, 63, 26, 18, 31, 11, 47 -> 18
  • 63 − 177, gcd(177 − 63, 1387) = 19
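
The walk on these two slides, as an added example (not code from the slides): Pollard’s ρ with Floyd’s cycle finding on n = 1387 with f(x) = x² − 1, which reproduces the mod 1387 and mod 19 sequences above and the gcd(∣63 − 177∣, 1387) = 19 step. Function names are my own.

```python
from math import gcd

def f(x, n):
    # The slides' iteration map (Cormen's example): x -> x^2 - 1 mod n.
    return (x * x - 1) % n

def trajectory(n, x0=2, steps=17):
    # First `steps` iterates of f starting at x0, all reduced mod n.
    seq = [x0]
    for _ in range(steps):
        seq.append(f(seq[-1], n))
    return seq

def pollard_rho(n, x0=2):
    # Pollard's rho with Floyd's cycle finding: tortoise x_i, hare x_{2i}.
    # Returns (d, x_i, x_2i) with d = gcd(|x_i - x_2i|, n). d == n means the walk
    # closed mod n before closing mod a proper factor: retry with another x0 or map.
    x = y = x0
    while True:
        x = f(x, n)           # one step
        y = f(f(y, n), n)     # two steps
        d = gcd(abs(x - y), n)
        if d > 1:
            return d, x, y

if __name__ == "__main__":
    print(trajectory(1387))            # ..., 339, 1186: the walk mod 1387 closes
    print(trajectory(19, steps=5))     # 2, 3, 8, 6, 16, 8: its shadow mod 19 closes sooner
    d, xi, x2i = pollard_rho(1387)
    print(d, 1387 // d, xi, x2i)       # 19 73 63 177: x_3 = 63 and x_6 = 177 agree mod 19
```

The tortoise/hare pair that fires is exactly x_3 = 63 and x_6 = 177 from the notes; they are distinct mod 1387 but both ≡ 6 mod 19, which is the collision mod p the birthday argument predicts.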
slide-24
SLIDE 24

Birthday paradox

  • “How many people need to be in a room so that there is a probability of m that two of them have the same birthday?”
  • “How many random variables do we need to draw from f such that two of them have the same remainder mod p with probability m?” (X_i ≡ X_j (mod p))
  • Of course, 0 < m < 1.
  • Original birthday paradox: m = 0.5

slide-25
SLIDE 25

Assume every event is equally likely: $P(X_i \equiv r) = 1/p$. Assume the events are independent: $P(X_i \equiv r \text{ and } X_j \equiv r) = P(X_i \equiv r)\,P(X_j \equiv r) = 1/p^2$. Probability that, once $X_i$ is chosen, $X_j$ will have the same birthday: $P(X_i \equiv X_j) = 1/p$. Complement: probability that all remainders are different.

Speaker notes:

  • Dropping mod p for convenience.
  • Due to the functional iteration, the random variables X_i and X_j are NOT independent! But we assume so for the sake of the analysis (and so does Pollard in his initial paper).
  • Independent: once X_i is there, the probability that X_j will be the same remainder is 1/p.

slide-26
SLIDE 26

Let $A_i$ be the event that $X_i \not\equiv X_j$ for all $0 \le j < i$. Then, the event that choosing $\lambda$ random variables yields distinct remainders is

$$B_\lambda = \bigcap_{i=0}^{\lambda-1} A_i = B_{\lambda-1} \cap A_{\lambda-1}$$

By definition of conditional probability: $P(B_\lambda) = P(B_{\lambda-1})\,P(A_{\lambda-1} \mid B_{\lambda-1})$. Then, $P(A_i \mid B_i) = \frac{p-i}{p}$, since for $A_i$, $i$ remainders are already “occupied” and $p - i$ remainders are “left.”

Speaker notes:

  • A_i means X_i is distinct from every remainder X_j for j < i
  • Conditional probability definition: $P(A \mid B) = P(A \cap B) / P(B)$

slide-27
SLIDE 27

Expanding, we have (since $P(B_1) = P(A_0) = 1$)

$$P(B_\lambda) = \prod_{i=0}^{\lambda-1} P(A_i \mid B_i) = \prod_{i=0}^{\lambda-1} \frac{p-i}{p} = \prod_{i=0}^{\lambda-1}\left(1 - \frac{i}{p}\right) = \frac{p!}{(p-\lambda)!\,p^{\lambda}}$$

Using the approximation $1 - x \approx e^{-x}$ (Taylor series),

$$P(B_\lambda) \approx 1 \times \prod_{i=1}^{\lambda-1} e^{-i/p} = e^{-\sum_{i=1}^{\lambda-1} i/p} = e^{-(\lambda^2-\lambda)/2p}$$

Now, we want $P(B_\lambda) \le 1 - m$. Notice that this gets us the median for m = 0.5!

slide-28
SLIDE 28

Thus,

$$e^{-(\lambda^2-\lambda)/2p} \le 1 - m \quad\Longrightarrow\quad \lambda^2 - \lambda + 2p\ln(1-m) \ge 0$$

Then,

$$\lambda \ge \frac{1}{2} + \frac{1}{2}\sqrt{1 - 8p\ln(1-m)}$$

  • Then, in Pollard’s ρ, we find a cycle mod p with probability 1/2 after approximately $\frac{1}{2}\sqrt{8\ln(2)\,p} \approx 1.177\sqrt{p}$ iterations.
  • In fact, we always find a cycle mod p in Θ(√p) steps.

Speaker notes:

  • Error analysis for this: http://dx.doi.org/10.1137/1033051
slide-29
SLIDE 29

Different analysis due to Knuth: mean instead of median.

$$E[\lambda] = \sum_{\lambda=1}^{p+1} P(B_\lambda) = 1 + \sum_{\lambda=1}^{p} P(B_\lambda) = 1 + \sum_{\lambda=1}^{p} \frac{p!}{(p-\lambda)!\,p^{\lambda}}$$

Define the Ramanujan Q function:

$$Q(n) = \sum_{k=1}^{n} \frac{n!}{(n-k)!\,n^{k}}$$

Then, $E[\lambda] = 1 + Q(p)$. The Q function can be approximated by $Q(p) \approx \sqrt{\pi p/2} \approx 1.2533\sqrt{p}$.

Speaker notes:

  • Summing the tail probabilities.
  • On Ramanujan’s Q function: http://algo.inria.fr/flajolet/Publications/FlGrKiPr95.pdf
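
An added numerical check (not part of the slides) of the birthday-paradox analysis of the last five slides: the exact P(B_λ) product against the e^{−(λ²−λ)/2p} approximation, the median bound λ ≥ 1/2 + ½√(1 − 8p ln(1 − m)), and Knuth’s mean 1 + Q(p) against √(πp/2). Function names are my own; p = 365 is the original birthday setting, p = 19 the small prime from the 1387 example.

```python
import math

def p_distinct(p, lam):
    # Exact P(B_λ): λ draws from p residues are pairwise distinct, ∏_{i<λ} (p-i)/p.
    prob = 1.0
    for i in range(lam):
        prob *= (p - i) / p
    return prob

def p_distinct_approx(p, lam):
    # Approximation via 1 - x ≈ e^{-x}: P(B_λ) ≈ exp(-(λ² - λ)/2p).
    return math.exp(-(lam * lam - lam) / (2 * p))

def draws_for_collision(p, m=0.5):
    # Closed-form bound: λ ≥ 1/2 + (1/2)·sqrt(1 - 8p·ln(1 - m)), rounded up.
    return math.ceil(0.5 + 0.5 * math.sqrt(1 - 8 * p * math.log(1 - m)))

def draws_exact(p, m=0.5):
    # Smallest λ with P(B_λ) ≤ 1 - m, found from the exact product.
    lam = 1
    while p_distinct(p, lam) > 1 - m:
        lam += 1
    return lam

def ramanujan_q(n):
    # Q(n) = Σ_{k=1}^{n} n!/((n-k)! n^k); each term is the previous one times
    # (n-k+1)/n, so no factorial is ever formed.
    total, term = 0.0, 1.0
    for k in range(1, n + 1):
        term *= (n - k + 1) / n
        total += term
    return total

def q_approx(n):
    # Q(n) ≈ sqrt(πn/2) ≈ 1.2533·sqrt(n).
    return math.sqrt(math.pi * n / 2)

def expected_draws(p):
    # Knuth's mean number of draws until the first repeat: E[λ] = 1 + Q(p).
    return 1 + ramanujan_q(p)

if __name__ == "__main__":
    for p in (19, 73, 365):
        print(p, draws_exact(p), draws_for_collision(p),
              round(1.177 * math.sqrt(p), 2), round(expected_draws(p), 2))
```

For p = 365 both the exact product and the bound give the familiar 23 people, while the mean 1 + Q(365) ≈ 24.6 lies above the median, as the slide’s contrast between the two analyses suggests.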

slide-30
SLIDE 30

Fermat’s method

n must be odd.

Fermat(n)
    a ← ⌈√n⌉
    b ← a² − n
    while b is not a square do
        a ← a + 1
        b ← a² − n
    return a − √b        ▷ or a + √b

Speaker notes:

  • Pierre de Fermat, when? Original paper?
  • n must be odd
  • finds non-trivial divisor
slide-31
SLIDE 31

Fermat’s: Why does it work?

  • Every odd integer is the difference of two squares.
  • n = a² − b² = (a + b)(a − b)
  • We hope that 1 < a + b < n (or, equivalently, the same for a − b).
  • Rearrange: b² = a² − n.
  • Try values for a until b² is a square.
  • Worst case: n is prime. O(n) steps.
  • Works best when a prime factor is close to the square root of n.

Speaker notes:

  • Factor n = 5959. Then, a + b = 101, a − b = 59. 5959 = 59 × 101.

    Trial   a    b²    b
    1       78   125   11.18
    2       79   282   16.79
    3       80   441   21

slide-32
SLIDE 32

Fermat’s: An Improvement

  • Is there a way to know when values of a make b² a square?

slide-33
SLIDE 33

Fermat’s: An Improvement

  • Is there a way to know when values of a make b² a square?
  • Bézout’s identity again: if gcd(m, n) = 1, then $m[m^{-1}]_n + n[n^{-1}]_m = 1$.

Theorem (Chinese Remainder Theorem)

Let gcd(n, m) = 1. Then the following system has a solution and every solution is congruent mod mn:

$$x \equiv a \pmod{n}, \qquad x \equiv b \pmod{m}$$

Solutions are $x \equiv a\,m[m^{-1}]_n + b\,n[n^{-1}]_m \pmod{mn}$.

Speaker notes:

  • Want to factor n = 2,345,678,917
  • ⌈√n⌉ = 48433
  • a² ≡ 0, 1, 4, 9 mod 16; n ≡ 5 mod 16.
  • a² − n ≡ 11, 12, 15, 9 mod 16. Then a² ≡ 9 mod 16 is the only solution. That only happens for a ≡ ±3, ±5 mod 16.
  • Also consider mod 9: n ≡ 7 mod 9.
  • a² ≡ 0, 1, 4, 7 mod 9. Then a² − n ≡ 2, 3, 6, 0 mod 9.
  • Thus a² ≡ 7 mod 9 is the only solution. That’s when a ≡ ±4 mod 9.
  • a = cn[n⁻¹]_m + dm[m⁻¹]_n = 16(4)c + (−7)9d. Let c be the mod m values, d the mod n.

    c \ d   ±3    ±5
    ±4      ±5    ±13

  • Then, a ≡ ±5, ±13 mod 9 × 16 (72)
  • Only 4 out of 72 integers are possible – only 4/72 need to be checked.
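
As an added example (not code from the slides), the Fermat loop of the “Fermat’s method” slide together with the residue sieve sketched in the notes above, in Python: allowed_residues computes the classes the notes derive by hand for mod 16 and mod 9, crt_combine merges them with the CRT formula from the slide, and fermat_sieved only tests those a. Function names are my own; it is run on n = 5959 and n = 1387 from earlier slides.

```python
from math import isqrt

def is_square(x):
    # Exact integer test; isqrt avoids floating-point rounding on large n.
    return x >= 0 and isqrt(x) * isqrt(x) == x

def fermat(n):
    # The slide as written: a = ceil(sqrt(n)), then step a until a² - n is a square.
    # Returns (a - b, a + b, trials); n must be odd.
    a = isqrt(n - 1) + 1          # ceil(sqrt(n)) for n > 1
    trials = 0
    while True:
        trials += 1
        b2 = a * a - n
        if is_square(b2):
            return a - isqrt(b2), a + isqrt(b2), trials
        a += 1

def allowed_residues(n, m):
    # Residues r mod m for which r² - n is a square mod m: a necessary condition
    # on a, computed by the same table lookup the notes do by hand for 16 and 9.
    squares = {x * x % m for x in range(m)}
    return sorted(r for r in range(m) if (r * r - n) % m in squares)

def crt_combine(res_m, m, res_n, n):
    # Combine residue sets mod m and mod n (coprime) into residues mod mn using
    # x = c·n·[n⁻¹]_m + d·m·[m⁻¹]_n, the CRT solution from the slide.
    inv_n, inv_m = pow(n, -1, m), pow(m, -1, n)
    out = {(c * n * inv_n + d * m * inv_m) % (m * n) for c in res_m for d in res_n}
    return sorted(out), m * n

def fermat_sieved(n, moduli=(16, 9)):
    # Fermat's method that only tests a in the CRT-combined allowed classes.
    res, mod = allowed_residues(n, moduli[0]), moduli[0]
    for m in moduli[1:]:
        res, mod = crt_combine(res, mod, allowed_residues(n, m), m)
    a0 = isqrt(n - 1) + 1
    base, trials = a0 - a0 % mod, 0
    while True:
        for r in res:
            a = base + r
            if a < a0:
                continue
            trials += 1
            b2 = a * a - n
            if is_square(b2):
                return a - isqrt(b2), a + isqrt(b2), trials
        base += mod
```

For n = 2,345,678,917 the sieve yields a ≡ 3, 5, 11, 13 mod 16 and a ≡ 4, 5 mod 9, i.e. 8 of every 144 candidates (the 4/72 of the notes); on 1387 the plain loop needs 9 trials (a = 38 … 46) and the sieved loop 1.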