
Pollard's ''p'' − 1 algorithm is a number theoretic integer factorization algorithm, invented by John Pollard in 1974. It is a special-purpose algorithm, meaning that it is only suitable for integers with specific types of factors; it is the simplest example of an algebraic-group factorisation algorithm. The factors it finds are ones for which the number preceding the factor, ''p'' − 1, is powersmooth; the essential observation is that, by working in the multiplicative group modulo a composite number ''N'', we are also working in the multiplicative groups modulo all of ''N''s factors.

The existence of this algorithm leads to the concept of safe primes, being primes for which ''p'' − 1 is two times a Sophie Germain prime ''q'' and thus minimally smooth. These primes are sometimes construed as "safe for cryptographic purposes", but they might be ''unsafe'': in current recommendations for cryptographic strong primes (''e.g.'' ANSI X9.31), it is necessary but not sufficient that ''p'' − 1 has at least one large prime factor. Most sufficiently large primes are strong; if a prime used for cryptographic purposes turns out to be non-strong, it is much more likely to be through malice than through an accident of random number generation. This terminology is considered obsolete by the cryptography industry: ECM makes safe primes just as easy to factor as non-safe primes, so size is the important factor (see "What are strong primes and are they necessary for the RSA system?", RSA Laboratories, 2007).


Base concepts

Let ''n'' be a composite integer with prime factor ''p''. By Fermat's little theorem, we know that for all integers ''a'' coprime to ''p'' and for all positive integers ''K'':

:a^{K(p-1)} \equiv 1 \pmod{p}

If a number ''x'' is congruent to 1 modulo a factor of ''n'', then \gcd(x - 1, n) will be divisible by that factor. The idea is to make the exponent a large multiple of ''p'' − 1 by making it a number with very many prime factors; generally, we take the product of all prime powers not exceeding some limit ''B''. Start with a random ''x'', and repeatedly replace it by x^w \bmod n as ''w'' runs through those prime powers. Check at each stage, or once at the end if you prefer, whether \gcd(x - 1, n) is not equal to 1.


Multiple factors

It is possible that for all the prime factors ''p'' of ''n'', ''p'' − 1 is divisible only by small primes. Then a^M is congruent to 1 modulo every prime factor at once, \gcd(a^M - 1, n) = n, and the Pollard ''p'' − 1 algorithm gives you ''n'' again, which tells you nothing.


Algorithm and running time

The basic algorithm can be written as follows:

:Inputs: ''n'': a composite number
:Output: a nontrivial factor of ''n'' or failure
:# select a smoothness bound ''B''
:# define M = \prod_{q \le B} q^{\lfloor \log_q B \rfloor}, the product over primes ''q'' (note: explicitly evaluating ''M'' may not be necessary)
:# randomly pick ''a'' coprime to ''n'' (note: we can actually fix ''a'', e.g. if ''n'' is odd, then we can always select ''a'' = 2; random selection here is not imperative)
:# compute g = \gcd(a^M - 1, n) (note: exponentiation can be done modulo ''n'')
:# if 1 < g < n then return ''g''
:# if g = 1 then select a larger ''B'' and go to step 2 or return failure
:# if g = n then select a smaller ''B'' and go to step 2 or return failure

If g = 1 in step 6, this indicates there are no prime factors ''p'' for which ''p'' − 1 is ''B''-powersmooth. If g = n in step 7, this usually indicates that all factors were ''B''-powersmooth, but in rare cases it could indicate that ''a'' had a small order modulo ''n''. Additionally, in the rare case where the largest prime factor of ''p'' − 1 is the same for every prime factor ''p'' of ''n'', no choice of ''B'' separates the factors and this algorithm will fail. The running time of this algorithm is O(B \cdot \log B \cdot \log^2 n); larger values of ''B'' make it run slower, but are more likely to produce a factor.


Example

Suppose we want to factor the number ''n'' = 299.

:# We select ''B'' = 5.
:# Thus ''M'' = 2^2 × 3^1 × 5^1 = 60.
:# We select ''a'' = 2.
:# g = \gcd(a^M - 1, n) = \gcd(2^{60} - 1, 299) = 13.
:# Since 1 < 13 < 299, return 13.
:# 299 / 13 = 23 is prime, thus it is fully factored: 299 = 13 × 23.

This works because 13 − 1 = 12 = 2^2 × 3 divides ''M'' = 60, so 2^{60} ≡ 1 (mod 13), while 23 − 1 = 22 = 2 × 11 does not (11 exceeds ''B''), so 2^{60} is not 1 modulo 23 and the gcd picks out 13 alone.
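The stage-1 procedure of the Algorithm section, with the gcd taken after each prime power as the Base concepts section allows, as an added example in Python. This is example code written for this page, not Pollard's own description nor any library's implementation; the function names, the driver that grows or shrinks ''B'' per steps 6 and 7, and the constructed moduli 299 = 13 × 23, 91 = 7 × 13 and 283 × 1019 are illustrative assumptions. The 91 case shows the Multiple factors outcome (g = n at ''B'' = 4, separated at ''B'' = 3); the 283 × 1019 case shows g = 1 when ''B'' is too small.

```python
# Added example for this page: Pollard's p - 1, stage 1, with the gcd check
# performed after each prime power as the Base concepts section describes.
# Function names, the B-adjusting driver and the sample moduli are illustrative
# choices, not part of the original algorithm description.
from math import gcd


def primes_up_to(bound):
    """Sieve of Eratosthenes: every prime q with q <= bound, in order."""
    if bound < 2:
        return []
    is_prime = [True] * (bound + 1)
    is_prime[0] = is_prime[1] = False
    for i in range(2, int(bound ** 0.5) + 1):
        if is_prime[i]:
            for j in range(i * i, bound + 1, i):
                is_prime[j] = False
    return [q for q in range(2, bound + 1) if is_prime[q]]


def pollard_pm1(n, B, a=2):
    """One run of stage 1 with smoothness bound B and base a.

    Returns one of:
      ("factor", g)      1 < g < n, a nontrivial factor (step 5)
      ("none", 1)        g = 1: no p - 1 was B-powersmooth, B too small (step 6)
      ("all_smooth", n)  g = n: a^M = 1 modulo every prime factor at once (step 7)
    M is never evaluated explicitly; x is raised to each prime power in turn.
    """
    g = gcd(a, n)
    if 1 < g < n:          # a shares a factor with n: nothing left to do
        return "factor", g
    x = a % n
    for q in primes_up_to(B):
        w = q              # largest power of q not exceeding B, q^floor(log_q B)
        while w * q <= B:
            w *= q
        x = pow(x, w, n)   # x = a^(product of the prime powers seen so far) mod n
        g = gcd(x - 1, n)  # divisible by every p with (p - 1) | that exponent
        if 1 < g < n:
            return "factor", g
        if g == n:         # every factor hit in the same step: see Multiple factors
            return "all_smooth", n
    return "none", 1


def factor_with_pm1(n, B=5, B_max=1 << 20, a=2):
    """Steps 6 and 7 as a loop: double B on g = 1, decrement it on g = n.

    Returns a nontrivial factor of n, or None once B leaves [2, B_max] or a bound
    repeats (as happens when the largest prime factors of every p - 1 coincide).
    """
    tried = set()
    while 2 <= B <= B_max and B not in tried:
        tried.add(B)
        status, value = pollard_pm1(n, B, a)
        if status == "factor":
            return value
        B = B * 2 if status == "none" else B - 1
    return None


if __name__ == "__main__":
    # Constructed inputs: 299 = 13 x 23 (13 - 1 = 12 is 5-powersmooth, 22 is not)
    # and 91 = 7 x 13, where B = 4 catches both factors at once and B = 3 separates them.
    print(pollard_pm1(299, 5))          # ('factor', 13)
    print(pollard_pm1(91, 4))           # ('all_smooth', 91)
    print(pollard_pm1(91, 3))           # ('factor', 7)
    print(factor_with_pm1(91, B=4))     # 7
    print(pollard_pm1(283 * 1019, 10))  # ('none', 1): 282 = 2*3*47 needs B >= 47
    print(factor_with_pm1(283 * 1019, B=10))  # 283, reached once B has doubled to 80
```

Checking the gcd after every prime power rather than once at the end is what lets the 91 case be rescued: both 7 − 1 = 6 and 13 − 1 = 12 are 4-powersmooth, but only the step for 2^2 versus 2^1 differs between ''B'' = 4 and ''B'' = 3, and at ''B'' = 3 the exponent 6 is a multiple of 6 but not of 12.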


How to choose ''B''?

Since the algorithm is incremental, it can just keep running with the bound constantly increasing. Assume that ''p'' − 1, where ''p'' is the smallest prime factor of ''n'', can be modelled as a random number of size less than \sqrt{n}. By Dixon's theorem, the probability that the largest factor of such a number is less than (p - 1)^{1/\varepsilon} is roughly \varepsilon^{-\varepsilon}; so there is a probability of about 3^{-3} = 1/27 that a ''B'' value of n^{1/6} will yield a factorisation. In practice, the elliptic curve method is faster than the Pollard ''p'' − 1 method once the factors are at all large; running the ''p'' − 1 method up to B = 2^{32} will find a quarter of all 64-bit factors (\varepsilon = 2) and 1/27 of all 96-bit factors (\varepsilon = 3).


Two-stage variant

A variant of the basic algorithm is sometimes used; instead of requiring that ''p'' − 1 has all its factors less than ''B'', we require it to have all but one of its factors less than some ''B''<sub>1</sub>, and the remaining factor less than some ''B''<sub>2</sub> ≫ ''B''<sub>1</sub>. After completing the first stage, which is the same as the basic algorithm, instead of computing a new

:M' = \prod_{q \le B_2} q^{\lfloor \log_q B_2 \rfloor}

for ''B''<sub>2</sub> and checking \gcd(a^{M'} - 1, n), we compute

:Q = \prod_{B_1 < q \le B_2} (H^q - 1)

where H = a^M and check if \gcd(Q, n) produces a nontrivial factor of ''n''. As before, exponentiations can be done modulo ''n''. Let q_1, q_2, \ldots be successive prime numbers in the interval (B_1, B_2] and d_n = q_n - q_{n-1} the difference between consecutive prime numbers. Since typically B_1 > 2, the d_n are even numbers. The distribution of prime numbers is such that the d_n will all be relatively small; their average is about \ln B_2. Hence, the values of H^2, H^4, H^6, \ldots \pmod{n} can be stored in a table, and H^{q_n} can be computed from H^{q_{n-1}} \cdot H^{d_n}, saving the need for exponentiations.
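The two-stage variant just described, with stage 2 implemented through the prime-gap table, as an added example in Python. This is example code written for this page, not GMP-ECM's or Prime95's implementation; the function names, the bounds and the constructed modulus 283 × 1019 (where 282 = 2 × 3 × 47 has exactly one prime factor above ''B''<sub>1</sub> = 10, and 1018 = 2 × 509 has one above ''B''<sub>2</sub>) are illustrative assumptions. Stage 1 here evaluates ''M'' as lcm(1, …, ''B''<sub>1</sub>), which is the same number as the product of prime powers in the definition.

```python
# Added example for this page: the two-stage variant, with stage 2 built on the
# prime-gap table described above. Names, bounds and the constructed modulus
# 283 x 1019 are illustrative; this is not GMP-ECM's or Prime95's code.
from math import gcd, lcm


def primes_between(lo, hi):
    """Primes q with lo < q <= hi (simple sieve up to hi)."""
    is_prime = [True] * (hi + 1)
    is_prime[0:2] = [False, False]
    for i in range(2, int(hi ** 0.5) + 1):
        if is_prime[i]:
            for j in range(i * i, hi + 1, i):
                is_prime[j] = False
    return [q for q in range(max(lo + 1, 2), hi + 1) if is_prime[q]]


def stage1(n, B1, a=2):
    """H = a^M mod n with M = prod_{q <= B1} q^floor(log_q B1), which equals lcm(1..B1)."""
    M = lcm(*range(2, B1 + 1))
    H = pow(a, M, n)
    return H, gcd(H - 1, n)


def stage2(n, H, B1, B2):
    """Q = prod_{B1 < q <= B2} (H^q - 1) mod n, then gcd(Q, n).

    Consecutive primes above B1 >= 2 are odd, so their gaps d are even; a table of
    H^2, H^4, ... up to the largest gap turns each H^{q_n} into one multiplication.
    """
    qs = primes_between(B1, B2)
    if not qs:
        return 1
    gaps = [qs[i] - qs[i - 1] for i in range(1, len(qs))]
    table, H2, power = {}, H * H % n, 1
    for d in range(2, max(gaps, default=0) + 1, 2):
        power = power * H2 % n        # H^d for even d
        table[d] = power
    Hq = pow(H, qs[0], n)              # the only exponentiation in stage 2
    Q = (Hq - 1) % n
    for d in gaps:
        Hq = Hq * table[d] % n         # H^{q_n} = H^{q_{n-1}} * H^{d_n}
        Q = Q * (Hq - 1) % n
    return gcd(Q, n)


def pollard_pm1_two_stage(n, B1, B2, a=2):
    """Return a nontrivial factor of n, or None (g = 1 or g = n in both stages)."""
    if B1 < 2 or B2 <= B1:
        raise ValueError("need 2 <= B1 < B2")
    H, g = stage1(n, B1, a)
    if 1 < g < n:
        return g
    if g == n:                         # every factor B1-powersmooth: shrink B1 instead
        return None
    g = stage2(n, H, B1, B2)
    return g if 1 < g < n else None


if __name__ == "__main__":
    n = 283 * 1019   # 282 = 2*3*47 and 1018 = 2*509: stage 1 with B1 = 10 misses both
    print(stage1(n, 10)[1])                    # 1
    print(pollard_pm1_two_stage(n, 10, 50))    # 283: the prime 47 lies in (10, 50]
    print(pollard_pm1_two_stage(n, 10, 40))    # None: 47 > B2
    print(pollard_pm1_two_stage(299, 5, 20))   # 13, found already in stage 1
```

Only the factor 283 is recovered because 509, the large prime of 1019 − 1, lies beyond ''B''<sub>2</sub>; a single factor of the product ''Q'' vanishing modulo 283 is enough, while every factor stays nonzero modulo 1019, so the gcd is exactly 283.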


Implementations

* The GMP-ECM package includes an efficient implementation of the ''p'' − 1 method.
* Prime95 and MPrime, the official clients of the Great Internet Mersenne Prime Search, use a modified version of the ''p'' − 1 algorithm to eliminate potential candidates.


See also

* Williams's ''p'' + 1 algorithm

