Download
1 / 9
180 likes | 439 Views
Pollard’s rho method. Random Factoring. Let p|n and a ≡ b (mod p) Note: p is unknown and a,b is randomly selected a ≠ b (mod n) ⇒ gcd(a-b,n) is a non-trivial factor of n Proof: p|(a-b), p|n ⇒ p|gcd(a-b,n). Let f: S → S be a random function
E N D
Random Factoring • Let p|n and a≡b (mod p) • Note: p is unknown and a,b is randomly selected • a ≠b (mod n) ⇒ gcd(a-b,n) is a non-trivial factor of n Proof: p|(a-b), p|n ⇒ p|gcd(a-b,n)
Let f: S → S be a random function • We use f to generate x0, x1, x2, … defined by xi+1 = f(xi). • Since S is finite, the sequence must eventually cycle. • Then we can use this sequence to test gcd(xi-xj,n) factors n or not. • Require Memory and Time
Example • Let f = x2+1 mod 15 • Memory all xi and compute every gcd(xi-xj,n) • gcd(5-2,15) = 3
xi+1 = xj+3 xi xi+4 x1 xj x0 xj+1 • The sequence of f is cyclic.
Floyd’s cycle finding • Let p1 and p2 be two pointer. • p1, p2 starts at x0. • p1 goes one step at a time • p2 goes two steps at a time • If there is a cycle, p1 and p2 will meet somewhere. p1 x3 = x10 p1 p2 p1 p2 p2 x2 p1 p2 p1=p2 x6 p1 p2 x1 x7 p1 p2 x0 x8
Pollard’s rho method • Combine random factoring and Floyd’s cycle finding. • Let f(x) = x2 + 1 mod n be the random sequence generator.
Pollard’s rho method • INPUT: a composite integer n that is not a prime power • OUTPUT: a non-trivial factor d of n • Set p1← 2, p2← 2 • For i=1, 2, … • p1← f(p1), p2← f(f(p2)) • d ← gcd(p1-p2,n) • If 1<d<n then return d • If d=n then return fail
Example • n=455459 =613*743
