Pollard's rho algorithm
Encyclopedia : P : PO : POL : Pollard's rho algorithm
Pollard's rho algorithm is a special-purpose integer factorization algorithm. It was invented by John Pollard in 1975. It is particularly effective at splitting composite numbers with small factors.
Core ideas
The rho algorithm is based on Floyd's cycle-finding algorithm and on the observation that (as in the birthday paradox) two numbers x and y are congruent modulo p with probability 0.5 after [1.177\sqrt] numbers have been randomly chosen. If p is a factor of n, the integer we are aiming to factor, then [1 < \gcd \left( |x-y|,n \right) \le n] since p divides both [\left|x-y\right|] and n.The rho algorithm therefore uses a function modulo n as a generator of a pseudo-random sequence. It runs one sequence twice as "fast" as the other; i.e. for every iteration made by one copy of the sequence, the other copy makes two iterations. Let x be the current state of one sequence and y be the current state of the other. The GCD of |x − y| and n is taken at each step. If this GCD ever comes to n, then the algorithm terminates with failure, since this means x = y and therefore, by Floyd's cycle-finding algorithm, the sequence has cycled and continuing any further would only be repeating previous work.
The algorithm
Inputs: n, the integer to be factored; and f(x), a pseudo-random function modulo nOutput: a non-trivial factor of n, or failure.
- x ← 2, y ← 2; d ← 1
- While d = 1:
- # x ← f(x)
- # y ← f(f(y))
- # d ← GCD(|x − y|, n)
- # If 1 < d < n, then return d.
- # If d = n, return failure.
Richard Brent's variant
In 1980, Richard Brent published a faster variant of the rho algorithm. He used the same core ideas as Pollard, but he used a different method of cycle detection that was faster than Floyd's original algorithm.Brent's algorithm is as follows:
Input: n, the integer to be factored; x0, such that 0 ≤ x0 ≤ n; m such that m > 0; and f(x), a pseudo-random function modulo n.
Output: a non-trivial factor of n, or failure.
- y ← x0, r ← 1, q ← 1.
- Do:
- # x ← y
- # For i = 1 To r:
- ## y ← f(y)
- #k ← 0
- # Do:
- ## ys ← y
- ## For i = 1 To min(m, r − k):
- ### y ← f(y), q ← (q × |x − y|) mod n
- ## g ← GCD(q, n), k ← k + i
- # Until (k ≥ r or g > 1)
- # r ← 2r
- Until g > 1
- If g = n then
- # Do:
- ## ys ← f(ys), g ← GCD(|x − ys|, n)
- # Until g > 1
- If g = n then return failure, else return g
In practice
The algorithm is very fast for numbers with small factors. For example, on a 733 MHz workstation, an implementation of the rho algorithm, without any optimizations, found the factor 274177 of the sixth Fermat number in about half a second. The sixth Fermat number is 18446744073709551617 (20 decimal digits). However, for a semiprime of the same size, the same workstation took around 9 seconds to find a factor of 10023859281455311421 (the product of 2 10-digit primes).For f, we choose a polynomial with integer coefficients. The most common ones are of the form:
- [f(x)=x^2+c\hboxn,\,c\neq0,-2.]
Example factorization
Let n = 8051 and f(x) = x2 + 1 mod 8051.
| i | xi | yi | GCD(|xi − yi|, 8051) |
| 1 | 5 | 26 | 1 |
| 2 | 26 | 7474 | 1 |
| 3 | 677 | 871 | 97 |
97 is a non-trivial factor of 8051. Other values of c may give the cofactor (83) of 97 instead of 97.
References
- Richard P. Brent. An Improved Monte Carlo Factorization Algorithm, BIT 20, 1980, pp.176-184, http://web.comlab.ox.ac.uk/oucl/work/richard.brent/pd/rpb051i.pdf
- Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein. Introduction to Algorithms, Second Edition. MIT Press and McGraw-Hill, 2001. ISBN 0262032937. Section 31.9: Integer factorization, pp.896–901 (this section discusses only Pollard's rho algorithm).
From Wikipedia, the Free Encyclopedia. Original article here. Support Wikipedia by contributing or donating.
All text is available under the terms of the GNU Free Documentation License See Wikipedia Copyrights for details.