Pollard's p − 1 algorithm


Pollard's p − 1 algorithm is a number theoretic integer factorization algorithm, invented by John Pollard in 1974. It is a special-purpose algorithm, meaning that it is only suitable for integers with specific types of factors; it is the simplest example of an algebraic-group factorisation algorithm.
The factors it finds are ones for which the number preceding the factor, p − 1, is powersmooth; the essential observation is that, by working in the multiplicative group modulo a composite number N, we are also working in the multiplicative groups modulo all of N's factors.
The existence of this algorithm leads to the concept of safe primes, being primes for which p − 1 is two times a Sophie Germain prime q and thus minimally smooth. These primes are sometimes construed as "safe for cryptographic purposes", but they might be unsafe — in current recommendations for cryptographic strong primes, it is necessary but not sufficient that p − 1 has at least one large prime factor. Most sufficiently large primes are strong; if a prime used for cryptographic purposes turns out to be non-strong, it is much more likely to be through malice than through an accident of random number generation. This terminology is considered obsolete by the cryptography industry: ECM makes safe primes just as easy to factor as non-safe primes, so size is the important factor.

Base concepts

Let n be a composite integer with prime factor p. By Fermat's little theorem, we know that for all integers a coprime to p and for all positive integers K:
If a number x is congruent to 1 modulo a factor of n, then the will be divisible by that factor.
The idea is to make the exponent a large multiple of p − 1 by making it a number with very many prime factors; generally, we take the product of all prime powers less than some limit B. Start with a random x, and repeatedly replace it by as w runs through those prime powers. Check at each stage, or once at the end if you prefer, whether is not equal to 1.

Multiple factors

It is possible that for all the prime factors p of n, p − 1 is divisible by small primes, at which point the Pollard p − 1 algorithm gives you n again.

Algorithm and running time

The basic algorithm can be written as follows:
If in step 6, this indicates there are no prime factors p for which p − 1 is B-powersmooth. If in step 7, this usually indicates that all factors were B-powersmooth, but in rare cases it could indicate that a had a small order modulo n. The algorithm also fails in the rare case where the largest prime factor of p − 1 is the same for every prime factor p of n.
The running time of this algorithm is ; larger values of B make it run slower, but are more likely to produce a factor.

Example

Suppose we want to factor the number n = 299.

How to choose B?

Since the algorithm is incremental, it can just keep running with the bound constantly increasing.
Assume that p − 1, where p is the smallest prime factor of n, can be modelled as a random number of size less than . By Dixon's theorem, the probability that the largest factor of such a number is less than 1/ε is roughly ε^ε; so there is a probability of about 3^(−3) = 1/27 that a B value of n^(1/6) will yield a factorisation.
In practice, the elliptic curve method is faster than the Pollard p − 1 method once the factors are at all large; running the p − 1 method up to B = 2^32 will find a quarter of all 64-bit factors and 1/27 of all 96-bit factors.

Two-stage variant

A variant of the basic algorithm is sometimes used; instead of requiring that p − 1 has all its factors less than B, we require it to have all but one of its factors less than some B1, and the remaining factor less than some. After completing the first stage, which is the same as the basic algorithm, instead of computing a new
for B2 and checking, we compute
where and check if produces a nontrivial factor of n. As before, exponentiations can be done modulo n.
Let be successive prime numbers in the interval and d_n = q_n − q_{n−1} the difference between consecutive prime numbers. Since typically, are even numbers. The distribution of prime numbers is such that the d_n will all be relatively small. It is suggested that. Hence, the values of,,, … can be stored in a table, and be computed from, saving the need for exponentiations.
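The following is an added example, not code from the original article: it implements the basic stage-1 algorithm described under "Base concepts" and "Algorithm and running time" (raise a to every prime power up to B and take gcd(a − 1, n)), plus the two-stage variant above, where a^{q_n} for the primes in (B1, B2] is obtained from a^{q_{n−1}} and a small table of a^{d_n} keyed by the prime gap d_n. The helper names, the base a = 2 and the sample moduli are the author's assumptions.

```python
import math

def primes_up_to(limit):
    """Simple sieve of Eratosthenes; returns all primes <= limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i in range(limit + 1) if sieve[i]]

def pollard_pm1(n, b1, b2=None, a=2):
    """Return a nontrivial factor of n found by Pollard p-1, or None.

    Stage 1: a <- a^(q^k) mod n for every prime power q^k <= b1, then
    g = gcd(a - 1, n).  g == n means every factor was b1-powersmooth
    (or a had small order); g == 1 means none was.
    Stage 2 (optional): for the primes q_1 < q_2 < ... in (b1, b2],
    accumulate prod(a^{q_i} - 1) mod n using a table of a^{d} for the
    even gaps d = q_i - q_{i-1}, so each step costs one multiplication.
    """
    for q in primes_up_to(b1):          # stage 1
        qk = q
        while qk * q <= b1:             # largest power of q not exceeding b1
            qk *= q
        a = pow(a, qk, n)
    g = math.gcd(a - 1, n)
    if 1 < g < n:
        return g
    if g == n or b2 is None:            # all factors smooth, or no stage 2 requested
        return None
    primes2 = [q for q in primes_up_to(b2) if q > b1]
    if not primes2:
        return None
    gap_table = {}                      # d -> a^d mod n, reused across equal gaps
    x = pow(a, primes2[0], n)           # a^{q_1}
    acc = (x - 1) % n
    for prev, q in zip(primes2, primes2[1:]):
        d = q - prev
        if d not in gap_table:
            gap_table[d] = pow(a, d, n)
        x = x * gap_table[d] % n        # a^{q_n} = a^{q_{n-1}} * a^{d_n}
        acc = acc * (x - 1) % n
    g = math.gcd(acc, n)
    return g if 1 < g < n else None

if __name__ == "__main__":
    print(pollard_pm1(299, 5))          # constructed sample: 299 = 13 * 23, 13 - 1 = 2^2 * 3
    print(pollard_pm1(37909, 10, 100))  # constructed sample: 167 * 227, 166 = 2 * 83 needs stage 2
```

With n = 299 and B = 5 the stage-1 exponent is 4·3·5 = 60, a multiple of 13 − 1 but not of 23 − 1, so the gcd isolates 13; raising B to 11 makes the exponent a multiple of both and the gcd collapses to n, the "multiple factors" failure described above.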

Implementations