Integer Factorization
Trial division, Pollard's $p-1$, Pollard's $\rho$, and Fermat's method

Christopher Koch
Department of Computer Science and Engineering, New Mexico Tech
CSE489/589 Algorithms in CS & IT
April 8, 2014

Outline

Intro to modular arithmetic (division algorithm and congruence; arithmetic with integers mod $n$; inverses mod $n$; multiplication and GCD)
Euler's theorem and Fermat's little theorem
Trial division
Pollard's $p-1$ method
Floyd's cycle-finding algorithm
Pollard's $\rho$ method (Monte Carlo factorization)

Convention: $a, b, c, d, m, n$ are integers; $p, q$ are primes.
Division Algorithm and Congruence

$a \mid b$ ($a$ divides $b$) if $b$ is a multiple of $a$. Quotient and remainder are unique in integer division.
Congruence modulo $n$: $a \equiv b \pmod{n}$ iff $n \mid (a - b)$.

Residue classes

Congruence modulo $n$ is an equivalence relation on the integers. There is one equivalence class for each remainder; they are called residue classes mod $n$: $[a]_n = \{x : x \equiv a \pmod{n}\}$.

$\mathbb{Z}/n\mathbb{Z}$

The set of residue classes mod $n$: $\mathbb{Z}/n\mathbb{Z} = \{[r]_n : r \in \mathbb{Z}\}$. How do we do arithmetic in $\mathbb{Z}/n\mathbb{Z}$? What is $[3]_4 + [1]_4$?

Integer arithmetic mod $n$

Definition. Let $n \in \mathbb{Z}^+$ and $a, b \in \mathbb{Z}$. Then
$[a]_n + [b]_n = [a + b]_n$ and $[a]_n \cdot [b]_n = [a \cdot b]_n$.
Similarly, $[a]_n - [b]_n = [a]_n + [-b]_n = [a - b]_n$.
GCD and totatives

$\gcd(a, b)$ is the greatest common divisor of $a$ and $b$. $a, b$ are called coprime or relatively prime if $\gcd(a, b) = 1$; $a$ is then called a totative of $b$ and vice versa.
Bézout's identity: if $\gcd(n, m) = d$, then there exist $k, l$ such that $nk + ml = d$.
$\phi(n)$ counts the number of totatives less than $n$: $\phi(n) = |\{c : 1 \le c < n \text{ and } \gcd(c, n) = 1\}|$. For coprime $n, m$ we have $\phi(nm) = \phi(n)\phi(m)$.

Inverses mod $n$

Notice: there is no division in $\mathbb{Z}/n\mathbb{Z}$! Division is usually defined as multiplication by the multiplicative inverse. The multiplicative inverse of $[a]_n$ is $[b]_n$ such that $[a]_n \cdot [b]_n = [1]_n$, i.e. $ab \equiv 1 \pmod{n}$.

Theorem. $[a]_n \in \mathbb{Z}/n\mathbb{Z}$ has a multiplicative inverse if and only if $\gcd(a, n) = 1$.
Drawing from the previous example: $\gcd(4, 2) = 2$, while $\gcd(4, 7) = 1$. That means every element except $0$ in $\mathbb{Z}/p\mathbb{Z}$ has an inverse, since a prime is coprime to every element below it.
Bézout's identity again: if $\gcd(m, n) = 1$, then $m[m^{-1}]_n + n[n^{-1}]_m \equiv 1 \pmod{nm}$.

Euler's and Fermat's Theorems

Theorem (Euler, Euler totient, Euler–Fermat). Let $a, n$ be coprime. Then $a^{\phi(n)} \equiv 1 \pmod{n}$.
Corollary (Fermat). Unless $a$ is a multiple of $p$, $a^{p-1} \equiv 1 \pmod{p}$.
Multiplication and GCD

Convention: we denote the cost of multiplication by $M(n)$ and the cost of the GCD by $G(n)$ for $n$-digit numbers.
Schoolbook multiplication: $M(n) \in O(n^2)$.
Schönhage–Strassen: $M(n) \in O(n \lg n \lg\lg n)$.
Euclidean GCD: $G(n) \in O(n^2)$.
Schönhage's GCD: $G(n) \in O(M(n) \lg n)$.
Modular exponentiation ($a^k \bmod b$): $O(M(c) \lg k)$, where $c = \max(\lg a, \lg b)$.

Integer Factorization

Theorem (Fundamental Theorem of Arithmetic). Let $n$ be an integer. Then there exist unique primes $p_1, p_2, \ldots, p_k$, not necessarily distinct, such that $n = p_1 p_2 \cdots p_k$.
In essence, every integer can be factored uniquely into primes. For example, $20 = 2 \cdot 2 \cdot 5$. The FTA guarantees the existence of that factorization, but how do you find it?
Convention: in the following slides, every big O is given in terms of input values instead of input length.
Trial division

  TrialDivision(n)
    D ← ()
    for all p in primes(√n) do
      while n mod p = 0 do
        append(D, p)
        n ← n / p
    if n > 1 then
      append(D, n)
    return D

How often does the for-loop execute? $\pi(\sqrt{n})$ times, where $\pi$ is the prime-counting function. How often does the while-loop execute? For a given $p$ at most $\log_p(n)$ times, and at most $\lg n$ times in total, since every iteration divides $n$ by some $p \ge 2$ (and $\log_p(n) \le \lg n$ because $\lg 2 \le \lg p$ for all primes $p$).

Trial division: Analysis

Theorem (Prime number theorem). $\lim_{x \to \infty} \frac{\pi(x)}{x / \ln x} = 1$. This implies $\pi(x) \in O\!\left(\frac{x}{\ln x}\right)$.
Then, for an integer $n$ to be factored, trial division is $O\!\left(\pi(\sqrt{n})\, \lg(n)\, M(\lg n)\right) = O\!\left(\sqrt{n}\, M(\lg n)\right)$.
Pollard's $p-1$ method

  PollardP-1(n, B)
    K ← ∏_{primes p ≤ B} p^{⌊log_p(n)⌋}
    m ← (2^K − 1) mod n          ▷ modular exponentiation
    g ← gcd(m, n)
    if g = 1 then
      either increase B and return PollardP-1(n, B)
      or return failure
    else
      return g                   ▷ g must be a divisor of n

Pollard's $p-1$: Why does it work?

Corollary (Fermat's little theorem). For $a < p$, $a^{p-1} \equiv 1 \pmod{p}$. That is, $p \mid (a^{p-1} - 1)$.
Assume $p$ is a prime divisor of $n$. That means $\gcd(a^{p-1} - 1, n) \ge p$. The preceding also works if the exponent is a multiple of $p - 1$, i.e. $a^K - 1$ where $K$ is a multiple of $p - 1$.
Goal: choose $K$ such that it is likely to be a multiple of $p - 1$ for some prime divisor $p$ of $n$.

Pollard's $p-1$: Analysis

The exponentiation and the modular exponentiation can be combined:

  K ← 2
  for all p in primes(B) do
    pc ← p
    while pc < n do
      K ← K^p (mod n)
      pc ← pc · p
  g ← gcd(K − 1, n)

This takes $\sum_p \log_p(n)$ multiplications and modular exponentiations. Each modular exponentiation is $O(\lg(p)\, M(\lg n))$; each multiplication is $M(\lg n)$. Then $\sum_p \log_p(n)\, \lg(p)\, M(\lg n) = \sum_p \lg(n)\, M(\lg n)$, so we have $O(G(\lg n) + \pi(B)\, \lg(n)\, M(\lg n))$. The complexity of one iteration of Pollard's $p-1$ is therefore $O(\pi(B)\, \lg(n)\, M(\lg n))$.
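An added Python implementation (not from the slides) of the TrialDivision pseudocode and of the $p-1$ method with the combined exponentiation loop above. `primes_upto` is a hypothetical sieve standing in for the slides' primes(·); trial_division also reports how many candidate primes it tested, which is the $\pi(\sqrt{n})$ term of the analysis, and the value $n = 1403 = 23 \cdot 61$ used below is constructed for illustration.

```python
from math import gcd, isqrt


def primes_upto(bound):
    """Sieve of Eratosthenes: all primes p <= bound (stand-in for the slides' primes(.))."""
    if bound < 2:
        return []
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for p in range(2, isqrt(bound) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(range(p * p, bound + 1, p)))
    return [p for p in range(bound + 1) if sieve[p]]


def trial_division(n):
    """TrialDivision(n) from the slide.  Returns (D, tried): D is the list of
    prime factors with multiplicity, tried is the number of candidate primes
    p <= sqrt(n) examined, i.e. pi(sqrt(n)) in the analysis."""
    D, tried = [], 0
    for p in primes_upto(isqrt(n)):
        tried += 1
        while n % p == 0:          # at most log_p(n) iterations for this p
            D.append(p)
            n //= p
    if n > 1:                      # leftover cofactor is a prime > sqrt(n)
        D.append(n)
    return D, tried


def pollard_p_minus_1(n, B):
    """Pollard's p-1 with the combined loop: K = 2 is raised to p^e for every
    prime p <= B, where p^e is the largest power of p below n.  Returns a
    nontrivial divisor of n, or None when g = 1 (B too small) or g = n.
    Constructed example: n = 1403 = 23 * 61; 60 = 2^2*3*5 is 5-smooth but
    22 = 2*11 is not, so B = 5 finds 61 while B = 3 finds nothing."""
    K = 2
    for p in primes_upto(B):
        pc = p
        while pc < n:
            K = pow(K, p, n)       # modular exponentiation, as on the slide
            pc *= p
    g = gcd(K - 1, n)
    return g if 1 < g < n else None
```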
Periodic sequences

Definition. A sequence $\{X_i\}_{i \ge 0}$ is called periodic if there exists an $a$ such that $X_{m+a} = X_m$ for all $m \ge 0$, and ultimately periodic if this holds for all $m \ge M$ (some starting value $M$).

Let $f : \mathbb{Z}/n\mathbb{Z} \to \mathbb{Z}/n\mathbb{Z}$. Consider a sequence $\{X_i\}_{i \ge 0}$ where $X_i \in \mathbb{Z}/n\mathbb{Z}$ and $X_{m+1} = f(X_m)$. The sequence is ultimately periodic.
Proof: Assume $X_0, X_1, \ldots, X_{m-1}$ are distinct for some $m$ and $X_m$ is not. $m \le n$ by the pigeonhole principle. Then $X_m = X_\mu$ for some $0 \le \mu \le m - 1$. Let $\lambda = m - \mu$ (the period). By induction, we need to show that $X_{\nu+\lambda} = X_\nu$ for all $\nu \ge \mu$.
Floyd's cycle-finding algorithm

Input: function $f$ and start value $x_0$

  FloydCycle(f, x_0)
    x ← f(x_0), y ← f(f(x_0))
    while x ≠ y do
      x ← f(x)
      y ← f(f(y))

Pollard's $\rho$ method

  PollardRho(f, n)
    x ← 2, y ← 2, g ← 1
    while g = 1 do
      x ← f(x)                   ▷ Pollard used f(x) = x² − 1 (mod n)
      y ← f(f(y))
      g ← gcd(|x − y|, n)
    if g = n then
      return failure
    else
      return g                   ▷ g must be a divisor of n

Pollard's $\rho$: Why does it work?

Let $p$ be prime. We want $p \mid (x - y)$ so that $\gcd(|x - y|, n) \ge p$. $p \mid (x - y)$ means $x \equiv y \pmod{p}$. When a cycle mod $p$ is found, we find a factor. When does that happen?
For the birthday paradox to work, we need to expect that $f$ is a uniform function: every remainder has an equal probability of being chosen. This is a conjecture, but empirical data approximately supports it.
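An added Python version (not the slides' code) of FloydCycle and PollardRho, using Pollard's $f(x) = x^2 - 1 \bmod n$ by default. Beyond the slide, floyd_cycle goes on to recover the pre-period $\mu$ and period $\lambda$ from the ultimately-periodic proof; the inputs $1403 = 23 \cdot 61$ and the tiny failure case $n = 4$ are constructed for illustration.

```python
from math import gcd


def floyd_cycle(f, x0):
    """Floyd's tortoise-and-hare on x0, f(x0), f(f(x0)), ...
    Returns (mu, lam): mu = index where the cycle starts, lam = period."""
    x, y = f(x0), f(f(x0))
    while x != y:                  # the slide's loop: x moves 1 step, y moves 2
        x, y = f(x), f(f(y))
    # The meeting point is a multiple of lam past the cycle start, so
    # walking the tortoise from x0 and the hare from the meeting point at
    # equal speed makes them meet exactly at index mu.
    mu, x = 0, x0
    while x != y:
        x, y, mu = f(x), f(y), mu + 1
    lam, y = 1, f(x)               # one lap around the cycle gives lam
    while x != y:
        y, lam = f(y), lam + 1
    return mu, lam


def pollard_rho(n, f=None):
    """PollardRho(f, n) from the slide with Floyd cycle detection.
    Returns a nontrivial divisor of n, or None on failure (g == n).
    Constructed example: n = 1403 = 23 * 61 yields 61 on the third step."""
    if f is None:
        f = lambda x: (x * x - 1) % n      # Pollard's original choice
    x, y, g = 2, 2, 1
    while g == 1:
        x = f(x)
        y = f(f(y))
        g = gcd(abs(x - y), n)
    return None if g == n else g
```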
Birthday paradox

How many people need to be in a room so that there is a probability of $m$ that two of them have the same birthday? How many random variables do we need to draw from $f$ such that two of them have the same remainder mod $p$ with probability $m$, i.e. $X_i \equiv X_j \pmod{p}$? Of course, $0 < m < 1$. Original birthday paradox: $m = 0.5$.

Assume every event is equally likely: $P(X_i \equiv r) = \frac{1}{p}$.
Assume the events are independent: $P(X_i \equiv r \text{ and } X_j \equiv r) = P(X_i \equiv r)\, P(X_j \equiv r) = \frac{1}{p^2}$.
Probability that, once $X_i$ is chosen, $X_j$ will have the same birthday: $P(X_i \equiv X_j) = \frac{1}{p}$.
Complement: probability that all remainders are different.

Let $A_i$ be the event that $X_i \not\equiv X_j$ for all $0 \le j < i$. Then the event that choosing $\lambda$ random variables yields distinct remainders is
$B_\lambda = \bigcap_{i=0}^{\lambda-1} A_i = B_{\lambda-1} \cap A_{\lambda-1}$.
By the definition of conditional probability, $P(B_\lambda) = P(B_{\lambda-1})\, P(A_{\lambda-1} \mid B_{\lambda-1})$. Then $P(A_i \mid B_i) = \frac{p - i}{p}$, since for $A_i$, $i$ remainders are already occupied and $p - i$ remainders are left.

Expanding, we have (since $P(B_1) = P(A_0) = 1$)
$P(B_\lambda) = \prod_{i=0}^{\lambda-1} P(A_i \mid B_i) = \prod_{i=0}^{\lambda-1} \frac{p - i}{p} = \prod_{i=0}^{\lambda-1} \left(1 - \frac{i}{p}\right) = \frac{p!}{(p - \lambda)!\, p^\lambda}.$
Using the approximation $1 - x \approx e^{-x}$ (Taylor series),
$P(B_\lambda) \approx \prod_{i=1}^{\lambda-1} e^{-i/p} = e^{-\sum_{i=1}^{\lambda-1} i/p} = e^{-(\lambda^2 - \lambda)/2p}.$
Now we want $P(B_\lambda) \le 1 - m$. Notice that this gets us the median for $m = 0.5$!

Thus $e^{-(\lambda^2 - \lambda)/2p} \le 1 - m$. Then $\lambda^2 - \lambda + 2p \ln(1 - m) \ge 0$, so
$\lambda \ge \frac{1}{2} + \frac{1}{2}\sqrt{1 - 8p \ln(1 - m)}.$
Then, in Pollard's $\rho$, we find a cycle mod $p$ with probability $\frac{1}{2}$ after approximately $\frac{1}{2}\sqrt{8 \ln(2)\, p} \approx 1.177\sqrt{p}$ iterations. In fact, we always find a cycle mod $p$ in $\Theta(\sqrt{p})$ steps.

A different analysis, due to Knuth: mean instead of median.
$E[\lambda] = \sum_{k=0}^{p} P(B_k) = 1 + \sum_{k=1}^{p} \frac{p!}{(p - k)!\, p^k}.$
Define the Ramanujan $Q$ function: $Q(n) = \sum_{k=1}^{n} \frac{n!}{(n - k)!\, n^k}$. Then $E[\lambda] = 1 + Q(p)$.
The $Q$ function can be approximated by $Q(p) \approx \sqrt{\frac{\pi p}{2}} \approx 1.2533\sqrt{p}$.
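An added Python check (not part of the slides) of the birthday analysis: the exact product $P(B_\lambda)$, the median $\lambda$ against the $\frac{1}{2} + \frac{1}{2}\sqrt{1 - 8p\ln(1-m)}$ bound, and Knuth's mean $1 + Q(p)$ against $1 + 1.2533\sqrt{p}$. The inputs $p = 365$ (the original birthday paradox) and the prime $p = 1009$ are constructed for the comparison.

```python
from math import log, sqrt, pi


def prob_all_distinct(lam, p):
    """P(B_lam): lam uniform draws from p residues are pairwise distinct,
    computed as the exact product of P(A_i | B_i) = (p - i) / p."""
    prob = 1.0
    for i in range(lam):
        prob *= (p - i) / p
    return prob


def median_draws(p, m=0.5):
    """Smallest lam with P(B_lam) <= 1 - m, i.e. a collision mod p with
    probability at least m.  For m = 0.5 this is the median."""
    lam = 1
    while prob_all_distinct(lam, p) > 1 - m:
        lam += 1
    return lam


def median_estimate(p, m=0.5):
    """The slide's closed form lam >= 1/2 + (1/2) sqrt(1 - 8 p ln(1 - m))."""
    return 0.5 + 0.5 * sqrt(1 - 8 * p * log(1 - m))


def expected_draws(p):
    """Knuth's mean E[lam] = 1 + Q(p) with Q(p) = sum_{k=1}^{p} p!/((p-k)! p^k),
    accumulated term by term (term_k = term_{k-1} * (p - k + 1) / p) so that
    no factorials are ever formed."""
    term, q = 1.0, 0.0
    for k in range(1, p + 1):
        term *= (p - k + 1) / p
        q += term
    return 1 + q


def expected_estimate(p):
    """Asymptotic form 1 + Q(p) ~ 1 + sqrt(pi p / 2) ~ 1 + 1.2533 sqrt(p)."""
    return 1 + sqrt(pi * p / 2)
```

For $p = 365$ the bound evaluates to 23.0 and the exact median is 23; the exact mean is about 24.62 against the estimate 24.94, so the asymptotic form is only accurate to its leading term.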
Fermat's method

$n$ must be odd.

  Fermat(n)
    a ← ⌈√n⌉
    b² ← a² − n
    while b² is not a square do
      a ← a + 1
      b² ← a² − n
    return a − b or a + b

Fermat's: Why does it work?

Every odd integer is the difference of two squares: $n = a^2 - b^2 = (a + b)(a - b)$. We hope that $1 < a + b < n$ (or equivalently the same for $a - b$). Rearrange: $b^2 = a^2 - n$. Try values for $a$ until $b^2$ is a square.
Worst case: $n$ is prime, $O(n)$ steps. Works best when a prime factor is close to the square root of $n$.
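Fermat's method in Python as an added example (not the slides' code), returning both factors and the number of values of $a$ tried, so the claim that it works best when a prime factor is close to $\sqrt{n}$ can be checked directly. The inputs $1403 = 23 \cdot 61$ and $1401 = 3 \cdot 467$ are constructed for that comparison.

```python
from math import isqrt


def is_square(k):
    """True iff k >= 0 is a perfect square (exact integer test, no floats)."""
    r = isqrt(k)
    return r * r == k


def fermat(n):
    """Fermat's difference-of-squares method for odd n > 1.
    Returns (a - b, a + b, steps): the factorisation n = (a - b)(a + b) found
    first, and how many values of a were tried.  a - b == 1 means n is prime.
    Constructed examples: 1403 = 23 * 61 (factors near sqrt(n), 5 steps) and
    1401 = 3 * 467 (unbalanced factors, 198 steps)."""
    if n < 2 or n % 2 == 0:
        raise ValueError("Fermat's method needs odd n > 1")
    a = isqrt(n)
    if a * a < n:                   # start at ceil(sqrt(n))
        a += 1
    steps = 1
    while not is_square(a * a - n): # b^2 = a^2 - n must be a perfect square
        a += 1
        steps += 1
    b = isqrt(a * a - n)
    return a - b, a + b, steps
```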
Fermat's: An Improvement

Is there a way to know when values of $a$ make $b^2$ a square?
Bézout's identity again: if $\gcd(m, n) = 1$, then $m[m^{-1}]_n + n[n^{-1}]_m \equiv 1 \pmod{nm}$.
Theorem (Chinese Remainder Theorem). Let $\gcd(n, m) = 1$. Then the following system has a solution, and every solution is congruent mod $nm$:
$x \equiv a \pmod{n}$, $x \equiv b \pmod{m}$.
Solutions are $x \equiv am[m^{-1}]_n + bn[n^{-1}]_m \pmod{nm}$.
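An added Python example (not from the slides) tying together Bézout's identity, the inverse theorem and the CRT formula: extended Euclid produces the Bézout coefficients, `inverse_mod` returns None exactly when $\gcd(a, n) \ne 1$ (the slides' $\gcd(4, 2) = 2$ versus $\gcd(4, 7) = 1$), and `crt` evaluates $x \equiv am[m^{-1}]_n + bn[n^{-1}]_m \pmod{nm}$. Function names are my own; the numeric inputs are constructed.

```python
def extended_gcd(a, b):
    """Extended Euclid: returns (d, k, l) with d = gcd(a, b) and a*k + b*l = d,
    i.e. the k, l of Bezout's identity."""
    old_r, r = a, b
    old_k, k = 1, 0
    old_l, l = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_k, k = k, old_k - q * k
        old_l, l = l, old_l - q * l
    return old_r, old_k, old_l


def inverse_mod(a, n):
    """[a]_n^{-1} as an integer in [0, n), or None when gcd(a, n) != 1
    (the theorem: no inverse exists then)."""
    d, k, _ = extended_gcd(a % n, n)
    return k % n if d == 1 else None


def crt(a, n, b, m):
    """Solve x = a (mod n), x = b (mod m) for coprime n, m using the slide's
    formula x = a*m*[m^-1]_n + b*n*[n^-1]_m (mod nm); returns x in [0, nm)."""
    inv_m, inv_n = inverse_mod(m, n), inverse_mod(n, m)
    if inv_m is None or inv_n is None:
        raise ValueError("moduli must be coprime")
    return (a * m * inv_m + b * n * inv_n) % (n * m)
```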