|
|
@@ -1,20 +1,20 @@
|
|
|
\chapter{Pollard's $\rho$ factorization method \label{chap:pollardrho}}
|
|
|
|
|
|
-The \emph{Monte Carlo} factorization method, published by J. M. Pollard in
|
|
|
+A \emph{Monte Carlo} factorization method, published by J. M. Pollard in
|
|
|
~\cite{pollardMC}, consists into identifying a periodically recurrent sequence
|
|
|
of integers within a random walk $\pmod{N}$ that could leak one of the two
|
|
|
factors.
|
|
|
|
|
|
Consider a function $f$ from $\mathcal{S}$ to $\mathcal{S}$, where
|
|
|
-$\mathcal{S} = \{0, 1, \ldots, q-1\}$. Let $s$ be a random element in
|
|
|
-$\mathcal{S}$, and consider the sequence
|
|
|
+$\mathcal{S} = \{0, 1, \ldots, q-1\}$ and $q \in \naturalPrime$.
|
|
|
+Let $s$ be a random element in $\mathcal{S}$, and consider the sequence
|
|
|
\begin{align*}
|
|
|
s,\ f(s),\ f(f(s)),\ \ldots
|
|
|
\end{align*}
|
|
|
Since $f$ acts over a finite set, it is clear that this sequence must
|
|
|
eventually repeat, and become cyclic.
|
|
|
We might diagram it with the letter $\rho$, where the tail represent the
|
|
|
-cyclic part, or \emph{epacts}, and the oval the cyclic part, or
|
|
|
+aperiodic part, or \emph{epacts}, and the oval the cyclic part, or
|
|
|
\emph{period}.
|
|
|
\begin{center}
|
|
|
\begin{tikzpicture}[scale=0.7, thick]
|
|
|
@@ -45,8 +45,8 @@ cyclic part, or \emph{epacts}, and the oval the cyclic part, or
|
|
|
\end{center}
|
|
|
|
|
|
Now, consider $N=pq$.
|
|
|
-Let $F(x)$ be any function generating pseudorandom numbers $\angular{x_1, x_2, \ldots}$,
|
|
|
-and let $f(x) = F(x) \pmod{q}$.
|
|
|
+Let $F(x)$ be any function generating pseudorandom integers
|
|
|
+$\angular{x_1, x_2, \ldots}$, and let $f(x) = F(x) \pmod{q}$.
|
|
|
As we said above, without any luck, there will be a pair $\angular{x_i, x_j}$
|
|
|
generated by $F$ such that $x_i \equiv x_j \pmod{q}$, but $x_i \neq x_j$.
|
|
|
|
|
|
@@ -58,18 +58,21 @@ factor of $N$.
|
|
|
\paragraph{Choosing the function} Ideally, $F$ should be easily computable, but
|
|
|
at the same time random enough to reduce as much as possible the epacts
|
|
|
~\cite{Crandall} \S 5.2.1. Any quadratic function $F(x) = x^2 + b$ should be
|
|
|
-enough, provided that $b \in \naturalN \setminus \{0, 2\}$ \footnote{
|
|
|
+enough \footnote{
|
|
|
Note that this has been only empirically verified, and so far not been proved
|
|
|
- (~\cite{riesel}, p. 177)}.
|
|
|
+ (~\cite{riesel}, p. 177)}
|
|
|
+, provided that $b \in \naturalN \setminus \{0, 2\}$.
|
|
|
For example, ~\cite{pollardMC} uses $x^2 -1$, meanwhile we are going to choose
|
|
|
$F(x) = x^2 + 1$.
|
|
|
|
|
|
-\paragraph{Finding the period} In \cite{AOCPv2} \S 3.1, Knuth gives a simple and
|
|
|
-elegant algorithm, attributed to Floyd, for finding a multiple of the
|
|
|
-period. This algorithm is the same one finally adopted by Pollard in
|
|
|
+\paragraph{Finding the period} The trivial way to discover a period would be to
|
|
|
+test $x_i$ with all $x_j, \quad j < i$. Though, in \cite{AOCPv2} \S 3.1,
|
|
|
+Knuth gives a simple and elegant algorithm, attributed to Floyd, for finding a
|
|
|
+multiple of the period.
|
|
|
+This algorithm is the same one finally adopted by Pollard in
|
|
|
~\cite{pollardMC}.
|
|
|
|
|
|
-\begin{theorem*}
|
|
|
+\begin{theorem*}[Floyd]
|
|
|
Given an \emph{ultimately periodic} sequence, in the sense that there exists
|
|
|
numbers $\lambda$ and $\mu$ for which the values:
|
|
|
\begin{align*}
|
|
|
@@ -83,15 +86,15 @@ $\mu < n < \mu + \lambda$ such that $X_n = X_{2n}$.
|
|
|
\begin{proof}
|
|
|
First, if $X_n = X_{2n}$, then the sequence is obviously periodic from
|
|
|
$X_{2n}$ onward, possibly even earlier.
|
|
|
- Conversely, $X_n = X_m \quad (n \geq \mu)$ for
|
|
|
+ Conversely, it is true that $X_n = X_m \quad (n \geq \mu)$ for
|
|
|
$m = n + k\lambda, \quad k \in \naturalN$. Hence, there will eventually
|
|
|
be an $n$ such that $X_n = X_{2n}$ if and only if $n - \mu$ is a multiple of
|
|
|
$\lambda$.
|
|
|
The first such value happens for $n = (\lambda + 1)\floor{\rfrac{\mu}{\lambda}}$.
|
|
|
\end{proof}
|
|
|
|
|
|
-The immediate consequence of this is that we can find the period $q$ simply by
|
|
|
-checking $\gcd(x_{2i} - x_i, N)$ for incremental $i$-s.
|
|
|
+The immediate consequence of this is that we can find a collision simply by
|
|
|
+checking $\gcd(x_{2i} - x_i, N) > 1$ for incremental $i$.
|
|
|
|
|
|
\paragraph{Brent's Improvement} In 1979, Brent discovered an entire family of
|
|
|
cycle-finding algorithms whose optimal version resulted to be 36\% faster than
|
|
|
@@ -100,7 +103,7 @@ Instead of looking for the period of the sequence using $x_{2i} - x_i$, Brent
|
|
|
considers
|
|
|
$\abs{x_j - x_{2^k}}$ for $ 3 \cdot 2^{k-1} < j \leq 2^{k+1}$, resulting in
|
|
|
fewer operations required by the algorithm. Pragmatically, this boils down to
|
|
|
-confronting:
|
|
|
+compare:
|
|
|
|
|
|
\medskip
|
|
|
\begin{tabular}{l@{\hskip 40pt} l@{\hskip 50pt} l}
|
|
|
@@ -123,7 +126,7 @@ instead of Floyd's one runs around 25\% faster on average
|
|
|
~\cite{pollard-brent}.
|
|
|
|
|
|
\section{Complexity}
|
|
|
-\cite{riesel} presents a nice demonstration of the \emph{average} complexity of
|
|
|
+\cite{riesel} presents a nice proof of the \emph{average} complexity of
|
|
|
this algorithm, based on the birthday paradox.
|
|
|
\newtheorem*{birthday}{The Birthday Paradox}
|
|
|
\begin{birthday}
|
|
|
@@ -145,9 +148,9 @@ this algorithm, based on the birthday paradox.
|
|
|
This expression becomes $< \rfrac{1}{2}$ for $\epsilon \geq 23$.
|
|
|
\end{proof}
|
|
|
|
|
|
-We can obviously substitute the $365$ with any set cardinality $\zeta$
|
|
|
-to express the probability that a random function from $\integerZ_{|\epsilon}$
|
|
|
-to $\integerZ_{|\zeta}$ is injective. Back to our particular case,
|
|
|
+We can obviously substitute the $365$ with any set of cardinality $\zeta$
|
|
|
+to express the probability that a random function from $\integerZ_{\epsilon}$
|
|
|
+to $\integerZ_{\zeta}$ is injective. Back to our particular case,
|
|
|
we want to answer the question:
|
|
|
|
|
|
\emph{
|
|
|
@@ -190,7 +193,7 @@ and respectively updating them via $x \gets f(x)$ and $y \gets f(f(y))$.
|
|
|
|
|
|
\begin{remark}
|
|
|
It is intresting to see how in its basic version, Pollard's $\rho$
|
|
|
- method just needs 3 variables are to preserve the
|
|
|
+ method just needs 3 variables to preserve the
|
|
|
state. This places it among the most parsimonious factorization algorithms in
|
|
|
terms of memory footprint.
|
|
|
\end{remark}
|
Michele Orrù