Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Pollard's p − 1 algorithm
open-in-new
<h2 id="base-concepts">Base concepts</h2> <p>Let <i>n</i> be a composite integer with prime factor <i>p</i>. By <a href="/facts/Fermat%27s_little_theorem/qIjSIm2s">Fermat's little theorem</a>, we know that for all integers <i>a</i> coprime to <i>p</i> and for all positive integers <i>K</i>: </p> a K ( p − 1 ) ≡ 1 ( mod p ) {\displaystyle a^{K(p-1)}\equiv 1{\pmod {p}}} <p>If a number <i>x</i> is congruent to 1 <a href="/facts/Modular_arithmetic/0wtRa5dU">modulo</a> a factor of <i>n</i>, then the <a href="/facts/Greatest_common_divisor/kNFvBuKl">gcd</a>(<i>x</i> − 1, <i>n</i>) will be divisible by that factor. </p><p>The idea is to make the exponent a large multiple of <i>p</i> − 1 by making it a number with very many prime factors; generally, we take the product of all prime powers less than some limit <i>B</i>. Start with a random <i>x</i>, and repeatedly replace it by x w mod n {\displaystyle x^{w}{\bmod {n}}} as <i>w</i> runs through those prime powers. Check at each stage, or once at the end if you prefer, whether gcd(<i>x</i> − 1, <i>n</i>) is not equal to 1. </p> <h2 id="multiple-factors">Multiple factors</h2> <p>It is possible that for all the prime factors <i>p</i> of <i>n</i>, <i>p</i> − 1 is divisible by small primes, at which point the Pollard <i>p</i> − 1 algorithm simply returns <i>n</i>. </p> <h2 id="algorithm-and-running-time">Algorithm and running time</h2> <p>The basic algorithm can be written as follows: </p> Inputs: <i>n</i>: a composite number Output: a nontrivial factor of <i>n</i> or failure <ol><li>select a smoothness bound <i>B</i></li> <li>define M = ∏ primes q ≤ B q ⌊ log q B ⌋ {\displaystyle M=\prod _{{\text{primes}}~q\leq B}q^{\lfloor \log _{q}{B}\rfloor }} (note: explicitly evaluating <i>M</i> may not be necessary)</li> <li>randomly pick a positive integer, <i>a</i>, which is coprime to <i>n</i> (note: we can actually fix <i>a</i>, e.g. if <i>n</i> is odd, then we can always select <i>a</i> = 2, random selection here is not imperative)</li> <li>compute <i>g</i> = gcd(<i>a</i><i>M</i> − 1, <i>n</i>) (note: exponentiation can be done modulo <i>n</i>)</li> <li>if 1 < <i>g</i> < <i>n</i> then return <i>g</i></li> <li>if <i>g</i> = 1 then select a larger <i>B</i> and go to step 2 or return failure</li> <li>if <i>g</i> = <i>n</i> then select a smaller <i>B</i> and go to step 2 or return failure</li></ol> <p>If <i>g</i> = 1 in step 6, this indicates there are no prime factors <i>p</i> for which <i>p-1</i> is <i>B</i>-powersmooth. If <i>g</i> = <i>n</i> in step 7, this usually indicates that all factors were <i>B</i>-powersmooth, but in rare cases it could indicate that <i>a</i> had a small order modulo <i>n</i>. Additionally, when the maximum prime factors of <i>p-1</i> for each prime factors <i>p</i> of <i>n</i> are all the same in some rare cases, this algorithm will fail. </p><p>The running time of this algorithm is O(<i>B</i> × log <i>B</i> × log2 <i>n</i>); larger values of <i>B</i> make it run slower, but are more likely to produce a factor. </p> <h3>Example</h3> <p>If we want to factor the number <i>n</i> = 299. </p> <ol><li>We select <i>B</i> = 5.</li> <li>Thus <i>M</i> = 22 × 31 × 51.</li> <li>We select <i>a</i> = 2.</li> <li><i>g</i> = gcd(<i>a</i><i>M</i> − 1, <i>n</i>) = 13.</li> <li>Since 1 < 13 < 299, thus return 13.</li> <li>299 / 13 = 23 is prime, thus it is fully factored: 299 = 13 × 23.</li></ol> <h2 id="methods-of-choosing-b">Methods of choosing <i>B</i></h2> <p>Since the algorithm is incremental, it is able to keep running with the bound constantly increasing. </p><p>Assume that <i>p</i> − 1, where <i>p</i> is the smallest prime factor of <i>n</i>, can be modelled as a random number of size less than √<i>n</i>. By <a href="/facts/Dickman_function/PE99PvRS">the Dickman function</a>, the probability that the largest factor of such a number is less than (<i>p</i> − 1)<i>1/ε</i> is roughly <i>ε</i>−<i>ε</i>; so there is a probability of about 3−3 = 1/27 that a <i>B</i> value of <i>n</i>1/6 will yield a factorisation. </p><p>In practice, the <a href="/facts/Lenstra_elliptic-curve_factorization/PwdIdtQW">elliptic curve method</a> is faster than the Pollard <i>p</i> − 1 method once the factors are at all large; running the <i>p</i> − 1 method up to <i>B</i> = 232 will find a quarter of all 64-bit factors and 1/27 of all 96-bit factors. </p> <h2 id="two-stage-variant">Two-stage variant</h2> <p>A variant of the basic algorithm is sometimes used; instead of requiring that <i>p</i> − 1 has all its factors less than <i>B</i>, we require it to have all but one of its factors less than some <i>B</i>1, and the remaining factor less than some <i>B</i>2 ≫ <i>B</i>1. After completing the first stage, which is the same as the basic algorithm, instead of computing a new </p> M ′ = ∏ primes q ≤ B 2 q ⌊ log q B 2 ⌋ {\displaystyle M'=\prod _{{\text{primes }}q\leq B_{2}}q^{\lfloor \log _{q}B_{2}\rfloor }} <p>for <i>B</i>2 and checking gcd(<i>a</i><i>M'</i> − 1, <i>n</i>), we compute </p> Q = ∏ primes q ∈ ( B 1 , B 2 ] ( H q − 1 ) {\displaystyle Q=\prod _{{\text{primes }}q\in (B_{1},B_{2}]}(H^{q}-1)} <p>where <i>H</i> = <i>a</i><i>M</i> and check if gcd(<i>Q</i>, <i>n</i>) produces a nontrivial factor of <i>n</i>. As before, exponentiations can be done modulo <i>n</i>. </p><p>Let {<i>q</i>1, <i>q</i>2, …} be successive prime numbers in the interval (<i>B</i>1, <i>B</i>2] and <i>d</i><i>n</i> = <i>q</i><i>n</i> − <i>q</i><i>n</i>−1 the difference between consecutive prime numbers. Since typically <i>B</i>1 > 2, <i>d</i><i>n</i> are even numbers. The distribution of prime numbers is such that the <i>d</i><i>n</i> will all be relatively small. It is suggested that <i>d</i><i>n</i> ≤ <a href="/facts/Natural_logarithm/PnreKEzI">ln</a>2 <i>B</i>2. Hence, the values of <i>H</i>2, <i>H</i>4, <i>H</i>6, … (mod <i>n</i>) can be stored in a table, and <i>H</i><i>q</i><i>n</i> be computed from <i>H</i><i>q</i><i>n</i>−1⋅<i>H</i><i>d</i><i>n</i>, saving the need for exponentiations. </p> <h2 id="implementations">Implementations</h2> <ul><li>The <a href="https://gitlab.inria.fr/zimmerma/ecm">GMP-ECM</a> package includes an efficient implementation of the <i>p</i> − 1 method.</li> <li><a href="/facts/Prime95/gyjjG3l3">Prime95</a> and <a href="/facts/MPrime/gyjjG3l3">MPrime</a>, the official clients of the <a href="/facts/Great_Internet_Mersenne_Prime_Search/vuF5SW9X">Great Internet Mersenne Prime Search</a>, use a modified version of the p - 1 algorithm to eliminate potential candidates.</li></ul> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Williams%27s_p_%2B_1_algorithm/qPlGLfS7">Williams's <i>p</i> + 1 algorithm</a></li></ul> <ul><li>Pollard, J. M. (1974). "Theorems of factorization and primality testing". <i>Proceedings of the Cambridge Philosophical Society</i>. 76 (3): 521–528. <a href="/facts/Bibcode_(identifier)/9HtdQSGB">Bibcode</a>:<a href="https://ui.adsabs.harvard.edu/abs/1974PCPS...76..521P">1974PCPS...76..521P</a>. <a href="/facts/Doi_(identifier)/muM9Etpq">doi</a>:<a href="https://doi.org/10.1017%2FS0305004100049252">10.1017/S0305004100049252</a>. <a href="/facts/S2CID_(identifier)/ldJsHa2Y">S2CID</a> <a href="https://api.semanticscholar.org/CorpusID:122817056">122817056</a>.</li> <li>Montgomery, P. L.; Silverman, R. D. (1990). <a href="https://doi.org/10.1090%2FS0025-5718-1990-1011444-3">"An FFT extension to the <i>P</i> − 1 factoring algorithm"</a>. <i>Mathematics of Computation</i>. 54 (190): 839–854. <a href="/facts/Bibcode_(identifier)/9HtdQSGB">Bibcode</a>:<a href="https://ui.adsabs.harvard.edu/abs/1990MaCom..54..839M">1990MaCom..54..839M</a>. <a href="/facts/Doi_(identifier)/muM9Etpq">doi</a>:<a href="https://doi.org/10.1090%2FS0025-5718-1990-1011444-3">10.1090/S0025-5718-1990-1011444-3</a>.</li> <li><a href="/facts/Samuel_S._Wagstaff,_Jr./23qeUItG">Samuel S. Wagstaff, Jr.</a> (2013). <a href="https://www.ams.org/bookpages/stml-68"><i>The Joy of Factoring</i></a>. Providence, RI: American Mathematical Society. pp. 138–141. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-4704-1048-3.</li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>What are strong primes and are they necessary for the RSA system?, RSA Laboratories (2007) <a href="https://web.archive.org/web/20070315100305/http://www.rsa.com/rsalabs/node.asp?id=2217" target="_blank">https://web.archive.org/web/20070315100305/http://www.rsa.com/rsalabs/node.asp?id=2217</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> </ol>