Pollard's rho algorithm
Template:Short description Template:About
Pollard's rho algorithm is an algorithm for integer factorization. It was invented by John Pollard in 1975.<ref>Template:Cite journal</ref> It uses only a small amount of space, and its expected running time is proportional to the square root of the smallest prime factor of the composite number being factorized.
Core ideasEdit
The algorithm is used to factorize a number <math>n = pq</math>, where <math>p</math> is a non-trivial factor. A polynomial modulo <math>n</math>, called <math>g(x)</math> (e.g., <math>g(x) = (x^2 + 1) \bmod n</math>), is used to generate a pseudorandom sequence. It is important to note that <math>g(x)</math> must be a polynomial. A starting value, say 2, is chosen, and the sequence continues as <math>x_1 = g(2)</math>, <math>x_2 = g(g(2))</math>, <math>x_3 = g(g(g(2)))</math>, etc. The sequence is related to another sequence <math>\{x_k \bmod p\}</math>. Since <math>p</math> is not known beforehand, this sequence cannot be explicitly computed in the algorithm. Yet in it lies the core idea of the algorithm.
Because the number of possible values for these sequences is finite, both the <math>\{x_k\}</math> sequence, which is mod <math>n</math>, and <math>\{x_k \bmod p\}</math> sequence will eventually repeat, even though these values are unknown. If the sequences were to behave like random numbers, the birthday paradox implies that the number of <math>x_k</math> before a repetition occurs would be expected to be <math>O(\sqrt N)</math>, where <math>N</math> is the number of possible values. So the sequence <math>\{x_k \bmod p\}</math> will likely repeat much earlier than the sequence <math>\{x_k\}</math>. When one has found a <math>k_1,k_2</math> such that <math>x_{k_1}\neq x_{k_2}</math> but <math>x_{k_1}\equiv x_{k_2}\bmod p</math>, the number <math>|x_{k_1}-x_{k_2}|</math> is a multiple of <math>p</math>, so a non-trivial divisor has been found.<ref name=":0" />
Once a sequence has a repeated value, the sequence will cycle, because each value depends only on the one before it. This structure of eventual cycling gives rise to the name "rho algorithm", owing to similarity to the shape of the Greek letter ρ when the values <math>x_1 \bmod p</math>, <math>x_2 \bmod p</math>, etc. are represented as nodes in a directed graph.
This is detected by Floyd's cycle-finding algorithm: two nodes <math>i</math> and <math>j</math> (i.e., <math>x_i</math> and <math>x_j</math>) are kept. In each step, one moves to the next node in the sequence and the other moves forward by two nodes. After that, it is checked whether <math>\gcd(x_i - x_j, n) \ne 1</math>. If it is not 1, then this implies that there is a repetition in the <math>\{x_k \bmod p\}</math> sequence (i.e. <math>x_i \bmod p = x_j \bmod p)</math>. This works because if the <math>x_i \bmod p</math> is the same as <math>x_j \bmod p</math>, the difference between <math>x_i</math> and <math>x_j</math> is necessarily a multiple of <math>p</math>. Although this always happens eventually, the resulting greatest common divisor (GCD) is a divisor of <math>n</math> other than 1. This may be <math>n</math> itself, since the two sequences might repeat at the same time. In this (uncommon) case the algorithm fails, it can be repeated with a different parameter.
AlgorithmEdit
The algorithm takes as its inputs Template:Mvar, the integer to be factored; and Template:Tmath, a polynomial in Template:Mvar computed modulo Template:Mvar. In the original algorithm, <math>g(x) = (x^2 - 1) \bmod n</math>, but nowadays it is more common to use <math>g(x) = (x^2 + 1) \bmod n</math>. The output is either a non-trivial factor of Template:Mvar, or failure.
It performs the following steps:<ref name=":0">Template:Cite book (this section discusses only Pollard's rho algorithm).</ref>
Pseudocode for Pollard's rho algorithm
x ← 2 // starting value
y ← x
d ← 1
while d = 1:
x ← g(x)
y ← g(g(y))
d ← gcd(|x - y|, n)
if d = n:
return failure
else:
return d
Here Template:Mvar and Template:Mvar corresponds to Template:Tmath and Template:Tmath in the previous section. Note that this algorithm may fail to find a nontrivial factor even when Template:Mvar is composite. In that case, the method can be tried again, using a starting value of x other than 2 (<math>0 \leq x < n</math>) or a different Template:Tmath, <math>g(x) = (x^2 + b) \bmod n</math>, with <math>1 \leq b < n-2</math>.
Example factorizationEdit
Let <math>n = 8051</math> and <math>g(x) = (x^2 + 1) \bmod 8051</math>.
| Template:Mvar | Template:Mvar | Template:Mvar | Template:Math |
|---|---|---|---|
| 1 | 5 | 26 | 1 |
| 2 | 26 | 7474 | 1 |
| 3 | 677 | 871 | 97 |
| 4 | 7474 | 1481 | 1 |
Now 97 is a non-trivial factor of 8051. Starting values other than Template:Math may give the cofactor (83) instead of 97. One extra iteration is shown above to make it clear that Template:Mvar moves twice as fast as Template:Mvar. Note that even after a repetition, the GCD can return to 1.
VariantsEdit
In 1980, Richard Brent published a faster variant of the rho algorithm. He used the same core ideas as Pollard but a different method of cycle detection, replacing Floyd's cycle-finding algorithm with the related Brent's cycle finding method.<ref>Template:Cite journal</ref> CLRS gives a heuristic analysis and failure conditions (the trivial divisor <math>n</math> is found).<ref name=":0" />
A further improvement was made by Pollard and Brent. They observed that if <math>\gcd(a,n) > 1</math>, then also <math>\gcd(ab,n) > 1</math> for any positive integer Template:Tmath. In particular, instead of computing <math>\gcd (|x-y|,n)</math> at every step, it suffices to define Template:Tmath as the product of 100 consecutive <math>|x-y|</math> terms modulo Template:Tmath, and then compute a single <math>\gcd(z,n)</math>. A major speed up results as 100 Template:Math steps are replaced with 99 multiplications modulo Template:Tmath and a single Template:Math. Occasionally it may cause the algorithm to fail by introducing a repeated factor, for instance when Template:Tmath is a square. But it then suffices to go back to the previous Template:Math term, where <math>\gcd(z,n)=1</math>, and use the regular ρ algorithm from there.<ref group="note">Exercise 31.9-4 in CLRS</ref>
ApplicationEdit
The algorithm is very fast for numbers with small factors, but slower in cases where all factors are large. The ρ algorithm's most remarkable success was the 1980 factorization of the Fermat number Template:Math = 1238926361552897 × 93461639715357977769163558199606896584051237541638188580280321.<ref name="FotEFN">Template:Cite journal</ref> The ρ algorithm was a good choice for Template:Math because the prime factor Template:Mvar = 1238926361552897 is much smaller than the other factor. The factorization took 2 hours on a UNIVAC 1100/42.<ref name="FotEFN" />
Example: factoring Template:Mvar = 10403 = 101 · 103Edit
The following table shows numbers produced by the algorithm, starting with <math>x=2</math> and using the polynomial <math>g(x) = (x^2 + 1) \bmod 10403</math>. The third and fourth columns of the table contain additional information not known by the algorithm. They are included to show how the algorithm works.
| Template:Tmath | Template:Tmath | Template:Tmath | Template:Tmath | step |
|---|---|---|---|---|
| 2 | 2 | 2 | 2 | 0 |
| 5 | 2 | 5 | 2 | 1 |
| 26 | 2 | 26 | 2 | 2 |
| 677 | 26 | 71 | 26 | 3 |
| 598 | 26 | 93 | 26 | 4 |
| 3903 | 26 | 65 | 26 | 5 |
| 3418 | 26 | 85 | 26 | 6 |
| 156 | 3418 | 55 | 85 | 7 |
| 3531 | 3418 | Template:Rh| 97 | 85 | 8 |
| 5168 | 3418 | 17 | 85 | 9 |
| 3724 | 3418 | 88 | 85 | 10 |
| 978 | 3418 | 69 | 85 | 11 |
| 9812 | 3418 | 15 | 85 | 12 |
| 5983 | 3418 | 24 | 85 | 13 |
| 9970 | 3418 | 72 | 85 | 14 |
| 236 | 9970 | 34 | 72 | 15 |
| 3682 | 9970 | 46 | 72 | 16 |
| 2016 | 9970 | Template:Rh| 97 | 72 | 17 |
| 7087 | 9970 | 17 | 72 | 18 |
| 10289 | 9970 | 88 | 72 | 19 |
| 2594 | 9970 | 69 | 72 | 20 |
| 8499 | 9970 | 15 | 72 | 21 |
| 4973 | 9970 | 24 | 72 | 22 |
| 2799 | 9970 | Template:Rh| 72 | 72 | 23 |
The first repetition modulo 101 is 97 which occurs in step 17. The repetition is not detected until step 23, when <math>x \equiv y \pmod{101}</math>. This causes <math>\gcd (x - y, n) = \gcd (2799 - 9970, n)</math> to be <math>p = 101</math>, and a factor is found.
ComplexityEdit
If the pseudorandom number <math>x = g(x)</math> occurring in the Pollard ρ algorithm were an actual random number, it would follow that success would be achieved half the time, by the birthday paradox in <math>O(\sqrt p)\le O(n^{1/4})</math> iterations. It is believed that the same analysis applies as well to the actual rho algorithm, but this is a heuristic claim, and rigorous analysis of the algorithm remains open.<ref>Template:Cite book.</ref>
See alsoEdit
NotesEdit
ReferencesEdit
Further readingEdit
- Template:Cite conference Describes the improvements available from different iteration functions and cycle-finding algorithms.
- Template:Cite book
- Template:Cite book
External linksEdit
- Comprehensive article on Pollard's Rho algorithm aimed at an introductory-level audience
- {{#invoke:Template wrapper|{{#if:|list|wrap}}|_template=cite web
|_exclude=urlname, _debug, id |url = https://mathworld.wolfram.com/{{#if:PollardRhoFactorizationMethod%7CPollardRhoFactorizationMethod.html}} |title = Pollard rho Factorization Method |author = Weisstein, Eric W. |website = MathWorld |access-date = |ref = Template:SfnRef }}