In [1]:
## Exercise 4.5:
# Let n = 2^32 + 1 be an RSA modulus. We will use f(x)=x^2+1 mod n and the initialisation y = 7 
# to factor n with Pollard's rho method.

**Pollard's rho method:**

The idea of Pollard's rho method is to find $x$ and $x'$ such that

$$
\begin{align}
    x\equiv x' \mod p,
\end{align}
$$

and

$$
\begin{align}
    x\neq x' \mod n.
\end{align}
$$

If we can find such $x$ and $x'$, then

$$
\begin{align}
    \gcd(x-x',n)=p,
\end{align}
$$

since $p$ divides both $x-x'$ and $n$, but $q$ does not divide $x-x'$.

We use a function $f$ which maps from a set $G$ to $G$ itself. If $G$ is a finite set, then at some point the $f$-values will enter a cycle. Using $f$, we create a cyclic sequence of $f$-values modulo $n$, but also modulo $p$ and $q$, since $p$ and $q$ divides $n$. The idea is that a cycle for each of the primes, $p$ and $q$, will most likely not appear at the same time, so we stop when we have reached the first cycle.

In [2]:
from math import gcd

In [3]:
n = 2**32 + 1
y = 7

def f(x,n):
    return (x**2 + 1) % n

In [4]:
def Pollards_rho_method(n,y):
    z = f(y,n)
    d = gcd(y-z,n)
    
    while (d == 1):
        y = f(y,n)
        z = f(z,n)
        z = f(z,n)
        d = gcd(y-z,n)

    if (1<d<n):
        e = n//d
        assert(d*e == n)
        return "The two factors are {0} and {1}".format(d,e)
    else:
        return 'Failure'

In [5]:
Pollards_rho_method(n,y)

'The two factors are 641 and 6700417'

In [6]:
## Exercise 4.6:
# Let n = 978559 and s = 5,10,20,40,80,... We will use Pollard's (p-1)-method to factor n:

**Pollard's (p-1)-method:**

The idea of Pollard's (p-1)-method is to find $\alpha$ and $t$ such that

$$
\begin{align}
    \alpha^t\equiv 1 \mod p,
\end{align}
$$

but also

$$
\begin{align}
    \alpha^t\neq 1 \mod q.
\end{align}
$$

If we can find such $\alpha$ and $t$, then $n$ can easily be factored, since

$$
\begin{align}
    \gcd(\alpha^t-1 \mod n,n)=p.
\end{align}
$$

Consider the factorisation of $p-1$:

$$
\begin{align}
    p-1=p_1^{e_1}\cdot p_2^{e_2}\cdots p_r^{e_r},
\end{align}
$$

and assume that $s>p_j^{e_j}$, for $1\leq j\leq r$. Note that we use $s$ in order to handle the fact that we do not know $p$. Define:

$$
\begin{align}
    t=s!=s\cdot(s-1)\cdot(s-2)\cdots2\cdot1.
\end{align}
$$

It follows that $p_i^{e_i}$ divides $t$ for all $i$, $1\leq i\leq r$. Hence, $p-1$ divides $t$ which means that $t=(p-1)k$, for some integer $k$. For this value of $t$, it holds that

$$
\begin{align}
    \alpha^t\equiv 1 \mod p.
\end{align}
$$

The method is efficient, if either $p$ or $q$ has small prime factors. Otherwise, the method is inefficient.

In [7]:
def Pollards_pminus1_method(n,s):
    a = 2

    for i in s:
        for j in range(2,i):
            a = pow(a,j,n) # after this loop, a = 2^s! mod n

        d = gcd(a-1,n)
        if (d == 1):
            print("Failure, s is too small")
        elif (d == n):
            print("Failure, s is too large")
        elif (1 < d < n):
            e = n//d
            assert (d*e == n)
            return "The two factors of n are {0} and {1}".format(d,e)

In [8]:
n = 978559
s = [5,10,20,40,80]

Pollards_pminus1_method(n,s)

Failure, s is too small
Failure, s is too small


'The two factors of n are 1361 and 719'