<a href="https://colab.research.google.com/github/Noam-Coh3n/ModCrypto/blob/main/Pollard.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

In [2]:
from math import sqrt, gcd

def trial_division(N):
  for p in range(2, int(sqrt(N))):
    if N % p == 0:
      break
  else:
    p = N

  return p

def Pollard_rho(N):
  
  x = y = 2
  p = 1

  while p == 1:
    x = pow(x,2,N) + 1 % N
    y = pow(pow(y,2,N) + 1, 2, N) + 1 % N
    p = gcd(x-y, N)
  
  return p


To test these functions, let's write a function that generates a random $N = pq$ where $p,q$ are random primes with $k$ (binary) digits.
Since the amount of digits of a number $m$ is approximately $\log_{2}(m)$, we get that the amount of digits of $N$ is approximately
$$
\log_{2}(N) = \log_{2}(pq) = \log_{2}(p) + \log_{2}(q) = 2k
$$

In [3]:
from sympy import randprime

def rand_composite(k):
  """Generate random N = pq where p,q are k-digit primes"""
  lo = 2**k
  hi = 2**(k+1)
  return randprime(lo, hi) * randprime(lo, hi)

Now, we use this to test our functions for varying sizes of $N$:

In [7]:
for k in range(10,35):
  N = rand_composite(k)
  print(k)
  %timeit -r 1 -n 1 trial_division(N)

10
176 µs ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
11
272 µs ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
12
447 µs ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
13
1.21 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
14
1.93 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
15
5.57 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
16
9.36 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
17
25.9 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
18
36.3 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
19
71 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
20
239 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
21
394 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
22
775 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
23
1.17 s ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
24
2.88 s ± 0 ns per loop (mean ± std. dev. of 1 run, 1 l

So, our trial division can factor numbers with about 19 digits in 0.1 seconds, about 25 digits in 10 seconds and about 31 digits in 10 minutes.

In [5]:
for k in list(range(20, 35)) + list(range(40, 61, 5)):
  N = rand_composite(k)
  print(k)
  %timeit -r 1 -n 1 Pollard_rho(N)

20
4.11 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
21
1.95 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
22
1.49 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
23
4.32 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
24
4.37 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
25
21.9 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
26
8.65 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
27
38.2 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
28
17.2 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
29
21.7 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
30
64.3 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
31
216 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
32
268 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
33
344 ms ± 0 ns per loop (mean ± std. dev. of 1 run, 1 loop each)
34
974 ms ± 0 ns per loop (mean ± std. dev. of 1 ru

KeyboardInterrupt: ignored

So, our Pollard Rho algorithm can factor numbers with about 30 digits in 0.1 seconds, about 50 digits in 10 seconds and about 55 digits in 10 minutes.

Now, let's see at what size of $N$ Pollard rho becomes faster than trial division:

In [164]:
for k in range(1,15):
  print(k)
  %timeit -n 1000 trial_division(rand_composite(k))
  %timeit -n 1000 Pollard_rho(rand_composite(k))

1
9.86 µs ± 632 ns per loop (mean ± std. dev. of 7 runs, 1000 loops each)
12.1 µs ± 346 ns per loop (mean ± std. dev. of 7 runs, 1000 loops each)
2
16.1 µs ± 1.25 µs per loop (mean ± std. dev. of 7 runs, 1000 loops each)
18.1 µs ± 522 ns per loop (mean ± std. dev. of 7 runs, 1000 loops each)
3
18 µs ± 1.53 µs per loop (mean ± std. dev. of 7 runs, 1000 loops each)
23.7 µs ± 1.48 µs per loop (mean ± std. dev. of 7 runs, 1000 loops each)
4
12.7 µs ± 1.8 µs per loop (mean ± std. dev. of 7 runs, 1000 loops each)
22.8 µs ± 2.42 µs per loop (mean ± std. dev. of 7 runs, 1000 loops each)
5
15.1 µs ± 1.62 µs per loop (mean ± std. dev. of 7 runs, 1000 loops each)
27.1 µs ± 530 ns per loop (mean ± std. dev. of 7 runs, 1000 loops each)
6
18.2 µs ± 1.89 µs per loop (mean ± std. dev. of 7 runs, 1000 loops each)
28.4 µs ± 682 ns per loop (mean ± std. dev. of 7 runs, 1000 loops each)
7
26.6 µs ± 4.44 µs per loop (mean ± std. dev. of 7 runs, 1000 loops each)
41.9 µs ± 3.44 µs per loop (mean ± std. dev. 

We can see that it becomes faster when $N$ is roughly 10 bits long.

Now, we treat the results from a) as data points to fit a function of the form $f(x) = ax^b2^{cx}$ for certain constants $a,b,c$ where $x$ is the amount of digits of $N$.

In [196]:
from scipy.optimize import curve_fit
import numpy as np

def func(digits, a, b, c):
  # Put a in exponent for efficiency
  return digits**b * 2**(a + c*digits)

trial_div_data = np.array([19, 25, 31]), np.array([.1, 10, 600])
pollard_data = np.array([30, 50, 55]), np.array([.1, 10, 600])

trial_div_params, _ = curve_fit(func, *trial_div_data, maxfev=100000)
pollard_params, _ = curve_fit(func, *pollard_data, bounds=([-200, 0, 0], [0, 100, 1]), maxfev=100000)



Let's run a quick sanity check on these fittings:

In [197]:
print(*[np.around(func(d, *trial_div_params), 10) for d in trial_div_data[0]])
print(*[np.around(func(d, *pollard_params), 10) for d in pollard_data[0]])

0.1 10.0 600.0
2.32e-08 10.0000000025 600.0000000859


That looks good. So, by this extrapolation, for $N$'s of 1024 bits, we get an approximate runtime (in seconds) of: 

In [198]:
for m in (trial_div_params, pollard_params):
  print(func(1024, *m))

1.0249530731564563e+177
7.166167192154138e+164


In [202]:
np.around(trial_div_params, 1)

array([-50.1,   8.6,   0.5])

Looking at the parameters for the fitted curve of the runtime for trial division, we see that we get a function in roughly $\mathcal O(b^9 2^{\frac12 b}) = \mathcal O(\sqrt{N}\operatorname{polylog}(N))$ where $b$ is the amount of bits in $N$.
This lines up with the theoretical runtime of trial division.

In [203]:
np.around(pollard_params, 1)

array([-171.1,   27. ,    0.4])

The complexity of Pollard Rho is theoretically $\mathcal O(\sqrt[4]{N} \operatorname{polylog}(N)) = \mathcal{O}(b^\ell 2^{\frac14 b})$ for some constant $\ell$.
As we see in the fitted parameters, we have something similar by extrapolation, although the factor in the exponent is a bit too high ($\tfrac25$ instead of $\tfrac14$).
That's not all too surprising though, with how small our dataset was.