In [3]:
from random import randint, choices
from math import sqrt
from collections import Counter
import functools
import operator

from math116 import gcd, PRIMES

In [2]:
def factor_trial_division(n):
    factorization = Counter()
    for p in range(2, int(sqrt(n))+1):
        while n % p == 0:
            n //= p
            factorization[p] += 1
        if n == 1:
            break
    else:
        factorization[n] += 1
    return factorization


<br>
<br>
<br>
<br>
<br>

<br>
<br>
<br>
<br>
<br>

<br>
<br>
<br>
<br>
<br>


# The Pollard $p - 1$ factoring algorithm

The following $n$ is a HUUUGE number, but I can tell you that it's a product of two distinct primes $p$ and $q$, and for one of those primes, say $p$, the prime factorization of $p - 1$ consists of only “small” primes. (Here, small means less than $10,000$.) 

In [1]:
n = 2239332907938581313469088389912512958057802576035761509229975467371182328060818083073676768485093593645763783667457921296975290033841289567043469817303445760096469064626421472161772553673773806747901501872070212354354113010628328892533044385969492185194049030101052775356312098127825589510344808829251642945946465745199152984753448779786102568580113217718729863705132547058109475329984859895531956721977
n

2239332907938581313469088389912512958057802576035761509229975467371182328060818083073676768485093593645763783667457921296975290033841289567043469817303445760096469064626421472161772553673773806747901501872070212354354113010628328892533044385969492185194049030101052775356312098127825589510344808829251642945946465745199152984753448779786102568580113217718729863705132547058109475329984859895531956721977

In [4]:
b = 2 # This is the base we'll use. If this doesn't work, try another! 
power = b # This variable will be b^(k!) (mod n) at step k. Initialize to b = b^1. 
for k in range(2, 20000): # k is our counter. We start at 2, because the next step is to compute b^2
    power = pow(power, k, n) # Again, power is our “running total”. Here power = power^k (mod n)
    if k % 200 == 0: # Every 200th step, print a status update
        print(f"At k = {k}:")
        if power == 1:
            print("The Pollard p - 1 algorithm has failed for this base.")
            print(f"You could try the exponent factoring algorithm with base b = {b} and exponent {k}!, or")
            print("just try this again with another base.")
            break
        factor = gcd(power - 1, n)
        if factor == 1:
            print("    Got nothing so far...")
        else:
            print(f"    Got a factor! {factor}")
            break


At k = 200:
    Got nothing so far...
At k = 400:
    Got nothing so far...
At k = 600:
    Got nothing so far...
At k = 800:
    Got nothing so far...
At k = 1000:
    Got nothing so far...
At k = 1200:
    Got nothing so far...
At k = 1400:
    Got nothing so far...
At k = 1600:
    Got nothing so far...
At k = 1800:
    Got nothing so far...
At k = 2000:
    Got nothing so far...
At k = 2200:
    Got nothing so far...
At k = 2400:
    Got nothing so far...
At k = 2600:
    Got nothing so far...
At k = 2800:
    Got nothing so far...
At k = 3000:
    Got nothing so far...
At k = 3200:
    Got nothing so far...
At k = 3400:
    Got nothing so far...
At k = 3600:
    Got nothing so far...
At k = 3800:
    Got nothing so far...
At k = 4000:
    Got nothing so far...
At k = 4200:
    Got nothing so far...
At k = 4400:
    Got nothing so far...
At k = 4600:
    Got nothing so far...
At k = 4800:
    Got nothing so far...
At k = 5000:
    Got nothing so far...
At k = 5200:
    Got nothing 

In [7]:
p = factor
q = n // factor
p

693665714147229674509184791321202377731984497171167861139055088250516471124728701516823108795490715849715041158690827168199567641473669634945238157023642773331939876536987847320603535561143812042944678794061867000000000001

In [8]:
q

3228259466004522349879394297533129714581703356135482193889653727790206469046813734744014605439297673295110276018728182288383668087864658837142064029109708327107728308836531956721977

In [9]:
n == p * q

True

In [10]:
factor_trial_division(p - 1)

Counter({3: 19,
         7: 15,
         11: 13,
         13: 13,
         2: 12,
         5: 12,
         4759: 3,
         199: 2,
         73: 1,
         83: 1,
         149: 1,
         359: 1,
         479: 1,
         599: 1,
         797: 1,
         859: 1,
         877: 1,
         907: 1,
         977: 1,
         1019: 1,
         1153: 1,
         1289: 1,
         1307: 1,
         1409: 1,
         1483: 1,
         1543: 1,
         1637: 1,
         1699: 1,
         1723: 1,
         1741: 1,
         1789: 1,
         1873: 1,
         2003: 1,
         2129: 1,
         2143: 1,
         2237: 1,
         2389: 1,
         2749: 1,
         2791: 1,
         2843: 1,
         2953: 1,
         3623: 1,
         3691: 1,
         3697: 1,
         3863: 1,
         4219: 1,
         4357: 1,
         4729: 1,
         4943: 1,
         5119: 1,
         5651: 1,
         6151: 1,
         6947: 1})

### Note: The reason that we had to go as high as $14400$ in the above algorithm... 

is because, although the largest prime that appears in the factorization of $p - 1$ is $6947$ (which would imply we only need to go up to about $7000$), the prime $4759$ appears to the 3rd power. And $4759 \cdot 3 = 14277$. So in fact 
$$ (p - 1) \nmid 7000! \qquad \text{but} \qquad (p - 1) \mid 14400! $$

<br>
<br>
<br>
<br>
<br>

<br>
<br>
<br>
<br>
<br>

<br>
<br>
<br>
<br>
<br>


# The Universal Exponent factoring algorithm

Recall that a ***universal exponent*** for $n$ is a positive integer $e$ such that, for all integers $b$ that are coprime to $n$, we have 
$$ b^e \equiv 1 \pmod{n} $$
From Euler's Theorem, the Euler phi function $\phi(n)$ is always a universal exponent for $n$. 

The universal exponent factoring algorithm shows that knowing a universal exponent for $n$ allows us to find a nontrivial factorization of $n$. In particular, for the RSA cryptosystem, this means that knowing the private exponent $d$ (along with the public exponent $e$, which we assume everyone knows) is equivalent to knowing the factorization of the public modulus $n$. 

<br>
<br>
<br>
<br>
<br>


## The following data were taken from an actual RSA public/private key pair

that I used on my personal website. This particular key pair was retired in late 2021, so I have no problem sharing the full details with you now. 

In [12]:
def parse_hex(hex):
    return int("".join([c for c in hex if c in "0123456789abcdefABCDEF"]), base=16)


In [13]:
public_modulus = """
    00:c4:60:46:0d:ac:1a:cc:19:d8:1c:82:b0:7f:bd:
    06:2a:a4:95:fd:ac:cf:de:fa:0b:b7:3d:0e:ea:0c:
    8d:cc:bf:cc:cf:27:64:17:ea:0e:9d:43:c6:35:c3:
    4f:b2:ea:a0:9d:11:26:35:72:b2:3e:7b:74:7f:af:
    ce:f3:49:be:33:03:64:9f:c4:0f:38:ad:fb:2b:cf:
    6c:9a:42:0a:87:8c:02:6a:b9:ae:91:75:71:8d:da:
    be:07:de:f0:47:d3:5f:3b:99:1c:ef:7d:af:c2:fe:
    4f:3d:11:47:5e:f1:b9:3d:a6:43:2b:c4:cc:7d:c6:
    3a:e9:f8:a9:2b:07:c9:db:d6:82:92:18:3b:51:06:
    10:03:12:c2:28:ce:04:2b:57:11:7d:ea:a0:98:ca:
    6d:6b:76:5d:95:f6:cd:4b:67:ab:b9:f6:37:28:3b:
    90:34:c9:49:1f:94:04:63:cf:c4:66:81:92:13:72:
    f8:74:9c:a4:41:0c:0c:39:5e:63:71:c4:d6:8e:4d:
    c7:47:41:6c:91:a2:b3:67:4e:18:f3:2e:10:4f:0d:
    c1:18:8c:5b:87:e6:bc:43:7a:d0:4d:31:fa:20:83:
    80:ee:d1:61:0b:02:c6:64:94:b1:4a:2c:55:c3:bc:
    6a:23:3a:32:6f:c8:d1:95:b6:65:16:5e:55:e6:ac:
    7d:e2:10:6e:f1:3f:36:16:67:90:66:58:a4:3f:a7:
    d9:32:7f:70:05:9d:47:9f:43:8c:71:23:d9:e0:43:
    b9:ef:91:10:ae:6f:65:67:9d:2d:65:28:94:3f:3e:
    7b:9f:4e:10:0a:fa:b4:c6:71:35:66:5d:1c:6c:0a:
    b9:70:50:ec:8d:dd:3f:67:b2:53:d4:70:25:27:76:
    70:39:b4:bb:9f:e0:2b:11:c6:22:d1:1c:61:cf:56:
    09:03:dd:93:8b:53:65:a8:69:21:a9:60:de:7d:0f:
    62:9b:2f:13:99:ae:50:15:73:93:55:ef:1e:7a:73:
    0e:e0:a4:33:60:f7:ba:89:b2:e2:30:06:aa:5d:40:
    a7:05:47:44:b9:e3:8a:1d:58:e1:d3:fe:7a:8d:d0:
    40:7c:09:33:13:3f:e2:93:f1:bb:c3:8a:54:ec:43:
    b8:91:81:42:2a:c2:c1:c3:ea:dd:36:3a:73:e2:5c:
    a8:ea:96:9f:15:71:90:ff:56:46:26:0a:9a:b9:f2:
    5b:c2:c3:0c:0a:3f:7d:59:70:b6:0f:54:1d:9e:5c:
    3e:a0:c9:a7:24:2d:1d:60:36:f5:6b:31:2a:74:aa:
    af:59:36:32:f0:3d:d4:f6:64:39:48:82:1e:6c:05:
    2a:c4:92:32:60:5f:72:0c:39:39:93:fd:0a:5a:dd:
    17:38:75
"""

private_exponent = """
    44:96:83:a1:3e:dd:55:30:29:a5:3b:98:3d:e5:5d:
    84:03:5c:47:ef:d5:e2:c1:5e:da:2f:3f:48:4b:fe:
    32:e7:42:b7:8f:c0:8c:01:b9:fc:ff:b0:f9:12:30:
    82:03:24:f9:f7:05:6b:61:96:13:f0:b6:ad:ea:4f:
    d3:f5:8b:b2:f1:9a:71:9a:de:de:23:16:39:25:07:
    7f:91:55:70:26:5c:a9:be:14:d4:c5:3a:56:1b:72:
    87:f9:3b:df:3a:5a:66:cc:81:a8:bc:33:69:5d:bd:
    7b:4c:cf:aa:bf:ae:bd:73:96:be:70:cc:23:99:da:
    f5:e1:5d:e4:a3:a1:c3:60:d6:d6:04:14:a3:a6:04:
    6d:ae:5d:96:36:ee:89:dc:ad:45:57:6f:a4:2d:ff:
    ad:aa:f7:e0:eb:04:a5:33:9e:6d:23:2b:fc:a7:61:
    24:ae:b1:15:90:73:40:11:4f:3d:a6:3f:c8:ff:3c:
    fc:2d:c1:c8:de:56:5e:ab:32:fc:87:8d:90:c2:65:
    b9:e3:85:f2:0f:eb:ad:47:3f:bb:9f:f9:1e:43:65:
    90:17:65:d8:bf:a4:3d:c5:65:7f:b0:d6:f6:08:38:
    3e:31:6f:3d:93:48:8b:d4:cb:5f:66:c0:c5:ce:c7:
    1b:6a:b6:37:08:e2:fa:f1:6b:b9:36:55:b6:6d:c4:
    c1:55:b9:b1:46:3e:0f:c3:f0:af:b9:9a:ec:7e:29:
    fe:c4:db:46:31:b7:d2:c6:ba:55:2e:5d:43:6e:7c:
    9e:f0:2a:a9:ba:35:85:76:5c:05:8e:5b:99:9a:89:
    fa:2d:df:ef:97:77:3e:e0:e8:93:ef:a1:c9:39:d3:
    f2:7e:8e:91:10:f7:5d:fe:6b:ba:1d:66:7e:ae:79:
    11:d3:22:23:7a:9b:22:50:61:79:b8:34:18:b3:bc:
    18:00:51:ce:56:85:90:52:67:ea:ee:b7:cd:2f:01:
    cd:63:55:90:0a:9b:e2:22:a2:20:fc:0d:0b:42:a9:
    8c:03:23:f3:18:61:89:95:91:5a:17:a0:76:96:7d:
    93:58:ab:ec:58:6c:55:13:1e:32:75:0c:9c:f2:07:
    35:21:e3:99:50:70:68:b4:23:a6:93:6b:64:a5:9b:
    5d:1f:36:14:5d:fb:81:1f:07:3e:21:2e:13:59:5c:
    4c:e4:89:c9:74:b7:40:08:ba:03:53:86:7f:04:d1:
    b0:00:98:4c:ce:4d:8b:6e:af:93:a1:9a:88:3a:c6:
    0e:d1:71:38:ab:f7:3c:5f:c1:db:25:c9:e5:61:18:
    3b:f4:9d:a5:14:2d:9e:2e:fd:0b:a1:c4:f5:a4:57:
    46:4b:38:16:b8:06:e7:cf:01:6f:9d:d5:50:44:39:
    d4:81
"""

n = parse_hex(public_modulus)
e = 65537
d = parse_hex(private_exponent)


In [14]:
n

8011444647120632842560098297229480596003348953169100303572922792018104754140423371051070143584062057752865508881212510944272050848565554325052661101551619276028465935116786083251411327857090392937002503532714578228021854547962664767699900371714052298359518785290623974758916075158995122866232894019766529801435072235177145815847399960109197806425248786313359812984711025331660187928009379250571305706342861384243081342986174009428099446214636625507872766274138417107915516856755452237604129191054826729338780014849667270368677441309889492972864705718350662537139122809754362890345028019080050024981950869764189131204720268647281465716975024817455383531131908246718236170477224326290834935571876201433910952015021755041341851683103552430081781377372010604488256611123104376281897511656670114848601782960870394532408344046332290193143398422818951929863217161221425012643040284669404483595195001478678055184135281809315485920837088373672590079304880922643226906830589804042274073545465593561643968901098

In [15]:
print(f"The public modulus n has {len(f'{n:b}')} bits (i.e. {len(f'{n}')} digits in base 10)")

The public modulus n has 4096 bits (i.e. 1233 digits in base 10)


In [16]:
d

2798144070869757324354191525757706499267843470681305307670235175691508885397169399932236684417034354669317965398034001793099886231039955116963782483398943577342441449178681255559833457354605781380410871810791410892158936945585934609955455994454043625882316630228762115785458427459136035558662601951759401058254860665932295767654103561147131205106641206016644126512047169840574052850636048202474589737372600166094330407875757557956714471578696497518580460198285371127762732210066562426091498194657139994729155660770387473011261220861244342800995973478997309389735790791694422487449802269813118468526738413551158722756047294799708749823612904259255909400109261357858193360858686832613852736881153642794054585247032794194742088704944108776371485911208246117148489947479450904091738203936329294327705622764203968758165933443270350479248896296605160000578279500770965911493766525731618520352313995948696189097030345787351104722018709466619152649194682845366458410086295332000523056198669244315392753389987

In [17]:
print(f"The private exponent d has {len(f'{d:b}')} bits (i.e. {len(f'{d}')} digits in base 10)")

The private exponent d has 4095 bits (i.e. 1233 digits in base 10)


<br>
<br>
<br>
<br>
<br>


## Remember, the way this algorithm works is just like the Miller–Rabin pseudoprime test. 

The only difference is that ***you know*** that at some point within those $k$ steps, you'll eventually get $1$. 

In [18]:
E = e*d - 1
k = 0
q = E
while q % 2 == 0:
    k += 1
    q //= 2
k

7

In [19]:
q

1432671624785869420048442578309240709707161387015943015224876583666362639236517898151242153020618597671586652330398081058706150343153637019534807911050910665846028009803306511293943791364443742924437400827061224184682970707834885910411333746160427008667573320275799865486184288753042174706313054250878561462147256277056288029099585820991402638977140193114943797806406526326888294544313552273793571778267094508479094780788699399029759346280101815295900059531367409121876454537899471107177800915494101436207536519843038154833898645559245081985538071202289427074024332196213104426249981963724549570873725432882049134478617746556941502634297803956553551049648130168827753267895279366789172397007657549123390276197928033071412595839499391069352016188772303326402817075687193546105158177120118851268397214055450277347686881094309444994988554035864159148108583622203334319855992006225570960690075018378825798006656857592700229298179220018076714118517749450287356131420512009166549058860095205192952303741559

In [20]:
b = 2
a0 = pow(b, q, n)
a0 == n - 1 or a0 == 1

False

In [21]:
a1 = a0 * a0 % n
a1 == n - 1 or a1 == 1

False

In [22]:
a2 = a1 * a1 % n
a2 == n - 1 or a2 == 1

False

In [23]:
a3 = a2 * a2 % n
a3 == n - 1 or a3 == 1

True

In [24]:
a3

1

<br>
<br>
<br>
<br>
<br>


## The above work shows that $a_2 \not\equiv \pm 1 \pmod{n}$, but $a_2^2 \equiv 1 \pmod{n}$. 

Therefore $\gcd(a_2 - 1, n)$ is a nontrivial factor of $n$ (and likewise, so is $\gcd(a_2 + 1, n)$. 

<br>
<br>
<br>
<br>
<br>


In [26]:
p = gcd(a2  - 1, n)
q = n // p
p

29818323363118330695657208561022182245408483689874434796596094120042892130329696574925452875844170278700157916592557849288993553306983332735019276548683877107558000132342839622132954183866007256038688928395706504544708607176597167210211702097500460860695779658854082274640012311071347388999500255587482516496743652970820521032845436104906293196806848467707112570953129753138163353680150199211172662711377407652647161782846555142976493976077389079800130716340098472288312063871771378734078424685985843500667486174721314540295541228026730128210496208915614541556435826064770335947389668407574601426085283153753900398693

In [27]:
q

26867522192846776650080719061080022528067786111034292383953953410682948229041557086185365552679463359375432811106517110289485710848501581887853629264540610754531940323952337164803050241108601002340106244819396873185817706968066173622773606676338008330358022522052801347747105344486706513633871648080504039034146650915357634253379092870724458552981982642862454966676932160047225764828077067125252847606408431848297293799704733633927781787358638118511170598148368061256714181622280242678869883641997664353194754414833989252811267807730559824095344434826647059054547171413714731339279357049203128293892033651208660555473

In [28]:
p * q == n

True

## Tada! We have factored the public modulus $n$. 

(But remember, this was only feasible because we know the private exponent $d$. Again, this shows that knowing both $e$ and $d$ is computationally equivalent to knowing the factorization of $n$.) 

In [29]:
print(f"The factor p has {len(f'{p:b}')} bits (i.e. {len(f'{p}')} digits in base 10)")
print(f"The factor q has {len(f'{q:b}')} bits (i.e. {len(f'{q}')} digits in base 10)")

The factor p has 2048 bits (i.e. 617 digits in base 10)
The factor q has 2048 bits (i.e. 617 digits in base 10)


<br>
<br>
<br>
<br>
<br>

<br>
<br>
<br>
<br>
<br>

<br>
<br>
<br>
<br>
<br>


### If anyone is interested... 

Here are the functions that I used to generate the prime numbers $p$ and $q$ that I used to demonstrate the Pollard $p - 1$ factoring algorithm. 

To use either of these, you'll have to supply your own `pseudoprime` function, which should run a (strong, or maybe weak) pseudoprime test on $n$ using base $b$. 

In [2]:
def randomprime(bits):
    n = randint(1 << (bits - 1), 2*n - 1) & 1
    while True:
        if all(pseudoprime(n, b) for b in (2, 3, 5, 7, 11)):
            return n
        n += 2


In [15]:
def random_pollard_prime(k):
    primes = choices(PRIMES, weights=reversed(PRIMES), k=k)
    n = functools.reduce(operator.mul, primes, 1)
    while True:
        p = n + 1
        if all(pseudoprime(p, b) for b in (2, 3, 5, 7)):
            return p
        n *= PRIMES[randint(0, 5)]


In [58]:
p = random_pollard_prime(50)
p

461929076519476808576197057201791813015898258251885353445919904020318759305233903264485235527647623103296308261352109970371743939883363563939249870381764755336947821875001

In [63]:
q = randomprime(600)
q

2568365529345367613463492522713715406520371258603657923903198778848326055286932934390768193875280711406221038494068007403873367309124836626989255748160308610258374716804796583445479

In [64]:
n = p * q
n

1186402717134962875008962818005971582607024788735572324207156490667441948792539599463043356696185884779201366459574003992991217679779698158662118542865347872359871367239265746643427541301107651826711253053437858376330724210339870574184017148753195331609010421555090484592249515188836719068299520745577365340843576328580655455186773011757636662636570479

In [65]:
factor_trial_division(p - 1)

Counter({3: 8,
         5: 8,
         2: 3,
         11: 3,
         7: 2,
         83: 2,
         887: 2,
         1481: 2,
         13: 1,
         89: 1,
         107: 1,
         139: 1,
         193: 1,
         277: 1,
         283: 1,
         331: 1,
         337: 1,
         467: 1,
         569: 1,
         571: 1,
         647: 1,
         659: 1,
         787: 1,
         857: 1,
         877: 1,
         983: 1,
         1061: 1,
         1301: 1,
         1321: 1,
         1453: 1,
         1669: 1,
         1811: 1,
         2017: 1,
         2143: 1,
         2341: 1,
         2887: 1,
         2903: 1,
         3221: 1,
         3329: 1,
         3527: 1,
         3559: 1,
         3779: 1,
         3851: 1,
         3989: 1,
         4201: 1,
         4517: 1,
         4591: 1,
         5419: 1,
         5639: 1,
         6229: 1,
         6361: 1,
         6829: 1,
         6959: 1})