Factoring Algorithms

Pollard’s p − 1 Method

This method discovers a prime factor p of an

integer n whenever p − 1 has only small prime
factors.

Input: n (to factor) and a limit B

Output: a proper factor of n or "fail"

a = 2
for (i = 2 to B) {
a = a^i mod n
if ( ( g = gcd(a - 1, n) ) > 1) {
print "g divides n"
stop
}
}
print "fail"

1
Note that at the end of the i-th iteration of
the loop we have a ≡ 2i! (mod n), so a ≡
2i! (mod p) if p divides n.

When i is large enough so that p − 1 divides i!,

say, i! = (p − 1)m for some m, we will have

a ≡ 2i! ≡ (2p−1)m ≡ 1m ≡ 1 (mod p),

by Fermat’s little theorem, so p divides a−1. If
p also divides n, then p divides g = gcd(a−1, n).

Occasionally, Pollard’s p−1 method has a spec-

tacular success, but it is unlikely to factor an
RSA public modulus n.

However, when generating a large prime p for

RSA one should factor p − 1 and be sure it
contains a large prime factor. (A prime factor
q of p − 1 is “large” if no adversary can do q
operations.)
2
 Quadratic Sieve Method

Recall this theorem:

Theorem. If n = pq is the product of two

distinct primes, and if x2 ≡ y 2 (mod n), but
x 6≡ ±y (mod n), then gcd(x + y, n) = p or q.

Proof: We are given that n divides

(x + y)(x − y) but not (x + y) or (x − y). Hence,
one of p, q must divide (x + y) and the other
must divide (x − y).

In fact, if n has more than two prime factors

and the congruence conditions of the theorem
hold, then gcd(x+y, n) and gcd(x−y, n) will be
proper factors of n even if they are not prime.
The conditions fail to lead to a proper factor
of n only in case n is a power of a prime.

3
The quadratic sieve algorithm tries to factor n
simply by finding x and y with x2 ≡ y 2 (mod n),
ignoring the conditions x 6≡ ±y (mod n). (It
just hopes for the best. Usually, it finds several
such pairs x, y. Each pair succeeds in factoring
n with probability at least 1/2.)

4
Definition. An integer k is a square if there
exists an integer x so that k = x2.

The quadratic sieve method tries to factor n

by finding two congruent squares modulo n.

How can one recognize a square?

Multiple choice question:

Which of these numbers is a square?

a. 21
b. 23
c. 25
d. 27
e. 29

5
Which of these numbers is a square?

a. 431641
b. 431643
c. 431645
d. 431647
e. 431649

This is harder.

6
Suppose I give you the prime factorizations of
the numbers.

Which of these numbers is a square?

a. 431641 = 72 · 23 · 383
b. 431643 = 3 · 143881
c. 431645 = 5 · 131 · 659
d. 431647 = 17 · 25391
e. 431649 = 34 · 732

Qk e
Theorem. If n = i=1 pi i is the prime
factorization of n into the product of powers
of distinct primes, then n is square if and only
if all exponents ei are even numbers.

7
The quadratic sieve factoring algorithm finds
congruences x2 ≡ y 2 (mod n) as follows.

Generate many “relations” j 2 ≡ m (mod n),

where m is small and therefore easy to factor.
Factor the numbers m and match their prime
factors to form a product of some ms in which
each prime occurs as a factor an even number
of times, so it is a square. Let y 2 be the prod-
uct of these ms. Let x be the product of the
js in the relations used to make y 2. Then x2
is the product of the j 2s, which is congruent
to the the product of the ms. This product is
y 2 by the choice of relations.

8
Example. Let us factor n = 1649. Note
√
that n ≈ 40.6, so the numbers 412 mod n,
422 mod n, . . ., will be fairly small compared
to n. We have

412 ≡ 1681 ≡ 32 = 25 (mod 1649),

422 ≡ 1764 ≡ 115 = 5 · 23 (mod 1649),

432 ≡ 1849 ≡ 200 = 23 · 52 (mod 1649).

Now 32·200 = 28 ·52 = 802 is a square. There-
fore,

(41 · 43)2 ≡ 802 (mod 1649).

Note that 41 · 43 = 1763 ≡ 114 (mod 1649)
and that 114 6≡ ±80 (mod 1649). We get the
factors of 1649 from gcd(114 − 80, 1649) = 17
and gcd(114 + 80, 1649) = 97, so
1649 = 17 · 97.

9
In a real application of the quadratic sieve there
may be millions of relations j 2 ≡ m (mod n)
with m factored. How can we efficiently match
the prime factors of the ms to make each prime
occur an even number of times?

Answer: Use linear algebra over the field F2

with 2 elements.

Let p1, p2, . . ., pb be all of the prime numbers

that occur as factors of any of the ms.

Qb e
If m = i=1 pi i , where each exponent ei ≥ 0,
associate m to the vector

v(m) = (e1 , e2 , . . . , eb).

Multiplying ms corresponds to adding their as-
sociated vectors. If S ⊆ {1, 2, . . . , r}, where r is
the total number of relations, then i∈S mi is
Q

a square if and only if i∈S v(mi) has all even

P

coordinates.
10
Reduce the exponent vectors v(m) modulo 2
and think of them as vectors in the b-dimensional
vector space Fb2 over F2 = {0, 1}.

Linear combinations of distinct vectors v(m)

correspond to subset sums. Finding a nonempty
subset of integers whose product is a square is
reduced to finding a linear dependency among
the vectors v(m).

We know from linear algebra that if we have

more vectors than the dimension b of the vec-
tor space (r > b), then there will be linear de-
pendencies among the vectors.

Also from linear algebra we have efficient al-

gorithms, such as matrix reduction, for finding
linear dependencies. Row reduction over F2
is especially efficient because adding (or sub-
tracting) two rows is the same as finding their
exclusive-or.
11
The analysis of the quadratic sieve algorithm
shows that its time complexity to factor n is
about
√
e (ln n)(ln ln n)
bit operations.

To understand what this means, consider

√ √
(ln n)(ln ln n)
e ≤ e (ln n)(ln n) = eln n = n
and
√ √
e (ln n)(ln ln n) ≥ e (ln ln n)(ln ln n) = eln ln n = ln n.

√
Thus,
√ e (ln n)(ln ln n) ≤ nε for any ε > 0 and
e (ln n)(ln ln n) ≥ (ln n)c for any constant c > 0.
That is, the time complexity is subexponential
but not polynomial time.

12
 Discrete Logarithms via Index Calculus

There is a faster way to solve ax ≡ b (mod p)

using a method similar to the integer factoring
algorithm QS. It is called the index calculus
method.

If ax ≡ b (mod p), then we write x = Loga(b).

Note that Loga(b) is an integer determined
modulo p − 1 because of Fermat’s theorem:
ap−1 ≡ 1 (mod p).

Loga(b) is called the discrete logarithm of b to

base a. (The modulus p is usually supressed.)

13
Choose a factor base of primes p1, . . . , pk , usu-
ally all primes ≤ B. Perform the following pre-
computation which depends on a and p but
not on b. For many random values of x, try to
factor ax mod p using the primes in the factor
base.

Save at least k + 20 of the factored residues:

k
e
a xj ≡ pi ij
Y
(mod p) for 1 ≤ j ≤ k + 20,
i=1
or equivalently
k
X
xj ≡ eij Logapi (mod p−1) for 1 ≤ j ≤ k+20.
i=1

14
Use linear algebra to solve for the Logapi.

When b is given, perform the following main

computation to find Logab. Try many random
values for s until one is found for which bas mod
p can be factored using only the primes in the
factor base.

Write it as
k
c
bas ≡
Y
pi i (mod p)
i=1
or
k
X
(Logab) + s ≡ ciLogapi (mod p − 1).
i=1
Substitute the values of Logapi found in the
precomputation to get Logab.

15
Using arguments like those for the running time
of the quadratic sieve factoring algorithms, one
can prove that the precomputation takes time
q 
exp 2 log p log log p ,

while the main computation takes time

q 
exp log p log log p .

16