
Andreas Kirkeskov Carlsen, 20002273

Aarhus Universitet December 14, 2005


Datalogisk Institut
IT-parken
Aabogade
8200 Aarhus N

Cryptology Fall 2005

Prime factorization
implementation in a functional language

Contents

1 Introduction 1
2 Fermat's factorization algorithm 2
2.1 Algorithm 2
2.2 Analysis 2
2.2.1 Correctness: 2
2.2.2 Termination: 3
2.2.3 Execution time: 3
3 Pollard's rho factoring algorithm 3
3.1 Algorithm 3
3.2 Analysis 3
3.2.1 Correctness: 4
3.2.2 Termination: 4
4 The elliptic curve factoring algorithm 4
4.1 Algorithm 4
5 Summary 5

1 Introduction

Implementing some selected factorization algorithms, it is my wish to get a
better understanding of the application of the different algorithms, e.g. by
getting answers to questions like: how does execution speed relate to the bit-size
of the number, the bit-size of the biggest factor, the bit-size of the smallest
factor, the distance from the square root of the number to the smallest factor
bigger than the square root (if any), and the distance from the square root of
the number to the biggest factor smaller than the square root? The
implementations are basic implementations of the algorithms, i.e. there is a lot
of room for optimizations. This is especially the case with the elliptic curve
factorization algorithm. In the following sections, I will first present the
different algorithms and try to analyse their application area. An
implementation of the quadratic sieve algorithm was also planned, but
unfortunately I ran into problems implementing the sieving process.

All files for this project can be found at akc/courses/crypt/project on the
DAIMI file system.

2 Fermat's factorization algorithm

Fermat's factoring algorithm uses the observation that $n = r^2 - s^2 \Leftrightarrow n = (r+s)(r-s)$,
and was created by Pierre de Fermat in the 17th century. In the following, the
algorithm will be presented and analysed. The implementation is in the file
fermat.scm.

2.1 Algorithm

1. Assume n is an odd number (if not, factor out 2 until n is odd).

2. Define $r_1 = \lceil\sqrt{n}\rceil$, $\forall i > 1 : r_i = r_{i-1} + 1$.

3. Iteratively find $m_i = r_i^2 - n$. If $m_i$ is a square $s^2$, then $r_i - s$ and $r_i + s$
are factors of n. If $r_i \geq \frac{n+1}{2}$ then stop and report n as a prime.

4. Factor $r_i - s$ and $r_i + s$.
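The four steps above in Python, as an added example that is not the report's fermat.scm. fermat_step also returns the number of iterations, which makes the dependence on the gap between the square root and the smallest factor above it (section 2.2.3) visible on the report's own test numbers.

```python
from math import isqrt

def fermat_step(n):
    """Steps 2 and 3 for odd n > 1: returns (d, iterations).

    d is the factor r - s found when r^2 - n is a square; d == n means r reached
    (n+1)/2 without a hit, so n is reported prime.
    """
    r = isqrt(n)
    if r * r < n:            # r_1 = ceil(sqrt(n))
        r += 1
    iterations = 0
    while 2 * r < n + 1:     # r < (n+1)/2, the range the correctness proof covers
        iterations += 1
        m = r * r - n        # m_i = r_i^2 - n
        s = isqrt(m)
        if s * s == m:       # m_i is a square, so n = (r - s)(r + s)
            return r - s, iterations
        r += 1
    return n, iterations

def fermat_factor(n):
    """Step 1 (strip factors of 2) and step 4 (recurse on r - s and r + s)."""
    factors = []
    while n % 2 == 0:
        factors.append(2)
        n //= 2
    if n == 1:
        return factors
    d, _ = fermat_step(n)
    if d in (1, n):
        return factors + [n]
    return factors + fermat_factor(d) + fermat_factor(n // d)
```

On 2003 × 2011 the first r already hits, while 71 × 10007 needs thousands of iterations because r must climb from 843 to (71 + 10007)/2.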

2.2 Analysis

Having presented the algorithm, can we be sure it is correct and that it will
terminate?

2.2.1 Correctness:

If n has factors p and q, are we sure to find these?


If $n = pq$, then $n = \frac{1}{4}(p+q)^2 - \frac{1}{4}(p-q)^2$, since

$$\frac{1}{4}(p+q)^2 - \frac{1}{4}(p-q)^2 = \frac{1}{4}\left((p+q)^2 - (p-q)^2\right) = \frac{1}{4}(2pq + 2pq) = pq$$

So for $r = \frac{1}{2}(p+q)$ and $s = \frac{1}{2}(p-q)$, we have $n = r^2 - s^2$. If we can show that
$\lceil\sqrt{n}\rceil \leq r < \frac{n+1}{2}$, then we are done, since this is the range we iterate over. The
definition of r yields that $r \geq s$. If we assume that $r < \sqrt{n}$, then we get

$$n < \sqrt{n}^2 - s^2 = n - s^2 \Rightarrow s^2 < 0$$


which is a contradiction. Now assume that $r \geq \frac{n+1}{2}$. Then

$$n \geq \left(\frac{n+1}{2}\right)^2 - s^2 \Leftrightarrow s^2 \geq \left(\frac{n-1}{2}\right)^2$$

This gives the factor

$$r + s \geq \frac{n+1}{2} + \frac{n-1}{2} = n$$

which can only be satisfied by the trivial factoring $1 \cdot n$, meaning that $r < \frac{n+1}{2}$
or n is a prime.

2.2.2 Termination:

Will we always terminate?


Termination is trivially guaranteed, since we iterate over a limited range,
always increasing our iterator.

2.2.3 Execution time:

It is expected that this algorithm performs best on numbers for which the
difference between the square root of the number and the smallest factor
bigger than the square root is as small as possible. Doing factorizations on the
numbers 19 × 23 × 31, 107 × 173 × 211 × 367, 2003 × 2011, 6113 × 6121,
71 × 10007, 11113 × 11117, 111119 × 111121, 11311 × 11317 × 11321, 787 × 9795683,
7879 × 979568803, 78791 × 97956893, and 787939 × 9795683 gives us the
correspondence shown in Figure 1. As expected, it shows that when the bit-length
of the difference between the square root of the number and the smallest factor
bigger than the square root increases, the running time increases faster than
exponentially.

3 Pollard's rho factoring algorithm

Pollard's rho factoring algorithm looks for numbers sharing a residue class modulo
a proper divisor of n, but lying in different residue classes modulo n. Such numbers
are called collisions. The algorithm presented is actually a variant of Pollard's
rho algorithm called Floyd's cycle-finding algorithm. The implementation is in
the file pollard-rho.scm.

3.1 Algorithm

1. Choose a random (non-linear polynomial) function $f : [0; n[ \to [0; n[$.

2. Define $a_0 = 2$, $b_0 = 2$, $a_i = f(a_{i-1})$, $b_i = f(f(b_{i-1}))$.

3. Iteratively find $d_i = \gcd(a_i - b_i, n)$. If $1 < d_i < n$, then $d_i$ is a factor of n.
If $d_i = n$ then either go to step 1 or stop and report n as maybe prime.

4. Factor $d$ and $\frac{n}{d}$.
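Floyd's two-speed iteration of step 2 and the gcd test of step 3 in Python, as an added example that is not the report's pollard-rho.scm. Using $f(x) = x^2 + c \bmod n$ as the non-linear polynomial and restarting with a new c when $d_i = n$ are my choices for step 1; the retry limit is also an assumption.

```python
from math import gcd

def pollard_rho(n, c=1, max_restarts=10):
    """Steps 1-3 with Floyd's cycle finding; returns d with 1 < d < n, or n.

    f(x) = x^2 + c mod n plays the role of the random non-linear polynomial.
    a_i = f(a_{i-1}) moves one step per round, b_i = f(f(b_{i-1})) two steps,
    both starting at 2. d == n means a_i caught up with b_i on every restart,
    which the report records as "maybe prime".
    """
    if n % 2 == 0:
        return 2
    for _ in range(max_restarts):
        f = lambda x: (x * x + c) % n
        a = b = 2
        while True:
            a = f(a)
            b = f(f(b))
            d = gcd(a - b, n)          # math.gcd accepts a negative argument
            if 1 < d < n:
                return d               # collision modulo a proper divisor of n
            if d == n:                 # a_i == b_i: the cycle closed without a hit
                break
        c += 1                         # step 1 again with a different polynomial
    return n

def rho_factor(n):
    """Step 4: recurse on d and n/d until only 'maybe prime' pieces remain."""
    if n == 1:
        return []
    d = pollard_rho(n)
    if d == n:
        return [n]
    return rho_factor(d) + rho_factor(n // d)
```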

3.2 Analysis

Is Pollard's rho algorithm correct and does it terminate?


Figure 1: Correspondence between the execution time and the difference between
the square root of the number and the smallest factor bigger than the square root

3.2.1 Correctness:

Since the range of f is finite, both the $a_i$ and the $b_i$ values must cycle. It should
be clear that $b_i$ completes cycles twice as fast as $a_i$, i.e. when $a_i$ has cycled, $b_i$
has cycled as well. That is, if we go through a cycle with $a_i$, then $a_i = b_i$, and
so we get $\gcd(a_i - b_i, n) = n$. If, on the other hand, we find a $d_i \in ]1; n[$, then
it is trivially a factor of n.

3.2.2 Termination:

Termination follows trivially from the guaranteed cycling and termination once
cycling has occurred.

4 The elliptic curve factoring algorithm

The elliptic curve factoring algorithm was found in 1987 by Lenstra. It works by
iteratively applying a group operation to a series of points starting at a random
point on a (non-degenerate) elliptic curve (operating modulo the number n we
are factoring). This will eventually lead to finding a generator for the subgroup
of points we iterate over, and the order of this subgroup can be used to determine
a factor of n. The implementation is in the file elliptic-curve.scm.

4.1 Algorithm

1. Choose a non-degenerate elliptic curve and a point, $P_1$, on the curve.

2. Iteratively calculate $P_i = P_{i-1}^{\,i}$, i.e. $P_i = P_1^{i!}$.


3. If the calculation of $P_i$ fails at some point, then we try to determine a
factor, d. If we fail to determine the factor we either go to step 1 (choosing
new values) or stop and report n as maybe prime.

4. Factor d and $\frac{n}{d}$.
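The four steps in Python, as an added example that is not the report's elliptic-curve.scm. The report's multiplicative $P_i = P_{i-1}^{\,i}$ is written as scalar multiplication $P_i = i \cdot P_{i-1}$ on a curve $y^2 = x^3 + ax + b$ modulo n, and step 3's "calculation fails" is the moment a denominator cannot be inverted modulo n; the bound B, the number of curve tries and the fixed seed are my assumptions.

```python
from math import gcd
import random

class Factor(Exception):
    """Raised when gcd(denominator, n) > 1 while inverting mod n (step 3)."""

def inv(x, n):
    g = gcd(x % n, n)
    if g != 1:
        raise Factor(g)   # g == n means P_i became the point at infinity
    return pow(x, -1, n)

def add(P, Q, a, n):
    """Group law on y^2 = x^3 + a*x + b over Z/nZ; None is the point at infinity."""
    if P is None or Q is None:
        return P if Q is None else Q
    (x1, y1), (x2, y2) = P, Q
    if P == Q:
        if y1 == 0:
            return None
        lam = (3 * x1 * x1 + a) * inv(2 * y1, n) % n   # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1, n) % n          # chord slope
    x3 = (lam * lam - x1 - x2) % n
    return (x3, (lam * (x1 - x3) - y1) % n)

def mul(k, P, a, n):
    R = None                                           # k*P by double-and-add
    while k:
        if k & 1:
            R = add(R, P, a, n)
        P, k = add(P, P, a, n), k >> 1
    return R

def lenstra(n, B=200, tries=50, seed=7):
    """Steps 1-3: a proper factor of n, or n itself ('maybe prime')."""
    rng = random.Random(seed)                      # fixed seed: reproducible runs
    for _ in range(tries):
        a, x, y = (rng.randrange(n) for _ in range(3))
        b = (y * y - x ** 3 - a * x) % n           # P_1 = (x, y) lies on the curve
        if gcd(4 * a ** 3 + 27 * b * b, n) != 1:   # degenerate curve: choose again
            continue
        P = (x, y)
        try:
            for i in range(2, B + 1):              # P_i = i * P_{i-1}, i.e. (i!) * P_1
                P = mul(i, P, a, n)
        except Factor as e:
            if 1 < e.args[0] < n:
                return e.args[0]
    return n
```

A factor appears when some denominator is divisible by one prime factor of n but not another, so the gcd in inv is exactly the d of step 3.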

5 Summary

Optimizing factorization algorithms is complex. However, algorithms like the
elliptic curve factorization algorithm are only fast when such optimizations
are done. On the other hand, conceptually easy algorithms, like the quadratic
sieve, can be very difficult to implement, while complex algorithms, like the
elliptic curve, can be feasible to implement. The selection of language also made
implementation difficult, because of the shift of paradigm (from imperative to
functional), as most optimizations described in sources are made in the
imperative paradigm.

