Main Page: Difference between revisions

From formulasearchengine
Revision 1 (text of the ''Addition chain'' article):

In [[mathematics]], an '''addition chain''' for computing a positive integer ''n'' can be given by a [[sequence]] of [[natural number]]s ''v'' and a sequence of index pairs ''w'' such that each term in ''v'' is the sum of two previous terms, the indices of those terms being specified by ''w'':

: ''v'' =(''v''<sub>0</sub>,...,''v''<sub>''s''</sub>), with ''v''<sub>0</sub> = 1 and ''v''<sub>''s''</sub> = ''n''
:for each 0 < ''i'' ≤ ''s'' holds: ''v''<sub>''i''</sub> = ''v''<sub>''j''</sub> + ''v''<sub>''k''</sub>, with ''w''<sub>''i''</sub>=(''j,k'') and 0 ≤ ''j,k'' ≤ ''i''&nbsp;−&nbsp;1

Often only ''v'' is given since it is easy to extract ''w'' from ''v'', but sometimes ''w'' is not uniquely reconstructible. An introduction is given by Knuth.<ref>D. E. Knuth, ''The Art of Computer Programming'', Vol 2, "Seminumerical Algorithms", Section 4.6.3, 3rd edition, 1997</ref>

==Examples==
As an example: ''v'' = (1,2,3,6,12,24,30,31) is an addition chain for 31 of length 7, since
:2 = 1 + 1
:3 = 2 + 1
:6 = 3 + 3
:12 = 6 + 6
:24 = 12 + 12
:30 = 24 + 6
:31 = 30 + 1

Addition chains can be used for [[addition-chain exponentiation]]: so for example we only need 7 [[multiplication]]s to calculate 5<sup>31</sup>:
:5<sup>2</sup> = 5<sup>1</sup> × 5<sup>1</sup>
:5<sup>3</sup> = 5<sup>2</sup> × 5<sup>1</sup>
:5<sup>6</sup> = 5<sup>3</sup> × 5<sup>3</sup>
:5<sup>12</sup> = 5<sup>6</sup> × 5<sup>6</sup>
:5<sup>24</sup> = 5<sup>12</sup> × 5<sup>12</sup>
:5<sup>30</sup> = 5<sup>24</sup> × 5<sup>6</sup>
:5<sup>31</sup> = 5<sup>30</sup> × 5<sup>1</sup>

==Methods for computing addition chains==
Calculating an addition chain of minimal length is not easy; a generalized version of the problem, in which one must find a chain that simultaneously forms each of a sequence of values, is NP-complete.<ref>{{Cite journal|first1=Peter|last1=Downey|first2=Benton|last2=Leong|first3=Ravi|last3=Sethi|title=Computing sequences with addition chains|journal=SIAM Journal on Computing|volume=10|issue=3|year=1981|pages=638–646|doi=10.1137/0210047}}. A number of other papers state that finding a single addition chain is NP-complete, citing this paper, but it does not claim or prove such a result.</ref> There is no known algorithm which can calculate a minimal addition chain for a given number with any guarantees of reasonable timing or small memory usage. However, several techniques to calculate relatively short chains exist.
One very well known technique to calculate relatively short addition chains is the ''binary method'', similar to [[exponentiation by squaring]]. Other well-known methods are the ''factor method'' and ''window method''.{{Citation needed|date=December 2009}}

==Chain length==
Let <math>l(n)</math> denote the smallest ''s'' so that there exists an addition chain of length ''s'' which computes ''n''.
It is known that<ref>A. Schönhage, A lower bound on the length of addition chains, Theoret. Comput. Sci. 1 (1975), 1–12.</ref>
:<math>\log(n)+ \log(\nu(n))-2.13\leq l(n) \leq \log(n) + \log(n)(1+o(1))/\log(\log(n))</math>,
where <math>\nu(n)</math> is the [[Hamming weight]] of the binary expansion of ''n''.

It is clear that ''l''(2''n'') ≤ ''l''(''n'')+1.  Strict inequality is possible, as ''l''(382) = ''l''(191) = 11, observed by Knuth.<ref name=G169/>

==Brauer chain==
A '''Brauer chain''' or '''star addition chain''' is an addition chain in which one of the summands is always the immediately preceding term of the chain: that is,

:for each ''k''>0: ''a''<sub>''k''</sub> = ''a''<sub>''k-1''</sub> + ''a''<sub>''j''</sub> for some ''j'' < ''k''.

A '''Brauer number''' is one for which the Brauer chain is minimal.<ref name=G169/>

Brauer proved that
:''l''*(2<sup>''n''</sup>&minus;1) &le; ''n'' &minus; 1 + ''l''*(''n'')
where ''l''* is the length of the shortest star chain.  For many values of ''n'', and in particular for ''n''&nbsp;≤&nbsp;2500, they are equal: ''l''(''n'')&nbsp;=&nbsp;''l''*(''n''). But Hansen showed that there are some values of ''n'' for which ''l''(''n'')&nbsp;≠&nbsp;''l''*(''n''), such as ''n''&nbsp;=&nbsp;2<sup>6106</sup>&nbsp;+&nbsp;2<sup>3048</sup>&nbsp;+&nbsp;2<sup>2032</sup>&nbsp;+&nbsp;2<sup>2016</sup>&nbsp;+&nbsp;1 which has ''l''*(''n'')&nbsp;=&nbsp;6110, ''l''(''n'')&nbsp;≤&nbsp;6109.

==Scholz conjecture==
{{main|Scholz conjecture}}
The [[Scholz conjecture]] (sometimes called the ''Scholz–Brauer'' or ''Brauer–Scholz conjecture''), named after [[A. Scholz]] and Alfred T. Brauer, is a [[conjecture]] from 1937 stating that
:''l''(2<sup>''n''</sup>&nbsp;&minus;&nbsp;1)&nbsp;&le;&nbsp;''n''&nbsp;&minus;&nbsp;1&nbsp;+&nbsp;''l''(''n'').

N. Clift checked this by computer for ''n''&nbsp;≤&nbsp;46. It is known to be true for Brauer numbers.<ref name=G169>Guy (2004) p.169</ref>

==See also==
* [[Addition chain exponentiation]]
* [[Addition-subtraction chain]]
* [[Vectorial addition chain]]
* [[Lucas chain]]

==References==
{{reflist}}
*{{cite journal | last1=Brauer | first1=Alfred | title=On addition chains | doi=10.1090/S0002-9904-1939-07068-7  | mr=0000245  | year=1939 | journal=[[Bulletin of the American Mathematical Society]] | issn=0002-9904 | volume=45 | issue=10 | pages=736–739}}
* {{cite book|author=Richard K. Guy|authorlink=Richard K. Guy|title=[[Unsolved Problems in Number Theory]]|publisher=[[Springer-Verlag]]|year=2004|isbn=0-387-20860-7|oclc=54611248 | zbl=1058.11001}}  Section C6.

== External links ==
* http://wwwhomes.uni-bielefeld.de/achim/addition_chain.html
* {{SloanesRef |sequencenumber=A003313|name=Length of shortest addition chain for n}}
*[http://www.numdam.org/item?id=JTNB_1994__6_1_21_0 F. Bergeron, J. Berstel. S. Brlek "Efficient computation of addition chains"]

{{DEFAULTSORT:Addition Chain}}
[[Category:Addition chains|*]]

[[es:Suma encadenada]]

Revision 2 (text of the ''Pollard's p − 1 algorithm'' article):

'''Pollard's ''p'' − 1 algorithm''' is a [[number theory|number theoretic]] [[integer factorization]] [[algorithm]], invented by [[John Pollard (mathematician)|John Pollard]] in 1974. It is a special-purpose algorithm, meaning that it is only suitable for [[integer]]s with specific types of factors; it is the simplest example of an [[algebraic-group factorisation algorithm]].

The factors it finds are ones for which the number preceding the factor, ''p''&nbsp;&minus;&nbsp;1, is [[smooth number#Powersmooth numbers|powersmooth]]; the essential observation is that, by working in the multiplicative group [[Modular arithmetic|modulo]] a composite number ''N'', we are also working in the multiplicative groups modulo all of ''N'''s factors.

The existence of this algorithm leads to the concept of [[strong prime]]s, being primes for which ''p''&nbsp;&minus;&nbsp;1 has at least one large prime factor. Almost all sufficiently large primes are strong; if a prime used for cryptographic purposes turns out to be non-strong, it is much more likely to be through malice than through an accident of random number generation.

==Base concepts==
Let ''n'' be a composite integer with prime factor ''p''.  By [[Fermat's little theorem]], we know that for all integers ''a'' coprime to ''p'' and for all positive integers ''K'':
:<math>a^{K(p-1)} \equiv 1\pmod{p}</math>

If a number ''x'' is congruent to 1 [[Modular arithmetic|modulo]] a factor of ''n'', then the [[Greatest common divisor|gcd]] (''x''&nbsp;&minus;&nbsp;1,&nbsp;''n'') will be divisible by that factor.

The idea is to make the exponent a large multiple of ''p''&nbsp;&minus;&nbsp;1 by making it a number with very many prime factors; generally, we take the product of all prime powers less than some limit ''B''.  Start with a random ''x'', and repeatedly replace it by <math>x^w \mod n</math> as ''w'' runs through those prime powers.  Check at each stage, or once at the end if you prefer, whether [[Greatest common divisor|gcd]] (''x''&nbsp;&minus;&nbsp;1,&nbsp;''n'') is not equal to&nbsp;1.

==Multiple factors==
It is possible that for all the prime factors ''p'' of ''n'', ''p''&nbsp;&minus;&nbsp;1 is divisible by small primes, at which point the Pollard ''p''&nbsp;&minus;&nbsp;1 algorithm gives you ''n'' again.

==Algorithm and running time==
The basic algorithm can be written as follows:

:'''Inputs''': ''n'': a composite integer
:'''Output''': a non-trivial factor of ''n'' or <u>failure</u>
:# select a smoothness bound ''B''
:#<math>M \gets \prod_{\text{primes}~q \le B} q^{ \lfloor \log_q{B} \rfloor }</math>
:# randomly pick ''a'' coprime to ''n'' (note: we can actually fix ''a'', random selection here is not imperative)
:#<math>g \gets \gcd(a^M - 1, n)</math> (note: the powering can be done mod ''n'')
:# if 1 < ''g'' < ''n'' then return ''g''
:# if ''g'' = 1 then select a higher ''B'' and go to step 2 or return <u>failure</u>
:# if ''g'' = ''n'' then go to step 2 or return <u>failure</u>

If ''g'' = 1 in step 6, none of the ''p'' &minus; 1 were ''B''-powersmooth. If ''g'' = ''n'' in step 7, this usually indicates that all factors were ''B''-powersmooth, but in rare cases it could indicate that ''a'' had a small order modulo ''n''.

The running time of this algorithm is O(''B''&nbsp;&times;&nbsp;log&nbsp;''B''&nbsp;&times;&nbsp;log<sup>2</sup>''n''); larger values of ''B'' make it run more slowly, but are more likely to produce a factor.

==How to choose ''B''?==

Since the algorithm is incremental, it can just keep running with the bound constantly increasing.

Assume that ''p''&nbsp;&minus;&nbsp;1, where ''p'' is the smallest prime factor of ''n'', can be modelled as a random number of size less than&nbsp;&radic;''n''. By [[Dixon's theorem]], the probability that the largest factor of such a number is less than (''p''&nbsp;&minus;&nbsp;1)<sup>''&epsilon;''</sup> is roughly ''&epsilon;''<sup>&minus;''&epsilon;''</sup>; so there is a probability of about 3<sup>&minus;3</sup>&nbsp;=&nbsp;1/27 that a ''B'' value of ''n''<sup>1/6</sup> will yield a factorisation.

In practice, the [[elliptic curve method]] is faster than the Pollard ''p''&nbsp;&minus;&nbsp;1 method once the factors are at all large; running the ''p''&nbsp;&minus;&nbsp;1 method up to ''B''&nbsp;=&nbsp;10<sup>6</sup> will find a quarter of all twelve-digit factors and 1/27 of all eighteen-digit factors, before proceeding to another method.

==Large prime variant==
{{incoherent}}
A variant of the basic algorithm is sometimes used; instead of requiring that ''p''&nbsp;&minus;&nbsp;1 has all its factors less than ''B'', we can require it to have all but one of its factors less than some ''B''<sub>1</sub>, and the remaining factor less than some ''B''<sub>2</sub>.  Let ''p''<sub>1</sub> be the smallest prime greater than ''B''<sub>1</sub>, ''p''<sub>2</sub> the next-largest, and so on; let ''d''<sub>''n''</sub>&nbsp;=&nbsp;''p''<sub>''n''</sub>&nbsp;&minus;&nbsp;''p''<sub>''n''&minus;1</sub>. The distribution of prime numbers is such that the ''d''<sub>''n''</sub> will all be fairly small.

Having computed <math>c = a^M \mod n</math>, we can easily compute once and for all <math>E_r = c^r \mod n</math> for all <math>r</math> which appear as a value of <math>d_n</math>. Compute <math>t_1 = c^{p_1} \mod n</math>. We can then stop doing exponentiation, and compute

: <math>t_2 (= c^{p_2} \mod n) = t_1 E_{d_2} \mod n</math>, <math>t_3 = t_2 E_{d_3} \mod n, \dots</math>

with one multiplication rather than one exponentiation at each step; this is quicker by roughly a factor log&nbsp;''B'' than doing the exponentiations.  It can also be accelerated significantly using [[Fast Fourier transform]]s.

==Implementations==

* The [http://gforge.inria.fr/projects/ecm/ GMP-ECM] package includes an efficient implementation of the ''p''&nbsp;&minus;&nbsp;1 method.
* [[Prime95]] and [[MPrime]], the official clients of the [[Great Internet Mersenne Prime Search]], use ''p''&nbsp;&minus;&nbsp;1 to eliminate potential candidates.

==References==
*{{Citation |last=Pollard |first=J. M. |year=1974 |title=Theorems of Factorization and Primality Testing |journal=Proceedings of the Cambridge Philosophical Society |volume=76 |issue=3 |pages=521–528 |doi=10.1017/S0305004100049252 |issn= }}

==See also==
* [[Williams' p + 1 algorithm]]

==External links==
*[http://modular.math.washington.edu/edu/2007/spring/ent/ent-html/node81.html Pollard's ''p''&nbsp;&minus;&nbsp;1 Method]

{{Number theoretic algorithms}}
[[Category:Integer factorization algorithms]]

[[de:Pollard-p-1-Methode]]
[[es:Algoritmo p − 1 de Pollard]]
[[fr:Algorithme p-1 de Pollard]]
[[nl:Pollards p-1-methode]]
[[ru:P-1 метод Полларда]]
[[th:ขั้นตอนวิธีพีลบหนึ่งของพอลลาร์ด]]
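The addition chain definitions, the binary method and the Brauer (star) chain notion from the addition chain text above, as an added Python example (not code from the wiki page or from any project it links). Function names, the list representation of a chain and the iterative-deepening search for shortest star chains are my own choices; the search relies on the page's statement that l(n) = l*(n) for n ≤ 2500, so for small n the star chain it returns is also a minimal addition chain. Modular exponentiation with a fixed chain is the setting where this matters in practice (the exponent is usually a key), so `chain_exponentiate` takes an optional modulus.

```python
"""Addition chains: validation, the binary method, addition-chain
exponentiation and an exhaustive search for shortest star chains.
Added example for the addition chain text above; not code from the
wiki page.  A chain is a plain list v = [1, ..., n]."""

from typing import List, Optional, Tuple


def is_addition_chain(v: List[int], n: int) -> bool:
    """Defining property: v[0] = 1, v[-1] = n and every later term is the
    sum of two (not necessarily distinct) earlier terms.  The index pairs
    w are reconstructed implicitly, as the page says is usually possible."""
    if not v or v[0] != 1 or v[-1] != n:
        return False
    for i in range(1, len(v)):
        earlier = set(v[:i])
        if not any(v[i] - a in earlier for a in earlier):
            return False
    return True


def is_star_chain(v: List[int]) -> bool:
    """Brauer (star) chain: every term is the immediately preceding term
    plus some earlier term, v[k] = v[k-1] + v[j] with j < k."""
    return all(v[k] - v[k - 1] in v[:k] for k in range(1, len(v)))


def binary_addition_chain(n: int) -> List[int]:
    """The binary method: for each bit of n after the leading one, double
    (a squaring) and, if the bit is 1, add one (a multiplication by the
    base).  This is exponentiation by squaring written as a chain."""
    chain = [1]
    for bit in bin(n)[3:]:          # bits after the leading '0b1'
        chain.append(2 * chain[-1])
        if bit == "1":
            chain.append(chain[-1] + 1)
    return chain


def chain_exponentiate(base: int, v: List[int],
                       mod: Optional[int] = None) -> Tuple[int, int]:
    """Compute base**v[-1] (optionally modulo `mod`) with exactly one
    multiplication per chain step.  Returns (result, multiplications)."""
    reduce_ = (lambda x: x % mod) if mod else (lambda x: x)
    powers = {1: reduce_(base)}                  # exponent -> base**exponent
    for i in range(1, len(v)):
        for j in range(i - 1, -1, -1):           # find v[i] = v[j] + v[k]
            k = v[i] - v[j]
            if k in powers:
                powers[v[i]] = reduce_(powers[v[j]] * powers[k])
                break
        else:
            raise ValueError(f"{v[i]} is not the sum of two earlier terms")
    return powers[v[-1]], len(v) - 1


def shortest_star_chain(n: int) -> List[int]:
    """A shortest star chain for n (length l*(n) = len(result) - 1), found
    by iterative-deepening depth-first search.  Only practical for small n."""
    def extend(chain: List[int], steps_left: int) -> bool:
        last = chain[-1]
        if last == n:
            return True
        # each step at most doubles the last term, so prune unreachable n
        if steps_left == 0 or last << steps_left < n:
            return False
        for a in reversed(chain):                # largest summand first
            if last + a <= n:
                chain.append(last + a)
                if extend(chain, steps_left - 1):
                    return True
                chain.pop()
        return False

    chain, steps = [1], 0
    while not extend(chain, steps):
        steps += 1
    return chain


if __name__ == "__main__":
    page_chain = [1, 2, 3, 6, 12, 24, 30, 31]   # the chain given in the text
    print(is_addition_chain(page_chain, 31), is_star_chain(page_chain))
    print(chain_exponentiate(5, page_chain))    # (5**31, 7)
    print(binary_addition_chain(31))            # 8 steps, one more than optimal
    print(shortest_star_chain(31))              # some star chain of length 7
```

The binary method is the reference point the page gives: for 31 it needs 8 multiplications where the page's chain needs 7, and `shortest_star_chain` confirms that 7 is optimal among star chains.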

Revision as of 08:55, 12 August 2014

Pollard's p − 1 algorithm is a number theoretic integer factorization algorithm, invented by John Pollard in 1974. It is a special-purpose algorithm, meaning that it is only suitable for integers with specific types of factors; it is the simplest example of an algebraic-group factorisation algorithm.

The factors it finds are ones for which the number preceding the factor, p − 1, is powersmooth; the essential observation is that, by working in the multiplicative group modulo a composite number N, we are also working in the multiplicative groups modulo all of N's factors.

The existence of this algorithm leads to the concept of strong primes, being primes for which p − 1 has at least one large prime factor. Almost all sufficiently large primes are strong; if a prime used for cryptographic purposes turns out to be non-strong, it is much more likely to be through malice than through an accident of random number generation.

Base concepts

Let n be a composite integer with prime factor p. By Fermat's little theorem, we know that for all integers a coprime to p and for all positive integers K:

<math>a^{K(p-1)} \equiv 1 \pmod{p}</math>

If a number x is congruent to 1 modulo a factor of n, then the gcd (x − 1, n) will be divisible by that factor.

The idea is to make the exponent a large multiple of p − 1 by making it a number with very many prime factors; generally, we take the product of all prime powers less than some limit B. Start with a random x, and repeatedly replace it by <math>x^w \bmod n</math> as w runs through those prime powers. Check at each stage, or once at the end if you prefer, whether gcd (x − 1, n) is not equal to 1.

Multiple factors

It is possible that for all the prime factors p of n, p − 1 is divisible by small primes, at which point the Pollard p − 1 algorithm gives you n again.

Algorithm and running time

The basic algorithm can be written as follows:

Inputs: n: a composite integer
Output: a non-trivial factor of n or failure
  1. select a smoothness bound B
  2. <math>M \gets \prod_{\text{primes}~q \le B} q^{\lfloor \log_q B \rfloor}</math>
  3. randomly pick a coprime to n (note: we can actually fix a, random selection here is not imperative)
  4. <math>g \gets \gcd(a^M - 1, n)</math> (note: the powering can be done mod n)
  5. if 1 < g < n then return g
  6. if g = 1 then select a higher B and go to step 2 or return failure
  7. if g = n then go to step 2 or return failure

If g = 1 in step 6, none of the p − 1 were B-powersmooth. If g = n in step 7, this usually indicates that all factors were B-powersmooth, but in rare cases it could indicate that a had a small order modulo n.

The running time of this algorithm is <math>O(B \times \log B \times \log^2 n)</math>; larger values of B make it run more slowly, but are more likely to produce a factor.

How to choose B?

Since the algorithm is incremental, it can just keep running with the bound constantly increasing.

Assume that p − 1, where p is the smallest prime factor of n, can be modelled as a random number of size less than √n. By Dixon's theorem, the probability that the largest factor of such a number is less than <math>(p-1)^\varepsilon</math> is roughly <math>\varepsilon^{-\varepsilon}</math>; so there is a probability of about <math>3^{-3} = 1/27</math> that a B value of <math>n^{1/6}</math> will yield a factorisation.

In practice, the elliptic curve method is faster than the Pollard p − 1 method once the factors are at all large; running the p − 1 method up to <math>B = 10^6</math> will find a quarter of all twelve-digit factors and 1/27 of all eighteen-digit factors, before proceeding to another method.

Large prime variant

A variant of the basic algorithm is sometimes used; instead of requiring that p − 1 has all its factors less than B, we can require it to have all but one of its factors less than some <math>B_1</math>, and the remaining factor less than some <math>B_2</math>. Let <math>p_1</math> be the smallest prime greater than <math>B_1</math>, <math>p_2</math> the next-largest, and so on; let <math>d_n = p_n - p_{n-1}</math>. The distribution of prime numbers is such that the <math>d_n</math> will all be fairly small.

Having computed <math>c = a^M \bmod n</math>, we can easily compute once and for all <math>E_r = c^r \bmod n</math> for all <math>r</math> which appear as a value of <math>d_n</math>. Compute <math>t_1 = c^{p_1} \bmod n</math>. We can then stop doing exponentiation, and compute

<math>t_2 (= c^{p_2} \bmod n) = t_1 E_{d_2} \bmod n</math>, <math>t_3 = t_2 E_{d_3} \bmod n, \dots</math>

with one multiplication rather than one exponentiation at each step; this is quicker by roughly a factor log B than doing the exponentiations. It can also be accelerated significantly using Fast Fourier transforms.
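Stage 1 of the algorithm (steps 1 to 7 of the Algorithm section), the powersmooth test that decides whether a prime is "strong" relative to a bound, and the large prime variant just described as a stage 2, all as one added Python example. This is not code from the wiki page nor from GMP-ECM or Prime95; the function names are mine, the sample moduli are constructed products of small primes chosen so the runs are instant, and stage 2 multiplies the (t_i − 1) values together and takes a single gcd at the end, a common choice the page does not spell out.

```python
"""Pollard's p - 1: stage 1 (steps 1-7 of the page), the powersmooth test
behind the page's notion of a "strong prime", and the large prime variant
as a stage 2.  Added example, not the wiki page's own code.  The sample
moduli in __main__ are constructed products of small primes."""

from math import gcd, isqrt
from typing import List, Optional


def primes_up_to(limit: int) -> List[int]:
    """Sieve of Eratosthenes."""
    if limit < 2:
        return []
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for q in range(2, isqrt(limit) + 1):
        if sieve[q]:
            sieve[q * q::q] = bytes(len(range(q * q, limit + 1, q)))
    return [i for i, flag in enumerate(sieve) if flag]


def prime_powers_up_to(B: int) -> List[int]:
    """Largest q**k <= B for each prime q <= B.  Their product is the
    exponent M = prod q**floor(log_q B) of step 2."""
    out = []
    for q in primes_up_to(B):
        pw = q
        while pw * q <= B:
            pw *= q
        out.append(pw)
    return out


def is_powersmooth(m: int, B: int) -> bool:
    """m is B-powersmooth iff every prime power q**e exactly dividing m is
    <= B, i.e. iff m divides M.  A prime p is "strong" relative to B when
    p - 1 fails this test: stage 1 with bound B then never isolates p."""
    for q in primes_up_to(B):
        qe = 1
        while m % q == 0:
            m //= q
            qe *= q
        if qe > B:
            return False
    return m == 1


def stage1(n: int, B: int, a: int = 2) -> Optional[int]:
    """Steps 3-7, taking the gcd after every prime power.  Returns a
    non-trivial factor, or None when g == 1 (no p - 1 was B-powersmooth)
    or g == n (every factor collapsed to 1 in the same stage)."""
    x = a % n
    for w in prime_powers_up_to(B):
        x = pow(x, w, n)
        g = gcd(x - 1, n)
        if 1 < g < n:
            return g
        if g == n:
            return None
    return None


def stage2(n: int, B1: int, B2: int, a: int = 2) -> Optional[int]:
    """Large prime variant.  c = a**M mod n comes from a stage 1 with bound
    B1; for the primes B1 < p_1 < p_2 < ... <= B2 each t_i = c**p_i costs
    one multiplication, t_i = t_(i-1) * E_d with E_d = c**d tabulated once
    for every prime gap d.  The (t_i - 1) are multiplied together so that a
    single gcd covers every candidate p_i."""
    c = a % n
    for w in prime_powers_up_to(B1):
        c = pow(c, w, n)
    primes = [q for q in primes_up_to(B2) if q > B1]
    if not primes:
        return None
    gaps = {primes[i] - primes[i - 1] for i in range(1, len(primes))}
    E = {d: pow(c, d, n) for d in gaps}       # E_d for every gap that occurs
    t = pow(c, primes[0], n)                  # the only remaining exponentiation
    acc = (t - 1) % n
    for i in range(1, len(primes)):
        t = t * E[primes[i] - primes[i - 1]] % n
        acc = acc * (t - 1) % n
    g = gcd(acc, n)
    return g if 1 < g < n else None


if __name__ == "__main__":
    # Constructed moduli: 1008 = 2^4*3^2*7 and 2002 = 2*7*11*13 are
    # 16-powersmooth; 1012 = 4*11*23 is not (23 > 16); 2026 = 2*1013 has a
    # large prime factor, so 2027 is a strong prime for every B < 1013.
    print(is_powersmooth(1008, 16), is_powersmooth(2026, 16))  # True False
    print(stage1(1009 * 2027, 16))        # 1009
    print(stage1(1009 * 2003, 16))        # 1009: per-stage gcds separate them
    print(stage1(2027 * 1013, 16))        # None: g == 1
    print(stage2(2027 * 1013, 16, 1000))  # 1013: lone large factor 23 <= B2
```

The per-stage gcd in `stage1` is what the page means by "check at each stage": for 1009 × 2003 both p − 1 are 16-powersmooth, so a single gcd at the end would return g = n (the Multiple factors case), but the two factors reach 1 at different prime powers and the intermediate gcd picks one out. For 2027 × 1013 neither p − 1 is 16-powersmooth, so stage 1 fails with g = 1 and stage 2 with B2 = 1000 finds 1013 through the single remaining factor 23 of 1012.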

Implementations

References


See also

External links
