|
2013-08-11, 19:25
|
#12 |
|
"Dana Jacobsen"
Feb 2011
Bangkok, TH
2·5·7·13 Posts |
Not going to wade too deep in this, but I recommend:
Montgomery, "Speeding the Pollard and elliptic curve methods of factorization", 1987 Silverman already pointed this one out, and I agree it's a gem that is full of information. I find more in it every time I look at it. Brent, "Primality Testing and Integer Factorisation", 1990 (published 1991) Two books I like are "Prime Numbers and Computer Methods for Factorization" by Hans Riesel (1994), available at reasonable prices used; and "Prime Numbers: A Computational Perspective" by Crandall and Pomerance (2nd edition, mine is copyright 2010). The latter is available in electronic form here. I like having a paper copy, but given the free electronic price there isn't any reason not to peruse it. How useful Pollard's rho is depends on your application. It's always useful to know, and for CS geeks it's a fun thing to program, especially as it is quite short. I've found it to be quite useful in some cases when trying to factor tiny numbers quickly (SQUFOF and p-1 are better in the long run -- your mileage may vary). Hence I think it's a useful tool to have around if that's something you'll be doing. |
|
|
|
2013-08-11, 20:39
|
#13 | |
|
Bamboozled!
"๐บ๐๐ท๐ท๐ญ"
May 2003
Down not across
2·17·347 Posts |
Quote:
I have a DPhil in an entirely unrelated subject (physical chemistry, specifically molecular spectroscopy). That hasn't stopped me from doing useful (but admittedly not earth-shattering) work in other fields including cryptography and, more generally, information security. I've a lot of respect for Bruce and have learned much from him over the years. On one occasion, just before he was about to start, he asked why I was in his audience --- apparently under the impression that I already knew everything he was about to say. Needless to say, he was mistaken. |
|
|
|
|
|
2013-09-04, 16:50
|
#14 |
|
Just call me Henry
"David"
Sep 2007
Liverpool (GMT/BST)
3×23×89 Posts |
It just occurred to me that if the polynomial in pollard rho is x^2-2 then for 1.5x + gcds cost we could run pollard rho plus a lucas lehmer test at the same time. How much time would the gcds take in this circumstance for large exponents?
|
|
|
|
|
2013-09-04, 17:51
|
#15 |
|
Romulan Interpreter
"name field"
Jun 2011
Thailand
41·251 Posts |
Those orders are much higher, you won't find a factor in the first p-1 iterations. As someone said before, Pollard rho is a very inefficient algorithm. Try it for M67, M101, and see.
Last fiddled with by LaurV on 2013-09-04 at 17:52 |
|
|
|
|
2013-09-04, 18:47
|
#16 | ||
"Gang aft agley"
Sep 2002
2×1,877 Posts |
Quote:
Quote:
|
||
|
|
|
|
2013-09-04, 19:58
|
#17 | |
"Bob Silverman"
Nov 2003
North of Boston
5·17·89 Posts |
Quote:
I will offer a hint: Consider the orbit of a generator of the twisted sub-group of GF(P^2). Second hint: Look at the roots of x^2-2 in GF(P^2) (where P is the prime being sought) Third hint: consider looking for a closed form solution to the recursion: x_{n+1} = x_n^2 - 2 |
|
|
|
|
|
2013-09-04, 20:04
|
#18 | ||
|
Just call me Henry
"David"
Sep 2007
Liverpool (GMT/BST)
137758 Posts |
Quote:
It wouldn't surprise me if the number of iterations would only be enough in very few situations. Quote:
 It wouldn't surprise me if other choices of a that work for LL tests are also quite bad. We also have to remember that factors of 2^p-1 are of the form 2kp+1 which would be relatively large factors for rho to find. |
||
|
|
|
|
2013-09-04, 20:20
|
#19 | |
|
"Gang aft agley"
Sep 2002
2·1,877 Posts |
As for considering the GCD cost in Pollard Rho, there is this optimization (Wikipedia):
Quote:
|
|
|
|
|
|
2013-09-04, 21:09
|
#20 | |
|
"Bob Silverman"
Nov 2003
North of Boston
5·17·89 Posts |
Quote:
might learn how to respond to your 'surprise'. Try studying WHY the LL test works. |
|
|
|
|
|
2013-09-06, 01:42
|
#21 | |
Aug 2006
22·3·499 Posts |
Quote:
You mention a generator, so you must mean a twisted subgroup of the multiplicative group GF(p^2)* since the additive group has no generator (as all elements have order 1 or p). {1} and GF(p^2)* are trivial twisted subgroups of GF(p^2)*, you must not mean those. I looked at GF(9) as an example, and unless I am mistaken there are two nontrivial twisted subgroups: {1, 2} and {1, 2, a, b} where a and b are the square roots of 2. (I'm not sure of the usual terminology here.) Only the former has a generator, since a does not generate b and b does not generate a. But in any case, the orbit of a generator is surely the whole twisted subgroup, no? Else it would not be a generator. So I'm confused as to what you mean. Edit: Of course by 1 I mean the multiplicative identity and by 2 I mean 1+1 = -1. Last fiddled with by CRGreathouse on 2013-09-06 at 01:49 |
|
|
|
|
|
2013-09-06, 03:21
|
#22 | |
|
"Bob Silverman"
Nov 2003
North of Boston
756510 Posts |
Quote:
GF(p^2) The fact that there is a generator which is a solution to x^2 - 2 = 0 (and there is a closed form solution ) combined with the fact that the recurrence x_{n+1} = x_n^2 -2 is just squaring an element in the twisted sub-group shows that there is a closed form solution to the recurrence. Which makes it bad as a pseudo RNG (and hence bad for Pollard Rho) |
|
|
|
|
 |
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Pollard rho with known factor of P-1 | henryzz | Math | 2 | 2017-08-15 12:13 |
| PFGW can't find a small factor. | Arkadiusz | Software | 7 | 2013-02-18 12:43 |
| How much ECM does it take to find a given factor? | geoff | Factoring | 5 | 2004-09-29 20:14 |
| Where I find the best program to it factor keys? I use AMD. | chrow | Factoring | 5 | 2004-02-19 10:15 |
| How large a factor can P-1 testing find ? | dsouza123 | Software | 3 | 2003-12-11 00:48 |
