Pollard concepts
Let n = pqr, where p and q are distinct primes and r is an integer, such that p − 1 is B-powersmooth and q − 1 is not B-powersmooth. Let M be the product of all prime powers q^e ≤ B (equivalently, the least common multiple of every B-powersmooth number); then p − 1 divides M, so a^M ≡ 1 (mod p) by Fermat's little theorem, while in general a^M ≢ 1 (mod q). Now, gcd(a^M − 1, n) yields a proper factor of n.
In the case where q − 1 is also B-powersmooth, the gcd may yield a trivial factor because q also divides a^M − 1, giving gcd(a^M − 1, n) = n. This is what makes the algorithm specialized. For example, 172189 = 421 × 409. 421 − 1 = 2^2 × 3 × 5 × 7 and 409 − 1 = 2^3 × 3 × 17. So an appropriate value of B would be from 7 to 16. If B were selected less than 7 the gcd would have been 1, and if B were selected 17 or higher the gcd would have been n. Of course, we do not know what value of B is appropriate in advance, so choosing B will factor into the algorithm.
To speed up calculations, we also know that when taking the gcd we can reduce one argument modulo the other, so gcd(a^M − 1, n) = gcd((a^M − 1) mod n, n). This can be efficiently calculated using modular exponentiation and the Euclidean algorithm, so a^M itself is never formed.
Algorithm and running time
The basic algorithm can be written as follows:
Inputs: n: a composite integer
Output: a non-trivial factor of n or failure
1. select a smoothness bound B
2. randomly pick a coprime to n (note: we can actually fix a, random selection here is not imperative)
3. for each prime q ≤ B, with e the largest exponent such that q^e ≤ B:
a ← a^(q^e) mod n (note: after the loop a holds a^M mod n)
4. g ← gcd(a − 1, n)
5. if 1 < g < n then return g
6. if g = 1 then select a higher B and go to step 2 or return failure
7. if g = n then go to step 2 or return failure
If g = 1 in step 6, this indicates that for no prime factor p of n was p − 1 B-powersmooth (more precisely, the order of a modulo p does not divide M for any p). If g = n in step 7, this usually indicates that all factors p had p − 1 B-powersmooth, but in rare cases it could indicate that a had a small order modulo every p.
The running time of this algorithm is O(B × log B × log^2 n), so it is advantageous to pick a small value of B.
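The following is an added example, not code from the original page: a direct Python implementation of steps 1 to 7 above, run against the page's worked modulus 172189 = 421 × 409. It makes the bound-selection loop explicit (double B on g = 1, change the base a on g = n) and exposes each single pass so the reader can see the three outcomes (gcd of 1, a proper factor, or n) for different B. The helper names pollard_p_minus_1, factor_with_sweep and primes_up_to are this example's own, and the sweep schedule (B_start, B_max, the fixed list of bases) is an assumed choice, not something the page prescribes. The same weakness this algorithm exploits is why RSA key generation avoids primes p with smooth p − 1.

```python
import math


def primes_up_to(bound):
    """Sieve of Eratosthenes: return all primes <= bound (empty for bound < 2)."""
    if bound < 2:
        return []
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, math.isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, bound + 1, i)))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def pollard_p_minus_1(n, B, a=2):
    """One pass of the basic algorithm (steps 2-4) for a fixed bound B and base a.

    Computes a^M mod n, where M is the product of every prime power q^e <= B,
    by raising a to each q^e in turn, then returns gcd(a^M - 1, n).
    The caller interprets the result: 1 < g < n is a proper factor,
    g == 1 means no p - 1 was B-powersmooth, g == n means every p - 1 was.
    """
    g = math.gcd(a, n)
    if g != 1:
        return g  # base already shares a factor with n; nothing more to do
    for q in primes_up_to(B):
        qe = q
        while qe * q <= B:  # largest power of q that is still <= B
            qe *= q
        a = pow(a, qe, n)  # never forms a^M; everything stays reduced mod n
    return math.gcd(a - 1, n)


def factor_with_sweep(n, B_start=2, B_max=1 << 20, bases=(2, 3, 5)):
    """Steps 1-7 with the bound choice made explicit (assumed schedule).

    g == 1: no factor found yet, so double B (step 6).
    g == n: all p - 1 are B-powersmooth for this base, so try another base
            from the start (step 7); in practice this rarely helps, since the
            cause is the bound, not the base.
    Returns (factor, B, a) on success or None on failure.
    """
    for a in bases:
        B = B_start
        while B <= B_max:
            g = pollard_p_minus_1(n, B, a)
            if 1 < g < n:
                return g, B, a
            if g == n:
                break
            B *= 2
    return None


if __name__ == "__main__":
    n = 172189  # = 421 * 409, the page's example; 420 = 2^2*3*5*7, 408 = 2^3*3*17
    for B in (6, 7, 16, 17):
        print(f"B={B:2d}: gcd(2^M - 1, n) = {pollard_p_minus_1(n, B)}")
    print("sweep:", factor_with_sweep(n))
```

With the page's example the single passes show the window described above: B = 6 returns 1 (420 is not 6-powersmooth), B = 7 and B = 16 return 421, and B = 17 returns 172189 because 408 = 2^3 × 3 × 17 is now covered as well. The sweep stops at B = 8, the first doubling at which M = 8 × 3 × 5 × 7 = 840 is divisible by 420 but not by 408.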