
Public key cryptography and implementations of
Pollard's rho algorithms


Kapil Chandak

2 July 2019

1 Introduction

2 Implementations of Pollard’s Rho algorithms


2.1 Factoring algorithm
2.2 Discrete log algorithm

Introduction
Cryptography is the study of techniques for secure communication in the presence of third parties called adversaries. In cryptography, we construct and analyze protocols that prevent third parties from reading our private messages. Cryptography can mainly be divided into two parts: shared secret-key cryptography and public-key cryptography. I was a Microsoft intern at the R.C. Bose Centre for Cryptology and Security at the Indian Statistical Institute, Kolkata, during the period May-July 2019. During the two-month internship at the R.C. Bose Centre for Cryptology and Security, we learnt for approximately two weeks about various aspects of various kinds of cryptography. We learnt about stream ciphers, block ciphers, public-key cryptography, lattice cryptography, cryptography based on error-correcting codes, quantum cryptography, hash functions (both keyed and unkeyed), message authentication codes and digital signatures, and the various notions of security like perfect security, semantic security, etc. I also learnt about Byzantine computing and the blockchain technology used in cryptocurrencies. I liked the notion of Shannon's entropy and also the idea of zero-knowledge proofs. I developed an interest in public-key cryptography due to the strong mathematical background it requires and hence started my work along with Dr. Rana Barua, who was working on that aspect.

Public-key cryptography is talking to someone secretly when you don't have a shared secret key. Consider two computers that have never communicated with each other, or sending a message to someone you have never met. In all of these scenarios the users have not met and so have no shared secret key; so if one user wants to send a message to another, he uses the receiver's public key to encrypt his message, and the receiver, who holds his own secret key, decrypts the message. The public key and secret key are different, hence this form of cryptography is also known as asymmetric-key cryptography. The public key and secret key are mathematically related to one another, and the relationship is based on a hard problem in mathematics which requires too much time and computational power to solve.
I liked number theory and hence started with the RSA model. It is built on Euler's theorem

a^φ(n) ≡ 1 (mod n)

It is based on the fact that factoring a number with large prime factors is very hard. The details of the RSA and ElGamal cryptosystems can be gathered from the book mentioned at the end of the report. The RSA public key contains a number which is the product of two large prime numbers; as factorization is hard, a third party will not know the factors and the two parties can communicate securely, but if the third party is somehow able to find the factors, then it obtains the secret key and can decrypt. There are various algorithms to factorize a number. One of them is Pollard's rho algorithm. It uses the following concepts. Congruence: two numbers satisfy x ≡ y (mod n) if their difference is an integer multiple of n, i.e. each of them leaves the same remainder when divided by n. The G.C.D. The birthday paradox: the probability of two persons having the same birthday is unexpectedly high even for a small set of people. On top of these it uses f(x) = x^2 + a as the function that pseudo-randomly generates the numbers. The implementation of the algorithm is as below. Pseudocode of Pollard's rho factoring algorithm:
Start with a random number x and a constant c, and let f(x) = x^2 + c.
external f
x ← x_1
x' ← f(x)
p ← gcd(x − x', n)
while p = 1
do {
    x ← f(x)
    x' ← f(x')
    x' ← f(x')
    p ← gcd(x − x', n)
}
if p = n
    then return('fail')
    else return(p)

How the algorithm works

Let n be composite. Since n is composite, it has a non-trivial factor p ≤ √n. Now suppose we pick two numbers x and y from the range [0, n−1]. The only time we get x ≡ y (mod n) is when x and y are identical. However, since p ≤ √n, there is a good chance that x ≡ y (mod p) even when x and y are not identical (birthday paradox). Suppose that among the pseudo-random values we find a pair x_i, x_j such that gcd(x_i − x_j, n) = p > 1. Then x_i ≡ x_j (mod p) implies f(x_i) ≡ f(x_j) (mod p), because f is a polynomial with integer coefficients; and since every value in the sequence is obtained by applying f to the previous one, x_i ≡ x_j (mod p) gives x_{i+d} ≡ x_{j+d} (mod p) for every d > 0. So once the sequence collides modulo p (and as the set of residues is finite, a collision is bound to happen), we are sure that the following elements are also congruent to each other. So we get a cycle of length l = j − i (the cycle might even be shorter, of length some divisor of l). We thus have an initial tail followed by a cycle of length l; the picture resembles the Greek letter ρ, hence the name rho algorithm. The main ideas behind Pollard's rho algorithm are randomly picking numbers, computing gcds and the birthday paradox. We may use efficient algorithms for gcd calculations to reduce the time even further.

Implementation of Pollard rho factoring algorithm in Python

import math
n = int(input('n is'))
x = int(input('x is'))      # starting value x_1
a = int(input('a is'))      # constant in f(x) = x^2 + a
y = (x**2 + a) % n          # x' <- f(x)
p = math.gcd(y - x, n)
while p == 1:
    x = (x**2 + a) % n      # x moves one step
    y = (y**2 + a) % n      # x' moves two steps
    y = (y**2 + a) % n
    p = math.gcd(y - x, n)
if p == n:
    print('fail')
else:
    print(p)

Results

n                          x   a    Result
971519524513               1   1    986101
100001880003211            1   1    10000169
10065389520476071476829    1   1    100529784361
10065389520476071476829    5   10   100123456789
143                        1   1    Fail
143                        5   10   11

In case the algorithm returns fail, try some other values of x and a: as it is a probabilistic algorithm, it may return fail. If it returns fail for many values, then the number might also be prime. Here I took x and a to be 1 and 1 or 5 and 10, but we can pick any values of x and a.
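As an added example (not the report's own code), the retry strategy just described, written as functions: the walk from the report's pseudocode returns None when the gcd reaches n, and a sweep over other (x, a) pairs keeps trying; a prime n fails every walk, so the sweep reports None for it. The function names are mine.

```python
import math

def pollard_rho(n, x, a):
    """Pollard's rho with Floyd cycle finding and f(v) = v^2 + a mod n.
    Returns a non-trivial factor of n, or None when the walk fails
    (gcd reaches n), exactly as the report's pseudocode does."""
    f = lambda v: (v * v + a) % n
    y = f(x)                      # x' <- f(x): the hare starts one step ahead
    p = math.gcd(y - x, n)
    while p == 1:
        x = f(x)                  # tortoise: one step
        y = f(f(y))               # hare: two steps
        p = math.gcd(y - x, n)
    return None if p == n else p

def factor_with_retries(n, tries=20):
    """Re-run the walk with other (x, a) pairs after a failure.
    The pairs are swept deterministically so that runs are reproducible;
    a prime n fails every walk and yields None."""
    for a in range(1, tries + 1):
        for x in (1, 2, 5):
            p = pollard_rho(n, x, a)
            if p is not None:
                return p
    return None
```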

ElGamal Cryptosystem
Another hard problem on which cryptography is built is the discrete log problem. The ElGamal cryptosystem uses the concepts of groups, primitive roots, the discrete log problem, etc., and is based on the Diffie-Hellman key exchange protocol. If the attacker is able to solve the discrete log problem, then the system is broken and he can decrypt all messages. The principles of the Pollard rho algorithm, the birthday paradox and randomly chosen numbers, are used to solve the discrete log problem as well; but the algorithm is still probabilistic and may not yield a result in some cases, and then we may try changing the initial values used in the code or the definition of the random function. It might also happen that you entered some wrong value, so that the number we assumed to be a generator of the group is not one. The code of the implementation is given below. The pseudocode is:

procedure f(x, a, b)
    if x ∈ S1
        then f ← (β·x, a, (b + 1) mod n)
    else if x ∈ S2
        then f ← (x^2, 2a mod n, 2b mod n)
    else f ← (α·x, (a + 1) mod n, b)

Main
    define the partition G = S1 ∪ S2 ∪ S3
    (x, a, b) ← f(1, 0, 0)        (caution: 1 should not lie in S2)
    (x', a', b') ← f(x, a, b)
    while x ≠ x'
    do {
        (x, a, b) ← f(x, a, b)
        (x', a', b') ← f(x', a', b')
        (x', a', b') ← f(x', a', b')
    }
    if gcd(b' − b, n) ≠ 1
        then return('failure')
        else return (a − a')(b' − b)^(−1) mod n

Working

The working of this algorithm is almost the same as the last one: the use of a function to pseudo-randomly choose integers and the computation of a gcd, which were the main features of the previous algorithm, are present here too; only the random function is different. Here the function has three branches, and we need to take care that our starting element x = 1, a = 0, b = 0 does not fall into the branch for x ∈ S2, because squaring 1 gives no new value and the walk gets stuck at that same value. If the algorithm is not yielding any result, we may consider different initial values, changing x or a or all three, and we may also change S1, S2, S3. I used the extended Euclidean algorithm to find the inverse of the element required in the last step; we may also use a^(p−2) mod p as the inverse of a if the order of the group is a prime p, as Fermat's theorem says

a^(p−1) ≡ 1 (mod p)

if p is prime, which may also be considered a special case of Euler's theorem stated above. You may refer to pp. 238-239 of Stinson for more information, but in short the algorithm uses the fact that every triple satisfies x = α^a β^b, which (1, 0, 0) obviously satisfies for any α and β; hence this is chosen as the standard start point. After this the algorithm compares the triples (x_{2i}, a_{2i}, b_{2i}) and (x_i, a_i, b_i), and at the point where x_{2i} = x_i we have α^{a_{2i}} β^{b_{2i}} = α^{a_i} β^{b_i}. From this the final answer of the discrete log problem is c = (a_i − a_{2i})(b_{2i} − b_i)^(−1) mod n.

Implementation of Pollard rho discrete log algorithm in Python

import math

def order(c, p):
    # multiplicative order of c modulo p: smallest i >= 1 with c^i = 1 (mod p)
    l = c
    c = (l * c) % p
    i = 2
    while c != l:
        c = (l * c) % p
        i = i + 1
    return i - 1

def f(g):
    # partition by x mod 3: S1 (x = 1 mod 3) multiplies by beta and adds 1 to b,
    # S2 (x = 0 mod 3) squares, S3 multiplies by alpha and adds 1 to a;
    # the exponents a and b are reduced modulo the order n, as in the pseudocode
    if g[0] % 3 == 1:
        g = [(d * g[0]) % p, g[1] % n, (g[2] + 1) % n]
    elif g[0] % 3 == 0:
        g = [(g[0] ** 2) % p, 2 * g[1] % n, 2 * g[2] % n]
    else:
        g = [(c * g[0]) % p, (g[1] + 1) % n, g[2] % n]
    return g

def exp(u, n):
    # inverse of u modulo n by brute force (the extended Euclidean algorithm
    # can be used instead); returns None when no inverse exists
    u = u % n
    for k in range(1, n):
        if (u * k) % n == 1:
            return k
    return None

c = int(input('alpha is'))
d = int(input('beta is'))
p = int(input('prime is'))
n = order(c, p)
x = 1
a = 0
b = 0
g = f([x, a, b])    # (x, a, b) <- f(1, 0, 0)
o = f(g)            # (x', a', b') <- f(x, a, b)
while g[0] != o[0]:
    g = f(g)
    o = f(o)
    o = f(o)
u = o[2] - g[2]     # b' - b
t = g[1] - o[1]     # a - a'
if math.gcd(u, n) == 1:
    y = exp(u, n)
    print((t * y) % n)
    print(n)
else:
    print('fail')

Results

alpha   beta   prime p   order n   discrete log
89      618    809       101       49
67      256    977       61        46
89      634    809       101       89
67      175    977       61        60

In some cases it might not work; try changing the definition of f(g) or the start (1, 0, 0), as it is a probabilistic algorithm. Also, if the run ends with 'fail', or with a traceback at the print((t*y)%n) line, then the inverse does not exist: either the generator is wrong or some entry is wrong, and there is no solution in that case.
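As an added example (not the report's own code), the discrete log walk written as a function that follows the pseudocode strictly: the exponents are reduced modulo the order n, the inverse comes from the extended Euclidean algorithm the report mentions, and the gcd(b' − b, n) ≠ 1 case returns None instead of raising, so the caller can retry with another start or partition. The helper names egcd, inverse_mod and multiplicative_order are mine; multiplicative_order assumes alpha is a unit modulo p.

```python
def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return (a, 1, 0)
    g, s, t = egcd(b, a % b)
    return (g, t, s - (a // b) * t)

def inverse_mod(u, n):
    """Inverse of u modulo n, or None when gcd(u, n) != 1 (the failure case)."""
    g, s, _ = egcd(u % n, n)
    return s % n if g == 1 else None

def multiplicative_order(alpha, p):
    """Smallest n >= 1 with alpha^n = 1 (mod p); alpha must be a unit mod p."""
    n, v = 1, alpha % p
    while v != 1:
        v, n = v * alpha % p, n + 1
    return n

def pollard_rho_dlog(alpha, beta, p, n):
    """Return c with alpha^c = beta (mod p), alpha having order n, or None.
    Same partition as the report's code: S1/S2/S3 = x mod 3 in {1, 0, 2}."""
    def f(x, a, b):
        if x % 3 == 1:                           # S1: multiply by beta, b + 1
            return (beta * x % p, a, (b + 1) % n)
        if x % 3 == 0:                           # S2: square, double a and b
            return (x * x % p, 2 * a % n, 2 * b % n)
        return (alpha * x % p, (a + 1) % n, b)   # S3: multiply by alpha, a + 1
    x, a, b = f(1, 0, 0)                         # 1 lies in S1, so the walk moves
    x2, a2, b2 = f(x, a, b)
    while x != x2:                               # Floyd: one step vs two steps
        x, a, b = f(x, a, b)
        x2, a2, b2 = f(*f(x2, a2, b2))
    inv = inverse_mod(b2 - b, n)                 # (b' - b)^-1 mod n
    if inv is None:
        return None                              # gcd(b' - b, n) != 1: no answer
    return (a - a2) * inv % n
```

The caller should confirm a returned c with pow(alpha, c, p) == beta, since a wrong generator or order silently produces a wrong value.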
In short, during the course of the internship I learnt the various aspects of cryptography, public-key cryptography in some depth, and how the idea of the Pollard rho algorithm can be used to find solutions to various hard problems in a speedy manner. I also learnt to type a document in LaTeX. The information required for this internship was gathered from the book Cryptography: Theory and Practice (3rd edition) by Douglas R. Stinson. The book Algebra by Michael Artin was used for gaining the knowledge of groups. The lecture slides of Prof. Rana Barua were also useful for the basic knowledge. The link http://www-math.ucdenver.edu/~wcherowi/courses/m5410/exeucalg.html was useful for the knowledge of the extended Euclidean algorithm, which was used to find the inverse in the last code. The knowledge of typing in LaTeX was gained from the video series of Michelle Krummel on typing in LaTeX on YouTube.
