These are solutions to the following questions: https://hyperelliptic.org/tanja/teaching/crypto21/first.pdf

# Exercise 2

In [1]:
n = 246106655759
a = 3875506

## Exercise 2a

In [2]:
s = lcm([1,2,3,4,5,6,7,8,9,10,11,12,13])
s

360360

In [3]:
# To verify our answer, we factor s and see whether it has the expected form
s.factor()

2^3 * 3^2 * 5 * 7 * 11 * 13

## Exercise 2b

In [4]:
# Do not forget the __mod n__!
b = Mod(a ^ s, n)
b

202588267824

## Exercise 2c

In [5]:
p = int(gcd(b-1, n))
p

11056501

## Exercise 2d

In [6]:
q = n/p
q

22259

In [7]:
# As a sanity check, let us verify whether p*q = n
p * q == n

True

## Exercise 2e

In [8]:
(p-1).factor()

2^2 * 3^5 * 5^3 * 7 * 13

After dividing $p-1$ by the factors which $p-1$ and $s$ have in common, we obtain `3^3 * 5^2`.

In [9]:
(q-1).factor()

2 * 31 * 359

After dividing $q-1$ by the factors which $1-1$ and $s$ have in common, we obtain `31 * 359`.

In [10]:
s.factor()

2^3 * 3^2 * 5 * 7 * 11 * 13

After dividing $s$ by the factors which $p-1$ and $s$ have in common, we obtain `2 * 11`.

After dividing $s$ by the factors which $q-1$ and $s$ have in common, we obtain `2^2 * 3^2 * 5 * 7 * 11 * 13`.

In [11]:
GF(p)(a).multiplicative_order().factor()

2^2 * 3^2 * 5 * 7 * 13

After dividing by the factors which $p-1$ and $s$ have in common, we obtain `1` (i.e. no factors are left over).
<div class="alert alert-success">
    Note that this is a necessary (but not sufficient) condition for the $p-1$ method to work.
</div>

In [12]:
GF(q)(a).multiplicative_order().factor()

31 * 359

After dividing by the factors which $q-1$ and $s$ have in common, we obtain `31 * 359`.

<div class="alert alert-success">
    Note that this is also a necessary (but not sufficient) condition for the $p-1$ method to work; we need to have that this does not give $1$ (i.e. at least one factor is left over).
</div>

$p$ divides the `gcd` if and only if the order of $a$ (in $\mathbb{F}_p^*$) does not divide any of the factors which $p-1$ has, and $s$ does not have; that is, the order of $a$ should be divisible by neither $3^3=27$ nor $5^2=25$.

Out of every 675 numbers, there are $27+25-1$ numbers which divide either $3^3$ or $5^2$ (or both, for which we subtract one element).
Hence, for a fraction of $\frac{51}{675}$ of the bases $a$, we have that $p$ doesn't divide the `gcd`.

**We need that $p$ divides the gcd and $q$ does not divide the gcd.**

Similarly, we have that $q$ divides the `gcd` if and only if the order of $a$ in $\mathbb{F}_q^*$ does not divide any of the factors which $q-1$ has, and $s$ does not have; that is, the order of $a$ should be divisible by neither 31 nor 359.

Out of every $31*359=11129$ numbers, there are $31+359-1=389$ numbers which divide either 31 or 359 (or both, for which we subtract one element).
Hence, for a fraction of $\frac{389}{11129}$ of the bases $a$, we have that $q$ divides the `gcd`.

We have that the algorithm succeeds in factoring $n$ if and only if $p$ divides the `gcd` and $q$ does not divide the `gcd`.
This happens for a fraction of $\frac{51}{675}\left(1-\frac{389}{11129}\right)=\frac{12172}{166935}$ of the bases $a$.

<div class="alert alert-danger">
    Maybe I have flipped the numbers around here.
    How do I check this (apart from 'just trying')?
</div>

In [13]:
(p-1)/(3^3*5^2) # there are ... numbers which have order dividing 3^3 and 5^2, for which it will work

16380

In [14]:
# There are ... numbers 
(q-1)/(31*359)

2

We need $a^{s} = 1 \mod p$ and $a^{s} \neq 1 \mod q $ (the latter only holds if order of a in $F_q^*$ divides 2, which means the order is 1 or 2)

<div class="alert alert-success">
    <strong>This part has been verified below.</strong><br><br>
    Only 2 elements out of $q-1$ will make the method fail. The probability that it fails is $\frac{2}{q-1}$.
</div>

### Some notes on how many orders divide $p$, $q$ and $p$, but not $q$

In [None]:
dict_p = {}
ord_a_inFp_divides_s = 0
ord_a_inFp_not_divides_s = 0
# p_divides_gcd = 0
# p_not_divides_gcd = 0

for a in range(1, GF(p).cardinality()):
    order_of_a = GF(p)(a).multiplicative_order()
    
    if order_of_a in dict_p:
        dict_p[order_of_a] += 1
    else:
        dict_p[order_of_a] = 1
    
    if order_of_a.divides(s):
        ord_a_inFp_divides_s += 1
    else:
        ord_a_inFp_not_divides_s += 1
    
    # if Integer(p).divides(int(gcd(Mod(a^s-1, n), n))):
    #     p_divides_gcd += 1
    # else:
    #     p_not_divides_gcd += 1

In [None]:
ord_a_inFp_divides_s, ord_a_inFp_not_divides_s

In [None]:
ord_a_inFp_divides_s/(ord_a_inFp_divides_s + ord_a_inFp_not_divides_s)

In [None]:
# Let's see whether our beliefs are correct.
1/(3^3*5^2)

We have that the equation cannot hold when $3^3$ or $5^2$ is in the order of $a$ in $F_p^*$. This means that 

In [None]:
dict_q = {}
ord_a_inFq_divides_s = 0
ord_a_inFq_not_divides_s = 0
# q_divides_gcd = 0
# q_not_divides_gcd = 0

for a in range(1, GF(q).cardinality()):
    order_of_a = GF(q)(a).multiplicative_order()
    
    if order_of_a in dict_q:
        dict_q[order_of_a] += 1
    else:
        dict_q[order_of_a] = 1
    
    if order_of_a.divides(s):
        ord_a_inFq_divides_s += 1
    else:
        ord_a_inFq_not_divides_s += 1
    
    # if Integer(q).divides(int(gcd(Mod(a^s-1, n), n))):
    #     q_divides_gcd += 1
    # else:
    #     q_not_divides_gcd += 1

In [None]:
dict_q

In [None]:
ord_a_inFq_divides_s, ord_a_inFq_not_divides_s

In [None]:
ord_a_inFq_divides_s/(ord_a_inFq_divides_s+ord_a_inFq_not_divides_s)

In [None]:
# Let's check whether that result is the same as 2/(q-1), as suggested during the instructions
2/(q-1)

In [None]:
# q_divides_gcd, q_not_divides_gcd

In [None]:
# q_divides_gcd/(q_divides_gcd + q_not_divides_gcd)