Pollard's Rho Algorithm for Prime Factorization

Given a positive integer n, and that it is composite, find a divisor of it.
Example:

Input: n = 12;
Output: 2 [OR 3 OR 4]

Input: n = 187;
Output: 11 [OR 17]

Brute approach: Test all integers less than n until a divisor is found. 
Improvisation: Test all integers less than ?n
A large enough number will still mean a great deal of work. Pollard’s Rho is a prime factorization algorithm, particularly fast for a large composite number with small prime factors. The Rho algorithm’s most remarkable success was the factorization of eighth Fermat number: 1238926361552897 * 93461639715357977769163558199606896584051237541638188580280321. 
The Rho algorithm was a good choice because the first prime factor is much smaller than the other one.
Concepts used in Pollard’s Rho Algorithm:

1. Two numbers x and y are said to be congruent modulo n (x = y modulo n) if 
   
   1. their absolute difference is an integer multiple of n, OR,
   2. each of them leaves the same remainder when divided by n.
2. The Greatest Common Divisor is the largest number which divides evenly into each of the original numbers.
3. Birthday Paradox: The probability of two persons having same birthday is unexpectedly high even for small set of people.
4. Floyd's cycle-finding algorithm: If tortoise and hare start at same point and move in a cycle such that speed of hare is twice the speed of tortoise, then they must meet at some point.

Algorithm: 

1. Start with random x and c. Take y equal to x and f(x) = x² + c.
2. While a divisor isn't obtained 
   
   1. Update x to f(x) (modulo n) [Tortoise Move]
   2. Update y to f(f(y)) (modulo n) [Hare Move]
   3. Calculate GCD of |x-y| and n
   4. If GCD is not unity 
      
      1. If GCD is n, repeat from step 2 with another set of x, y and c
      2. Else GCD is our answer

Illustration:
Let us suppose n = 187 and consider different cases for different random values.

1. An Example of random values such that algorithm finds result: 
y = x = 2 and c = 1, Hence, our f(x) = x² + 1. 

👁 PollardRho1

2. An Example of random values such that algorithm finds result faster: 
y = x = 110 and ‘c’ = 183. Hence, our f(x) = x² + 183. 

👁 table

3. An Example of random values such that algorithm doesn't find result: 
x = y = 147 and c = 67. Hence, our f(x) = x² + 67. 

👁 PollardRho3

Below is implementation of above algorithm: 

Output: 

One of the divisors for 10967535067 is 104729

Time Complexity : O(sqrt(n)*logn)

Auxiliary Space: O(1)
How does this work?
Let n be a composite (non-prime). Since n is composite, it has a non trivial factor f < n. In fact, there is at least one f <= ?n . 
Now suppose we have to pick two numbers x and y from the range [0, n-1]. The only time we get x = y modulo n is when x and y are identical. However, since f < ?n, there is a good chance x = y modulo f even when x and y are not identical (Birthday Paradox). 
We begin by randomly selecting x with replacement from the set {0, 1, …, n-1} to form a sequence s₁, s₂, s₃ … Defining &sacute;_i = s_i mod f, our sequence now has each &sacute;_i belonging to {0, 1, …, f-1}. Because both the sets are finite, eventually there will be a repeated integer in both. We expect to achieve the repeat earlier in &sacute;_i, since f < n. 

Now, say &sacute;_i = &sacute;_j for i ? j, then, s_i = s_j modulo d. And hence, |s_i - s_j| will be a multiple of f. As per assumed above, n is also a multiple of f. Together this means that GCD of |s_i - s_j| and n will be positive integral multiple of f, and also our candidate divisor d! The catch here is that we just knew there had to be some divisor of n, and we didn’t even care of its value. Once we hit s_i and s_j (our final x and y) then each element in the sequence starting with s_i will be congruent modulo f to the corresponding element in the sequence starting with s_j, and hence, a cycle. If we graph the sequence s_i, we will observe the shape of Greek letter Rho (?). 
At the heart of Rho algorithm is picking up random values and evaluating GCDs. To decrease the costly GCD calculations, we can implement the Pollard’s Rho with Floyd’s cycle detection (which can be understood with the tortoise-hare analogy where the tortoise moves through each element one at a time in order, and the hare starts at the same point but moves twice as fast as the tortoise). We shall have some polynomial f(x) for the same, start with random x₀, y₀ = x₀, and compute x_i+1 = f(x_i) and y_i+1 = f(f(y_i)). Since we don’t know much about d, a typical choice for the polynomial is f(x) = x² + c (modulo n) (Yes, ‘c’ is also be chosen randomly).
Note:

1. Algorithm will run indefinitely for prime numbers.
2. The algorithm may not find the factors and return a failure for composite n. In that case, we use a different set of x, y and c and try again.
3. The above algorithm only finds a divisor. To find a prime factor, we may recursively factorize the divisor d, run algorithm for d and n/d. The cycle length is typically of the order ?d.

Time Complexity analysis: 
The algorithm offers a trade-off between its running time and the probability that it finds a factor. A prime divisor can be achieved with a probability around 0.5, in O(?d) <= O(n^1/4) iterations. This is a heuristic claim, and rigorous analysis of the algorithm remains open.