SÄVSTÄD
GA ARBETE
ATEAT
 ATEAT
SA
ST
TUT
E STC

MATEMATISKAINSTITUTIONEN,STOCKHOLMSUNIVERSITET

The art of integer fa torization

av

Joakim Marklund

2013 - No 12

Joakim Marklund

Självständigt arbete imatematik 15högskolepoäng, Grundnivå

Handledare: Johan Andersson

The art of Integer Factorization

Joakim Marklund June 3, 2013

Acknowledgements

I would like to thank my supervisor Johan Andersson for his great assistance and guidance during the writing process. I also thank my examiner Rikard B¨ogvad for his valuable comments.

A special thanks goes out to my friends and family who have been of great help and supported me during my time at the university.

Contents

1 Introduction 5

2 Mathematical Theory 6

2.1 Fundamental Theorem of Arithmetic . . . 6

2.2 Sieve of Eratosthenes . . . 6

2.3 Prime Number Theorem . . . 7

2.4 Fermat’s Little Theorem . . . 7

2.5 Euler’s Totient Function . . . 8

2.6 Euler’s Theorem . . . 8

2.7 Quadratic Residue . . . 8

2.8 Ordo (The big O-notation) . . . 9

2.9 Dickman-de Bruijn ρ function . . . 9

3 Public-key cryptography and RSA 10 3.1 Background . . . 10

3.2 Cryptography and RSA . . . 10

4 History of Factorization 11 4.1 Trial Division . . . 11

4.1.1 Method . . . 12

4.1.2 Analysis . . . 12

4.2 Fermat’s Factorization Method . . . 13

4.2.1 Method . . . 13

4.2.2 Example . . . 13

4.2.3 Analysis . . . 14

4.3 Maurice Kraitchik’s Algorithm . . . 14

4.3.1 Method . . . 15

4.3.2 Example . . . 15

4.4 Pollard’s p − 1 Algorithm . . . 16

4.4.1 Method . . . 16

4.4.2 Example . . . 17

4.4.3 Analysis . . . 17

4.5 Elliptic Curve Method . . . 18

4.5.1 Analysis . . . 18

4.6 Dixon’s Factorization Method . . . 19

4.6.1 Method . . . 19

4.6.2 Example . . . 20

4.7 The Quadratic Sieve . . . 21

4.7.1 Method . . . 21

4.7.2 Example . . . 22

4.7.3 Analysis . . . 26

4.8 General Number Field Sieve . . . 27

4.9 The Future . . . 27

5 Type of Algorithms 28 5.1 Probabilistic and Deterministic . . . 28

5.2 Special-purpose and General-purpose . . . 29

5.3 Conclusions . . . 30

6 RSA Records 30 6.1 Current Record . . . 31

6.2 Previous Records . . . 31

6.3 Future Challenges . . . 33

6.4 Security in the Future . . . 33

1 Introduction

Prime numbers, the building blocks of arithmetic, is the key fragment to all of number theory. Some people consider prime numbers to be the atoms of arithmetic, and who can blame them. As much as the periodic system exists in chemistry, one could build a system consistent of all prime num- bers, where the composed numbers could be multiplied together uniquely through prime numbers. Even though this analogy seems reasonable, we stumble onto some problems. The ancient Greeks have shown that there is an infinite amount of prime numbers, and we would therefore have to create a infinite system listing them all. Another problem will be to find them all, as they seem to appear in no logical or recurring order. Since of this day there exists no simple formula for discovering all the prime numbers.

Earlier this year, 25/01/2013 to be exact, the largest prime number yet had been found. It consists of over 17 million digits, and could be written as 2^57,885,161− 1. [25]

Over centuries people have been interested in prime numbers and their characterization, which have led to another aspect in number theory, in- teger factorization. Whenever the word integer factorization is used, the idea is to decompose a composite number into its key prime factors. Sup- pose we have an integer n which is a composite number, then the basic idea is to search for the primes that built n, i.e. n = p^a₁¹ × p^a₂²× ... × p^a_k^k, where the sequence p1 to pk are prime numbers and a1 to ak are positive integers.

Although factorization is of big importance in number theory, it is also a computational challenge. When we start to look at larger numbers, our own capacity can’t keep up with the speed of a computer. However, if we let the numbers grow even larger, the time amount and memory space that it would take for a computer to factorize is insufficient, and they have to forfeit as well. In theory, if we were able to construct quantum computers in the future, we could perform advanced calculations much faster. An al- gorithm has already been created depending on the existence of a quantum computer, and is called Shor’s algorithm. A paper on quantum computers was recently done at Stockholm University, and could be find here [15].

For now, the main things to increase the process of factorization is the algorithms at hand as well as computer power enhancements, which are the main stories in this paper. We will look at the history for different methods used to factorize, as well as some applications and close connections that integer factorization has to cryptography and security systems.

2 Mathematical Theory

This section will cover some of the theory that will be used throughout this paper. This contains mainly the areas of algebra and number theory, and will be given without proofs. The purpose of this chapter is to give a review of some important theorems in these areas.

2.1 Fundamental Theorem of Arithmetic

Every positive integer can be uniquely factorized as a product of prime numbers. This is equivalent to saying that every number can be expressed in exactly one way as a product of their corresponding prime numbers:

n = p^a₁¹ × p^a₂² × ... × p^a_k^k =

k

Y

i=1

p^a_iⁱ,

where pidenote the prime numbers that built n and ai are positive integers.

As this theorem holds fine over the natural numbers N, it’s important to be aware that this theorem is not true for more general number fields. In those fields the uniqueness implication does not hold any longer. For exam- ple in the complex ring Z[√

−5] we would have the factorization 6 = 2 × 3 = (1 +√

−5) × (1 −√

−5).

2.2 Sieve of Eratosthenes

The Sieve of Eratosthenes is a way to recognize whether a certain integer is prime or not. The process is done by stating all integers in an increasing fashion from 2 up to the number you want to find prime numbers for, de- noted n. The first number in this set, 2, must be a prime. We then cross off all numbers containing a multiple of 2, excluding the number itself. The first number that has not been crossed off, namely 3, must then be a prime.

Excluding 3 itself, cross off all multiplies of 3 and look for the next number that we have not crossed yet. We continue this procedure until we have worked our way up to n. One of the reasons that 1 is not interpreted as a prime number is because of the fundamental theorem of arithmetic ex- plained above. Since it states that all numbers can be expressed uniquely, adding 1 to our prime number list would make that statement false. All factors could then be rewritten as ’one times our unique factorization’, thus we exclude 1 as a prime number.

As stated in [2] (p. 19), we don’t have to look all the way up to n, but only up to the √

n. This is because after looking at √

n numbers, all num- bers above this point that have not been crossed of must be primes. If they

were not they would have to be a composite of a factor less than of equal to

√n. This holds because if n = a × b, then a ≤√

n or b ≤√ n.

Below shows a figure which illustrates how we would sieve through the first 100 integers, where the squares represent the prime numbers.

1 2 3
4 5 6
7
8
9 _10 11 _12 13 _14 _15 _16 17 _18 19 _20

21 _22 23 _24 _25 _26 _27 _28 29 _30 31 _32 _33 _34 _35 _36 37 _38 _39 _40 41 _42 43 _44 _45 _46 47 _48 _49 _50

51 _52 53 _54 _55 _56 _57 _58 59 _60 61 _62 _63 _64 _65 _66 67 _68 _69 _70 71 _72 73 _74 _75 _76 _77 _78 79 _80

81 _82 83 _84 _85 _86 _87 _88 89 _90

91 _92 _93 _94 _95 _96 97 _98 _99 _100^ 2.3 Prime Number Theorem

Even though there do not exist any simple formula for finding any particular prime number, it is possible to describe their asymptotic distribution [21].

If we let π(x) denote the number of primes less than or equal to x, then Gauss in 1792 proposed that the following asymptotic feature holds:

x→∞lim

π(x)

x/ log(x) = 1.

This turned out to be true and was proven independently in 1896 by Hadamard and de la Vall´ee Poussin. Intuitively this says that the average gap between prime numbers of size n is approximately log n. This could be interpreted as if we were to select a random integer between 1 and n, the probability that the integer chosen is a prime number will be about 1/ log n.

2.4 Fermat’s Little Theorem

Let p be a prime number and a an integer. Then Fermat’s little theorem states that

a^p ≡ a (mod p), or in other words a^p−1≡ 1 (mod p),

if p does not divide a. As an example we look at a = 3 and p = 7, where the GCD(3, 7) = 1. According to the theorem, this should be congruent to 1 mod 7. Calculating this we get 3⁷⁻¹ = 3⁶ = 729 ≡ 1 (mod 7), because 7 × 104 = 728.

2.5 Euler’s Totient Function

The totient function, mostly referred to as φ(n), counts the positive integers less than n which are relatively prime to n. The special case is the number 1 which counts as relatively prime to all numbers.

As an example we suppose n = 15. We are looking for numbers in which the GCD(x, 15) = 1. Since 15 has a common factor with 3, 5, 6, 9, 10 and 12, the rest of the numbers will be our answer. The integers x in which the equation above holds are therefore 1, 2, 4, 7, 8, 11, 13, 14. Counting these we find that φ(15) = 8. Given a prime factorization of n, the following two lemmas can be used to efficiently calculate the totient function.

Lemma 1. If GCD(n, m) = 1, then the totient function is calculated as φ(nm) = φ(n)φ(m).

Lemma 2. For any given prime number p to some power α, the totient function is always calculated to be φ(p^α) = p^α− p^α−1.

2.6 Euler’s Theorem

A generalization of Fermat’s little theorem, where φ(n) denotes Euler’s to- tient function, Euler’s theorem states that

a^φ(n) ≡ 1 (mod n), where a and n are integers such that GCD(a, n) = 1.

As an example we look at a = 3 and n = 10 (GCD(a, n) = 1). Then we have φ(10) = φ(2)φ(5) = (2 − 1)(5 − 1) = 4. Thus, according to the theorem, we get 3⁴= 81 ≡ 1 (mod 10), as intended.

2.7 Quadratic Residue

An integer b is called a quadratic residue if there exists another integer x, which we choose, such that the following equation holds:

x²≡ b (mod n).

As an example we can look at n = 7. We then calculate all the squares of the integers less than 7, and check the result:

1² ≡ 1 (mod 7), 2² ≡ 4 (mod 7), 3²≡ 2 (mod 7), 4² ≡ 2 (mod 7), 5² ≡ 4 (mod 7), 6²≡ 1 (mod 7).

With this information we have found the quadratic residues mod 7, which are 1, 2 and 4.

Worth mentioning is that there exists other techniques to determine whether an integer is a quadratic residue or a nonresidue other than just a plain brute force method, and those are generally faster than what we used above. One method [22] to find whether an integer is a quadratic residue or not is derived from Fermat’s little theorem, which is looking at the equation

r^(p−1)/2≡ ± 1 (mod p).

If the right-hand side happens to be +1 then r is a quadratic residue, and a nonresidue if it is −1.

2.8 Ordo (The big O-notation)

In determining whether an algorithm is effective or not, one often uses the symbol O to analyze its efficiency. This is a measure of describing the com- plexity of an algorithm, and how it responds to changes in input size. For example, O(n) would be growing linearly and in proportion to n. Other types could be exponential (O(cⁿ), c > 1) or logarithmic growth (O(log n)).

When using O one looks at the largest growing factor, since this will domi- nate the function for larger n.

If f (n) = n³ + 2n, the dominating factor in this function is n³, because for larger n the linear factor 2n will become negligible. We would then say that our function f (n) ∈ O(n³).

2.9 Dickman-de Bruijn ρ function

Let Ψ(x, y) be the number of integers less than x in which all prime factors are ≤ y. If P (n) is denoted as the largest prime factor of n, this could be expressed as

Ψ(x, y) = #{1 ≤ n ≤ x : P (n) ≤ y}.

Dickman [5] noticed that the proportion of integers up to x that only have prime factors ≤ x^1/u approaches a nonzero limit as x → ∞, for any fixed u ≥ 1. This limit is denoted ρ(u) and is known as the Dickman-de Bruijn ρ function. This ρ function is calculated by the delay differential equation uρ⁰(u) + ρ(u − 1) = 0, where ρ(u) = 1 for 0 ≤ u ≤ 1. More intuitively, the asymptotic feature can be read as

Ψ(x, x^1/u) ∼ xρ(u) as x → ∞.

3 Public-key cryptography and RSA

As much as integer factorization is of theoretical interest, it also plays an important role in cryptography. Here we will give an introduction to why this is the case, and how the RSA scheme correlates to integer factorization.

3.1 Background

Integer factorization becomes difficult for larger integers, as there is no known method to easily decompose a large number. Public-key cryptog- raphy is based on the fact that multiplication of two prime numbers is an easier task than knowing the end result and finding the corresponding fac- tors. This can be interpreted as if you know the primes p and q, finding n is easily done. However, knowing n only, p and q suddenly becomes really hard to find. In 1977 Rivest, Shamir and Adleman created a public key cryptosystem called RSA which exploits this asymmetry, and has ever since been a huge part of secure communication systems.

3.2 Cryptography and RSA

In the public key scheme, there is a distinct encryption and decryption key.

The object is to only let the decryption key be available for the person that are receiving the message. However, it is in theory possible to obtain the decryption key from just knowing the encryption key. The basic idea is to make this practically impossible, with the help of computers. If a time stamp in years could be made to measure the time it would take to find the decryption key, and if this would be implausible even by the use of the worlds fastest computers, the system is said to be secure.

The reason for calling it public key encryption scheme is because we allow the encryption key to be freely published. It does not matter if anyone were to find out the encryption key, as long as they can’t decrypt the encrypted message efficiently.

The way that RSA works [2] (p. 43) is we let p and q be large prime numbers, and n its product. We also have two integers, d (for decryption) and e (for encryption), such that

d × e ≡ 1 (mod φ(n)), (1)

where φ(n) denotes Euler’s totient function. We let the integers n and e be made public, and keep p, q and d secret. Let M be the message we want to send out, where M is a positive integer less than and relatively prime to n.

A longer message can be split into smaller parts such that each part is less than n.

To encode our message, we compute

E = M^e (mod n).

This is something that can be done rather quickly using the idea that a^2k ≡ (a²)^k (mod n) and a^2k+1 ≡ (a²)^k × a (mod n). Expressed using the big O-notation, this would take about O(log e) operations when we are dealing with multiplications and reductions mod n. Dealing with a logarith- mic growth, this means that the process is efficient even for larger e.

To finally decode our message, we use our hidden decryption key d to com- pute

E^d (mod n).

And we have received our message. This is because, due to Euler’s theorem, E^d≡ (M^e)^d≡ M^e×d ≡ M(multiple of φ(n))+1≡ M^kφ(n)+1

≡ (M^φ(n))^k× M ≡ 1^k× M ≡ 1 × M ≡ M (mod n),

which is the message we wanted to obtain. As stated, the problem in cryp- tography is finding the decryption key, d. However, if we would manage to find the primes p and q to the composed number n, φ(n) could easily be computed by

φ(n) = (p − 1) × (q − 1).

Knowing this, the decryption key d can be obtained by solving the congru- ence (1). Thus, our interest in finding the hidden decryption key d have now been reduced to finding the proper factorization of n.

4 History of Factorization

The question for finding the proper factorization of an integer n have taken many forms over the years, and this section will cover some of the ideas to how this can be done.

4.1 Trial Division

The most common method in integer factorization is called trial division, and is the easiest one to understand in this area. This is a brute-force method and will always achieve a proper factorization after numerous repetitions.

4.1.1 Method

The idea is to try and divide our number, n, by all integers less than n and check where the remainder is 0. If this is the case, we know n is divisible by this integer. This method works in theory for all numbers, but since we are looking at every number less than n, the time that it takes becomes overwhelming for larger numbers.

As you may know, or will realize, is that each composite number will have a prime factor less than √

n, and we would simply only need to test each prime number up to√

n and check if it divides n. If it does, we have found a factor of n. We then record this, and we move on to the next prime number.

After we checked all the prime numbers up to our limit, we have successfully found the factorization of n. If none of the prime numbers divide n, n itself must be a prime number. The reason for only checking the prime numbers instead of each integer is because we would not get any additional results to our data. For large numbers, dividing with each prime number is not a particular fast process. This also requires the assumption that we know all the prime numbers up to √

n. If n is chosen too large, this would cre- ate a problem. When we start taking on larger numbers, we can no longer check only primes since we don’t have an explicit formula for them, and the process will be even slower.

4.1.2 Analysis

The time complexity for trial division when we don’t have access to a prime table is in a worst case scenario O(√

n), since we have to look at all values less than√

n. The space complexity for this algorithm, i.e. the size of input becomes O(log n). The worst case occurs when n is only built up by two prime numbers, p and q, where p, q ≈√

n. As we can see the time complex- ity is polynomial in n, which makes the factorization process inefficient when n becomes large. Having access to a prime table will increase the speed of this algorithm slightly, but the space complexity will increase since we need to store all the primes up to a certain limit. Since π(√

n) ≈ ²

√n

log n due to the prime number theorem we will now have a time complexity of O(

√n log n), but the space complexity will increase to O(√

n). This is an improvement for the time complexity compared with the one above, but will still be a fairly slow process since√

n is the dominating factor for larger n.

This method is therefore only suitable for smaller numbers as well as for numbers with small prime factors. As we review larger numbers in this paper, the trial division method will no longer be competitive to the more complex algorithms created by Lenstra, Pomerance or Pollard.

4.2 Fermat’s Factorization Method

The method using trial division becomes inefficient for larger numbers as we don’t have enough capacity nor computer time to do this massive process.

In search for an alternative method we need to widen our range, and that is what Pierre de Fermat did in 1643.

4.2.1 Method

Fermat’s factorization method as it is called, is based on the fact [19] (p. 104) that we hopefully can rewrite the number we want to factorize, n = a × b, as the difference of two squares x and y.

n = x²− y²= (x + y)(x − y). (2) If we manage to succeed in rewriting n into this equation above, we imme- diately found a proper factorization. The problem that arises is how such a representation could be found for n? You may already realize that x >√

n, which means we should start by looking at numbers above the √

n. So if we consider the equation Q(m) = m² − n for different values of m above the√

n, and then look for relations such that the integer Q(m) happens to be a square. If this is the case, then we have found the relation such that (2) holds. If this does not occur we move on to the next value of x, i.e.

m + 1, and compute (m + 1)²− n and test whether or not this turns out a square. This process continues until we have a proper square that satisfies our equation above.

How much effort is then needed for this algorithm until success is guar- anteed? If n = a × b, where a < b, the factorization will be done when m reaches

x = a + b

2 , and thus y = a − b

2 . (3)

4.2.2 Example

To properly understand this method, we look at an example. Suppose n = 2883. √

2883 ≈ 53.69, which tells us that n itself is not a square. Looking for squares, we then start with

m = 54, Q(m) = 54²− 2883 = 33

33 can’t be represented as a square, and we continue our calculations onto m + 1, m + 2 etc.:

m Q(m)

55 142

56 253

57 366

58 481

59 598

60 717

61 838

62 961

When m = 62, we have arrived at a square. Q(m) = 961 = 31². With this information we easily calculate n as

n = 2883 = 62²− 31² = (62 − 31)(62 + 31) = 31 × 93.

4.2.3 Analysis

Something worth mentioning is that the numbers we are trying to factorize are preferred to be on odd form. Since we know that all even numbers have a factor 2, we can simply divide enough times by 2 to make it an odd number.

If we were to look for a difference of squares with even numbers, we might get ourselves into trouble, as we can see in the example below.

Suppose n = 2746. The proper factorization of n is 1373 × 2. Then the corresponding x and y, using equation (3), would have been 687.5 and 685.5.

Clearly we would not have found those corresponding x and y if we would have searched for them, and by dividing n by 2 from the start would have saved both time and effort.

If we compare Fermat’s method with the trial division, one might see that instead of testing small primes and going upwards, we now look for numbers close to √

n. If the composite number n does not have any factors close to its square root, Fermat’s factorization method is not that much of a better algorithm than trial division. If both a ≈ √

n and b ≈ √

n, the running time is about O(√

n). If this is not the case however we could end up with a running time as bad as O(n). Although we don’t have an improvement in terms of speed, it is of great theoretical interest as we shall see in the upcoming sections.

4.3 Maurice Kraitchik’s Algorithm

In the early stages of the 20th century, a Belgian mathematician named Mau- rice Kraitchik made an enhancement of Fermat’s difference-of-two-squares technique [16]. This method lays ground to some of the more complex algo- rithms that are most common when trying to factorize the largest numbers.

4.3.1 Method

Instead of looking for integers to satisfy the equation Fermat looked at:

n = x²− y²,

Kraitchik [9] thought that it could be sufficient to look at a difference of squares that were a multiple of n, i.e.

x² ≡ y² (mod n).

Now, some of the congruences may yield uninteresting solutions and some may be useful. The uninteresting ones were in fact x ≡ ± y (mod n) and, respectively, x 6≡ ± y (mod n) led to be the interesting ones.

If n is an odd number with two prime factors, then half of the solutions to x² ≡ y² (mod n) are of the interesting variety. For those solutions x and y, it turns out that the GCD(x − y, n) is a nontrivial factor of n. Indeed, n divides x²− y² = (x − y)(x + y), but divides neither factor.

4.3.2 Example

To clarify how this process is done we look at an example. Suppose n = 2759.

The squares above n are for m = 53 and above (53² = 2809). We then consider the same equation as Fermat Q(m) = m²− n, for m = 53, 54, 55...

and so on. Calculating these we get the following set:

50, 157, 266, 377, 490, 605...

As we start looking for squares in this sequence, one may notice that we haven’t found one yet, and continue searching the way Fermat did. But Kraitchik had another approach: he would try to find numbers x so that the product of a particular sequence would equal a square. This corresponds to finding

Q(m1) × Q(m2) × ... × Q(mk) = x² and m1× m₂× ... × m_k= y which then correlates to

y² = m²₁× m²₂× ... × m_k² ≡ (m²₁− n) × (m²₂− n)... × (m²_k− n)

= Q(m1) × Q(m2) × ... × Q(mk) = x² (mod n).

Thus, we have found a solution x² ≡ y² (mod n). A tricky question still remains, how do you actually find this set m1 to mk? What Kraitchik then noticed was that some numbers in the sequence Q(m) could be written as a product of prime factors:

50 = 2 × 5², 490 = 2 × 5 × 7², 605 = 5 × 11².

Some numbers such as 157, 266, 377, were not quite as easy to factorize, and would therefore yield no helpful result. These numbers were then just filtered away. With the factorized numbers Kraitchik then recognized that the product of these three numbers combined would turn out a square (2²× 5⁴× 7²× 11²= 3850²). Thus, we get the relations:

x =p

Q(m₁) × Q(m₂) × Q(m₃) = 2 × 5²× 7 × 11

= 3850 ≡ 1091 (mod 2759)

y = m1× m₂× m₃= 53 × 57 × 58

= 175218 ≡ 1401 (mod 2759).

We quickly note that 1091 6≡ ± 1401 (mod 2759), and can then compute the GCD(1401 − 1091, 2759) (or GCD(1401 + 1091, 2759)), where the first one is calculated, by Euclid’s algorithm, to 31. Thus, one prime factor to 2759 is 31, with the other one being 89 (31 × 89 = 2759).

4.4 Pollard’s p − 1 Algorithm

In 1974, John Pollard came up with an different technique called Pollard’s p − 1 algorithm. The main idea [3] is to use information about the order of an element in the group Zp to achieve a factor p of n. It is based on Fermat’s little theorem.

4.4.1 Method

If we suppose that n = p × q, we know that p divides n. By Fermat’s little theorem, we know that a^p−1≡ 1 (mod p), or equivalently d = a^p−1− 1 ≡ 0 (mod p), for any integer a relatively prime to p. Thus, GCD(d, n) = p, which is a factor of n. Because p is our unknown factor, this can’t be calculated immediately. What one could do is to compute a^m for values m = 1, 2, 3...

up until m reaches p−1 to achieve d, and thus GCD(d, n) = p. This however is quite ineffective, since we would need p−1 operations involving exponents.

There is however a more clever way to choose m, which do not require the need to do the exponential operations a^m up to m = p − 1. If m has the property (p − 1)|m, i.e. m = c(p − 1) for some positive integer c, then

a^m− 1 = a^c(p−1)− 1 = (a^(p−1))^c− 1 ≡ 1^c− 1 ≡ 0 (mod p).

This yields that GCD(a^m− 1, n) = p. Thus, we need to choose m such that we get a factor of n if (p − 1)|m.

This algorithm can be expressed in the following steps:

1. Select a random integer a₁, where 2 ≤ a₁ ≤ n − 1.

2. Compute d = GCD(a₁, n).

If d = 1, keep going.

If d 6= 1, we have found a proper factorization.

3. Calculate a_j = a^j_j−1.

4. Compute g = GCD(a_j− 1, n).

If g = 1, go back to step 3 with j → j + 1.

If g 6= 1 and g 6= n, we are done.

We will usually achieve a proper factorization when j reaches the largest prime factor of p − 1. After j steps, we get that a_j ≡ a^j!₁ (mod n).

4.4.2 Example

Suppose n = 2573. We start by choosing a₁ = 2, and compute GCD(2, 2573), which is 1. We therefore move on to calculate a₂, a₃ etc. Using the recursion formula from the method above we get

a2= a²₁ = 2² ≡ 4 (mod 2573) ⇒ GCD(4 − 1, 2573) = 1 a₃= a³₂ = 4³ ≡ 64 (mod 2573) ⇒ GCD(64 − 1, 2573) = 1 a4= a⁴₃ = 64⁴≡ 1256 (mod 2573) ⇒ GCD(1256 − 1, 2573) = 1 a₅= a⁵₄ = 1256⁵ ≡ 280 (mod 2573) ⇒ GCD(280 − 1, 2573) = 31 As we can see, using a5 we get that g 6= 1 nor n, turning 31 into a proper factorization of n. Thus, 2573 = 31 × 83.

4.4.3 Analysis

The running time of this algorithm depends a lot on the property of the composed number n, and its corresponding prime numbers. If p is a prime to our composed number, then we hope that p − 1 consists of smooth num- bers (numbers which have all prime factors less than some chosen bound, B). If this does not occur, we could be left in a so called worst case scenario.

This will correspond to ^p−1₂ = q, meaning that the only smooth numbers for p − 1 are 2 and another prime, q. If this is the case for our composite number n, the Pollard p − 1 algorithm is not faster than the algorithm for trial division. Example of numbers that would not perform well for this algorithm are 47 and 83, in which the equation above holds.

Then what are the odds of ending up in a worst case scenario? Or equiva- lently what is the probability that a random chosen integer between 1 and n have only prime factors which are ≥ m, i.e. no smooth factors? In reverse,

this could be analyzed using the Dickman-de Bruijn function. The proba- bility that a random integer between 1 and n is going to have the greatest prime factor ≤ n^1/2 is about ρ(2) = 1 − log 2, or 30 %. Thus, for about 30 % of the prime numbers, we will have a time complexity of about O(p¹²) steps . This corresponds to O(n¹⁴), which indicates that for certain integers n with suitable properties, this algorithm is faster than trial division or Fermat’s algorithm. If we were to look at an even smaller range where the factors are

≤ n^1/3, then the probability is about 4.8 % (ρ(3) ≈ 0.048).

If we however don’t know any particular properties more than that p − 1 is smooth, we can instead look at a more general case. If we let m = B and consider p to be a factor of n and that p − 1 is assumed to be smooth, the running time of this algorithm in modular multiplications is about O B_{ln B}^{ln n}
[12] (p. 93).

4.5 Elliptic Curve Method

Similar to the p − 1 algorithm, H.W Lenstra in 1987 [10] came up with an interesting approach to the factorization scheme, using elliptic curves. In- stead of dealing with a multiplicative group as we did in the Pollard’s p − 1 algorithm, we now look at a group of points on a random elliptic curve.

If we were to choose a single elliptic curve, the properties of this method is exactly the same as the one of Pollard’s algorithm above. The elliptic curve method is therefore a generalization where the group Zp is replaced by an elliptic curve over Zp. The order over this group will roughly be distributed accordingly to the Sato-Tate measure [20] over the interval p + 1 ± 2√

p. If the order in this group is smooth, we have a good chance to find a proper factorization of n. If the group order does not turn out to be smooth, we may not succeed and would have to choose a different elliptic curve and hope for a better outcome. The algorithm can thus be repeated until a complete factorization of n is found.

4.5.1 Analysis

Similar to the case in Pollard’s p − 1 algorithm, the choice of the smoothness bound B plays an important role. if we were to choose say B = p^1/3 we would have around ρ(3) = 0.048 = 4.8% chance of achieving a factorization with one chosen elliptic curve. Thus we would on average need to choose about _ρ(3)¹ ≈ 20 different curves for a decent chance to factorize our integer.

A similar analysis goes if we would choose B = p^1/n, then we want _ρ(n)¹ curves for a good chance of success. Thus, choosing a large B uses less curves but more time on each one while choosing a smaller B requires us to use more curves which will take more time. Asymptotically, the conjectured

running time for this algorithm is O(e^(1+o(1))

√log n log log n),

where the worst case scenario will occur when two prime factors are both close to the√

n. For a deeper insight into this algorithm and the underlying process, the original paper from Lenstra [10] is recommended.

4.6 Dixon’s Factorization Method

Coming back to the ideas of Fermat’s algorithm, John Dixon in 1981 [6]

came up with further improvements to the congruence of squares scheme.

Some parts to this algorithm comes from the work of Morrison-Brillhart, which involves the use of linear algebra.

4.6.1 Method

Dixon’s method is still looking for congruences of squares, just like Fermat and Kraitchik did, i.e.:

x² ≡ y² (mod n), x 6≡ ± y (mod n).

The improvements made in this method comes of the work by Morrison- Brillhart [13], and begins by choosing a bound B and identifying the so called factor base. This means that we choose an integer B and calculate all primes less than B, which will be called our factor base (denote this P ). We then start looking for integers m such that Q(m) = m²− n can be expressed in terms of our factor base. This is equivalent to the equation:

m²_i ≡Y

P_i^ai (mod n).

After finding a couple of these relations (usually sufficient that we find a few more than our factor base), we can use the knowledge from linear algebra to multiply some of these relations together in a way that the product will be a congruent square.

m²₁× m²₂× ... × m²_k≡Y

i

P_i^{(ai,1+ai,2+...+ai,k)} (mod n), (4)

where the exponents a_i,1+ a_i,2+ ... + a_i,k ≡ 0 (mod 2).

The reason for using modulo 2 in the exponent is because this would yield that every even number in the exponent would be 0, and every odd number would be 1. This indicates that if we could find a relation ai,1+ ai,2+ ... + a_i,k ≡ 0 (mod 2), we would have find an proper square. If such a rela- tionship is found, we have constructed our awaited congruence of squares

x² ≡ y²(mod n). We finally compute GCD(x+y, n) or GCD(x−y, n), which hopefully will yield our factorization. As stated in the section concerning Kraitchik, some solutions in this equality will not yield any significant re- sult. If x ≡ ± y, then we would get the factorization n = n × 1. We would then have to search for a different linear combination such that equation (4) holds, and hope for a better outcome. This algorithm uses a structured method to find the proper factorization, in comparison to what Kraitchik did. We can thus categorize this algorithm into two phases, a data collection phase and an evaluating phase. First we retrieve combinations of our fac- tor base, and for the second we search for relations to satisfy our equation above.

4.6.2 Example

To make this more clear we can look at an example. Suppose that n = 1189.

We decide to choose the factor base as {2, 3, 5, 7}, and we can start our data collection phase. We know that √

n ≈ 34.8. We then search for integers that could factor into our factor base, for instance

35² ≡ Q(35) ≡ 2²× 3²× 5⁰× 7⁰ (mod 1189) 37² ≡ Q(37) ≡ 2²× 3²× 5¹× 7⁰ (mod 1189) 69² ≡ Q(69) ≡ 2⁰× 3⁰× 5¹× 7⁰ (mod 1189)

After finding some integers that satisfies our request, we look for a combi- nation in which we can create a product where the exponents equal zero modulo 2. Looking at our exponents, we have the exponent vectors

35²⇒ {2, 2, 0, 0} = {0, 0, 0, 0} (mod 2) 37²⇒ {2, 2, 1, 0} = {0, 0, 1, 0} (mod 2) 69²⇒ {0, 0, 1, 0} = {0, 0, 1, 0} (mod 2)

Looking for perfect squares, we can immediately see that 35² is a perfect square (exponent vector is 0 (mod 2)). We can then apply Fermat’s algo- rithm directly and receive that 1189 = 35²− 6²= (35 − 6)(35 + 6) = 29 × 41.

If we however can’t get any immediate solutions and for the sake of il- lustration of this method, we can also look for other combinations. Using some linear algebra we note that combining 37 and 69 will also achieve an exponent vector that is 0 (mod 2). This translates to (69 × 37)² = 2² × 3² × 5², which can be rewritten as 2553² = 30². This yields that 2553 ≡ 30 (mod 1189), or 175 ≡ 30 (mod 1189). Finally we compute 1189 = GCD(175 − 30, 1189) × GCD(175 + 30, 1189) = 29 × 41.

4.7 The Quadratic Sieve

Implemented in 1981 by Carl Pomerance, an improvement to Kraitchik and Dixon’s methods came along [2] (p. 104). Judging by the name, one may already tell that a sieving process will be made. Much alike the sieve of Eratosthenes, we will use a sieve to sort through our integers in a methodical fashion.

4.7.1 Method

As in the sections of Dixon and Kraitchik we still look for congruences of squares, with the same incentive as before. The problem that arises with the earlier methods is the problem of finding integers m² which can be expressed in terms of our factor base. We again return to the polynomial used by Kraitchik in his method. With a slight variation, we create the quadratic polynomial

Q(x) = (x + d√

ne)²− n, which is used in our sieve. Here d√

ne denotes the smallest integer not less than√

n. This is called the ceiling function. With chosen integers x, we can calculate the respective values for Q.

The quadratic sieve can be expressed in three different steps:

1. Choose a smoothness bound B and then recognize the primes less than or equal to B. Looking at those prime numbers we then solve the equation

x² ≡ n (mod p).

The prime numbers that solves this equation then creates our factor base, and will be the basis for our sieving process. The reasoning behind this choice is that the values of Q(x) will only have prime factors p such that n is a quadratic residue mod p. Thus our factor base should be consistent of the prime numbers in which n is a quadratic residue mod p. The rest of the primes that does not fulfill the equation above are no longer useful and will be left aside.

2. The second part is to start the sieving operations, which means that for each prime of our factor base, we solve the equation

Q(x) = (x + d√

ne)²− n ≡ 0 (mod p).

Solving this for x, we will know which corresponding Q(x) will be di- visible by a certain prime. After completing this procedure for every

numbers. The smooth numbers will tell us that the initial number could be expressed in terms of the primes from our factor base.

We perform the sieving process to find a sufficient amount of num- bers that can be fully factorized into our factor base. As mentioned before, this should preferably be more than the amount of numbers in our factor base.

3. Use linear algebra (Gaussian elimination for example) to find such a relationship that the product of these prime numbers forms a perfect square. This corresponds to looking at a combination in which the exponents ai,1+ ai,2+ ... + a_i,k ≡ 0 (mod 2).

After finding such a relation corresponding to x² ≡ y², where x 6≡ ± y, we compute the GCD(x − y, n) or GCD(x + y, n) to find a nontrivial factor of n. If we don’t get a nontrivial factor (which would correspond to n = n×1), we search for a different combination of smooth numbers or try a different factor base.

4.7.2 Example

As an example we choose a random integer and try to decompose it into its corresponding prime numbers. Suppose n = 3953, where√

3953 ≈ 62.9.

Our ceiling function will then be d√

3953e = 63. Our first step is to obtain a factor base from a reasonable chosen bound B. We choose B = 17 and look onto the prime numbers less than or equal to 17, and solve the congruences x² ≡ n (mod p), i.e. the corresponding quadratic residues. Since B = 17, the primes ≤ 17 are 2, 3, 5, 7, 11, 13 and 17.

x²≡ 3953 (mod 2) ⇔ x² ≡ 1 (mod 2)

We can see that there exists an integer x such that x² ≡ 1. Thus, 3953 is a quadratic residue modulo 2, and we put 2 into our factor base. Continuing with 3, we get

x²≡ 3953 (mod 3) ⇔ x² ≡ 2 (mod 3)

In this case, there does not exists an integer x such that x² ≡ 2, and 3953 is not a quadratic residue modulo 3. Doing this process for all the primes, we get that our factor base will consist of {2, 11, 13, 17}.

After creating the factor base we move on to the data collection phase, and set up the sieve as:

Q(x) = (x + d√

3953e)²− n = (x + 63)²− 3953.

As n is fairly small, we choose to sieve through the first 0 ≤ x ≤ 20 of Q(x) and check for a combination of smooth numbers. If we don’t find any, we either raise our factor base or increase the bound of x.

We now perform the sieving operations, which again means solving the equa- tion Q(x) = (x+d√

ne)²−n ≡ 0 (mod p). If an entry divides more than once by the same prime, this will be done without further notice. This process is shown below:

Q(x) = (x + 63)²− 3953 ≡ 0 (mod 2) ⇒ (x + 1)²− 1 ≡ 0 (mod 2)

x²+ 2x + 1 − 1 ≡ 0 (mod 2) ⇔ x²≡ 0 (mod 2)

Which tells us that those x who solves the equation above, also divide Q(x).

Modulo 2 this corresponds to all even numbers. We can thus sieve through all even numbers from this prime.

Moving on to our next prime, 11, we need to find those x that solves Q(x) ≡ 0 (mod 11). With the same thought process as above we see that

Q(x) = (x + 63)²− 3953 ≡ 0 (mod 11) ⇒ (x − 3)²− 4 ≡ 0 (mod 11) which, solving for x, yields the numbers we can sieve through:

x ≡ 3 ± 2 (mod 11), x ≡ 1 or x ≡ 5.

Calculating with the same process for 13, we get

Q(x) = (x + 63)²− 3953 ≡ 0 (mod 13) ⇒ (x − 2)²− 1 ≡ 0 (mod 11) Solving for x we get x ≡ 2 ± 1 (mod 11), which gives that x ≡ 1 or x ≡ 3.

Finally, for 17, solving the equation Q(x) ≡ 0 yields that x ≡ 2 or x ≡ 8.

The sieving process is shown below:

0 1 2
3
4 5
6 7 8
9 _10

11 _12 13 _14 15 _16 17 _18 19 _20 (mod 2)

0
1 2 3 4 5
6 7 8 9 10

11 _12 13 14 15 _16 17 18 19 20 (mod 11)

0
1 2
3 4 5 6 7 8 9 10

11 12 13 14 15 16 17 18 19 20 (mod 13)

0 1 2
3 4 5 6 7 8
9 10

11 12 13 14 15 16 17 18 _19 20 (mod 17)

This tells us that when for example x = 0, the corresponding Q(0) will be divisible by 2 (the other three are not crossed over). Looking at x = 1, we can see that both 11 and 13 divides Q(1). As we are interested in smooth numbers from our sieving process, we express the procedure above in table form:

x x + 63 Q(x) 2 11 13 17

0 63 16 1 1 1 1

1 64 143 143 13 1 1

2 65 272 17 17 17 1

3 66 403 403 403 31 31

4 67 536 67 67 67 67

5 68 671 671 61 61 61

6 69 808 101 101 101 101

7 70 947 947 947 947 947

8 71 1088 17 17 17 1

9 72 1231 1231 1231 1231 1231

10 73 1376 43 43 43 43

11 74 1523 1523 1523 1523 1523

12 75 1672 209 19 19 19

13 76 1823 1823 1823 1823 1823

14 77 1976 247 247 19 19

15 78 2131 2131 2131 2131 2131

16 79 2288 143 13 1 1

17 80 2447 2447 2447 2447 2447

18 81 2608 163 163 163 163

19 82 2771 2771 2771 2771 163

20 83 2936 367 367 367 367

Here the last four columns represent the 4 prime numbers from our factor base, and each column indicates whether or not Q(x) is divisible by that prime. For example at x = 1, we saw that 11 and 13 divided Q(1), which in the table reads that 143 is not divisible by 2 (nothing happened), but 143/11 = 13 and 13/13 = 1. As we can read out from the table we are left with 5 smooth numbers (those which in our final column equals 1). Those numbers can be fully expressed in terms of our factor base. The numbers that did not yield a complete factorization from the sieving process are no

longer useful. The corresponding smooth numbers are:

16 = 2⁴× 11⁰× 13⁰× 17⁰ 143 = 2⁰× 11¹× 13¹× 17⁰ 272 = 2⁴× 11⁰× 13⁰× 17¹ 1088 = 2⁶× 11⁰× 13⁰× 17¹ 2288 = 2⁴× 11¹× 13¹× 17⁰ which, modulo 2, corresponds to the exponent vectors

{4, 0, 0, 0} ⇒ {0, 0, 0, 0} (mod 2) {0, 1, 1, 0} ⇒ {0, 1, 1, 0} (mod 2) {4, 0, 0, 1} ⇒ {0, 0, 0, 1} (mod 2) {6, 0, 0, 1} ⇒ {0, 0, 0, 1} (mod 2) {4, 1, 1, 0} ⇒ {0, 1, 1, 0} (mod 2)

Thus, we are looking for a system in which the exponents ai,1+ ai,2+ ... + a_i,k ≡ 0 (mod 2). This could also be expressed in vector form as finding a non-trivial solution to the linear system









0 0 0 0 0 0 0 1 0 0 1 0 0 1 0 0 1 0 0 0 1 1 0 0







 .

Looking at this matrix, we quickly see that the vector (0 1 0 0 1) solves the system. This then corresponds to our second and fifth number, which are 143 and 2288. The respective values for x + 63 to these values are 64 and 79. Thus we have found the relation

(64 × 79)²

| {z }

=˜x²

≡ (143 × 2288)²

| {z }

=y²

= (2²× 11 × 13)² (mod 3953),

where ˜x = x + 63. This gives that ˜x = 64 × 79 = 5056 ≡ 1103 (mod 3953) and y = 2²× 11 × 13 = 572 ≡ 572 (mod 3953). Since ˜x 6≡ ± y, we compute GCD(1103 − 572, 3953) or GCD(1103 + 572, 3953) to get the factorization of n. By Euclid’s algorithm, those values are calculated to be 59 and 67. This yields that 3953 = 59 × 67.

One may notice that a different solution vector could have been chosen, namely (0 0 1 1 0). This would have given that ˜x = 65 × 71 and y = 2⁵× 17¹. With the same thought process we would receive the GCD from those values which becomes 59 and 67, as intended.

4.7.3 Analysis

The heuristic running time for the quadratic sieve is e^(1+o(1))

√log n log log n, making it the second fastest algorithm when it comes to dealing with the largest and most difficult numbers, next to the general number field sieve.

One may notice that the quadratic sieve has the same asymptotic running time as the elliptic curve method, but it is in practice a faster method when dealing with numbers of type n = p × q (where p and q ≈√

n). This is due to the fact that the steps in the sieving process and matrix reduction are faster than the operations used in the elliptic curve method.

If we analyze the process behind this algorithm, one might realize that the factor base plays an important role. Obviously we can choose it very small, but that would create the problem that it would be harder to find smooth numbers. We would thus need to increase our bound for x, since only a very small proportion of number will factorize over a smaller factor base.

The other alternative would be to increase our factor base such that most of our numbers successfully factorizes in our bound. This however yields more smooth numbers, thus creating a larger matrix in which we need to find a linear combination for. Thus, given an integer n that we are trying to factorize, how should be choose B efficiently?

If we choose for example B = n^1/6, then one could ask the question what the running time of the algorithm would be. Well, first we notice that the num- bers x chosen from our polynomial will lie somewhere around n^1/2. We also would like to have around B numbers that are smooth. Using the Dickman- de Bruijn function we know that the probability of having a smooth number is roughly ρ(u). In this case we get that u = 3 corresponding to that around 5 % of our numbers used might be expressed in our factor base, meaning that we want to do around _ρ(3)¹ trials for a good chance of success. This means that we need a table of size about _ρ(3)^B . The number of operations to finding smooth numbers is then about _ρ(3)^B log log B. After finding those numbers, we will have a matrix roughly of size B × B that needs to be solved. Using Gaussian elimination this matrix will be solved in about O(B³) arithmetic operations. However, using the fastest matrix reduction methods available [17] (p. 9) (such as the Lanczos method or Wiedemann coordinate recurrence method) gives an asymptotically better running time then plain Gaussian elimination, with a complexity of about O(B^2+).

Looking at the other steps of the algorithm such as computing the GCD of the congruent squares or finding all primes in a certain bound will not asymptotically matter when looking at the running time. If we look at the

two steps above, we see that we get a total running time of O B log log B

ρ(3) + B^2+



= O(B^2+) = O(n^1/3+˜).

Thus, for a specific chosen bound B we get a corresponding running time for n. As the sieving process and the matrix operations both depend on B separately we want to choose B such that both steps have roughly the same running time, in order to optimize the algorithm. In our example above B was chosen such that the matrix operations would take more time than the sieving operations. Because we chose an arbitrary B, this was no optimal choice. To optimize the running time of the algorithm, it turns out that the factor base should roughly be of size [17] (p. 9):

B = e^(1/2+o(1))

√log n log log n.

4.8 General Number Field Sieve

The most efficient algorithm up to this day is the general number field sieve, and was invented by J. M. Pollard in 1988. The general number field sieve (or GNFS for short) works with the same incentive as Dixon’s method or the quadratic sieve, which is to find two congruent squares mod n. The difference lies in how we generate these squares, in which we now combine forming small rational integers mod n as well as ’small’ integers mod n in some chosen number field. This algorithm requires knowledge of algebraic number fields, and will therefore not be covered in detail in this paper. For the interested reader I recommend [18] for a more in-depth view on the me- chanics of the GNFS.

The GNFS has a heuristic complexity of factoring n of O

e^((64/9)1/3+o(1))(log n)^1/3(log log n)^2/3 ,

which is a bit faster then the quadratic sieve algorithm. In practice the two latter algorithms are the chosen tools when attempting to factor large and

’hard’ composite numbers. Generally, the quadratic sieve is the best choice when dealing with numbers up to 120 digits. For decimal digits larger than 120, the GNFS is currently the most efficient algorithm.

4.9 The Future

So, where are we heading when we look at the future of integer factorization?

Well, this is of course impossible to predict, but looking back over the years we can see that no new efficient algorithm has been created since the late

80’s, and the GNFS remains the best algorithm. Most improvements that have been done is based around smoothness and factor bases, but are these improvements enough to break the greatest factorization challenges? It is very likely that we will have to choose another strategy in order to find an algorithm that efficiently factorize large integers, and hopefully one which runs in polynomial time in log n (O((log n)^c) for some constant c).

Until such an algorithm is found (if there even exists one) or until we are able to create a quantum computer capable of running Shor’s algorithm, integer factorization remains to be an interesting challenge.

5 Type of Algorithms

In the area of integer factorization there are different types of algorithms that are done in different ways. Because of this they can be categorized accordingly, and this section will cover how this process is done.

5.1 Probabilistic and Deterministic

Looking through some of the most common algorithms in this genre, we can quickly distinguish certain features in them. There are mainly two types of algorithms within the area of integer factorization, called deterministic and probabilistic. The deterministic algorithms searches systematically for divisors, and could often be analyzed using the O-notation (depending on the complexity of the algorithm). Algorithms such as trial division and Fermat’s factorization method are searching for divisors in a methodical fashion and we can know for sure that they will successfully factorize our integer. Thus they applies in the section of deterministic algorithms. The fastest deterministic algorithm known is a variant of an algorithm of Pollard and Strassen due to Costa and Harvey [4], and has a time complexity of

O n^1/4× log n

√log log n

! .

The other type of algorithms are called probabilistic. The probabilistic algorithms could also be divided into two subgroups, provable and heuristic ones. As stated by its name, those type of algorithms involves chance and randomness in some way. We may no longer be a 100 % certain to find an integer that factorizes our composed number given a specific period of time.

However, in exchange for the randomness in our method, these algorithms will ’usually’ be done quicker than a deterministic one. An example of such an algorithm is a variation of Dixon’s factorization method, in which we instead of systematically looking at integers we can generate random integers and hope that those integers squared (mod n) turns out smooth

to some chosen bound. Dixon’s method in this case is an algorithm which has been proven to always achieve a proper factorization with any given probability arbitrarily close to 1 with a running time of about

O e²

√2 log n log log n .

Another probabilistic algorithm which we haven’t talked about but will also achieve a correct output is the Schnorr-Seysen-Lenstra algorithm, an algo- rithm that was rigorously proven in 1992 by Pomerance and Lenstra [11] un- der the assumption of the generalized Riemann hypothesis. Dixon’s method as explained in section 4.6, where we don’t look at random integers, is in practice a faster variant than the one explained above, but has not been proven mathematically. As most probabilistic algorithms are not proven, we can not be certain that these will achieve a proper factorization. One therefore often looks at heuristic arguments when determining the running time of those algorithms. The general number field sieve, the quadratic sieve and the elliptic curve method are some examples of algorithms which in practice works fine but are not proven mathematically. As time becomes a crucial part when dealing with larger numbers, the probabilistic algorithms will dominate because the time and space complexity for deterministic al- gorithms is insufficient with today’s technology.

5.2 Special-purpose and General-purpose

The factoring algorithms could also be divided into two subgroups because of their specific purpose. All the algorithms in this paper are not applicable for every situation, and should thus preferably be used where it suits them the most.

The first set, the special-purpose algorithms, have their running time de- pendent on the integer n and its properties. This could be that the factor p of n have certain features, or that the integer at hand have some small prime factors. These types of algorithms are generally used to factorize ’special’

numbers, as well as numbers which contains small factors. In this category we find trial division, Fermat’s factorization method, Pollard’s p − 1 algo- rithm & the elliptic curve method.

The other set, the general-purpose algorithms, have a time complexity which depends only on the size of the integer to be factorized, n. These algorithms are therefore used when no special features in our integer are detected and the special-purpose algorithms have failed. Since most RSA numbers are built up in a way to avoid simplicity, these types of algorithms come well in hand. This set includes Dixon’s factorization method, the quadratic sieve &

the general number field sieve. These algorithms have a running time which

is subexponential [7] (p. 41), meaning a time complexity of O

e(c+o(1))(log n)^α(log log n)^1−α

where α is a constant satisfying 0 < α < 1 and c is a constant, both dependent on the algorithm used.

5.3 Conclusions

As we have seen, there are many different methods and algorithms to use when trying to factorize an integer. All of these algorithms can be used for any number, but could be very inefficient depending on the structure or size of the number. This will cover some of the most common areas of use for the algorithms reviewed in this paper.

If we were looking to factorize integers up towards 12-14 digits, trial di- vision is sufficient enough with the help of a computer. For larger numbers, the p − 1 algorithm or Elliptic curve method (ECM) might come in handy.

This depends heavily on the number that we are trying to factorize, and its properties. If one of the factors p have the special property that p − 1 is smooth, then the p − 1 algorithm can easily handle numbers between 20 and 100 digits, if we have enough computer power and the requirement above is met.

If certain properties can not be found, which becomes the case when dealing with RSA numbers, we have to look at the general-purpose methods. As stated before, these methods only depend on the size of the integer, and does not require any special properties. This group involves the quadratic sieve as well as the general number field sieve, which is the methods of choice when trying to decompose the hardest integers (called RSA numbers).

Thus, whether you are trying to decrypt the most complex cases or sim- ply wishing to decompose a random integer, consider the structure of the integer at hand and then choose the best algorithm that suites the particular situation.

6 RSA Records

As we have taken on fairly small numbers throughout this paper, we will now look at the more complex cases. These special integers are of certain forms and are considered to be harder to factorize than most numbers. Particularly it is because of their massive size, but also because of their properties. To make it as difficult as possible, the composite number n is often split into 2 prime numbers, p and q. Furthermore our composed number are set up in a

way that we cannot easily detect certain divisors (no small prime factors) or that no special algorithms can efficiently factorize it, such as Pollard’s p − 1 algorithm or trial division.

6.1 Current Record

The current record [8] that stands is the factorization of a RSA-768 number, factorized in December 2009. The number consisted of 768 bits, or equiv- alently 232 digits, and the factorization took around 2 years to complete.

The process was done by the GNFS (general number field sieve), and has the representation:

RSA-768

123018668453011775513049495838496272077285356959533479219732245215 172640050726365751874520219978646938995647494277406384592519255732 630345373154826850791702612214291346167042921431160222124047927473 7794080665351419597459856902143413

This was decomposed to its proper prime numbers, which turned out to be:

3347807169895689878604416984821269081770479498371376856891 2431388982883793878002287614711652531743087737814467999489 × 3674604366679959042824463379962795263227915816434308764267 6032283815739666511279233373417143396810270092798736308917 6.2 Previous Records

Using the running time of the GNFS (f (n) = e^{(64/9)1/3(log n)1/3}(log log n)^2/3), we can get a feeling for the difficulties of these numbers. Below shows approximated running times of the previous and current record as well as some future challenges.

RSA number f (n)

RSA-512 1.75653... × 10¹⁹ RSA-768 1.07756... × 10²³ RSA-1024 1.31587... × 10²⁶ RSA-2048 1.53301... × 10³⁵

By the table above we can see that f (RSA-768)/f (RSA-512) ≈ 6000, which tells us that the RSA-768 is about 6000 times harder to factorize than the previous challenge, the RSA-512. This number was successfully factorized in 1999, and the current record (RSA-768) happened just about 10 years after that.