A Survey of Modern Integer Factorization Algorithms

Peter L. Montgomery
Las Colindas Road, San Rafael, CA, USA
email: pmontgom@cwi.nl

Every positive integer is expressible as a product of prime numbers in a unique way. Although it is easy to prove that this factorization exists, it is believed very hard to factor an arbitrary integer. We survey the best known algorithms for this problem and give some factorizations found at CWI.

Introduction

An integer n is said to be a prime number, or simply prime, if the only divisors of n are 1 and n. There are infinitely many prime numbers, the first four being 2, 3, 5 and 7. If n > 1 and n is not prime, then n is said to be composite. The integer 1 is neither prime nor composite.

The Fundamental Theorem of Arithmetic states that every positive integer can be expressed as a finite (perhaps empty) product of prime numbers, and that this factorization is unique except for the ordering of the factors. Table 1 has some sample factorizations.

Table 1. Sample factorizations.

The existence of this factorization is an easy consequence of the definition of prime number and the well-ordering principle. The uniqueness proof is only slightly harder. However, this existence proof gives no clue about how to efficiently find the factors of a large given integer. No polynomial-time algorithm (see the footnote below) for solving this problem is known.

Factoring large integers has fascinated mathematicians for centuries. Gauss wrote: "The problem of distinguishing prime numbers from composites, and of resolving composite numbers into their prime factors, is one of the most important and useful in all of arithmetic. The dignity of science seems to demand that every aid to the solution of such an elegant and celebrated problem be zealously cultivated."

Some books are devoted to tabulating the factors of numbers of special form. The most referenced such table is the Cunningham table, which lists known factors of b^n ± 1 for bases b ≤ 12 and small n. Brent et al. extend these
tables to further bases b and exponents n. Some of these factorizations appear in another table, which also has some factors of a^n ± b^n. Brillhart et al. give factors of the Fibonacci numbers and related Lucas numbers. The RSA Challenge is building a table of factorizations of partition numbers.

Factorization was once primarily of academic interest. It gained in practical importance after the introduction of the RSA public-key cryptosystem (see the section on RSA). The cryptographic strength of RSA depends upon the difficulty of factoring large numbers.

Let N be a large composite integer. Until the […]s, the best algorithms for factoring N took time O(N^{[…]}) for some […]. One such algorithm is trial division, which tries to divide N by all primes up to √N. This changed when Morrison and Brillhart introduced the continued fraction method, whose time is

$$\exp\bigl(O(\sqrt{\log N \,\log\log N})\bigr) \;=\; N^{O(\sqrt{\log\log N/\log N})} \;=\; N^{o(1)}.$$

Modern algorithms for factoring N fall into two major categories. Algorithms in the first category find small prime factors quickly. These include trial division, Pollard rho, P−1 and the elliptic curve method. Algorithms in the second category factor a number regardless of the sizes of its prime factors, but cost much more when applied to larger integers. These algorithms include continued fraction, quadratic sieve and number field sieve.

In practice, algorithms in both categories are important. Given a large integer with no clue about the sizes of its prime factors, one typically tries algorithms in the first category until the cofactor (i.e., the quotient after dividing by known prime factors of the original number) is sufficiently small. Then one tries an algorithm in the second category if the cofactor is not itself prime. If one is unable to find a sufficiently small cofactor or a prime cofactor using methods in the first category,

Footnote. An algorithm is said to be polynomial-time if its worst case execution time is bounded by a polynomial function of the length of the input. If one wants to factor N, whose length is O(log N), then an O((log N)^{[…]}) algorithm would be polynomial-time, whereas an O(N^{[…]}) algorithm is not.
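The two-category strategy just described, as an added worked example in Python (illustrative code written for this page, not Montgomery's or CWI's): trial division and Pollard rho stand in for the first category, a Miller-Rabin test decides whether a cofactor is prime, and whatever the first-category methods cannot split is returned as the cofactor that a second-category method (quadratic sieve, number field sieve) would have to handle. The function names, the trial-division bound of 1000, the number of rho seeds tried and the sample input are all choices made here.

```python
"""Added example: peel off small factors first, hand the rest to a 'category 2' method."""
import math


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first twelve primes as bases.
    With these bases the answer is exact for every n below 3.3 * 10**24."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0                      # write n - 1 = d * 2**s with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                 # a is a witness that n is composite
    return True


def trial_division(n: int, bound: int):
    """Divide out every prime p <= bound. Returns (list of primes found, cofactor)."""
    factors = []
    p = 2
    while p <= bound and p * p <= n:
        while n % p == 0:
            factors.append(p)
            n //= p
        p += 1 if p == 2 else 2          # 2, then odd candidates only
    if n > 1 and p * p > n:              # nothing up to sqrt(n) divides it: n is prime
        factors.append(n)
        n = 1
    return factors, n


def pollard_rho(n: int, c: int = 1) -> int:
    """Pollard's rho with iteration x -> x**2 + c (mod n) and Floyd cycle detection.
    Returns a nontrivial divisor of composite n, or n itself if this seed fails."""
    if n % 2 == 0:
        return 2
    x = y = 2
    d = 1
    while d == 1:
        x = (x * x + c) % n
        y = (y * y + c) % n
        y = (y * y + c) % n
        d = math.gcd(abs(x - y), n)
    return d


def factor_small_first(n: int, trial_bound: int = 1000, rho_seeds: int = 20):
    """Category-1 driver: returns (sorted prime factors, product of pieces left unfactored).
    A leftover of 1 means the first-category methods finished the job."""
    factors, cofactor = trial_division(n, trial_bound)
    pending = [cofactor] if cofactor > 1 else []
    leftover = 1
    while pending:
        m = pending.pop()
        if is_probable_prime(m):         # prime cofactor: done with this piece
            factors.append(m)
            continue
        divisor = None
        for c in range(1, rho_seeds + 1):
            d = pollard_rho(m, c)
            if 1 < d < m:
                divisor = d
                break
        if divisor is None:
            leftover *= m                # would now go to a category-2 method
        else:
            pending.extend([divisor, m // divisor])
    return sorted(factors), leftover


if __name__ == "__main__":
    # constructed sample: 2**4 * 3 * 1000003 * 1000033 (the last two are primes)
    print(factor_small_first(16 * 3 * 1000003 * 1000033))
```

Trial division removes 2^4 and 3 almost for free; the remaining 13-digit cofactor is composite, so Pollard rho is asked to split it, and each piece is then recognised as prime. Only when rho fails on a composite piece does the driver report a nonzero leftover for a second-category method.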
the factorization remains incomplete.

The interpretation of "sufficiently small" has changed considerably as technology has progressed. In the […]s, John Brillhart and John Selfridge predicted that factoring numbers over […] digits would be hard. In the […]s, Richard Guy predicted that few numbers over […] digits would be factored. In […] the cutoff is around […] digits.

We illustrate some algorithms using N = […]. This number was selected using CWI's street address.

Williams and Shallit give a computational history of factoring and primality testing from […] to […], i.e., before the era of electronic computers. Richard Guy gives a good survey of factorization methods known in […]. Brillhart et al. give a chronology of developments in factorization by the Cunningham project, both hardware and software (esp. the methods used). Robert Silverman gives a more recent exposition. Several textbooks cover factorization.

We first review some elementary number theory, and then some fundamental algorithms which will be needed later.

Notations

The symbols Q, R and Z denote the sets of rational numbers, real numbers and integers respectively. If x and y are integers, then x | y (read "x divides y") means that y is a multiple of x. That is, x | y if and only if there exists k ∈ Z such that y = kx. The greatest common divisor (GCD) of two integers x and y is denoted gcd(x, y). The GCD is always positive unless x = y = 0. If gcd(x, y) = 1, then x and y are said to be coprime: they have no common divisors except 1.

Review of Elementary Number Theory

This section reviews some elementary and analytic number theory. Proofs can be found in many number theory textbooks.

Congruence classes and modular arithmetic

Fix n ≥ 1. Two integers x and y are said to be congruent modulo n if x − y is divisible by n. This is written x ≡ y (mod n). For fixed n, the relation ≡ is an equivalence relation (reflexive, symmetric, transitive). The equivalence classes are called congruence classes. A set with exactly one representative from each congruence class is called a complete residue system. There are exactly n congruence
classes. The canonical complete residue system is {0, 1, ..., n − 1}. We omit the modulus n, writing simply x ≡ y, when the modulus is clear from the context.

The relation ≡ is preserved under addition, subtraction and multiplication. If x_1, x_2, y_1, y_2 and n are integers such that x_1 ≡ y_1 (mod n) and x_2 ≡ y_2 (mod n), then

$$x_1 + x_2 \equiv y_1 + y_2 \pmod n, \qquad x_1 - x_2 \equiv y_1 - y_2 \pmod n, \qquad x_1 x_2 \equiv y_1 y_2 \pmod n.$$

These are easily proved using the definition of ≡. For example, $x_1 x_2 - y_1 y_2 = x_1(x_2 - y_2) + (x_1 - y_1)\,y_2$ is a sum of two multiples of n.

These congruences say that it is meaningful to add, subtract or multiply two congruence classes, since the equivalence class of the result does not depend upon the selections of the representatives. The congruence classes modulo n form a commutative ring under these operations. This ring, denoted by Z/nZ, is called the integers modulo n. When n is prime, division by nonzero elements is possible, and this ring is a field, often written GF(n).

A corollary is that if f is a polynomial in k variables with integer coefficients, and if x_i ≡ y_i (mod n) for 1 ≤ i ≤ k, then f(x_1, x_2, ..., x_k) ≡ f(y_1, y_2, ..., y_k) (mod n).

Occasionally we write r_1 ≡ r_2 where r_1 and r_2 are rational numbers rather than integers. The notation a_1/b_1 ≡ a_2/b_2 (mod n) means that the numerator of a_1/b_1 − a_2/b_2 is divisible by n and that its denominator is coprime to n. That is, a_1 b_2 ≡ a_2 b_1 (mod n) and gcd(b_1 b_2, n) = 1.

Properties of prime numbers

Let p be a prime number. The following properties are stated without proof.

- If x, y ∈ Z and p | xy, then p | x or p | y. Equivalently, if xy ≡ 0 (mod p), then x ≡ 0 (mod p) or y ≡ 0 (mod p).
- Unique factorization. As previously mentioned, every positive integer can be written as a (perhaps empty) product of primes, and this representation is unique except for ordering. See Table 1 for some examples.
- The polynomials (X + Y)^p and X^p + Y^p are congruent modulo p. For example, every term in $(X+Y)^5 - X^5 - Y^5 = 5X^4Y + 10X^3Y^2 + 10X^2Y^3 + 5XY^4$ is divisible by 5. This can be proved using the binomial theorem.
- Fermat's little theorem. If a ∈ Z, then a^p ≡ a (mod p). In particular, if p does not divide a, then a^{p−1} ≡ 1 (mod p). One proof uses the last property and induction on a.

Chinese remainder theorem
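The congruence facts of this section, checked in Python as an added example (this code is written for this page and is not from the paper): well-definedness of ring operations on Z/nZ, the rational-congruence convention a_1/b_1 ≡ a_2/b_2 (mod n), the binomial coefficients behind (X+Y)^p ≡ X^p + Y^p, and Fermat's little theorem used the way a practitioner meets it, as a quick compositeness check. The function names and the sample values are choices made here; 341 = 11 · 31 is used because it is the classic composite that base 2 fails to expose.

```python
"""Added example: the congruence facts of this section, made executable."""
from math import comb, gcd


def congruent(x: int, y: int, n: int) -> bool:
    """x ≡ y (mod n) means n divides x - y."""
    return (x - y) % n == 0


def ring_ops_well_defined(x1: int, y1: int, x2: int, y2: int, n: int) -> bool:
    """Given x1 ≡ y1 and x2 ≡ y2 (mod n), the sum, difference and product
    of the representatives are congruent too, so the operations on classes are well defined."""
    if not (congruent(x1, y1, n) and congruent(x2, y2, n)):
        raise ValueError("inputs must be congruent pairs")
    return (congruent(x1 + x2, y1 + y2, n)
            and congruent(x1 - x2, y1 - y2, n)
            and congruent(x1 * x2, y1 * y2, n))


def rational_congruent(a1: int, b1: int, a2: int, b2: int, n: int) -> bool:
    """a1/b1 ≡ a2/b2 (mod n) in the paper's sense:
    a1*b2 ≡ a2*b1 (mod n) and the denominators are coprime to n."""
    return gcd(b1 * b2, n) == 1 and congruent(a1 * b2, a2 * b1, n)


def middle_binomial_coefficients(p: int) -> list:
    """Coefficients of (X+Y)^p - X^p - Y^p, i.e. C(p, i) for 1 <= i <= p-1."""
    return [comb(p, i) for i in range(1, p)]


def binomial_middle_terms_divisible(p: int) -> bool:
    """True when every middle coefficient is a multiple of p; holds for every prime p."""
    return all(c % p == 0 for c in middle_binomial_coefficients(p))


def fermat_holds(a: int, p: int) -> bool:
    """a^p ≡ a (mod p), and a^(p-1) ≡ 1 (mod p) when p does not divide a."""
    if pow(a, p, p) != a % p:
        return False
    return a % p == 0 or pow(a, p - 1, p) == 1


def fermat_compositeness_witness(n: int, a: int) -> bool:
    """True when a proves n composite: gcd(a, n) = 1 yet a^(n-1) is not 1 mod n.
    False for primes, and also for composites this particular a fails to expose."""
    return gcd(a, n) == 1 and pow(a, n - 1, n) != 1


if __name__ == "__main__":
    print(middle_binomial_coefficients(5))          # the page's p = 5 example
    print(fermat_compositeness_witness(341, 2),     # base 2 does not expose 341
          fermat_compositeness_witness(341, 3))     # base 3 does
```

The last two functions show why Fermat's theorem alone is not a primality proof: a single base can pass on a composite, so a test built on it must try several bases (or use the stronger Miller-Rabin refinement).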
Let n_1 and n_2 be coprime positive integers. If r_1 and r_2 are arbitrary integers, then the two congruences x ≡ r_1 (mod n_1) and x ≡ r_2 (mod n_2) may be replaced by a single congruence x ≡ r (mod n_1 n_2), where r is chosen to satisfy r ≡ r_1 (mod n_1) and r ≡ r_2 (mod n_2). This is known as the Chinese Remainder Theorem.

For example, the two congruences x ≡ […] (mod […]) and x ≡ […] (mod […]) are equivalent to the single congruence x ≡ […] (mod […]). To confirm this, note first that such a congruence exists since the two moduli are coprime. If both congruences hold, then there exist integers k and l such that x = […] + […]k = […] + […]l. Hence k satisfies a congruence modulo the second modulus, which shows that x ≡ […] (mod […]). Conversely, if x ≡ […] (mod […]), say x = […] + […]k, then x = […] + […]k = […] + […]k, implying both original congruences.

A generalization allows more than two moduli. If gcd(n_i, n_j) = 1 for i ≠ j, 1 ≤ i, j ≤ k (i.e., if the integers n_1, ..., n_k are pairwise coprime), and if r_i ∈ Z for all i, then the system of congruences

$$x \equiv r_i \pmod{n_i} \qquad (1 \le i \le k)$$

is equivalent to a single congruence x ≡ r (mod n_1 n_2 ... n_k) when r is suitably chosen. There are efficient ways to find this r given the {n_i} and {r_i}.

When we know an upper bound on an integer x, then we can determine x uniquely if we know it modulo enough primes. More precisely, if we know that |x| ≤ B, and if we choose n_1, n_2, ..., n_k with n_1 n_2 ... n_k > 2B, then the system above determines x uniquely.

Smooth numbers
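Chinese remaindering with k moduli, as an added Python example (written for this page, not taken from the paper): `crt` builds the single congruence x ≡ r (mod n_1 n_2 ... n_k) one modulus at a time using modular inverses, and `recover_bounded` applies the last remark of the section, recovering a possibly negative integer x with |x| ≤ B from its residues once the product of the moduli exceeds 2B. The function names, the moduli 101, 103, 107 and the sample values are choices made here; `pow(a, -1, m)` for the inverse needs Python 3.8 or later.

```python
"""Added example: Chinese remainder theorem for k pairwise coprime moduli."""
from math import gcd


def crt(residues, moduli):
    """Return (r, M) with r ≡ residues[i] (mod moduli[i]) for every i and M = product of the moduli.
    Raises ValueError if the moduli are not pairwise coprime."""
    r, M = 0, 1
    for r_i, n_i in zip(residues, moduli):
        if gcd(M, n_i) != 1:
            raise ValueError("moduli must be pairwise coprime")
        # Keep r valid modulo M and adjust by a multiple of M to satisfy the new congruence:
        # solve r + M*t ≡ r_i (mod n_i) for t, using the inverse of M modulo n_i.
        t = ((r_i - r) * pow(M, -1, n_i)) % n_i
        r = (r + M * t) % (M * n_i)
        M *= n_i
    return r, M


def recover_bounded(residues, moduli, bound):
    """Recover the integer x with |x| <= bound from its residues.
    Requires n_1 ... n_k > 2*bound; then x is the unique representative of r in (-M/2, M/2]."""
    r, M = crt(residues, moduli)
    if M <= 2 * bound:
        raise ValueError("product of moduli must exceed 2*bound to determine x uniquely")
    return r - M if r > M // 2 else r


if __name__ == "__main__":
    mods = [101, 103, 107]                        # constructed: pairwise coprime primes
    x = -12345                                    # constructed sample; |x| <= 500000 < M/2
    print(crt([2, 3, 2], [3, 5, 7]))              # (23, 105)
    print(recover_bounded([x % m for m in mods], mods, 500000))   # -12345
```

The signed reconstruction is the point of the bound: with M > 2B the interval (−M/2, M/2] contains exactly one integer from each congruence class, so a residue above M/2 must belong to a negative x. Without the bound check a caller could silently get x + M or x − M instead of x.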
