Fermat-Kraitchik Factorization Method for factoring large numbers: training for RMO

Reference: Elementary Number Theory, David M. Burton, 6th Edition.

In a fragment of a letter in all probability to Father Marin Mersenne in 1643, Fermat described a technique of his for factoring large numbers. This represented the first real improvement over the classical method of attempting to find a factor of n by dividing by all primes not exceeding \sqrt{n}. Fermat’s factorization scheme has at its heart the observation that the search for factors of an odd integer n (because powers of 2 are easily recognizable and may be removed at the outset, there is no loss in assuming that n is odd) is equivalent to obtaining integral solutions of x and y of the equation n = x^{2} - y^{2}.

If n is the difference of two squares, then it is apparent that n can be factored as n = x^{2}-y^{2} = (x+y)(x-y).

Conversely, when n has the factorization n=ab, with a \geq b \geq 1, then we may write n = (\frac{a+b}{2})^{2}-(\frac{a-b}{2})^{2}

Moreover, because n is taken to be an odd integer, a and b are themselves odd, hence, \frac{a+b}{2} and \frac{a-b}{2} will be nonnegative integers.

One begins the search for possible x and y satisfying the equation n=x^{2}-y^{2} or what is the same thing, the equation x^{2}-n=y^{2} by first determining the smallest integer k for which k^{2} \geq n. Now, look successively at the numbers k^{2}-n, (k+1)^{2}-n, (k+2)^{2}-n, (k+3)^{2}-n, \ldots until a value of m \geq n is found making m^{2}-n a square. The process cannot go on indefinitely, because we eventually arrive at (\frac{n+1}{2})^{2}-n=(\frac{n-1}{2})^{2} the representation of n corresponding to the trivial factorization n=n.1. If this point is reached without a square difference having been discovered earlier, then n has no other factors other than n and 1, in which case it is a prime.

Fermat used the procedure just described to factor 2027651281=44021.46061 in only 11 steps, as compared with making 4580 divisions by the odd primes up to 44021. This was probably a favourable case designed on purpose to show the chief virtue of this method: it does not require one to know all the primes less than \sqrt{n} to find factors of n.

\bf{Example}

To illustrate the application of Fermat’s method, let us factor the integer n=119143. From a table of squares, we find that 345^{2}<119143<346^{2}; thus it suffices to consider values of k^{2}-119143 for those k that satisfy the inequality 346 \leq k < (119143+1)/2=59572. The calculations begin as follows:

346^{2}-119143=119716-119143=573

347^{2}-119143=120409-119143=1266

348^{2}-119143=121104-119143=1961

349^{2}-119143=121801-119143=2658

350^{2}-119143=122500-119143=3357

351^{2}-119143=123201-119143=4058

352^{2}-119143=123904-119143=4761=69^{2}

This last line exhibits the factorization 119143=352^{2}-69^{2}=(352+69)(352-69)=421.283, where both the factors are prime. In only seven steps, we have obtained the prime factorization of the number 119143. Of course, one does not always fare so luckily — it may take many steps before a difference turns out to be a square.

Fermat’s method is most effective when the two factors of n are of nearly the same magnitude, for in this case, a suitable square will appear quickly. To illustrate, let us suppose that n=233449 is to be factored. The smallest square exceeding n is 154^{2} so that the sequence k^{2}-n starts with:

154^{2}-23449=23716-23449=267

155^{2}-23449=24025-23449=576=24^{2}. Hence, the factors of 23449 are 23449=(155+24)(155-24)=131

When examining the differences k^{2}-n as possible squares, many values can be immediately excluded by inspection of the final digits. We know, for instance, that a square must end in one of the six digits 0,1,4,5,6,9. This allows us to exclude all the values in the above example, save for 1266, 1961, 4761. By calculating the squares of the integers from 0 to 99 modulo 100, we see further that, for a square, the last two digits are limited to the following 22 possibilities:

00; 01, 04; 09; 16; 21; 24; 25; 29; 36; 41; 44; 49; 56; 61; 64; 69; 76; 81; 84; 89; 96.

The integer 1266 can be eliminated from consideration in this way. Because 61 is among the last two digits allowable in a square, it is only necessary to look at the numbers 1961 and 4761; the former is not a square, but 4761=69^{2}.

There is a generalization of Fermat’s factorization method that has been used with some success. Here, we look for distinct integers x and y such that x^{2}-y^{2} is a multiple of n rather than n itself, that is, x^{2} \equiv y^{2} \pmod {n}
.
Having obtained such integers d=gcd(x-y,n) (or, d=gcd(x+y,n)) can be calculated by means of the Euclidean Algorithm. Clearly, d is a divisor of n, but is it a non-trivial divisor? In other words, do we have 1<d<n?

In practice, n is usually the product of two primes p and q, with p<q so that d is equal to 1, p, q, or pq. Now, the congruence x^{2} \equiv y^{2} \pmod{n} translates into pq|(x-y)(x+y). Euclid's lemma tells us that p and q must divide one of the factors. If it happened that p|x-y and q|x-y, or expressed as a congruence x \equiv y \pmod{n}. Also, p|x+y and q|x+y yield x \equiv -y \pmod{n}. By seeking integers x and y satisfying x^{2} \equiv y^{2} \pmod{n}, where x \not\equiv \pm \pmod{n}, these two situations are ruled out. The result of all this is that d is either p or q, giving us a non-trivial divisor of n.

\bf{Example}

Suppose we wish to factor the positive integer n=2189 and happen to notice that 579^{2} \equiv 18^{2} \pmod{2189}. Then, we compute gcd(579-18,2189)=gcd(561,2189)=11 using the Euclidean Algorithm:

2189=3.561+506
561=1.506+55
506=9.55+11
55=5.11

This leads to the prime divisor 11 of 2189. The other factor, namely 199, can be obtained by observing that gcd(579+18,2189)=gcd(597,2189)=199

The reader might wonder how we ever arrived at a number, such as 579, whose square modulo 2189 also turns out to be a perfect square. In looking for squares close to multiples of 2189, it was observed that 81^{2} -3.2189 = -6 and 155^{2}-11.2189=-54 which translates into 81^{2} \equiv -2.3 \pmod{2189} and 155^{2} \equiv -2.3^{3} \pmod{2189}.

When these congruences are multiplied, they produce (81.155)^{2} \equiv (2.3^{2})^{2} \pmod{2189}. Because the product 81.155 = 12555 \equiv -579 \pmod{2189}, we ended up with the congruence 579^{2} \equiv 18^{2} \pmod{2189}.

The basis of our approach is to find several x_{i} having the property that each x_{i}^{2} is, modulo n, the product of small prime powers, and such that their product’s square is congruent to a perfect square.

When n has more than two prime factors, our factorization algorithm may still be applied; however, there is no guarantee that a particular solution of the congruence x^{2} \equiv y^{2} \pmod{n}, with x \not\equiv \pm \pmod{n} will result in a nontrivial divisor of n. Of course, the more solutions of this congruence that are available, the better the chance of finding the desired factors of n.

Our next example provides a considerably more efficient variant of this last factorization method. It was introduced by *Maurice Kraitchik* in the 1920’s and became the basis of such modern methods as the *quadratic sieve algorithm*.

\bf{Example}

Let n=12499 be the integer to be factored. The first square just larger than n is 112^{2} = 12544. So. we begin by considering the sequence of numbers x^{2}-n for x=112, 113, \ldots. As before, our interest is in obtaining a set of values x_{1}, x_{2}, x_{3}, \ldots x_{k} for which the product (x_{1}-n)(x_{2}-n)\ldots (x_{k}-n) is a square, say y^{2}. Then, (x_{1}x_{2}\ldots x_{k})^{2} \equiv y^{2} \pmod{n}, which might lead to a non-factor of n.

A short search reveals that 112^{2}-12499=45; 117^{2}-12499=1190; 121^{2}-12499=2142; or, written as congruences, 112^{2} \equiv 3^{2}.5 \pmod{12499} ; 117^{2} \equiv 2.5.7.17 \pmod{12499}; 121^{2} \equiv 2.3^{2}.7.17 \pmod{12499}. Multiplying these together results in the congruence: (112.117.121)^{2} \equiv (2.3^{2}.5.7.17)^{2} \pmod{12499}, that is, 1585584^{2} \equiv 10710^{2}\pmod{12499}. But, we are unlucky with this square combination. Because 1585584 \equiv 10710 \pmod{12499} only a trivial divisor of 12499 will be found. To be specific,

gcd(1585584+10710,21499)=1

gcd(1585584-10710,12499)=12499

After further calculation, we notice that

113^{2} \equiv 2.5.3^{3} \pmod{12499}

127^{2} \equiv 2.3.5.11^{2} \pmod{12499}

which gives rise to the congruence (113.127)^{2} \equiv (2.3^{2}.5.11)^{2} \pmod{12499}.

This reduce modulo 12499 to 1852^{2} \equiv 990^{2} \pmod{12499} and fortunately, 1852 \not\equiv \pm {990}\pm\pmod{12499}. Calculating

gcd(1852-990,12499)=gcd(862,12499)=431 produces the factorization 12499 =29.431

Problem to Practise:

Use Kraitchik’s method to factor the number 20437.

Cheers,
Nalin Pithwa

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.