# Fermat-Kraitchik Factorization Method for factoring large numbers: training for RMO

Reference: Elementary Number Theory, David M. Burton, 6th Edition.

In a fragment of a letter in all probability to Father Marin Mersenne in 1643, Fermat described a technique of his for factoring large numbers. This represented the first real improvement over the classical method of attempting to find a factor of n by dividing by all primes not exceeding $\sqrt{n}$. Fermat’s factorization scheme has at its heart the observation that the search for factors of an odd integer n (because powers of 2 are easily recognizable and may be removed at the outset, there is no loss in assuming that n is odd) is equivalent to obtaining integral solutions of x and y of the equation $n = x^{2} - y^{2}$.

If n is the difference of two squares, then it is apparent that n can be factored as $n = x^{2}-y^{2} = (x+y)(x-y)$.

Conversely, when n has the factorization $n=ab$, with $a \geq b \geq 1$, then we may write $n = (\frac{a+b}{2})^{2}-(\frac{a-b}{2})^{2}$

Moreover, because n is taken to be an odd integer, a and b are themselves odd, hence, $\frac{a+b}{2}$ and $\frac{a-b}{2}$ will be nonnegative integers.

One begins the search for possible x and y satisfying the equation $n=x^{2}-y^{2}$ or what is the same thing, the equation $x^{2}-n=y^{2}$ by first determining the smallest integer k for which $k^{2} \geq n$. Now, look successively at the numbers $k^{2}-n$, $(k+1)^{2}-n$, $(k+2)^{2}-n$, $(k+3)^{2}-n$, $\ldots$ until a value of $m \geq n$ is found making $m^{2}-n$ a square. The process cannot go on indefinitely, because we eventually arrive at $(\frac{n+1}{2})^{2}-n=(\frac{n-1}{2})^{2}$ the representation of n corresponding to the trivial factorization $n=n.1$. If this point is reached without a square difference having been discovered earlier, then n has no other factors other than n and 1, in which case it is a prime.

Fermat used the procedure just described to factor $2027651281=44021.46061$ in only 11 steps, as compared with making 4580 divisions by the odd primes up to 44021. This was probably a favourable case designed on purpose to show the chief virtue of this method: it does not require one to know all the primes less than $\sqrt{n}$ to find factors of n.

$\bf{Example}$

To illustrate the application of Fermat’s method, let us factor the integer $n=119143$. From a table of squares, we find that $345^{2}<119143<346^{2}$; thus it suffices to consider values of $k^{2}-119143$ for those k that satisfy the inequality $346 \leq k < (119143+1)/2=59572$. The calculations begin as follows:

$346^{2}-119143=119716-119143=573$

$347^{2}-119143=120409-119143=1266$

$348^{2}-119143=121104-119143=1961$

$349^{2}-119143=121801-119143=2658$

$350^{2}-119143=122500-119143=3357$

$351^{2}-119143=123201-119143=4058$

$352^{2}-119143=123904-119143=4761=69^{2}$

This last line exhibits the factorization $119143=352^{2}-69^{2}=(352+69)(352-69)=421.283$, where both the factors are prime. In only seven steps, we have obtained the prime factorization of the number 119143. Of course, one does not always fare so luckily — it may take many steps before a difference turns out to be a square.

Fermat’s method is most effective when the two factors of n are of nearly the same magnitude, for in this case, a suitable square will appear quickly. To illustrate, let us suppose that $n=233449$ is to be factored. The smallest square exceeding n is $154^{2}$ so that the sequence $k^{2}-n$ starts with:

$154^{2}-23449=23716-23449=267$

$155^{2}-23449=24025-23449=576=24^{2}$. Hence, the factors of 23449 are $23449=(155+24)(155-24)=131$

When examining the differences $k^{2}-n$ as possible squares, many values can be immediately excluded by inspection of the final digits. We know, for instance, that a square must end in one of the six digits 0,1,4,5,6,9. This allows us to exclude all the values in the above example, save for 1266, 1961, 4761. By calculating the squares of the integers from 0 to 99 modulo 100, we see further that, for a square, the last two digits are limited to the following 22 possibilities:

00; 01, 04; 09; 16; 21; 24; 25; 29; 36; 41; 44; 49; 56; 61; 64; 69; 76; 81; 84; 89; 96.

The integer 1266 can be eliminated from consideration in this way. Because 61 is among the last two digits allowable in a square, it is only necessary to look at the numbers 1961 and 4761; the former is not a square, but $4761=69^{2}$.

There is a generalization of Fermat’s factorization method that has been used with some success. Here, we look for distinct integers x and y such that $x^{2}-y^{2}$ is a multiple of n rather than n itself, that is, $x^{2} \equiv y^{2} \pmod {n}$
.
Having obtained such integers $d=gcd(x-y,n)$ (or, $d=gcd(x+y,n)$) can be calculated by means of the Euclidean Algorithm. Clearly, d is a divisor of n, but is it a non-trivial divisor? In other words, do we have $1?

In practice, n is usually the product of two primes p and q, with $p so that d is equal to 1, p, q, or pq. Now, the congruence $x^{2} \equiv y^{2} \pmod{n}$ translates into $pq|(x-y)(x+y)$. Euclid's lemma tells us that p and q must divide one of the factors. If it happened that $p|x-y$ and $q|x-y$, or expressed as a congruence $x \equiv y \pmod{n}$. Also, $p|x+y$ and $q|x+y$ yield $x \equiv -y \pmod{n}$. By seeking integers x and y satisfying $x^{2} \equiv y^{2} \pmod{n}$, where $x \not\equiv \pm \pmod{n}$, these two situations are ruled out. The result of all this is that d is either p or q, giving us a non-trivial divisor of n.

$\bf{Example}$

Suppose we wish to factor the positive integer $n=2189$ and happen to notice that $579^{2} \equiv 18^{2} \pmod{2189}$. Then, we compute $gcd(579-18,2189)=gcd(561,2189)=11$ using the Euclidean Algorithm:

$2189=3.561+506$
$561=1.506+55$
$506=9.55+11$
$55=5.11$

This leads to the prime divisor 11 of 2189. The other factor, namely 199, can be obtained by observing that $gcd(579+18,2189)=gcd(597,2189)=199$

The reader might wonder how we ever arrived at a number, such as 579, whose square modulo 2189 also turns out to be a perfect square. In looking for squares close to multiples of 2189, it was observed that $81^{2} -3.2189 = -6$ and $155^{2}-11.2189=-54$ which translates into $81^{2} \equiv -2.3 \pmod{2189}$ and $155^{2} \equiv -2.3^{3} \pmod{2189}$.

When these congruences are multiplied, they produce $(81.155)^{2} \equiv (2.3^{2})^{2} \pmod{2189}$. Because the product $81.155 = 12555 \equiv -579 \pmod{2189}$, we ended up with the congruence $579^{2} \equiv 18^{2} \pmod{2189}$.

The basis of our approach is to find several $x_{i}$ having the property that each $x_{i}^{2}$ is, modulo n, the product of small prime powers, and such that their product’s square is congruent to a perfect square.

When n has more than two prime factors, our factorization algorithm may still be applied; however, there is no guarantee that a particular solution of the congruence $x^{2} \equiv y^{2} \pmod{n}$, with $x \not\equiv \pm \pmod{n}$ will result in a nontrivial divisor of n. Of course, the more solutions of this congruence that are available, the better the chance of finding the desired factors of n.

Our next example provides a considerably more efficient variant of this last factorization method. It was introduced by *Maurice Kraitchik* in the 1920’s and became the basis of such modern methods as the *quadratic sieve algorithm*.

$\bf{Example}$

Let $n=12499$ be the integer to be factored. The first square just larger than n is $112^{2} = 12544$. So. we begin by considering the sequence of numbers $x^{2}-n$ for $x=112, 113, \ldots$. As before, our interest is in obtaining a set of values $x_{1}, x_{2}, x_{3}, \ldots x_{k}$ for which the product $(x_{1}-n)(x_{2}-n)\ldots (x_{k}-n)$ is a square, say $y^{2}$. Then, $(x_{1}x_{2}\ldots x_{k})^{2} \equiv y^{2} \pmod{n}$, which might lead to a non-factor of n.

A short search reveals that $112^{2}-12499=45$; $117^{2}-12499=1190$; $121^{2}-12499=2142$; or, written as congruences, $112^{2} \equiv 3^{2}.5 \pmod{12499}$ ; $117^{2} \equiv 2.5.7.17 \pmod{12499}$; $121^{2} \equiv 2.3^{2}.7.17 \pmod{12499}$. Multiplying these together results in the congruence: $(112.117.121)^{2} \equiv (2.3^{2}.5.7.17)^{2} \pmod{12499}$, that is, $1585584^{2} \equiv 10710^{2}\pmod{12499}$. But, we are unlucky with this square combination. Because $1585584 \equiv 10710 \pmod{12499}$ only a trivial divisor of 12499 will be found. To be specific,

$gcd(1585584+10710,21499)=1$

$gcd(1585584-10710,12499)=12499$

After further calculation, we notice that

$113^{2} \equiv 2.5.3^{3} \pmod{12499}$

$127^{2} \equiv 2.3.5.11^{2} \pmod{12499}$

which gives rise to the congruence $(113.127)^{2} \equiv (2.3^{2}.5.11)^{2} \pmod{12499}$.

This reduce modulo 12499 to $1852^{2} \equiv 990^{2} \pmod{12499}$ and fortunately, $1852 \not\equiv \pm {990}\pm\pmod{12499}$. Calculating

$gcd(1852-990,12499)=gcd(862,12499)=431$ produces the factorization $12499 =29.431$

Problem to Practise:

Use Kraitchik’s method to factor the number 20437.

Cheers,
Nalin Pithwa

# Questions based on Wilson’s theorem for training for RMO

1(a) Find the remainder when $15!$ is divided by 17.
1(b) Find the remainder when $2(26!)$ is divided by 29.

2: Determine whether 17 is a prime by deciding if $16! \equiv -1 {\pmod 17}$

3: Arrange the integers 2,3,4, …, 21 in pairs a and b that satisfy $ab \equiv 1 {\pmod 23}$.

4: Show that $18! \equiv -1 {\pmod 437}$.

5a: Prove that an integer $n>1$ is prime if and only if $(n-2)! \equiv 1 {\pmod n}$.
5b: If n is a composite integer, show that $(n-1)! \equiv 0 {\pmod n}$, except when $n=4$.

6: Given a prime number p, establish the congruence $(p-1)! \equiv {p-1} {\pmod {1+2+3+\ldots + (p-1)}}$

7: If p is prime, prove that for any integer a, $p|a^{p}+(p-1)|a$ and $p|(p-1)!a^{p}+a$

8: Find two odd primes $p \leq 13$ for which the congruence $(p-1)! \equiv -1 {\pmod p^{2}}$ holds.

9: Using Wilson’s theorem, prove that for any odd prime p:
$1^{2}.3^{2}.5^{2}.\ldots (p-2)^{2} \equiv (-1)^{(p+1)/2} {\pmod p}$

10a: For a prime p of the form $4k+3$, prove that either

$(\frac{p-1}{2})! \equiv 1 {\pmod p}$ or $(\frac{p-1}{2})! \equiv -1 {\pmod p}$

10b: Use the part (a) to show that if $4k+3$ is prime, then the product of all the even integers less than p is congruent modulo p to either 1 or -1.

More later,
Nalin Pithwa.

# Wilson’s theorem and related problems in Elementary Number Theory for RMO

I) Prove Wilson’s Theorem:

If p is a prime, then $(p-1)! \equiv -1 {\pmod p}$.

Proof:

The cases for primes 2 and 3 are clearly true.

Assume $p>3$

Suppose that a is any one of the p-1 positive integers $1,2,3, \ldots {p-1}$ and consider the linear congruence
$ax \equiv 1 {\pmod p}$. Then, $gcd(a,p)=1$.

Now, apply the following theorem: the linear congruence $ax \equiv b {\pmod n}$ has a solution if and only if $d|b$, where $d = gcd(a,b)$. If $d|b$, then it has d mutually incongruent solutions modulo n.

So, by the above theorem, the congruence here admits a unique solution modulo p; hence, there is a unique integer $a^{'}$, with $1 \leq a^{'} \leq p-1$, satisfying $aa^{'} \equiv 1 {\pmod p}$.

Because p is prime, $a = a^{'}$ if and only if $a=1$ or $a=p-1$. Indeed, the congruence $a^{2} \equiv 1 {\pmod p}$ is equivalent to $(a-1)(a+1) \equiv 0 {\pmod p}$. Therefore, either $a-1 \equiv 0 {\pmod p}$, in which case $a=1$, or $a+1 \equiv 0 {\pmod p}$, in which case $a=p-1$.

If we omit the numbers 1 and p-1, the effect is to group the remaining integers $2,3, \ldots (p-2)$ into pairs $a$ and $a^{'}$, where $a \neq a^{'}$, such that the product $aa^{'} \equiv 1 {\pmod p}$. When these $(p-3)/2$ congruences are multiplied together and the factors rearranged, we get

$2.3. \ldots (p-2) \equiv 1 {\pmod p}$

or rather

$(p-2)! \equiv 1 {\pmod p}$

Now multiply by p-1 to obtain the congruence

$(p-1)! \equiv p-1 \equiv -1 {\pmod p}$, which was desired to be proved.

An example to clarify the proof of Wilson’s theorem:

Specifically, let us take prime $p=13$. It is possible to divide the integers $2,3,4, \ldots, 11$ into $(p-3)/2=5$ pairs, each product of which is congruent to 1 modulo 13. Let us write out these congruences explicitly as shown below:

$2.7 \equiv 1 {\pmod {13}}$
$3.9 \equiv 1 {\pmod {13}}$
$4.10 \equiv 1 {\pmod {13}}$
$5.8 \equiv 1 {\pmod {13}}$
$6.11 \equiv 1 {\pmod {13}}$

Multpilying these congruences gives the result $11! = (2.7)(3.9)(4.10)(5.8)(6.11) \equiv 1 {\pmod {13}}$

and as $12! \equiv 12 \equiv -1 {\pmod {13}}$

Thus, $(p-1)! \equiv -1 {\pmod p}$ with prime $p=13$.

Further:

The converse to Wilson’s theorem is also true. If $(n-1)! \equiv -1 {\pmod n}$, then n must be prime. For, if n is not a prime, then n has a divisor d with $1 1$ is prime if and only if $(n-1)! \equiv -1 {\pmod n}$. Unfortunately, this test is of more theoretical than practical interest because as n increases, $(n-1)!$ rapidly becomes unmanageable in size.

Let us illustrate an application of Wilson’s theorem to the study of quadratic congruences{ What we mean by quadratic congruence is a congruence of the form $ax^{2}+bx+c \equiv 0 {\pmod n}$, with $a \not\equiv 0 {\pmod n}$ }

Theorem: The quadratic congruence $x^{2}+1 \equiv 0 {\pmod p}$, where p is an odd prime, has a solution if and only if $p \equiv 1 {\mod 4}$.

Proof:

Let a be any solution of $x^{2}+1 \equiv 0 {\pmod p}$ so that $a^{2} \equiv -1 {\pmod p}$. Because $p \not |a$, the outcome of applying Fermat’s Little Theorem is

$1 \equiv a^{p-1} \equiv (a^{2})^{(p-1)/2} \equiv (-1)^{(p-1)/2} {\pmod p}$

The possibility that $p=4k+3$ for some k does not arise. If it did, we would have

$(-1)^{(p-1)/2} = (-1)^{2k+1} = -1$

Hence, $1 \equiv -1 {\pmod p}$. The net result of this is that $p|2$, which is clearly false. Therefore, p must be of the form $4k+1$.

Now, for the opposite direction. In the product

$(p-1)! = 1.2 \ldots \frac{p-1}{2} \frac{p+1}{2} \ldots (p-2)(p-1)$

we have the congruences

$p-1 \equiv -1 {\pmod p}$
$p-2 \equiv -2 {\pmod p}$
$p-3 \equiv -3 {\pmod p}$
$\vdots$
$\frac{p+1}{2} \equiv - \frac{p-1}{2} {\pmod p}$

Rearranging the factors produces
$(p-1)! \equiv 1.(-1).2.(-2) \ldots \frac{p-1}{2}. (-\frac{p-1}{2}) {\pmod p} \equiv (-1)^{(p-1)/2}(.2. \ldots \frac{p-1}{2})^{2}{\pmod p}$

because there are $(p-1)/2$ minus signs involved. It is at this point that Wilson’s theorem can be brought to bear; for, $(p-1)! \equiv -1 {\pmod p}$, hence,

$-1 \equiv (-1)^{(p-1)/2}((\frac{p-1}{2})!)^{2} {\pmod p}$

If we assume that p is of the form $4k+1$, then $(-1)^{(p-1)/2} =1$, leaving us with the congruence

$-1 \equiv (-\frac{p-1}{2})^{2}{\pmod p}$.

The conclusion is that the integer $(\frac{p-1}{2})!$ satisfies the quadratic congruence $x^{2}+1 \equiv 0 {\pmod p}$.

Let us take a look at an actual example, say, the case $p=13$, which is a prime of the form $4k+1$. Here, we have $\frac{p-1}{2}=6$, and it is easy to see that $6! = 720 \equiv 5 {\pmod {13}}$ and $5^{2}+1 = 26 \equiv 0 {\pmod {13}}$.

Thus, the assertion that $((p-1)!)^{2}+1 \equiv 0 {\pmod p}$ is correct for $p=13$.

Wilson’s theorem implies that there exists an infinitude of composite numbers of the form $n!+1$. On the other hand, it is an open question whether $n!+1$ is prime for infinitely many values of n. Refer, for example:

https://math.stackexchange.com/questions/949520/are-there-infinitely-many-primes-of-the-form-n1

More later! Happy churnings of number theory!
Regards,
Nalin Pithwa