# Fermat-Kraitchik Factorization Method for factoring large numbers: training for RMO

Reference: Elementary Number Theory, David M. Burton, 6th Edition.

In a fragment of a letter in all probability to Father Marin Mersenne in 1643, Fermat described a technique of his for factoring large numbers. This represented the first real improvement over the classical method of attempting to find a factor of n by dividing by all primes not exceeding $\sqrt{n}$. Fermat’s factorization scheme has at its heart the observation that the search for factors of an odd integer n (because powers of 2 are easily recognizable and may be removed at the outset, there is no loss in assuming that n is odd) is equivalent to obtaining integral solutions of x and y of the equation $n = x^{2} - y^{2}$.

If n is the difference of two squares, then it is apparent that n can be factored as $n = x^{2}-y^{2} = (x+y)(x-y)$.

Conversely, when n has the factorization $n=ab$, with $a \geq b \geq 1$, then we may write $n = (\frac{a+b}{2})^{2}-(\frac{a-b}{2})^{2}$

Moreover, because n is taken to be an odd integer, a and b are themselves odd, hence, $\frac{a+b}{2}$ and $\frac{a-b}{2}$ will be nonnegative integers.

One begins the search for possible x and y satisfying the equation $n=x^{2}-y^{2}$ or what is the same thing, the equation $x^{2}-n=y^{2}$ by first determining the smallest integer k for which $k^{2} \geq n$. Now, look successively at the numbers $k^{2}-n$, $(k+1)^{2}-n$, $(k+2)^{2}-n$, $(k+3)^{2}-n$, $\ldots$ until a value of $m \geq n$ is found making $m^{2}-n$ a square. The process cannot go on indefinitely, because we eventually arrive at $(\frac{n+1}{2})^{2}-n=(\frac{n-1}{2})^{2}$ the representation of n corresponding to the trivial factorization $n=n.1$. If this point is reached without a square difference having been discovered earlier, then n has no other factors other than n and 1, in which case it is a prime.

Fermat used the procedure just described to factor $2027651281=44021.46061$ in only 11 steps, as compared with making 4580 divisions by the odd primes up to 44021. This was probably a favourable case designed on purpose to show the chief virtue of this method: it does not require one to know all the primes less than $\sqrt{n}$ to find factors of n.

$\bf{Example}$

To illustrate the application of Fermat’s method, let us factor the integer $n=119143$. From a table of squares, we find that $345^{2}<119143<346^{2}$; thus it suffices to consider values of $k^{2}-119143$ for those k that satisfy the inequality $346 \leq k < (119143+1)/2=59572$. The calculations begin as follows:

$346^{2}-119143=119716-119143=573$

$347^{2}-119143=120409-119143=1266$

$348^{2}-119143=121104-119143=1961$

$349^{2}-119143=121801-119143=2658$

$350^{2}-119143=122500-119143=3357$

$351^{2}-119143=123201-119143=4058$

$352^{2}-119143=123904-119143=4761=69^{2}$

This last line exhibits the factorization $119143=352^{2}-69^{2}=(352+69)(352-69)=421.283$, where both the factors are prime. In only seven steps, we have obtained the prime factorization of the number 119143. Of course, one does not always fare so luckily — it may take many steps before a difference turns out to be a square.

Fermat’s method is most effective when the two factors of n are of nearly the same magnitude, for in this case, a suitable square will appear quickly. To illustrate, let us suppose that $n=233449$ is to be factored. The smallest square exceeding n is $154^{2}$ so that the sequence $k^{2}-n$ starts with:

$154^{2}-23449=23716-23449=267$

$155^{2}-23449=24025-23449=576=24^{2}$. Hence, the factors of 23449 are $23449=(155+24)(155-24)=131$

When examining the differences $k^{2}-n$ as possible squares, many values can be immediately excluded by inspection of the final digits. We know, for instance, that a square must end in one of the six digits 0,1,4,5,6,9. This allows us to exclude all the values in the above example, save for 1266, 1961, 4761. By calculating the squares of the integers from 0 to 99 modulo 100, we see further that, for a square, the last two digits are limited to the following 22 possibilities:

00; 01, 04; 09; 16; 21; 24; 25; 29; 36; 41; 44; 49; 56; 61; 64; 69; 76; 81; 84; 89; 96.

The integer 1266 can be eliminated from consideration in this way. Because 61 is among the last two digits allowable in a square, it is only necessary to look at the numbers 1961 and 4761; the former is not a square, but $4761=69^{2}$.

There is a generalization of Fermat’s factorization method that has been used with some success. Here, we look for distinct integers x and y such that $x^{2}-y^{2}$ is a multiple of n rather than n itself, that is, $x^{2} \equiv y^{2} \pmod {n}$
.
Having obtained such integers $d=gcd(x-y,n)$ (or, $d=gcd(x+y,n)$) can be calculated by means of the Euclidean Algorithm. Clearly, d is a divisor of n, but is it a non-trivial divisor? In other words, do we have $1?

In practice, n is usually the product of two primes p and q, with $p so that d is equal to 1, p, q, or pq. Now, the congruence $x^{2} \equiv y^{2} \pmod{n}$ translates into $pq|(x-y)(x+y)$. Euclid's lemma tells us that p and q must divide one of the factors. If it happened that $p|x-y$ and $q|x-y$, or expressed as a congruence $x \equiv y \pmod{n}$. Also, $p|x+y$ and $q|x+y$ yield $x \equiv -y \pmod{n}$. By seeking integers x and y satisfying $x^{2} \equiv y^{2} \pmod{n}$, where $x \not\equiv \pm \pmod{n}$, these two situations are ruled out. The result of all this is that d is either p or q, giving us a non-trivial divisor of n.

$\bf{Example}$

Suppose we wish to factor the positive integer $n=2189$ and happen to notice that $579^{2} \equiv 18^{2} \pmod{2189}$. Then, we compute $gcd(579-18,2189)=gcd(561,2189)=11$ using the Euclidean Algorithm:

$2189=3.561+506$
$561=1.506+55$
$506=9.55+11$
$55=5.11$

This leads to the prime divisor 11 of 2189. The other factor, namely 199, can be obtained by observing that $gcd(579+18,2189)=gcd(597,2189)=199$

The reader might wonder how we ever arrived at a number, such as 579, whose square modulo 2189 also turns out to be a perfect square. In looking for squares close to multiples of 2189, it was observed that $81^{2} -3.2189 = -6$ and $155^{2}-11.2189=-54$ which translates into $81^{2} \equiv -2.3 \pmod{2189}$ and $155^{2} \equiv -2.3^{3} \pmod{2189}$.

When these congruences are multiplied, they produce $(81.155)^{2} \equiv (2.3^{2})^{2} \pmod{2189}$. Because the product $81.155 = 12555 \equiv -579 \pmod{2189}$, we ended up with the congruence $579^{2} \equiv 18^{2} \pmod{2189}$.

The basis of our approach is to find several $x_{i}$ having the property that each $x_{i}^{2}$ is, modulo n, the product of small prime powers, and such that their product’s square is congruent to a perfect square.

When n has more than two prime factors, our factorization algorithm may still be applied; however, there is no guarantee that a particular solution of the congruence $x^{2} \equiv y^{2} \pmod{n}$, with $x \not\equiv \pm \pmod{n}$ will result in a nontrivial divisor of n. Of course, the more solutions of this congruence that are available, the better the chance of finding the desired factors of n.

Our next example provides a considerably more efficient variant of this last factorization method. It was introduced by *Maurice Kraitchik* in the 1920’s and became the basis of such modern methods as the *quadratic sieve algorithm*.

$\bf{Example}$

Let $n=12499$ be the integer to be factored. The first square just larger than n is $112^{2} = 12544$. So. we begin by considering the sequence of numbers $x^{2}-n$ for $x=112, 113, \ldots$. As before, our interest is in obtaining a set of values $x_{1}, x_{2}, x_{3}, \ldots x_{k}$ for which the product $(x_{1}-n)(x_{2}-n)\ldots (x_{k}-n)$ is a square, say $y^{2}$. Then, $(x_{1}x_{2}\ldots x_{k})^{2} \equiv y^{2} \pmod{n}$, which might lead to a non-factor of n.

A short search reveals that $112^{2}-12499=45$; $117^{2}-12499=1190$; $121^{2}-12499=2142$; or, written as congruences, $112^{2} \equiv 3^{2}.5 \pmod{12499}$ ; $117^{2} \equiv 2.5.7.17 \pmod{12499}$; $121^{2} \equiv 2.3^{2}.7.17 \pmod{12499}$. Multiplying these together results in the congruence: $(112.117.121)^{2} \equiv (2.3^{2}.5.7.17)^{2} \pmod{12499}$, that is, $1585584^{2} \equiv 10710^{2}\pmod{12499}$. But, we are unlucky with this square combination. Because $1585584 \equiv 10710 \pmod{12499}$ only a trivial divisor of 12499 will be found. To be specific,

$gcd(1585584+10710,21499)=1$

$gcd(1585584-10710,12499)=12499$

After further calculation, we notice that

$113^{2} \equiv 2.5.3^{3} \pmod{12499}$

$127^{2} \equiv 2.3.5.11^{2} \pmod{12499}$

which gives rise to the congruence $(113.127)^{2} \equiv (2.3^{2}.5.11)^{2} \pmod{12499}$.

This reduce modulo 12499 to $1852^{2} \equiv 990^{2} \pmod{12499}$ and fortunately, $1852 \not\equiv \pm {990}\pm\pmod{12499}$. Calculating

$gcd(1852-990,12499)=gcd(862,12499)=431$ produces the factorization $12499 =29.431$

Problem to Practise:

Use Kraitchik’s method to factor the number 20437.

Cheers,
Nalin Pithwa