Computers and Mathematics with Applications 61 (2011) 2463–2467

Contents lists available at ScienceDirect

Computers and Mathematics with Applications

journal homepage: www.elsevier.com/locate/camwa

Prime factorization using square root approximation

Joseph Zalaket ∗ , Joseph Hajj-Boutros
Department of Computer Science, University of Saint-Esprit de Kaslik, Jounieh, Lebanon
Department of Mathematics, University of Saint-Esprit de Kaslik, Jounieh, Lebanon

article info abstract

Article history: Many cryptosystems are based on the factorization of large integers. The complexity of
Received 28 May 2009 this type of factorization is still an advantage for data security developers and a challenge
Received in revised form 27 October 2010 for both mathematicians and cryptanalysts. The security of RSA relies on the difficulty of
Accepted 20 February 2011
factoring large integers. The factorization was studied earlier by old civilizations like the
Greek, but their methods were extended after the emergence of computers. The paradox
Keywords:
of RSA is that, in order to make RSA more efficient, we use a modulus n = pq, which is
Integer factorization
Prime factorization
as small as possible. On the other hand, it is sufficient to factor n in order to decrypt the
Cryptography encrypted messages. In this paper, we propose a new factorization method based on the
RSA square root approximation. This method allows in reducing the search for candidate prime
factors of a given integer by approximating each prime factor before considering it as a
candidate.
© 2011 Elsevier Ltd. All rights reserved.

1. Introduction

The best-known cryptosystem based on the RSA (Rivest–Shamir–Adleman) [1] public key was proposed in 1978. In this
system, two prime numbers p and q are chosen to be so large, that factoring the product n = pq is well beyond the computing
capabilities for the existing algorithms and computers. In this paper, we show how it is hard to factor large integers with
the existing methods as it is very difficult to find a general-purpose algorithm for this computationally hard problem. We
propose a new heuristic method based on the square root approximation that allows factoring large integers. Our approach
is based on the idea that any supplementary information which is known about the factored number or its factors can often
be useful to save a large amount of computation time.
Any non-prime integer can be decomposed into smaller numbers called factors, for which their multiplication produces
the original integer. For example, the factors of 12 are (2, 2, 3), as 12 = 2 × 2 × 3. By contrast, a prime integer is an integer
that cannot be decomposed further and its only factors are 1 and itself. √
The prime factors of any non-prime integer n can be found among a set {P1 , P2 , . . . , Pk }, where Pi ≤ n, ∀1 ≤ i ≤ k.
The simplest way to factor n is by using the trial division method, in which n is divided blindly by smaller prime numbers
(starting with 2, 3, 5, 7 and so on). A prime number is chosen as a√ factor if the remainder of the division is zero. The procedure
is repeated to search for all prime numbers less than or equal to n. This method can be used to factor small integers formed
by some digits, but it is definitely inappropriate for large numbers because of its huge time complexity.
Another method consists of evaluating the greatest common divisor GCD of (P1 × P2 × · · · × Pk , n), where i=1 Pi is
∏n
denoted as the primorial pn #. Therefore, despite its advantage compared to the trial division method, the primorial method
is still ineffective to find prime factors of large integers because of its time consumption.
Our method consists of finding a reduced primorial Rp = (Pi × Pi+1 × · · · × Pj ), where the GCD of (Rp , n) gives the first
two factors of n in a reduced time. This process is repeated for the obtained two factors until achieving all the prime factors
of n.

∗ Corresponding author at: Department of Computer Science, University of Saint-Esprit de Kaslik, Jounieh, Lebanon.
E-mail addresses: [email protected] (J. Zalaket), [email protected] (J. Hajj-Boutros).

0898-1221/$ – see front matter © 2011 Elsevier Ltd. All rights reserved.
doi:10.1016/j.camwa.2011.02.027
2464 J. Zalaket, J. Hajj-Boutros / Computers and Mathematics with Applications 61 (2011) 2463–2467

The rest of this paper is organized as follows: In Section 2, we present an overview of the mostly used factorization
methods. In Section 3, we present the mathematical formulation used in our technique. In Section 4, we present a complete
factorization algorithm based on the square root approximation then we append to it by a running example. In Section 5,
we present the conclusion of our work and the future work.

2. Overview

In this section, we present the mostly used factorization methods. The complexity of finding prime factors varies from
one method to another, but we remark that, no single factorization algorithm is able to minimize the time complexity for
finding factors of all integers. Consequently, many factorization algorithms may be useful, such that each algorithm can be
faster than some others for some spread set of integers.

2.1. Trial division method

The trial division method [2] consists of dividing an integer n incrementally by smaller integers (starting with divisor
d = 2, 3, 4, 5, 6, 7 and so on). At each step, if the integer n is divided by a divisor d, n is replaced by the result of the division
and the test will recursively continue from the last divisor d. An improvement of the trial division method is to choose only
prime divisors. Therefore, the composite numbers are skipped from the test and this can speed up the search for prime
factors.

2.2. Pollard’s rho method

Pollard’s rho method also known as Pollard’s Monte Carlo factorization method [3] works in the first stage of iterating a
formula until it falls into a cycle. In a second stage, the method detects cycles and tries to remove them.
To factor an integer n, we assume that n = pq, where p and q are two unknown prime factors of n. The method starts
with iterating a polynomial formula such as
xn+1 = x2n + a(mod n).
Since p and q are relatively prime, the Chinese remainder theorem guarantees that each value of x(mod n) corresponds
uniquely to the pair of values (x(mod p), x(mod q)). Therefore, the sequence of xn follows exactly the same formula modulo
p and q:
xn+1 = [xn (mod p)]2 + a(mod n)
xn+1 = [xn (mod q)]2 + a(mod n)
√ √
the sequence (x(mod p)) (resp. (x(mod q))) will fall into a much shorter cycle of length p (resp. q). It can be verified
that two values x1 and x2 have the same remainder with p (x1 (mod p) = x2 (mod p)) (resp. with q) if GCD(|x2 − x1 | , n) = p
(resp. q).

2.3. Pollard’s P-1 method

This method [4] is specifically adapted to find prime factor p such that p − 1 has only small prime divisors. Let n be an
integer to be factorized, search for prime divisors p of n, such that p − 1 is B-power-smooth. Recall that, an integer m is said
e e
to be B-power-smooth if powers pi i of all prime factors of m are such that pi i ≤ B. Suppose that p | n and a > 1 is an integer
that is prime to p. According to the Fermat little theorem, we have
ap−1 ≡ 1 (mod p).
Assume that p − 1 is B-power-smooth and let m = LCM (1, 2, 3, . . . , B), which means that B | m and p − 1 | m, and thus
am ≡ 1 (modp).
Hence, p|am − 1, we also have p|n, p|GCD(am − 1, n) and GCD(am − 1, n) > 1.
Therefore, if we have in addition am − 1 ̸≡ 0 (mod n), that means GCD(am − 1, n) is a proper divisor of n.
A variant of Pollard’s p − 1 method is the Williams p + 1 method [5]. It uses Lucas sequences to achieve rapid factorization
if some factor p of n has a decomposition of p + 1 in small prime factors. Usually p + 1 method finds different prime factors
than the ones found by the p − 1 method. Applying the two methods to factor n can be efficient, if we ignore the increased
time complexity.

2.4. Elliptic curve method

The elliptic curve method (ECM) is based on Pollard’s p − 1 method. It was originally proposed by Lenstra [6]. Thereafter,
extended by Brent [7] and Montgomery [8]. The original part of the algorithm proposed by Lenstra is typically referred to as
Phase 1 and the extension by Brent and Montgomery is called Phase 2.
 J. Zalaket, J. Hajj-Boutros / Computers and Mathematics with Applications 61 (2011) 2463–2467 2465

Let n be the number to factor. In phase 1, an elliptic curve is E (Z/nZ) = {(x : y : z ) ∈ P2 (Z/nZ), y2 z ≡ x3 + axz 2 +
bz mod n}, where a, b are two parameters from Z/nZ, and P2 (Z/nZ) is the projective plan over Z/nZ. The neutral element
3

O = (0 : 1 : 0), also called the point at infinity. The key idea is that computations in E (Z/nZ) are projected to E (Z/pZ) for
any prime divisor p of n, with the particular case of quantities which are zero in E (Z/pZ) and different from zero in E (Z/nZ).
Choose randomly a curve E and a point p on it then compute Q = k × p, where k is the product of all prime powers less than
an upper bound B1 . Let p be a prime divisor of n, if the order of E over E (Z/pZ) divides k, then Q will be the neutral element
of E (Z/pZ), thus its z-coordinate will be zero modulo p, hence GCD(z , n) will reveal the factor p (unless z is zero modulo,
another factor of n).
Phase 1 succeeds when all prime factors of g = #E (Z/pZ) are less than the upper bound B1 . Phase 2 allows one prime
factor g1 of g to be as large as another bound B2 . By considering two categories (ai Q ) and (bj Q ) of points on E, and by checking
whether two such points are equal over E (Z/pZ). If ai Q = (xi : yi : zi ) and bj Q = (x′j : y′j : zj′ ), then GCD(xi zj′ − x′j zi , n) will
be non-trivial. This will succeed when g1 divides a non-trivial ai − bj .
There are two variations of phase 2.
The birthday paradox continuation [7] chooses ai and bj randomly, expecting that the differences ai − bj will cover most
primes up to B2 .
The standard continuation [8] chooses ai and bj , so that every prime up to B2 divides at least one ai − bj .

3. Square root approximation technique

Let n be a non-prime integer such that n = A × B, where A and B are two integer factors of n. We assume that any prime
integer factor B can be expressed as
P2 m
B=A× + (1)
q2 q2
2
where p and q are prime or relatively prime, m is an integer and qm2 is small compared to A × Pq2 .
For example, let A = 137 and B = 379. Now using Eq. (1) and replacing A and B by their respective values and by
52 13 25 13
setting p = 5, q = 3 and m = −13, we can get B = 137 × 32
− 32
= 137 × 9
− 9
= 379. We remark that,
13
9
≈ 1.45 ≪ 137 × ≈ 380.56. 25
9
By replacing B in n = A × B by its value as defined in Eq. (1), we get
n = A×B
 2 
P m
=A A 2 + 2
q q
A 2 p2 Am
= + 2
q2q
A 2 p2
 
m
= 2 1+ 2 .
q Ap
Calculating the square root of n this will give

√ A2 p2
 
m
n = 1+
q2 Ap2

A2 p2

m
= × 1+
q2 Ap2
 1  1
Ap m 2 m m 2 m
= × 1+ 2 as ≪1⇒ 1+ 2 ≈1+
q Ap Ap2 Ap2 2Ap
√ Ap m
⇒ n≈ + . (2)
q 2pq
m
In Eq. (2), ≺ 1 which leads us to do the following approximations:
2pq
√ √
. The integer part of n is [ n] ≈ q ± ϵ .
Ap
√ √ √
. The fractional part of n is ( n − [ n]) × pq ≈ k ± ϵ ′ , where k is a positive integer or half-integer and 0 ≤ ϵ ≺ 1 and
0 ≤ ϵ ≪ 1.
′
√ √
Therefore, searching for a k by multiplying the fractional part n − [ n] by r = pq, once k is found, the resulting r can
be decomposed √ into pq and q by using any of the factorization methods, as r is a small integer. Thereafter, multiplying the
integer part [ n] by p gives a number which is approximately equal to A.
2466 J. Zalaket, J. Hajj-Boutros / Computers and Mathematics with Applications 61 (2011) 2463–2467

√
Example. n = 51,923 ⇒ n = 227.86618. √
By multiplying 0.86618, the fractional part of n, incrementally by possible nearest obtained integer divisors, we obtain
the first adjacent integer r = 15, as
0.86618 × 15 = 12.9927, such that, for r = 15, k = 13 and ϵ ′ = 0.0073.
Factorizing r into p and q gives√p = 3 and q = 5.
Multiplying the integer part, [ n] × p = 227 × 53 = 378.3333 ≈ 379, for ϵ = 0.6666 as 379 is the nearest prime
q

number to 378.3333.
⇒ A = 379 and by dividing An = 51,923
379
= 137 = B.
⇒ n = 51,923 = A × B = 379 × 137 and thus, the prime factors of 51,923 are 379 and 137.
Remark. In this example, A was approximated exactly to its real value, but in practice some adjacent prime numbers will
be chosen as approximation for A, and then the exact value of A will be chosen among them by calculating the GCD of their
product together with n.

4. The factorization algorithm

In this section, we present the factorization algorithm (see Algorithm 1) that takes as input an integer n and generates
two factors A and B of n, where at least one of them is prime and such that n = A × B. If n has more than two prime factors
then one of its returned two components will be non-prime (assume that A is prime and B is non-prime). In this case, the
same algorithm can be recursively called to decompose the non-prime component (assumed B) until getting all the prime
factors of n.

Algorithm 1: Factorization algorithm based on square root approximation

Data: n: an integer number to be factorized, Pr : a list of subset of prime numbers, Upr: a threshold indicating the highest
r = pq allowed, Highstep: a threshold indicating the steps allowed to find a solution
Result: A and B: 2 integer factors n
begin
Initialization;
ϵ := 0.02, r := 2, steps := 0;
√ √ 
fx := n− n ;
Iterate until finding factors or until reaching the threshold specified for steps;
repeat
while (r ≺ Upr AND fx × r ̸= [fx × r] ± ϵ ) do
find a possible multiplier r of fx which generates its nearest integer;
steps := steps + 1;
factor r into p and q;
√  q
A := n × p;
if A is not a divisor of n then
find in Pr the nearest value Pri to A;
A := GCD (Pri−2 × Pri−1 × Pri × Pri+1 × Pri+2 , n);

until A is an integer divisor of n OR steps ≻ Highstep;

if steps ≺ Highstep then
B := n/A;
else
print("n is prime or no solution is found for the chosen thresholds");
end

4.1. Running example

√
• n = 14,789,166,241 ⇒ n = 121,610, 7159,793√ .
By multiplying 0, 7159793, the fractional part of n, by r = 81, we get approximately an integer as 0, 7159,793 × 81 =
57, 9943,233 ≈ 58.
= 3 and q = 27 or p = q = 9.
r can be factorized into p and q such that, p √
q
For the two factorizations of r calculating [ n] × p does not generate an approximate divisor of n. For this reason, we
search for another√r incrementally (here we can multiply the previous r by 10 as we are sure that by multiplying r by the
fractional part of n we will get an integer according to the previous result).
 J. Zalaket, J. Hajj-Boutros / Computers and Mathematics with Applications 61 (2011) 2463–2467 2467

√ r = 810 which can be factorized into p = 10 and q = 81.

By choosing
⇒ A = [ n] × pq = 121,610 × 10 81
= 15,013.
But A = 15,013 is not a divisor of n, by searching an adjacent prime number we get A = 15,031 which is a divisor of n
and thus, n is factorized into A = 15,031 and B = 983,911.

5. Conclusion

In this paper, we presented a new factorization algorithm based on the square root approximation of the factored number.
Compared to other methods, our method is very simple to be applied while being a competitor to these ones as it is able to
factor integers in a constant time. With a good approximation, our method is able to find factors very fast by performing only
few steps. The most optimal results which widely overcome the other factorization techniques are obtained by factoring
integers composed of exactly two prime numbers (see example Section 4.1). We are looking for an enhancement of the
performance in the case of factorization of integers composed by multiple factors (more than 3 components). A combination
of our algorithm with other existing algorithms such as, elliptic curve [6], Pollard’s P − 1 [4] and others, especially with which
are using the hardware capabilities [9,10] seems to be feasible. Such a combination can be useful at some iteration steps
when finding a precise approximation can take a long time using our algorithm at these steps. As additional future work,
we will adopt our proposed approximation technique in an algorithm that tests for prime numbers in order to discover new
large prime numbers.

References

[1] William Stallings, Cryptography and Network Security, 4th edition, Prentice Hall, 2005, ISBN 0131873164.
[2] Kenneth H. Rosen, An Introduction to Cryptography (Discrete Mathematical and Applications), 1st edition, Chapman and Hall/CRC, 2000, ISBN
1584881275.
[3] John M. Pollard, A Monte Carlo method for factorization, BIT 15 (1975) 331–334. ISSN 0006-3835.
[4] John M. Pollard, Theorems on factorization and primality testing, in: Proceedings of the Cambridge Philosophical Society, 76, 1974, pp. 521–528. ISSN
0305-0041.
[5] Hugh C. Williams, A p + 1 method of factoring, Mathematics of Computation 39 (1982) 225–234. ISSN 0025-5718.
[6] Hendrik W. Lenstra, Factoring integers with elliptic curves, Annals of Mathematics 126 (1987) 649–673. ISSN 0003-486X.
[7] Richard P. Brent, Some integer factorization algorithms using elliptic curves, Australian Computer Science Communications 8 (1986) 149–163. ISSN
0157-3055.
[8] Peter L. Montgomery, Speeding the Pollard and elliptic curve methods of factorization, Mathematics of Computation 48 (1987) 243–264. ISSN 0025-
5718.
[9] K. Gaj, S. Kwon, P. Baier, P. Kohlbrenner, H. Le, M. Khaleeluddin, R. Bachimanchi, Implementing the elliptic curve method of factoring in reconfigurable
hardware, in: Proceedings of Cryptographic Hardware and Embedded Systems Workshop, CHESS 2006, Yokohama, Japan, Oct. 2006.
[10] C. McIvor, M. McLoone, J. McCanny, A. Daly, W. Marnane, Fast montgomery modular multiplication and rsa cryptographic processor architectures, in:
Proceedings of the 37th IEEE Computer Society Asilomar Conference on Signals, Systems and Computers, Nov. 2003, pp. 379–384.