Integer factorization

“The problem of distinguishing prime numbers from composite numbers, and of resolving the latter into their prime factors, is known to be one of the most important and useful in arithmetic,” Gauss wrote in his Disquisitiones Arithmeticae in 1801. “The dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated.” But what exactly is the problem? Do we want to distinguish prime numbers from composite numbers? Or do we want to find all the prime factors of composite numbers? These are quite different problems. Imagine, for example, that someone gives you a 10000-digit composite number. It turns out that you can use “Artjuhov’s generalized Fermat test”—the “sprp test”—to quickly write down a reasonably short proof that the number is in fact composite. However, unless you’re extremely lucky, you won’t be able to find all the prime factors of the number, even with today’s state-ofthe-art factorization methods. Do we care whether the answer is accompanied by a proof? Is it good enough to have an answer that’s always correct but not accompanied by a proof? Is it good enough to have an answer that has never been observed to be incorrect? Consider, for example, the “Baillie-Pomerance-Selfridge-Wagstaff test”: if n ∈ 3 + 40Z is a prime number then 2 + 1 and x + 1 are both zero in the ring (Z/n)[x]/(x − 3x + 1); nobody has been able to find a composite n ∈ 3+40Z satisfying the same condition, even though such n’s are conjectured to exist. (Similar comments apply to arithmetic progressions other than 3+40Z.) If both 2 + 1 and x + 1 are zero, is it unacceptable to claim that n is prime? Do we actually want to find all the prime factors of the input? Or are we satisfied with one prime divisor? Or any factorization? More than 70% of all integers n are divisible by 2 or 3 or 5, and are therefore very easy to factor if we’re satisfied with one prime divisor. On the other hand, some integers n have the form pq where p and q are primes; for these integers n, finding one factor is just as difficult as finding the complete factorization. Do we want to be able to find the prime factors of every integer n? Or are we satisfied with an algorithm that gives up when n has large prime factors? Some algorithms don’t seem to care how large the prime factors are: for example, “the Pollard-Buhler-Lenstra-Pomerance-Adleman number-field sieve” is conjectured to find the prime factors of n using exp((64/9 + o(1))(log n)(log log n)) simple operations. Other algorithms are much faster at finding small primes: