Is Integer Factorization Harder Than RSA Factorization?

Is the integer factorization problem harder than RSA factorization: $n = pq$?

This is a cross-post from http://math.stackexchange.com/questions/40971/is-the-factorization-problem-harder-than-rsa-factorization-n-pq Let FACT denote the integer factoring problem: given $n \in \mathbb{N},$ find primes $p_i \in \mathbb{N},$ and integers $e_i \in \mathbb{N},$ such that $n = \prod_{i=0}^{k} p_{i}^{e_i}.$ Let RSA denote the special case of factoring problem where $n = pq$ and $p,q$ are primes. That is, given $n$ find primes $p,q$ or NONE if there is no such factorization. Clearly, RSA is an instance of FACT. Is FACT harder than RSA? Given an oracle that solves RSA in polynomial time, could it be used to solve FACT in polynomial time? (A pointer to literature is much appreciated.) Edit 1: Added the restriction on computational power to be polynomial time. Edit 2: As pointed out in http://cstheory.stackexchange.com/questions/6704/is-the-integer-factorization-problem-harder-than-rsa-factorization-n-pq/6777#6777 that there are papers arguing for and against RSA harder (or easier than) FACT. I found the following papers so far: D. Boneh and R. Venkatesan. Breaking RSA may be easier than factoring. EUROCRYPT 1998. http://crypto.stanford.edu/~dabo/papers/no_rsa_red.pdf D. Brown: Breaking RSA may be as difficult as factoring. Cryptology ePrint Archive, Report 205/380 (2006) http://eprint.iacr.org/2005/380.pdf G. Leander and A. Rupp. On the Equivalence of RSA and Factoring regarding Generic Ring Algorithms. ASIACRYPT 2006. http://www.iacr.org/archive/asiacrypt2006/42840239/42840239.pdf D. Aggarwal and U. Maurer. Breaking RSA Generically Is Equivalent to Factoring. EUROCRYPT 2009. http://eprint.iacr.org/2008/260.pdf I have to go through them and find a conclusion. Is someone aware of these results can provide a summary?
Answer:

I found this paper entitled http://crypto.stanford.edu/~dabo/papers/no_rsa_red.pdf. They argue that computing $e$th roots modulo $n=pq$ might be easier than factoring $n=pq$. However, they don't address the question you asked about: they don't consider whether or not factoring integers of the form $n=pq$ might be easier than factoring arbitrary integers. As a result, this answer is pretty much irrelevant to your particular question.

user17 at Theoretical Computer Science Visit the source

Was this solution helpful to you?

Other answers

As far as I can see, an efficient algorithm for factoring semiprimes (RSA) does not automatically translate into an efficient algorithm for factoring general integers (FACT). However, in practice, semiprimes are the hardest integers to factor. One reason for this is that the maximum size of the smallest prime is dependent on the number of factors. For an integer $N$ with $f$ prime factors, the maximum size of the smallest prime factor is $\lfloor N^\frac{1}{f} \rfloor$, and so (via the http://en.wikipedia.org/wiki/Prime_number_theorem) there are approximately $\frac{f N^\frac{1}{f}}{\log(N)}$ possibilities for this. Thus increasing $f$ decreases the number of possibilities for the smallest prime factor. Any algorithm which works be successively reducing this space of probabilities will then work best for large $f$ and worst for $f=2$. This is borne out in practice, as many classical factoring algorithms are much faster when the number being factored has more than 2 prime factors. Further the http://en.wikipedia.org/wiki/General_number_field_sieve, the fastest known classical factoring algorithm, and http://en.wikipedia.org/wiki/Shor%27s_algorithm, the polynomial time quantum factoring algorithm, work equally well for non-semiprimes. In general, it seems much more important that the factors by http://en.wikipedia.org/wiki/Coprime than that they be prime. I think part of the reason for this is the decision version of factoring co-primes is most naturally described as a http://en.wikipedia.org/wiki/Promise_problem, and any way of removing the promise of the input being semiprime is to either introduce an indexing on the semiprimes (which in itself I suspect is as hard as factoring them), or by generalising the problem to include non-semiprimes. It seems likely that in the latter case the most efficient algorithm would solve FACT as well as RSA, though I have no proof of this. However, a proof is a little to much to ask for, since given an oracle for RSA proving that this cannot efficiently solve FACT amounts to proving that $P\neq NP$. Lastly it is worth pointing out that RSA (the cryptosystem, not the factoring problem you defined above) trivially generalizes beyond semi-primes.

Joe Fitzsimons

Not quite a complete answer, but seems to be an improvement: The research papers cited above compare the problem of computing eth roots mod N, i.e. doing the private key operation in the RSA cryptosystem, to the problem of factoring, i.e. finding the private key, in both cases, using only the public key. In this case, the factoring problem is not the general case, but the semiprime case. In other words, they are considering a different question. I believe that it is known, see Knuth's AoCP, that most numbers N have prime factorizations whose bit lengths compare in bit length to that of N, on average something like 1/2, 1/4, 1/8, ..., or perhaps even falling off more sharply, as in 2/3, 2/9, 2/27, ... but maybe flattening out. So, for general random N of size small enough that the smaller factors can be expected to be found quickly by trial division or Lenstra's ECM, then what remains may be a semiprime, though an unbalanced one. This is a kind of reduction, but it depensds heavily on the distribution of factors, and it is a slow reduction, in that it invokes other factorization algorithms. Also, there is no known test for determining if a number is semiprime or not. This only means that if one just applied a semiprime factorization algorithm to a general number, and it always failed, then one has solved an unknown problem.

user18217

Wouldn't the following be a polynomial time algorithm for RSA: Start walking through the integers starting with 2 and stopping at sqrt(n) or even n if we want because it's still O(n) steps. (If we reach sqrt(n), return NONE because n is itself prime.) At each step test for whether i divides n, which takes O((ln(n)^2) time using school division. For the first number found that divides n, we know it is prime, so call it p. And we also have q (which needs to be tested) from the same division. Now if q is prime (same procedure), we return (p, q) and if not we return NONE. Won't that work and run in O(n * (ln(n)^2)) time?

marshallf

Related Q & A:

what is the difference between sum of first n primes and prime(prime(n?Best solution by Mathematics
Wat is the difference btwn Desktop n My Computer n My Documents?Best solution by Yahoo! Answers
How to cook ROAST CHICKEN n HAINANESE CHICKEN n FRIED CRISPY CHICKEN n WHITECICKEN SAMBALCHCIKEN ROAST CHICKEN?Best solution by Yahoo! Answers
Where r the FUEL tanks n AMMO store n ENGINE in a ARMY ARMY tank?Best solution by Yahoo! Answers
Which country is surrounded totally surrounded by MILLIONS n MILLIONS n MILLIONS n MILLIONS of MUSLIMS MUSLIMS?Best solution by Yahoo! Answers

Just Added Q & A:

How many active mobile subscribers are there in China?Best solution by Quora
How to find the right vacation?Best solution by bookit.com
How To Make Your Own Primer?Best solution by thekrazycouponlady.com
How do you get the domain & range?Best solution by ChaCha
How do you open pop up blockers?Best solution by Yahoo! Answers

For every problem there is a solution! Proved by Solucija.

Got an issue and looking for advice?
Ask Solucija to search every corner of the Web for help.
Get workable solutions and helpful tips in a moment.

Just ask Solucija about an issue you face and immediately get a list of ready solutions, answers and tips from other Internet users. We always provide the most suitable and complete answer to your question at the top, along with a few good alternatives below.