1

Under which conditions is a large semiprime possible to factor? In particular, is the following 400-digit semiprime actually trivial to factor into primes?

6962155154859963260211100482357357666900094513013513488352858667799199787495340476167566639530574848375895722792291996203873323650274512138128403360943634134259376986501375967452208380337012919869885380406071772232795575963202558402893589313281327208179913789760736615950818685956393838601277519011418885197723428318400763080858914698836058070301404903262955501113318317950597435778777212408626799143

kodlu
Sam Blake

4 Answers

7

"Trivial" is almost certainly the wrong word for this. A better question is if it is reasonable to efficiently factor. First, it is worth mentioning that your semi-prime is 400 decimal digits. Multiplying this by $\log_2(10)$, we see that it is $\approx 1300$ bits long. This is vastly larger than the largest claimed factoring (of semiprimes) record of 829 bits. So the answer is "no", unless your semiprime has special structure that makes it "weak".

What special structure might semi-primes have? Let $N = p_1p_2$ be the factorization. There are a few candidates, which work if

  1. One of the $p_i$ is small (say at most $\approx 60$ bits), then the elliptic curve method is reasonable to run.

  2. One of the $p_i$ is such that $p_i+1$ is smooth, e.g. all prime factors of $p_i+1$ are bounded by some reasonably small number $B$. Then Williams' $p+1$ algorithm is reasonable.

  3. One of the $p_i$ is such that $p_i-1$ is powersmooth, e.g. all prime power factors of $p_i-1$ are bounded by some reasonably small number $B$. Then Pollard's $p-1$ algorithm is reasonable.

There may be a few other "special structures" that I am missing (I seem to remember one if $p_1\approx p_2$, but can't recall the name now). Your only real chance of factoring the number is for it to be improperly generated though, which all of the above would be examples of, so unless you have a specific reason to think they are improperly generated (say this is a CTF challenge) I wouldn't bother trying to break it.

If you have a reason to think this should be improperly generated, implementations of these exist. For example, Sage has an implementation of the ECM (via GMP-ECM). In the GMP-ECM page itself, I also see references to $p-1$ and $p+1$, but I don't know if Sage directly tries these as well (as they are only really useful if you suspect the semiprimes have been improperly generated).

But without hitting one of these cases of "weak semiprimes" (which are exceedingly unlikely to occur if the semiprime is properly generated --- so unless you have reason to think this is a weak RSA semiprime it is probably not even worth checking).

Mark Schultz-Wu
4

Yes, this 400 digit semiprime does have a large weakness that enables it to be factored in hours.

I have factored this number, so you could be kind and tell me where this CTF is so that I can get credit. (Said half joking)

Neither Fermat's nor ECM nor SNFS is going to help you in any reasonable amount of time.

The p factor has 41606 in the 15-19th upper digits and q has 89827 in the 15-19th upper digits.


Update (moved here by moderator)

Perhaps this class of methods? No
Or/and using a multiplier? No

Spoiler alert - the factors are given below. . . . .

n= 6962155154859963260211100482357357666900094513013513488352858667799199787495340476167566639530574848375895722792291996203873323650274512138128403360943634134259376986501375967452208380337012919869885380406071772232795575963202558402893589313281327208179913789760736615950818685956393838601277519011418885197723428318400763080858914698836058070301404903262955501113318317950597435778777212408626799143
p= 1055314811678641606424788110765439117222699930257095408671007391029759113842109970448108699505224742945927781061767905202515184760446787611555372203775837301834490832771874109424228620164137709228509254318229660698954763303449460372503950485172061048411036447824270015301213488707

q= 6597230587321689827469274987496974524162638657985346941557775305494810601668451103917887716603988821282535336087463657549
fgrieu
2

The technique used was to reduce N to a special form that was easily factored.

Displayed N in binary and noticed hundreds of 0's in between 4 numbers.

This was reduced to the following:

N = a*2^1228 + b*2^875 + c*2^353 + d

where

  • a = 1506291488774150974626762365373
  • b = 322571915263178581
  • c = 576377099039115423
  • d = 123431

Treating this as a polynomial in x, with x=2:

N = a*x^1228 + b*x^875 + c*x^353 + d

This factors very quickly to:

(359561509069941*x^353 + 77)*(4189245652768553*x^875 + 1603)

Patriot
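As an added example (not part of the original answer), the Python below shows how a key audit could detect this kind of sparse binary form and confirm the factorization quoted above. N is rebuilt from the answer's coefficients rather than pasted; the function names, the 64-zero-bit gap threshold and the SHA-256-derived comparison value are assumptions made for illustration.

```python
import hashlib
import re

# Coefficients and exponents quoted in the answer: N = a*2^1228 + b*2^875 + c*2^353 + d
A, B, C, D = 1506291488774150974626762365373, 322571915263178581, 576377099039115423, 123431
N = (A << 1228) + (B << 875) + (C << 353) + D

def sparse_terms(n, min_gap=64):
    """Split n into [(coefficient, shift), ...], cutting wherever at least
    min_gap consecutive zero bits separate two set bits (highest term first)."""
    bits = bin(n)[2:]
    # A block starts and ends with a 1 and contains only zero runs shorter than min_gap.
    block = re.compile(r"1(?:0{0,%d}1)*" % (min_gap - 1))
    return [(int(m.group(), 2), len(bits) - m.end()) for m in block.finditer(bits)]

def looks_sparse(n, min_gap=64):
    """Flag a modulus whose set bits cluster into several short, widely separated blocks."""
    return len(sparse_terms(n, min_gap)) > 1

def reference_modulus(nbits):
    """Constructed comparison value (not a real key): odd nbits-bit integer from a SHA-256 stream."""
    stream = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(nbits // 256 + 1))
    value = int.from_bytes(stream, "big") >> (len(stream) * 8 - nbits)
    return value | (1 << (nbits - 1)) | 1

def page_factors():
    """Evaluate the two polynomial factors given in the answer at x = 2."""
    q = (359561509069941 << 353) + 77
    p = (4189245652768553 << 875) + 1603
    return p, q

if __name__ == "__main__":
    for coeff, shift in sparse_terms(N):
        print(f"{coeff} * 2^{shift}")
    p, q = page_factors()
    print("p * q == N:", p * q == N)
    print("sparse form flagged for N:", looks_sparse(N))
    print("sparse form flagged for reference value:",
          looks_sparse(reference_modulus(N.bit_length())))
```

A modulus whose primes were drawn uniformly at random comes back as a single term, since zero runs that long essentially never occur in random bits.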
2

In a comment @Sam Blake asked a follow up question about an integer to factor:

7215955072690155355400859323297730634528493510676300043022948136348249037517276095868127042993906604904230826475281383188764473510881994780947137238252071087749294743150564851420395422525735221770067605216401023

The question: is this 2nd semiprime actually trivial to factor into primes?

This semiprime is not weak because it does not give up its special form very easily.

It is weak for an adversary with nation state capability because it is only 701 bits. A 2048 bit or higher modulus with equal bitlength p and q is recommended.

Also it doesn't appear to have weakness using Fermat's, p-1, its ratio is not near a small fraction, ECM is not helpful.

This integer does not appear to match a special form that is easy to factor. Even though once the special form is recognized the number can be factored with much less effort, detecting which special form can be very time consuming as there are many forms.

What hints are you willing to give? That this is a semiprime? That the factors are of unequal length? That the factors are polynomials with terms: a0 x 2^(k0) + a1 x 2^(k1) + a2 x 2^(k2)...