Integer factorization is believed to lie in the grey zone between P and NP-complete. It sits in NP ∩ coNP (verifiable in both directions), yet no polynomial-time algorithm is known and no NP-hardness reduction exists. RSA's security rests on this ambiguity.
Rather than asking "is factoring hard?", we ask: how much of the factoring landscape
is actually hard? Following the P/NP/P sandwich framework from
polynomial Sudoku solving and
PolySAT, we decompose the space of n-bit
semiprimes into polynomial zones flanking an NP strip, parameterized by a budget
exponent a.
For an n-bit semiprime N = p × q, following cdcl(a) from the Sudoku paper, we parameterize the total number of arithmetic operations as Budget(n, a) = n^a.
For fixed a, this is polynomial in n. Each technique receives a fraction of
the budget. The wall — the bit size where the technique ladder fails — moves
rightward as a increases.
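The budget split can be sketched in a few lines. This is a minimal model, not the benchmarked implementation: the slice fractions are illustrative guesses, except rho's 40% and Fermat's 10%, which are stated later in the benchmarks; `techniques` maps technique names to hypothetical factor-finders.

```python
# Sketch of the budget ladder (tier-0 trivial checks omitted for brevity).
# Slice fractions are assumptions except rho's 40% and Fermat's 10%.
LADDER = [("trial", 0.20), ("rho", 0.40), ("pm1", 0.15),
          ("fermat", 0.10), ("fourier", 0.15)]

def budget(n, a):
    """Total arithmetic-operation budget for an n-bit input at exponent a."""
    return int(n ** a)

def run_ladder(N, a, techniques):
    """Try each technique in tier order, each capped at its budget slice."""
    n = N.bit_length()
    total = budget(n, a)
    for name, frac in LADDER:
        factor = techniques[name](N, max_evals=int(total * frac))
        if factor is not None:
            return name, factor
    return None, None  # the wall: the whole ladder failed within budget
```

Each finder gets only its slice of n^a evaluations, so for fixed a the whole ladder stays polynomial.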
| Tier | Technique | Complexity | Works When |
|---|---|---|---|
| 0 | Trivial checks | O(1) | N even, perfect power |
| 1 | Trial division | O(n^a) | Small factor < n^a |
| 2 | Pollard's rho | O(2^(n/4)) | General (birthday bound) |
| 3 | Pollard's p-1 | O(B log B) | p-1 is B-smooth |
| 4 | Fermat | O(\|p-q\|^2 / N^(1/2)) | p ≈ q |
| 5 | Fourier probe | O(n^a) | Structured bit patterns |
Pollard's rho is the workhorse. Its expected cost is O(N^(1/4)) = O(2^(n/4)) GCD operations. Fitting this inside a polynomial budget n^a requires n^a ≥ 2^(n/4), i.e. a ≥ n / (4 log₂ n):
For n = 50: a ≥ 50 / (4 × 5.64) ≈ 2.2, so rho fits comfortably in n^2.5.
For n = 100: a ≥ 100 / (4 × 6.64) ≈ 3.8, needing n^4.
For n = 200: a ≥ 200 / (4 × 7.64) ≈ 6.5; the "polynomial" budget is n^6.5.
For n = 2048 (RSA-2048): a ≥ 2048 / (4 × 11) ≈ 46.5, i.e. n^47 operations.
The required exponent grows linearly with n. This is the same phenomenon as Sudoku's n=5 mid-strip: the "polynomial" budget must grow so fast with problem size that it becomes effectively exponential. The polynomial framing doesn't break — for any fixed a, the budget is polynomial — but the a needed to solve grows with n, destroying the polynomial guarantee.
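The exponents above follow directly from setting n^a = 2^(n/4) and solving for a:

```python
import math

def required_exponent(n):
    """Smallest a with n^a >= 2^(n/4): solving n^a = 2^(n/4) gives
    a = n / (4 * log2(n))."""
    return n / (4 * math.log2(n))

for n in (50, 100, 200, 2048):
    print(f"n={n}: a >= {required_exponent(n):.1f}")
# n=50 gives ~2.2, n=100 ~3.8, n=200 ~6.5, n=2048 ~46.5
```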
AUMA's Fourier probe (order-1 Walsh-Hadamard coefficients) scores each bit position of a candidate factor by evaluating N mod x with targeted bit flips. The hope: some bits of p have stronger "signal" than others.
Result: low-order bits show detectable bias (the LSB is always 1 for odd primes; bit 1 has mild correlation with N mod 4). High-order bits show no signal — the carry chain from multiplication acts as a diffusion mechanism, exactly like SHA-256's message schedule in the PolySAT experiments.
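The low-order bias is exact number theory rather than a statistical effect. For odd p and q, p ≡ q (mod 4) if and only if N = pq ≡ 1 (mod 4), so N mod 4 leaks whether the two bit-1 values agree. The sketch below demonstrates that claimed leak empirically; it is not a reimplementation of the Fourier probe itself.

```python
import random

def sieve(limit):
    """Odd primes below limit, via a plain Eratosthenes sieve."""
    flags = bytearray([1]) * limit
    flags[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(flags[i * i::i]))
    return [i for i in range(3, limit) if flags[i]]

primes = sieve(1000)
hits = 0
for _ in range(2000):
    p, q = random.choice(primes), random.choice(primes)
    predicted = (p * q % 4 == 1)   # what N alone tells us
    actual = (p % 4 == q % 4)      # the hidden bit-1 relation
    hits += (predicted == actual)
print(hits / 2000)  # 1.0: the bit-1 leak is exact, every time
```

No analogous identity exists for high-order bits, which is where the carry chain erases the signal.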
This mirrors the PolySAT finding: moulinette achieves 93.5% structural novelty on SHA-256 CNF but zero hardness reduction. Cryptographic diffusion — whether from hash functions or multiplication carries — defeats syntactic/Fourier analysis.
| Property | Sudoku | SAT | Factoring |
|---|---|---|---|
| Complexity class | NP-complete | NP-complete | NP ∩ coNP |
| P-Left coverage | (n^3 + 2n)/n^4 | BCP peels ~10% | Trial + rho + pm1 + Fermat |
| cdcl(a) wall | n=5 mid-strip | SHA-256 core | Balanced semiprimes > 2^(n/4) |
| Fourier helps? | No (local constraints) | No (diffusion) | No (carry diffusion) |
| Algebraic escape? | No | No | Yes — NFS, ECM, lattice |
The key difference: factoring has algebraic structure that Sudoku and SAT lack. The number field sieve exploits smoothness in algebraic number fields — something invisible to any Boolean/SAT encoding. Our sandwich captures the combinatorial hardness but cannot account for algebraic shortcuts.
All benchmarks run on a single t3.micro (2 vCPU, 1GB RAM, ~$7.50/month) — the cheapest general-purpose EC2 instance. Pure Python, zero dependencies, no C extensions. The sandwich eats composites of any shape: semiprimes, highly composite numbers, prime powers. Recursive factorization splits until all factors are confirmed prime via Miller-Rabin.
| Bits | N (example) | Evals | Time | Technique |
|---|---|---|---|---|
| 50 | 827,645,660,345,381 | 224K | 12ms | rho |
| 60 | 867,617,983,059,235,987 | 546K | 38ms | rho |
| 70 | 872,320,052,306,992,843,891 | 1.0M | 88ms | rho |
| 80 | 1,037,406,423,024,995,396,315,989 | 3.3M | 458ms | rho |
| 90 | 734,161,861,083,105,052,078,671,551 | 8.5M | 1.5s | rho |
| 100 | 999,924,788,784,990,627,355,480,102,499 | 65M | 24s | rho (a=4.5) |
| 110+ | Wall: budget exhausted at a=4.0 | | | |
The 100-bit semiprime 999924788784990627355480102499 = 951533318763589 × 1050856306413191
was factored in 24 seconds on the potato at a=4.5. Brute-force trial division up to
√N ≈ 2^50 is hopeless; rho's birthday bound is ~2^25 ≈ 33M GCD steps, and with 3 restarts
(different random walks, same total budget) it finds the collision in ~65M iterations.
Two views of the same data: the budget wall (unlimited time, does the budget suffice?) and the time wall (1-second timeout, can the potato finish?).
| Exponent a | Wall (bits) | Theory: n/(4 log₂ n) | Delta |
|---|---|---|---|
| 2.0 | 30 | ~26 | +4 |
| 2.5 | 55 | ~46 | +9 |
| 3.0 | 70 | ~63 | +7 |
| 3.5 | 85 | ~78 | +7 |
| 4.0 | 90 | ~92 | -2 |
Budget wall retreats monotonically: more budget = more bits cracked.
| Exponent a | Wall (bits) | Solved | Notes |
|---|---|---|---|
| 2.0 | 24 | 52/168 | Budget too small |
| 2.5 | 46 | 75/168 | |
| 3.0 | 56 | 88/168 | |
| 3.5 | 76 | 106/126 | |
| 4.0 | 86 | 116/117 | Sweet spot |
| 4.5 | 84 | 112/114 | Budget large, time tight |
| 5.0 | 62 | 78/81 | Timeout kills before budget exhausts |
The time-optimal exponent is a=4.0, not higher. Past a=4.0, the budget grows faster than the potato can execute — rho has enough evaluations to find the factor but can't finish them in 1 second. The wall retreats from 86b back to 62b at a=5.0. This is a new dimension the Sudoku paper doesn't explore: when wall-clock time constrains, there's a Goldilocks exponent where budget is large enough to solve but small enough to complete.
For the potato (~50M rho-ops/sec) with T=1s: a* ≈ 4.0. On faster hardware, a* shifts rightward. The Goldilocks exponent is a property of the machine-algorithm pair, not the problem alone.
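The Goldilocks effect can be reproduced with a toy model. Every constant here is an assumption: rho needs ~2^(n/4) operations, earlier tiers burn a fixed 20% slice of the budget before rho's 40% slice runs, and the machine executes ~50M ops/sec with a 1 s timeout.

```python
RATE, TIMEOUT = 50e6, 1.0          # assumed potato: ~50M ops/sec, 1 s clock
PRE_FRAC, RHO_FRAC = 0.20, 0.40    # assumed ladder slices before/for rho

def solves(n, a):
    budget = n ** a
    rho_need = 2 ** (n / 4)                # birthday bound
    if rho_need > RHO_FRAC * budget:       # budget wall
        return False
    ops = PRE_FRAC * budget + rho_need     # work burned before rho + by rho
    return ops / RATE <= TIMEOUT           # time wall

def wall(a):
    return max((n for n in range(10, 200) if solves(n, a)), default=0)

for a in (3.0, 4.0, 5.0):
    print(a, wall(a))
# the wall peaks near a = 4 and retreats at a = 5: the Goldilocks exponent
```

The non-monotonicity appears because at large a the pre-rho slices alone exceed RATE × TIMEOUT, starving rho of wall-clock time.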
At a=3.0, 10 balanced semiprimes per bit size (1s timeout):
| Bits | trial | rho | pm1 | fermat | fail |
|---|---|---|---|---|---|
| 10 | 10 | 0 | 0 | 0 | 0 |
| 15 | 10 | 0 | 0 | 0 | 0 |
| 20 | 8 | 2 | 0 | 0 | 0 |
| 25-50 | 0 | 10 | 0 | 0 | 0 |
| 55 | 0 | 9 | 1 | 0 | 0 |
| 60 | 0 | 4 | 2 | 0 | 4 |
Trial division dominates to ~20 bits, then rho takes 100% of wins from 25-50 bits. At the boundary (55-60b), pm1 starts sneaking in — when rho's budget runs out, pm1 occasionally catches a factor with smooth p-1. By 60 bits, 4/10 instances fail entirely.
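Pollard's p-1, the technique sneaking in at the boundary, fits in a few lines. This is the standard algorithm; the smoothness bound B and the gcd-every-step layout are generic choices, not the benchmarked tuning.

```python
import math

def pollard_pm1(N, B=10_000):
    """Pollard's p-1: if some prime p | N has B-smooth p-1, then once the
    accumulated exponent contains every prime power below B we get
    a ≡ 1 (mod p) by Fermat's little theorem, and gcd(a - 1, N) exposes p."""
    a = 2
    for j in range(2, B):
        a = pow(a, j, N)              # exponent accumulates 2 * 3 * ... * j
        g = math.gcd(a - 1, N)
        if 1 < g < N:
            return g
    return None

print(pollard_pm1(299))  # 299 = 13 * 23, and 13 - 1 = 2^2 * 3 is smooth -> 13
```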
Fermat never fires on balanced semiprimes — rho runs before it. On close-factor pairs (|p-q| < 200), Fermat solves in 1 eval, but rho steals the kill. The technique order matters: rho's 40% budget slice runs second, Fermat's 10% runs fifth.
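Fermat's difference-of-squares method shows why close factors fall in one evaluation. A minimal sketch (the `max_steps` cap stands in for the 10% budget slice):

```python
import math

def fermat(N, max_steps=10_000):
    """Fermat: search a >= ceil(sqrt(N)) for a^2 - N = b^2, which gives
    N = (a - b)(a + b). When p ≈ q, the very first candidate a works."""
    a = math.isqrt(N)
    if a * a < N:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - N
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None

print(fermat(1217 * 1223))  # |p - q| = 6: solved at the first a -> (1217, 1223)
```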
The honest summary: past trial division, the "sandwich" on balanced semiprimes is really a rho dial. The other techniques matter for structured composites (pm1 for smooth factors, Fermat for close factors, trial for highly composite numbers), but RSA-hard instances live where only rho reaches.
AUMA-inspired Fourier probing (order-1 bit scoring via N mod x with targeted flips) was tested head-to-head against rho on 50 samples per bit size, with a tight budget of n^2:
| Bits | Fourier wins | Rho wins | Both fail |
|---|---|---|---|
| 16 | 0 | 50 | 0 |
| 20 | 0 | 50 | 0 |
| 24 | 0 | 50 | 0 |
| 28 | 0 | 49 | 1 |
| 32 | 0 | 44 | 6 |
| 36 | 0 | 17 | 33 |
| 40 | 0 | 16 | 34 |
Fourier probe wins exactly 0 out of 350 trials. Not once. The carry chain in integer multiplication diffuses bit-level structure identically to SHA-256's message schedule in the PolySAT experiments. Low-order bits show mild bias (LSB is always 1 for odd primes), but high-order bits are indistinguishable from random. This is the same wall as moulinette's 93.5% structural novelty / 0% hardness reduction on SHA-256 CNF — cryptographic diffusion defeats Fourier analysis, whether the diffusion comes from hash rounds or multiplication carries.
Pollard's rho is probabilistic: a single random walk may cycle without finding a factor. The 10x method from Sudoku applies: split the budget into 3 attempts with different c values.
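A minimal Floyd-cycle rho with the 3-restart budget split described above. The polynomial x² + c and the per-slice cap are standard; the implementation details (starting point, degeneracy handling) are ours, not the benchmarked code.

```python
import math

def rho_walk(N, c, max_evals):
    """One Floyd-cycle walk x -> x^2 + c (mod N), capped at max_evals GCDs."""
    x = y = 2
    for _ in range(max_evals):
        x = (x * x + c) % N
        y = (y * y + c) % N
        y = (y * y + c) % N          # hare moves twice per tortoise step
        g = math.gcd(abs(x - y), N)
        if g == N:
            return None              # degenerate walk: retry with a new c
        if g > 1:
            return g
    return None                      # budget slice exhausted

def rho_restarts(N, total_budget, attempts=3):
    """Split the budget across `attempts` walks with different increments c."""
    for c in range(1, attempts + 1):
        g = rho_walk(N, c, total_budget // attempts)
        if g:
            return g
    return None

print(rho_restarts(8051, 10_000))  # 8051 = 83 * 97
```

The restart question is exactly whether `total_budget // attempts` per walk beats one walk with the full budget.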
30-sample comparison per bit size (a=3.0 budget, 1s timeout):
| Bits | Single-only | Restart-only | Both solve | Both fail | Net |
|---|---|---|---|---|---|
| 30-50 | 0 | 0 | 30 | 0 | 0 |
| 60 | 4 | 5 | 21 | 0 | +1 |
| 70 | 6 | 3 | 1 | 20 | -3 |
At the boundary (60b), restarts provide a marginal +1 net advantage. But at 70 bits, restarts hurt: net -3. Splitting the budget into shorter walks means each attempt is too brief for rho to build enough GCD state. Single-shot with the full budget works better when the walk needs to be long.
This is the opposite of Sudoku's 10x result. Sudoku walks are binary — they solve in the first 10% of budget or never. Rho's success curve is gradual: the probability of finding a collision grows with walk length. Cutting walks short doesn't just waste a failed attempt — it prevents successful walks from reaching their collision. The 10x method transfers to methods with early-knowledge success profiles, not to methods with cumulative-state profiles like rho.
The /factor endpoint accepts any integer and
recursively splits until all factors are confirmed prime via Miller-Rabin.
| Shape | Example | Factorization | Evals | Time |
|---|---|---|---|---|
| Semiprime | 1,488,391 | 1217 × 1223 | 358 | 0.12ms |
| Highly composite | 2,075,673,600 | 2^10 × 3^4 × 5^2 × 7 × 11 × 13 | 93 | 0.4ms |
| Triple prime | 443,700,193,717,695,617 | 687223 × 711131 × 907909 | 315K | 12ms |
| Prime power | 4,936,446,198,683 | 17027^3 | 9 | <0.1ms |
| Smooth (101b) | 1.6 × 10^30 | 2 × 3 × 5^2 × 7^5 × ... × 47^2 | 515 | 0.9ms |
| Unbalanced | 945,744,143,654,729 | 911 × 1,038,138,467,239 | 320 | 0.14ms |
| Prime | 997 | 997 | 0 | <0.1ms |
Unbalanced semiprimes are trivial — trial division finds the small factor in ~300 evals regardless of how large the cofactor is. Prime powers are instant — perfect-power detection in the trivial checks catches them. Smooth numbers are sub-millisecond — P-Right peels factors of 2 and 3, trial division catches the rest. The only hard shape is balanced semiprimes, where both factors are large and structureless.
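The recursive split-until-prime loop with Miller-Rabin termination can be sketched as follows, with plain trial division standing in for the full technique ladder (the real endpoint would plug the ladder in as the factor-finder):

```python
import math, random

def is_probable_prime(n, rounds=20):
    """Miller-Rabin with random bases, used to terminate the recursion."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def trial_split(n):
    """Stand-in factor-finder; returns one nontrivial divisor of composite n."""
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return d

def factor(n, split=trial_split):
    """Recursively split n until every factor is (probably) prime."""
    if n == 1:
        return []
    if is_probable_prime(n):
        return [n]
    d = split(n)
    return sorted(factor(d, split) + factor(n // d, split))

print(factor(2_075_673_600))  # [2]*10 + [3]*4 + [5, 5, 7, 11, 13]
```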
| Key Size | Rho budget | Required a | Potato status |
|---|---|---|---|
| RSA-50 | 2^12.5 ≈ 5.7K | ~2.2 | 12ms |
| RSA-80 | 2^20 ≈ 1M | ~3.2 | 458ms |
| RSA-100 | 2^25 ≈ 33M | ~3.8 | 24s (a=4.5) |
| RSA-200 | 2^50 ≈ 10^15 | ~6.5 | Years on cluster |
| RSA-512 | 2^128 | ~14.2 | Infeasible (rho) |
| RSA-2048 | 2^512 | ~46.5 | Cosmic infeasibility |
The potato cracks everything up to 100 bits. The real contribution is the continuous complexity dial: by measuring where the wall hits as a function of a, we map the exact boundary between "polynomial enough" and "effectively exponential." Try it yourself: /factor any integer, /climb to find the wall.
The sandwich framework applies cleanly to integer factorization. A t3.micro potato cracks 100-bit semiprimes in 24 seconds with polynomial budget n^4.5. The budget wall tracks rho's birthday bound at a ≥ n/(4 log₂ n) within ~10%. This is the same mechanism as Sudoku's n=5 mid-strip and PolySAT's SHA-256 core: "polynomial with growing exponent" is how combinatorial hardness manifests across all three domains.
Three findings that surprised us:
1. Rho is everything. Past 25 bits, Pollard's rho accounts for 100% of balanced-semiprime factorizations. Fourier probing: 0/350. Fermat and pm1 never fire on RSA-shaped inputs. The technique ladder matters for structured composites (unbalanced, smooth, close-factor), but the NP strip — where RSA keys live — belongs entirely to rho.
2. The Goldilocks exponent. Under wall-clock constraints, there exists a time-optimal exponent a* where the wall is deepest. On the potato with 1s timeout: a*=4.0 (wall at 86b). Higher exponents have enough budget but can't finish — the wall retreats from 86b at a=4.0 to 62b at a=5.0. This is a machine-algorithm property, not a problem property. The Sudoku paper treats budget as the only dimension; real systems have a second axis (time) that creates a non-monotonic optimum.
3. Restarts hurt rho. The 10x method — cheap fast failures + more attempts — works beautifully on Sudoku walks (binary success profile). On rho, it backfires at 70 bits: net -3 vs single-shot. Rho has a cumulative-state success profile — collision probability grows with walk length. Cutting walks short prevents successful walks from reaching their collision. The 10x method transfers to early-knowledge methods, not cumulative-state methods.
Factoring's escape hatch — algebraic structure in NP ∩ coNP — means the combinatorial wall is not the whole story. The number field sieve operates in sub-exponential time Ln[1/3, c], suggesting the NP strip may be thinner than for NP-complete problems. The sandwich captures the combinatorial hardness faithfully; whether algebraic tunnels can bypass it remains the central open question.
References:
[1] Dana, C. "An O(2^(n/2)) Universal Maximization Algorithm." École Polytechnique, 2023.
[2] Dana, C. & Claude. "Polynomial Sudoku Solving and the P/NP Sandwich." March 2026.
[3] Dana, C. & Claude. "PolySAT: 12 Polynomial Techniques on SAT." March 2026.
[4] Dana, C. & Claude. "polyauma: Universal Maximization in Polynomial Budget." March 2026.
[5] Pollard, J. M. "A Monte Carlo method for factorization." BIT, 1975.
[6] Lenstra, H. W. "Factoring integers with elliptic curves." Annals of Mathematics, 1987.
[7] Lenstra, A. K. et al. "The number field sieve." STOC, 1990.