Integer factoring and modular square roots
Buresh-Oppenheim proved that the NP search problem to find nontrivial factors of integers of a special form belongs to Papadimitriou’s class PPA, and is probabilistically reducible to a problem in PPP. In this paper, we use ideas from bounded arithmetic to extend these results to arbitrary integers. We show that general integer factoring is reducible in randomized polynomial time to a PPA problem and to the problem WEAKPIGEON in PPP. Both reductions can be derandomized under the assumption of the generalized Riemann hypothesis. We also show (unconditionally) that PPA contains some related problems, such as square root computation modulo n, and finding quadratic nonresidues modulo n.
💡 Research Summary
The paper builds on the earlier work of Buresh‑Oppenheim, who showed that the search version of integer factorisation for numbers of the form n = a·b (two non‑trivial prime factors) belongs to Papadimitriou’s total‑search class PPA and can be reduced probabilistically to a problem in PPP. The authors’ primary contribution is to lift these results from the special‑case setting to arbitrary integers N, thereby providing a unified complexity‑theoretic picture of integer factorisation, modular square‑root computation, and related number‑theoretic tasks.
The technical core relies on bounded arithmetic, specifically the weak theory S²₂, to formalise a “factor‑finding function” that, given N, returns a non‑trivial divisor d when one exists. Within S²₂ the existence of such a function can be expressed as a Σᵇ₁ formula, which in turn can be interpreted as a parity argument on a suitably constructed graph. The authors define a graph whose vertices correspond to residues of i² modulo N for i ranging over a polynomial‑size interval. Edges are placed between vertices whose residues differ by exactly one. By the parity principle that underlies PPA, any such graph must contain a vertex of odd degree; this vertex encodes a pair of residues whose difference yields a non‑trivial factor of N. Translating the graph into an END‑OF‑LINE instance gives a deterministic polynomial‑time reduction from general integer factorisation to a PPA‑complete problem.
For the reduction to PPP, the authors introduce a weak pigeonhole principle problem (WEAKPIGEON). They select a random small prime p (independent of N) and define a family of hash‑like functions Hₓ(y) = (y² + x) mod (N·p). Because the codomain of Hₓ is strictly smaller than its domain, the pigeonhole principle guarantees a collision y₁ ≠ y₂. Finding such a collision is exactly the WEAKPIGEON problem, which lies in PPP. From the collision they derive (y₁ − y₂)(y₁ + y₂) ≡ 0 (mod N·p), and since p is coprime to N, the product must contain a non‑trivial divisor of N. Thus a randomized polynomial‑time reduction from factorisation to WEAKPIGEON is established.
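As an added worked example (not code from the paper), the following shows the gcd step that turns a collision of the map Hₓ(y) = (y² + x) mod (N·p) into a factor of N, on a toy modulus. The exhaustive collision search and the concrete values N = 77, p = 5 are constructed for illustration; the reduction itself only needs some WEAKPIGEON solver. The example also handles the case a real reduction must exclude: a collision with y₁ ≡ ±y₂ (mod N) makes (y₁ − y₂)(y₁ + y₂) vanish modulo N for a trivial reason and yields no proper divisor, so such collisions are discarded and the search continues.

```python
# Added example: from a WEAKPIGEON collision of H_x(y) = (y^2 + x) mod (N*p)
# to a proper factor of N. Values below are constructed, not from the paper.
from math import gcd


def factor_from_collision(N: int, y1: int, y2: int):
    """Given y1^2 + x == y2^2 + x (mod N*p), we have (y1 - y2)(y1 + y2) == 0 (mod N).
    If y1 is not congruent to +-y2 modulo N, then N divides the product but
    neither factor, so gcd(y1 - y2, N) is a proper divisor. Otherwise the
    collision is trivial and carries no information about N."""
    if (y1 - y2) % N == 0 or (y1 + y2) % N == 0:
        return None
    d = gcd(y1 - y2, N)
    assert 1 < d < N, "nontrivial collision must split N"
    return d


def find_factor(N: int, p: int, x: int = 0):
    """Exhaustively search for a collision of H_x over the domain [0, 2*N*p).
    The codomain [0, N*p) is half the size of the domain, so by the pigeonhole
    principle a collision must exist; brute force stands in for the WEAKPIGEON
    solver and is only viable at toy sizes. Returns (factor, y1, y2) for the
    first collision that is nontrivial modulo N, or None if N is prime or a
    prime power of a single prime."""
    M = N * p
    seen = {}  # hash value -> first preimage
    for y in range(2 * M):
        h = (y * y + x) % M
        if h in seen:
            d = factor_from_collision(N, seen[h], y)
            if d is not None:
                return d, seen[h], y
        else:
            seen[h] = y
    return None


if __name__ == "__main__":
    # Constructed toy instance: N = 7 * 11, auxiliary prime p = 5.
    print(find_factor(77, 5))      # (11, 12, 23): 23^2 - 12^2 = 385 = 77 * 5
    print(factor_from_collision(77, 1, 76))  # None: 76 == -1 (mod 77), trivial
```

The first collision found for N = 77, p = 5 is 12² ≡ 23² (mod 385); since 23 − 12 = 11 and 23 + 12 = 35 are both nonzero modulo 77, gcd(11, 77) = 11 splits N. The collision (1, 76), by contrast, is rejected because 76 ≡ −1 (mod 77).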
A significant portion of the paper is devoted to derandomising these reductions under the Generalised Riemann Hypothesis (GRH). GRH provides deterministic polynomial‑time algorithms for (i) finding a suitable small prime p (via effective Chebotarev density estimates) and (ii) computing modular square roots (through a deterministic variant of the Tonelli‑Shanks algorithm). Consequently, both the PPA and PPP reductions become deterministic, yielding polynomial‑time many‑one reductions from integer factorisation to PPA and to a PPP problem that are valid under GRH.
Beyond factorisation, the authors show that two classic number‑theoretic problems also lie in PPA. The modular square‑root problem (given a and N, find x such that x² ≡ a (mod N)) can be reduced to the same parity‑argument graph used for factorisation, because a solution corresponds to a vertex of odd degree. Likewise, finding a quadratic non‑residue modulo N can be expressed as locating a vertex whose Legendre/Jacobi symbol is −1; this again translates into an odd‑degree vertex problem, placing it squarely in PPA.
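As an added example (not code from the paper), here is the modular square‑root building block referred to above: Tonelli‑Shanks modulo an odd prime, with the required quadratic non‑residue found by scanning upward from 2. That scan is the "deterministic variant": under GRH the least quadratic non‑residue modulo p is below 2(ln p)² (Bach's explicit bound), so the loop runs in polynomial time without randomness. The example goes one step beyond the text by combining roots modulo two primes with the Chinese remainder theorem to list all four square roots modulo N = p·q; the values N = 77 and a = 4 are constructed.

```python
# Added example: deterministic Tonelli-Shanks (nonresidue by linear scan,
# polynomial time under GRH) and CRT combination of roots modulo N = p*q.
# All numeric inputs below are constructed for illustration.


def is_residue(a: int, p: int) -> bool:
    """Euler's criterion: a is a nonzero square modulo the odd prime p iff
    a^((p-1)/2) == 1 (mod p)."""
    return pow(a, (p - 1) // 2, p) == 1


def least_nonresidue(p: int) -> int:
    """Smallest quadratic nonresidue modulo an odd prime p, found by scanning.
    Under GRH this value is < 2 (ln p)^2, so the scan is polynomial in log p
    without any randomness (this is the derandomised step)."""
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    return z


def sqrt_mod_prime(a: int, p: int):
    """Return some x with x^2 == a (mod p) for an odd prime p, or None if a is
    a nonresidue. Tonelli-Shanks; the p == 3 (mod 4) case needs no nonresidue."""
    a %= p
    if a == 0:
        return 0
    if not is_residue(a, p):
        return None
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    # Write p - 1 = q * 2^s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    c = pow(least_nonresidue(p), q, p)  # generator of the 2-Sylow subgroup
    x = pow(a, (q + 1) // 2, p)         # candidate root
    t = pow(a, q, p)                    # x^2 / a; root is correct when t == 1
    m = s
    while t != 1:
        # Least i with t^(2^i) == 1; always i < m.
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        x = x * b % p
        c = b * b % p
        t = t * c % p
        m = i
    return x


def sqrt_mod_pq(a: int, p: int, q: int):
    """All square roots of a modulo N = p*q for distinct odd primes p, q,
    obtained by CRT-combining +-root mod p with +-root mod q. Any two of these
    that are not negatives of each other differ by a multiple of exactly one
    prime, which is why knowing all roots modulo N is as hard as factoring N."""
    r1, r2 = sqrt_mod_prime(a, p), sqrt_mod_prime(a, q)
    if r1 is None or r2 is None:
        return []
    N, inv_p = p * q, pow(p, -1, q)
    roots = set()
    for s1 in (r1, p - r1):
        for s2 in (r2, q - r2):
            roots.add((s1 + p * (((s2 - s1) * inv_p) % q)) % N)
    return sorted(roots)


if __name__ == "__main__":
    print(sqrt_mod_prime(10, 13))   # 6 or 7 (p == 1 mod 4, full Tonelli-Shanks)
    print(sqrt_mod_pq(4, 7, 11))    # [2, 9, 68, 75]
```

For N = 77 and a = 4 the roots are 2, 9, 68 and 75: 2 and 9 are not negatives of each other, and gcd(9 − 2, 77) = 7, the same gcd step that converts a WEAKPIGEON collision into a factor in the reduction described earlier.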
The paper concludes with a discussion of cryptographic implications. If every problem in PPA admitted a polynomial‑time algorithm, the reductions would immediately break RSA and related schemes, since factorisation would become efficiently solvable. Conversely, the apparent hardness of PPA‑complete problems lends additional confidence to the security assumptions underlying current public‑key cryptosystems. The authors also note that the connection to PPP highlights a deeper relationship between hash‑function collision resistance and integer factorisation, suggesting new avenues for designing hash functions with provable security guarantees.
Future work suggested includes (i) implementing the PPA reduction to assess practical performance, (ii) extending the bounded‑arithmetic framework to other number‑theoretic problems such as discrete logarithms, and (iii) exploring structural differences between PPA and PPP to construct novel cryptographic primitives that are secure under the assumption that both classes lack efficient algorithms.