In mathematics, the **integer prime-factorization** (also known as **prime decomposition**) problem is this: given a positive integer, write it as a product of prime numbers. For example, given the number 45, the prime factorization would be 3^{2}·5. The factorization is always unique, according to the fundamental theorem of arithmetic. This problem is of significance in mathematics, cryptography, complexity theory, and quantum computers.

The complete list of factors can be derived from the prime factorization by incrementing the exponents from zero until the number is reached. For example, since 45 = 3^{2}·5, 45 is divisible by 3^{0}·5^{0}, 3^{0}·5^{1}, 3^{1}·5^{0}, 3^{1}·5^{1}, 3^{2}·5^{0}, and 3^{2}·5^{1}, or 1, 5, 3, 15, 9, and 45. In contrast, the prime factorization only includes prime factors.

Given two large prime numbers, it is easy to multiply them together. However, given their product, it appears to be difficult to find the factors. This is relevant for many modern systems in cryptography. If a fast method were found for solving the integer factorization problem, then several important cryptographic systems would be broken, including the RSA public-key algorithm and the Blum Blum Shub random number generator.

Although fast factoring is *one* way to break these systems, there may be *other* ways to break them that don't involve factoring. So it is possible that the integer factorization problem is truly hard, yet these systems can still be broken quickly. A rare exception is the Blum Blum Shub generator. It has been proved to be exactly as hard as integer factorization. There is no way to break it without also solving integer factorization quickly.

If a large, *n*-bit number is the product of two primes that are roughly the same size, then no algorithm is known that can factor in polynomial time. That means there is no known algorithm that can factor it in time O(*n*^{k}) for any constant *k*. There are algorithms, however, that are faster than &Theta(e^{n}). In other words, the best known algorithms are sub-exponential, but super-polynomial. In particular, the best known asymptotic running time is for the general number field sieve (GNFS) algorithm, which is:

It is not known exactly which complexity classes contain the integer factorization problem. The decision-problem form of it ("does *N* have a factor less than *M*?") is known to be in both NP and co-NP. This is because both YES and NO answers can be checked if given the prime factors along with their primality proofs. It is known to be in BQP because of Shor's algorithm. It is suspected to be outside of all three of the complexity classes P, NP-Complete, and co-NP-Complete. If it could be proved that it is in either NP-Complete or co-NP-Complete, that would imply NP = co-NP. That would be a very surprising result, therefore integer factorization is widely suspected to be outside both of those classes. Many people have tried to find polynomial-time algorithms for it and failed, therefore it is widely suspected to be outside P.

Interestingly, the decision problem "is *N* a composite number?" (or equivalently: "is *N* a prime number?") appears to be much easier than the problem of actually finding the factors of *N*. Specifically, the former can be solved in polynomial time (in the number *n* of digits of *N*), according to a recent preprint given in the references, below. In addition, there are a number of probabilistic algorithms that can test primality very quickly if one is willing to accept the small possibility of error. The easiness of prime testing is a crucial part of the RSA algorithm, as it is necessary to find large prime numbers to start with.

- Richard P. Brent, "Recent Progress and Prospects for Integer Factorisation Algorithms",
*Computing and Combinatorics"*, 2000, pp.3-22. download - Manindra Agarwal, Nitin Saxena, Neeraj Kayal, "PRIMES is in P", Preprint, August 6, 2002, http://www.cse.iitk.ac.in/news/primality.html
- The "PRIMES is in P" FAQ http://crypto.cs.mcgill.ca/~stiglic/PRIMES_P_FAQ.html