Lenstra elliptic curve factorization

From Wikipedia, the free encyclopedia

The Lenstra elliptic curve factorization or the elliptic curve factorization method (ECM) is a fast, sub-exponential running time algorithm for integer factorization which employs elliptic curves. Technically, the ECM is classified as a deterministic algorithm as all "random" steps (such as the choice of curves) used can be derandomized (using pseudo-random sources) and done in a deterministic way. (This is not to say that the algorithm can't be implemented in a probabilistic way, if one so chooses, provided one has a true source of randomness.)

For general purpose factoring, ECM is the third-fastest known factoring method. The second fastest is the multiple polynomial quadratic sieve and the fastest is the general number field sieve; both are probabilistic algorithms, in the sense there is no guarantee that they will return a non trivial factor in the expected running time; there is an exponentially small probability they will take an exponential amount of time.

Practically speaking, ECM is considered a special purpose factoring algorithm as it is most suitable for finding small factors. Currently, it is still the best algorithm for divisors not greatly exceeding 20 to 25 digits (64 to 83 bits or so), as its running time is dominated by the size of the smallest factor p rather than by the size of the number n to be factored. The largest factor found using ECM so far was discovered on August 24, 2006 by B. Dodson and has 67 digits [1]. Increasing the number of curves tested improves the chances of finding a factor, but they are not linear with the increase in the number of digits.

Contents

[edit] Lenstra's elliptic curve factorization

The Lenstra elliptic curve factorization method to find a factor of the given number n works as follows:

  • Pick a random elliptic curve over \mathbf{Z}/n\mathbf{Z}, given by an equation of the form y2 = x3 + ax + b, and a non-trivial point A on it. The group law on this curve is given by rational functions; divisions of residue classes modulo n can be performed using the Euclidean algorithm. If in the remaining part of the algorithm a non-zero element of \mathbf{Z}/n\mathbf{Z} is encountered which fails to be invertible, we get in effect a factorization of n.
  • Compute eA in the group of (\mathbf{Z}/n\mathbf{Z})-valued points of the elliptic curve, where e is product of small primes raised to small powers, as in the p − 1 algorithm. This can be done one prime at a time, thus efficiently.
  • Hopefully, eA is a zero element of the elliptic curve group in Zp but not in Zq, for two prime divisors p and q of n — as in the p − 1 method, it is unlikely that both groups will have an order which is a divisor of e. Then we can find a factor of n by finding the greatest common divisor of the x-coordinate of eA and n, since this coordinate will be zero in Zp.
  • If it does not work, we can try again with some other curve and starting point.

The complexity depends on the size of the factor and can be represented by O(e(1 + o(1)) √(ln p ln ln p)), where p is the smallest factor of n.

[edit] Derivation

ECM is at its core an improvement of the older p − 1 algorithm. The p − 1 algorithm finds prime factors p such that p − 1 is b-powersmooth for small values of b. For any e, a multiple of p − 1, and any a relatively prime to p, by Fermat's little theorem we have ae1 (mod p). Then gcd(ae − 1, n) is likely to produce a factor of n. However, the algorithm fails when p-1 has large prime factors, as is the case for numbers containing strong primes, for example.

ECM gets around this obstacle by considering the group of a random elliptic curve over the finite field Zp, rather than considering the multiplicative group of Zp which always has order p − 1.

The order of the group of an elliptic curve over Zp varies (randomly) between p + 1 − 2√p and p + 1 + 2√p by Hasse's theorem, and is likely to be smooth for some elliptic curves. Although there is no proof that a smooth group order will be found in the Hasse-interval, by using heuristic probabilistic methods, the Canfield-Erdös-Pomerance theorem with suitably optimized parameter choices, and the L-notation, we can expect to try L[√2 / 2, √2] curves before getting a smooth group order. This heuristic estimate is very reliable in practice.

[edit] See also

  • UBASIC for practical program (ECMX).
  • GMP-ECM, an efficient implementation of ECM.
  • ECMNet, an easy client-server implementation that works with several factorization projects.
  • pyecm, a python implementation of ECM. Much faster with psyco and/or gmpy.

[edit] Other external links

[edit] References

  • Brent, Richard P. "Factorization of the tenth Fermat number." Mathematics of Computation 68 (1999), 429-451.
  • Cohen, Henri. A Course in Computational Algebraic Number Theory. Springer-Verlag, New York, Berlin, Heidelberg, 1996. ISBN 0-387-55640-0.
  • Lenstra, A. K. and Lenstra Jr., H. W. (editors), The development of the number field sieve. Lecture Notes in Mathematics 1554, Springer-Verlag, Berlin, 1993. MR 96m:11116.
  • Lenstra Jr., H. W. "Factoring integers with elliptic curves." Annals of Mathematics (2) 126 (1987), 649-673. MR 89g:11125.
  • Pomerance, Carl; Richard Crandall (2001). "Section 7.4: Elliptic curve method", Prime Numbers: A Computational Perspective, 1st edition, Springer, 301–313. ISBN 0-387-94777-9. 
  • Pomerance, Carl. "The quadratic sieve factoring algorithm." Advances in Cryptology, Proc. Eurocrypt '84, Lecture Notes in Computer Science, Vol. 209, Springer-Verlag, Berlin, 1985, 169-182. MR 87d:11098.
  • Silverman, Robert D. "The Multiple Polynomial Quadratic Sieve." Mathematics of Computation 48 (1987), 329-339.
Languages