Lenstra elliptic curve factorization

The Lenstra elliptic curve factorization or the elliptic curve factorization method (ECM) is a fast, sub-exponential running time algorithm for integer factorization which employs elliptic curves. For general purpose factoring, ECM is the third-fastest known factoring method. The second fastest is the multiple polynomial quadratic sieve and the fastest is the general number field sieve. The Lenstra elliptic curve factorization is named after Hendrik Lenstra.

Practically speaking, ECM is considered a special purpose factoring algorithm as it is most suitable for finding small factors. Currently^[update], it is still the best algorithm for divisors not greatly exceeding 20 to 25 digits (64 to 83 bits or so), as its running time is dominated by the size of the smallest factor p rather than by the size of the number n to be factored. Frequently, ECM is used to remove small factors from a very large integer with many factors; if the remaining integer is still composite, then it has only large factors and is factored using general purpose techniques. The largest factor found using ECM so far has 73 digits and was discovered on 6 March 2010 by Joppe Bos, Thorsten Kleinjung, Arjen Lenstra and Peter Montgomery.^[1] Increasing the number of curves tested improves the chances of finding a factor, but they are not linear with the increase in the number of digits.

1 Lenstra's elliptic curve factorization
2 Why does the algorithm work?
3 An example
4 The algorithm with projective coordinates
5 Twisted Edwards curves
6 Stage 2
7 Success probability using EECM-MPFQ
8 Hyperelliptic Curve Method (HECM)
9 See also
10 References
11 External links

Lenstra's elliptic curve factorization

The Lenstra elliptic curve factorization method to find a factor of the given number n works as follows:

Pick a random elliptic curve over $\mathbf{Z}/n\mathbf{Z}$ , given by an equation of the form y² = x³ + ax + b (mod n), and a non-trivial point P on it. Say, pick first a point P=(x,y) with random non-zero coordinates x,y (mod n), then pick a random non-zero a (mod n), then take b = y² - x³ - ax (mod n).
We will compute certain multiples $kP=P\boxplus\dots\boxplus P$ (k times) of the point P using the standard addition rule $\boxplus$ on our elliptic curve: given two points P,Q on the curve, their sum $P\boxplus Q$ can be computed using the formulas given in the group law section of the article on elliptic curves. These formulas contain the "slope" of the line connecting P and Q, hence involve divisions between residue classes modulo n, which can be performed using the extended Euclidean algorithm. In particular, division by some v (mod n) includes the calculation of the greatest common divisor gcd(v,n).

If the slope is of the form u/v with gcd(u,n)=1, then v=0 (mod n) means that the result of the $\boxplus$ -addition will be $\infty$ , the point at infinity on the curve. However, if gcd(v,n) is neither 1 nor n, then the $\boxplus$ -addition will not produce a meaningful point on the curve, which shows that our elliptic curve is not a group (mod n), but, more importantly for now, gcd(v,n) is a non-trivial factor of n.
Compute eP on the elliptic curve (mod n), where e is product of many small numbers: say, a product of small primes raised to small powers, as in the p − 1 algorithm, or the factorial B! for some not too large B. This can be done efficiently, one small factor at a time. Say, to get B!P, first compute 2P, then 3(2P), then 4(3!P), and so on. Of course, B should be small enough so that B-wise $\boxplus$ -addition can be performed in reasonable time.
- If we were able to finish all the calculations above without encountering non-invertible elements (mod n), then we need to try again with some other curve and starting point.
- If we found $kP=\infty$ at some stage (the point at infinity on the elliptic curve), then again we should start over with a new curve and starting point, since $\infty$ is the zero element for $\boxplus$ , so after this point we would be just repeating $\infty\boxplus\dots\boxplus\infty=\infty$ .
- If we encountered a gcd(v,n) at some stage that was neither 1 nor n, then we are done: it is a non-trivial factor of n.

The time complexity depends on the size of the factor and can be represented by O(e^{(√2 + o(1)) √(ln p ln ln p)}), where p is the smallest factor of n.

Why does the algorithm work?

If p and q are two prime divisors of n, then y² = x³ + ax + b (mod n) implies the same equation also (mod p) and (mod q). These two smaller elliptic curves with the $\boxplus$ -addition are now genuine groups. If these groups have N_p and N_q elements, respectively, then for any point P on the original curve, by Lagrange's theorem, $kP=\infty$ on the curve (mod p) implies that k divides N_p; moreover, $N_p P=\infty$ . The analogous statement holds for q. When the elliptic curve is chosen randomly, then N_p and N_q are random numbers close to p+1 and q+1, respectively (see below). Hence it is unlikely that most of the prime factors of N_p and N_q are the same, and it is quite likely that while computing eP, we will encounter some kP that is $\infty$ (mod p) but not (mod q), or vice versa. When this is the case, kP does not exist on the original curve, and in the computations we found some v with either gcd(v,p)=p or gcd(v,q)=q, but not both. That is, gcd(v,n) gave a non-trivial factor of n.

ECM is at its core an improvement of the older p − 1 algorithm. The p − 1 algorithm finds prime factors p such that p − 1 is b-powersmooth for small values of b. For any e, a multiple of p − 1, and any a relatively prime to p, by Fermat's little theorem we have a^e ≡ 1 (mod p). Then gcd(a^e − 1, n) is likely to produce a factor of n. However, the algorithm fails when p-1 has large prime factors, as is the case for numbers containing strong primes, for example.

ECM gets around this obstacle by considering the group of a random elliptic curve over the finite field Z_p, rather than considering the multiplicative group of Z_p which always has order p − 1.

The order of the group of an elliptic curve over Z_p varies (quite randomly) between p + 1 − 2√p and p + 1 + 2√p by Hasse's theorem, and is likely to be smooth for some elliptic curves. Although there is no proof that a smooth group order will be found in the Hasse-interval, by using heuristic probabilistic methods, the Canfield-Erdős-Pomerance theorem with suitably optimized parameter choices, and the L-notation, we can expect to try L[√2 / 2, √2] curves before getting a smooth group order. This heuristic estimate is very reliable in practice.

An example

The following example is from Trappe & Washington (2006), with some details added.

We want to factor n=455839. Let's choose the elliptic curve y² = x³ + 5x - 5, with the point P=(1,1) on it, and let's try to compute (10!)P.

First we compute 2P. The slope of the tangent line at P is s=(3x²+5)/(2y)=4, and then the coordinates of 2P=(x′,y′) are x′=s²-2x=14 and y′=s(x-x′)-y=4(1-14)-1=-53, all numbers understood (mod n). Just to check that this 2P is indeed on the curve: (-53)²=2809=14³+5·14-5.

Then we compute 3(2P). The slope of the tangent line at 2P is s=(3·14²+5)/(2(-53))=-593/106 (mod n). Using the Euclidean algorithm: 455839=4300·106+39, then 106=2·39+28, then 39=28+11, then 28=2·11+6, then 11=6+5, then 6=5+1. Hence gcd(455839,106)=1, and working backwards (a version of the extended Euclidean algorithm): 1=6-5=2·6-11=2·28-5·11=7·28-5·39=7·106-19·39=81707·106-19·455839. Hence 106^-1=81707 (mod 455839), and -593/106=133317 (mod 455839). Given this s, we can compute the coordinates of 2(2P), just as we did above: 4P=(259851,116255). Just to check that this is indeed a point on the curve: y²=54514=x³+5x-5 (mod 455839). After this, we can compute $3(2 P)=4 P \boxplus 2 P$ .

We can similarly compute 4!P, and so on, but 8!P requires inverting 599 (mod 455839). The Euclidean algorithm gives that 455839 is divisible by 599, and we have found a factorization 455839=599·761.

The reason that this worked is that the curve (mod 599) has 640=2⁷·5 points, while (mod 761) it has 777=3·7·37 points. Moreover, 640 and 777 are the smallest positive integers k such that $kP=\infty$ on the curve (mod 599) and (mod 761), respectively. Since 8! is a multiple of 640 but not a multiple of 777, we have $8!P=\infty$ on the curve (mod 599), but not on the curve (mod 761), hence the repeated addition broke down here, yielding the factorization.

The algorithm with projective coordinates

Before we consider the projective plane over $(\mathbb{Z}/n\mathbb{Z})$ /~, first have a look at the 'normal' projective space over $\mathbb{R}$ . Now, instead of studying the points, the lines through the origin will be studied. The line can be represented a non-zero point $(x,y,z)$ if you use the equivalence relation ~ on it, given by: $(x,y,z)=(x',y',z')$ if and only if there exists a non-zero number $c$ such that $x'=cx$ , $y'=cy$ and $z'=cz$ . Due to this equivalence relation the space will be called a plane. In the projective plane, points, denoted by $(x:y:z)$ , are 'the same' as lines in a threedimensional space that go through the origin. Remark that the point $(0:0:0)$ does not exist here, because these does not represent a line. Now we observe that almost all lines go to the $(X,Y,1)$ -plane, except from the lines parallel to this plane. This lines are in the projective plane the 'points of infinity' that are used in the affine $(X,Y)$ -plane above.

In the algorithm only the group structure of an elliptic curve over the field $\mathbb{R}$ is used. Therefore we not necessarily need the field $\mathbb{R}$ . A finite field will also provide a group structure on the elliptic curve. However, considering the same curve and operation over $(\mathbb{Z}/n\mathbb{Z})$ /~ with $n$ not a prime does not give a group. The Elliptic Curve Method makes use of the failure cases of the addition law.

We now state the algorithm in projective coordinates. The neutral element is then given by the point in infinity $(0:1:0)$ . Let $n$ be a (positive) integer and consider the elliptic curve (a set of points with some structure on it) $E(Z/nZ)=\{(x:y:z) \in P^2\ |\ y^2z=x^3%2Bax^2z%2Bbz^3\}$ .

Pick $x_P,y_P,a$ in $\mathbb{Z}/n\mathbb{Z}$ and let $a$ be unequal to zero.
Calculate $b = y_P^2 - x_P^3 - ax_P$ . The elliptic curve $E$ is then in Weierstrass form given by $y^2 = x^3 %2B ax %2B b$ and by using projective coordinates the elliptic curve is given by the homogenous equation $ZY^2=X^3%2BaZ^2X%2BbZ^3$ . It has the point $P=(x_P:y_P:1)$ .
Choose an upperbound $B \in \mathbb{Z}$ for this elliptic curve. Remark: You will only find factors $p$ if the group order of the elliptic curve $E$ over $\mathbb{Z}/p\mathbb{Z}$ (denoted by # $E(\mathbb{Z}/p\mathbb{Z})$ ) is B-smooth, which means that all prime factors of # $E(\mathbb{Z}/p\mathbb{Z})$ have to be less or equal to $B$ .
Calculate $k={\rm lcm}(1,\dots ,B)$ .
Calculate $k P�:= P %2B P %2B \ldots %2B P$ (k times) in the ring $E(\mathbb{Z}/n\mathbb{Z})$ . Note that if # $E(\mathbb{Z}/n\mathbb{Z})$ is $B$ -smooth and $n$ is prime (and therefore $\mathbb{Z}/n\mathbb{Z}$ is a field) that $k P = (0:1:0)$ . However, if only # $E(\mathbb{Z}/p\mathbb{Z})$ is B-smooth for some divisor $p$ of $n$ , the product might not be (0:1:0) because addition and multiplication are not well-defined if $n$ is not prime. In this case, a non-trivial divisor can be found!
If not, then go back to step 2. If this does occur, then you will notice this when simplifying the product $kP$ .

In point 5 it is said that under the right circumstances a non-trivial divisor can be found. As pointed out in Lenstra's article (Factoring Integers with Elliptic Curves) the addition needs the assumption $\gcd(x_1-x_2,n)=1$ . If $P,Q$ are not $(0:1:0)$ and distinct (otherwise addition works similar, but a little different), then addition works as follows:

To calculate: $R = P %2B Q;$ $P = (x_1:y_1:1)$ , $Q = (x_2:y_2:1)$ ,
$\lambda =(y_1-y_2) (x_1-x_2)^{-1}$ ,
$x_3 = \lambda^2 - x_1 - x_2$ ,
$y_3 = \lambda(x_1-x_3) - y_1$ ,
$R = P %2B Q = (x_3:y_3:1)$ .

If addition fails, this will be due calculating $\lambda$ fails. In particular, because $(x_1-x_2)^{-1}$ can not always be calculated if $n$ is not prime (and therefore $\mathbb{Z}/n\mathbb{Z}$ is not a field). Without making use of $\mathbb{Z}/n\mathbb{Z}$ being a field, one could calculate:

$\lambda'=y_1-y_2$ ,
$x_3' = {\lambda'}^2 - x_1(x_1-x_2)^2 - x_2(x_1-x_2)^2$ ,
$y_3' = \lambda'(x_1(x_1-x_2)^2-x_3') - y_1(x_1-x_2)^3$ ,
$R = P %2B Q = (x_3'(x_1-x_2):y_3':(x_1-x_2)^3)$ , and simplify if possible.

This calculation is always legal and if the gcd of the $Z$ -coordinate with $n$ is unequal to 1 or $n$ , so when simplifying fails, then a non-trivial divisor of $n$ is found.

Twisted Edwards curves

The use of Edwards curves needs fewer modular multiplications and less time then the use of Montgomery curves or Weierstrass curves (other used methods). Using Edwards curves you can also find more primes.

Definition: Let $k$ be a field in which $2 \neq 0$ , and let $a,d \in k\setminus\{0\}$ with $a\neq d$ . Then the twisted Edwards curve $E_{E,a,d}$ is given by $ax^2%2By^2=1%2Bdx^2y^2.$ An Edwards curve is a twisted Edwards curve in which $a=1$ .

There are five known ways to build a set of point on an Edwards curve: the set of affine points, the set of projective points, the set of inverted points, the set of extended points and the set of completed points.

The set of affine points is given by: $\{(x,y)\in A^2�: ax^2%2By^2=1%2Bdx^2y^2\}$ .

The addition law is given by $(e,f),(g,h) \mapsto \left(\frac{eh%2Bfg}{1%2Bdegfh},\frac{fh-aeg}{1-degfh}\right)$ . The point (0,1) is its neutral element and the negative of $(e,f)$ is $(-e,f)$ . The other representations are defined similar to how the projective Weierstrass curve follows from the affine.

Any elliptic curve in Edwards form has a point of order 4. So the torsion group of an Edwards curve over $\mathbb{Q}$ is isomorphic to either $\mathbb{Z}/4\mathbb{Z}, \mathbb{Z}/8\mathbb{Z}, \mathbb{Z}/12\mathbb{Z}, \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ or $\mathbb{Z}/2\mathbb{Z}\times \mathbb{Z}/8\mathbb{Z}$ .

The most interesting cases for ECM are $\mathbb{Z}/12\mathbb{Z}$ and $\mathbb{Z}/2\mathbb{Z}\times \mathbb{Z}/8\mathbb{Z}$ , since they force the group orders of the curve modulo primes to be divisible by 12 and 16 respectively. The following curves have a torsion group isomorphic to $\mathbb{Z}/12\mathbb{Z}$ :

$x^2%2By^2=1%2Bdx^2y^2$ with point $(a,b)$ where $b \notin\{-2,-1/2,0,\pm1\}, a^2=-(9b^2%2B2b)$ and $d=-(2b%2B1)/(a^2b^2)$
$x^2%2By^2=1%2Bdx^2y^2$ with point $(a,b)$ where $a=\frac{u^2-1}{u^2%2B1}, b=-\frac{(u-a)^2}{u^2%2B1}$ and $d=\frac{(u^2%2B1)^3(u^2-4u%2B1)}{(u-1)^6(u%2B1)^2}, u\notin\{0,\pm1\}.$

Every Edwards curve with a point of order 3 can be written in the ways shown above. Curves with torsion group isomorphic to $\mathbb{Z}/2\mathbb{Z}\times \mathbb{Z}/8\mathbb{Z}$ and $\mathbb{Z}/2\mathbb{Z}\times \mathbb{Z}/8\mathbb{Z}$ can be found on http://eprint.iacr.org/2008/016 page 30-32.

Stage 2

The above text is about the first stage of elliptic curve factorisation. There one hopes to find a prime divisor $p$ such that $sP$ is the neutral element of $E(\mathbb{Z}/p\mathbb{Z})$ . In the second stage one hopes to have found a prime divisor $q$ such that $sP$ has small prime order in $E(\mathbb{Z}/q\mathbb{Z})$ .

We hope the order to be between $B_1$ and $B_2$ , where $B_1$ is determined in stage 1 and $B_2$ is new stage 2 parameter. Checking for a small order of $sP$ , can be done by computing $(ls)P$ modulo $n$ for each prime $l$ .

Success probability using EECM-MPFQ

For speedup techniques using Edward curves and implementation results, see: http://eprint.iacr.org/2008/016 page 30-32.

Hyperelliptic Curve Method (HECM)

There are recent developments in using hyperelliptic curves to factor integers. Cosset shows in his article (of 2010) that one can build a hyperelliptic curve with genus two (so a curve $y^2=f(x)$ with $f$ of degree 5) which gives the same result as using two 'normal' elliptic curves at the same time. By making use of the Kummer Surface calculation is more efficient. The disadvantages of the hyperelliptic curve (versus an elliptic curve) are compensated by this alternative way of calculating. Therefore Cosset roughly claims that using hyperelliptic curves for factorization is no worse than using elliptic curves.

References

^ 50 largest factors found by ECM

Bernstein, D. J.; Birkner, P.; Lange, T.; Peters, C. (2008). "ECM using Edwards curves". ePrint archive 2008/016. http://eprint.iacr.org/2008/016.
Bosma, W.; Hulst, M. P. M. van der (1990). Primality proving with cyclotomy. Ph.D. Thesis, Universiteit van Amsterdam. OCLC 256778332.
Brent, Richard P. (1999). "Factorization of the tenth Fermat number". Mathematics of Computation 68 (225): 429–451. doi:10.1090/S0025-5718-99-00992-8.
Cohen, Henri (1996). A Course in Computational Algebraic Number Theory. New York, Berlin, Heidelberg: Springer-Verlag. ISBN 0-387-55640-0.
Cosset, R. (2010). "Factorization with genus 2 curves". Mathematics of Computation 79 (270): 1191–1208. doi:10.1090/S0025-5718-09-02295-9.
Lenstra, A. K.; Lenstra Jr., H. W., eds (1993). The development of the number field sieve. Lecture Notes in Mathematics. 1554. Berlin: Springer-Verlag. MR 96m:11116.
Lenstra Jr., H. W. (1987). "Factoring integers with elliptic curves". Annals of Mathematics 126 (3): 649–673. JSTOR 1971363. MR 89g:11125.
Pomerance, Carl; Richard Crandall (2001). "Section 7.4: Elliptic curve method". Prime Numbers: A Computational Perspective (1st ed.). Springer. pp. 301–313. ISBN 0-387-94777-9.
Pomerance, Carl (1985). "The quadratic sieve factoring algorithm". Advances in Cryptology, Proc. Eurocrypt '84. Lecture Notes in Computer Science. 209. Berlin: Springer-Verlag. pp. 169–182. MR 87d:11098.
Pomerance, Carl (1996). "A Tale of Two Sieves" (PDF). Notices of the American Mathematical Society 43 (12): 1473–1485. http://www.ams.org/notices/199612/pomerance.pdf.
Silverman, Robert D. (1987). "The Multiple Polynomial Quadratic Sieve". Mathematics of Computation 48 (177): 329–339. doi:10.1090/S0025-5718-1987-0866119-8.
Trappe, W.; Washington, L. C. (2006). Introduction to Cryptography with Coding Theory (Second ed.). Pearson Prentice Hall. ISBN 0-13-186239-1.
Watras, Marcin (2008). Cryptography, Number Analysis, and Very Large Numbers. Bydgoszcz: Wojciechowski-Steinhagen. PL:5324564.

External links

Factorization using the Elliptic Curve Method, a Java applet which uses ECM and switches to the Self-Initializing Quadratic Sieve when it is faster.
GMP-ECM, an efficient implementation of ECM.
ECMNet, an easy client-server implementation that works with several factorization projects.
pyecm, a python implementation of ECM. Much faster with psyco and/or gmpy.
Distributed computing project yoyo@Home Subproject ECM is a program for Elliptic Curve Factorization which is used by a couple of projects to find factors for different kind of numbers.

Number-theoretic algorithms

Primality tests	AKS · APR · Baillie–PSW · ECPP · Elliptic curve · Pocklington · Fermat · Lucas · Lucas–Lehmer · Lucas–Lehmer–Riesel · Proth's theorem · Pépin's · Solovay–Strassen · Miller–Rabin · Trial division

Sieving algorithms	Sieve of Atkin · Sieve of Eratosthenes · Sieve of Sundaram · Wheel factorization

Integer factorization algorithms	CFRAC · Dixon's · ECM · Euler's · Pollard's rho · p − 1 · p + 1 · QS · GNFS · SNFS · rational sieve · Fermat's · Shanks' square forms · Trial division · Shor's

Multiplication algorithms	Ancient Egyptian multiplication · Karatsuba algorithm · Toom–Cook multiplication · Schönhage–Strassen algorithm · Fürer's algorithm

Discrete logarithm algorithms	Baby-step giant-step · Pollard rho · Pollard kangaroo · Pohlig–Hellman · Index calculus · Function field sieve

GCD algorithms	Binary GCD · Euclidean · Extended Euclidean · Lehmer's

Modular square root algorithms	Cipolla · Pocklington's · Tonelli–Shanks

Other algorithms	Chakravala · Cornacchia · integer relation algorithm · integer square root · Modular exponentiation · Schoof's

Italics indicate that algorithm is for numbers of special forms; bold indicates deterministic algorithm for primality tests (current article is always in bold).