Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

21.3 Factoring with Elliptic Curves

Suppose $n = p q$ $n = p q$ is a number we wish to factor. Choose a random elliptic curve mod $n$ $n$ and a point on the curve. In practice, one chooses several (around 14 for numbers around 50 digits; more for larger integers) curves with points and runs the algorithm in parallel.

How do we choose the curve? First, choose a point $P$ $P$ and a coefficient $b .$ $b .$ Then choose $c$ $c$ so that $P$ $P$ lies on the curve $y^{2} = x^{3} + b x + c .$ $y^{2} = x^{3} + b x + c .$ This is much more efficient than choosing $b$ $b$ and $c$ $c$ and then trying to find a point.

For example, let $n = 2773 .$ $n = 2773 .$ Take $P = (1, 3)$ $P = (1, 3)$ and $b = 4 .$ $b = 4 .$ Since we want $3^{2} \equiv 1^{3} + 4 \cdot 1 + c,$ $3^{2} \equiv 1^{3} + 4 \cdot 1 + c,$ we take $c = 4 .$ $c = 4 .$ Therefore, our curve is

\begin{matrix} E : & y^{2} \equiv x^{3} + 4 x + 4 & (\mod 2773) . \end{matrix}

$\begin{matrix} E : & y^{2} \equiv x^{3} + 4 x + 4 & (\mod 2773) . \end{matrix}$

We calculated $2 P = (1771, 705)$ $2 P = (1771, 705)$ in a previous example. Note that during the calculation, we needed to find $6^{- 1} (m o d 2773) .$ $6^{- 1} (m o d 2773) .$ This required that $gcd (6, 2773) = 1$ $gcd (6, 2773) = 1$ and used the extended Euclidean algorithm, which was essentially a gcd calculation.

Now let’s calculate $3 P = 2 P + P .$ $3 P = 2 P + P .$ The line through the points $2 P = (1771, 705)$ $2 P = (1771, 705)$ and $P = (1, 3)$ $P = (1, 3)$ has slope 702/1770. When we try to invert 1770 mod 2773, we find that $gcd (1770, 2773) = 59,$ $gcd (1770, 2773) = 59,$ so we cannot do this. So what do we do? Our original goal was to factor 2773, so we don’t need to do anything more. We have found the factor 59, which yields the factorization $2773 = 59 \cdot 47 .$ $2773 = 59 \cdot 47 .$

Here’s what happened. Using the Chinese remainder theorem, we can regard $E$ $E$ as a pair of elliptic curves, one mod 59 and the other mod 47. It turns out that $3 P = ∞ (m o d 59),$ $3 P = ∞ (m o d 59),$ while $4 P = ∞ (m o d 47) .$ $4 P = ∞ (m o d 47) .$ Therefore, when we tried to compute $3 P,$ $3 P,$ we had a slope that was infinite mod 59 but finite mod 47. In other words, we had a denominator that was 0 mod 59 but nonzero mod 47. Taking the gcd allowed us to isolate the factor 59.

The same type of idea is the basis for many factoring algorithms. If $n = p q,$ $n = p q,$ you cannot separate $p$ $p$ and $q$ $q$ as long as they behave identically. But if you can find something that makes them behave slightly differently, then they can be separated. In the example, the multiples of $P$ $P$ reached $∞$ $∞$ faster mod 59 than mod 47. Since in general the primes $p$ $p$ and $q$ $q$ should act fairly independently of each other, one would expect that for most curves $E (m o d p q)$ $E (m o d p q)$ and points $P,$ $P,$ the multiples of $P$ $P$ would reach $∞$ $∞$ mod $p$ $p$ and mod $q$ $q$ at different times. This will cause the gcd to find either $p$ $p$ or $q .$ $q .$

Usually, it takes several more steps than 3 or 4 to reach $∞$ $∞$ mod $p$ $p$ or mod $q .$ $q .$ In practice, one multiplies $P$ $P$ by a large number with many small prime factors, for example, 10000!. This can be done via successive doubling (the additive analog of successive squaring; see Exercise 21). The hope is that this multiple of $P$ $P$ is $∞$ $∞$ either mod $p$ $p$ or mod $q .$ $q .$ This is very much the analog of the $p - 1$ $p - 1$ method of factoring. However, recall that the $p - 1$ $p - 1$ method (see Section 9.4) usually doesn’t work when $p - 1$ $p - 1$ has a large prime factor. The same type of problem could occur in the elliptic curve method just outlined when the number $m$ $m$ such that $m P$ $m P$ equals $∞$ $∞$ has a large prime factor. If this happens (so the method fails to produce a factor after a while), we simply change to a new curve $E .$ $E .$ This curve will be independent of the previous curve and the value of $m$ $m$ such that $m P = ∞$ $m P = ∞$ should have essentially no relation to the previous $m .$ $m .$ After several tries (or if several curves are treated in parallel), a good curve is often found, and the number $n = p q$ $n = p q$ is factored. In contrast, if the $p - 1$ $p - 1$ method fails, there is nothing that can be changed other than using a different factorization method.

Example

We want to factor $n = 455839 .$ $n = 455839 .$ Choose

\begin{matrix} E : y^{2} \equiv x^{3} + 5 x - 5, & P = (1, 1) . \end{matrix}

$\begin{matrix} E : y^{2} \equiv x^{3} + 5 x - 5, & P = (1, 1) . \end{matrix}$

Suppose we try to compute $10! P .$ $10! P .$ There are many ways to do this. One is to compute $2! P, 3! P = 3 (2! P), 4! P = 4 (3! P), \dots .$ $2! P, 3! P = 3 (2! P), 4! P = 4 (3! P), \dots .$ If we do this, everything is fine through $7! P,$ $7! P,$ but $8! P$ $8! P$ requires inverting $599 (m o d n) .$ $599 (m o d n) .$ Since $gcd (599, n) = 599,$ $gcd (599, n) = 599,$ we can factor $n$ $n$ as $599 \times 761 .$ $599 \times 761 .$

Let’s examine this more closely. A computation shows that $E (m o d 599)$ $E (m o d 599)$ has $640 = 2^{7} \times 5$ $640 = 2^{7} \times 5$ points and $E (m o d 761)$ $E (m o d 761)$ has $777 = 3 \times 7 \times 37$ $777 = 3 \times 7 \times 37$ points. Moreover, 640 is the smallest positive $m$ $m$ such that $m P = ∞$ $m P = ∞$ on $E (m o d 599),$ $E (m o d 599),$ and 777 is the smallest positive $m$ $m$ such that $m P = ∞$ $m P = ∞$ on $E (m o d 761) .$ $E (m o d 761) .$ Since $8!$ $8!$ is a multiple of 640, it is easy to see that $8! P = ∞$ $8! P = ∞$ on $E (m o d 599),$ $E (m o d 599),$ as we calculated. Since $8!$ $8!$ is not a multiple of $777,$ $777,$ it follows that $8! P \neq ∞$ $8! P \neq ∞$ on $E (m o d 761) .$ $E (m o d 761) .$ Recall that we obtain $∞$ $∞$ when we divide by 0, so calculating $8! P$ $8! P$ asked us to divide by $0 (m o d 599) .$ $0 (m o d 599) .$ This is why we found the factor 599.

For more examples, see Examples 45 and 46 in the Computer Appendices.

In general, consider an elliptic curve $E (m o d p)$ $E (m o d p)$ for some prime $p .$ $p .$ The smallest positive $m$ $m$ such that $m P = ∞$ $m P = ∞$ on this curve divides the number $N$ $N$ of points on $E (m o d p)$ $E (m o d p)$ (if you know group theory, you’ll recognize this as a corollary of Lagrange’s theorem), so $N P = ∞ .$ $N P = ∞ .$ Quite often, $m$ $m$ will be $N$ $N$ or a large divisor of $N .$ $N .$ In any case, if $N$ $N$ is a product of small primes, then $B!$ $B!$ will be a multiple of $N$ $N$ for a reasonably small value of $B .$ $B .$ Therefore, $B! P = ∞ .$ $B! P = ∞ .$

A number that has only small prime factors is called smooth. More precisely, if all the prime factors of an integer are less than or equal to $B,$ $B,$ then it is called B-smooth. This concept played a role in the $x^{2} \equiv y^{2}$ $x^{2} \equiv y^{2}$ method and the $p - 1$ $p - 1$ factoring method (Section 9.4), and the index calculus attack on discrete logarithms (Section 10.2).

Recall from Hasse’s theorem that $N$ $N$ is an integer near $p .$ $p .$ It is possible to show that the density of smooth integers is large enough (we’ll leave small and large undefined here) that if we choose a random elliptic curve $E (m o d p),$ $E (m o d p),$ then there is a reasonable chance that the number $N$ $N$ is smooth. This means that the elliptic curve factorization method should find $p$ $p$ for this choice of the curve. If we try several curves $E (m o d n),$ $E (m o d n),$ where $n = p q,$ $n = p q,$ then it is likely that at least one of the curves $E (m o d p)$ $E (m o d p)$ or $E (m o d q)$ $E (m o d q)$ will have its number of points being smooth.

In summary, the advantage of the elliptic curve factorization method over the $p - 1$ $p - 1$ method is the following. The $p - 1$ $p - 1$ method requires that $p - 1$ $p - 1$ is smooth. The elliptic curve method requires only that there are enough smooth numbers near $p$ $p$ so that at least one of some randomly chosen integers near $p$ $p$ is smooth. This means that elliptic curve factorization succeeds much more often than the $p - 1$ $p - 1$ method.

The elliptic curve method seems to be best suited for factoring numbers of medium size, say around 40 or 50 digits. These numbers are no longer used for the security of factoring-based systems such as RSA, but it is sometimes useful in other situations to have a fast factorization method for such numbers. Also, the elliptic curve method is effective when a large number has a small prime factor, say of 10 or 20 decimal digits. For large numbers where the prime factors are large, the quadratic sieve and number field sieve are superior (see Section 9.4).

21.3.1 Singular Curves

In practice, the case where the cubic polynomial $x^{3} + b x + c$ $x^{3} + b x + c$ has multiple roots rarely arises. But what happens if it does? Does the factorization algorithm still work? The discriminant $4 b^{3} + 27 c^{2}$ $4 b^{3} + 27 c^{2}$ is zero if and only if there is a multiple root (this is the cubic analog of the fact that $a x^{2} + b x + c$ $a x^{2} + b x + c$ has a double root if and only if $b^{2} - 4 a c = 0$ $b^{2} - 4 a c = 0$ ). Since we are working mod $n = p q,$ $n = p q,$ the result says that there is a multiple root mod $n$ $n$ if and only if the discriminant is 0 mod $n .$ $n .$ Since $n$ $n$ is composite, there is also the intermediate case where the gcd of $n$ $n$ and the discriminant is neither 1 nor $n .$ $n .$ But this gives a nontrivial factor of $n,$ $n,$ so we can stop immediately in this case.

Example

Let’s look at an example:

y^{2} = x^{3} - 3 x + 2 = (x - 1)^{2} (x + 2) .

$y^{2} = x^{3} - 3 x + 2 = (x - 1)^{2} (x + 2) .$

Given a point $P = (x, y)$ $P = (x, y)$ on this curve, we associate the number

(y + \sqrt{3} (x - 1)) / (y - \sqrt{3} (x - 1)) .

$(y + \sqrt{3} (x - 1)) / (y - \sqrt{3} (x - 1)) .$

It can be shown that adding the points on the curve corresponds to multiplying the corresponding numbers. The formulas still work, as long as we don’t use the point $(1, 0) .$ $(1, 0) .$ Where does this come from? The two lines tangent to the curve at $(1, 0)$ $(1, 0)$ are $y + \sqrt{3} (x - 1) = 0$ $y + \sqrt{3} (x - 1) = 0$ and $y - \sqrt{3} (x - 1) = 0 .$ $y - \sqrt{3} (x - 1) = 0 .$ This number is simply the ratio of these two expressions.

Since we need to work mod $n,$ $n,$ we give an example mod 143. We choose 143 since 3 is a square mod 143; in fact, $82^{2} \equiv 3 (m o d 143) .$ $82^{2} \equiv 3 (m o d 143) .$ If this were not the case, things would become more technical with this curve. We could easily rectify the situation by choosing a new curve.

Consider the point $P = (- 1, 2)$ $P = (- 1, 2)$ on $y^{2} = x^{3} - 3 x + 2 (m o d 143) .$ $y^{2} = x^{3} - 3 x + 2 (m o d 143) .$ Look at its multiples:

\begin{matrix} P = (- 1, 2), & 2 P = (2, 141), & 3 P = (112, 101), & 4 P = (10, 20) . \end{matrix}

$\begin{matrix} P = (- 1, 2), & 2 P = (2, 141), & 3 P = (112, 101), & 4 P = (10, 20) . \end{matrix}$

When trying to compute $5 P,$ $5 P,$ we find the factor 11 of 143.

Recall that we are assigning numbers to each point on the curve, other than (1,1). Since we are working mod 143, we use 82 in place of $\sqrt{3} .$ $\sqrt{3} .$ Therefore, the number corresponding to $(- 1, 2)$ $(- 1, 2)$ is $(2 + 82 (- 1 - 1)) / (2 - 82 (- 1 - 1)) = 80 (m o d 143) .$ $(2 + 82 (- 1 - 1)) / (2 - 82 (- 1 - 1)) = 80 (m o d 143) .$ We can compute the numbers for all the points above:

\begin{matrix} P \leftrightarrow 80, & 2 P \leftrightarrow 108, & 3 P \leftrightarrow 60, & 4 P \leftrightarrow 81. \end{matrix}

$\begin{matrix} P \leftrightarrow 80, & 2 P \leftrightarrow 108, & 3 P \leftrightarrow 60, & 4 P \leftrightarrow 81. \end{matrix}$

Let’s compare with the powers of 80 mod 143:

\begin{array}{l} 80^{1} \equiv 80, & 80^{2} \equiv 108, & 80^{3} \equiv 60, & 80^{4} \equiv 81, & 80^{5} \equiv 45. \end{array}

$\begin{array}{l} 80^{1} \equiv 80, & 80^{2} \equiv 108, & 80^{3} \equiv 60, & 80^{4} \equiv 81, & 80^{5} \equiv 45. \end{array}$

We get the same numbers. This is simply the fact mentioned previously that the addition of points on the curve corresponds to multiplication of the corresponding numbers. Moreover, note that $45 \equiv 1 (m o d 11),$ $45 \equiv 1 (m o d 11),$ but not mod 13. This corresponds to the fact that 5 times the point $(- 1, 2)$ $(- 1, 2)$ is $∞$ $∞$ mod 11 but not mod 13. Note that 1 is the multiplicative identity for multiplication mod 11, while $∞$ $∞$ is the additive identity for addition on the curve.

It is easy to see from the preceding that factorization using the curve $y^{2} = x^{3} - 3 x + 2$ $y^{2} = x^{3} - 3 x + 2$ is essentially the same as using the classical $p - 1$ $p - 1$ factorization method (see Section 9.4).

In the preceding example, the cubic equation had a double root. An even worse possibility is the cubic having a triple root. Consider the curve

y^{2} = x^{3} .

$y^{2} = x^{3} .$

To a point $(x, y) \neq (0, 0)$ $(x, y) \neq (0, 0)$ on this curve, associate the number $x / y .$ $x / y .$ Let’s start with the point $P = (1, 1)$ $P = (1, 1)$ and compute its multiples:

\begin{matrix} P = (1, 1), & 2 P = (\frac{1}{4}, \frac{1}{8}), & 3 P = (\frac{1}{9}, \frac{1}{27}), \dots, & m P = (\frac{1}{m^{2}}, \frac{1}{m^{3}}) . \end{matrix}

$\begin{matrix} P = (1, 1), & 2 P = (\frac{1}{4}, \frac{1}{8}), & 3 P = (\frac{1}{9}, \frac{1}{27}), \dots, & m P = (\frac{1}{m^{2}}, \frac{1}{m^{3}}) . \end{matrix}$

Note that the corresponding numbers $x / y$ $x / y$ are $1, 2, 3, \dots, m .$ $1, 2, 3, \dots, m .$ Adding the points on the curve corresponds to adding the numbers $x / y .$ $x / y .$

If we are using the curve $y^{2} = x^{3}$ $y^{2} = x^{3}$ to factor $n,$ $n,$ we need to change the points $m P$ $m P$ to integers mod $n,$ $n,$ which requires finding inverses for $m^{2}$ $m^{2}$ and $m^{3}$ $m^{3}$ mod $n .$ $n .$ This is done by the extended Euclidean algorithm, which is essentially a gcd computation. We find a factor of $n$ $n$ when $gcd (m, n) \neq 1 .$ $gcd (m, n) \neq 1 .$ Therefore, this method is essentially the same as computing in succession $gcd (2, n), gcd (3, n), gcd (4, n), \dots$ $gcd (2, n), gcd (3, n), gcd (4, n), \dots$ until a factor is found. This is a slow version of trial division, the oldest factorization technique known. Of course, in the elliptic curve factorization algorithm, a large multiple $(B!) P$ $(B!) P$ of $P$ $P$ is usually computed. This is equivalent to factoring by computing $gcd (B!, n),$ $gcd (B!, n),$ a method that is often used to test for prime factors up to $B .$ $B .$

In summary, we see that the $p - 1$ $p - 1$ method and trial division are included in the elliptic curve factorization algorithm if we allow singular curves.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for 21.3 Factoring with Elliptic Curves

Create new playlist

Sign In

Sign Up

Table of Contents for
21.3 Factoring with Elliptic Curves