Practically speaking, ECM is considered a special-purpose factoring algorithm, as it is most suitable for finding small factors. Currently, it is still the best algorithm for divisors not exceeding 50 to 60 digits, as its running time is dominated by the size of the smallest factor p rather than by the size of the number n to be factored. Frequently, ECM is used to remove small factors from a very large integer with many factors; if the remaining integer is still composite, then it has only large factors and is factored using general-purpose techniques. The largest factor found using ECM so far has 83 decimal digits and was discovered on 7 September 2013 by R. Propper.[1] Increasing the number of curves tested improves the chances of finding a factor, but the number of curves needed grows faster than linearly with the number of digits of the factor sought.
Algorithm
The Lenstra elliptic-curve factorization method to find a factor of a given natural number n works as follows:
Pick a random elliptic curve over Z/nZ (the integers modulo n), with equation of the form y² = x³ + ax + b (mod n), together with a non-trivial point P(x₀, y₀) on it.
This can be done by first picking random x₀, y₀, a ∈ Z/nZ, and then setting b = y₀² − x₀³ − ax₀ (mod n) to assure the point is on the curve.
One can define addition of two points on the curve, to define a group. The addition laws are given in the article on elliptic curves.
We can form repeated multiples of a point P: [k]P = P + P + ⋯ + P (k summands). The addition formulae involve taking the modular slope of a chord joining P and Q, and thus division between residue classes modulo n, performed using the extended Euclidean algorithm. In particular, division by some v (mod n) includes calculation of gcd(v, n).
Assuming we calculate a slope of the form u/v with gcd(u, v) = 1, then if v ≡ 0 (mod n), the result of the point addition will be ∞, the point "at infinity" corresponding to the intersection of the "vertical" line joining P(x, y) and P′(x, −y) and the curve. However, if gcd(v, n) is neither 1 nor n, then the point addition will not produce a meaningful point on the curve; but, more importantly, gcd(v, n) is a non-trivial factor of n.
Compute eP on the elliptic curve (mod n), where e is a product of many small numbers: say, a product of small primes raised to small powers, as in the p − 1 algorithm, or the factorial B! for some not too large B. This can be done efficiently, one small factor at a time. Say, to get B!P, first compute 2P, then 3(2P), then 4(3!P), and so on. B is picked to be small enough so that B-wise point addition can be performed in reasonable time.
If we finish all the calculations above without encountering non-invertible elements (mod n), it means that the elliptic curves' (modulo primes) order is not smooth enough, so we need to try again with a different curve and starting point.
If we encounter a gcd(v, n) ≠ 1, n we are done: it is a non-trivial factor of n.
The time complexity depends on the size of the number's smallest prime factor and can be represented by exp[(√2 + o(1)) √(ln p ln ln p)], where p is the smallest factor of n, or L_p[1/2, √2] in L-notation.
Explanation
If p and q are two prime divisors of n, then y² = x³ + ax + b (mod n) implies the same equation also modulo p and modulo q. These two smaller elliptic curves with the point addition are now genuine groups. If these groups have N_p and N_q elements, respectively, then for any point P on the original curve, by Lagrange's theorem, k > 0 minimal such that kP = ∞ on the curve modulo p implies that k divides N_p; moreover, N_pP = ∞. The analogous statement holds for the curve modulo q. When the elliptic curve is chosen randomly, then N_p and N_q are random numbers close to p + 1 and q + 1, respectively (see below). Hence it is unlikely that most of the prime factors of N_p and N_q are the same, and it is quite likely that while computing eP, we will encounter some kP that is ∞ modulo p but not modulo q, or vice versa. When this is the case, kP does not exist on the original curve, and in the computations we found some v with either gcd(v, p) = p or gcd(v, q) = q, but not both. That is, gcd(v, n) gave a non-trivial factor of n.
ECM is at its core an improvement of the older p − 1 algorithm. The p − 1 algorithm finds prime factors p such that p − 1 is b-powersmooth for small values of b. For any e, a multiple of p − 1, and any a relatively prime to p, by Fermat's little theorem we have aᵉ ≡ 1 (mod p). Then gcd(aᵉ − 1, n) is likely to produce a factor of n. However, the algorithm fails when p − 1 has large prime factors, as is the case for numbers containing strong primes, for example.
The order of the group of an elliptic curve over Zp varies (quite randomly) between p + 1 − 2√p and p + 1 + 2√p by Hasse's theorem, and is likely to be smooth for some elliptic curves. Although there is no proof that a smooth group order will be found in the Hasse-interval, by using heuristic probabilistic methods, the Canfield–Erdős–Pomerance theorem with suitably optimized parameter choices, and the L-notation, we can expect to try L[√2/2, √2] curves before getting a smooth group order. This heuristic estimate is very reliable in practice.
We want to factor n = 455839. Let's choose the elliptic curve y² = x³ + 5x − 5, with the point P = (1, 1) on it, and let's try to compute (10!)P.
The slope of the tangent line at some point A = (x, y) is s = (3x² + 5)/(2y) (mod n). Using s we can compute 2A. If the value of s is of the form a/b where b > 1 and gcd(a, b) = 1, we have to find the modular inverse of b. If it does not exist, gcd(n, b) is a non-trivial factor of n.
First we compute 2P. We have s(P) = s(1, 1) = 4, so the coordinates of 2P = (x′, y′) are x′ = s² − 2x = 14 and y′ = s(x − x′) − y = 4(1 − 14) − 1 = −53, all numbers understood (mod n). Just to check that this 2P is indeed on the curve: (−53)² = 2809 = 14³ + 5·14 − 5.
Then we compute 3(2P). We have s(2P) = s(14, −53) = −593/106 (mod n). Using the Euclidean algorithm: 455839 = 4300·106 + 39, then 106 = 2·39 + 28, then 39 = 28 + 11, then 28 = 2·11 + 6, then 11 = 6 + 5, then 6 = 5 + 1. Hence gcd(455839, 106) = 1, and working backwards (a version of the extended Euclidean algorithm): 1 = 6 − 5 = 2·6 − 11 = 2·28 − 5·11 = 7·28 − 5·39 = 7·106 − 19·39 = 81707·106 − 19·455839. Hence 106⁻¹ = 81707 (mod 455839), and −593/106 = −133317 (mod 455839). Given this s, we can compute the coordinates of 2(2P), just as we did above: 4P = (259851, 116255). Just to check that this is indeed a point on the curve: y² = 54514 = x³ + 5x − 5 (mod 455839). After this, we can compute 3(2P) = 4P + 2P.
We can similarly compute 4!P, and so on, but 8!P requires inverting 599 (mod 455839). The Euclidean algorithm gives that 455839 is divisible by 599, and we have found a factorization 455839 = 599·761.
The reason that this worked is that the curve (mod 599) has 640 = 2⁷·5 points, while (mod 761) it has 777 = 3·7·37 points. Moreover, 640 and 777 are the smallest positive integers k such that kP = ∞ on the curve (mod 599) and (mod 761), respectively. Since 8! is a multiple of 640 but not a multiple of 777, we have 8!P = ∞ on the curve (mod 599), but not on the curve (mod 761), hence the repeated addition broke down here, yielding the factorization.
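The following is an added example, not code from the original article: a small Python implementation of the stage 1 described above, in the affine coordinates of the worked example. The curve arithmetic is the chord-and-tangent law; every division goes through a helper that raises with gcd(v, n) instead of returning an inverse when none exists, which is exactly the event the algorithm is waiting for. `factorial_stage1` reproduces the page's computation of (8!)P on y² = x³ + 5x − 5 (mod 455839) and stops with the divisor 599; `stage1` uses prime powers up to a bound B instead of a factorial, as in the p − 1 method; `ecm` tries random curves through random points. All function names are this example's own.

```python
"""Lenstra ECM, stage 1, in affine Weierstrass coordinates (added example)."""
from math import gcd
import random


class FactorFound(Exception):
    """Raised when a modular inverse fails: carries gcd(v, n)."""

    def __init__(self, d):
        super().__init__(f"non-trivial gcd {d}")
        self.d = d


def inv_or_factor(v, n):
    """Return v^-1 mod n, or raise FactorFound(gcd(v, n)) when there is none."""
    g = gcd(v % n, n)
    if g != 1:
        raise FactorFound(g)          # g == n is possible; the caller discards that case
    return pow(v, -1, n)


def ec_add(P, Q, a, n):
    """Chord-and-tangent addition on y^2 = x^3 + a*x + b over Z/nZ.

    None stands for the point at infinity. Every division goes through
    inv_or_factor, so a denominator that is 0 modulo some prime p | n (but
    not modulo n) surfaces as the factor p instead of garbage coordinates.
    """
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % n == 0:
        if (y1 + y2) % n == 0:
            return None                                  # Q = -P
        if (y1 - y2) % n != 0:
            # same x, y1 != +-y2 mod n: (y1 - y2)(y1 + y2) = 0 mod n splits n
            raise FactorFound(gcd(y1 - y2, n))
        s = (3 * x1 * x1 + a) * inv_or_factor(2 * y1, n) % n   # tangent slope
    else:
        s = (y2 - y1) * inv_or_factor(x2 - x1, n) % n          # chord slope
    x3 = (s * s - x1 - x2) % n
    y3 = (s * (x1 - x3) - y1) % n
    return (x3, y3)


def ec_mul(k, P, a, n):
    """k*P by double-and-add."""
    R = None
    while k > 0:
        if k & 1:
            R = ec_add(R, P, a, n)
        k >>= 1
        if k:
            P = ec_add(P, P, a, n)
    return R


def primes_up_to(B):
    """Primes <= B by trial division (B is small in ECM stage 1)."""
    return [q for q in range(2, B + 1)
            if all(q % t for t in range(2, int(q ** 0.5) + 1))]


def _run(n, multipliers, a, P):
    """Multiply P by each multiplier in turn; report a non-trivial gcd if one appears."""
    try:
        for m in multipliers:
            P = ec_mul(m, P, a, n)
            if P is None:            # infinity modulo every prime at once: curve useless
                return None
    except FactorFound as f:
        if 1 < f.d < n:
            return f.d
    return None


def factorial_stage1(n, a, P, kmax):
    """The textbook variant of the worked example: (kmax!)P as 2P, 3(2P), 4(3!P), ..."""
    return _run(n, range(2, kmax + 1), a, P)


def stage1(n, a, P, B):
    """Stage 1 proper: multiply by the largest power of each prime q <= B that is <= B."""
    def powers():
        for q in primes_up_to(B):
            e = q
            while e * q <= B:
                e *= q
            yield e
    return _run(n, powers(), a, P)


def ecm(n, B=200, curves=100, seed=7):
    """Try random curves y^2 = x^3 + a x + b chosen to pass through a random point."""
    rng = random.Random(seed)
    for _ in range(curves):
        x0, y0, a = rng.randrange(n), rng.randrange(n), rng.randrange(n)
        b = (y0 * y0 - x0 ** 3 - a * x0) % n
        g = gcd(4 * a ** 3 + 27 * b * b, n)           # reject singular curves
        if 1 < g < n:
            return g
        if g == n:
            continue
        d = stage1(n, a, (x0, y0), B)
        if d:
            return d
    return None
```

`ec_mul(2, (1, 1), 5, 455839)` returns (14, 455786), i.e. the page's 2P = (14, −53), and `factorial_stage1(455839, 5, (1, 1), 8)` returns 599 while the same call with 7 returns None, matching the observation that 7! is not a multiple of 640 but 8! is. The ladder in `ec_mul` visits different intermediate multiples than the page's hand computation, so the failing inversion happens at a different step, but it fails on the same prime for the same reason.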
The algorithm with projective coordinates
Before considering the projective plane over Z/nZ, first consider a 'normal' projective space over R: instead of points, lines through the origin are studied. A line may be represented as a non-zero point (x, y, z), under an equivalence relation ~ given by: (x, y, z) ~ (x′, y′, z′) ⇔ ∃ c ≠ 0 such that x′ = cx, y′ = cy and z′ = cz. Under this equivalence relation, the space is called the projective plane P²; points, denoted by (x : y : z), correspond to lines in a three-dimensional space that pass through the origin. Note that the point (0, 0, 0) does not exist in this space, since to draw a line in any possible direction requires at least one of x′, y′ or z′ ≠ 0. Now observe that almost all lines go through any given reference plane, such as the (X, Y, 1)-plane, whilst the lines precisely parallel to this plane, having coordinates (X, Y, 0), specify directions uniquely, as 'points at infinity' that are used in the affine (X, Y)-plane it lies above.
In the algorithm, only the group structure of an elliptic curve over the field R is used. Since we do not necessarily need the field R, a finite field will also provide a group structure on an elliptic curve. However, considering the same curve and operation over Z/nZ with n not a prime does not give a group. The Elliptic Curve Method makes use of the failure cases of the addition law.
We now state the algorithm in projective coordinates. The neutral element is then given by the point at infinity (0 : 1 : 0). Let n be a (positive) integer and consider the elliptic curve (a set of points with some structure on it) E(Z/nZ) = {(x : y : z) ∈ P²(Z/nZ) : y²z = x³ + axz² + bz³}.
Pick x₀, y₀, a ∈ Z/nZ with a ≠ 0.
Calculate b = y₀² − x₀³ − ax₀. The elliptic curve E is then in Weierstrass form given by y² = x³ + ax + b, and by using projective coordinates the elliptic curve is given by the homogeneous equation ZY² = X³ + aXZ² + bZ³. It has the point P = (x₀ : y₀ : 1).
Choose an upper bound B ∈ Z for this elliptic curve. Remark: you will only find factors p if the group order of the elliptic curve E over Z/pZ (denoted by #E(Z/pZ)) is B-smooth, which means that all prime factors of #E(Z/pZ) have to be less than or equal to B.
Calculate k = lcm(1, …, B).
Calculate kP := P + P + ⋯ + P (k times) in the ring Z/nZ. Note that if #E(Z/nZ) is B-smooth and n is prime (and therefore Z/nZ is a field), then kP = (0 : 1 : 0). However, if only #E(Z/pZ) is B-smooth for some divisor p of n, the product might not be (0 : 1 : 0), because addition and multiplication are not well-defined if n is not prime. In this case, a non-trivial divisor can be found.
If no non-trivial divisor appears, go back to step 2 with a new curve. If one does appear, you will notice it when simplifying the product kP.
In step 5 it is said that under the right circumstances a non-trivial divisor can be found. As pointed out in Lenstra's article (Factoring Integers with Elliptic Curves), the addition needs the assumption gcd(x₁ − x₂, n) = 1. If P = (x₁ : y₁ : z₁) and Q = (x₂ : y₂ : z₂) are not (0 : 1 : 0) and are distinct (otherwise addition works similarly, but is a little different), then addition works as follows: first form the numerator and the denominator of the chord slope from the coordinates of P and Q, then compute the coordinates of P + Q = (x₃ : y₃ : z₃) from them. Every step is a polynomial expression in the inputs except for one division by the slope denominator.
If addition fails, this will be due to a failure calculating that division. In particular, the denominator cannot always be inverted if n is not prime (and therefore Z/nZ is not a field). Without making use of Z/nZ being a field, one could instead carry the denominator along in the z-coordinate: compute x₃, y₃ and z₃ as polynomial expressions with no division at all, and simplify if possible.
This calculation is always legal, and if the gcd of the z-coordinate with n is neither 1 nor n, so when simplifying fails, a non-trivial divisor of n is found.
The use of Edwards curves needs fewer modular multiplications and less time than the use of Montgomery curves or Weierstrass curves (the other forms in use). Using Edwards curves you can also find more primes.
Definition. Let K be a field in which 2 ≠ 0, and let a, d ∈ K with a, d ≠ 0 and a ≠ d. Then the twisted Edwards curve E_{E,a,d} is given by ax² + y² = 1 + dx²y². An Edwards curve is a twisted Edwards curve in which a = 1.
There are five known ways to build a set of points on an Edwards curve: the set of affine points, the set of projective points, the set of inverted points, the set of extended points and the set of completed points.
The set of affine points is given by:
{(x, y) ∈ K × K : ax² + y² = 1 + dx²y²}.
The addition law is given by
(x₁, y₁) + (x₂, y₂) = ((x₁y₂ + y₁x₂)/(1 + dx₁x₂y₁y₂), (y₁y₂ − ax₁x₂)/(1 − dx₁x₂y₁y₂)).
The point (0, 1) is its neutral element and the inverse of (x, y) is (−x, y).
The other representations are defined similar to how the projective Weierstrass curve follows from the affine.
Any elliptic curve in Edwards form has a point of order 4: the point (1, 0) doubles to (0, −1), which in turn doubles to the neutral element (0, 1). So the torsion group of an Edwards curve over Q is isomorphic to either Z/4Z, Z/8Z, Z/12Z, Z/2Z × Z/4Z or Z/2Z × Z/8Z.
The most interesting cases for ECM are Z/12Z and Z/2Z × Z/8Z, since they force the group orders of the curve modulo primes to be divisible by 12 and 16 respectively. The following curves have a torsion group isomorphic to Z/12Z:
with point where and
with point where and
Every Edwards curve with a point of order 3 can be written in the ways shown above. Curves with torsion group isomorphic to Z/2Z × Z/8Z and Z/2Z × Z/4Z may be more efficient at finding primes.[2]
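An added example, not code from the original article or from the EECM implementation it cites, showing the Edwards material above in working form: the affine addition law on ax² + y² = 1 + dx²y² over Z/nZ, a brute-force check over the small prime field Z/13Z that (1, 0) has order 4, (0, −1) has order 2 and the affine point count is divisible by 4, and an ECM stage 1 on Edwards curves. On an Edwards curve the neutral element is (0, 1), not a point at infinity, so the factor is detected by gcd(x, n) once the running multiple of P has become (0, 1) modulo one prime factor but not modulo n (a division by a non-invertible 1 ± dx₁x₂y₁y₂ is caught the same way). The random-curve driver takes a = 1 and solves d from the curve equation so that the chosen point lies on the curve; the curve parameter d = 2 over Z/13Z and the function names are this example's own choices.

```python
"""Twisted Edwards curves for ECM: addition law, the order-4 point, and
factor detection through gcd(x, n) (added example)."""
from math import gcd
import random


class FactorFound(Exception):
    def __init__(self, d):
        super().__init__(f"non-trivial gcd {d}")
        self.d = d


def inv(v, n):
    """v^-1 mod n; raises FactorFound(gcd(v, n)) if v is not invertible."""
    g = gcd(v % n, n)
    if g != 1:
        raise FactorFound(g)
    return pow(v, -1, n)


def ed_add(P, Q, a, d, n):
    """(x1, y1) + (x2, y2) on a x^2 + y^2 = 1 + d x^2 y^2 over Z/nZ.
    The same formula doubles a point; (0, 1) is the neutral element."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % n
    x3 = (x1 * y2 + y1 * x2) * inv(1 + t, n) % n
    y3 = (y1 * y2 - a * x1 * x2) * inv(1 - t, n) % n
    return (x3, y3)


def ed_mul(k, P, a, d, n):
    """k*P by double-and-add, starting from the neutral element (0, 1)."""
    R = (0, 1)
    while k > 0:
        if k & 1:
            R = ed_add(R, P, a, d, n)
        k >>= 1
        if k:
            P = ed_add(P, P, a, d, n)
    return R


def point_order(P, a, d, p):
    """Order of P over the prime field Z/pZ by repeated addition (small p only).
    Returns None if (0, 1) is not reached within the Hasse bound."""
    R = P
    for k in range(1, p + 2 * int(p ** 0.5) + 2):
        if R == (0, 1):
            return k
        R = ed_add(R, P, a, d, p)
    return None


def count_affine_points(a, d, p):
    """Number of affine solutions over Z/pZ; this is the group order when d is a non-square mod p."""
    return sum(1 for x in range(p) for y in range(p)
               if (a * x * x + y * y - 1 - d * x * x * y * y) % p == 0)


def primes_up_to(B):
    return [q for q in range(2, B + 1) if all(q % t for t in range(2, int(q ** 0.5) + 1))]


def edwards_stage1(n, a, d, P, B):
    """Multiply P by every prime power <= B. A factor p | n shows up either as a
    failed division inside ed_add or, once kP is (0, 1) modulo p but not modulo
    n, as a non-trivial gcd(x, n), because the neutral element has x = 0."""
    try:
        for q in primes_up_to(B):
            e = q
            while e * q <= B:
                e *= q
            P = ed_mul(e, P, a, d, n)
            g = gcd(P[0], n)
            if 1 < g < n:
                return g
            if g == n:                 # neutral modulo every prime factor at once
                return None
    except FactorFound as f:
        if 1 < f.d < n:
            return f.d
    return None


def edwards_ecm(n, B=200, curves=100, seed=3):
    """Random Edwards curves (a = 1) through a random affine point; d is solved
    from the curve equation so that (x0, y0) lies on it."""
    rng = random.Random(seed)
    for _ in range(curves):
        x0, y0 = rng.randrange(1, n), rng.randrange(1, n)
        try:
            d = (x0 * x0 + y0 * y0 - 1) * inv(x0 * x0 * y0 * y0, n) % n
        except FactorFound as f:
            if 1 < f.d < n:
                return f.d
            continue
        if d in (0, 1):                # degenerate parameters, not an Edwards curve
            continue
        f = edwards_stage1(n, 1, d, (x0, y0), B)
        if f:
            return f
    return None
```

Over Z/13Z with d = 2 (a non-square mod 13, so the affine points form the whole group) the curve has 8 affine points, `point_order((1, 0), 1, 2, 13)` is 4 and `point_order((0, 12), 1, 2, 13)` is 2, which is the order-4 torsion the text describes. `edwards_ecm(455839)` splits the page's example modulus.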
Stage 2
The above text is about the first stage of elliptic curve factorisation. There one hopes to find a prime divisor p such that sP is the neutral element of E(Z/pZ), where s is the product of the prime powers (or the lcm) used in stage 1.
In the second stage one hopes to have found a prime divisor q such that sP has small prime order in E(Z/qZ).
We hope the order to be between B1 and B2, where B1 is determined in stage 1 and B2 is a new stage 2 parameter.
Checking for a small order of sP can be done by computing (l·s)P modulo n for each prime l with B1 < l ≤ B2.
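The following is an added example, not code from the original article, covering two passages above: the projective-coordinate variant of the algorithm, where no division is ever performed and the divisor is read off as gcd(Z, n), and the stage 2 just described, in its direct form. The addition and doubling formulas are the standard projective versions of the chord and tangent formulas for Y²Z = X³ + aXZ² + bZ³ (written out here because this copy of the text does not carry them); the page's own claim that a failed division "leaves a factor in the Z-coordinate" is what the gcd check relies on. `stage1` multiplies by prime powers up to B1 and tests gcd(Z, n) after each prime; `stage2` multiplies the stage-1 result Q by each prime l in (B1, B2] and tests again. Production implementations organise stage 2 far more cheaply (baby-step/giant-step and polynomial methods); this one is the literal form of the description above. The functions `z_gcd` and `ecm_two_stage`, and the choice B1 = 13, B2 = 100 for the page's curve, are this example's own.

```python
"""ECM in projective Weierstrass coordinates: no inversions, one gcd per step (added example)."""
from math import gcd

INF = (0, 1, 0)   # the neutral element (0:1:0)


def proj_double(P, a, n):
    """2P for P = (X:Y:Z) on Y^2 Z = X^3 + a X Z^2 + b Z^3 over Z/nZ (no division)."""
    X1, Y1, Z1 = P
    t = (3 * X1 * X1 + a * Z1 * Z1) % n      # numerator of the tangent slope
    u = (2 * Y1 * Z1) % n                    # its denominator: 0 mod p exactly when Y1 = 0 mod p
    w = (t * t - 8 * X1 * Y1 * Y1 * Z1) % n
    X3 = (u * w) % n
    Y3 = (t * (4 * X1 * Y1 * Y1 * Z1 - w) - 8 * Y1 ** 4 * Z1 * Z1) % n
    Z3 = pow(u, 3, n)                        # the denominator is kept here instead of inverted
    return (X3, Y3, Z3)


def proj_add(P, Q, a, n):
    """P + Q in projective coordinates. A chord denominator that vanishes
    modulo a prime p | n leaves a factor of p inside Z3."""
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    if Z1 % n == 0:
        return Q
    if Z2 % n == 0:
        return P
    u = (Y2 * Z1 - Y1 * Z2) % n              # chord slope numerator
    v = (X2 * Z1 - X1 * Z2) % n              # chord slope denominator
    if v == 0:                               # same x modulo n: P = Q or P = -Q
        return proj_double(P, a, n) if u == 0 else INF
    vv = v * v % n
    vvv = vv * v % n
    w = (u * u * Z1 * Z2 - vvv - 2 * vv * X1 * Z2) % n
    X3 = (v * w) % n
    Y3 = (u * (vv * X1 * Z2 - w) - vvv * Y1 * Z2) % n
    Z3 = (vvv * Z1 * Z2) % n
    return (X3, Y3, Z3)


def proj_mul(k, P, a, n):
    """k*P by double-and-add."""
    R = INF
    while k > 0:
        if k & 1:
            R = proj_add(R, P, a, n)
        k >>= 1
        if k:
            P = proj_double(P, a, n)
    return R


def z_gcd(k, P, a, n):
    """gcd(Z, n) for the Z-coordinate of k*P: strictly between 1 and n means a factor."""
    return gcd(proj_mul(k, P, a, n)[2], n)


def primes_in(lo, hi):
    """Primes l with lo < l <= hi (trial division; the bounds are small here)."""
    return [l for l in range(max(lo + 1, 2), hi + 1)
            if all(l % t for t in range(2, int(l ** 0.5) + 1))]


def z_factor(P, n):
    g = gcd(P[2], n)
    return g if 1 < g < n else None


def stage1(n, a, P, B1):
    """Multiply P by every prime power <= B1, testing gcd(Z, n) after each prime.
    Returns (factor, Q); factor is None if this curve did not split n."""
    for q in primes_in(1, B1):
        e = q
        while e * q <= B1:
            e *= q
        P = proj_mul(e, P, a, n)
        d = z_factor(P, n)
        if d:
            return d, P
        if P[2] % n == 0:            # neutral modulo every prime factor: curve useless
            return None, P
    return None, P


def stage2(n, a, Q, B1, B2):
    """Direct stage 2: for each prime l in (B1, B2], compute l*Q and test gcd(Z, n)."""
    for l in primes_in(B1, B2):
        d = z_factor(proj_mul(l, Q, a, n), n)
        if d:
            return d
    return None


def ecm_two_stage(n, a, P, B1, B2):
    d, Q = stage1(n, a, P, B1)
    if d is None and Q[2] % n != 0:
        d = stage2(n, a, Q, B1, B2)
    return d
```

On the page's curve, `proj_double((1, 1, 1), 5, 455839)` returns (112, 455415, 8), which is (14 : −53 : 1) after dividing by Z = 8; `z_gcd(5040, (1, 1, 1), 5, 455839)` is 1 while `z_gcd(40320, (1, 1, 1), 5, 455839)` is 599, the projective reading of "7!P is fine, 8!P breaks". With B1 = 13 stage 1 alone does not split n on this curve (2⁷ is needed for 599 and 37 for 761), and stage 2 with B2 = 100 does.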
GMP-ECM and EECM-MPFQ
The use of twisted Edwards elliptic curves, as well as other techniques, were used by Bernstein et al.[2] to provide an optimized implementation of ECM (EECM-MPFQ). Its only drawback is that it works on smaller composite numbers than the more general-purpose implementation, GMP-ECM of Zimmermann.
Hyperelliptic-curve method (HECM)
There are recent developments in using hyperelliptic curves to factor integers. Cosset shows in his article (of 2010) that one can build a hyperelliptic curve with genus two (so a curve y² = f(x) with f of degree 5), which gives the same result as using two "normal" elliptic curves at the same time. By making use of the Kummer surface, calculation is more efficient. The disadvantages of the hyperelliptic curve (versus an elliptic curve) are compensated by this alternative way of calculating. Therefore, Cosset roughly claims that using hyperelliptic curves for factorization is no worse than using elliptic curves.
Quantum version (GEECM)
Bernstein, Heninger, Lou, and Valenta suggest GEECM, a quantum version of ECM with Edwards curves.[3] It uses Grover's algorithm to roughly double the length of the primes found compared to standard EECM, assuming a quantum computer with sufficiently many qubits and of comparable speed to the classical computer running EECM.
Bernstein, Daniel J.; Birkner, Peter; Lange, Tanja; Peters, Christiane (January 9, 2008). "ECM Using Edwards Curves" (PDF). Cryptology ePrint Archive. (see top of page 30 for examples of such curves)
Bernstein, D. J.; Heninger, N.; Lou, P.; Valenta, L. (2017). "Post-quantum RSA". In: Lange, T.; Takagi, T. (eds), Post-Quantum Cryptography. PQCrypto 2017. Lecture Notes in Computer Science, vol. 10346. Springer, Cham.
Pomerance, Carl (1985). "The quadratic sieve factoring algorithm". Advances in Cryptology, Proc. Eurocrypt '84. Lecture Notes in Computer Science. Vol. 209. Berlin: Springer-Verlag. pp. 169–182. doi:10.1007/3-540-39757-4_17. ISBN978-3-540-16076-2. MR0825590.
Trappe, W.; Washington, L. C. (2006). Introduction to Cryptography with Coding Theory (Second ed.). Saddle River, NJ: Pearson Prentice Hall. ISBN978-0-13-186239-5. MR2372272.
Distributed computing project yoyo@Home Subproject ECM is a program for Elliptic Curve Factorization which is used to find factors for different kinds of numbers.