Appendix H: Elliptic Curve Factorisation

Lenstra's Elliptic Curve Factorisation (ECF) technique is an analogue of Pollard's so-called 'p − 1 method', in which the group $(\mathbb{Z}/p)^\times$ is replaced by the group on an elliptic curve $E(\mathbb{F}_p)$ over a finite field. So we start by describing Pollard's method.

H.1 The Pollard "p − 1 method"

We want to factorise a large number n. It is a straightforward matter to determine whether n is prime, using the Miller-Rabin algorithm. We may therefore suppose that n is composite.

Suppose p is a prime factor of n. By Fermat's Little Theorem, if $p \nmid a$ then
$a^{p-1} \equiv 1 \pmod p.$
Hence $a^k \equiv 1 \pmod p$ if $p - 1 \mid k$. It follows that
$d = \gcd(a^k - 1, n) > 1,$
since p is a factor of both numbers.

It would be very bad luck if we found a factor d of n in this way, and then discovered that d = n. We may therefore suppose in this case that we have a proper factor of n.

But how do we choose k? We make the assumption at this point that the prime-factors of p − 1 are all (relatively) small.

428–99 H–1

H.2 Elliptic curve factorisation

Let n, as before, be a large composite integer that we wish to factorise. Suppose p is a prime factor of n. Let
$E(\mathbb{Q}): y^2 = x^3 + bx + c \qquad (b, c \in \mathbb{Z})$
be an elliptic curve over $\mathbb{Q}$. Unless we are very unlucky (or very lucky) p will be a good prime for E, ie the curve
$E(\mathbb{F}_p): y^2 = x^3 + bx + c$
over the finite field $\mathbb{F}_p$ is still elliptic.

(We say lucky because p is a bad prime if and only if $p \mid \Delta = -(4b^3 + 27c^2)$. Thus if p is a bad prime, $d = \gcd(\Delta, n) > 1$; so if we wished we could compute this gcd at the outset. However, the probability of p being bad is so small that this is probably not worth considering.)

Suppose the curve $E(\mathbb{F}_p)$ contains N points. By Hasse's Theorem,
$p + 1 - 2\sqrt{p} < N < p + 1 + 2\sqrt{p}.$

Suppose N is b-smooth. As before, let
$k = \prod_{q \le b} q^{e(q)}.$
Then $N \mid k$.

Suppose $P \in E(\mathbb{Q})$. We express P in homogeneous coordinates:
$P = [X, Y, Z],$
where $X, Y, Z \in \mathbb{Z}$.

It is a straightforward matter to find a formula for the sum of two points:
$[X_1, Y_1, Z_1] + [X_2, Y_2, Z_2] = [X_3, Y_3, Z_3],$
where $X_3, Y_3, Z_3$ are polynomials in $X_1, Y_1, Z_1, X_2, Y_2, Z_2$ with integer coefficients:
$X_3, Y_3, Z_3 \in \mathbb{Z}[X_1, Y_1, Z_1, X_2, Y_2, Z_2].$

In effect, we simply have to dress up our usual computation
$x_1 + x_2 + x_3 = m^2, \qquad y_3 = m x_3 + c$
in homogeneous form.

As a special case, this gives a formula for the double of a point:
$2[X, Y, Z] = [X_1, Y_1, Z_1],$
where $X_1, Y_1, Z_1$ are polynomials over $\mathbb{Z}$ in X, Y, Z.

Using these formulae we can compute
$rP = [X_r, Y_r, Z_r]$
for any $r \in \mathbb{N}$.

Now let
$P_p = [X \bmod p,\ Y \bmod p,\ Z \bmod p]$
be the point of $E(\mathbb{F}_p)$ corresponding to $P \in E(\mathbb{Q})$. By Lagrange's Theorem, $N P_p = 0$, and therefore $k P_p = 0$. But $k P_p$ is just the point we get from
$kP = [X_k, Y_k, Z_k]$
by reduction mod p. It follows that
$Z_k \equiv 0 \pmod p.$

(We also have $X_k \equiv 0 \pmod p$. However, this follows from the result for $Z_k$, since the only point of $E(\mathbb{F}_p)$ on the line at infinity Z = 0 is O = [0, 1, 0].)

It follows that
$d = \gcd(Z_k, n) > 1;$
and unless we are very unlucky this will give us a proper factor of n.

Note that in constructing $Z_k$ for this purpose we can work throughout mod n.

This method has one very large advantage over Pollard's p − 1 method; by changing the coefficients b, c in the elliptic curve we change N, which probably ranges at random over the interval $(p + 1 - 2\sqrt{p},\ p + 1 + 2\sqrt{p})$. This allows us many chances of finding a 'smooth' N, while Pollard's method only gives us the one chance p − 1.

Analysis shows that if we have some idea of the size of p then it pays to choose b of order $\sqrt{p}$, and move on to another elliptic curve if this fails.

Incidentally, it is easier to choose the point P = [X, Y, Z] first, and then find b, c so that the elliptic curve contains this point, rather than choosing the curve and then looking for a rational point on it.
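The two procedures of H.1 and H.2 side by side, as an added worked example in Python (written for this appendix; it is not the author's code). Two choices the notes leave open are made explicit: e(q) is taken to be the largest exponent with q^e(q) ≤ n, which is what makes "N | k" hold for every b-smooth N, and the curve arithmetic is done in affine rather than homogeneous coordinates, so the condition Z_k ≡ 0 (mod p) shows up as a denominator that is not invertible mod n and is detected with the same gcd. As the notes suggest, the point is chosen first and c is solved for so that the curve passes through it. The modulus n = 1009 · 1019 is a constructed test value: 1008 = 2^4 · 3^2 · 7 is 50-smooth, while 1018 = 2 · 509 is not.

```python
import math
import random


def smooth_exponent(B, n):
    """k = prod_{q <= B} q^e(q) over the primes q <= B.

    Assumed convention (the notes do not spell out e(q) on this page):
    e(q) is the largest exponent with q^e(q) <= n, so that every
    B-smooth N <= n divides k, as 'N | k' in the notes requires."""
    k = 1
    for q in range(2, B + 1):
        if any(q % r == 0 for r in range(2, math.isqrt(q) + 1)):
            continue  # q is composite
        e = 1
        while q ** (e + 1) <= n:
            e += 1
        k *= q ** e
    return k


def pollard_p_minus_1(n, B, a=2):
    """Pollard's p-1 with smoothness bound B.

    Returns a proper factor of n, or None when gcd(a^k - 1, n) is 1 or n
    (the 'very bad luck' case: e.g. q-1 is also B-smooth for every other
    prime factor q of n, so a^k == 1 modulo all of them at once)."""
    k = smooth_exponent(B, n)
    d = math.gcd(pow(a, k, n) - 1, n)
    return d if 1 < d < n else None


class FactorFound(Exception):
    """Raised when a denominator is not invertible mod n; carries gcd(den, n)."""

    def __init__(self, d):
        super().__init__(d)
        self.d = d


def ec_add(P, Q, b, n):
    """Add two points of y^2 = x^3 + b x + c over Z/nZ in affine coordinates.

    The point at infinity O is represented by None. The denominator to be
    inverted (x2 - x1 for a chord, 2*y1 for a tangent) plays the role of
    Z_k in the notes' homogeneous form: once the running point is O mod p
    but not mod n, the denominator is divisible by p, no inverse mod n
    exists, and gcd(denominator, n) exposes the factor."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return None  # P = -Q over Z/nZ, so P + Q = O
    if P == Q:
        num, den = (3 * x1 * x1 + b) % n, (2 * y1) % n   # tangent slope
    else:
        num, den = (y2 - y1) % n, (x2 - x1) % n           # chord slope
    g = math.gcd(den, n)
    if g != 1:
        raise FactorFound(g)  # g may equal n; the caller treats that as a miss
    m = num * pow(den, -1, n) % n
    x3 = (m * m - x1 - x2) % n          # the notes' x1 + x2 + x3 = m^2
    y3 = (m * (x1 - x3) - y1) % n       # reflect the third intersection point
    return (x3, y3)


def ec_mul(k, P, b, n):
    """Compute kP by double-and-add, letting FactorFound propagate."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, b, n)
        k >>= 1
        if k:
            P = ec_add(P, P, b, n)
    return R


def lenstra_ecm(n, B, curves=200, seed=1):
    """Lenstra's method: try up to `curves` random curves with bound B.

    The point (x, y) and coefficient b are drawn first and c is solved for,
    as the notes recommend. Returns a proper factor of n, or None."""
    rng = random.Random(seed)
    k = smooth_exponent(B, n)
    for _ in range(curves):
        x, y, b = (rng.randrange(n) for _ in range(3))
        c = (y * y - x ** 3 - b * x) % n
        # Bad-prime check from the notes: p | Delta = -(4b^3 + 27c^2) iff gcd(Delta, n) > 1.
        g = math.gcd(4 * b ** 3 + 27 * c * c, n)
        if 1 < g < n:
            return g
        if g == n:
            continue  # singular modulo every prime factor; useless curve
        try:
            ec_mul(k, (x, y), b, n)
        except FactorFound as hit:
            if 1 < hit.d < n:
                return hit.d
            # hit.d == n: kP vanished modulo every prime factor at the same step; retry
    return None


if __name__ == "__main__":
    n = 1009 * 1019  # constructed: 1008 is 50-smooth, 1018 = 2 * 509 is not
    print(pollard_p_minus_1(n, 50))   # 1009
    print(lenstra_ecm(n, 50))         # 1009 or 1019, depending on the curves drawn
```

Pollard's method has exactly one chance here: the group (Z/1009)× has 50-smooth order, (Z/1019)× does not, so gcd(a^k − 1, n) is 1009 for any a of full order modulo 1019. Lenstra's method does not care which of the two primes has a smooth p − 1; whichever curve first has a 50-smooth point order modulo either prime (without vanishing modulo both at the same step) yields that prime, so either factor may come out, and the same bound B can be reused across as many curves as needed.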