ELLIPTIC CURVES AND INTEGER FACTORIZATION

Transcription

1 ELLIPTIC CURVES AND INTEGER FACTORIZATION HAORU LIU Abstract. Elliptic curves are a class of cubic curves over fields which can be endowed with an algebraic structure. They are particularly useful in number theory due to their properties over finite fields. In this paper, we outline basic properties of elliptic curves and fundamental ideas in factorization, followed by a description of H. W. Lenstra s elliptic curve factorization algorithm and an analysis of its running time. Contents. Elliptic curves and the chord-tangent group law. Algebraic group factorization methods 3 3. The elliptic curve method Running time 6 Acknowledgements 8 References 8. Elliptic curves and the chord-tangent group law Definition.. The projective plane P (F) over a field F is the set of ordered triplets (w,x,y) F 3 along with the equivalence relation (w,x,y) (w,x,y ) if there exists some k F such that w = kw, x = kx, and y = ky Definition.. The line at infinity in P is the set of solutions to the equation w = 0 Geometrically, the projective plane can be seen as the set of all lines through the origin in F 3. It is identical to the familiar plane F with the addition of a line at infinity, as for each point (w,x,y) in P, we can associate a point (x,y) in F by noting that (w,x,y) (,xw,yw ) for w 0 Definition.3. An elliptic curve in the projective plane over some field F is the set of points satisfying an equation of the form wy +a wxy+a 3 w y = x 3 +a wx + a 4 w x + a 6 w 3 with coefficients in F, where the equation cannot be factored over F and where any line through any point on the curve intersects the curve no less than twice. Such a curve is also referred to as a nonsingular cubic. Setting w = 0 in the above definition, we have that x = 0. Since the value of the y-coordinate may be freely determined due to the equivalence relation, we denote this single point at infinity by O, with the coordinates (0,0,). Date: August 0, 0.

2 HAORU LIU Applying the above projection into F and assuming that we are not at infinity, we obtain the formula y +a xy+a 3 y = x 3 +a x +a 4 x+a 6 for an elliptic curve. Definition.4. The chord-tangent composition of two points P and Q on an elliptic curve E is denoted by PQ and is defined as the third point of intersection of the line through P and Q with E. If P and Q are the same point, the line through them is given by the tangent to the curve at P. The point PQ determined by this definition is easily shown to exist and may be determined through algebraic manipulations of the elliptic curve equation. Its coordinates can be expressed in terms of the coordinates of P and Q and the coefficients of E. It is useful to take note of a geometric special case. When one of the points involved is O, we must use the projective form of the line, given by aw+bx+cy = 0. If we have O = (0,0,) and P = (α,β,γ), we must have c = 0. Then, assuming that w 0, we can normalize the non-projective equation of the line to read a+bx = 0, or x = b/a = β. Thus, the line is simply the vertical line through P. Proposition.5. An elliptic curve over a field not of characteristic or 3 may be expressed as the set of solutions to an equation of the form y = x 3 +c x+c Proof. Let the nonsingular cubic be represented by the equation presented above in.3. Let y = y + ax+a3 and x = x. Under this change of variables, the equation takes the form (.6) (y ) = (x ) 3 + b 4 (x ) + b x + b 3 4, where b = a +4a, b = a a 3 +a 4, and b 6 = a 3 +4a 6. Then, let y = y and x = x + b. Applying this change of variables, the equation becomes (.7) (y ) = (x ) 3 c 48 x c 864, where c = b 4b and c = b 3 +36b b 6b 3. If we have an equation in this form, it is reasonable to ask whether it represents an elliptic curve. Through analytic methods, one may determine that the curve is nonsingular if and only if 4c 3 +7c 0. Proposition.8. The chord-tangent group law on an elliptic curve E is defined as the relation P +Q = O(PQ), or the composition of O with PQ. This group law, together with the locus of points of E over a field F, forms an abelian group. Proof. Through similar algebraic manipulations as in the chord-tangent composition, we can arrive at a formula for the point P +Q given the equation of E and the coordinates of P and Q. Commutativity is derived from the commutativity of the chord-tangent composition. The identity element of this group is O. Examining O(OP), if we draw the vertical line through P, it intersects E at O, P, and OP. Thus, it is immediately clear that O(OP) = P. The existance of inverses is also clear: for any point P, let P = OP. Then, P + ( P) = O(P(OP)). The line through P and OP is a vertical line which intersects the curve at O, and so O(P(OP)) = OO = O. Finally, the associativity of this group law may be proven by examining the intersections of cubic curves in P, though the detailed proof is outside the scope of this paper and may be found in [].

3 ELLIPTIC CURVES AND INTEGER FACTORIZATION 3 However, it should be noted that the chord-tangent composition is not associative, as O(OP) = P, while (OO)P = OP. Remark.9. For two points (x,y ), (x,y ), the sum (x 3,y 3 ) of the two points on an elliptic curve given by y = x 3 +c x+c is the following: Let Then, we have (.0) (.) λ = { 3x +c y when x = x and y = y otherwise y y x x x 3 = x x +λ y 3 = y +λ(x x 3 ). Algebraic group factorization methods We now digress from the topic of elliptic curves to present the basic idea behind Lenstra s factorization algorithm. Lenstra s algorithm is part of a family of factorization algorithms known as the p family, named after the original p method discovered by Pollard. We first present this method as an introduction to the idea behind the Lenstra algorithm. Fix N as the number that we wish to factor. Assume that it is composite, as we may determine if N is prime beforehand using dedicated primality tests. We start with a few definitions to establish the groups that we will be working with. Definition.. Define G(n) for n N to be the multiplicative group of integers modulo n. This group consists of the integers less than n which are coprime to n with the operation of multiplication modulo n. We will be mostly concerned with the groups G(p), where p is a prime divisor of N. While we do not know what the p are, we can still work with these groups through the following maps. Definition.. Let p be any prime divisor of N. Define the map β p : G(N) G(p) to be the reduction modulo p. That is, for any n G(N), n maps to n (mod p) in G(p). We should first note that this map is a homomorphism, as this property makes the p algorithm possible. We now give a definition of what it means for a number to be nice in the context of factorization, as this property allows us to construct a number that will eliminate the need to know the actual prime factors of N. Definition.3. Fix B N. If the prime factorization of some integer n is p k p k p l k l, then n is B-powersmooth if (.4) max i l p i ki B The property of B-powersmoothness is particularly important when applied to the order of the groups that we will be working with. If the order of some G(p) is B-powersmooth, then we may construct a number Q(B) defined as (.5) Q(B) = p B p max{k N pk B}

4 4 HAORU LIU such that Q(B) is a multiple of p. This is useful, as Q(B) is totally independent from p, as long as we make the assumption that there is some prime divisor of N such that p is B-powersmooth. We shall now describe the steps involved in the p algorithm. Fix positive integers N and B. Then, find some element a G(N) ( usually serves as a good choice). Now, we compute a Q(B). Since we have assumed that there is some p N that is B-powersmooth, we have that β p (a Q(B) ) = β p (a) Q(B) =, as the order of G(p) divides Q(B). However, since β p is simply the reduction modulo p, we have that a Q(B) is a multiple of p. This guarantees that gcd(a Q(B),N) >, and thus we have found a factor of N. There are still a few ways that this could go wrong. First, our B could be chosen too small such that no p N has p B-powersmooth. This is illustrated by the following example: Example.6. Let N = and let B = 5. Computing Q(B), we have Q(B) = = Since N is obviously odd, choose a =. In G(34547), Q(B) = 9. Taking gcd(9,34547), we get. This happened since = 79 93, and neither 78 nor 9 are 5-powersmooth. The other way that this could go wrong is choosing B to be too large. In normal circumstances, this would not be a problem, as we are limited by the running time of the program. However, this is still theoretically possible if N is a sufficiently smooth number. As a final example, we shall factor successfully with the p method, this time taking B = 86. In this case, Q(B) is a 37-digit number which will be omitted for the sake of space, and Q(B) = 4. If we compute gcd(3, 34547), we obtain 93, and we are done. In summary, the algorithm works by first associating to every n N a group G(n) along with homomorphisms from G(N) to each G(p), where p is a prime divisor of N. Then, we attempt to find a nontrivial element in the kernel of one of the homomorphisms, so that the element, along with the structure of the group, leads us to a divisor of N. We will see a similar process followed in the elliptic curve method. 3. The elliptic curve method Before we begin to describe the elliptic curve method in detail, we first need a few properties of elliptic curves over fields other than R and Q. Notation 3.. For any prime p, let F p denote the field consisting of the integers {,,p } under the operations of addition and multiplication modulo p. Definition 3.. Let P be the set of points (w, x, y), where w, x, y Z/nZ and gcd(w, x, y, n) =. Let two points (w, x, y), (w, x, y ) of P be equivalent if (w, x, y) = (aw, ax, ay ) for some invertible a Z/nZ. The projective plane over the ring Z/nZ is defined as the set of equivalence classes on P. Note that if n is prime, we have the usual definition of the projective plane over a field. In that case, we have a decomposition (3.3) P (Z/pZ) = (Z/pZ) {(w,x,y) w = 0} by identifying the points where w 0 with the representative of their equivalence class where w =. We will refer to the (Z/pZ) part of the decomposition as the

5 ELLIPTIC CURVES AND INTEGER FACTORIZATION 5 affine part, for the simple reason that points there can be represented as points on the affine plane. However, if we are working in Z/NZ for some composite N, there will exist nonzero non-invertible elements. Thus, the decomposition (3.4) P (Z/nZ) = (Z/nZ) {(w,x,y) w = 0} {(w,x,y) gcd(w,n) > } must also include the set of points where w is noninvertible, so that the triple is not equivalent to one where w =. Definition 3.5. For some N coprime to 6, an elliptic curve E over Z/NZ is defined as the set of solutions to the projective equation y w = x 3 +c xw +c w 3, where c, c Z/NZ and 4c 3 +7c is invertible. This definition of an elliptic curve over a ring provides a starting point for obtaining the group G(N) we used in the p method. While the points on this sort of elliptic curve may not actually form a group if N is composite, it will not matter for our purposes as a breakdown in the computation of group operations will lead us to a factor of N. In fact, since the group operations defined in.0 and. are only valid in the affine part, any computation that falls in the non-affine part will yield a factor of N. We now define the analogs to the homomorphisms used in the p method. Definition 3.6. Let N be some composite integer. For any p N, we define the map β p : E(Z/NZ) E(Z/pZ) as the reduction of the coordinates modulo p Of course, the equation representing E(Z/pZ) is simply the equation of E(Z/N Z) with its coefficients reduced modulo p. In addition, note that our requirement that 4c 3 +7c is invertible in Z/NZ ensures that the reduced equation is an elliptic curve, since 4c 3 +7c being coprime to N implies that it is nonzero modulo any divisor of N. Since E(Z/NZ) is a subset of P (Z/NZ), it can be partitioned into the three parts mentioned earlier: one where w is invertible, one where w is zero, and one where w is nonzero and noninvertible. We now describe the algorithm itself. First, fix N N as the composite number to be factored, and fix B as a bound on the smoothness of the orders of the elliptic curve groups over Z/pZ for the prime divisors that we seek. For the purposes of convenience, choose some elliptic curve with c =, thus with the equation y = x 3 +ax+. Foranyellipticcurveofthisform,wehavetheelementa 0 = (,0,) on the curve. Let Q(B) be defined as in (.5). Then, try to compute Q(B)a 0 in E(Z/N Z) using the affine equations described in (.0) and (.). At some point, we expect the computation of λ to fail due to the lack of an inverse of either y or x x. At this point, we are done, as this implies that we have found some integer not coprime to N. A factor follows by taking the gcd. Otherwise, we start over with a different value for a, changing the elliptic curve. There are some details of this algorithm that are worth considering. We begin with this proposition. Proposition 3.7. Let the elliptic curve E a (Z/pZ) be represented by the equation y = x 3 +ax+ over Z/pZ for some prime p N. If the order of this curve is B- powersmooth, then ka 0 lies in the non-affine part of E a (Z/NZ) for some k Q(B).

6 6 HAORU LIU Proof. First, note that the point a 0 mentioned in the description of the algorithm is in every reduction of E a (Z/NZ). In E a (Z/pZ), we therefore have that Q(B)a 0 = (0,0,). Suppose for the purpose of contradiction that ka 0 lies in the affine part of E a (Z/NZ) for every k Q(B). Thus, since the reduction maps are homomorphisms where addition is defined in E a (Z/NZ), we find that β p (Q(B)a 0 ) = (0,0,) for each p N. This implies that the w-coordinate of Q(B)a 0 is not coprime to N, and thus Q(B)a 0 cannot be in the affine part. The about proposition shows that our method is guaranteed to find a factor if we are given the smoothness of the order of the group. 3.. Running time. We now give a brief description of the running time of the elliptic curve method. First, we state two theorems that serve as a starting point for our analysis. Theorem 3.8 (Hasse). p+ #E(Z/pZ) < p, where #E(Z/pZ) is the number of points on an elliptic curve over Z/pZ. Theorem 3.9 (Canfield, Erdös, Pomerance). Let L(x) = e lnxlnlnx. Then, the probability that some n < x is L(x) a -smooth is as x. L(x) a +o() Since we are mostly interested in large values of p, we note that #E(Z/pZ) < p+ p+. Since p+ p+ is O(p), we can take #E(Z/pZ) to be less than p when applying (3.9). WealsonotethatifsomenumbernisL(x) a -smooth,itisalsol(x) a -powersmooth for some other a, as we can simply multiply a by the largest exponent in the prime factorization of n to get a. Thus, the distinction between smoothness and powersmoothness will be negligible here. Fix some value of a. By (3.9), we have that the probability of #E(Z/pZ) being L(p) a -powersmooth is L(p) a +o(). If we choose B = L(p) a, then we expect to try L(p) a +o() curves before we find a suitable curve. In order to find an expression for the number of group operations needed on each curve, we need the following theorem. Theorem 3.0 (Prime Number theorem). Let π(x) be the number of primes less than or equal to x. Then, π(x) (3.) lim x x/ln(x) = Now, we derive a result relating to the asymptotic behavior of Q(B). Proposition 3.. For any sequence a n defined over N, let A(x) = n x a n. Let f be some continuously differentiable monotone increasing function on an interval [x, y]. Then, (3.3) x n y a n f(n) = A(y)f(y) A(x)f(x) y x A(t)f (t)dt

7 ELLIPTIC CURVES AND INTEGER FACTORIZATION 7 Proof. By the summation by parts identity, we have that a n f(n) = A( y )f( y ) A( x )f( x +) x n y = A( y )f( y ) A( x )f( x +) = x n y n+ x n y n x ( y ) ( A(y)f(y) A(t)f (t) A(x)f(x)+ y = A(y)f(y) A(x)f(x) y x A(t)f (t)dt Definition 3.4. Define the Chebyshev θ-function as (3.5) θ(x) = p x ln(p) A(n)(f(n+) f(n)) x A(t)f (t)dt ) A(t)f (t) y x A(t)f (t) Lemma 3.6. Suppose that x. Then, (3.7) θ(x) = π(x) ln(x) where π(x) is defined as in 3. π(t) dt t Proof. Let a n be the indicator function of primes, where a n = if n is prime, and 0 otherwise. Then, taking f(x) = ln(x) and noting that A(x) = π(x), we have that θ(x) = a n f(x) n x = π(x)ln(x) Since π(x) = 0 for x <, this completes the proof. π(x) x dx Proposition 3.8. θ(x) is asymptotically equal to x. That is, θ(x) lim x x = Proof. We have by Theorem 3.0 that the first term in the expression for θ(x) x tends to as x. Thus, we need to show that By Theorem 3.0, π(t) t = O ( lim x x lim x x ln(t) ). Thus, π(t) dt = 0 t π(t) dt = lim t x x ln(t) dt, If we split the integral into two integrals over (, x) and ( x,x), we find that the following inequality holds due to the monotone decreasing nature of x x ln(t) dt+ x ln(t) dt x ln() + x x ln( x) ln(t).

8 8 HAORU LIU Multiplying by x and taking x, we see that the limit is indeed 0. We are now close to an expression for the asymptotic behavior of Q(B). First, note that ln(q(b)) = p Bkln(p) where k is the exponent found in.5. If we expand by k, we can rewrite this sum as ln(p) n=p B /n Since the inner sum is empty for n > log (B), we have the expression (3.9) ln(q(b)) = θ(b /n ) n log (B) Now, we establish a relationship between the asymptotic growth of ln(q(b)) and θ(b). We have ln(q(b)) θ(b) = θ(b /n ) n log (B) log (B)θ( B) log (B) Bln( B) B(lnB) = ln Dividing through by B, we obtain a bound on the difference between ln(q(b)) B and θ(b) B, which vanishes as B. Thus, we have that ln(q(b)) = O(B), or Q(B) = O(expB). ThenumberofgroupoperationsneededtoreachQ(B)a 0 ismucheasiertoderive. By repeatedly doubling and adding terms to reach Q(B), we are essentially doing long multiplication in base-. First, we compute all the power of multiples of a 0 up to Q(B) in log (Q(B)) operations. Then, we step through the binary digits of Q(B) and add together all the precomputed multiples where a appears in the representation, taking another log (Q(B)) operations at most for a total of log (Q(B)) operations. Thus, since the magnitude of Q(B) is O(exp(B)), the number of group operations needed per curve is on the order of B. Since we chose B = L(p) a, we therefore obtain a total expected running time of L(p) a+/(a)+o(). Taking a = /, we have a running time of L(p) +o(). Since our N is composite, we are guaranteed a prime factor p N. Thus, we can restate our running time in terms of N, giving L(N) +o(). Acknowledgements. I would like to thank John Wilmes for his guidance in each step of the paper writing process. References [] Dale Husemöller Elliptic Curves Springer-Verlag [] A Course in Computational Algebraic Number Theory Henri Cohen Springer-Verlag [3] Introduction to Analytic Number Theory; Tom Apostol; Springer-Verlag 976