Improving Lenstra s Elliptic Curve Method

Transcription

1 Oregon State University Masters Paper Improving Lenstra s Elliptic Curve Method Author: Lukas Zeller Advisor: Holly Swisher August 2015

2 Abstract In this paper we study an important algorithm for integer factorization: Lenstra s Elliptic Curve Method. We first discuss how and why this method works and then draw from various research papers to demonstrate how it can be improved. In order to achieve this, we take a look at the torsion subgroup of elliptic curves and review methods for how to generate elliptic curves with prescribed torsion.

3 Contents Abstract i Contents ii 1 Preface Introduction Acknowledgements Elliptic Curves Historical Background Basic Vocabulary The Group Law Lenstra s Elliptic Curve Method Preliminaries Euclidean Algorithm Fermat s Little Theorem Fast Powering Algorithm Pollard s p 1 Algorithm Why Pollard s p 1 Algorithm works Lenstra s Elliptic Curve Method (ECM) Why Lenstra s ECM works Comparing Trial Division, Pollard s p 1, and Lenstra s ECM The Torsion Subgroup Nagell-Lutz Theorem Mordell s Theorem Mazur s Theorem Generalizing Mordell s and Mazur s Theorem Hasse s Theorem ii

4 Contents iii Why Lenstra s ECM works (continued) Example Constructing Elliptic Curves with prescribed Torsion or larger Rank Methods for finding curves with prescribed torsion The method of Dujella and Najman Ranks of Elliptic Curves Summary and Conclusion 42

5 Chapter 1 Preface Strong cryptography can resist an unlimited application of violence. No amount of coercive force will ever solve a math problem. Julian Assagne, A Call to Cryptographic Arms 1.1 Introduction Elliptic curves have wide applications in many areas, most notably cryptography and number theory. In number theory, for instance, they were used in Andrew Wiles proof of Fermat s Last Theorem. On the other hand, elliptic curves are used for a variant of publickey cryptography, fittingly named Elliptic Curve Cryptography. Then again, an application to both number theory and cryptography is Lenstra s Elliptic Curve Method, one of the fastest algorithms used to find prime factors of large integers. Cryptography is the study of encrypting information. The goal is to transform the information in such a way that it becomes unrecognizable, infeasible to decrypt by an adversary, and easy to decrypt by the intended recipient. The significance of integer factorization in the area of cryptography is that it is considered a difficult problem. To be more precise, it is a prime example pun intended of a so-called one-way function. One-way functions 1

6 Contents 2 are easy to compute in one direction, in our case this would mean multiplying two integers, and nearly impossible to reverse in reasonable time, in our case this would mean finding the prime divisors of a random integer. This type of function is useful in cryptography, and in fact the entirety of online-security is based on the difficulty of reversing one-way functions. The most prominent algorithm in public-key cryptography is the RSA method, which can be broken if the prime factors of the public key are known. The public key is a large semi-prime, an integer with exactly two prime factors and of size 100 digits. If we tried for all prime numbers up to 50 digits whether they divide the public key in means of finding a prime factor, this would take us several billions of years even using the fastest computers available today. So next to a certain fascination with prime numbers there is a strong incentive to study integer factorization in the modern day world: efficient factorizing algorithms can compromise ones online-privacy, so it is important to know which algorithms exist, how they work, and how well they perform. One short example: given n = 8051, we could find prime factors of n by trying 2, 3, 5, etc. In doing so, we would reach p = 83 after 23 steps and find that 8051 = Notice that = (90 7)(90 + 7) = = We can generalize this insight by realizing that in fact any odd integer can be written as the difference of squares 1, that is for any odd integer n we have that n = a 2 b 2 for some integers a and b. Equivalently, n + b 2 = a 2. This form suggests that if we can find an integer b such that n + b 2 is square, then we can deduce two factors of n. With n = 8051, we try b = 1, 2, 3,... until we reach b = 7 and find = 8100 = This yields the factors 90 7 = 83 and = 97 in only 7 steps. The above method is called Fermat Factorization and works particularly well if n is semiprime with two factors near n. Over the years, further algorithms and more generalpurpose methods have been developed, but they are too plentiful to mention, let alone discuss. In this discussion, we focus on Lenstra s Elliptic Curve Method (ECM). For this, we first demonstrate how elliptic curves form additive groups, and later dive deeper into the theory behind elliptic curves. We will see how the torsion subgroup of an elliptic curve affects its usefulness for ECM, and how we can create elliptic curves with prescribed torsion. ( p In the case of odd primes, p = p 1 = + p 1 ) ( p + 1 p 1 ) = ( ) 2 ( p + 1 p ) 2

7 Contents 3 This paper is largely self-contained. Some basic understanding in ring theory as well as some enthusiasm for the wonderful world of prime numbers, however, is required. 1.2 Acknowledgements My greatest thanks go to my advisor Holly Swisher for her ongoing support and invaluable feedback. She helped me stay focused and showed me numerous ways to improve the paper beyond the scope of the initial draft. There is so much more to be said about this topic, there are so many more research papers to be read and written, but with her help I feel like I ve created a nice window into the world of elliptic curves. Special thanks go to my mother for the repeated spell checking and introducing me to elliptic curves I couldn t and almost certainly wouldn t have done it without you. Not least, I want to thank my girlfriend for all her patience and love. As fascinating as the abstract world of elliptic curves is, I wouldn t have been able to see this through without her keeping me connected to the real world.

8 Chapter 2 Elliptic Curves This chapter gives a brief introduction into elliptic curves and illustrates how they form additive groups. An illustrative way of doing this is by plotting the real points on an elliptic curve and geometrically motivating the group law. 2.1 Historical Background Even though their name might suggest otherwise, elliptic curves actually look nothing like ellipses. They are, however, closely related to ellipses in that elliptic curves arose from studying the arc length of ellipses. The arc length of an ellipse is computed by integrating the square root of a cubic or quartic polynomial, f(x), so the integrand can be written as y = f(x). This yields our object of interest, a curve of the form y 2 = f(x) where f(x) is a cubic polynomial. We give a formal definition in Section 2.2. To illustrate what these curves look like, the real values for four different curves of the form y 2 = x 3 + ax + b are plotted in figure 2.1. Note that the first curve has a cusp and the third curve has a self-intersection. These curves are called singular and will be excluded from our formal definition later. Further, the non-singular curves have either one or two components. 4

9 Chapter 2. Elliptic Curves 5 Figure 2.1: Elliptic curves with cusp, two components, a self intersection, one component. 2.2 Basic Vocabulary Definition 2.1. Let R be a ring. The characteristic of R, denoted char(r), is the n smallest positive integer n such that 1 R = 0 R. If there exists no such integer n, then char(r) = 0. Example 2.1. i=1 Any field K containing Q has char(k) = 0. For a finite field F p with p prime, char(f p ) = p. The ring Z/nZ has characteristic n. Remark 2.2. In fact, for any field K we have that char(k) = 0 or char(k) = p for some prime p. Definition 2.3. Let K be a field. We say that K is a perfect field, if either K has characteristic 0, or, when K has characteristic p > 0, then K p {x p x K} = K. Example 2.2. Any finite field or any infinite field K with char(k) = 0, such as Q, R, C, is perfect. An imperfect field can be neither, so it must be an infinite field with positive characteristic. For example, the field k(x) of all rational functions in X with char(k) > 0 is imperfect. Definition 2.4. Let K be a perfect field. The projective n-space over K, denoted P n (K), is the set of all (n+1)-tuples (x 0,..., x n ) K n+1 such that at least one x i is non-zero, modulo the equivalence relation given by

10 Chapter 2. Elliptic Curves 6 (x 0,..., x n ) (y 0,..., y n ) there exists a non-zero constant c K such that for all indices i, we have x i = cy i. In other words, x y when x and y are scalar multiples of one another. In the following, we let n = 2, and call P 2 (K) the projective plane. Further, we write (x : y : z) for the equivalence class of (x, y, z) P 2 (K). The colon suggests that only the ratios between x, y, and z matter. To illustrate this, consider K = R. Any two points P 1 = (x 1, y 1, z 1 ), P 2 = (x 2, y 2, z 2 ) on a line through the origin are scalar multiples of one another, so P 1 P 2. That is, (x 1, y 1, z 1 ) = c(x 2, y 2, z 2 ) for some c 0, so the ratio (x 1 : y 1 : z 1 ) is the same as (x 2 : y 2 : z 2 ). Therefore, each equivalence class in P 2 (R) defines a line through the origin, and conversely, for every line through the origin, any non-zero point is in the same equivalence class. Note that there is no corresponding line for (0 : 0 : 0), since (0 : 0 : 0) P 2 (R) by our definition. Definition 2.5. A projective plane curve C F over a field K is the set of solutions to the polynomial equation C F : F (X, Y, Z) = 0, where F K[X, Y, Z] is a non-constant polynomial with all terms having the same degree. Example 2.3. The curve C F : X + Y + Z = 0 describes a plane in R 3. The curve C G : XY + Y 2 Y Z = 0 describes two intersecting planes, namely Y = 0 and X + Y Z = 0, in R 3. The curve C H : X 3 + X 2 Z XY Z + XZ 2 Y 2 Z Y Z 2 + Z 3 = 0 describes an elliptic curve (see below). Definition 2.6. A point P = (a, b, c) on a projective plane curve C F is a singular point if all partial derivatives of F vanish at P, i.e. df dx (P ) = df dy df (P ) = (P ) = 0. dz

11 Chapter 2. Elliptic Curves 7 A curve containing a singular point is called a singular curve, a curve containing no singular points is called a non-singular curve. Definition 2.7. An elliptic curve E is a nonsingular projective plane curve of degree 3 over a field K, denoted E/K. The curve is given by a Weierstrass equation of the form E : Y 2 Z + a 1 XY Z + a 3 Y Z 2 = X 3 + a 2 X 2 Z + a 4 XZ 2 + a 6 Z 3. (2.1) The set of all points on E/K is denoted E(K) = {(X : Y : Z) P 2 (K) X, Y, Z satisfy (2.1)}. Note that O = (0 : 1 : 0) is the only point on E/K with z = 0, so it is customary to set z = 1 for all other points. The point O is called the point at infinity. In the context of this paper, we will focus on the fields R and Q, as well as finite fields and rings with large characteristic. In particular, the fields we consider don t have characteristic 2 or 3. This allows us to rewrite (2.1) as follows: Lemma 2.8. Let E be an elliptic curve over a field K with char(k) 2, 3. Then E can be written in the form E : y 2 = x 3 + Ax + B, (2.2) with A, B K. Proof. From (2.1), we get Y 2 /Z 2 + a 1 XY/Z 2 + a 3 Y/Z = X 3 /Z 3 + a 2 X 2 /Z 2 + a 4 X/Z + a 6 by dividing through Z 3. Since O is the only point on E for which Z = 0, we ignore this point at the moment and include it again later. Let x = X/Z, y = Y/Z, then y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6. (2.3)

12 Chapter 2. Elliptic Curves 8 Now, if char(k) 2, then we may replace y in (2.3) by y = (y a 1 x a 3 )/2 (division by 2 isn t possible when char(k) = 2) to complete the square. Then y 2 = 4x 3 + b 2 x 2 + 2b 4 x + b 6, (2.4) where b 2 = a a 2, b 4 = 2a 4 + a 1 a 3, and b 6 = a a 6. Finally, if char(k) 3, then we can replace x by (x 3b 2 )/36 and y by y/108 (division by 36 = or 108 = isn t possible if char(k) {2, 3}) to eliminate the x 2 term and obtain y 2 = x 3 27c 4 x 54c 6, (2.5) where c 4 = b b 4 and c 6 = b b 2b 4 216b 6. Replacing A = 27c 4 and B = 54c 6 then yields (2.2). For non-singularity of E, we need only check that the the discriminant = 16(4A 3 +27B 2 ) is nonzero. In this case, x 3 + Ax + B has three distinct roots. This ensures that the curve is non-singular and thus has no cusps, self-intersections, or isolated points. Since for all K we consider char(k) 2, 3, we may use the representations (2.1) and (2.2) interchangeably though it does involve quite a bit of algebra to transform the coefficients from one representation to the other. For simplicity, most of our curves will be represented in the form (2.2), for which E(K) now denotes the set E(K) = {(x, y) K 2 x, y satisfy (2.2)} {O}. Note that we needed to explicitly include O. This is because an elliptic curve E/K lies in the projective plane P 2 (K), however, without O, E(K) contains only points in the affine plane K 2. The point O lies on the line at infinity (in projective coordinates the line Z = 0), which can be thought of as a circle surrounding K 2. Augmenting K 2 with this line yields the projective plane and, in a sense, completes the affine plane, as now parallel lines intersect at a single point on the line at infinity. In this sense, diametrically opposite points on the circle are equivalent, since parallel lines stretch in two directions. In particular, O = O. We will elaborate on the properties of O in the next section.

13 Chapter 2. Elliptic Curves 9 Remark 2.9. It also makes sense to define an elliptic curve over a ring R and then consider E(R). However, the group law we are about to describe for elliptic curves over fields will fail to work for those points or elements of rings that have no multiplicative inverses. We will make use of this in Lenstra s Elliptic Curve Algorithm (see Chapter 3.3). 2.3 The Group Law Recall that a group is a set G, together with an operation, which satisfies these properties: Associativity of : For any a, b, c in G we have that a (b c) = (a b) c. Identity element of G: In G there is an element e such that for any a G we have that a e = e a = a. The element e is called the identity element of G. Inverse elments in G: For each element a G there is an element a 1 G such that a a 1 = a 1 a = e. The element a 1 is called the inverse element of a. Further, an abelian group is a group that satisfies the following property. Commutativity of *: For any a, b G we have that a b = b a. Let E : y 2 = x 3 + ax + b be an elliptic curve. We show that the set of all real points on E, that is E(R) = {(x, y) R 2 y 2 = x 3 + ax + b} {O}, forms an abelian group together with an addition operation that we will define next. From this, inverse elements follow in a natural way. Furthermore, the point at infinity, O, will be the identity element. Let P, Q be points on E. The idea behind addition performed on points of elliptic curves is a geometric one: in order to add P and Q, first draw a line through them. The line intersects the curve in a third point, P Q. The sum of P and Q is now defined to be

14 Chapter 2. Elliptic Curves 10 Figure 2.2: Visualization of point addition on an elliptic curve. P + Q := (P Q) (see Figure 2.2). This already gives us that P + Q = Q + P, since the line through P and Q is the same as the line through Q and P. Here, if P = (x, y) is a point on E, then P = (x, y) results from reflecting P across the x-axis. Since E is symmetric across the x-axis, P is also on E. This allows us to define point subtraction in a very simple way: P Q = P + ( Q). We claim that any line in the plane intersects E at three (not necessarily distinct) points. Figure 2.3: Possible line intersections. Perhaps the most obvious scenario is when the line intersects the curve in three distinct points, as in the first image in Figure 2.3. In this case, P + Q = R.

15 Chapter 2. Elliptic Curves 11 Similarly, we can draw a line tangent to a point on the curve that intersects the curve at another point, as in the second image in Figure 2.3. Here, the line intersects the curve twice at Q, so P + Q = Q and Q + Q = P. We can also draw a vertical line that intersects the curve at seemingly only two points, as in the third image in Figure 2.3. However, there is another intersection at O, so P + Q = O = O. Note that Q = P, so P + Q = P + ( P ) = P P = O works out nicely. Similarly, P + O = Q = ( P ) = P, so we can use point addition, subtraction, and O on elliptic curves just as we would use addition, subtraction, and 0 with integers. This simultaneously covers the second and third property of the Group Law: there is an identity element, O, and any point P E(K) has the inverse element P E(K). Remark We won t cover associativity, as it is much more elaborate to illustrate. A proof can be found in [20], p Finally, we can draw a vertical line that is tangent to a point on the curve, like in the last image in Figure 2.3. This line intersects the curve twice at P and once at O, so P + P = P P = O. We ve illustrated point addition, the role of O as the identity element, inverse elements in E(K), and our claim that any line intersects an elliptic curve at three points geometrically but in order to use this for Lenstra s Elliptic Curve Method and our later discussion, we need to develop formulas to compute the described addition both algebraically and efficiently. We use the formulas given in [20], Chapter I Section 4. These formulas can be used for any two points on an elliptic curve other than O or additive inverses. In this case, we just use that P + O = P and P P = O for any point P E(K). Let E : y 2 = x 3 + ax + b be an elliptic curve. Given two distinct points P 1, P 2 E(K), we wish to find P 1 + P 2. We assume that P 1 P 2 and that neither point is O. Let P 1 = (x 1, y 1 ), P 2 = (x 2, y 2 ), P 1 P 2 = (x 3, y 3 ), P 1 + P 2 = (x 3, y 3 ). The line through P 1 and P 2 has the equation y = λx + ν, where λ = y 2 y 1 x 2 x 1 and ν = y 1 λx 1 = y 2 λx 2. (2.6)

16 Chapter 2. Elliptic Curves 12 In order to find the third point of intersection, P 3 = (x 3, y 3 ), we note that y 3 = λx 3 + ν and y 2 3 = x3 3 + ax 3 + b must both hold. Thus, we consider the equation y 2 = (λx + ν) 2! = x 3 + ax + b. Then 0 = x 3 λ 2 x 2 + (a 2λν)x + (b ν 2 ). This is a cubic equation in x, and we know that its three roots x 1, x 2, x 3 are precisely the x-coordinates where the line through P 1 and P 2 intersects E. Thus, (x x 1 )(x x 2 )(x x 3 ) = x 3 λ 2 x 2 + (a 2λν)x + (b ν 2 ). We now solve for x 3 in terms of x 1 and x 2 by equating coefficients to obtain x 3 = λ 2 x 1 x 2 and y 3 = λx 3 + ν. We summarize our results: Lemma (Point Addition Formulas) Let E : y 2 = x 3 + ax + b be an elliptic curve over a field K, char(k) 2, 3. Further, let P 1 = (x 1, y 1 ), P 2 = (x 2, y 2 ) E(K). Let λ and ν be as in (2.6). Then 1. P i = O P 1 + P 2 = P 3 i for i = 1, 2 2. P 1 = P 2 P 1 + P 2 = O 3. P 1, P 2 O, P 1 ±P 2 P 1 + P 2 = (x 3, y 3 ) = (λ 2 x 1 x 2, λx 3 + ν)

17 Chapter 2. Elliptic Curves 13 Now, if P 1 = P 2, we compute the tangent line at P 1 by observing that y 2 = f(x) gives 2y dy dx = f (x), so then From this, we find λ = dy dx = f (x) 2y = 3x2 + a. 2y Lemma (Duplication Formula) Let E/K be an elliptic curve like before with a point P = (x, y). We denote the x and y coordinate of 2P as x(2p ) and y(2p ), respectively. Then x(2p ) = x4 2ax 2 8bx + a 2 4x 3 + 4ax + 4b and y(2p ) = λ(x x(2p )) y Corollary Let E/Q be an elliptic curve, then E(Q) is an abelian group. Proof. By our discussion in this section, E(R) is an abelian group. Note that O E(Q), so E(Q). Further, let E : y 2 = x 3 + ax + b be the representation of E and P = (c, d), Q = (e, f) E(Q). Then Q = (e, f) E(Q), and in order to compute P Q, let λ = f d e c and ν = d λc. Note that λ, ν Q. If P = Q, then P Q = O E(Q). If P = Q, then P Q = 2P and x(2p ) = c4 2ac 2 8bc + a 2 4c 3 + 4ac + 4b so again P Q E(Q). Finally, if P ±Q, then Q and y(2p ) = λ(c c(2p )) d Q, x(p + Q) = λ 2 c e Q and y(p + Q) = λ x(p + Q) + ν Q, so P Q E(Q) in either case. By the Subgroup Criterion, E(Q) is a subgroup of E(R) and as such an abelian group.

18 Chapter 3 Lenstra s Elliptic Curve Method This chapter motivates the usage of elliptic curves for integer factorization. We first review some preliminaries that we will use in the two factoring algorithms. 3.1 Preliminaries The simplest method of finding the prime factors of a given integer n is the well known Trial Division. We check for every prime p between 2 and n whether p divides n. This is fairly efficient if n < but for larger n we need a more sophisticated approach. There are numerous factorization methods with differing suitability for factoring certain integers. For instance, Trial Division is efficient for integers with many small factors, the previously mentioned Fermat Factorization is particularly efficient if an integer n has two factors near n, and the so-called General Number Field Sieve is the currently best known method to find factors of integers with more than 100 digits. Many of these methods make use of the greatest common divisor, the largest integer that divides two given integers, in various ways. We discuss Pollard s p 1 Algorithm as a warm-up before taking a look at Lenstra s Elliptic Curve Method. The algorithms are relatively similar, albeit the latter being much more involved. Given an integer n, Pollard s p 1 creates various integers m and finds gcd(n, m). 14

19 Chapter 3. Lenstra s Elliptic Curve Method 15 The goal is to find one m so that gcd(n, m) yields a non-trivial factor (i.e. not 1 or n) of n. Lenstra s Algorithm uses the greatest common divisor of n and different integers d to find the multiplicative inverse of d modulo n. Both algorithms rely on the efficiency of finding the greatest common divisor of n and other integers. So before we discuss either of the two algorithms, we first show how to find the greatest common divisor of any two integers and how many steps it takes to do this Euclidean Algorithm For positive integers a and b, our goal is to efficiently find gcd(a, b). By the Division Algorithm, we can write a = b q + r for some integers q, r where 0 r < b. We claim that gcd(a, b) = gcd(b, r). Proof. Let c = gcd(a, b), then a = ck and b = cl for some integers k, l. Note that then r = a bq = ck clq = c(k lq), and since k lq is an integer, gcd(a, b) divides r. Therefore, gcd(a, b) gcd(b, r). Now, let c = gcd(b, r). Similar to before, b = ck and r = cl for some integers k, l, so a = bq + r = ckq + cl = c(kq + l) gives us that gcd(b, r) divides a and therefore gcd(b, r) gcd(a, b). In conclusion, gcd(a, b) = gcd(b, r). Now, in order to find gcd(b, r), we write b = r q 1 + r 2, where 0 r 2 < r. This leads to the following sequence of equations: a = bq + r gcd(a, b) = gcd(b, r) b = rq 1 + r 2 gcd(a, b) = gcd(r, r 2 ) r = r 2 q 2 + r 3 gcd(a, b) = gcd(r 2, r 3 ) r n 2 = r n 1 q n 1 + r n gcd(a, b) = gcd(r n 1, r n ) r n 1 = r n q n + 0 gcd(a, b) = r n The sequence of remainders decreases until it reaches 0. When this happens, we terminate and find that the greatest common divisor of a and b is the previous remainder, denoted r n. This method is called the Euclidean Algorithm and was first described by Euclid around 300 BC. The following Lemma demonstrates how efficient it is.

20 Chapter 3. Lenstra s Elliptic Curve Method 16 Lemma 3.1. For any integers a, b, computing gcd(a, b) takes at most 2 log 2 (min{a, b}) steps. Proof. We first claim that r i+1 < 1 2 r i 1 for all i = 2,.., n 1, that is, with every two steps of the Euclidean Algorithm the remainder is more than halved. Recall that the sequence of remainders decreases, so r i+1 < r i for all i. Case 1: If r i 1 2 r i i, then r i+1 < r i 1 2 r i i and we are done. Case 2: If r i > 1 2 r i i, then r i+1 = r i 1 r i q i by definition < r i r i 1q i by assumption r i > 1 2 r i i r i < 1 2 r i 1 = r i 1 (1 1 2 q i)... = 1 2 r i 1 q i 1 by Euclidean Algorithm, q i 1 since r i+1 > 0, so q i = 1 Without loss of generality a b, and after the first step r < b. Thus, r 2 < 1 2 b, r 4 < 1 2 r 2 < 1 4 b,..., r 2i < 1 2 i b. As soon as 2 i b, we get r 2i < 1, which means that r 2i = 0. By taking logarithms with base 2 on both sides, this becomes i log 2 b r 2i = 0. We terminate the gcd-process once r 2i = 0, which happens after at most 2 log 2 (b) steps. The Euclidean Algorithm can be extended to express the greatest common divisor of any two integers as a linear combination of those two integers. This expression is called Bezout s identity. Proposition 3.2. (Bezout s identity) For any integers a, b with gcd(a, b) = d, there exist integers x, y such that d = ax + by.

21 Chapter 3. Lenstra s Elliptic Curve Method 17 Proof. The idea is to run through the Euclidean Algorithm and then reverse it by iteratively expressing r n as linear combinations of the previous remainders. In order to do this, we express the new remainder in each line as a linear combination of the previous two remainders: a = bq + r r = a bq b = rq 1 + r 2 r 2 = b rq 1... r n 3 = r n 2 q n 2 + r n 1 r n 1 = r n 3 r n 2 q n 2 r n 2 = r n 1 q n 1 + r n r n = r n 2 r n 1 q n 1 r n 1 = r n q n We start with the final equation on the right side and use the equation above it to replace r n 1 with its linear combination in terms of r n 3 and r n 2 : r n = r n 2 r n 1 q n 1 = r n 2 (r n 3 r n 2 q n 2 )q n 1 = r n 2 (1 + q n 2 q n 1 ) r n 3 q n 1 We ve expressed r n as a linear combination of r n 2 and r n 3! In the next step, we replace r n 2 with its linear combination in terms of r n 4 and r n 3 and collect terms. This lets us express r n as a linear combination of r n 3 and r n 4. We continue doing this procedure until we ve expressed r n as a linear combination of a and b. This algorithm is called the Extended Euclidean Algorithm and takes about twice as long as the Euclidean Algorithm itself. As it turns out, we can use this to find modular multiplicative inverses: Proposition 3.3. If gcd(a, b) = 1 for integers a and b, then Bezout s identity 1 = ax + by yields the multiplicative inverse of a modulo b, namely x. Proof. This can be easily seen from the definition of multiplicative inverses: ax 1 (mod b) if and only if there exists an integer y such that ax = 1 + yb.

22 Chapter 3. Lenstra s Elliptic Curve Method 18 Rewriting the last equation gives exactly Bezout s identity, 1 = ax yb Fermat s Little Theorem Theorem 3.4. (Fermat) Let p be prime, then for any integer a, a p 1 1 (mod p). Remark 3.5. This is a very handy theorem. For one, it can be proved that an integer n is composite by finding an integer a such that a n 1 1 (mod n). Next, if p is a prime factor of n and a is coprime to n, then we have that a K(p 1) 1 (mod p) for any positive integer K. If we now let k = K(p 1), we get that a k 1 0 (mod p), so p a k 1 for any exponent k where k is a multiple of p 1. Proof. We prove the equivalent statement that for any prime p and integer a, we have that a p a (mod p). We do this by induction on a. Fix any prime p. For the base case a = 1, we have 1 p 1 (mod p). Now suppose a p a (mod p) is true for some integer a. By the Binomial Theorem, (a + 1) p = a p + ( ) p 1 a p ( p p 1) a + 1 a p + 1 (mod p). The last equality holds, since p ( p k) for any 0 < k < p. Now, since a p a (mod p), we get (a + 1) p a + 1 (mod p) Fast Powering Algorithm Pollard s p 1 algorithm, discussed in the next section, involves computing the greatest common divisor of n, the integer we want to factorize, and a k 1, where a is any integer and k is a fairly large exponent (up to ). While computing a k may seem computationally expensive, we can use properties of the greatest common divisor to save a lot of work. For example, applying the Division Algorithm gives a k 1 = nq + r for some integers q and r. Note that r a k 1 (mod n), so gcd(n, a k 1) = gcd(n, r) = gcd(n, a k 1 (mod n)). Instead of finding a k 1, we now need to find a k 1 (mod n). This may look like only a minor improvement, however, modular exponentiation can be done very efficiently with a

23 Chapter 3. Lenstra s Elliptic Curve Method 19 method called the Fast Powering Algorithm. For instance, computing (mod 1000) in a naive way would involve first computing and then looking at the last three digits. This can be done much more quickly by first writing the exponent as the sum of powers of 2 and then using repeated modular squaring: We have that 218 = , so then = = Below, we compute 3 2i for i = 1,..., 7. i i (mod 1000) Once we compute 3 2i (mod 1000), we can easily compute 3 2i+1 (mod 1000) = (3 2i ) 2 (mod 1000), by a single modular squaring operation. We square 7 times in total and then perform another 4 multiplications: (mod 1000) = (mod 1000) = (mod 1000) = 489 (mod 1000). So we reduced our work to 11 modular multiplications, a significant improvement! For computing a b (mod n) in general, these are the steps involved in the Fast Powering Algorithm: 1. Express b as the sum of powers of 2, i.e. b = k α i 2 i with α i {0, 1} and 2 k being the highest power of 2 smaller than b. 2. Compute c i = a 2i (mod n) for i = 0,..., k iteratively by repeated modular squaring operations, i.e. a 2i+1 3. Now, a b (mod n) k i=0 (mod n) = (a 2i ) 2 (mod n). i=0 c α i i (mod n).

24 Chapter 3. Lenstra s Elliptic Curve Method Pollard s p 1 Algorithm Given a composite (i.e. positive and non-prime) integer n, we want to find one of its factors. Pollard s p 1 Algorithm is as follows. Pollard s p 1 Algorithm 1. Choose any integer B. 2. Choose an integer k which is a product of small primes raised to small powers relative to B. For example, a good choice is k = lcm(2, 3,..., B). 3. Chose any integer a between 1 and n. 4. If gcd(a, n) > 1, we are done. Otherwise, proceed to the Step Let x = a k and calculate D = gcd(x 1, n). If 1 < D < n, we are done. If D = 1, go back to Step 1 and choose a larger B. If D = n, go back to Step 1 and choose a smaller B. Note that the majority of computations are done in step 5, where we compute gcd(x 1, n). This can be done efficiently using the previously discussed Euclidean Algorithm and Fast Powering methods. However, it isn t entirely obvious what a good choice for B in Step 1 is. With lower values for B it becomes easier to compute the gcd in step 5, but if B is too small the gcd will be 1. Higher values for B are more likely to yield a non-trivial gcd, but computing the gcd in step 5 takes much longer. In practice, one chooses B 100 and increases the value until a non-trivial factor is found. For values higher than B = 10 6, this process becomes infeasible with current day technology and more powerful factorizing algorithms need to be used. Example Consider n = Let B = 8, k =lcm(2,..., 8) = 840, a = 2. Then gcd( , n) = 421 immediately yields a non-trivial factor of n, so then n = We could find either factor very quickly using Trial Division, so these examples only serve to demonstrate how the algorithm works and not how efficient it is. In order to illustrate its efficiency, we would need to choose much higher numbers, which in turn would make it difficult to understand how the algorithm works.

25 Chapter 3. Lenstra s Elliptic Curve Method 21 Example Consider n = Let B = 8, k =lcm(2,...8) = 840, a = 2. Then gcd(2 840, n) = 1, so we need to increase B. After increasing B to 191 we find the non-trivial factor p = gcd(2 lcm(2,...,b), n) = 383. This gives us n = Why Pollard s p 1 Algorithm works Definition 3.6. Let B be a positive integer. An integer n is called B-smooth, if all prime factors of n are at most B. This definition allows us to quantify more precisely for which integers n Pollard s p 1 Algorithm yields prime factors, namely exactly when n has prime factors p for which p 1 is B-smooth for B < In Example 3.2.1, p = 421 was a factor of n and we found it so easily as p 1 = 420 = is 8-smooth. In Example 3.2.2, for the factor p = 383 we have that p 1 = 382 = is 191-smooth, so we had to increase B accordingly high. More specifically, let n have a prime factor p such that p 1 is B-smooth for some integer B. In the final step of the algorithm, we compute gcd(a k 1, n), where a is coprime to n (i.e. gcd(a, n) = 1) and k is B-smooth. Recall that Fermat s Little Theorem tells us that p a k 1 if k is a multiple of p 1. We don t know p or p 1 to begin with, but if we ve chosen a large enough B so that p 1 and k are B-smooth, then k is likely a multiple of p 1. If not, then gcd(a k 1, n) = 1 and we need to increase B further. Increasing B should be done liberally until either B > 10 6, in which case we abandon the process altogether, or until gcd(a k 1, n) > 1. In this case k is a multiple of p 1, so gcd(a k 1, n) is a multiple of p. Of course, gcd(a k 1, n) n, and if equality holds we need to decrease B. Decreasing B should be done more gradually until gcd(a k 1, n) < n in which case we ve found a non-trivial factor of n. 3.3 Lenstra s Elliptic Curve Method (ECM) Again, let n be an integer for which we wish to find one of its factors. In order to use ECM efficiently, we require that n isn t divisible by 2 or 3 and that n isn t a perfect power. If n is divisible by 2 or 3 (which is easily checked by looking at the last digit and the cross-sum of

26 Chapter 3. Lenstra s Elliptic Curve Method 22 n), then we already have found a factor, and in order to proceed with ECM we repeatedly divide n by 2 and 3 until we can t do this anymore. If on the other hand n is a perfect power, that is n = m k where m > 1 and k 2, then the only factor of n is m. One way to check this is to approximate k n for k = 2,..., log 10 n (e.g. with Newton s Method) and test whether the closest integers raised to the power of k equal n. If this procedure yields that factor m, there is no need to use ECM. Lenstra s Elliptic Curve Method Given an integer n, we use the following steps to find factors of n. 1. Check that n isn t divisible by 2 or 3, and that n isn t a perfect power. 2. Choose random integers a, x, y between 1 and n. 3. Let b = y 2 x 3 ax (mod n). 4. Calculate D = gcd(4a b 2, n). If 1 < D < n, we are done. If D = 1, proceed to Step 5. If D = n, go back to Step 2 and choose a different a. 5. Let E be the elliptic curve E : y 2 = x 3 + ax + b, and let P = (x, y) E. 6. Choose a number k which is a product of small primes raised to small powers. For example, a good choice is k = lcm(2, 3,..., B) for some integer B Compute kp (mod n). 8. If kp lies on E, go back to Step 2 and choose different values for a, x, and y. Otherwise, Step 7 yields a factor of n (see Chapter 3.3.1). Note that Steps 2 and 3 produce coefficients for an elliptic curve E for which we know that P lies on E. In this description of the algorithm, there isn t a systematic way of choosing good values for a, x, and y but heuristically speaking, choosing random values is sufficient to eventually find a non-trivial factor. Improvements on this aspect of the algorithm will be discussed in more depth in Chapter 5.

27 Chapter 3. Lenstra s Elliptic Curve Method 23 When computing kp in Step 7, we can use a variant of the Fast Powering Algorithm. For instance, 6P = P +...+P = 2P +4P = 2P +2 (2P ), so we can use the Duplication Formula from Lemma 2.10 to save expensive computation time. Recall that, given P = (x, y), we have that x(2p ) = x4 2ax 2 8bx + a 2 4x 3 + 4ax + 4b. To compute 2P (mod n), we need to find the multiplicative inverse of the denominator modulo n. x(2p ) (mod n) = (x 4 2ax 2 8bx + a 2 ) (4x 3 + 4ax + 4b) 1 (mod n). If we denote the denominator as d = 4x 3 + 4ax + 4b and gcd(d, n) = 1, then we can find Bezout s identity 1 = αd + βn for some integers α, β. Recall that α is the multiplicative inverse of d modulo n. We then obtain x(2p ) (mod n) = x4 2ax 2 8bx + a 2 4x 3 + 4ax + 4b (mod n) = (x 4 2ax 2 8bx + a 2 ) α (mod n). In a similar fashion, we find y(2p ): y(2p ) (mod n) = 3x2 + a (x(2p ) x) + y (mod n). 2y If gcd(2y, n) = 1, we can find integers γ, δ such that 1 = γ(2y) + δn. Then y(2p ) (mod n) = (3x 2 + a) γ (x(2p ) x) + y (mod n). From this, we find (4P = 2(2P )) (mod n) using the Duplication Formula on 2P (mod n). Finally, 6P (mod n) = 2P + 4P (mod n) using the Point Addition Formulas provided in Lemma 2.9. In general, the following steps allow us to efficiently compute kp (mod n):

28 Chapter 3. Lenstra s Elliptic Curve Method Express k as the sum of powers of 2, i.e. k = k α i 2 i with α i {0, 1} and 2 k being the highest power of 2 smaller than k. 2. Compute 2 i P (mod n) for i = 0,..., k iteratively by repeatedly using the Duplication Formula, i.e. 2 i+1 P (mod n) 2(2 i P ) (mod n). 3. Now, kp (mod n) = k α i 2 i P (mod n). i=0 i=0 Example Consider n = Let E : y 2 = x 3 + 5x 5, P = (1, 1), k = 10! We begin by finding 2!P = 2P (mod n) by using the Duplication Formula. x(2p ) = 56/4 = 14 y(2p ) = (1 14) 1 = P = (14, 53) The x- and y-coordinates of 2P are integers, so we didn t need to find any multiplicative inverses. Next, we find 3!P = 2P + 4P modulo n by using the Duplication Formula on 2P. x(4p ) 37041/11236 (mod n) (mod n) (mod n) y(4p ) 593/( 106) ( ) + 53 (mod n) (mod n) (mod n) 4P = (259851, ) (mod n) Now, x(6p ) λ (mod n) and y(6p ) λx(6p ) + y(2p ) λx(2p ), where λ (mod n) / (mod n) (mod n) (mod n)

29 Chapter 3. Lenstra s Elliptic Curve Method 25 So then x(6p ) (mod n) (mod n) y(6p ) (mod n) (mod n) 6P = (179685, 28708) Similarly, we find that 4!P, 5!P,..., 7!P all lie on E, but computing 8!P requires inverting 599 modulo n which isn t possible. This is because 599 is a factor of n, and we conclude that n = Why Lenstra s ECM works As we ve mentioned before, elliptic curves are defined over fields. Yet in Lenstra s ECM we consider a curve defined over the ring Z/nZ, where n is the integer we wish to factorize. For almost all elements x Z/nZ, x has a multiplicative inverse, so Z/nZ is almost a field. The only elements y Z/nZ that don t have a multiplicative inverse are those for which gcd(y, n) > 1. We call these elements zero divisors of Z/nZ. Lenstra s ECM attempts to find these zero divisors by systematically adding rational points on the curve, anticipating that eventually one point addition will fail. When performing ECM, all denominators D involved in the process of computing kp (mod n) must have a multiplicative inverse modulo n. This is the case if and only if gcd(d, n) = 1, since otherwise D n/ gcd(n, D) 0 (mod n). Therefore, as long as gcd(d, n) = 1 holds we can continue finding kp (mod n). However, once gcd(d, n) > 1, we ve found a divisor of n exactly what we were after! This explanation still doesn t cover why Example worked out nicely, that is why the curve we chose yielded a factor of n. The following two chapters explain in depth which kind of curves are most useful for integer factorization and how to find them.

30 Chapter 3. Lenstra s Elliptic Curve Method Comparing Trial Division, Pollard s p 1, and Lenstra s ECM With Trial Division we can easily find factors with up to 10 digits with modern computing power. For this we keep a list of all prime numbers with up to 10 digits and check the integer we wish to factorize for divisibility by each prime in our list. We could extend this list to find even larger factors, but it is preferable to have a more efficient algorithm that requires no such list (or perhaps a very small list). Trial Division requires π(2 n/2 ) 21+n/2 n ln 2 steps to determine whether or not n has a prime factor, where π(x) counts the number of primes that are at most x. Pollard s p 1 algorithm only finds certain prime factors efficiently, namely B-smooth factors for B The range of this algorithm is with prime factors up to 18 digits, which is well beyond Trial Division, however, Pollard s p 1 algorithm doesn t find many prime factors larger than 10 digits. Only about 1/4 of all 12 digit primes and about 1/27 of all 18 digit primes p are such that p 1 is smooth [18]. Increasing B increases the number of prime factors this algorithm can find, but as the time complexity of O(B log B log 2 n) depends heavily on the size of B, Lenstra s ECM performs much better in practice. Lenstra s ECM is known to reliably find factors with up to 25 digits, and there has even been found a prime factor with 83 digits using ECM [6]. The algorithm is, however, much more difficult to implement as the point addition is a more complicated procedure and it isn t quite clear which elliptic curve should be chosen. It is not clear when we should stop using Lenstra s ECM to find factors. In fact, the success of Lenstra s ECM is somewhat random (if we choose random curves), but even so its average success rate is so high that in practice one typically uses Lenstra s ECM after using Trial Division to filter out more small factors before moving on to more general purpose factoring algorithms.

31 Chapter 4 The Torsion Subgroup Recall that the points of an elliptic curve form an additive group. As with any group, we can define the order of an element: Definition 4.1. Let E be an elliptic curve over a field K with char(k) 2, 3. A point P E(K) has finite order if there exists a positive integer k such that kp = O. We call the least such k the order of P. The set of all points of finite order is called the torsion subgroup of E(K), denoted E(K) tors. Points of finite order are also called torsion points. Remark 4.2. For any field K, O E(K) tors since 1 O = O. The significance of the torsion subgroup is that Lenstra s ECM is particularly likely to find a prime factor when the torsion subgroup of the chosen elliptic curve is large. Before we talk about how to find elliptic curves with large torsion subgroup, we first discuss the properties of torsion points, which torsion subgroups we can expect and why a large torsion subgroup increases our chances of success. We will see that an elliptic curve can have different torsion subgroups over different fields and illustrate this with an example. 27

32 Chapter 4. The Torsion Subgroup Nagell-Lutz Theorem If an elliptic curve is defined over Z (which it always is with ECM), then we can characterize all torsion points with the following theroem. Theorem 4.3. (Nagell-Lutz) Let y 2 = x 3 +ax+b be an elliptic curve with integer coefficients a and b. Let D = 4a 3 27b 2. If P = (x, y) is a rational torsion point, then 1. x and y are integers 2. either y = 0, in which case P has order 2, or y D The first result tells us that all torsion points are in fact integer points. The converse is not true, as there may be integer points of infinite order. The second result helps us find all torsion points by finding all divisors d of D and then checking whether solving d 2 = x 3 + ax + b for x yields an integer point. 4.2 Mordell s Theorem Recall that the set of rational points on E, E(Q), forms an abelian group by Corollary The following theorem gives us an even better understanding of this set. Theorem 4.4. (Mordell s Theorem)[15] Let E/Q be an elliptic curve. Then E(Q) is finitely generated. A proof of Mordell s Theorem can be found in [20], Chapter III. Corollary 4.5. Let E/Q be an elliptic curve. Then E(Q) = Z r E(Q) tors with r 0. Proof. Since E(Q) is an abelian group, we can apply the Fundamental Theorem For Finitely Generated Abelian Groups: E(Q) = Z r Z/n 1 Z Z/n 2 Z... Z/n s Z,

33 Chapter 4. The Torsion Subgroup 29 where n i+1 n i for 1 i < s. Now, Z r makes up the points of infinite order, whereas the tail Z/n 1 Z... Z/n s Z is exactly the set of points of finite order, E(Q) tors. Remark 4.6. The quantity r in Corollary 4.3 is called the rank of the curve. One important property of the rank is that it needs to be strictly positive in order for ECM to work. We will discuss the rank more thoroughly in Chapter Mazur s Theorem Due to the following theorem we know that only a few torsion subgroups are possible for elliptic curves defined over Q: Theorem 4.7. (Mazur s Theorem)[13] E(Q) tors is isomorphic to one of the following 15 groups: Z/mZ for 1 m 10, m = 12 Z/2Z Z/2mZ for 1 m 4 Note that Mazur s and Mordell s Theorem characterize only E(Q) and its torsion subgroup. It is possible and reasonable to look for similar results with other number fields. 4.4 Generalizing Mordell s and Mazur s Theorem Definition 4.8. A field K containing Q may be considered a vector space over Q, with dimension d = dim Q (K). We call d the degree of K over Q, denoted [K : Q]. If [K : Q] <, then we call K a number field. As it turns out, Mordell s Theorem and Mazur s Theorem can be generalized for general number fields. Theorem 4.9. (Mordell-Weil Theorem)[22] Let E be an elliptic curve defined over a number field K. Then E(K) is a finitely generated abelian group.

34 Chapter 4. The Torsion Subgroup 30 Theorem (Kamienny-Kenku-Momose, 1992)[9, 11] Let E be an elliptic curve over a number field K, [K : Q] = 2. Then the torsion subgroup E(K) tors is isomorphic to one of the following 26 groups: Z/mZ for 1 m 16, m = 18 Z/2Z Z/2mZ for 1 m 6 Z/3Z Z/3mZ for 1 m 2 Z/4Z Z/4Z As with Mazur s Theorem, this is a complete list of all possible torsion subgroups over quadratic fields. There are similar results for higher degree number fields, but they have not been completed yet. Theorem (Jeon-Kim-Schweizer, 2006) [8] Let E be an elliptic curve over a number field K, [K : Q] = 3. For an infinite number of non-isomorphic elliptic curves, the following torsion subgroups arise: Z/mZ for 1 m 16, m = 18, 20 Z/2Z Z/2mZ for 1 m 7 Now, let E be an elliptic curve over a number field K, [K : Q] = 4. For an infinite number of non-isomorphic elliptic curves, the following torsion subgroups arise: Z/mZ for 1 m 18, m = 20, 21, 22, 24 Z/2Z Z/2mZ for 1 m 9 Z/3Z Z/3mZ for 1 m 3 Z/4Z Z/4mZ for 1 m 2 Z/5Z Z/5Z Z/6Z Z/6Z

35 Chapter 4. The Torsion Subgroup 31 This list isn t exhaustive, since the elliptic curve E : y 2 + xy + y = x 3 x 2 + 5x + 5 has torsion subgroup Z/21Z over the cubic subfield of Q(η 9 ), as shown by Najman in [17]. Najman continues to prove that there are no other elliptic curves defined over Q that don t fit on the list, but there still may be similar elliptic curves defined over cubic or quartic fields whether they exist is still an open question [21]. The list of torsion subgroups that can arise infinitely often over quintic or higher degree number fields has yet to be determined. However, it is known that there is an upper bound on the size of the torsion subgroup of elliptic curves: Theorem (Merel, 1994)[14] For every positive integer d there is a constant B(D) such that for every elliptic curve E/K with [K : Q] = d we have E(K) tors B(d). The currently best known bound B(d) = (1 + 3d/2) 2 (for d > 2) was found by Oesterlé in 1994, but not published [21]. Once we have developed methods for creating specific elliptic curves, we can use these lists of possible torsion subgroups to specify which torsion subgroup our elliptic curve in the ECM should have. Heuristically speaking, a large torsion subgroup increases the success chances for ECM, which we will illustrate in section 5. Recall that in the version of ECM presented in 3.3 we first selected a random integer point and constructed an elliptic curve around that point, so we didn t have any control over the the torsion subgroup (over any number field). A few recently developed methods for creating elliptic curves with prescribed torsion subgroup are covered in Chapter 5. Before moving on to these methods, we first explain why a large torsion subgroup of E(Q) over different number fields helps us factor an integer and show an example how this plays out in practice.

36 Chapter 4. The Torsion Subgroup Hasse s Theorem Recall that in Pollard s p 1 algorithm, we found a factor p of n if p 1 was smooth, i.e. the product of small primes. This algorithm becomes infeasible when n has no factor p such that p 1 is B-smooth for B With Lenstra s algorithm, however, we instead need E(F p ) to be smooth, where p is the smallest factor of n. By the following theorem the size of this group is flexible: Choosing different curves E 1 and E 2 gives different results for E i (F p ), but they are within a certain range, depending on the value of p. Theorem (Hasse)[5] Let E be an elliptic curve over the finite field F p, where p is prime. Then p p < E(F p ) < p p. A proof for Hasse s Theorem can be found in [19], p.131. Hasse s Theorem allows us now to explain exactly why we were able to use ECM in Example 3.3.1, and why we seek elliptic curves with large torsion subgroups Why Lenstra s ECM works (continued) In Example 3.3.1, we found that n = = by choosing the elliptic curve E : y 2 = x 3 + 5x 5 and computing 8!P, where P = (1, 1). This is because E(F 599 ) = 640 = is 5-smooth, whereas E(F 761 ) = 777 = isn t. On a side note, the size of the torsion group is rather large: E(Q tors ) = 9. Generally speaking, if p and q are prime factors of n, then a point P = (x, y) on E : y 2 = x 3 + ax + b (mod n) lies on both E (mod p) and E (mod q). Since p and q are prime, the smaller sets of points E(Z/pZ) and E(Z/qZ) form genuine additive groups (because Z/pZ and Z/qZ are fields). Since Z/pZ and Z/qZ are isomorphic to F p and F q, respectively, we instead consider E(F p ) and E(F q ). By Hasse s Theorem, E(F p ) and E(F q ) are flexible, so for different curves these sizes vary. Now, the algorithm only yields a factor p of n if we choose a curve E with the property that E(F p ) is smooth and E(F q ) isn t for all other factors q, and that only E(F p ) divides the