Lenstra's Elliptic Curve Factorization Algorithm
Tamalika Mukherjee, May 12, 2015, Rochester Institute of Technology

Introduction

What are Elliptic Curves?
Let $A, B \in \mathbb{R}$ be constants such that $4A^3 + 27B^2 \neq 0$. A non-singular elliptic curve is the set $E$ of solutions $(x, y) \in \mathbb{R} \times \mathbb{R}$ to the equation
$$y^2 = x^3 + Ax + B$$
together with a special point $O$ called the point at infinity.

Addition Law on Elliptic Curves
Given points $P = (x_1, y_1)$ and $Q = (x_2, y_2)$, define $R = P + Q$, where $R = (x_3, y_3)$ is given by
$$x_3 = \lambda^2 - x_1 - x_2, \qquad y_3 = \lambda(x_1 - x_3) - y_1.$$
Here $\lambda$ is given by
$$\lambda = \begin{cases} (y_2 - y_1)(x_2 - x_1)^{-1} \bmod N & : P \neq Q \\ (3x_1^2 + A)(2y_1)^{-1} \bmod N & : P = Q \end{cases}$$

Pseudo-group
Let $G$ be a set, "+" be an operation and $P, Q \in G$. If $P + Q = R$ cannot always be guaranteed to be an element of $G$, then we say that $G$ is a pseudo-group and "+" is called pseudo-add.

Pseudo-group Law
Define $V_N$ as
$$V_N = \{(x, y) \in E \mid x, y \in \mathbb{Z}_N,\ E : y^2 = x^3 + Ax + B\} \cup \{O\}.$$
Suppose $P, Q \in V_N$ and $R = P + Q$.
1. If $P = O$, then $R = Q$. If $Q = O$, then $R = P$.
2. If $P, Q \neq O$, then suppose that $P = (x_1, y_1)$ and $Q = (x_2, y_2)$. We have the following possibilities:
  1. Compute $d_1 = \gcd(x_1 - x_2, N)$. If $1 < d_1 < N$, then stop and give a non-trivial factor of $N$.
  2. If $d_1 = 1$, calculate $R = (x_3, y_3)$ where $x_3 = \lambda^2 - x_1 - x_2$, $y_3 = \lambda(x_1 - x_3) - y_1$ and $\lambda = (y_2 - y_1)(x_2 - x_1)^{-1} \bmod N$.
  3. If $d_1 = N$, then compute $d_2 = \gcd(y_1 + y_2, N)$. If $1 < d_2 < N$, then stop and give a non-trivial factor of $N$.
  4. If $d_2 = 1$, calculate $R = (x_3, y_3)$ where $x_3 = \lambda^2 - x_1 - x_2$, $y_3 = \lambda(x_1 - x_3) - y_1$ and $\lambda = (3x_1^2 + A)(y_1 + y_2)^{-1} \bmod N$.
  5. If $d_2 = N$, then let $R = O$.

The Elliptic Curve Method

Basic Idea
Suppose $p$ is the smallest prime factor of $N$ and $w, w'$ are two fixed bounds. Let $k$ be a $w$-smooth number: the largest prime factor of $k$ is less than $w$.
Define
$$k = \prod_i p_i^{e_i}, \quad \text{where } p_i \le w \text{ and } p_i^{e_i} \le w' = p + 1 + 2\sqrt{p}.$$
Note: $k \ll p^w$; in other words, $\log k \ll w \log p$.

Basic Idea
We want to choose a random elliptic curve $E : y^2 = x^3 + Ax + B$ with $A, B \in \mathbb{Z}_N$ and a random point $P = (x, y)$ on $V_N$, and compute $kP$.

Lenstra's Algorithm
[Input] Integer $N$ to be factored.
1. Choose random values $A$, $a$ and $b$ modulo $N$.
2. Set $P = (a, b)$ and $B \equiv b^2 - a^3 - A \cdot a \pmod N$. Let $E$ be the elliptic curve $E : y^2 = x^3 + Ax + B$.
3. Loop $j = 2, 3, 4, \ldots$ up to a specified bound.
  3.1 Compute $Q = jP \pmod N$ and set $P = Q$.
  3.2 If the computation in Step 3.1 fails, then we have found a $d > 1$ with $d \mid N$.
  3.3 If $d < N$, then success: return $d$.
  3.4 If $d = N$, go back to Step 1 and choose a new curve and point.
  3.5 Increment $j$ and loop again.

Time Complexity of the Original ECM

Theorem. Let $x > 0$, $\alpha > 1$ and $\rho(\alpha)$ be the probability that an integer between $1$ and $x$ has its largest prime factor $\le x^{1/\alpha}$.

Theorem. If $\epsilon > 0$ is arbitrary and $3 \le \alpha \le (1 - \epsilon) \log x / \log\log x$, then
$$\rho(\alpha) = \exp(-\alpha(\log\alpha + o(\log\alpha))) \quad \text{as } x \to \infty.$$

Some Useful Conjectures
∙ Conjecture 1: Let $s$ be a random integer in the interval $(p + 1 - \sqrt{p},\ p + 1 + \sqrt{p})$. Then the probability that $s$ has all its prime factors $\le p^{1/\alpha}$ is approximately $\rho(\alpha)$, when $p \to \infty$.
∙ By defining $L(p)^u = p^{1/\alpha}$ and rewriting $\rho(\alpha)$ in terms of this definition, we get:
∙ Conjecture 2: Let $s$ be a random integer in the interval $(p + 1 - \sqrt{p},\ p + 1 + \sqrt{p})$. Then the probability that $s$ has all its prime factors $\le L(p)^u$ is approximately $L(p)^{-1/(2u) + o(1)}$, when $p \to \infty$. Here $L(p) = \exp\left(\sqrt{\log p \,\log\log p}\right)$.

Expected Running Time
∙ Consider a unit of running time to be $O(\log^3 N)$: this is the time to perform an inverse operation mod $N$ in pseudo-addition.
∙ $kP$ can be computed in $O(\log k)$ units of running time using the repeated squaring algorithm; this is the dominating time of one trial.
∙ The success probability of performing one trial is $h = \log p / f(w)$, where $f(w)$ is the probability that a random integer in the interval $(p + 1 - \sqrt{p},\ p + 1 + \sqrt{p})$ has all its prime factors $\le w$.
∙ The total time of Lenstra's algorithm is $O(h \log k)$ units of running time.

Optimal Running Time
∙ Recall that $\log k \ll w \log p$, thus $h \log k \ll w \log^2 p / f(w)$.
∙ Using Conjecture 2, replace $w = L(p)^u$; then $f(L(p)^u) = L(p)^{-1/(2u) + o(1)}$ for $p \to \infty$.
∙ $$\frac{w}{f(w)} = \frac{L(p)^u}{L(p)^{-1/(2u) + o(1)}} = L(p)^{u + 1/(2u) + o(1)}$$
∙ To minimize $w / f(w)$, we should minimize $u + 1/(2u)$, which is minimal at $u = 1/\sqrt{2}$.
∙ Thus the optimal $h = \log p / f(w) = L(p)^{1/\sqrt{2} + o(1)}$.
∙ Therefore the optimal running time is
$$h \log k = O(h w \log p) = L(p)^{1/\sqrt{2} + o(1)} \cdot L(p)^{1/\sqrt{2} + o(1)} = L(p)^{\sqrt{2} + o(1)}.$$

Time for an Example

Problem
Let $N = 13333$; we want to factor $N$ using Lenstra's algorithm. We choose a bound $w = 20$ and calculate
$$k = \prod_{p \le w} p^{\lceil \log(w) / \log(p) \rceil},$$
where $p$ runs over the primes with $p \le w$. In this case $k = 4976640$.
To make our implementation easier we only use elliptic curves of the form
$$y^2 = x^3 + Ax + 1 \pmod N.$$
We choose $A$ randomly from $\mathbb{Z}_N$ and set $B = 1$ and $P = (0, 1)$.

Trial Runs
First Run:
Trial number: 0
Choice of a: 10845
Choice of Elliptic Curve: y^2 = x^3 + 10845x + 1
Factor of N is 67

Second Run:
Trial number: 0
Choice of a: 2899
Choice of Elliptic Curve: y^2 = x^3 + 2899x + 1
Trial number: 1
Choice of a: 3385
Choice of Elliptic Curve: y^2 = x^3 + 3385x + 1
Trial number: 2
Choice of a: 11859
Choice of Elliptic Curve: y^2 = x^3 + 11859x + 1
Factor of N is 67
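As an added example (not the deck's own code), the pseudo-group law, double-and-add for $jP$, and the retry loop of Lenstra's algorithm in Python, run on the deck's $N = 13333$ with curves $y^2 = x^3 + Ax + 1$ through $P = (0, 1)$. Using the smoothness bound $w = 20$ as the loop bound for $j$ and seeding the random choice of $A$ are my assumptions, so the $A$ values drawn differ from the trial runs above.

```python
from math import gcd
import random

O = None  # the point at infinity

class FactorFound(Exception): pass  # args[0] is a factor d of N with 1 < d < N

def pseudo_add(P, Q, A, N):
    """Pseudo-group law on V_N for y^2 = x^3 + Ax + B: P + Q, or raise FactorFound."""
    if P is O or Q is O:
        return Q if P is O else P
    (x1, y1), (x2, y2) = P, Q
    d1 = gcd(x1 - x2, N)
    if 1 < d1 < N:
        raise FactorFound(d1)
    if d1 == 1:                                  # distinct x: chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, N) % N
    else:                                        # same x mod N: P = Q or P = -Q
        d2 = gcd(y1 + y2, N)
        if 1 < d2 < N:
            raise FactorFound(d2)
        if d2 == N:                              # y1 = -y2, so P + Q = O
            return O
        lam = (3 * x1 * x1 + A) * pow(y1 + y2, -1, N) % N   # tangent (2y1 = y1 + y2)
    x3 = (lam * lam - x1 - x2) % N
    return (x3, (lam * (x1 - x3) - y1) % N)

def scalar_mult(j, P, A, N):
    """jP by double-and-add: the O(log j) repeated-squaring step of one trial."""
    R = O
    while j:
        if j & 1:
            R = pseudo_add(R, P, A, N)
        j >>= 1
        if j:
            P = pseudo_add(P, P, A, N)
    return R

def lenstra(N, bound=20, seed=0):
    """Steps 1-3.5 for composite N (assumed): random curves y^2 = x^3 + Ax + 1 through
    P0 = (0, 1); on each, P <- jP for j = 2..bound until a gcd exposes a factor."""
    rng = random.Random(seed)                    # seeded draw of A is my assumption
    while True:                                  # P = O (d = N) or bound reached: new curve
        A, P = rng.randrange(N), (0, 1)
        try:
            for j in range(2, bound + 1):
                P = scalar_mult(j, P, A, N)      # P = (j!) * P0
        except FactorFound as e:
            return e.args[0]
```

Doubling $P = (0, 1)$ on the first run's curve $A = 10845$ gives $2P = (908, 9579)$; any $d$ the code returns comes from a gcd with $1 < d < N$, so it is a genuine non-trivial factor (67 or 199).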