Cryptography Factoring and primality

Diffie Hellman key exchange

A and B select a public finite field $\mathbb{F}_q$. They want to share an integer $m < q = p^n$ as the common key for symmetric encryption. Write it in base $p$ as $\sum a_i p^i$ and use the element $\sum a_i x^i \in \mathbb{F}_p(x)/f(x)$.

In order to find a point, they select three elements $x, y, a \in \mathbb{F}_q$ and construct $b = y^2 - x^3 - ax$. Trivially the point $P = (x, y)$ will be on the elliptic curve $E: y^2 = x^3 + ax + b$. If the curve is not appropriate, start over.

A and B select random integers $k_A, k_B < |E(\mathbb{F}_q)|$ and send $k_A P$, $k_B P$ respectively. Each of them multiplies by its own key to get the common enciphering key.

Remark. $kP$ is polynomial in $k$ and $q$ by repeated doubling of the point.

In some cases we can break the decisional Diffie Hellman problem on the group of rational points of an elliptic curve with the Weil pairing.

Example: Take $y^2 = x^3 + 1$ over $\mathbb{F}_p$, $p \equiv 2 \pmod 3$. The map $x \mapsto x^3$ is an automorphism $\mathbb{F}_p^* \to \mathbb{F}_p^*$, hence there are exactly $(p-1)/2$ non-zero squares, $(-1, 0)$ and $\infty$, which gives $p + 1$ points.

Exercise: Let $y^2 = x^3 + b \pmod p$, with $p \equiv 2 \pmod 3$.
a) Suppose that $E[n] \subset E(\mathbb{F}_p)$. Show that $n \mid p - 1$ and $n^2 \mid p + 1$. Conclude that $n \le 2$.
b) Show that $E[2] \not\subset E(\mathbb{F}_p)$.
c) Show that $E(\mathbb{F}_p)$ is cyclic of order $p + 1$.

Let $\omega$ be a cubic root of unity, $\omega \in \mathbb{F}_{p^2} - \mathbb{F}_p$.

Lemma: $\beta : E(\mathbb{F}_{p^2}) \to E(\mathbb{F}_{p^2})$ such that $\beta(x, y) = (\omega x, y)$ is an automorphism. (Exercise)

Lemma: Let $\hat{e}_n(P_1, P_2) = e_n(P_1, \beta(P_2))$. Then for any point $P \in E(\mathbb{F}_p)$ of order $n$, not a multiple of 3, $\hat{e}_n(P, P)$ is a primitive $n$-th root of unity.

Proof. If $uP = v\beta(P)$, then $\beta(vP) = uP \in E(\mathbb{F}_p)$, and so if $vP = (x, y)$, $\omega x \in \mathbb{F}_p$, which is not possible unless $x = 0$, but $(0, 1)$ has order $3 \nmid n$.
Let $P, Q \in E(\mathbb{F}_p) \cap E[n]$, $p \nmid n$. If $e_n(P, Q) = 1$, then $xP = Q$ for some integer $x$. We want to decide whether in a given 4-tuple $(P, aP, bP, Q)$, $Q = abP$. Now $\hat{e}_n(P, Q) = \hat{e}_n(P, P)^x$ and $\hat{e}_n(aP, bP) = \hat{e}_n(P, abP) = \hat{e}_n(P, P)^{ab}$. They will be equal only if $Q = abP$.

Note that we did not need to solve the DL even in finite fields.

El Gamal Cryptosystem:

We first need to embed the messages into the group of an elliptic curve over $\mathbb{F}_p$, $y^2 = x^3 + Ax + B$. Write the message as $x_j = 100m + j$, $m < p$. Let $s_j = x_j^3 + x_j A + B$. The probability of finding a square is $1 - 1/2^{100}$.

B selects an elliptic curve with hard DL and a point $P$ on it, with order a large prime. Secretly selects $s$ and makes public $R = sP$.

A wants to send $M$. Selects a random $k$, and computes $M_1 = kP$, $M_2 = M + kR$. Different $k$ for different messages.

B is able to decrypt. Why?

An elliptic analog of RSA

B selects $p, q \equiv 2 \pmod 3$, and $n = pq$. Selects $ed \equiv 1 \pmod{(p + 1)(q + 1)}$.

A represents her messages as $M = (m_1, m_2)$ on the elliptic curve $y^2 = x^3 + m_2^2 - m_1^3 \bmod n$, and computes the cipher $C = (c_1, c_2) = eM$.

$M = dC$

Remarks.
• The addition formulas do not depend on $b$.
• In the addition formula there is $(y_2 - y_1)/(x_2 - x_1)$; this is always possible, since it is hard to factorize $n$, or it is the point $\infty$.
• $E(\mathbb{Z}/n\mathbb{Z}) \simeq E(\mathbb{F}_p) \times E(\mathbb{F}_q)$, so $|E(\mathbb{Z}/n\mathbb{Z})| = (p + 1)(q + 1)$. Otherwise it is not possible to find the order of the group without factoring $n$.
• To embed the message as a point of a fixed elliptic curve mod $n$ would again have been very hard without knowing the factorization of $n$. In fact, finding square roots is equivalent to factoring.

If we know $d$, $(p + 1) \mid ed - 1 = v\,2^K$ and 1/2 of the points in $E(\mathbb{F}_p)$ will have order divisible by $2^k$, where $2^k \,\|\, (p + 1)$. Compute $R_{i+1} = 2R_i$. Note that mod $p$ and mod $q$ are independent events.

• For $p$ prime, $a^{p-1} \equiv 1 \pmod p$. If $a^{n-1} \equiv 1 \pmod n$, $n$ is a pseudoprime to the base $a$. If $n$ is not pseudoprime for a base $b$, then for 50% of the bases $a$ with $(a, n) = 1$ it will not be pseudoprime.
• An Euler pseudoprime is a number such that $b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod n$. If $n$ is an Euler pseudoprime, then it is a pseudoprime. There is no analog of Carmichael numbers.
• $n$ is a strong pseudoprime to the base $b$ if $n - 1 = 2^s t$ and either $b^t \equiv 1 \pmod n$ or $b^{2^r t} \equiv -1 \pmod n$ for some $0 \le r < s$. It can be a strong pseudoprime for at most 25% of the bases.

Theorem. Let $n > 1$ and $E$ an elliptic curve modulo $n$. Suppose there exist prime numbers $l_1, \dots, l_k$ and points $P_1, \dots, P_k \in E(\mathbb{Z}/n\mathbb{Z})$, each of order the corresponding prime. Suppose $\prod l_i > (n^{1/4} + 1)^2$. Then $n$ is prime.

Proof: Reduce $P_i$ modulo $p \mid n$ to get a point of order $l_i$ in $E(\mathbb{F}_p)$ for all $i = 1, \dots, k$ and any $p \mid n$. Hence, $(1 + \sqrt{p})^2 > |E(\mathbb{F}_p)| > \prod l_i > (n^{1/4} + 1)^2$, so $p > \sqrt{n}$ for all $p \mid n$, which is impossible if $n$ is composite.

Example. Is 907 prime? Yes. Consider $E: y^2 = x^3 + 10x - 2 \pmod n$ and the point $(819, 784)$ of order $71 > (907^{1/4} + 1)^2 \approx 42$.

To find the curve, test randomly until you find one with a point of large prime order, but not too large. The point $(1, 3)$ has order $13 \cdot 71$.
Factorization

• Pollard's ρ method can be used to factorize. It will use the fact that there will be a match at independent speed modulo the factors of $n$.

Let $f \in \mathbb{Z}[x]$, $f : \mathbb{Z}/r\mathbb{Z} \to \mathbb{Z}/r\mathbb{Z}$ and $x_0 \in \mathbb{Z}$. We consider the sequence $x_{i+1} = f(x_i)$.

Let $n$ be composite. There exists a constant $C$ such that for any $\lambda \in \mathbb{R}^+$ the method will fail within $C\sqrt{\lambda}\, n^{1/4} \log^3 n$ with probability less than $e^{-\lambda}$.

Example: $n = 4087$. $2^{4086} \equiv 491 \pmod{4087}$, so $n$ is composite.
$f(x) = x^2 + 8x + 1$, $x_0 = 2$, $x_1 = 21$, $x_2 = 610$ and $(610, 4087) = 61$. Hence $4087 = 61 \cdot 67$.
$f(x) = x^2 + 5$, $x_{11} = 1139 = 67 \cdot 17$; $f(x) = x^2 + x + 1$, $x_4 = 2745 = 5 \cdot 9 \cdot 61$.

Fermat factorization. If $n$ is composite with factors very close to each other, then $n = t^2 - s^2$ with $s$ very small.

$n = 141467$, $t = 377, 378, \dots$ and $t = 414$ gives $s = 173$.

What if $a \approx 3b$? Then $3n = a(3b)$ has factors very close. Start with $[\sqrt{3n}] + 1 = 652$ and $655^2 - 3 \cdot 141467 = 68^2$.

Idea. If $t^2 \equiv s^2 \pmod n$ and $t \not\equiv \pm s \pmod n$, then $1 < (t + s, n) < n$.

Definition. A factor base is a set $B = \{-1, p_1, \dots, p_h\}$. Given $n$, $b$ is a $B$-number if the factors of $b^2 \pmod n$ are in $B$.

In a set $\{b_1, \dots, b_{h+1}\}$ of $h + 1$ $B$-numbers, there is a subset $S$ such that $\prod_S b_i^2 \equiv \prod_{p \in B} p^{2\alpha_p} \pmod n$.

Use linear algebra to find the subset.

To find the set of $B$-numbers, try numbers $\sqrt{kn}$ with small $k$.

The probability for a number $n \le x$ having factors less than $y$ is like $u^{-u}$, where $u = \frac{\log x}{\log y}$. For $x \approx 10^{48}$, $y \approx 10^6$, then $u \approx 8$.

It runs in subexponential time $O(\exp(c\sqrt{r \log r}))$.

Quadratic Sieve. Rather than factoring $b_i^2 \pmod n$, sieve the numbers $t^2 - n$, where $t$ runs through $t = [\sqrt{n}] + m$ for $m$ up to a certain constant $A$, by the prime factors in $B$.

Make a list with all the values of $t^2 - n$ which are $B$-numbers. Find a solution $t_1$ of $t^2 - n \equiv 0 \pmod{p^\beta}$ and all $t \equiv \pm t_1 \pmod{p^\alpha}$, $\alpha \le \beta$.

Proceed as in the Fermat factor base.

The expected time is $O(\exp((1 + \ )\sqrt{r \log r}))$.

There is an improved version called the number field sieve, which works in $O(\exp((1 + \ )\, r^{1/3} (\log r)^{2/3}))$.

Example: Factor 1042387. $p \le 50$, $A = 500$.

The sum of the first three gives a square; unfortunately it is 111078 on both sides.

The last is the fifth, and gives $(1112 \cdot 1520)^2 \equiv (3^3 \cdot 17 \cdot 23 \cdot 47)^2 \pmod{1042387}$, giving the factor 1487.

Elliptic curve method. We want to factor $n = pq \approx 10^{100}$. It is good for finding primes $p < 10^{40}$.
• Select around 20 elliptic curves $E_i \pmod n$ and $P_i \in E_i$. (We cannot compute square roots, but we can do $C = y^2 - x^3 - Ax$.)
• Choose $B$ around $10^8$, and compute $B!\,P_i$.

If it succeeds, select $B_1 > B$ and start again. Otherwise, we have found a factor.

The order of the curve will be in the interval $(p + 1 - 2\sqrt{p},\ p + 1 + 2\sqrt{p})$ and a positive proportion are smooth. If the point $E_i$ lies in that curve, $B!\,P = \infty \pmod p$ and it is unlikely that, at the same time, $B!\,P = \infty \pmod q$.

Example. Factor 4453. We take $E: y^2 = x^3 + 10x - 2 \pmod{4453}$. Let $P = (1, 3)$. We compute $2P$: the slope is $\frac{3x^2 + 10}{2y} = \frac{13}{6} = 3713 \pmod{4453}$, so $2P = (4332, 3230)$.

$2P + P$ has slope $\frac{3230 - 3}{4332 - 1} = \frac{3227}{4331}$. But $(4331, 4453) = 61$, which is a nontrivial factor. $4453 = 61 \cdot 73$.

Modulo 61 we have $2P = (1, 58)$, $3P = \infty$, but modulo 73 we have $2P = (25, 18)$, $3P = (28, 44)$, ..., $64P = \infty$.
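The 4453 example above as running code. This is an added example, not from the original slides; the function names and the bound 10 are assumptions. Point addition modulo n raises as soon as a slope denominator is not invertible, and the gcd that blocked the inversion is the factor.

```python
from math import gcd

class FactorFound(Exception):
    """Raised when a slope denominator shares a proper factor with n."""
    def __init__(self, factor):
        super().__init__(f"denominator not invertible, gcd = {factor}")
        self.factor = factor

def inv_mod(d, n):
    """Inverse of d modulo n, or FactorFound carrying gcd(d, n)."""
    g = gcd(d % n, n)
    if g != 1:
        raise FactorFound(g)
    return pow(d % n, -1, n)

def ec_add(P, Q, a, n):
    """P + Q on y^2 = x^3 + a*x + b over Z/nZ (n odd); None is the point at infinity.
    As the slides remark, the formulas never use b."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % n == 0:
            return None                          # Q = -P
        if y1 != y2:                             # equal x, y not equal up to sign:
            raise FactorFound(gcd(y1 + y2, n))   # only happens for composite n
        lam = (3 * x1 * x1 + a) * inv_mod(2 * y1, n) % n
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, n) % n
    x3 = (lam * lam - x1 - x2) % n
    return x3, (lam * (x1 - x3) - y1) % n

def ec_mul(k, P, a, n):
    """k*P by repeated doubling (binary expansion of k, most significant bit first)."""
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R, a, n)
        if bit == "1":
            R = ec_add(R, P, a, n)
    return R

def ecm(n, a, P, bound):
    """Compute bound! * P one multiplier at a time; return a proper factor or None."""
    Q = P
    try:
        for k in range(2, bound + 1):
            Q = ec_mul(k, Q, a, n)
            if Q is None:          # infinity modulo every prime factor at once
                return None
    except FactorFound as hit:
        return hit.factor
    return None

if __name__ == "__main__":
    P = (1, 3)                                   # the slide's point on y^2 = x^3 + 10x - 2
    print("2P mod 4453 =", ec_add(P, P, 10, 4453))
    print("factor =", ecm(4453, 10, P, 10))
    print("3P mod 61 =", ec_mul(3, P, 10, 61), " 64P mod 73 =", ec_mul(64, P, 10, 73))
```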
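Going back to the Fermat factorization slide: an added example (not from the original slides; the function names are assumptions) that runs the search on n = 141467 with and without the multiplier 3 and counts how many values of t are tried before t^2 - kn is a square.

```python
from math import gcd, isqrt

def fermat_search(n, k=1, max_steps=100_000):
    """Try t = ceil(sqrt(k*n)), ceil(sqrt(k*n)) + 1, ... until t^2 - k*n = s^2.
    Returns (t, s, number of t values tried) or None if max_steps is exhausted."""
    m = k * n
    t = isqrt(m)
    if t * t < m:
        t += 1                       # first t with t^2 >= k*n
    for steps in range(1, max_steps + 1):
        rest = t * t - m
        s = isqrt(rest)
        if s * s == rest:
            return t, s, steps
        t += 1
    return None

def split(n, k=1):
    """Turn t^2 = s^2 (mod n) into factors of n via gcd(t + s, n), as in the slide's Idea.
    Returns (factor, cofactor, steps) or None."""
    hit = fermat_search(n, k)
    if hit is None:
        return None
    t, s, steps = hit
    for candidate in (gcd(t + s, n), gcd(t - s, n)):
        if 1 < candidate < n:
            return candidate, n // candidate, steps
    return None                      # t = +-s (mod n): the congruence was trivial

if __name__ == "__main__":
    n = 141467
    print("k=1:", fermat_search(n), "->", split(n))
    print("k=3:", fermat_search(n, 3), "->", split(n, 3))
```

With k = 1 the search walks from t = 377 to t = 414; with k = 3 it starts at 652 and stops at 655, because 3n = 587 · 723 has factors much closer together than n = 241 · 587.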