Prime Numbers

7.4 Elliptic curve method 335
a random point on the curve. If one is working with a true elliptic curve
over a finite field, points on it can easily be found via Algorithm 7.2.1. But
if one is working over Zn with n composite, the call to the square root in
this algorithm is not likely to be useful. However, it is possible to completely
bypass Algorithm 7.2.1 and find a random curve and a point on it by choosing
the point before the curve is fully defined! Namely, choose a at random, then
choose a point (x0,y0) atrandom,thenchooseb such that (x0,y0) isonthe
curve y 2 = x 3 + ax + b; thatis,b = y 2 0 − x 3 0 − ax0.
With these two approaches to finding a random curve, we can formalize
the question of the likelihood of the curve order having a particular property.
Suppose p is a prime larger than 3, and let S be a set of integers in the
Hasse interval (p +1− 2 √ p, p +1+2 √ p). For example, S might be the set
of B-smooth numbers in the interval for some appropriate value of B (see
Section 1.4.5), or S might be the set of prime numbers in the interval, or the
set of doubles of primes. Let N1(S) be the number of pairs (a, b) ∈ F 2 p with
4a 3 +27b 2 =0andwith#Ea,b(Fp) ∈S.LetN2(S) be the number of triples
(a, x0,y0) ∈ F 3 p such that for b = y 2 0 − x 3 0 − ax0, wehave4a 3 +27b 2 =0
and #Ea,b(Fp) ∈S. What would we expect for the counts N1(S),N2(S)? For
the first count, there are p 2 choices for a, b to begin with, and each number
#Ea,b(Fp) falls in an interval of length 4 √ p, so we might expect N1(S) tobe
about 1
4 (#S)p3/2 . Similarly, we might expect N2(S) tobeabout1 4 (#S)p5/2 .
That is, in each case we expect the probability that the curve order lands
in the set S to be about the same as the probability that a random integer
chosen from (p +1− 2 √ p, p +1+2 √ p) lands in S. The following theorem says
that this is almost the case.
Theorem 7.3.2 (Lenstra). There is a positive number c such that if p>3
is prime and S is a set of integers in the interval (p +1− 2 √ p, p +1+2 √ p)
with at least 3 members, then
N1(S) >c(#S)p 3/2 / ln p, N2(S) >c(#S)p 5/2 / ln p.
This theorem is proved in [Lenstra 1987], where also upper bounds, of the
same approximate order as the lower bounds, are given.
7.4 Elliptic curve method
A subexponential factorization method of great elegance and practical
importance is the elliptic curve method (ECM) of H. Lenstra. The elegance
will be self-evident. The practical importance lies in the fact that unlike QS
or NFS, ECM complexity to factor a number n depends strongly on the size
of the least prime factor of n, and only weakly on n itself. For this reason,
many factors of truly gigantic numbers have been uncovered in recent years;
many of these numbers lying well beyond the range of QS or NFS.
Later in this section we exhibit some explicit modern ECM successes that
exemplify the considerable power of this method.