Prime Numbers


Source: thales.doa.fmph.uniba.sk, 10.12.2012

7.4 Elliptic curve method (p. 337)

    $B_1 = 10000$; // Or whatever is a practical initial "stage-one limit" $B_1$.
2. [Find curve $E_{a,b}(\mathbf{Z}_n)$ and point $(x, y) \in E$]
    Choose random $x, y, a \in [0, n-1]$;
    $b = (y^2 - x^3 - ax) \bmod n$;
    $g = \gcd(4a^3 + 27b^2, n)$;
    if($g == n$) goto [Find curve ...];
    if($g > 1$) return $g$; // Factor is found.
    $E = E_{a,b}(\mathbf{Z}_n)$; $P = (x, y)$; // Elliptic pseudocurve and point on it.
3. [Prime-power multipliers]
    for($1 \le i \le \pi(B_1)$) { // Loop over primes $p_i$.
        Find largest integer $a_i$ such that $p_i^{a_i} \le B_1$;
        for($1 \le j \le a_i$) { // $j$ is just a counter.
            $P = [p_i]P$, halting the elliptic algebra if the computation of some $d^{-1}$ for addition-slope denominator $d$ signals a nontrivial $g = \gcd(n, d)$, in which case return $g$; // Factor is found.
        }
    }
4. [Failure]
    Possibly increment $B_1$; // See text.
    goto [Find curve ...];

What we hope with basic ECM is that even though the composite $n$ allows only a pseudocurve, an illegal elliptic operation—specifically the inversion required for slope calculation from Definition 7.1.2—is a signal that for some prime $p \mid n$ we have

$$[k]P = O, \qquad \text{where } k = \prod_{p_i^{a_i} \le B_1} p_i^{a_i},$$

with this relation holding on the legitimate elliptic curve $E_{a,b}(\mathbf{F}_p)$. Furthermore, we know from the Hasse Theorem 7.3.1 that the order $\#E_{a,b}(\mathbf{F}_p)$ is in the interval $(p + 1 - 2\sqrt{p},\ p + 1 + 2\sqrt{p})$. Evidently, we can expect a factor if the multiplier $k$ is divisible by $\#E(\mathbf{F}_p)$, which should, in fact, happen if this order is $B_1$-smooth. (This is not entirely precise, since for the order to be $B_1$-smooth it is required only that each of its prime factors be at most $B_1$, but in the above display, we have instead the stronger condition that each prime power divisor of the order is at most $B_1$. We could change the inequality defining $a_i$ to $p_i^{a_i} \le n + 1 + 2\sqrt{n}$, but in practice the cost of doing so is too high for the meager benefit it may provide.) We shall thus think of the stage-one limit $B_1$ as a smoothness bound on actual curve orders in the group determined by the hidden prime factor $p$.

It is instructive to compare ECM with the Pollard $p-1$ method (Algorithm 5.4.1). In the $p-1$ method one has only the one group $\mathbf{Z}_p^*$ (with order $p-1$), and one is successful if this group order is $B$-smooth. With ECM one has a host of elliptic-curve groups to choose from randomly, each giving a fresh chance at success. With these ideas, we may perform a heuristic complexity estimate for ECM. Suppose the number $n$ to be factored is composite, coprime to 6, and not a proper power. Let $p$ denote the least prime factor of $n$ and let $q$ denote another prime factor of $n$. Algorithm 7.4.2 will be successful in splitting $n$ if we choose $a, b, P$ in Step [Find curve ...] and if for some value of $k$ of the form $k = \prod_{i < l} p_i^{a_i} \cdot p_l^{a}$, where $l \le \pi(B_1)$ and $a \le a_l$, we have
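Stage one of Algorithm 7.4.2 as an added Python example (this is not the book's code): affine chord-and-tangent arithmetic on the pseudocurve over $\mathbf{Z}_n$, where a slope denominator $d$ that is not invertible raises an exception carrying $\gcd(n, d)$, which is exactly the halt in Step 3. The function names, the bounded number of random curves in place of the book's unbounded goto loop, the fixed seed, and the constructed test modulus are this example's own assumptions.

```python
import math, random
class InversionFailed(Exception): pass   # args[0] holds g = gcd(n, d)

def inv_or_fail(d, n):
    # Step 3's halting condition: an illegal inversion exposes gcd(n, d).
    g = math.gcd(d % n, n)
    if g != 1: raise InversionFailed(g)
    return pow(d, -1, n)

def ec_add(P, Q, a, n):
    # Chord-and-tangent addition on y^2 = x^3 + ax + b over Z_n; O is None.
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if (x1 - x2) % n == 0:
        if (y1 + y2) % n == 0: return None         # Q = -P, so P + Q = O
        num, den = 3 * x1 * x1 + a, 2 * y1          # tangent slope (doubling)
    else:
        num, den = y2 - y1, x2 - x1                 # chord slope
    lam = num * inv_or_fail(den, n) % n
    x3 = (lam * lam - x1 - x2) % n
    return (x3, (lam * (x1 - x3) - y1) % n)

def ec_mul(k, P, a, n):
    # Double-and-add computation of [k]P.
    R = None
    while k:
        if k & 1: R = ec_add(R, P, a, n)
        P, k = ec_add(P, P, a, n), k >> 1
    return R

def ecm_stage_one(n, B1=10000, curves=200, seed=1):
    # Steps 2-4 of Algorithm 7.4.2; bounded curve count and seed are assumptions of this example.
    rng = random.Random(seed)
    primes = [p for p in range(2, B1 + 1) if all(p % q for q in range(2, int(p ** 0.5) + 1))]
    for _ in range(curves):
        x, y, a = (rng.randrange(n) for _ in range(3))
        b = (y * y - x ** 3 - a * x) % n             # forces (x, y) onto E_{a,b}
        g = math.gcd(4 * a ** 3 + 27 * b * b, n)
        if g == n: continue                          # singular mod n: pick a new curve
        if g > 1: return g                           # Factor is found.
        P = (x, y)
        try:
            for p in primes:
                q = p
                while q <= B1:                       # a_i steps: largest p^a_i <= B1
                    P, q = ec_mul(p, P, a, n), q * p
        except InversionFailed as e:
            if 1 < e.args[0] < n: return e.args[0]   # Factor is found.
    return None                                      # [Failure] on every curve tried
```

The constructed modulus 1000036000099 = 1000003 * 1000033 has two prime factors near $10^6$, so with $B_1 = 10000$ a random curve order is $B_1$-smooth for one of them after only a few curves.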

