Prime Numbers

7.4 Elliptic curve method 339
factorization attempt completely. When the B1 value is gradually increased
in ECM, one then expects success when B1 finally reaches the critical range
displayed above, and that the time spent unsuccessfully with smaller B1’s is
negligible in comparison.
So, in summary, the heuristic expected complexity of ECM to give a
nontrivial factorization of n with least prime factor p is L(p) √ 2+o(1) arithmetic
steps with integers the size of n, using the notation from (6.1). (Note that the
error expression “o(1)” tends to 0 as p tends to infinity.) Thus, the larger the
least prime factor of n, the more arithmetic steps are expected. The worst
case occurs when n is the product of two roughly equal primes, in which case
the expected number of steps can be expressed as L(n) 1+o(1) , which is exactly
the same as the heuristic complexity of the quadratic sieve; see Section 6.1.1.
However, due to the higher precision of a typical step in ECM, we generally
prefer to use the QS method, or the NFS method, for worst-case numbers. If
we are presented with a number n that is unknown to be in the worst case,
it is usually recommended to try ECM first, and only after a fair amount of
time is spent with this method should QS or NFS be initiated. But if the
number n is so large that we know beforehand that QS or NFS would be out
of the question, it leaves ECM as the only current option. Who knows, we
may get lucky! Here, “luck” can play either of two roles: The number under
consideration may indeed have a small enough prime factor to discover with
ECM, or upon implementing ECM, we may hit upon a fortunate choice of
parameters sooner than expected and find an impressive factor. In fact, one
interesting feature of ECM is that the variance in the expected number of
steps is large since we are counting on just one successful event to occur.
It is interesting that the heuristic complexity estimate for the ECM may
be made completely rigorous except for the one assumption we made that
integers in the Hasse interval are just as likely to be smooth as typical integers
in the larger interval (p/2, 3p/2); see [Lenstra 1987].
In the discussion following we describe some optimizations of ECM. These
improvements do not materially affect the complexity estimate. but they do
help considerably in practice.
7.4.2 Optimization of ECM
As with the Pollard (p − 1) method (Section 5.4), on which the ECM is
based, there is a natural, second stage continuation. In view of the remarks
following Algorithm 7.4.2, assume that the order #Ea,b(Fp) isnotB1-smooth
for whatever practical choice of B1 has been made, so that the basic algorithm
can be expected to fail to find a factor. But we might just happen to have
#E(Fp) =q
p a i
i ≤B1
p ai
i ,
where q is a prime exceeding B1. When such a single outlying prime is part
of the unknown factorization of the order, one need not have multiplied the