Prime Numbers

7.4 Elliptic curve method 343
As for enhancements (4) above, Montgomery’s polynomial-evaluation
scheme (sometimes called an “FFT extension” because of the details of how
one evaluates large polynomials via FFT) for stage two is basically to calculate
two sets of points
S = {[mi]P : i =1,...,d1}, T = {[nj]P : j =1,...,d2},
where P is the point surviving stage one of ECM, d1|d2, and the integers mi,nj
are carefully chosen so that some combination mi ± nj hopefully divides the
(single) outlying prime q. This happy circumstance is in turn detected by the
fact of some x-coordinate of the S list matching with some x-coordinate of the
T list, in the sense that the difference of said coordinates has a nontrivial gcd
with n. We will see this matching problem in another guise—in preparation
for Algorithm 7.5.1. Because Algorithm 7.5.1 may possibly involve too much
machine memory, for sorting and so on, one may proceed to define a degree-d1
polynomial
f(x) =
(x − X(s)) mod n,
s∈S
where the X( ) function returns the affine x-coordinate of a point. Then
one may evaluate this polynomial at the d2 points x ∈ {X(t) : t ∈ T }.
Alternatively, one may take the polynomial gcd of this f(x) andag(x) =
t (x − X(t)). In any case, one can seek matches between the S, T point sets
in O d 1+ɛ
2 ring operations, which is lucrative in view of the alternative of
actually doing d1d2 comparisons. Incidentally, Montgomery’s idea is predated
by an approach of [Montgomery and Silverman 1990] for extensions to the
Pollard (p − 1) method.
When we invoke some such means of highly efficient stage-two calculations,
a rule of thumb is that one should spend only a certain fraction (say 1/4 to
1/2, depending on many details) of one’s total time in stage two. This rule
has arisen within the culture of modern users of ECM, and the rule’s validity
can be traced to the machine-dependent complexities of the various per-stage
operations. In practice, this all means that the stage-two limit should be
roughly two orders of magnitude over the stage-one limit, or
B2 ≈ 100B1
This is a good practical rule, effectively reducing nicely the degrees of freedom
associated with ECM in general. Now, the time to resolve one curve—with
both stages in place—is a function only of B1. What is more, there are various
tabulations of what good B1 values might be, in terms of “suspected” sizes of
hidden factors of n [Silverman and Wagstaff 1993], [Zimmermann 2000].
We now exhibit a specific form of enhanced ECM, a form that has achieved
certain factoring milestones and that currently enjoys wide use. While not
every possible enhancement is presented here, we have endeavored to provide
many of the aforementioned manipulations; certainly enough to forge a
practical implementation. The following ECM variant incorporates various
enhancements of Brent, Crandall, Montgomery, Woltman, and Zimmermann: