Mathd

Maths fundamental

Uploaded by

The Prince Hari

UNIT - V

Number Theory and Algebraic Geometry:


Elliptic Curves:
– Basic Facts 5a
– Elliptic Curve Cryptosystems 5b
– Elliptic Curve Primality Test 5c
– Elliptic Curve Factorization 5d ←

Unit - V

ECC Factorization
Graphical Representation of EC

[Figure 1. Elliptic Curve (plot with X-axis and Y-axis)]

It is a single curve.
Curves of this nature are called ELLIPTIC CURVES.
Elliptic Curve Factorization

Elliptic Curve Factorization Method (ECM)

• A key reason for the increasing interest in elliptic curves is their recent use in a new
factorization method due to H. W. Lenstra.
• It is better in many respects than the earlier methods.
• Pollard's (p − 1) method is a classical factoring technique analogous to Lenstra's
factorization method.
• Lenstra's ECM was inspired by Pollard's (p − 1) method.
Pollard's p − 1 Method

Suppose n is to be factored, i.e., n = p × q, where p and q are yet to be computed.
If p happens to have the property that p − 1 has no large prime divisor, then
Pollard's p − 1 method certainly finds p.
Suppose that we want to factor the composite number n, and p is some (as yet unknown)
prime factor of n. If p happens to have the property that p − 1 has no large prime
divisor, then Pollard's p − 1 method certainly finds p.

Pollard's p − 1 Algorithm
1. Choose an integer k that is a multiple of all or most integers less than some bound B.
For example, k might be B!, or the LCM of all integers ≤ B.
2. Choose an integer a ∈ [2, n − 2]. E.g., a = 2 or 3, or a randomly chosen integer.
3. Compute a^k mod n by the repeated squaring method.
4. Compute d = gcd(a^k − 1, n) using the Euclidean algorithm and a^k mod n from step 3.
5. If d is not a nontrivial divisor of n, start again with a new choice of a and/or a new choice of k.
When does Pollard's p − 1 Algorithm work?

Suppose that k is divisible by all positive integers ≤ B, and further suppose that p
is a prime divisor of n such that p − 1 is a product of small prime powers, all less
than B.
Then it follows that k is a multiple of p − 1 (because it is a multiple of all of the
prime powers in the factorization of p − 1), and so, by Fermat's Little Theorem, we
have a^k ≡ 1 (mod p).
Then p | gcd(a^k − 1, n), and so the only way we could fail to get a nontrivial factor
of n in step 4 is if it so happens that a^k ≡ 1 (mod n).
Problem: Factor 540143 using Pollard's p − 1 method

Step 1 Given that n = 540143.
Choose a bound, B = 8.
Then k = LCM(1, 2, ..., 8) = 840.
Step 2 Choose a in [2, n − 2].
Let a = 2.
Step 3 Compute a^k mod n by the repeated squaring method.
2^840 mod 540143 = 53047.
Step 4 gcd(a^k − 1, n) = gcd(53046, 540143) = 421.
∴ 540143 = 421 × 1283.
Pollard's p − 1 method…
The main weakness of the Pollard method is clear if we attempt to use it when all of
the prime divisors p of n have p − 1 divisible by a relatively large prime (or prime
power).
Example: Factor n = 491389 with Pollard's p − 1 method.
We would be unlikely to find a nontrivial divisor until we chose B ≥ 191. This is
because n = 383 · 1283. We have 383 − 1 = 2 · 191 and 1283 − 1 = 2 · 641 (both
191 and 641 are primes). Except for a ≡ 0, ±1 (mod 383), all other a's have order
modulo 1283 either 641 or 1282. So unless k is divisible by 191 (or 641), we are likely
to find again and again that gcd(a^k − 1, n) = 1 in step 4.
Step 1 Given that n = 491389.
Choose B = 5.
Then k = LCM(1, 2, 3, 4, 5) = 60.
Step 2 Choose a in [2, n − 2]. Let a = 2.
Step 3 Compute a^k mod n by the repeated squaring method.
2^60 mod 491389 = 97650.
Step 4 gcd(a^k − 1, n) = gcd(97649, 491389) = 1.
∴ continue with a different a and/or B.
Example: Factor n = 5917 with Pollard's p − 1 method.

Step 1 Given that n = 5917.
Choose B = 5.
Then k = LCM(1, 2, 3, 4, 5) = 60.
Step 2 Choose a in [2, n − 2]. Let a = 2.
Step 3 Compute a^k mod n by the repeated squaring method.
2^60 mod 5917 = 3417.
Step 4 gcd(a^k − 1, n) = gcd(3416, 5917) = 61.
∴ 5917 = 61 × 97.
Example: Factor n = 779167 by Pollard's p − 1 method
Given that n = 779167.
Step 1 Choose B = 5. Then k = LCM(1, 2, 3, 4, 5) = 60.
Step 2 Let a = 2.
Step 3 Compute a^k − 1 mod n.
2^60 − 1 mod 779167 = 710980.
Step 4 gcd(710980, 779167) = 1.
No prime divisor p of n has the property that p − 1 is 5-power-smooth.
Next try with B = 15.
Step 1 Choose B = 15. Then k = LCM(1, 2, …, 15) = 360360.
Step 2 Let a = 2.
Step 3 Compute a^k − 1 mod n.
2^360360 − 1 mod 779167 = 584876.
Step 4 gcd(a^k − 1, n) = gcd(584876, 779167) = 2003.
∴ 779167 = 2003 × 389.
Pollard's p − 1 method…

Power-Smoothness
Let B be a positive integer. A positive integer n is B-power-smooth if all prime
powers dividing n are less than or equal to B.
The power-smoothness of n is the largest B such that n is B-power-smooth.

Example
60 = 2^2 · 3 · 5
70 = 2 · 5 · 7
So, 60 and 70 are 7-power-smooth.
Here n = 60, 70 and B = 7.
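Pollard's p − 1 algorithm (steps 1 to 5 above) together with the B-power-smooth test, as an added Python example that is not part of the original slides; the function names are mine, and Python's `pow(a, k, n)` performs the repeated squaring of step 3. The bound B and base a are the ones the worked examples use.

```python
from math import gcd


def lcm_up_to(B):
    """k = LCM(1, 2, ..., B): a multiple of every prime power <= B."""
    k = 1
    for i in range(2, B + 1):
        k = k * i // gcd(k, i)
    return k


def pollard_p_minus_1(n, B, a=2):
    """One round of Pollard's p - 1 with bound B and base a.

    Returns (d, k) with k = LCM(1..B) and d = gcd(a^k - 1, n).  d is a
    nontrivial factor exactly when some prime p | n has p - 1
    B-power-smooth (so a^k = 1 mod p) while a^k != 1 mod n.
    """
    k = lcm_up_to(B)
    d = gcd(pow(a, k, n) - 1, n)      # pow() is the repeated squaring step
    return d, k


def is_power_smooth(m, B):
    """True if every prime power dividing m is <= B (slide definition)."""
    p = 2
    while p * p <= m:
        if m % p == 0:
            q = 1                     # q accumulates the full prime power p^e
            while m % p == 0:
                m //= p
                q *= p
            if q > B:
                return False
        p += 1
    return m <= B                     # what is left is 1 or a single prime
```

With n = 779167 the B = 5 round returns d = 1 and the B = 15 round returns 2003, matching the slides; the smoothness test explains why: 2002 = 2 · 7 · 11 · 13 is 15-power-smooth but 388 = 4 · 97 is not.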

Pollard's p − 1 method…

Since gcd(0, N) = N,
∴ 4331 = 61 × 71
Problem: Factor the following numbers using Pollard's p − 1 method.

a) 4331
b) 187 = 11 · 17
c) 5959
Pollard p − 1 Algorithm

• For a fixed B, this algorithm works in splitting N when N is divisible by a prime p such that p − 1 is B-power-smooth.
Elliptic Curve Factorization

Lenstra's Factorization

• It is a probabilistic factoring method for integers.
• Lenstra's ECM was inspired by Pollard's (p − 1) method.
• Lenstra's ECM is one of the fastest integer factorization methods
currently used in practice.
• The Quadratic Sieve algorithm still seems to perform better on
integers that are built up from two prime numbers of the same order
of magnitude; such integers are of interest in cryptography.
Similarity of Lenstra's Factorization and Pollard's p − 1 methods

• Instead of the group (Z/pZ)*, the group E mod p is used.
• If the EC E turns out to be a bad choice, throw it away and pick another elliptic curve E
together with a point P ∈ E. We did not have such an option in the Pollard method.

Pollard's p − 1 Method: the group (Z/pZ)*
ECM: the group E mod p

When is E a bad choice?

i.e., when for each p | n the group E mod p has order divisible by a large prime (and so kP
mod p is not likely to equal 0 mod p for the k given by (2)).
Lenstra's Factorization Algorithm

• Let n be a positive odd composite integer.

1) Use a method for generating (E, P) pairs consisting of an elliptic curve
y^2 = x^3 + ax + b with a, b ∈ Z and a point P = (x, y) ∈ E.
2) Use another procedure to get a nontrivial factor of n. If the procedure
fails to yield a nontrivial factor of n, then generate a new pair (E, P) and
repeat the process.
Lenstra's Factorization Algorithm … EC: y^2 = x^3 + ax + b

Before working with E modulo n, we must verify that it is an elliptic curve
modulo any p | n, i.e., the cubic on the right has distinct roots modulo p.

This holds if and only if the discriminant 4a^3 + 27b^2 is prime to n.

• If gcd(4a^3 + 27b^2, n) = 1, we may proceed.
• If gcd(4a^3 + 27b^2, n) = n, then choose a different elliptic curve.
• If 1 < gcd(4a^3 + 27b^2, n) < n, we have a divisor of n and stop.
Lenstra's Factorization Algorithm

In this equation, if x = 0, then y^2 = 1,
=> y = 1. So, the point is (0, 1).
Lenstra's Elliptic Curve Factorization
Lenstra's Factorization Algorithm …

• In order to describe Lenstra's algorithm, we need to work with an elliptic curve
modulo N, where the integer N is not prime, so the ring Z/NZ is not a field.
• However, suppose that we start with an EC equation
E : Y^2 = X^3 + AX + B with 4A^3 + 27B^2 ≠ 0,
and suppose that P = (a, b) is a point on E modulo N,
by which we mean that b^2 ≡ a^3 + A · a + B (mod N).
• Then we can apply the elliptic curve addition algorithm to compute 2P, 3P, 4P, …,
since the only operations required by that algorithm are addition, subtraction,
multiplication, and division (by numbers relatively prime to N).
Example 5.22: Factor N = 187 with the elliptic curve E: Y^2 ≡ X^3 + 3X + 7 (mod 187), so A = 3,
given that the point P = (38, 112) is on E mod 187.
• In order to compute 2P mod 187, we follow the EC addition algorithm; the doubling slope
needs the inverse of 2 · 112 = 224, and 224^{-1} mod 187 ≡ 91.
• Thus, 2P = (43, 126), a point on the curve E mod 187.
Example 5.22 …

P = (38, 112)
2P = (43, 126)
3P = (54, 105)
4P = (93, 64).

(Each inverse needed along the way is found with the Extended Euclidean Algorithm for the inverse of a number mod n.)
Example 5.23 …
We can find the reciprocal of x(3P) − x(2P) = 54 − 43 = 11 mod 187, i.e.,
11^{-1} mod 187, using the Extended Euclidean Algorithm.
We know that the Extended Euclidean Algorithm can be used to write d = gcd(a, b) as
a linear combination and then find the inverse of a number modulo another number.
We can find 11^{-1} mod 187 only if gcd(11, 187) = 1.
When we apply the Extended Euclidean algorithm to 11 mod 187, we find that
gcd(11, 187) = 11, so 11 does not have a reciprocal modulo 187, i.e., 11^{-1} mod 187
does not have a solution.
Since 11 is a divisor of n = 187, we can get the other divisor. So, 187 = 11 · 17.
So, the failure to compute 5P tells us that 11 divides 187.
This is the idea of Lenstra's elliptic curve factorization algorithm.
Lenstra's Elliptic Curve Factorization
Lenstra's Elliptic Curve Factorization Algorithm (b is taken from the EC
E: y^2 = x^3 + ax + b)
Input: the integer N to be factored.
1. Choose random values a and b mod N. Let E: y^2 = x^3 + ax + b be the EC.
Set P = (x, y) and b ≡ y^2 − x^3 − a · x (mod N) from the EC.
2. Loop j = 2, 3, 4, … up to a specified bound:
• Compute Q ≡ j × P mod N, and
• Set P = Q.
3. In the computation of Q in Step 2, we have to find the slope λ
(i.e., λ = (y2 − y1) / (x2 − x1) if P1 ≠ P2, or λ = (3x1^2 + a) / (2y1) if P1 = P2).
That is, we need to compute 1/(x2 − x1) mod N or 1/(2y1) mod N. For this, we have to check
d = gcd(x2 − x1, N) or d = gcd(2y1, N).
4. If 1 < d < N, then it is a success: return d as a factor of N and stop.
If d = 1, increment j and loop again at Step 2.
If d = N, go to Step 1, choose a new EC and a point P = (x, y), and continue.
Lenstra's EC Factorization Algorithm

• In Lenstra's algorithm, the obvious method would be to fix an equation for the EC E, plug
in values of X, and check whether the quantity X^3 + AX + B is a square mod N.
• Instead, an easier way is:
• First: Choose the point P = (a, b) at random,
• Second: Choose a random value for A, and
• Third: Set B = b^2 − a^3 − A · a (mod N).
• Then the point P is automatically on the curve E: Y^2 = X^3 + AX + B mod N.
Lenstra's EC Factorization Algorithm

2! P = 2 · P
3! P = 3 · (2! P)
Let us assume that (2! P) = Q.
So, 3! P = 3 · Q

[Table 5.8: Multiples of P = (1512, 3166) on Y^2 ≡ X^3 + 14X + 19 (mod 6887); the table values are not reproduced here.]
Lenstra's EC Factorization Algorithm

• The values up to 6! P are listed in Table 5.8. These values are not interesting. It is
only when we try to compute 7! P, and fail, that something interesting happens.
• In Table 5.8, the last entry is 6! P. Next we have to compute 7! P,
i.e., 7! P = 7 · (6! P).
• Let us assume that (6! P) = Q. So, 7! P = 7 · Q, with
Q = (6141, 5581), and we want to compute 7Q.
First we compute
2Q ≡ (5380, 174) (mod 6887),
4Q ≡ 2 · 2Q ≡ (203, 2038) (mod 6887).
Elliptic Curve Factorization
Lenstra's Elliptic Curve Method
Given an integer n, we use the following steps to find the factors of n.

1. Check that n is not divisible by 2 or 3, and that n is not a perfect power.
2. Choose random integers a, x, y between 1 and n.
3. Let b = y^2 − x^3 − ax (mod n).
4. Calculate d = gcd(4a^3 + 27b^2, n).
• If 1 < d < n, we are done.
• If d = 1, proceed to Step 5.
• If d = n, go back to Step 2 and choose a different a.
5. Let E be the elliptic curve E : y^2 = x^3 + ax + b, and let
P = (x, y) ∈ E.
6. Choose a number k which is a product of small primes raised to small powers.
For example, a good choice is
k = LCM(2, 3, …, B) for some integer B ≈ 100.
7. Compute kP (mod n).
If kP lies on E, go back to Step 2 and choose different values for a, x, y. Otherwise,
Step 7 yields a factor of n.
Elliptic Curve Factorization
Lenstra's Factorization Algorithm
Example: Factor n = 455839.
Let E : y^2 = x^3 + 5x − 5, P = (1, 1), k = 10!
• We begin by finding 2!P = 2P (mod n)
by using the algorithm for adding points on the elliptic curve:
2P = (14, −53) (mod 455839)
4P = (259851, 116255) (mod 455839)
6P = (179685, 28708) (mod 455839)
Similarly, we find that 4!P, 5!P, 6!P, 7!P all lie on E, but computing 8!P requires
inverting 599 (mod n), which isn't possible.
This is because 599 is a factor of n, and we conclude that
n = 455839 = 599 · 761.