From msuinfo!uwm.edu!vixen.cso.uiuc.edu!howland.reston.ans.net!noc.near.net!uunet!utcsri!newsflash.concordia.ca!sifon!homer.cs.mcgill.ca!not-for-mail Fri Jul 30 12:47:55 1993
Path: msuinfo!uwm.edu!vixen.cso.uiuc.edu!howland.reston.ans.net!noc.near.net!uunet!utcsri!newsflash.concordia.ca!sifon!homer.cs.mcgill.ca!not-for-mail
From: jerry@binkley.cs.mcgill.ca (Jerry Kuch)
Newsgroups: sci.crypt,sci.math,sci.math.symbolic
Subject: Re: Looking for an article (factoring large numbers)
Date: 28 Jul 1993 18:00:24 -0400
Organization: SOCS - McGill University, Montreal, Canada
Lines: 87
Message-ID: <236sto$amq@binkley.cs.mcgill.ca>
References:
NNTP-Posting-Host: binkley.cs.mcgill.ca
Xref: msuinfo sci.crypt:18216 sci.math:48477 sci.math.symbolic:8362
In article freitag@elrond.toppoint.de (Claus Schoenleber) writes:
>Someone told me about a method for factoring large numbers
>using elliptic equations. I didn't find anything about that.
>Could someone give me a pointer?
I think you're talking about Lenstra's work. You can find it in:
Lenstra, H.W. Jr. "Factoring Integers with elliptic curves."
Annals of Mathematics, 126 (1987) 649-673.
Essentially the same text exists in a University of Amsterdam tech report
and also, I believe, in one from MSRI.
Lenstra's algorithm is based on the Pollard p-1 method for integer
factorization. In this scheme, given an integer, n, to be factored,
you:
1. Choose an integer k such that k is a multiple of all
(or most of the) integers less than some bound B where
B can be as simple as lcm(all ints <= B) or B!.
2. Choose an integer, a from the set {2, n-2}
3. Compute a^k mod n efficiently (there are easy tricks
for this that are better than multiplying a by itself
k times)
4. Compute d = gcd(a^k - 1, n) using the Euclidean algorithm
and the result from step 3.
5. If d isn't a nontrivial divisor of n then choose new
values for a and/or k. Then start over.
If p is an unknown prime factor of n, and p-1 has no large prime divisors
then the above method is quite likely to find the factor, p. To get
some idea of how it works, assume that k is divisible by all of the
positive integers less than or equal to the bound B, above. Suppose
as well that p is a prime divisor of n such that p-1 is the
product of small prime powers all less than B. If so, then k must be a
multiple of p-1 since it is a multiple of all the prime powers whose
product is p-1. By Fermat's Little Theorem a^k is congruent to 1 modulo
p. Because of this p divides gcd(a^k-1,n) and we only fail to produce
nontrivial factors of n (in step 4 of the above algo) if a^k happens
to be congruent to 1 mod n.
Lenstra's method remedies the following defect. The above method suffers
when all of n's prime divsiors, p are such that p-1 is divisible by a
relatively large prime, or, by a relatively large prime power. The problem
in essence is that we're relying on the group (Z/pZ)^* as p runs through
all of n's prime divisors. For a given n, these groups aare all fixed, and
if all of these groups have order divisible by a large prime they're next
to useless. The elliptic curve method overcomes the problem by using
elliptic curves over F_p = Z/pZ. These curves provide an easy source of
different groups to choose from while performing the factorization, enough
in fact that in practice we can typically expect to find one whose order
is not divisible by a large prime or prime power. If we end up choosing
a group over F_p that suffers from the problem described above, we toss
it out by randomly choosing the group corresponding to another elliptic curve
over F_p.
Maple's integer factorization package provides the option of using Lenstra's
elliptic curve method (as does Mathematica). It is interesting to note
that it seems to used a pre-fixed sequence of elliptic curves and thus,
the performance of the package on factoring a sequence of integers may vary
extremely widely depending on what order they are input in. I don't know
of a good way to intelligently feed Maple to avoid this situation; even
knowing in advance what sequence Maple tries, it's still probably a big
grind to test the suitability of a given group for a given problem (since
it amounts to trying to solve the problem anyway).
If you're really interested in integer factorization you might also
want to look into a couple of other algorithms:
- multiple polynomial quadratic sieve
- the number field sieve
The asymptotic performance of Lenstra's algo is of the same order as
the conjectured time estimates for some of today's best factoring
algorithms. It does have a couple of advantages though. One of concern
to implementors is the fact that is has a pretty small storage requirement.
Also, it is exceptionally fast when n is divisible by a prime much less than
n^(1/2). Also if the factors of n are relatively small, it tends to beat
its competitors whose runtimes tend to be moreorless independent of the
size of individual factors.
--
Jerry Kuch
jerry@cs.mcgill.ca