|
|
| Line 1: |
Line 1: |
| The '''Lenstra elliptic curve factorization''' or the '''elliptic curve factorization method''' ('''ECM''') is a fast, sub-[[exponential running time]] algorithm for [[integer factorization]] which employs [[elliptic curve]]s. For [[general purpose computer|general purpose]] factoring, ECM is the third-fastest known factoring method. The second fastest is the [[quadratic sieve|multiple polynomial quadratic sieve]] and the fastest is the [[general number field sieve]]. The Lenstra elliptic curve factorization is named after [[Hendrik Lenstra]].
| | There are also medicated shampoos created to remedy this kind of problem. About 80 percent people have this type of psoriasis. Juice fasting present adequate power to carry on the fasting at the very same time nourishes the entire body and eliminate harmful toxins. In the warmer months, we wear less clothing and this allows our skin to breath. This list will help you be educated when it comes to your beauty plan. <br><br>The normal cell growth of skin cells is twenty-eight days, which is how long it takes the skin to move from the bottom layer of skin to the top epidermis or outer layer of the skin. Thousands of years after this famous healing sea has become legendary, it continues to amaze and heal our skin, muscles, aches and pains and ease our respiratory system. Saturated fat contains the fat arachadonic acid which is associated with psoriasis. Due to the effectiveness of the product, the fantastic free bottle offer and money back gaurantee that revitol give you, we have decided that Dermasis psoriasis cream will be the only product we will actually actively promote on this website. Sometimes it will stay gone for a long long time, much longer than shaving or waxing. <br><br>Individuals who scratch one time too often in public are often viewed as people with embarrassing hygiene problems. Psoriasis is a disorder that causes red scaly patches to appear on the skin. Some behaviors put men at a greater risk, of course, but even those who are in monogamous, long-term relationships may be harboring infections that were contracted at some time in the past. He also observed that the affliction disappears for a quick while only to appear later. Moisturizers maintain skin supple, add water content to the surface of your skin and support you to maintain a youthful look. <br><br>For faster clearing of psoriasis, you may be prescribed a combination product, Taclonex which contains calcipotriol along with betamethasone dipropionate (a steroid). Light, hypoallergenic moisturisers, especially natural ones, seem to be effective in soothing both the symptoms of psoriasis and acne, without causing further complications. But lemon juice concentrate in a bottle works just as well. Psoriasis gets better and worse spontaneously and can have periodic remissions (clear epidermis). Olive oil itself contains oleocanthal, which is an anti-inflammatory agent that aides in softening lines and wrinkles. <br><br>Every segment of the health sector has benefited from the miraculous World Wide Web. Sadly 50-80% associated with psoriasis victims can get toe nail psoriasis. Of the 433 patients who entered into the study, 375 were treated over the planned period of 12 weeks, or dropped out of the study early because of total clearing of the skin, A modified PASI score fell significantly from 5. Psoriasis causes the rapid growth of skin cells and patient get red patches all over the body, which is painful and itchy. One can find numerous people who have psoriasis in their family that never have just one bout with the ailment and they can move through their lives without ever even realizing that they have the condition lurking underneath.<br><br>If you have any thoughts about where and how to use [http://www.dominionradio.info/sitemap/ diet for psoriasis], you can get hold of us at the web-page. |
| | |
| Practically speaking, ECM is considered a special purpose factoring algorithm as it is most suitable for finding small factors. {{As of|2006|alt=Currently}}, it is still the best algorithm for [[divisor]]s not greatly exceeding 20 to 25 [[decimal|digits]] (64 to 83 [[binary digit|bit]]s or so), as its running time is dominated by the size of the smallest factor ''p'' rather than by the size of the number ''n'' to be factored. Frequently, ECM is used to remove small factors from a very large integer with many factors; if the remaining integer is still composite, then it has only large factors and is factored using general purpose techniques. The largest factor found using ECM so far has 83 digits and was discovered on 7 September 2013 by R. Propper.<ref>[http://www.loria.fr/~zimmerma/records/top50.html 50 largest factors found by ECM]</ref> Increasing the number of curves tested improves the chances of finding a factor, but they are not [[linear]] with the increase in the number of digits.
| |
| | |
| ==Lenstra's elliptic curve factorization==
| |
| The Lenstra elliptic curve factorization method to find a factor of the given natural number <math>n</math> works as follows: | |
| <ol>
| |
| <li> Pick a random [[elliptic curve]] over <math>\mathbf{Z}/n\mathbf{Z}</math>, with equation of the form <math>y^2 = x^3 + ax + b\pmod n</math> together with a non-trivial [[Point (geometry)|point]] <math>P(x_0,y_0)</math> on it.
| |
| :This can be done by first picking random <math>x_0,y_0,a\in\mathbf{Z}/n\mathbf{Z}</math>, and then calculating <math>b = y_0^2 - x_0^3 - ax_0\pmod n</math>.
| |
| | |
| <li> 'Addition' of ''P'' and ''Q'' as points in general defines a group operation ''P'' ⊕ ''Q'' on the curve whose product can be computed from formulas given in the [[elliptic curve#The group law|article on elliptic curves]].
| |
| :Using this assumption, we can form repeated multiples of a point ''P'': ''kP'' = ''P'' ⊕ ... ⊕ ''P'' (''k'' times). The addition formulas involve the taking the modular slope of a chord joining ''P'' and ''Q'', and thus division between residue classes modulo ''n'', performed using the [[extended Euclidean algorithm]]. In particular, division by some ''v'' (mod ''n'') includes calculation of the [[greatest common divisor]] gcd(''v'', ''n'').
| |
| : If the slope is of the form ''u''/''v'' with gcd(''u'', ''n'') = 1, then ''v'' = 0 (mod ''n'') means that the result of the ⊕-addition will be <math>\infty</math>, the point 'at infinity' corresponding to the intersection of the 'vertical' line joining ''P'' (''x'', ''y''), ''P''' (''x'', −''y'') and the curve. However, if gcd(''v'', ''n'') is neither 1 nor ''n'', then the ⊕-addition will not produce a meaningful point on the curve, which shows that our elliptic curve is not a group (mod ''n''), but, more importantly for now, gcd(''v'', ''n'') is a non-trivial factor of ''n''.
| |
| | |
| <li> Compute ''eP'' on the elliptic curve (mod ''n''), where ''e'' is product of many small numbers: say, a product of small primes raised to small powers, as in the [[Pollard's p − 1 algorithm|''p'' − 1 algorithm]], or the [[factorial]] ''B''<nowiki>!</nowiki> for some not too large ''B''. This can be done efficiently, one small factor at a time. Say, to get ''B''!''P'', first compute 2''P'', then 3(2''P''), then 4(3!''P''), and so on. Of course, ''B'' should be small enough so that ''B''-wise ⊕-addition can be performed in reasonable time.
| |
| | |
| <li>
| |
| *If we were able to finish all the calculations above without encountering non-invertible elements (mod ''n''), then we need to try again with some other curve and starting point.
| |
| *If at some stage we found ''kP'' = ∞ (''infinity'' on the elliptic curve), we should start over with a new curve and starting point, since this point <math>\infty</math> is the group identity element, so is unchanged under any further addition operations.
| |
| *If we encountered a gcd(''v'', ''n'') at some stage that was neither 1 nor ''n'', then we are done: it is a non-trivial factor of ''n''.
| |
| </ol>
| |
| | |
| The time complexity depends on the size of the factor and can be represented by [[big O notation|O]]([[e (mathematical constant)|e]]<sup>(√2 + o(1)) √([[natural logarithm|ln]] ''p'' ln ln ''p'')</sup>), where ''p'' is the smallest factor of ''n'', or <math>L_p\left[\frac{1}{2},\sqrt{2}\right]</math>, in [[L-notation]].
| |
| | |
| ==Why does the algorithm work?==
| |
| | |
| If ''p'' and ''q'' are two prime divisors of ''n'', then ''y''<sup>2</sup> = ''x''<sup>3</sup> + ''ax'' + ''b'' (mod ''n'') implies the same equation also modulo ''p'' and modulo ''q''. These two smaller elliptic curves with the <math>\boxplus</math>-addition are now genuine [[group (mathematics)|groups]]. If these groups have ''N''<sub>''p''</sub> and ''N<sub>q</sub>'' elements, respectively, then for any point ''P'' on the original curve, by [[Lagrange's theorem (group theory)|Lagrange's theorem]], ''k'' > 0 is minimal such that <math>kP=\infty</math> on the curve modulo ''p'' implies that ''k'' divides ''N''<sub>''p''</sub>; moreover, <math>N_p P=\infty</math>. The analogous statement holds for the curve modulo ''q''. When the elliptic curve is chosen randomly, then ''N''<sub>''p''</sub> and ''N''<sub>''q''</sub> are random numbers close to ''p'' + 1 and ''q'' + 1, respectively (see below). Hence it is unlikely that most of the prime factors of ''N''<sub>''p''</sub> and ''N''<sub>''q''</sub> are the same, and it is quite likely that while computing ''eP'', we will encounter some ''kP'' that is ∞ modulo ''p'' but not modulo ''q'', or vice versa. When this is the case, ''kP'' does not exist on the original curve, and in the computations we found some ''v'' with either gcd(''v'',''p'') = ''p'' or gcd(''v'', ''q'') = ''q'', but not both. That is, gcd(''v'', ''n'') gave a non-trivial factor of ''n''.
| |
| | |
| ECM is at its core an improvement of the older [[Pollard's p − 1 algorithm|''p'' − 1 algorithm]]. The ''p'' − 1 algorithm finds prime factors ''p'' such that ''p'' − 1 is [[smooth number|b-powersmooth]] for small values of ''b''. For any ''e'', a multiple of ''p'' − 1, and any ''a'' [[relatively prime]] to ''p'', by [[Fermat's little theorem]] we have ''a''<sup>''e''</sup> ≡ ''1'' ([[modular arithmetic|mod]] ''p''). Then [[greatest common divisor|gcd]](''a''<sup>''e''</sup> − 1, ''n'') is likely to produce a factor of ''n''. However, the algorithm fails when ''p'' - 1 has large prime factors, as is the case for numbers containing [[strong prime]]s, for example.
| |
| | |
| ECM gets around this obstacle by considering the [[group (mathematics)|group]] of a random [[elliptic curve]] over the [[finite field]] '''Z'''<sub>''p''</sub>, rather than considering the [[multiplicative group]] of '''Z'''<sub>''p''</sub> which always has order ''p'' − 1.
| |
| | |
| The order of the group of an elliptic curve over '''Z'''<sub>''p''</sub> varies (quite randomly) between ''p'' + 1 − 2√''p'' and ''p'' + 1 + 2√''p'' by [[Hasse's theorem on elliptic curves|Hasse's theorem]], and is likely to be smooth for some elliptic curves. Although there is no proof that a smooth group order will be found in the Hasse-interval, by using [[heuristic]] probabilistic methods, the [[Canfield–Erdős–Pomerance theorem]] with suitably optimized parameter choices, and the [[L-notation]], we can expect to try '''[[L-notation|L]]'''<nowiki>[</nowiki>√2/2, √2<nowiki>]</nowiki> curves before getting a smooth group order. This heuristic estimate is very reliable in practice.
| |
| | |
| ==An example==
| |
| | |
| The following example is from {{harvtxt|Trappe|Washington|2006}}, with some details added.
| |
| | |
| We want to factor ''n'' = 455839. Let's choose the elliptic curve ''y''<sup>2</sup> = ''x''<sup>3</sup> + 5''x'' – 5, with the point ''P'' = (1, 1) on it, and let's try to compute (10!)''P''.
| |
| | |
| First we compute 2''P''. The slope of the tangent line at ''P'' is ''s'' = (3''x''<sup>2</sup> + 5)/(2''y'') = 4, and then the coordinates of 2''P'' = (''x′'', ''y′'') are {{nowrap|1=''x′'' = ''s''<sup>2</sup> – 2''x'' = 14}} and {{nowrap|1=''y′'' = ''s''(''x'' – ''x′'') – ''y''}} = 4(1 – 14) – 1 = –53, all numbers understood (mod ''n''). Just to check that this 2''P'' is indeed on the curve: (–53)<sup>2</sup> = 2809 = 14<sup>3</sup> + 5·14 – 5.
| |
| | |
| Then we compute 3(2''P''). The slope of the tangent line at 2''P'' is ''s'' = (3·14<sup>2</sup> + 5)/(2(–53)) = –593/106 (mod ''n''). Using the [[Euclidean algorithm]]: 455839 = 4300·106 + 39, then 106 = 2·39 + 28, then 39 = 28 + 11, then 28 = 2·11 + 6, then 11 = 6 + 5, then 6 = 5 + 1. Hence gcd(455839, 106) = 1, and working backwards (a version of the [[extended Euclidean algorithm]]): 1 = 6 – 5 = 2·6 – 11 = 2·28 – 5·11 = 7·28 – 5·39 = 7·106 – 19·39 = 81707·106 – 19·455839. Hence 106<sup>−1</sup> = 81707 (mod 455839), and –593/106 = –133317 (mod 455839). Given this ''s'', we can compute the coordinates of 2(2''P''), just as we did above: 4''P'' = (259851, 116255). Just to check that this is indeed a point on the curve: ''y''<sup>2</sup> = 54514 = ''x''<sup>3</sup> + 5''x'' – 5 (mod 455839). After this, we can compute <math>3(2P) = 4P \boxplus 2P</math>.
| |
| | |
| We can similarly compute 4!''P'', and so on, but 8!''P'' requires inverting 599 (mod 455839). The Euclidean algorithm gives that 455839 is divisible by 599, and we have found a factorization 455839 = 599·761.
| |
| | |
| The reason that this worked is that the curve (mod 599) has 640 = 2<sup>7</sup>·5 points, while (mod 761) it has 777 = 3·7·37 points. Moreover, 640 and 777 are the smallest positive integers ''k'' such that ''kP'' = ∞ on the curve (mod 599) and (mod 761), respectively. Since 8<nowiki>!</nowiki> is a multiple of 640 but not a multiple of 777, we have 8!''P'' = ∞ on the curve (mod 599), but not on the curve (mod 761), hence the repeated addition broke down here, yielding the factorization.
| |
| | |
| ==The algorithm with projective coordinates==
| |
| | |
| Before considering the projective plane over <math>(\mathbb{Z}/n\mathbb{Z})</math>/~, first consider a 'normal' [[projective space]] over ℝ: Instead of points, lines through the origin are studied. A line may be represented as a non-zero point <math>(x,y,z)</math>, under an equivalence relation ~ given by: <math>(x,y,z)</math>~<math>(x',y',z')</math> ⇔ ∃ '''''c''''' ≠ 0 such that ''x' = '''c'''x'', ''y' = '''c'''y'' and ''z' = '''c'''z''. Under this equivalence relation, the space is called '''the projective plane''' <math>(P^2)</math>; points, denoted by <math>(x:y:z)</math>, correspond to lines in a three dimensional space that pass through the origin. Note that the point <math>(0:0:0)</math> does not exist in this space since to draw a line in any possible direction requires at least one of x',y' or z' ≠ 0. Now observe that almost all lines go through any given reference plane - such as the (''X,Y'',1)-plane, whilst the lines precisely parallel to this plane, having coordinates (''X,Y'',0), specify directions uniquely, as 'points at infinity' that are used in the affine (''X,Y'')-plane it lies above.
| |
| | |
| In the algorithm, only the group structure of an elliptic curve over the field ℝ is used. Since we do not necessarily need the field ℝ, a finite field will also provide a group structure on an elliptic curve. However, considering the same curve and operation over <math>(\mathbb{Z}/n\mathbb{Z})</math>/~ with <math>n</math> not a prime does not give a group. The Elliptic Curve Method makes use of the failure cases of the addition law.
| |
| | |
| We now state the algorithm in projective coordinates. The neutral element is then given by the point at infinity <math>(0:1:0)</math>. Let <math>n</math> be a (positive) integer and consider the elliptic curve (a set of points with some structure on it) <math>E(Z/nZ)=\{(x:y:z) \in P^2\ |\ y^2z=x^3+axz^2+bz^3\}</math>.
| |
| | |
| # Pick <math>x_P,y_P,a</math> in <math>\mathbb{Z}/n\mathbb{Z}</math> (<math>a</math> ≠ 0).
| |
| # Calculate <math>b = y_P^2 - x_P^3 - ax_P</math>. The elliptic curve <math>E</math> is then in Weierstrass form given by <math>y^2 = x^3 + ax + b</math> and by using projective coordinates the elliptic curve is given by the homogenous equation <math>ZY^2=X^3+aZ^2X+bZ^3</math>. It has the point <math>P=(x_P:y_P:1)</math>.
| |
| # Choose an upperbound <math>B \in \mathbb{Z}</math> for this elliptic curve. Remark: You will only find factors <math>p</math> if the group order of the elliptic curve <math>E</math> over <math>\mathbb{Z}/p\mathbb{Z}</math> (denoted by #<math>E(\mathbb{Z}/p\mathbb{Z})</math>) is [[Smooth number|B-smooth]], which means that all prime factors of #<math>E(\mathbb{Z}/p\mathbb{Z})</math> have to be less or equal to <math>B</math>.
| |
| # Calculate <math>k={\rm lcm}(1,\dots ,B)</math>.
| |
| #Calculate <math>k P := P + P + \cdots + P </math> (k times) in the ring <math>E(\mathbb{Z}/n\mathbb{Z})</math>. Note that if #<math>E(\mathbb{Z}/n\mathbb{Z})</math> is <math>B</math>-smooth and <math>n</math> is prime (and therefore <math>\mathbb{Z}/n\mathbb{Z}</math> is a field) that <math>k P = (0:1:0)</math>. However, if only #<math>E(\mathbb{Z}/p\mathbb{Z})</math> is B-smooth for some divisor <math>p</math> of <math>n</math>, the product might not be (0:1:0) because addition and multiplication are not well-defined if <math>n</math> is not prime. In this case, a non-trivial divisor can be found.
| |
| # If not, then go back to step 2. If this does occur, then you will notice this when simplifying the product <math>kP </math>.
| |
| | |
| In point 5 it is said that under the right circumstances a non-trivial divisor can be found. As pointed out in Lenstra's article (Factoring Integers with Elliptic Curves) the addition needs the assumption <math>\gcd(x_1-x_2,n)=1</math>. If <math>P,Q</math> are not <math>(0:1:0)</math> and distinct (otherwise addition works similarly, but is a little different), then addition works as follows:
| |
| | |
| * To calculate: <math> R = P + Q;</math> <math>P = (x_1:y_1:1)</math>, <math>Q = (x_2:y_2:1)</math>,
| |
| * <math>\lambda =(y_1-y_2) (x_1-x_2)^{-1}</math>,
| |
| * <math> x_3 = \lambda^2 - x_1 - x_2</math>,
| |
| * <math> y_3 = \lambda(x_1-x_3) - y_1</math>,
| |
| * <math> R = P + Q = (x_3:y_3:1)</math>.
| |
| | |
| If addition fails, this will be due to a failure calculating <math>\lambda</math>. In particular, because <math>(x_1-x_2)^{-1}</math> can not always be calculated if <math>n</math> is not prime (and therefore <math>\mathbb{Z}/n\mathbb{Z}</math> is not a field). Without making use of <math>\mathbb{Z}/n\mathbb{Z}</math> being a field, one could calculate:
| |
| | |
| * <math>\lambda'=y_1-y_2</math>,
| |
| * <math> x_3' = {\lambda'}^2 - x_1(x_1-x_2)^2 - x_2(x_1-x_2)^2</math>,
| |
| * <math> y_3' = \lambda'(x_1(x_1-x_2)^2-x_3') - y_1(x_1-x_2)^3</math>,
| |
| * <math> R = P + Q = (x_3'(x_1-x_2):y_3':(x_1-x_2)^3)</math>, and simplify if possible.
| |
| | |
| This calculation is always legal and if the gcd of the <math>Z</math>-coordinate with <math>n</math> ≠ (1 or <math>n</math>), so when simplifying fails, a non-trivial divisor of <math>n</math> is found.
| |
| | |
| ==Twisted Edwards curves==
| |
| | |
| The use of [[Edwards curve]]s needs fewer modular multiplications and less time than the use of [[Montgomery curve]]s or Weierstrass curves (other used methods). Using Edwards curves you can also find more primes.
| |
| | |
| Definition:
| |
| Let <math> k</math> be a field in which <math>2 \neq 0</math>, and let <math> a,d \in k\setminus\{0\}</math> with <math> a\neq d</math>. Then the twisted Edwards curve <math>E_{E,a,d}</math> is given by <math>ax^2+y^2=1+dx^2y^2.</math>
| |
| An Edwards curve is a twisted Edwards curve in which <math>a=1</math>.
| |
| | |
| There are five known ways to build a set of point on an Edwards curve: the set of affine points, the set of projective points, the set of inverted points, the set of extended points and the set of completed points.
| |
| | |
| The set of affine points is given by: <math>\{(x,y)\in A^2 : ax^2+y^2=1+dx^2y^2\}</math>.
| |
| | |
| The addition law is given by <math> (e,f),(g,h) \mapsto \left(\frac{eh+fg}{1+ degfh},\frac{fh-aeg}{1-degfh}\right)</math>. The point (0,1) is its neutral element and the negative of <math>(e,f)</math> is <math>(-e,f)</math>.
| |
| The other representations are defined similar to how the projective Weierstrass curve follows from the affine.
| |
| | |
| Any [[elliptic curve]] in Edwards form has a point of order 4. So the [[torsion group]] of an Edwards curve over <math>\mathbb{Q} </math> is isomorphic to either <math> \mathbb{Z}/4\mathbb{Z}, \mathbb{Z}/8\mathbb{Z}, \mathbb{Z}/12\mathbb{Z}, \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}</math> or <math> \mathbb{Z}/2\mathbb{Z}\times \mathbb{Z}/8\mathbb{Z}</math>.
| |
| | |
| The most interesting cases for ECM are <math> \mathbb{Z}/12\mathbb{Z}</math> and <math> \mathbb{Z}/2\mathbb{Z}\times \mathbb{Z}/8\mathbb{Z}</math>, since they force the group orders of the curve modulo primes to be divisible by 12 and 16 respectively.
| |
| The following curves have a torsion group isomorphic to <math> \mathbb{Z}/12\mathbb{Z}</math>:
| |
| | |
| * <math> x^2+y^2=1+dx^2y^2</math> with point <math> (a,b) </math> where <math>b \notin\{-2,-1/2,0,\pm1\}, a^2=-(b^2+2b) </math> and <math> d=-(2b+1)/(a^2b^2) </math>
| |
| * <math> x^2+y^2=1+dx^2y^2</math> with point <math> (a,b) </math> where <math> a=\frac{u^2-1}{u^2+1}, b=-\frac{(u-1)^2}{u^2+1}</math> and <math>d=\frac{(u^2+1)^3(u^2-4u+1)}{(u-1)^6(u+1)^2}, u\notin\{0,\pm1\}.</math>
| |
| | |
| Every Edwards curve with a point of order 3 can be written in the ways shown above.
| |
| Curves with torsion group isomorphic to <math> \mathbb{Z}/2\mathbb{Z}\times \mathbb{Z}/8\mathbb{Z}</math> and <math>\mathbb{Z}/2\mathbb{Z}\times \mathbb{Z}/4\mathbb{Z}</math> can be found on http://eprint.iacr.org/2008/016, top of page 30.
| |
| | |
| ==Stage 2==
| |
| | |
| The above text is about the first stage of elliptic curve factorisation. There one hopes to find a prime divisor <math>p</math> such that <math>sP</math> is the neutral element of <math>E(\mathbb{Z}/p\mathbb{Z})</math>.
| |
| In the second stage one hopes to have found a prime divisor <math>q</math> such that <math>sP</math> has small prime order in <math>E(\mathbb{Z}/q\mathbb{Z})</math>.
| |
| | |
| We hope the order to be between <math>B_1</math> and <math>B_2</math>, where <math>B_1</math> is determined in stage 1 and <math>B_2</math> is new stage 2 parameter.
| |
| Checking for a small order of <math>sP</math>, can be done by computing <math>(ls)P</math> modulo <math>n</math> for each prime <math>l</math>.
| |
| | |
| ==Success probability using EECM-MPFQ==
| |
| | |
| For speedup techniques using Edward curves and implementation results, see: http://eprint.iacr.org/2008/016 pages 30–32.
| |
| | |
| ==Hyperelliptic curve method (HECM)==
| |
| | |
| There are recent developments in using [[hyperelliptic curve]]s to factor integers. Cosset shows in his article (of 2010) that one can build a hyperelliptic curve with genus two (so a curve <math>y^2=f(x)</math> with
| |
| <math>f</math> of degree 5) which gives the same result as using two 'normal' elliptic curves at the same time. By making use of the Kummer Surface calculation is more efficient. The disadvantages of the hyperelliptic curve (versus an elliptic curve) are compensated by this alternative way of calculating. Therefore Cosset roughly claims that using hyperelliptic curves for factorization is no worse than using elliptic curves.
| |
| | |
| ==See also==
| |
| *[[UBASIC]] for practical program (ECMX).
| |
| | |
| ==References==
| |
| {{reflist}}
| |
| *{{cite paper |last=Bernstein |first=D. J. |last2=Birkner |first2=P. |last3=Lange |first3=T. |last4=Peters |first4=C. |title=ECM using Edwards curves |work=ePrint archive 2008/016 |year=2008 |url=http://eprint.iacr.org/2008/016 }}
| |
| *{{cite book |last=Bosma |first=W. |last2=Hulst |first2=M. P. M. van der |title=Primality proving with cyclotomy |publisher=Ph.D. Thesis, Universiteit van Amsterdam |year=1990 |isbn= |oclc=256778332 }}
| |
| *{{cite journal |last=Brent |first=Richard P. |title=Factorization of the tenth Fermat number |journal=Mathematics of Computation |volume=68 |issue=225 |year=1999 |pages=429–451 |doi=10.1090/S0025-5718-99-00992-8 }}
| |
| *{{cite book |last=Cohen |first=Henri |title=A Course in Computational Algebraic Number Theory |publisher=Springer-Verlag |location=New York, Berlin, Heidelberg |year=1996 |isbn=0-387-55640-0 }}
| |
| *{{cite journal |last=Cosset |first=R. |title=Factorization with genus 2 curves |journal=Mathematics of Computation |volume=79 |issue=270 |year=2010 |pages=1191–1208 |doi=10.1090/S0025-5718-09-02295-9 }}
| |
| *{{cite book |editor1-link=Arjen Lenstra |editor1-last=Lenstra |editor1-first=A. K. |editor2-last=Lenstra Jr. |editor2-first=H. W. |title=The development of the number field sieve |series=Lecture Notes in Mathematics |volume=1554 |publisher=Springer-Verlag |location=Berlin |year=1993 |mr=96m:11116 }}
| |
| *{{cite journal |last=Lenstra Jr. |first=H. W. |title=Factoring integers with elliptic curves |journal=[[Annals of Mathematics]] |volume=126 |year=1987 |issue=3 |pages=649–673 |mr=89g:11125 |doi= |jstor=1971363 }}
| |
| *{{cite book
| |
| | last = Pomerance
| |
| | first = Carl
| |
| | authorlink = Carl Pomerance
| |
| | coauthors = Richard Crandall
| |
| | year = 2001
| |
| | title = Prime Numbers: A Computational Perspective
| |
| | publisher = Springer
| |
| | edition = 1st
| |
| | chapter = Section 7.4: Elliptic curve method
| |
| | pages = 301–313
| |
| | isbn = 0-387-94777-9}}
| |
| *{{cite book |last=Pomerance |first=Carl |chapter=The quadratic sieve factoring algorithm |title=Advances in Cryptology, Proc. Eurocrypt '84 |series=Lecture Notes in Computer Science |volume=209 |publisher=Springer-Verlag |location=Berlin |year=1985 |pages=169–182 |mr=87d:11098 }}
| |
| *{{cite journal
| |
| |last=Pomerance
| |
| |first=Carl
| |
| |title=A Tale of Two Sieves
| |
| |journal=[[Notices of the American Mathematical Society]]
| |
| |pages=1473–1485
| |
| |volume=43
| |
| |year=1996
| |
| |issue=12
| |
| |url=http://www.ams.org/notices/199612/pomerance.pdf
| |
| |format = [[PDF]]
| |
| }}
| |
| *{{cite journal |last=Silverman |first=Robert D. |title=The Multiple Polynomial Quadratic Sieve |journal=[[Mathematics of Computation]] |volume=48 |issue=177 |year=1987 |pages=329–339 |doi=10.1090/S0025-5718-1987-0866119-8 |jstor= }}
| |
| *{{cite book | last1=Trappe | first1= W. | last2=Washington| first2=L. C. | title=Introduction to Cryptography with Coding Theory |edition=Second | publisher=Pearson Prentice Hall | year=2006| isbn=0-13-186239-1|ref=harv}}
| |
| *{{cite book |last=Watras |first=Marcin |title=Cryptography, Number Analysis, and Very Large Numbers |publisher=Wojciechowski-Steinhagen |location=Bydgoszcz |year=2008 |id=PL:5324564 }}
| |
| | |
| ==External links==
| |
| * [http://alpertron.com.ar/ECM.HTM Factorization using the Elliptic Curve Method], a Java applet which uses ECM and switches to the [[Quadratic sieve|Self-Initializing Quadratic Sieve]] when it is faster.
| |
| * [http://ecm.gforge.inria.fr/ GMP-ECM], an efficient implementation of ECM.
| |
| * [http://www.loria.fr/~zimmerma/records/ecmnet.html ECMNet], an easy client-server implementation that works with several factorization projects.
| |
| * [http://www.sourceforge.net/projects/pyecm pyecm], a python implementation of ECM. Much faster with psyco and/or gmpy.
| |
| * [http://www.rechenkraft.net/yoyo/ Distributed computing project yoyo@Home] Subproject ECM is a program for Elliptic Curve Factorization which is used by a couple of projects to find factors for different kind of numbers.
| |
| * [http://ardoino.com/2008/03/large-integers-factorization/ Lenstra Elliptic Curve Factorization algorithm source code] Simple C and GMP Elliptic Curve Factorization Algorithm source code
| |
| | |
| | |
| {{number theoretic algorithms}}
| |
| | |
| [[Category:Integer factorization algorithms]]
| |
| [[Category:Finite fields]]
| |