|
The Lenstra elliptic curve factorization or the elliptic curve factorization method (ECM) is a fast, sub-exponential running time, algorithm for integer factorization which employs elliptic curves. Technically the Lenstra elliptic curve factorization like Pollard's p-1 algorithm is classified as a deterministic algorithm as all "random steps" such as the choice of curves used can be derandomized and done in a deterministic way. (This is not to say that the algorithm can't be implemented in a probabilistic way, if one so chooses, provided one has a true source of randomness.) For general purpose factoring (on a general purpose computer) this method is the third-fastest factoring method. The second fastest is the multiple polynomial version of the quadratic sieve. The fastest general purpose factoring algorithm is the general number field sieve. Both the quadratic sieve and the general number field sieve are probabilistic algorithms. Practically speaking, ECM is considered a special purpose factoring algorithm as it is most suitable for finding small factors. Currently, it is still the best algorithm for factoring out divisors of size not greatly exceeding 20 to 25 digits (64 to 83 bits or so), as its running time is dominated by the size of a factor p rather than by the size of the number n to be factored. The largest factor found (the co-factor being larger) by ECM as of several years ago was around 50 digits. Increasing the number of curves tested improves the chances, but they are not linear with the increase in the number of digits. ECM is at its core an improvement of the older Pollard's p-1 algorithm. In that method, it is assumed that the given number n has a prime factor p such that p − 1 had only "small" prime factors (numbers whose prime factors are all "small" are informally called smooth numbers). Then, by Fermat's little theorem, whenever p − 1 divides e and p does not divide a. Taking e to be a product of small primes raised to small powers, and a to be a random residue mod n, we can hopefully factor n by computing the greatest common divisor of n and ae-1, as other divisors q of n are unlikely to have the property that q-1 divides e — smooth values are rare. However, we will not be able to factor n if n does not have a prime factor p with p-1 smooth. The Lenstra elliptic curve factorization gets around this obstacle by considering the group of a random elliptic curve over the finite field Zp, rather than considering the multiplicative group of Zp which always has order p-1. The order of the group of an elliptic curve over Zp varies between and by a theorem by Helmut Hasse, and randomly, and is likely to be smooth for some elliptic curves. Although there is no proof that a smooth group order will be found in the Hasse-interval, by using heuristic probabilistic methods, the Canfield-Erdös-Pomerance theorem with suitably optimized parameter choices, and the L-notation, we can expect to try curves before getting a smooth group order. This heuristic estimate is very reliable in practice. The Lenstra elliptic curve factorization method to find a factor of the given number n works as follows:
See also | ||||||||
|
| |||||||||
 |
|
| |