Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Lenstra elliptic-curve factorization
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
==Example usage== The following example is from {{harvtxt|Trappe|Washington|2006}}, with some details added. We want to factor {{math|1=''n'' = 455839.}} Let's choose the elliptic curve {{math|1=''y''<sup>2</sup> = ''x''<sup>3</sup> + 5''x'' β 5,}} with the point {{math|1=''P'' = (1, 1)}} on it, and let's try to compute {{math|1=(10!)''P''.}} The slope of the tangent line at some point ''A''=(''x'', ''y'') is {{math|1=''s'' = (3''x''<sup>2</sup> + 5)/(2''y'') (mod n)}}. Using ''s'' we can compute 2''A''. If the value of ''s'' is of the form ''a/b'' where ''b'' > 1 and gcd(''a'',''b'') = 1, we have to find the [[modular inverse]] of ''b''. If it does not exist, gcd(''n'',''b'') is a non-trivial factor of ''n''. First we [[Elliptic_curve_point_multiplication#Point_doubling|compute 2''P'']]. We have {{math|1=''s''(''P'') = ''s''(1,1) = 4,}} so the coordinates of {{math|1=2''P'' = (''{{prime|x}}'', ''{{prime|y}}'')}} are {{math|1=''{{prime|x}}'' = ''s''<sup>2</sup> β 2''x'' = 14}} and {{math|1=''{{prime|y}}'' = ''s''(''x'' β ''{{prime|x}}'') β ''y''}} {{math|1== 4(1 β 14) β 1 = β53,}} all numbers understood {{math|1=(mod ''n'').}} Just to check that this 2''P'' is indeed on the curve: {{nowrap|1=(β53)<sup>2</sup> = 2809 = 14<sup>3</sup> + 5Β·14 β 5.}} Then we compute 3(2''P''). We have {{math|1=''s''(2''P'') = ''s''(14, β53) = β593/106 (mod ''n'').}} Using the [[Euclidean algorithm]]: {{nowrap|1=455839 = 4300Β·106 + 39,}} then {{nowrap |1=106 = 2Β·39 + 28,}} then {{nowrap|1=39 = 28 + 11,}} then {{nowrap |1=28 = 2Β·11 + 6,}} then {{nowrap|1=11 = 6 + 5,}} then {{nowrap |1=6 = 5 + 1.}} Hence {{nowrap|1=gcd(455839, 106) = 1,}} and working backwards (a version of the [[extended Euclidean algorithm]]): {{nowrap |1=1 = 6 β 5 = 2Β·6 β 11 = 2Β·28 β 5Β·11}} {{nowrap |1== 7Β·28 β 5Β·39 = 7Β·106 β 19Β·39 = 81707Β·106 β 19Β·455839.}} Hence {{nowrap |1=106<sup>β1</sup> = 81707 (mod 455839),}} and {{nowrap |1=β593/106 = β133317 (mod 455839).}} Given this ''s'', we can compute the coordinates of 2(2''P''), just as we did above: {{math|1=4''P'' = (259851, 116255).}} Just to check that this is indeed a point on the curve: {{math|1=''y''<sup>2</sup> = 54514 = ''x''<sup>3</sup> + 5''x'' β 5 (mod 455839).}} After this, we can compute <math>3(2P) = 4P \boxplus 2P</math>. We can similarly compute 4!''P'', and so on, but 8!''P'' requires inverting {{nowrap|1=599 (mod 455839).}} The Euclidean algorithm gives that 455839 is divisible by 599, and we have found a {{nowrap|1=factorization 455839 = 599Β·761.}} The reason that this worked is that the curve {{nowrap|1=(mod 599)}} has {{nowrap|1=640 = 2<sup>7</sup>Β·5}} points, while {{nowrap|1=(mod 761)}} it has {{nowrap|1=777 = 3Β·7Β·37}} points. Moreover, 640 and 777 are the smallest positive integers ''k'' such that {{math|1=''kP'' = ∞}} on the curve {{nowrap|1=(mod 599)}} and {{math|1=(mod 761),}} respectively. Since {{nowrap|8!}} is a multiple of 640 but not a multiple of 777, we have {{math|1=8!''P'' = ∞}} on the curve {{nowrap|1=(mod 599),}} but not on the curve {{nowrap|1=(mod 761),}} hence the repeated addition broke down here, yielding the factorization.
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)