The Elliptic Curve Method and Other Integer Factorization Algorithms

Total Page:16

File Type:pdf, Size:1020Kb

The Elliptic Curve Method and Other Integer Factorization Algorithms The Elliptic Curve Method and Other Integer Factorization Algorithms John Wright April 12, 2012 Contents 1 Introduction 2 2 Preliminaries 3 2.1 Greatest common divisors and modular arithmetic . 3 2.2 Basic definitions and theorems . 6 2.3 RSACryptosystem........................ 9 3 Factorization Algorithms 11 3.1 TheSieveofEratosthenes . 11 3.2 TrialDivision ........................... 12 3.3 Fermat’sLittleTheorem . 13 3.4 PseudoprimeTest......................... 14 3.5 StrongPseudoprimeTest . 16 3.6 AmethodofFermat ....................... 17 3.7 TheQuadraticSieve . 20 3.8 Pollard Rho Factorization Method . 22 4 Elliptic curves 24 4.1 Additiononanellipticcurve . 28 4.2 Reduction of elliptic curves defined modulo N ......... 31 4.3 Reduction of curves modulo p .................. 33 4.4 Lenstra’s Elliptic Curve Integer Factorization Method . 34 4.5 TheECMintheprojectiveplane . 36 5 Improving the Elliptic Curve Method 38 5.1 MontgomeryCurves . 38 5.2 Addition for elliptic curves in Montgomery form . 42 5.3 Montgomery multiplication . 47 5.4 Recentdevelopments . 49 5.5 Conclusion ............................ 50 1 Chapter 1 Introduction The Fundamental Theorem of Arithmetic, first proved by Gauss [2], states that every positive integer has a unique factorization into primes. That is, for every positive integer N, a1 a2 ak N = p1 p2 ...pk where the pi’s are distinct primes and each ai is a positive integer. This paper is motivated by a computational question: given an arbitrary integer N, how might we find a non-trivial factor of N? That is, a factor of N other than N and 1. ± ± While it is computationally easy to multiply numbers together, factor- ing a general integer is “generally believed to be hard” [4]. The security of RSA, the “most widely used public key cryptosystem in the world” [20], relies on this difficulty. Therefore, the study of integer factorization is of great practical importance. The goal of this paper is to describe the Elliptic Curve Method(ECM), an integer factorization algorithm first proposed by Lenstra in [21]. Before describing this algorithm, we first discuss some preliminaries. In Chapter 2, we prove some elementary results from number theory and explicitly describe the RSA algorithm. In Chapter 3, we describe several factorization algorithms, including Pollard’s Rho algorithm and the Quadratic Sieve. In Chapter 4, we discuss the algebraic properties of elliptic curves and the ECM. In Chapter 5, we discuss how performing the ECM with a curve in Montgomery form reduces computations. We conclude Chapter 5 by discussing some recent developments of the ECM. 2 Chapter 2 Preliminaries 2.1 Greatest common divisors and modular arith- metic Definition 2.1. Let a and b be positive integers. If gcd(a, b) = 1 then a is relatively prime to b. Definition 2.2. If a b is a multiple of m, then we write a b (mod m). − ≡ The following property is a basic property of division in the integers. For positive integers a and b with b<a and b = 0, there is a non-negative 6 integer r such that a = bk + r, where k is some positive integer and r < b. We will denote r as a mod b. We will need a way to compute greatest common divisors. The following algorithm, called the Euclidean Algorithm, finds gcd(x, y), where x and y are positive integers. Suppose y<x. Express x as x = m1y +r1, where m1 and r1 are integers with 0 r < y. If r = 0, then y divides x and gcd(x, y) = y. If r = 0, ≤ 1 1 1 6 dividing y by r yields y = m r + r with 0 r <r . If r = 0, we divide 1 2 1 2 ≤ 2 1 2 6 r by r to obtain r = m r + r where 0 r < r . Eventually some ri 1 2 1 3 2 3 ≤ 3 2 will be 0, as each ri is a non-negative integer strictly smaller than ri 1. The − process terminates when rk+1 = 0, for some k. Our last three equations are rk 3 = mk 1rk 2 + rk 1 − − − − rk 2 = mkrk 1 + rk − − rk 1 = mk+1rk + 0 − 3 with 0 < rk < rk 1. Since rk 1 = mk+1rk, rk divides rk 1. Since rk 2 = − − − − mkrk 1 + rk, rk divides rk 2. Since rk divides rk 2 and rk 1, rk divides − − − − rk 3. By working our way backwards through the equations in this manner − we see that rk divides both x and y. We will now show that rk = gcd(x, y). Suppose d is a divisor of both x and y. Since x = m1y + r1, d must divide r1. Since y = m2r1 + r2 and d divides y, if d divides r1 then d also divides r2. Continuing on, d must divide rk, making d less than or equal to rk. This proves that rk = gcd(a, b). Example 2.3. We use the Euclidean Algorithm to calculate gcd(45, 12). 45 = (3)(12) + 9 12 = (1)(9) + 3 9 = (3)(3) + 0 Thus, gcd(45, 12) = 3. We will use big O notation to describe the number of arithmetic in the Euclidean Algorithm. Later, we will use big O notation to describe other integer factorization algorithms. Definition 2.4. Let N(x) be the number of arithmetic operations it takes to factor the integer x using some factorization algorithm. We will write N(x)= O(g(x)) if for some function g(x) there exists a real number x0 and a positive real number M such that N(x) M g(x) for all x>x . ≤ | | 0 In [17](p.339), Knuth proves that the number of steps required to com- pute gcd(x, y) using the Euclidean Algorithm is O(ln N), where N = max(x, y). More precisely, Knuth proves that the number of steps is ln(√5N) 2 2.078 ln N + 1.672 &ln((1 + √5)/2)' − ≈ However, each step in the Euclidean Algorithm requires a long division. In [18](p.13), Cohen states that this long division takes O(ln2 N) operations. 4 In total, Cohen states that finding a greatest common divisor of a and b us- ing the Euclidean Algorithm takes O(ln2 N) operations, including the long division. Extending the Euclidean Algorithm allows us to compute the multi- plicative inverse of x modulo y, provided the inverse exists. In order for this inverse to exist, we require x and y to be relatively prime. Suppose we have integers a and b such that ax + by = gcd(x, y). If x and y are relatively prime, then ax + by = 1, and by considering both sides of this equation mod y, we obtain ax 1 (mod y). ≡ 1 Thus, a = x− mod y. The Extended Euclidean Algorithm finds the integers a and b in the relation ax + by = gcd(x, y), and hence can be used to calculate the mul- tiplicative inverse of x modulo y, provided x and y are relatively prime. The Extended Euclidean Algorithm operates as follows. We first perform the Euclidean Algorithm to find the greatest common divisor of x and y, storing the values ri, mi,ri 1 at each step. By substituting ri into ri 1 we − − can work in reverse to find a solution (a, b) to ax + by = gcd(x, y). Example 2.5. We calculate a solution to the equation 49a+15b = gcd(49, 15). In order to do this, we first calculate gcd(49, 15) using the Euclidean Algo- rithm 49 = (3)(15) + 4 15 = (3)(4) + 3 4 = (1)(3) + 1 3 = (3)(1) this shows that gcd(49, 15) = 1. We now work in reverse to calculate a solution to 49a + 15b = 1. 5 1 = 4 (1)(3) − = 4 (1) (15 (3)(4)) − − = (4)(4) 15 − = (4)(49 (3)(15)) 15 − − = (15)( 13) + (49)(4) − Thus, a = 13, b = 4 is a solution to our equation. Taking both sides of − 1 = (15)( 13) + (49)(4) modulo 49 shows that 13 26 (mod 49) is 1 − − ≡ (15)− mod 49. In [18](p.16), Cohen states that the Extended Euclidean Algorithm has the same run time as the Euclidean Algorithm. 2.2 Basic definitions and theorems Before discussing integer factorization, more preliminaries need to be dis- cussed. Proposition 2.6. If x and m are relatively prime and ax bx (mod m) ≡ then a b (mod m). ≡ Proof. If ax bx (mod m) then m divides ax bx = (a b)x. We will now ≡ − − show that m divides a b, which implies that a b (mod m). Since x and − ≡ m are relatively prime, we can use the Extended Euclidean Algorithm on x and m to find a c and an e such that cx + em = 1. Multiplying both sides of the above equation by (a b) yields − cx(a b)+ em(a b) = (a b). − − − Since m divides both cx(a b) and em(a b), m divides (a b). − − − Definition 2.7. The value of the Euler Phi function, denoted by φ(n), for n a positive integer, equals the number of positive integers less than or equal to n that are relatively prime to n. 6 For any prime p, every positive integer less than p is relatively prime to p. Thus, φ(p)= p 1. − Theorem 2.8. If n and b are positive, relatively prime integers then bφ(n) 1 (mod n). ≡ We will prove the above theorem momentarily. Theorem 2.9. (The Chinese Remainder Theorem) Suppose m1, m2,...,mr are positive, pairwise relatively prime integers. Let M = m1m2 ...mr. Let a1,a2,...,ar be arbitrary integers. Then there exists a unique integer a modulo M such that a ai (mod mi) for every i = 1,...,r.
Recommended publications
  • Primality Testing and Integer Factorisation
    Primality Testing and Integer Factorisation Richard P. Brent, FAA Computer Sciences Laboratory Australian National University Canberra, ACT 2601 Abstract The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the Rivest-Shamir-Adelman (RSA) system, depends on the difficulty of factoring the public keys. In recent years the best known integer factorisation algorithms have improved greatly, to the point where it is now easy to factor a 60-decimal digit number, and possible to factor numbers larger than 120 decimal digits, given the availability of enough computing power. We describe several recent algorithms for primality testing and factorisation, give examples of their use and outline some applications. 1. Introduction It has been known since Euclid’s time (though first clearly stated and proved by Gauss in 1801) that any natural number N has a unique prime power decomposition α1 α2 αk N = p1 p2 ··· pk (1.1) αj (p1 < p2 < ··· < pk rational primes, αj > 0). The prime powers pj are called αj components of N, and we write pj kN. To compute the prime power decomposition we need – 1. An algorithm to test if an integer N is prime. 2. An algorithm to find a nontrivial factor f of a composite integer N. Given these there is a simple recursive algorithm to compute (1.1): if N is prime then stop, otherwise 1. find a nontrivial factor f of N; 2.
    [Show full text]
  • Computing Prime Divisors in an Interval
    MATHEMATICS OF COMPUTATION Volume 84, Number 291, January 2015, Pages 339–354 S 0025-5718(2014)02840-8 Article electronically published on May 28, 2014 COMPUTING PRIME DIVISORS IN AN INTERVAL MINKYU KIM AND JUNG HEE CHEON Abstract. We address the problem of finding a nontrivial divisor of a com- posite integer when it has a prime divisor in an interval. We show that this problem can be solved in time of the square root of the interval length with a similar amount of storage, by presenting two algorithms; one is probabilistic and the other is its derandomized version. 1. Introduction Integer factorization is one of the most challenging problems in computational number theory. It has been studied for centuries, and it has been intensively in- vestigated after introducing the RSA cryptosystem [18]. The difficulty of integer factorization has been examined not only in pure factoring situations but also in various modified situations. One such approach is to find a nontrivial divisor of a composite integer when it has prime divisors of special form. These include Pol- lard’s p − 1 algorithm [15], Williams’ p + 1 algorithm [20], and others. On the other hand, owing to the importance and the usage of integer factorization in cryptog- raphy, one needs to examine this problem when some partial information about divisors is revealed. This side information might be exposed through the proce- dures of generating prime numbers or through some attacks against crypto devices or protocols. This paper deals with integer factorization given the approximation of divisors, and it is motivated by the above mentioned research.
    [Show full text]
  • Elliptic Curve Arithmetic for Cryptography
    Elliptic Curve Arithmetic for Cryptography Srinivasa Rao Subramanya Rao August 2017 A Thesis submitted for the degree of Doctor of Philosophy of The Australian National University c Copyright by Srinivasa Rao Subramanya Rao 2017 All Rights Reserved Declaration I confirm that this thesis is a result of my own work, except as cited in the references. I also confirm that I have not previously submitted any part of this work for the purposes of an award of any degree or diploma from any University. Srinivasa Rao Subramanya Rao March 2017. Previously Published Content During the course of research contributing to this thesis, the following papers were published by the author of this thesis. This PhD thesis contains material from these papers: 1. Srinivasa Rao Subramanya Rao, A Note on Schoenmakers Algorithm for Multi Exponentiation, 12th International Conference on Security and Cryptography (Colmar, France), Proceedings of SECRYPT 2015, pages 384-391. 2. Srinivasa Rao Subramanya Rao, Interesting Results Arising from Karatsuba Multiplication - Montgomery family of formulae, in Proceedings of Sixth International Conference on Computer and Communication Technology 2015 (Allahabad, India), pages 317-322. 3. Srinivasa Rao Subramanya Rao, Three Dimensional Montgomery Ladder, Differential Point Tripling on Montgomery Curves and Point Quintupling on Weierstrass' and Edwards Curves, 8th International Conference on Cryptology in Africa, Proceedings of AFRICACRYPT 2016, (Fes, Morocco), LNCS 9646, Springer, pages 84-106. 4. Srinivasa Rao Subramanya Rao, Differential Addition in Edwards Coordinates Revisited and a Short Note on Doubling in Twisted Edwards Form, 13th International Conference on Security and Cryptography (Lisbon, Portugal), Proceedings of SECRYPT 2016, pages 336-343 and 5.
    [Show full text]
  • Integer Factorization and Computing Discrete Logarithms in Maple
    Integer Factorization and Computing Discrete Logarithms in Maple Aaron Bradford∗, Michael Monagan∗, Colin Percival∗ [email protected], [email protected], [email protected] Department of Mathematics, Simon Fraser University, Burnaby, B.C., V5A 1S6, Canada. 1 Introduction As part of our MITACS research project at Simon Fraser University, we have investigated algorithms for integer factorization and computing discrete logarithms. We have implemented a quadratic sieve algorithm for integer factorization in Maple to replace Maple's implementation of the Morrison- Brillhart continued fraction algorithm which was done by Gaston Gonnet in the early 1980's. We have also implemented an indexed calculus algorithm for discrete logarithms in GF(q) to replace Maple's implementation of Shanks' baby-step giant-step algorithm, also done by Gaston Gonnet in the early 1980's. In this paper we describe the algorithms and our optimizations made to them. We give some details of our Maple implementations and present some initial timings. Since Maple is an interpreted language, see [7], there is room for improvement of both implementations by coding critical parts of the algorithms in C. For example, one of the bottle-necks of the indexed calculus algorithm is finding and integers which are B-smooth. Let B be a set of primes. A positive integer y is said to be B-smooth if its prime divisors are all in B. Typically B might be the first 200 primes and y might be a 50 bit integer. ∗This work was supported by the MITACS NCE of Canada. 1 2 Integer Factorization Starting from some very simple instructions | \make integer factorization faster in Maple" | we have implemented the Quadratic Sieve factoring al- gorithm in a combination of Maple and C (which is accessed via Maple's capabilities for external linking).
    [Show full text]
  • Integer Factorization with a Neuromorphic Sieve
    Integer Factorization with a Neuromorphic Sieve John V. Monaco and Manuel M. Vindiola U.S. Army Research Laboratory Aberdeen Proving Ground, MD 21005 Email: [email protected], [email protected] Abstract—The bound to factor large integers is dominated by to represent n, the computational effort to factor n by trial the computational effort to discover numbers that are smooth, division grows exponentially. typically performed by sieving a polynomial sequence. On a Dixon’s factorization method attempts to construct a con- von Neumann architecture, sieving has log-log amortized time 2 2 complexity to check each value for smoothness. This work gruence of squares, x ≡ y mod n. If such a congruence presents a neuromorphic sieve that achieves a constant time is found, and x 6≡ ±y mod n, then gcd (x − y; n) must be check for smoothness by exploiting two characteristic properties a nontrivial factor of n. A class of subexponential factoring of neuromorphic architectures: constant time synaptic integration algorithms, including the quadratic sieve, build on Dixon’s and massively parallel computation. The approach is validated method by specifying how to construct the congruence of by modifying msieve, one of the fastest publicly available integer factorization implementations, to use the IBM Neurosynaptic squares through a linear combination of smooth numbers [5]. System (NS1e) as a coprocessor for the sieving stage. Given smoothness bound B, a number is B-smooth if it does not contain any prime factors greater than B. Additionally, let I. INTRODUCTION v = e1; e2; : : : ; eπ(B) be the exponents vector of a smooth number s, where s = Q pvi , p is the ith prime, and A number is said to be smooth if it is an integer composed 1≤i≤π(B) i i π (B) is the number of primes not greater than B.
    [Show full text]
  • The Complete Cost of Cofactor H = 1
    The complete cost of cofactor h = 1 Peter Schwabe and Daan Sprenkels Radboud University, Digital Security Group, P.O. Box 9010, 6500 GL Nijmegen, The Netherlands [email protected], [email protected] Abstract. This paper presents optimized software for constant-time variable-base scalar multiplication on prime-order Weierstraß curves us- ing the complete addition and doubling formulas presented by Renes, Costello, and Batina in 2016. Our software targets three different mi- croarchitectures: Intel Sandy Bridge, Intel Haswell, and ARM Cortex- M4. We use a 255-bit elliptic curve over F2255−19 that was proposed by Barreto in 2017. The reason for choosing this curve in our software is that it allows most meaningful comparison of our results with optimized software for Curve25519. The goal of this comparison is to get an under- standing of the cost of using cofactor-one curves with complete formulas when compared to widely used Montgomery (or twisted Edwards) curves that inherently have a non-trivial cofactor. Keywords: Elliptic Curve Cryptography · SIMD · Curve25519 · scalar multiplication · prime-field arithmetic · cofactor security 1 Introduction Since its invention in 1985, independently by Koblitz [34] and Miller [38], elliptic- curve cryptography (ECC) has widely been accepted as the state of the art in asymmetric cryptography. This success story is mainly due to the fact that attacks have not substantially improved: with a choice of elliptic curve that was in the 80s already considered conservative, the best attack for solving the elliptic- curve discrete-logarithm problem is still the generic Pollard-rho algorithm (with minor speedups, for example by exploiting the efficiently computable negation map in elliptic-curve groups [14]).
    [Show full text]
  • Montgomery Curves and the Montgomery Ladder
    Montgomery curves and the Montgomery ladder Daniel J. Bernstein and Tanja Lange Technische Universiteit Eindhoven, The Netherlands University of Illinois at Chicago, USA Abstract. The Montgomery ladder is a remarkably simple method of computing scalar multiples of points on a broad class of elliptic curves. This article surveys a wide range of topics related to the Montgomery ladder, both from the historical perspective of Weierstrass curves and from the modern perspective of Edwards curves. New material includes a full proof of a complete constant-time ladder algorithm suitable for cryptographic applications. This article is planned to appear as Chapter 4 of the book Topics in Com- putational Number Theory inspired by Peter L. Montgomery, edited by Joppe W. Bos and Arjen K. Lenstra. Two cross-references are to de- scriptions of ECM in FFT extension for algebraic-group factorization algorithms, by Richard P. Brent, Alexander Kruppa, and Paul Zimmer- mann, which is planned to appear as Chapter 9 of the same book. Author list in alphabetical order; see https://www.ams.org/profession/ leaders/culture/CultureStatement04.pdf. This work was supported by the Commission of the European Communities through the Horizon 2020 program under project ICT-645421 (ECRYPT-CSA), by the U.S. National Sci- ence Foundation under grants 1018836 and 1314919, and by the Netherlands Organisation for Scientific Research (NWO) under grant 639.073.005. “Any opinions, findings, and conclusions or recommendations expressed in this ma- terial are those of the author(s) and do not necessarily reflect the views of the National Science Foundation” (or other funding agencies).
    [Show full text]
  • 18.783 S17 Elliptic Curves Lecture 11: Index Calculus, Smooth Numbers, Factoring Integers
    18.783 Elliptic Curves Spring 2017 Lecture #11 03/15/2017 11 Index calculus, smooth numbers, and factoring integers Having explored generic algorithms for the discrete logarithm problem in some detail, we now consider a non-generic algorithm that uses index calculus. 1 This algorithm depends critically on the distribution of smooth numbers (integers with small prime factors), which naturally leads to a discussion of two algorithms for factoring integers that also depend on smooth numbers: the Pollard p − 1 method and the elliptic curve method (ECM). 11.1 Index calculus Index calculus is a method for computing discrete logarithms in the multiplicative group of a finite field. This might not seem directly relevant to the elliptic curve discrete logarithm problem, but aswe shall see whenwe discuss pairing-based cryptography, thesetwo problems are not unrelated. Moreover, the same approach can be applied to elliptic curves over non- prime finite fields, as well as abelian varieties of higher dimension [7, 8, 9].2 We will restrict our attention to the simplest case, a finite field of prime order p. Let us identify Fp ' Z=pZ with our usual choice of representatives for Z=pZ, integers in the interval [0;N], with N = p − 1. This innocent looking statement is precisely what will allow us to “cheat”, that is, to do something that a generic algorithm cannot. It lets us lift elements of Fp ' Z=pZ to the ring Z where we may consider their prime factorizations, something that makes no sense in a multiplicative group (every element is a unit) and is not available to a generic algorithm.
    [Show full text]
  • Cracking RSA with Various Factoring Algorithms Brian Holt
    Cracking RSA with Various Factoring Algorithms Brian Holt 1 Abstract For centuries, factoring products of large prime numbers has been recognized as a computationally difficult task by mathematicians. The modern encryption scheme RSA (short for Rivest, Shamir, and Adleman) uses products of large primes for secure communication protocols. In this paper, we analyze and compare four factorization algorithms which use elementary number theory to assess the safety of various RSA moduli. 2 Introduction The origins of prime factorization can be traced back to around 300 B.C. when Euclid's theorem and the unique factorization theorem were proved in his work El- ements [3]. For nearly two millenia, the simple trial division algorithm was used to factor numbers into primes. More efficient means were studied by mathemeticians during the seventeenth and eighteenth centuries. In the 1640s, Pierre de Fermat devised what is known as Fermat's factorization method. Over one century later, Leonhard Euler improved upon Fermat's factorization method for numbers that take specific forms. Around this time, Adrien-Marie Legendre and Carl Gauss also con- tributed crucial ideas used in modern factorization schemes [3]. Prime factorization's potential for secure communication was not recognized until the twentieth century. However, economist William Jevons antipicated the "one-way" or ”difficult-to-reverse" property of products of large primes in 1874. This crucial con- cept is the basis of modern public key cryptography. Decrypting information without access to the private key must be computationally complex to prevent malicious at- tacks. In his book The Principles of Science: A Treatise on Logic and Scientific Method, Jevons challenged the reader to factor a ten digit semiprime (now called Jevon's Number)[4].
    [Show full text]
  • Primality Testing and Integer Factorization in Public-Key Cryptography Pdf, Epub, Ebook
    PRIMALITY TESTING AND INTEGER FACTORIZATION IN PUBLIC-KEY CRYPTOGRAPHY PDF, EPUB, EBOOK Song Y. Yan | 371 pages | 29 Nov 2010 | Springer-Verlag New York Inc. | 9781441945860 | English | New York, NY, United States Primality Testing and Integer Factorization in Public-Key Cryptography PDF Book RA 39 math. Blog at WordPress. The two equations give. Book Description Condition: New. Stock Image. The square and multiply algorithm is equivalent to the Python one-liner pow x, k, p. One can use a crude version of the prime number theorem to get the upper bound on. Since has order greater than in , we see that the number of residue classes of the form is at least. Factoring integers with elliptic curves. HO 12 math. They matter because of an important class of cryptosystems, in a multibillion dollar industry. You have to search a smaller space until you brute force the key. View 2 excerpts, references background and methods. By Terence Tao. So to establish the proposition it suffices to show that all these products are distinct. View all copies of this ISBN edition:. Hello I think that binomial test is also suitable for factoring. View 9 excerpts, references background. Each shard is capable of processing transactions in parallel, yielding a high throughput for the network. Sorry, your blog cannot share posts by email. Updates on my research and expository papers, discussion of open problems, and other maths-related topics. Note that can be computed in time for any fixed by expressing in binary, and repeatedly squaring. I implemented those steps in the Python code below.
    [Show full text]
  • Primality Testing and Sub-Exponential Factorization
    Primality Testing and Sub-Exponential Factorization David Emerson Advisor: Howard Straubing Boston College Computer Science Senior Thesis May, 2009 Abstract This paper discusses the problems of primality testing and large number factorization. The first section is dedicated to a discussion of primality test- ing algorithms and their importance in real world applications. Over the course of the discussion the structure of the primality algorithms are devel- oped rigorously and demonstrated with examples. This section culminates in the presentation and proof of the modern deterministic polynomial-time Agrawal-Kayal-Saxena algorithm for deciding whether a given n is prime. The second section is dedicated to the process of factorization of large com- posite numbers. While primality and factorization are mathematically tied in principle they are very di⇥erent computationally. This fact is explored and current high powered factorization methods and the mathematical structures on which they are built are examined. 1 Introduction Factorization and primality testing are important concepts in mathematics. From a purely academic motivation it is an intriguing question to ask how we are to determine whether a number is prime or not. The next logical question to ask is, if the number is composite, can we calculate its factors. The two questions are invariably related. If we can factor a number into its pieces then it is obviously not prime, if we can’t then we know that it is prime. The definition of primality is very much derived from factorability. As we progress through the known and developed primality tests and factorization algorithms it will begin to become clear that while primality and factorization are intertwined they occupy two very di⇥erent levels of computational di⇧culty.
    [Show full text]
  • Twisted Edwards Curves
    Twisted Edwards Curves Daniel J. Bernstein1, Peter Birkner2, Marc Joye3, Tanja Lange2, and Christiane Peters2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois at Chicago, Chicago, IL 60607–7045, USA [email protected] 2 Department of Mathematics and Computer Science Technische Universiteit Eindhoven, P.O. Box 513, 5600 MB Eindhoven, Netherlands [email protected], [email protected], [email protected] 3 Thomson R&D France Technology Group, Corporate Research, Security Laboratory 1 avenue de Belle Fontaine, 35576 Cesson-S´evign´eCedex, France [email protected] Abstract. This paper introduces “twisted Edwards curves,” a general- ization of the recently introduced Edwards curves; shows that twisted Edwards curves include more curves over finite fields, and in particular every elliptic curve in Montgomery form; shows how to cover even more curves via isogenies; presents fast explicit formulas for twisted Edwards curves in projective and inverted coordinates; and shows that twisted Edwards curves save time for many curves that were already expressible as Edwards curves. Keywords: Elliptic curves, Edwards curves, twisted Edwards curves, Montgomery curves, isogenies. 1 Introduction Edwards in [13], generalizing an example from Euler and Gauss, introduced an addition law for the curves x2 + y2 = c2(1 + x2y2) over a non-binary field k. Edwards showed that every elliptic curve over k can be expressed in the form x2 + y2 = c2(1 + x2y2) if k is algebraically closed. However, over a finite field, only a small fraction of elliptic curves can be expressed in this form. Bernstein and Lange in [4] presented fast explicit formulas for addition and doubling in coordinates (X : Y : Z) representing (x, y) = (X/Z, Y/Z) on an Edwards curve, and showed that these explicit formulas save time in elliptic- curve cryptography.
    [Show full text]