S S symmetry Article The Improvement of Elliptic Curve Factorization Method to Recover RSA’s Prime Factors Kritsanapong Somsuk Department of Computer and Communication Engineering, Faculty of Technology, Udon Thani Rajabhat University, UDRU, Udon Thani 41000, Thailand; [email protected] Abstract: Elliptic Curve Factorization Method (ECM) is the general-purpose factoring method used in the digital computer era. It is based on the medium length of the modulus; ECM is an efficient algorithm when the length of modulus is between 40 and 50 digits. In fact, the main costs for each iteration are modular inverse, modular multiplication, modular square and greatest common divisor. However, when compared to modular multiplication and modular square, the costs of modular inverse and greatest common divisor are very high. The aim of this paper is to improve ECM in order to reduce the costs to compute both of modular inverse and greatest common divisor. The proposed method is called Fast Elliptic Curve Factorization Method (F-ECM). For every two adjacent points on the curve, only one modular inverse and one greatest common divisor will be computed. That means it implies that the costs in both of them can be split in half. Furthermore, the length of modulus in the experiment spans from 30 to 65 bits. The experimental results show that F-ECM can finish the task faster than ECM for all cases of the modulus. Furthermore, the computation time is reduced by 30 to 38 percent. Keywords: ECM; F-ECM; computation time; RSA; modulus Citation: Somsuk, K. The Improvement of Elliptic Curve Factorization Method to Recover 1. Introduction RSA’s Prime Factors. Symmetry 2021, 13, 1314. https://doi.org/10.3390/ RSA [1] is one of the most well-known cryptography algorithms in the digital com- sym13081314 puter era. It is classified as asymmetric key cryptography or public key cryptography [2]. In fact, this algorithm which was proposed in 1977 by Ron Rivest, Adi Shamir and Leonard Academic Editor: Debiao He Adleman, can be used to secure secret information transferred via an unsecure channel as well as sign digital signatures. RSA algorithm, on the other hand, is based on the integer Received: 26 June 2021 factorization problem [3,4]. As a result, when one of the two prime factors is revealed, RSA Accepted: 20 July 2021 is broken. Furthermore, there are two types of integer factorization algorithms [5]. The Published: 21 July 2021 first category is known as special-purpose factoring. The efficiency of each algorithm in this group is determined by the properties of prime factors. The other group is known Publisher’s Note: MDPI stays neutral as general-purpose factoring, and the algorithms are based on the length of the modulus. with regard to jurisdictional claims in Assuming that two strong prime factors and 1024 bits of the modulus are selected, none of published maps and institutional affil- proposed integer factorization algorithms can break RSA in polynomial time by using the iations. digital computer. Elliptic Curve Cryptography (ECC) [6,7] is another public key cryptography that can be used for data security as well as digital signature. In addition, Neal Koblitz and Victor S. Miller proposed ECC in 1985. Despite the fact that the bit-length of ECC is shorter, the Copyright: © 2021 by the author. security level is the same as RSA. ECC, on the other hand, differs from RSA in which it Licensee MDPI, Basel, Switzerland. is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP) [8–10]. Moreover, This article is an open access article Elliptic Curve can be used to factor the composite number as well. That is, it is possible to distributed under the terms and break RSA. The Lenstra Elliptic Curve Factorization or Elliptic Curve Factorization Method conditions of the Creative Commons (ECM) is used for this task. However, ECM requires a large number of modular inverses Attribution (CC BY) license (https:// and greatest common divisors, which are known as the expensive costs. That is, it takes a creativecommons.org/licenses/by/ significant amount of time to finish the task. 4.0/). Symmetry 2021, 13, 1314. https://doi.org/10.3390/sym13081314 https://www.mdpi.com/journal/symmetry Symmetry 2021, 13, 1314 2 of 15 The modified method for speeding up ECM is proposed in this paper. In fact, the proposed method is known as the Fast Elliptic Curve Factorization Method (F-ECM). The main idea is to reduce the number of modular inverses and greatest common divisors in order to shorten the computation time. Even though the number of modular multiplications and modular squares are increased, these costs are very low when compared to modular inverse and greatest common divisor. In fact, every classical algorithm linked to the RSA and ECC algorithms is the digital computer-based. If the digital computer era is not disrupted, they are all still effective. Therefore, it implies that F-ECM is still an efficient method for the medium length of the modulus in the digital computer era. However, if the quantum computer that is being developed becomes practical, all algorithms pertaining to digital technology, including RSA, ECC and the block chain that is controlled by cryptography, will be insecure. For example, RSA may be easily broken by using Shor’s quantum algorithm [11] when the quantum computer is completely used. As a result, if such a scenario occurs, new security algorithms based on quantum computers may be devised in order to control all technology at the time. The rest of the paper is organized as follows. In Section2, RSA and ECC which are public key cryptography are reviewed. Some integer factorization algorithms will be mentioned in Section3. The overviews of quantum computing and Shor’s Factoring algorithm will be mentioned in Section4. The proposed method is presented in Section5. Loop analysis will be discussed in Section6. In Section7, the experimental results about the comparison between ECM and F-ECM are shown. The conclusion is discussed in the last section. 2. Overviews of RSA and ECC The idea behind public key cryptography is that the encryption and decryption processes necessitate the use of a pair of keys that are mathematically related to one another. The first key, named the public key, is made available to all group members. The owner keeps the other key, known as the private key, hidden. In fact, if one of the keys is chosen for encryption, the other must be chosen for decryption. Furthermore, for data security, the public key is used in the encryption process. In the case of digital signatures, however, the private key is used in this process. This section examines two types of public key cryptography algorithms, RSA and ECC. 2.1. RSA RSA algorithm is a type of public key cryptography. Its security is based on the integer factorization problem. As a result, it should be assigned at least 1024 bits to avoid intruders attacking rapidly. Furthermore, RSA can be used for a variety of tasks, including data security and digital signatures. For RSA, there are three processes: the key generation algorithm, the encryption and the decryption. However, the processes for data security are as follows: Process 1 (Key generation Algorithm): it is the algorithm to generate a pair of keys and the modulus. There are four steps as follows: Step 1: Choose two prime numbers randomly, p and q Step 2: Calculate the modulus, n = p ∗ q, and calculate the Euler totient function, F(n) = (p − 1) ∗ (q − 1), using the Extended Euclidean Algorithms [12–14] Step 3: Choose the public key (e) from the following conditions, 1 < e < F(n) and gcd (e, F(n)) = 1 Step 4: Compute the private key (d) from the following equation, e ∗ d mod F(n) = 1 Where, the public key is {e, n} and the private key is {d, n} Process 2 (Encryption): senders must convert the original plaintext (m) into the unreadable message or the ciphertext (c). There are three steps as follows: Step 1: Receive the receiver’s public key {e, n} Step 2: Represent m as the positive integer, M, where 1 < M < n Symmetry 2021, 13, 1314 3 of 15 Step 3: Encrypt M by using the Equation (1): c = Memod n (1) Step 4: Send c to receivers Process 3 (Decryption): After receiving c, receivers can recover m by using the following steps: Step 1: Use the private key {d, n} to decrypt c by using the Equation (2): M = cdmod n (2) Step 2: Transform M as the original plaintext, m For this system, p and q are the attackers’ target, because F(n) can be computed rapidly to recover d. 2.2. Elliptic Curve Cryptography Another type of public key cryptography is Elliptic Curve Cryptography (ECC). This method comes in a variety of forms, including ECC over Field of Characteristic Two, ECC over Field of Characteristic Three and ECC over Finite Field (Zp), where p is a prime number. However, only ECC over Finite Field (Zp) is focused in this paper. Assuming that p is a prime number, the ECC’s equation over Finite Field (Zp) is as follows: y2 = x3 + ax + b mod p (3) where, 4a3 + 27b2 mod p 6= 0. Assuming that P = (xp, yp) and Q = (xq, yq) are the points on the curve, the main processes for finding the new point on the curve are point addition and point doubling. In fact, there are two cases to find R = (xr, yr) = P + Q as follows: Case 1 (P = Q): Point doubling is required: 2 3xp + a m = mod p (4) 2yp 2 xr = m − 2xp mod p (5) yr = m(xp − xr) − yp mod p (6) Case 2 (P 6= Q): Point addition is required: yq − yp m = mod p (7) xq − xp 2 xr = m − xq − xp mod p (8) yr = m(xp − xr) − yp mod p (9) Assuming that I, M, S and G are represented as the number of modular inverses, number of modular multiplications, number of modular squares and number of greatest common divisor computations, point doubling requires 1I, 2M and 2S.