Elliptic Curve Method for Integer Factorization on Parallel Architectures Andrea Miele I&C, EPFL


EDIC RESEARCH PROPOSAL

Abstract—The elliptic curve method (ECM) for integer factorization is an algorithm that uses the algebraic structure of the set of points of an elliptic curve for factoring integers. The running time of ECM depends on the size of the smallest prime divisor of the number to be factored. One of its main applications is the co-factorization step in the number field sieve algorithm that is used for assessing the security of the RSA cryptosystem. The principal goal emphasized in this proposal is the efficient implementation of ECM on highly parallel low-cost devices, like graphics cards. This requires theoretical and practical study of parallel algorithms for elliptic curve and finite field arithmetic.

Index Terms—ECM, finite field arithmetic, elliptic curves, Edwards curves, integer factorization.

I. INTRODUCTION

Implementation and study of algorithms for integer factorization is crucial for the security assessment of several public-key cryptosystems. The Number Field Sieve (NFS) [1] is the best known method for factoring integers with large prime factors (such as RSA moduli), which directly impacts the security of RSA. The Elliptic Curve Method (ECM) [2] for integer factorization is expected to yield better performance than NFS only if the composite integer $n$ to be factored has some prime divisors that are small compared to the size of $n$. However, ECM plays a relevant role in the NFS co-factorization step, in which many small composite integers (100 to 200 bits) need to be factored. This task can be off-loaded to low-cost highly parallel devices like graphics cards. ECM also has two applications for large integers which can be accelerated on such devices. One is the factorization of numbers whose size is out of reach for NFS. This application is of interest only in the context of recreational mathematics. The second one is the factorization of RSA multiprime moduli. In this variant of RSA, the modulus is built up from $r > 2$ primes of about the same size, which speeds up the decryption step when the Chinese Remainder Theorem is used; the price is that the smallest prime divisor of the modulus, which governs the running time of ECM, is smaller than in the two-prime case. The problem of implementing ECM efficiently on low-cost highly parallel devices is relevant not only in the context of integer factorization. Several cryptological applications other than ECM are based on the implementation of finite field arithmetic and elliptic curve arithmetic, e.g., Elliptic Curve Cryptography (ECC) based protocols.

Recent graphics processing units (GPUs) are an interesting platform for the implementation of ECM and the underlying arithmetic. In the last years they have evolved from simple parallel graphics pipelines to many-core architectures with full hardware/software support for general purpose computations. This has led to the popular general-purpose computing on graphics processing units (GPGPU) concept. GPUs are suitable for applications which involve many independent parallel computations on different chunks of data, with little or no synchronization needed between such computations.

The papers described in this proposal cover the essential background related to ECM and its implementation. The classic "Factoring integers with elliptic curves" [2] by Hendrik Lenstra from 1987 introduced ECM. All the facts necessary to explain why and when it works are described along with two variants of the factoring algorithm and a conjecture on its expected running time. The second paper, "Speeding the Pollard and Elliptic Curve Methods of Factorization" [3], describes several improvements applicable to ECM and other factoring methods that must be taken into consideration in view of implementing these algorithms efficiently. The last one, "Twisted Edwards Curves Revisited" [4], presents the fastest known algorithms for performing group operations on elliptic curves that can speed up several cryptological applications including ECM [5]. In section II detailed descriptions of the papers will be given, followed by the research proposal in section III.

Proposal submitted to committee December 8th, 2011; Candidacy exam date: December 15th, 2011; Candidacy exam committee: Emre Telatar, Arjen Lenstra, Amin Shokrollahi.

This research plan has been approved:
Date: ————————————
Doctoral candidate: ———————————— (name and signature)
Thesis director: ———————————— (name and signature)
Thesis co-director (if applicable): ———————————— (name and signature)
Doct. prog. director (R. Urbanke): ———————————— (signature)
EDIC-ru/05.05.2009

II. SURVEY OF THE SELECTED PAPERS

Notation

The symbol $\log$ without explicit subscript for the base will denote the natural logarithm throughout the paper.

A. Factoring integers with elliptic curves

In this paper, Hendrik Lenstra proposes the elliptic curve method (ECM) for factoring positive integers, which is obtained from Pollard's $(p-1)$-method by replacing the multiplicative group of residues modulo $p$, $(\mathbb{Z}/p\mathbb{Z})^*$, with the group of points on a random elliptic curve modulo $p$.

1) Elliptic curves over finite fields: Let $K$ be a field; the author focuses on the case $K = \mathbb{F}_p$ for some prime number $p > 3$. A pair $(a, b) \in K^2$ for which $4a^3 + 27b^2 \neq 0$ defines an elliptic curve over $K$ corresponding to the short Weierstrass equation

$$y^2 = x^3 + ax + b. \quad (1)$$

The elliptic curve defined by $(a, b)$ is denoted by $E_{a,b}$, or by $E$. The set of points $E(K)$ of $E_{a,b}$ over $K$ is defined by

$$E(K) = \{(x : y : z) \in \mathbb{P}^2(K) : y^2 z = x^3 + a x z^2 + b z^3\}.$$

$\mathbb{P}^2(K)$ denotes the projective plane over $K$, i.e., the set of equivalence classes of triples $(x, y, z) \in K^3$, $(x, y, z) \neq (0, 0, 0)$; two triples $(x, y, z)$ and $(x', y', z')$ are equivalent if there exists $c \in K^*$ such that $cx = x'$, $cy = y'$ and $cz = z'$. The equivalence class containing $(x, y, z)$ is denoted by $(x : y : z)$. Given an elliptic curve $E$ over $K$, the point $(0 : 1 : 0) \in E(K)$ is the zero point of the curve; it is denoted by $O$ and it is the only point with $z = 0$. All the other points of $E$ are of the form $(x : y : 1)$, where $x, y \in K$ satisfy Eq. (1). The set $E(K)$ has the structure of an abelian group with the group law defined as follows (additive notation):

• Identity element: $O + P = P + O = P$ for all $P \in E(K)$.
• Given $P = (x_1 : y_1 : 1) \neq O$ and $Q = (x_2 : y_2 : 1) \neq O$, then $P + Q = O$ if and only if $x_1 = x_2$ and $y_1 = -y_2$; thus $-(x : y : z) = (x : -y : z)$.
• Otherwise, let $\lambda \in K$ be $\lambda = (y_1 - y_2)/(x_1 - x_2)$ if $P \neq Q$ and $\lambda = (3x_1^2 + a)/(2y_1)$ if $P = Q$. Then $P + Q = R$, where $R = (x_3 : y_3 : 1)$ with $x_3 = \lambda^2 - x_1 - x_2$ and $y_3 = -\lambda x_3 - y_1 + \lambda x_1$.

2) Elliptic curves modulo a composite $n$: Consider the set $E(\mathbb{Z}/n\mathbb{Z})$ obtained from the definition above by replacing the field $K$ with the ring $\mathbb{Z}/n\mathbb{Z}$. The author defines a "pseudo-addition" on a subset of $E(\mathbb{Z}/n\mathbb{Z})$. This operation can fail in some cases (which occur when one attempts to compute the multiplicative inverse of an element $u \in \mathbb{Z}/n\mathbb{Z}$ that is not a unit, so that $\gcd(u, n) > 1$), and such a failure can lead to finding a non-trivial divisor of $n$. Let $O$ denote the point $(0 : 1 : 0)$ of $\mathbb{P}^2(\mathbb{Z}/n\mathbb{Z})$, and let the subset $V_n$ of $\mathbb{P}^2(\mathbb{Z}/n\mathbb{Z})$ consist of the "finite" points together with $O$:

$$V_n = \{(x : y : 1) : x, y \in \mathbb{Z}/n\mathbb{Z}\} \cup \{O\}.$$

For $P \in V_n$ and a prime $p$ dividing $n$, $P_p$ denotes the point in $\mathbb{P}^2(\mathbb{F}_p)$ that is obtained by reducing the coordinates of $P$ modulo $p$. Notice that $P_p = O_p \Leftrightarrow P = O$. Given $n \in \mathbb{Z}_{>1}$, $a \in \mathbb{Z}/n\mathbb{Z}$ and $P, Q \in V_n$, the author designs an algorithm that either computes a non-trivial divisor $d$ of $n$, or determines a point $R \in V_n$ with the following property: if $p$ is any prime divisor of $n$ for which there exists $b \in \mathbb{F}_p$ such that

$$6(4a^3 + 27b^2) \neq 0 \text{ in } \mathbb{F}_p \text{ (with } a \text{ reduced modulo } p), \qquad P_p \in E_{a,b}(\mathbb{F}_p), \qquad Q_p \in E_{a,b}(\mathbb{F}_p),$$

then $R_p = P_p + Q_p$ in the group $E_{a,b}(\mathbb{F}_p)$.

The algorithm first attempts to compute $(x_1 - x_2)^{-1} \pmod n$ (see the group law formulae in paragraph II-A1) using the Euclidean algorithm, which outputs $d = \gcd(x_1 - x_2, n)$. If $1 < d < n$ the addition fails and a non-trivial factor of $n$ is found. If $d = 1$ the algorithm determines a point $R$ with the above property. If $d = n$ (i.e., $x_1 = x_2$ in $\mathbb{Z}/n\mathbb{Z}$, so that modulo each prime $p$ for which $P_p$ and $Q_p$ lie on the same curve $E_{a,b}(\mathbb{F}_p)$ either $P_p = Q_p$ or $P_p = -Q_p$) it attempts to compute $(y_1 + y_2)^{-1} \pmod n$, and the value $e = \gcd(y_1 + y_2, n)$ is used exactly as the value $d$, except that if $e = n$ the output is $R = O$ (i.e., $P = -Q$ in $V_n$). When $e = 1$ the slope is computed as $\lambda = (3x_1^2 + a)/(y_1 + y_2)$, which agrees with the doubling formula $(3x_1^2 + a)/(2y_1)$ modulo every $p$ with $P_p = Q_p$. If the algorithm determines a point $R$, it will be denoted by $P + Q$ and the partial binary operation on $V_n$ will be called addition. If the ordinary Euclidean algorithm is used, $O((\log n)^2)$ bit operations are performed.

Using a sequence of pseudo-additions, an algorithm that computes the following can be devised. Given $k \in \mathbb{Z}_{>0}$, $n \in \mathbb{Z}_{>1}$, $a \in \mathbb{Z}/n\mathbb{Z}$ and $P \in V_n$, it either calculates a non-trivial divisor $d$ of $n$, or determines a point $R \in V_n$ with $R_p = k \cdot P_p$ in the group $E_{a,b}(\mathbb{F}_p)$, for suitable $b$ and $p$ as for the pseudo-addition. If the algorithm determines such a point $R$, it will be denoted by $kP$ and the partial operation defined in this way is called multiplication.
