## Elliptic Curve Factorization

### July 31, 2009

In the previous exercise we wrote a small library of functions on elliptic curves. Today we will use elliptic curves to perform integer factorization. The material in this exercise is based on a discussion in the second edition of the book *Introduction to Cryptography with Coding Theory* by Wade Trappe and Lawrence C. Washington.

It is easiest to explain the algorithm by an example. Consider the factorization of the number *n* = *pq* = 2773. To factor *n*, we choose an elliptic curve at random, let’s say *y*^{2} ≡ *x*^{3} + 4*x* + 4 (mod 2773), where the modulus is the number to be factored. Of course, this is not really an elliptic curve, because the modulus of a real elliptic curve must be prime in order for us to compute the modular inverse required to determine the slope of the line connecting two points on the curve. It is exactly that fact that the elliptic curve algorithm exploits.

Next we choose a point on the curve; in this case, the point *P* = (1,3) works fine. In practice, it is easier to choose the *a* parameter randomly on the range 0 ≤ *a* < *n*, let the point be (1,1), then the *b* parameter is just -*a*, but you can select the parameters any way you like as long as *a*, *b*, *x* and *y* are all on the range 0 ≤ *a* < *n* and the point (*x*,*y*) is on the curve.

Now we begin a series of elliptic additions. The point 2*P* is (1771,705). Next we try to calculate 3*P*, but fail. The line through the points 2*P* = (1771,705) and *P* = (1,3) is 705 – 3 divided by 1771 – 1, the rise over the run, but gcd(1770,2773) = 59, so we cannot invert 1770 to calculate the slope of the line. We have found a point that is not on the elliptic curve. Of course, that is exactly what we were trying to do; 59 is a factor of 2773 = 59 × 47.

By the Chinese remainder theorem, the curve *y*^{2} ≡ *x*^{3} + 4*x* + 4 (mod 2773) can be regarded as a pair of elliptic curves, one with modulus 59 and the other with modulus 47. Point 3*P* exists with modulus 47 but not with modulus 59. That’s how elliptic curve factorization works, allowing us to isolate the factor 59.

So the basic elliptic curve factorization algorithm is to choose a random elliptic curve (actually, a pseudo-elliptic curve) modulo the number to be factored, and a random point on the curve, then repeatedly build up multiples of the random point until the elliptic arithmetic fails, at which point the factor can be identified. The algorithm described here is a vastly simplified form of elliptic curve factorization, and is intended to teach the basic concepts rather than create a useful program; we’ll soon see a better version of the algorithm.

Your task is to write a function that performs integer factorization using the elliptic curve algorithm described above. Use your function to calculate the factors of 455839. When you are finished, you are welcome to read or run a suggested solution, or to post your solution or discuss the exercise in the comments below.