The Elliptic Curve Method (ECM)

The following description of the algorithm is taken from Lenstra's paper [Factoring Integers with Elliptic Curves, Annals of Mathematics, 126, 649-673], which you can download from the Math 124 web page.

Cohen and Lenstra

``The new method is obtained from Pollard's $(p-1)$-method by replacing the multiplicative group by the group of points on a random elliptic curve. To find a non-trivial divisor of an integer $n>1$, one begins by selecting an elliptic curve $E$ over $\mathbb{Z}/n\mathbb{Z}$, a point $P$ on $E$ with coordinates in $\mathbb{Z}/n\mathbb{Z}$, and an integer $k$ as above [ $k=\lcm(2,3,\ldots,B)$]. Using the addition law of the curve, one next calculates the multiple $k\cdot P$ of $P$. One now hopes that there is a prime divisor $p$ of $n$ for which $k\cdot P$ and the neutral element $\O$ of the curve become the same modulo $p$; if $E$ is given by a homogeneous Weierstrass equation $y^2 z = x^3 + axz^2 + bz^3$, with $\O =(0:1:0)$, then this is equivalent to the $z$-coordinate of $k\cdot P$ being divisible by $p$. Hence one hopes to find a non-trivial factor of $n$ by calculating the greatest common divisor of this $z$-coordinate with $n$.''

If the above algorithm fails with a specific elliptic curve $E$, there is an option that is unavailable with Pollard's $(p-1)$-method. We may repeat the above algorithm with a different choice of $E$. The number of points on $E$ over $\mathbb{Z}/p\mathbb{Z}$ is of the form $p+1-t$ for some $t$ with $\vert t\vert<2\sqrt{p}$, and the algorithm is likely to succeed if $p+1-t$ is $B$-power-smoth.

Suppose that $P=(x_1,y_1)$ and $Q=(x_2,y_2)$ are nonzero points on an elliptic curve $y^2 = x^3 + ax + b$ and that $P\neq \pm Q$. Let $\lambda = (y_1-y_2)/(x_1-x_2)$ and $\nu = y_1 - \lambda x_1$. Recall that $P+Q = (x_3,y_3)$ where

$$x_3 = \lambda^2 -x_1 - x_2$$   and$$\qquad y_3 = -\lambda x_3 - \nu.$$

If we do arithmetic on an elliptic curve modulo $N$ and at some point we can not compute $\lambda$ because we can not compute the inverse modulo $N$ of $x_1-x_2$, then we (usually) factor $N$.