Motivation for the Elliptic Curve Method

Fix an integer $B$. If $N=pq$ with $p$ and $q$ prime and neither $p-1$ nor $q-1$ a $B$-power-smooth number, then the Pollard $(p-1)$-method is extremely unlikely to work. For example, let $B=20$ and suppose that $N=59\cdot 101 = 5959$. Note that neither  $59-1=2\cdot29$ nor $107-1=2\cdot 53$ is $B$-power-smooth. With $m=\lcm(1,2,3,\ldots,20)=232792560$, we have

$$2^m - 1 \equiv 5944\pmod{N},$$

and $\gcd(2^m-1,N)=1$, so we get nothing.

As remarked above, the problem is that $p-1$ is not $20$-power-smooth for either $p=59$ or $p=101$. However, notice that $p-2=3\cdot 19$ is $20$-power-smooth! If we could somehow replace the group $(\mathbb{Z}/p\mathbb{Z})^*$, which has order $p-1$, by a group of order $p-2$, and compute $a^m$ for an element of this new group, then we might easily split $N$. Roughly speaking, this is what Lenstra's elliptic curve factorization method does; it replaces $(\mathbb{Z}/p\mathbb{Z})^*$ by an elliptic curve $E$ over $\mathbb{Z}/p\mathbb{Z}$. The order of the group $E(\mathbb{Z}/p\mathbb{Z})$ is $p+1\pm s$ for some nonnegative integer $s<2\sqrt{p}$ (any $s$ can occur). For example, if $E$ is the elliptic curve

$$y^2 = x^3 + x + 54$$

over $\mathbb{Z}/59\mathbb{Z}$ then $E(\mathbb{Z}/59\mathbb{Z})$ is cyclic of order $57$. The set of numbers $59+1\pm s$ for $s\leq 15$ contain numbers with very small power-smoothness.

I won't describe the elliptic curve factorization method until the next lecture. The basic idea is as follows. Suppose that we wish to factor $N$. Choose an integer $B$. Choose a random point $P$ and a random elliptic curve $y^2=x^3+ax+b$ ``over $\mathbb{Z}/N\mathbb{Z}$'' that goes through $P$. Let $m=\lcm(1,2,\ldots,B)$. Try to compute $mP$ working modulo $N$ and using the group law formulas. If at some point it is necessary to divide modulo $N$, but division is not possible, we (usually) find a nontrivial factor of $N$. Something going wrong and not being able to divide is analogous to $a^m$ being congruent to $1$ modulo $p$.

More details next time!