The Improvement of Elliptic Curve Factorization Method to Recover RSA’s Prime Factors

Abstract

Elliptic Curve Factorization Method (ECM) is the general-purpose factoring method used in the digital computer era. It is based on the medium length of the modulus; ECM is an efficient algorithm when the length of modulus is between 40 and 50 digits. In fact, the main costs for each iteration are modular inverse, modular multiplication, modular square and greatest common divisor. However, when compared to modular multiplication and modular square, the costs of modular inverse and greatest common divisor are very high. The aim of this paper is to improve ECM in order to reduce the costs to compute both of modular inverse and greatest common divisor. The proposed method is called Fast Elliptic Curve Factorization Method (F-ECM). For every two adjacent points on the curve, only one modular inverse and one greatest common divisor will be computed. That means it implies that the costs in both of them can be split in half. Furthermore, the length of modulus in the experiment spans from 30 to 65 bits. The experimental results show that F-ECM can finish the task faster than ECM for all cases of the modulus. Furthermore, the computation time is reduced by 30 to 38 percent.

1. Introduction

RSA [1] is one of the most well-known cryptography algorithms in the digital computer era. It is classified as asymmetric key cryptography or public key cryptography [2]. In fact, this algorithm which was proposed in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman, can be used to secure secret information transferred via an unsecure channel as well as sign digital signatures. RSA algorithm, on the other hand, is based on the integer factorization problem [3,4]. As a result, when one of the two prime factors is revealed, RSA is broken. Furthermore, there are two types of integer factorization algorithms [5]. The first category is known as special-purpose factoring. The efficiency of each algorithm in this group is determined by the properties of prime factors. The other group is known as general-purpose factoring, and the algorithms are based on the length of the modulus. Assuming that two strong prime factors and 1024 bits of the modulus are selected, none of proposed integer factorization algorithms can break RSA in polynomial time by using the digital computer.

Elliptic Curve Cryptography (ECC) [6,7] is another public key cryptography that can be used for data security as well as digital signature. In addition, Neal Koblitz and Victor S. Miller proposed ECC in 1985. Despite the fact that the bit-length of ECC is shorter, the security level is the same as RSA. ECC, on the other hand, differs from RSA in which it is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP) [8,9,10]. Moreover, Elliptic Curve can be used to factor the composite number as well. That is, it is possible to break RSA. The Lenstra Elliptic Curve Factorization or Elliptic Curve Factorization Method (ECM) is used for this task. However, ECM requires a large number of modular inverses and greatest common divisors, which are known as the expensive costs. That is, it takes a significant amount of time to finish the task.

The modified method for speeding up ECM is proposed in this paper. In fact, the proposed method is known as the Fast Elliptic Curve Factorization Method (F-ECM). The main idea is to reduce the number of modular inverses and greatest common divisors in order to shorten the computation time. Even though the number of modular multiplications and modular squares are increased, these costs are very low when compared to modular inverse and greatest common divisor.

In fact, every classical algorithm linked to the RSA and ECC algorithms is the digital computer-based. If the digital computer era is not disrupted, they are all still effective. Therefore, it implies that F-ECM is still an efficient method for the medium length of the modulus in the digital computer era.

However, if the quantum computer that is being developed becomes practical, all algorithms pertaining to digital technology, including RSA, ECC and the block chain that is controlled by cryptography, will be insecure. For example, RSA may be easily broken by using Shor’s quantum algorithm [11] when the quantum computer is completely used. As a result, if such a scenario occurs, new security algorithms based on quantum computers may be devised in order to control all technology at the time.

The rest of the paper is organized as follows. In Section 2, RSA and ECC which are public key cryptography are reviewed. Some integer factorization algorithms will be mentioned in Section 3. The overviews of quantum computing and Shor’s Factoring algorithm will be mentioned in Section 4. The proposed method is presented in Section 5. Loop analysis will be discussed in Section 6. In Section 7, the experimental results about the comparison between ECM and F-ECM are shown. The conclusion is discussed in the last section.

2. Overviews of RSA and ECC

The idea behind public key cryptography is that the encryption and decryption processes necessitate the use of a pair of keys that are mathematically related to one another. The first key, named the public key, is made available to all group members. The owner keeps the other key, known as the private key, hidden. In fact, if one of the keys is chosen for encryption, the other must be chosen for decryption. Furthermore, for data security, the public key is used in the encryption process. In the case of digital signatures, however, the private key is used in this process. This section examines two types of public key cryptography algorithms, RSA and ECC.

2.1. RSA

RSA algorithm is a type of public key cryptography. Its security is based on the integer factorization problem. As a result, it should be assigned at least 1024 bits to avoid intruders attacking rapidly. Furthermore, RSA can be used for a variety of tasks, including data security and digital signatures. For RSA, there are three processes: the key generation algorithm, the encryption and the decryption. However, the processes for data security are as follows:

Process 1 (Key generation Algorithm): it is the algorithm to generate a pair of keys and the modulus. There are four steps as follows:

Step 1: Choose two prime numbers randomly, p and q

Step 2: Calculate the modulus, n = p ∗ q, and calculate the Euler totient function, ${\Phi }\left(n\right)$ = (p − 1) ∗ (q − 1), using the Extended Euclidean Algorithms [12,13,14]

Step 3: Choose the public key (e) from the following conditions, 1 < e < ${\Phi }\left(n\right)$ and gcd (e, ${\Phi }\left(n\right)$) = 1

Step 4: Compute the private key (d) from the following equation, e ∗ d mod ${\Phi }\left(n\right)$ = 1

Where, the public key is {e, n} and the private key is {d, n}

Process 2 (Encryption): senders must convert the original plaintext (m) into the unreadable message or the ciphertext (c). There are three steps as follows:

Step 1: Receive the receiver’s public key {e, n}

Step 2: Represent m as the positive integer, M, where 1 < M < n

Step 3: Encrypt M by using the Equation (1):

$$c=M^e\mathrm{mod} n$$

(1)

Step 4: Send c to receivers

Process 3 (Decryption): After receiving c, receivers can recover m by using the following steps:

Step 1: Use the private key {d, n} to decrypt c by using the Equation (2):

$$M=c^d\mathrm{mod} n$$

(2)

Step 2: Transform M as the original plaintext, m

For this system, p and q are the attackers’ target, because ${\Phi }\left(n\right)$ can be computed rapidly to recover d.

2.2. Elliptic Curve Cryptography

Another type of public key cryptography is Elliptic Curve Cryptography (ECC). This method comes in a variety of forms, including ECC over Field of Characteristic Two, ECC over Field of Characteristic Three and ECC over Finite Field (${\mathbb{Z}}_p$), where p is a prime number. However, only ECC over Finite Field (${\mathbb{Z}}_p$) is focused in this paper. Assuming that p is a prime number, the ECC’s equation over Finite Field (${\mathbb{Z}}_p$) is as follows:

$$y^2=x^3+ax+b \mathrm{mod} p$$

(3)

where, 4a³ + 27b² mod $p\ne 0$.

Assuming that $P=(x_p,y_p)$ and $Q=(x_q,y_q)$ are the points on the curve, the main processes for finding the new point on the curve are point addition and point doubling. In fact, there are two cases to find $R=(x_r,y_r)=P+Q$ as follows:

Case 1 (P = Q): Point doubling is required:

$$m=\frac{3x_p{}^2+a}{2y_p} \mathrm{mod} p$$

(4)

$$x_r=m^2-2x_p \mathrm{mod} p$$

(5)

$$y_r=m(x_p-x_r)-y_p \mathrm{mod} p$$

(6)

Case 2 (P$\ne$Q): Point addition is required:

$$m=\frac{y_q-y_p}{x_q-x_p} \mathrm{mod} p$$

(7)

$$x_r=m^2-x_q-x_p \mathrm{mod} p$$

(8)

$$y_r=m(x_p-x_r)-y_p \mathrm{mod} p$$

(9)

Assuming that I, M, S and G are represented as the number of modular inverses, number of modular multiplications, number of modular squares and number of greatest common divisor computations, point doubling requires 1I, 2M and 2S. On the other hand, point addition requires 1I, 2M and 1S.

Assuming that 2P + Q must be calculated, there are two ways to complete this task. The first method is to compute 2P and then 2P + Q. It requires 2I, 4M and 3S. The second technique is to compute P + Q and then compute $(P+Q)+P=2P+Q$. It requires 2I, 4M and 2S. As a result, the total costs of the second method are lower than those of the first method. Therefore, choosing the best method to find the new point should also be taken into account.

In 2003, an improved technique for speeding up ECC was introduced [15]. However, only Equations (7) and (8) are computed, then y_r is not included. The next process is to compute S = (x_s, y_s) = R + P = 2P + Q from the following idea:

First, compute $m=\frac{y_r-y_p}{x_r-x_p} \mathrm{mod} p$

From (6),

$$\begin{gathered} m=\frac{m^{\prime }(x_p-x_r)-y_p-y_p}{x_r-x_p} \mathrm{mod} p \\ \frac{m^{\prime }(x_p-x_r)-2y_p-y_p}{x_r-x_p} \mathrm{mod} p \end{gathered}$$

Therefore,

$$m=-m^{\prime }-\frac{2y_p}{x_r-x_p} \mathrm{mod} p$$

(10)

where, m′ = $\frac{y_q-y_p}{x_q-x_p}$ mod p

Since y_r is not included to compute $R=P+Q$, this result requires 1I, 1M and 1S. However, the algorithm to compute $S=R+P=2P+Q$ requires 1I, 2M and 1S. Therefore, the total costs to compute 2P + Q are 2I, 3M and 2S.

Assuming that Q = kP, where both of Q and P are disclosed, k is the attackers’ target. This problem is known as the Elliptic Curve Discrete Logarithm Problem (ECDLP). In fact, many solutions to solve this problem have been proposed, including brute force attack [16], Baby-Step-Giant-Step [17] and Pohlig-Hellman attack [18]. In addition, the improved method to solve ECDLP [19] was proposed in 2018. This method is based on brute force attack. To reduce the number of modular inverses, every two adjacent points will be computed together. Furthermore, the y-coordinate is removed to decrease number of modular multiplications.

Assuming that $P=(x_1,y_1)$ and $2P=(x_2,y_2)$ are disclosed, there are two parts to find the new points.

Part 1: Algorithm to find the x-coordinate of $3P=(x_3,y_3)$ and the x-coordinate of $4P=(x_4,y_4)$,

$$I=\frac{1}{2y_2\ast (x_2-x_1)}$$

(11)

$$m_3=(y_2-y_1)\ast 2y_2\ast I$$

(12)

$$m_4=(x_2-x_1)\ast (3x_2^2+a)\ast I$$

(13)

Therefore, the x-coordinate of 3P and 4P can be computed from (14) and (15),

$$x_3=m_3^2-x_2-x_1$$

(14)

$$x_4=m_4^2-2x_2$$

(15)

Part 2: Algorithm to find the x-coordinate of aP = (x_a, y_a) and x-coordinate of (a + 1) P = (x_(a+1), y_(a+1)), where a > 4,

$$I=\frac{1}{(x_{(i-1)}-x_2)\ast (x_{(i-2)}-x_2)}$$

(16)

$$m_i=(m_{(i-2)}\ast (x_2-x_{(i-2)})-2y_2)\ast I\ast (x_{(i-1)}-x_2)$$

(17)

$$m_{(i+1)}=(m_{(i-1)}\ast (x_2-x_{(i-1)})-2y_2)\ast I\ast (x_{(i-2)}-x_2)$$

(18)

Therefore, the x-coordinate of aP and (a + 1)P can be computed from (19) and (20),

$$x_i=m_i^2-x_2-x_{(i-2)}$$

(19)

$$x_{(i+1)}=m_{(i+1)}^2-x_2-x_{(i-2)}$$

(20)

From the Equations (11)–(15) and the Equations (16)–(20), it implies that the modular inverse is shared by every two adjacent points. Furthermore, the y-coordinate is not taken into account in the calculation.

3. Overviews of Integer Factorization Algorithms

For RSA algorithm, d is easily recovered when both of p and q are found by using some integer factorization algorithms. Since at least 1024 bits of n are assigned and its prime factors are strong in practice, there is currently no efficient algorithm that can break RSA algorithm in polynomial time by using the digital computer. Several algorithms, however, are constantly being developed to solve this problem. Generally, factorization algorithms are classified into two types.

3.1. Special-Purpose Factoring

Assuming that some weak points of n or its prime factors are discovered, some algorithms that respond well to the weak point can factor n quickly, even if the length of n is large. These algorithms are organized into a category known as Special-purpose Factoring. The example of algorithms in this group are shown as below:

The simplest algorithm in this group is the trial division algorithm (TDA) [20,21]. For the division process, the initial integer is chosen as the divisor of n. If no remainder exists, this divisor is one of the two prime factors of n. The divisor, on the other hand, is changed until the target is found. In fact, there are two types of TDA. The first type is that the initial divisor is 3 and it is increased when the result has the remainder. The other is to choose $\lfloor \sqrt{n}\rfloor$ as the initial divisor [22] and it must be decreased when the result is not still the target.

In 1600, Pierre de Fermat proposed the factorization algorithm which is called Fermat’s Factorization Algorithm (FFA) [23]. In that time, he found that n = p ∗ q can be also rewritten as the following equation:

$$n={(\frac{p+q}{2})}^2-{(\frac{p-q}{2})}^2$$

(21)

In fact, FFA’s goal is to find two integers whose difference in perfect square numbers is equal to n. Even though both of p and q are large, this method is very efficient when p is very close to q. Furthermore, many FFA-modified algorithms, such as [24,25,26,27,28], were proposed to reduce computation time.

Pollard’s p − 1 algorithm [29] is another factorization algorithm in Special-purpose Factoring group. It was proposed by John Pollard in 1974. When all prime factors of p − 1 or all prime factors of q − 1 are small, this algorithm can recover p and q very quickly. Assuming that $k!=(p-1)\ast q$ and according to Fermat’s little theorem, a^p–1 mod p = 1 and gcd(a, p) = 1, therefore:

$$\begin{gathered} a^{k!}\equiv a^{(p-1)\ast q} \mathrm{mod} p \\ \mathrm{Or}, a^{k!}\equiv 1 \mathrm{mod} p \end{gathered}$$

(22)

Furthermore, p|a^k! − 1 and p | n, then gcd(a^k! − 1, n) = p

In 2011, Murat Sahin presented the factorization algorithm which is called Generalized Trial Division [30]. Assuming that a$\in {\mathbb{Z}}^{+}$, this method is very efficient when a ∗ p is very close to. $\sqrt{n}$ In fact, x =$\lfloor \sqrt{n}\rfloor$ is the initial value to compute gcd(x, n). If the result is not equal to 1, then it is one of two prime factors of n. On the other hand, a = x + 1 and b = x − 1 are chosen to compute gcd(a, n) and gcd(b, n) until one of the results which is not equal to 1 is found.

3.2. General-Purpose Factoring

General-purpose Factoring is a class of factorization algorithms whose performance is determined solely by the size of n. That is, the size of n is only a parameter that affects to time to finish the task. As a result, when the length of n is small, all algorithms in this group can factor n quickly. The example of algorithms in this group are shown as below:

The first algorithm is Lenstra elliptic-curve factorization or Elliptic-curve Factorization Method (ECM) [31]. In fact, this algorithm is applied from ECC over finite field (${\mathbb{Z}}_p$). However, for ECM, the finite field is changed from ${\mathbb{Z}}_p$ as ${\mathbb{Z}}_n$, where n = p ∗ q. Therefore, the ECM’ s equation is shown below:

$$y^2=x^3+ax+b \mathrm{mod} n$$

(23)

The idea behind ECM is to find the new point until it cannot be calculated, there is no modular inverse. The prime factor can be recovered from gcd(s, n), where $s\in \mathbb{Z}$.

Algorithm 1 is shown the steps to recover p and q by using ECM.

Algorithm 1 ECM

Input:n, P = (x1, y1)

Output:p, q 1. s ← 2 ∗ y1 mod n 2. t ← gcd(s, n) 3. IF t equals to 1 then 4. I ← s−1 mod n 5. m ← (3 ∗ $x_1^2$ + a) ∗ I mod n 6. xt ← m2 − 2 ∗ x1 mod n 7. yt ← m(x1 − xt) − y1 mod n 8. Else 9. Jumping to step 23 10. End IF 11. While True Do 12. s ← (xt − x1) mod n 13. t ← gcd(s, n) 14. IF t equals to 1 then 15. I ← s−1 mod n 16. m ← (yt − y1) ∗ I mod n 17. xt ← m2 − xt − x1 mod n 18. yt ← m(x1 − xt) − y1 mod n 19. Else 20. Jumping to Step 23 21. End IF 22. End While 23. p ← t 24. q ← n/p

In fact, ECM is suitable for the medium length of n which is between 40 and 50 digits.

The next algorithm in this group is Quadratic Sieve (QS) [32]. This algorithm is modified from FFA. In addition, QS is an efficient algorithm when size of n is less than 100 digits. Assuming that m = $\lfloor \sqrt{n}\rfloor$ and $f(a)={(a+m)}^2-n$, where a$\in \mathbb{Z}$. Then, it implies that $f(a)\equiv {(a+m)}^2 \mathrm{mod} n$. The main algorithm is to find $X^2=f(a_1)\ast f(a_2)\ast \dots \ast f(a_k)$, where k$\in \mathbb{Z}$, that the multiplication of their prime factors can be rewritten as the following form: $Y^2={(p_1\ast p_2\ast p_3\ast \dots \ast p_l)}^2$, where l$\in \mathbb{Z}$. Therefore,

$$X^2\equiv Y^2 \mathrm{mod} n$$

(24)

Therefore, the prime factor can be calculated from $p=\gcd (X-Y,n)$.

Number Field Sieve (NFS) [33] is known as the best integer factorization algorithm at present. This method is suitable for a large size of n. Even though the length of n is greater than 10¹⁰⁰, it is still efficient. In fact, NFS is also categorized into two types, General Number Field Sieve (GNFS) and Special Number Field Sieve (SNFS).

4. Overviews of Quantum Computer and Shor’s Factoring

In fact, all of algorithms that mentioned in the Section 2 and Section 3 are developed algorithms on a digital computer. At present, there is currently no method or procedure that can break 2048 bits of RSA in a polynomial time. However, RSA along with every other present cryptosystem, is no longer secure if the a fully efficient quantum computer is developed in that time.

The quantum computer is a new computer technology that processes data using quantum phenomena. The advantage of a quantum computer is that it can process data much faster. In general, bit is the smallest unit of data in a digital computer. Assuming that computer must evaluate 2-bit data consisting of 00, 01, 10 and 11, the digital computer can only evaluate one of the four conditions in any given time. The quantum computer’s processing unit, on the other hand, is known as a Quantum Bit or Qubit. The strength of this theory is that it gathers all potential conditions as well as the amount of qubits. For instance, a quantum computer with 2-qubit size will be able to divide as 4 conditions at the same time. Consequently, it indicates that the quantum computer can process data much quicker than the digital computer.

In 1994, Peter Shor presented integer factorization algorithm [11] that could be run on a quantum computer. Assuming that a quantum computer with various qubits is developed, Shor’s factorization algorithm can retrieve the prime factor of n within a polynomial time. In fact, Shor’s Factoring algorithm is divided into 2 sections as follows.

Part1 (A reduction): This part is performed on the digital computer. Assuming that the order-finding problem is solved, two prime factors of n are found. The process is as follows. First, choose $a\in \mathbb{Z}$ randomly and consider the sequence 1, $a \mathrm{mod} n$, $a^2 \mathrm{mod} n$, $a^3 \mathrm{mod} n$, ⋯. Assuming that $a^r\equiv 1 \mathrm{mod} n$ is found, it implies that the sequence repeats every r term. The reason is as follows:

$$a^{x+r} \mathrm{mod} n=a^x\ast a^r \mathrm{mod} n$$

Since $a^r \mathrm{mod} n=1$, then:

$$a^{x+r} \mathrm{mod} n=a^x \mathrm{mod} n$$

Assuming that r is an even number, then r can be rewritten as r = 2^i∗j, where j is an odd number, then the next step is to compute b₀ = a^j mod n. The next step is to square b₀ to acquire b₁, b₂, b₃, ⋯ until b_k is the last value that $b_k \mathrm{mod} n\ne 1$. As a result, one of two prime factors is computed from $p=\gcd (b_k-1,n)$.

Part 2 (A Quantum algorithm): The quantum computer’s algorithm in part 1 is to find r which is known as the period. In addition, quantum Fourier transform is required in this part. However, the algorithm explored in this section is extensively discussed in [11].

However, to solve factorization problem in RSA by using Shor’s factoring algorithm, huge amount of quantum gates is required. Assuming that 4096-bit RSA which is the most current software supports is selected to secure the information, 72 ∗ 4096³ or 4,947,802,324,992 quantum gates is required to recover two prime factors in polynomial time. Therefore, RSA is still secure at present. In addition, it is the reason that many factorization algorithms and the quantum computer are still continuously developed.

In fact, the aim of this paper is to reduce the expensive costs in ECM. Assuming that the quantum computer is perfectly developed, the time required to finish the procedure is certainly decreased if the proposed method is applied in this quantum computer.

5. The Proposed Method

In this paper, the new method based on ECM is proposed to speed up the task by using the digital computer. The proposed method is known as the Fast Elliptic Curve Factorization Method (F-ECM). The main idea behind F-ECM derives from integrating the method in [19] with ECC. As a result, three major tasks are limited in order to reduce computation time. In fact, all of them are modular inverse, greatest common divisor and the determining y-coordinate on the curve.

Let a = (x_(i−1) − x₂) ∗ (x_(i−2) − x₂), where i$\in {\mathbb{Z}}^{+}$ and i > 4, and P, 2P, 3P and 4P are disclosed, then p and q can be found when gcd(a, n) > 1. In fact, if this condition is found, both of p and q can be calculated by using the following equations: p = gcd(a, n) and q = n/p.

Before using F-ECM, one of several equations for ECC over Finite Field (${\mathbb{Z}}_n$) must be chosen at first. Therefore, two algorithms are presented in this section. The first algorithm is assigned for generating ECC over Finite Field (${\mathbb{Z}}_n$). For this algorithm, a and P = (x₁, y₁) are selected to find b to save the cost to find the new equation. Following that, this algorithm computes 2P = (x₂, y₂), 3P = (x₃, y₃) and 4P = (x₄, y₄). In fact, point doubling is selected to find 2P whereas the method in [19] is chosen to find 3P and 4P in order to reduce the cost to compute modular inverse without computing the y-coordinate. F-ECM is the other algorithm used to retrieve recover p and q.

Before using F-ECM to recover p and q, Algorithm 2 is chosen to generate the new ECC over Finite Field (${\mathbb{Z}}_n$). In this algorithm, two points on the curve must be also constructed, both of which are P and 2P. Furthermore, the x-coordinates of 3P and 4P are computed. However, F-ECM may not be implemented whenever gcd(g, n) $\ne 1$ or gcd(h, n) $\ne 1$.

Algorithm 2 Generating the ECC over Finite Field

Input:n

Output: P = (x1, y1), 2P = (x2, y2), a, b, x3 (3P = (x3, y3)), x4 (4P = (x4, y4)), m3, m4 1. Generating the point P = (x1, y1) randomly, where x1, y1$\in {\mathbb{Z}}_n$ 2. Generating a$\in {\mathbb{Z}}_n$ randomly 3. b ← ($y_1^2-x_1^3-ax$) mod n 4. t ← 4a3 + 27b2 mod n 5. IF t equals to 0 then 6. Back to Step 1 7. End IF 8. g ← 2y1 mod n 9. IF gcd(g, n) equals to 1 then 10. Computing 2P = (x2, y2) by using point doubling 11. h ← (2y2) ∗ (x2 − x1) mod n 12. IF gcd(h, n) equals to 1 then 13. m ← h−1 mod n 14. m3 ← (y2 − y1) ∗ m ∗ 2y2 mod n 15. x3 ← $m_3^2-x_2-x_1$ mod n 16. m4 ← (x2 − x1) ∗ m ∗ ($3x_2^2$ + a) mod n 17. x4 ← $m_4^2-2x_2$ mod n 18. End IF 19. EndIF

In fact, the time required to find p and q is also determined by using the ECC’s equation. That is, when the same value of n is used in different equations, the time may be very different. However, the purpose of this paper is not related to select the best equation. In fact, it compares the time required to finish between ECM and F-ECM (Algorithm 3), which both use the similar ECC’s equation.

Algorithm 3 F-ECM

Input:n, P = (x1, y1), 2P = (x2, y2), a, b, x3, x4, m3, m4

Output:p, q 1. Y2 ← 2 ∗ y2 mod n 2. x(i−2) ← x3 3. x(i−1) ← x4 4. m(i−2) ← m3 5. m(i−1) ← m4 6. While True Do 7. X1 ← x2 − x(i−1) mod n 8. X2 ← x2 − x(i−2) mod n 9. s ← X1 ∗ X2 mod n 10. t ← gcd(s, n) 11. IF t equals to 1 then 12. I ← s−1 mod n 13. mi ← (m(i−2) ∗ X2 − Y2) ∗ I ∗ (−X1) mod n 14. m(i+1) ← (m(i−1) ∗ X1− Y2) ∗ I ∗ (−X2) mod n 15. xi ← $m_i^2$ − x(i−2) − x2 mod n 16. x(i+1) ← $m_{(i+1)}^2$ − x(i−1) − x2 mod n 17. Else 18. Jumping to Step 25 19. End IF 20. m(i−2) ← mi 21. m(i−1) ← m(i+1) 22. x(i−2) ← xi 23. x(i−1) ← x(i+1) 24. End While 25. p ← t 26. q ← n/p

The key feature of F-ECM is that every two adjacent points are computed by using the same modular inverse in each iteration. Furthermore, F-ECM does not include the y-coordinate of the point on the curve. As a result, many computation costs are reduced.

While the processes in loop are considered, the number of M, S, I and G, when t = 1 are as follows:

Step 9: requiring 1 M

Step 10: requiring 1 G

Step 12: requiring 1 I

Step 13: requiring 3 M

Step 14: requiring 3 M

Step 15: requiring 1 S

Step 16: requiring 1 S

Therefore, each loop, F-ECM requires 1I, 7M, 2S and 1G

Example 1: Assuming that n = 33233, finding ECC’s equation over Finite Field (${\mathbb{Z}}_n$) by using Algorithm 2

Sol: From Algorithm 2,

Step 1: P = (241, 227), x₁ = 241, y₁ = 227

Step 2: a = 37

Step 3: b = (227² − 241³ − (37)(241)) mod 33,233 = 2951

Step 4: t = 4(37³) + 27(2951²) mod 33,233 = 6566

Step 5–7: Since t $\ne$ 0, continue to Step 8

Step 8: g = 2(227) mod 33,233 = 454

Step 9: Since gcd(454, 33233) = 1, continue to Step 10

 Step 10: 2P = (23,424, 10,611), x₂ = 23,424, y₂ = 10,611

 Step 11: h = 2(10,611)(23,424 − 241) mod 33,233 = 8294

 Step 12: Since gcd(8294, 33,233) = 1, continue to Step 13

  Step 13: m = 8294⁻¹ mod 33,233 = 1166

  Step 14: m₃ = (10,611 − 227) ∗ 1166 ∗ 2(10,611) mod 33,233 = 32,564

  Step 15: x₃ = (32,564² − 23,424 − 241) mod 33,233 = 25,100

  Step 16: m₄ = (23,424 − 241) ∗ 1166 ∗ (3(23,424)² + 37) mod 33,233 = 26,386

  Step 17: x₄ = (26,386² − 2(23,424)) mod 33,233 = 26,386 = 9264

Therefore, the equation is: y² = x³ + 37x + 2951 mod 33,233 where 2P = (23,424, 10,611) is the point on the curve, x₃ = 25,100 is the coordinate x of 3P and x₄ = 9264 is the coordinate x of 4P. In fact, once all of the output parameters in Algorithm 2 have been identified, they are used as input for F-ECM to recover p and q.

Example 2: Assuming that $P=(x_1,y_1)$, $2P=(x_2,y_2)$, x₃, x_4, m₃ and m₄ are disclosed (see in Example 1), factoring n = 33,233 by using F-ECM with the following ECC’s equation: y² = x³ + 37x + 2951 mod 33,233

Sol: From F-ECM,

 Step 1: Y₂ = 2 ∗ 10,611 mod 33,233 = 21,222

 Step 2: x_(i−2) = x₃ = 25,100

 Step 3: x_(i−1) = x₄ = 9264

 Step 4: m_(i−2) = m₃ = 32,564

 Step 5: m_(i−1) = m₄ = 26,386

 Steps 6–24: Process in Loop

 Loop 1:

Step 7: X₁ = 23,424 − 9264 mod 33,233 = 14,160

Step 8: X₂ = 23,424 − 25,100 mod 33,233 = 31,557

 Step 9: s = 14,160 ∗ 31,557 mod 33,233 = 29,435

 Step 10: t = gcd(29,435, 33,233) = 1

 Since t = 1, the process is in the condition (Steps 11–16)

 Step 12: I = 29,435⁻¹ mod 33,233 = 16,634

 Step 13: m_i = (32,564 ∗ 31,557 − 21,222) ∗ 16,634 ∗ (−14,160) mod 33,233 = 22,349

 Step 14: m_(i+1) = (26,386 ∗ 14,160 − 21,222) ∗ 16,634 ∗ (−31,557) mod 33,233 = 19,677

 Step 15: x_i = 22,349² − 25,100 − 23,424 mod 33,233 = 3753

 Step 16: x_(i+1) = 19,677² − 9264 − 23,424 mod 33,233 = 20,424

Steps 20–23: m_(i−2) = 22,349, m_(i−1) = 19,677, x_(i−2) = 3753, x_(i−1) = 20,424

Loop 2:

Step 7: X₁ = 23,424 − 20,424 mod 33,233 = 3000

Step 8: X₂ = 23,424 − 3753 mod 33,233 = 19,671

 Step 9: s = 3000 ∗ 19,671 mod 33,233 = 24,425

 Step 10: t = gcd(24,425, 33,233) = 1

 Since t = 1, the process is in the condition (Steps 11–16)

 Step 12: I = 24,425⁻¹ mod 33,233 = 21,978

 Step 13: m_i = (22,349 ∗ 19,671– 21,222) ∗ 21,978 ∗ (−3000) mod 33,233 = 21,042

 Step 14: m_(i+1) = (19,677 ∗ 3000 − 21,222) ∗ 21,978 ∗ (−19,671) mod 33,233 = 1001

 Step 15: x_i = 21,042² − 3753 − 23,424 mod 33,233 = 8561

 Step 16: x_(i+1) = 1001² − 20,424 − 23,424 mod 33,233 = 27,629

Steps 20–23: m_(i−2) = 21,042, m_(i−1) = 1001, x_(i−2) = 8561, x_(i−1) = 27,629

Loop 3:

Step 7:X₁ = 23,424 − 27,629 mod 33,233 = 29,028

Step 8:X₂ = 23,424 − 8561 mod 33,233 = 14,863

 Step 9: s = 29,028 ∗ 14,863 mod 33,233 = 12,358

 Step 10: t = gcd(12,358, 33,233) = 167

 Since t = 167, then jumping to Step 25

 Step 25: p = 167

 Step 26: q = 33,233/167 = 199

Therefore, 167 and 199 are two prime factors of n = 33,233.

Table 1. Comparison about costs in Example 2 between F-ECM and ECM.

Algorithm	Computation Costs
	I	M	S	G
F-ECM	2	15	4	3
ECM	5	10	5	6

displays the costs of Example 2. It is shown that t = 1 in the first and second iterations, and t = 167 in the third iteration. Therefore, total costs are 2I, 15M, 4S and 3G. However, if ECM is considered, where P, 2P, 3P and 4P are already disclosed, it requires 5I, 10M, 5S and 6G. Despite the fact that ECM has less M than F-ECM, F-ECM is quicker than ECM because the most expensive costs are modular inverse and greatest common divisor.

Example 3: Assuming that $P=(x_1,y_1)$= (179, 157), $2P=(x_2,y_2)$= (6910, 5868), x₃ = 13,813, x₄ = 1906 m₃ = 5659 and m₄ = 30,371 are disclosed, factoring n = 33,233 by using F-ECM with the following ECC’s equation: y² = x³ + 61x + 27,700 mod 33,233

Sol: From F-ECM,

 Step 1–5: Y₂ = 11,736, x_(i−2) = 13,813, x_(i−1) = 1906, m_(i−2) = 5659, m_(i−1) = 30,371

 Steps 6–24: Process in Loop

 Loop 1:

Step 7–10: X₁ = 5004, X₂ = 26,330, s = 19,708, t = 1

 Since t = 1, the process is in the condition (Steps 11–16)

 Step 12–16: I = 19,957, m_i = 27,269, m_(i+1) = 1908, x_i = 22,496, x_(i+1) = 9251

  Steps 20–23: m_(i−2) = 27,269, m_(i−1) = 1908, x_(i−2) = 22,496, x_(i−1) = 9251

Loop 2:

Step 7–10: X₁ = 30,892, X₂ = 17,647, s = 30,225, t = 1

 Since t = 1, the process is in the condition (Steps 11–16)

 Step 12–16: I = 22,461, m_i = 6701, m_(i+1) = 8876, x_i = 9445, x_(i+1) = 5005

  Steps 20–23: m_(i−2) = 6701, m_(i−1) = 8876, x_(i−2) = 9445, x_(i−1) = 5005

Loop 3:

Step 7–10: X₁ = 1905, X₂ = 30,698, s = 22,843, t = 1

 Since t = 1, the process is in the condition (Steps 11–16)

 Step 12–16: I = 886, m_i = 2694, m_(i+1) = 3743, x_i = 29,720, x_(i+1) = 7041

  Steps 20–23: m_(i−2) = 2694, m_(i−1) = 2694, x_(i−2) = 29,720, x_(i−1) = 7041

Loop 4:

Step 7–10: X₁ = 33,102, X₂ = 10,423, s = 30,373, t = 1

 Since t = 1, the process is in the condition (Steps 11–16)

 Step 12–16: I = 23,205, m_i = 17,458, m_(i+1) = 15,955, x_i = 31,757, x_(i+1) = 16,527

  Steps 20–23: m_(i−2) = 17,458, m_(i−1) = 15,955, x_(i−2) = 31,757, x_(i−1) = 16,527

Loop 5:

Step 7–10: X₁ = 23,616, X₂ = 8386, s = 8329, t = 1

 Since t = 1, the process is in the condition (Steps 11–16)

 Step 12–16: I = 8008, m_i = 9087, m_(i+1) = 3195, x_i = 17,363, x_(i+1) = 15,290

  Steps 20–23: m_(i−2) = 9087, m_(i−1) = 3195, x_(i−2) = 17,363, x_(i−1) = 15,290

Loop 6:

Step 7–10: X₁ = 24,853, X₂ = 22,780, s = 27,185, t = 1

 Since t = 1, the process is in the condition (Steps 11–16)

 Step 12–16: I = 5896, m_i = 27,747, m_(i+1) = 22,232, x_i = 29,291, x_(i+1) = 31,681

  Steps 20–23: m_(i−2) = 27,747, m_(i−1) = 22,232, x_(i−2) = 29,291, x_(i−1) = 31,681

Loop 7:

Step 7–10: X₁ = 8462, X₂ = 10,852, s = 6845, t = 1

 Since t = 1, the process is in the condition (Steps 11–16)

 Step 12–16: I = 164,49, m_i = 20,946, m_(i+1) = 27,937, x_i = 23,115, x_(i+1) = 26,839

  Steps 20–23: m_(i−2) = 20,946, m_(i−1) = 27,937, x_(i−2) = 23,115, x_(i−1) = 26,839

Loop 8:

Step 7–10: X₁ = 13,304, X₂ = 17,028, s = 24,384, t = 1

 Since t = 1, the process is in the condition (Steps 11–16)

 Step 12–16: I = 24,967, m_i = 30,204, m_(i+1) = 28,538, x_i = 5741, x_(i+1) = 9030

  Steps 20–23: m_(i−2) = 30,204, m_(i−1) = 28,538, x_(i−2) = 5741, x_(i−1) = 9030

Loop 9:

Step 7–10: X₁ = 31113, X₂ = 1169, s = 14,195, t = 167

 Since t = 167, then jumping to Step 25

 Step 25: p = 167

 Step 26: q = 33,233/167 = 199

Therefore, 167 and 199 are two prime factors of n = 33,233.

Table 2. Comparison about costs in Example 3 between F-ECM and ECM.

Algorithm	Computation Costs
	I	M	S	G
F-ECM	8	57	16	9
ECM	16	32	16	17

displays the costs of Example 3. It is shown that t = 1 is between 1^st iteration to 8th iteration, and t = 167 in 9th iteration. Therefore, total costs are 8I, 57M, 16S and 9G. However, if ECM is considered, where P, 2P, 3P and 4P are already disclosed, it requires 16I, 32M, 16S and 17G. Despite the fact that ECM has less M than F-ECM, F-ECM is quicker than ECM because the most expensive expenses are modular inverse and greatest common divisor.

According to examples 2 and 3, even though the total costs from each example are different, the costs of F-ECM are always less than the costs of ECM.

6. Loop Analysis

Assuming that $y^2=x^3+ax+b \mathrm{mod} n$ is the proposed equation for recovering two prime factors of n, P is the revealed point on the curve and a prime factor is discovered in iP, where i$\in {\mathbb{Z}}_n$, the costs for both of ECM and F-ECM can be calculated as follows:

For ECM, to compute point addition or point doubling, i − 1 iterations are required. However, assuming that 2P, 3P and 4P have already been disclosed prior to using ECM, the total loops of ECM are i − 4.

Therefore,

$$T_{ECM\_i}=(i-4)-1$$

(25)

$$T_{ECM\_gcd}=i-4$$

(26)

where, T_{ECM_i} is numbers of modular inverse when ECM is performed.

T_{ECM_gcd} is numbers of computing greatest common divisor when ECM is performed.

For F-ECM, assuming that 2P, 3P and 4P have already been disclosed prior to use F-ECM, the total loops of F-ECM are (i − 4)/2. Therefore,

$$T_{F-ECM\_i}=\frac{(i-4)}{2}-1$$

(27)

$$T_{F-ECM\_gcd}=\frac{(i-4)}{2}$$

(28)

where, T_{F-ECM_i} is numbers of modular inverse when F-ECM is performed.

T_{F-ECM_gcd} is numbers of computing greatest common divisor when F-ECM is performed.

Therefore, the number of modular inverse and gcd computations is always reduced by twice when F-ECM is used in place of ECM for implementation.

7. Experimental Results

The average computation time for each length of n is shown in this section. In this section, the length of n is assigned from 30 to 65 bits. Furthermore, all experiments were performed on a 2.53 GHz Intel^® Core i5 with 8 GB memory to control the same resource. BigInteger class in Java is chosen for implementation because it can manage an infinite number of integers generated by the String class. For each length, 20 values of n are generated randomly. Moreover, 10 equations of ECC are generated to factor the same value of n in order to calculate the average computation time.

Figure 1 depicts a time comparison between ECM and F-ECM for completing the process. For all cases of n, the experimental results show that F-ECM can complete the task faster than ECM. When compared to ECM, the average computation time for each length using F-ECM is reduced by 30 to 38 percent. The greatest time decreased is actually 65 bits in length. When F-ECM is used, the task is completed in 3351 s. ECM, on the other hand, takes approximately 5420 s.

However, the information in Figure 1 is unclear because both ECM and F-ECM take only a short time when the length of n is between 30 and 55. Assuming that t is the time (in seconds) required to complete the task, Figure 2 shows log(t) for each bit to confirm that F-ECM is faster than ECM in all cases of n.

Figure 2 depicts a comparison of log(t) results for ECM and F-ECM. In fact, it is based on the results shown in Figure 1. For all cases of n, the results show that F-ECM is clearly faster than ECM. Based on the information in this figure, it can be confirmed that F-ECM is faster than ECM when the length of n is greater than 65 bits.

8. Conclusions

In this study, the improved method to find two large prime factors of RSA is proposed. The Fast Elliptic Curve Factorization Method (F-ECM) is a variant of the Elliptic-curve Factorization Method (ECM). The idea behind F-ECM is that every two adjacent points will be computed together in order to share a modular inverse computing and greatest common divisor computing to reduce computation costs. In general, the algorithm requires one modular inverse to find a new point. That is, this cost is cut in half. Even though number of modular multiplications are increased, the cost for this algorithm is very low when it is compared with the cost for modular inverse. Furthermore, the y-coordinate is removed from the process in order to reduce the cost of computing modular multiplication and the length of modulus spans from 30 to 65 bits. The experimental results show that F-ECM can finish the task faster than ECM for all cases of modulus. Furthermore, the computation time is reduced by 30 to 38 percent.