The Improvement of Elliptic Curve Factorization Method to Recover RSA’s Prime Factors

Abstract: Elliptic Curve Factorization Method (ECM) is a general-purpose factoring method used in the digital computer era. Its running time depends on the length of the modulus, and it is suited to moduli of medium length; ECM is an efficient algorithm when the length of the modulus is between 40 and 50 digits. The main costs for each iteration are the modular inverse, modular multiplication, modular square and greatest common divisor. However, compared to modular multiplication and modular square, the costs of the modular inverse and the greatest common divisor are very high. The aim of this paper is to improve ECM in order to reduce the cost of computing both the modular inverse and the greatest common divisor. The proposed method is called Fast Elliptic Curve Factorization Method (F-ECM). For every two adjacent points on the curve, only one modular inverse and one greatest common divisor are computed, which means that both of these costs are cut in half. The length of the modulus in the experiment spans from 30 to 65 bits. The experimental results show that F-ECM finishes the task faster than ECM for all cases of the modulus, and the computation time is reduced by 30 to 38 percent.


Introduction
RSA [1] is one of the most well-known cryptography algorithms in the digital computer era. It is classified as asymmetric key cryptography or public key cryptography [2]. This algorithm, which was proposed in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman, can be used to secure secret information transferred via an unsecure channel as well as to sign digital signatures. The security of RSA is based on the integer factorization problem [3,4]. As a result, when one of the two prime factors is revealed, RSA is broken. There are two types of integer factorization algorithms [5]. The first category is known as special-purpose factoring; the efficiency of each algorithm in this group is determined by the properties of the prime factors. The other group is known as general-purpose factoring, and the running time of these algorithms depends on the length of the modulus. Assuming that two strong prime factors and a 1024-bit modulus are selected, none of the proposed integer factorization algorithms can break RSA in polynomial time on a digital computer.
Elliptic Curve Cryptography (ECC) [6,7] is another public key cryptography that can be used for data security as well as digital signatures. Neal Koblitz and Victor S. Miller proposed ECC in 1985. Despite the fact that the bit-length of ECC keys is shorter, the security level is the same as RSA. ECC differs from RSA in that it is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP) [8,9,10]. Moreover, elliptic curves can be used to factor composite numbers as well; that is, they can be used to break RSA. The Lenstra Elliptic Curve Factorization, or Elliptic Curve Factorization Method (ECM), is used for this task. However, ECM requires a large number of modular inverses and greatest common divisors, which are the expensive operations. That is, it takes a significant amount of time to finish the task.
A modified method for speeding up ECM is proposed in this paper. The proposed method is known as the Fast Elliptic Curve Factorization Method (F-ECM). The main idea is to reduce the number of modular inverses and greatest common divisors in order to shorten the computation time. Even though the number of modular multiplications and modular squares is increased, these costs are very low when compared to the modular inverse and greatest common divisor.
Every classical algorithm linked to the RSA and ECC algorithms is based on the digital computer. If the digital computer era is not disrupted, they all remain effective. Therefore, F-ECM is still an efficient method for medium-length moduli in the digital computer era.
However, if the quantum computer that is being developed becomes practical, all algorithms pertaining to digital technology, including RSA, ECC and the blockchain that is controlled by cryptography, will be insecure. For example, RSA may be easily broken by using Shor's quantum algorithm [11] once a fully working quantum computer is available. As a result, if such a scenario occurs, new security algorithms based on quantum computers may be devised in order to control all technology at the time.
The rest of the paper is organized as follows. In Section 2, RSA and ECC which are public key cryptography are reviewed. Some integer factorization algorithms will be mentioned in Section 3. The overviews of quantum computing and Shor's Factoring algorithm will be mentioned in Section 4. The proposed method is presented in Section 5. Loop analysis will be discussed in Section 6. In Section 7, the experimental results about the comparison between ECM and F-ECM are shown. The conclusion is discussed in the last section.

Overviews of RSA and ECC
The idea behind public key cryptography is that the encryption and decryption processes necessitate the use of a pair of keys that are mathematically related to one another. The first key, named the public key, is made available to all group members. The owner keeps the other key, known as the private key, hidden. In fact, if one of the keys is chosen for encryption, the other must be chosen for decryption. Furthermore, for data security, the public key is used in the encryption process. In the case of digital signatures, however, the private key is used in this process. This section examines two types of public key cryptography algorithms, RSA and ECC.

RSA
RSA algorithm is a type of public key cryptography. Its security is based on the integer factorization problem. As a result, the modulus should be assigned at least 1024 bits so that intruders cannot break it rapidly. Furthermore, RSA can be used for a variety of tasks, including data security and digital signatures. For RSA, there are three processes: the key generation algorithm, the encryption and the decryption. The processes for data security are as follows:
Process 1 (Key Generation Algorithm): it is the algorithm to generate a pair of keys and the modulus. There are four steps as follows:
Step 1: Choose two prime numbers randomly, p and q
Step 2: Calculate the modulus, n = p*q, and calculate the Euler totient function, φ(n) = (p − 1)*(q − 1), using the Extended Euclidean Algorithm [12][13][14]
Step 3: Choose the public key (e) from the following conditions, 1 < e < φ(n) and gcd(e, φ(n)) = 1
Step 4: Compute the private key (d) from the following equation, e*d mod φ(n) = 1
where the public key is {e, n} and the private key is {d, n}
Process 2 (Encryption): senders must convert the original plaintext (m) into the unreadable message or the ciphertext (c). The steps are as follows:
Step 1: Receive the receiver's public key {e, n}
Step 2: Represent m as the positive integer, M, where 1 < M < n
Step 3: Encrypt M by using Equation (1):
Step 4: Send c to the receivers
Process 3 (Decryption): After receiving c, receivers can recover m by using the following steps:
Step 1: Use the private key {d, n} to decrypt c by using Equation (2):
Step 2: Transform M back into the original plaintext, m
For this system, p and q are the attackers' target, because φ(n) can be computed rapidly from them to recover d.

Elliptic Curve Cryptography
Another type of public key cryptography is Elliptic Curve Cryptography (ECC). This method comes in a variety of forms, including ECC over a Field of Characteristic Two, ECC over a Field of Characteristic Three and ECC over the Finite Field (ℤ_p), where p is a prime number. However, only ECC over the Finite Field (ℤ_p) is considered in this paper. Assuming that p is a prime number, the ECC equation over the Finite Field (ℤ_p) is y² = x³ + ax + b mod p, where 4a³ + 27b² mod p ≠ 0. Assuming that P = (xp, yp) and Q = (xq, yq) are points on the curve, the main processes for finding a new point on the curve are point addition and point doubling. There are two cases to find R = (xr, yr) = P + Q as follows:
Case 1 (P = Q): Point doubling is required.
Case 2 (P ≠ Q): Point addition is required.
Assuming that I, M, S and G represent the number of modular inverses, the number of modular multiplications, the number of modular squares and the number of greatest common divisor computations, point doubling requires 1I, 2M and 2S. On the other hand, point addition requires 1I, 2M and 1S.
Assuming that 2P + Q must be calculated, there are two ways to complete this task. The first method is to compute 2P and then 2P + Q. It requires 2I, 4M and 3S. The second technique is to compute P + Q and then compute (P + Q) + P = 2P + Q. It requires 2I, 4M and 2S. As a result, the total cost of the second method is lower than that of the first method. Therefore, choosing the best method to find the new point should also be taken into account.
In 2003, an improved technique for speeding up ECC was introduced [15]. In this technique, only Equations (7) and (8) are computed, so yr is not included. The next process is to compute S = (xs, ys) = R + P = 2P + Q from the following idea: since yr is not needed to compute R = P + Q, this result requires 1I, 1M and 1S. However, the algorithm to compute S = R + P = 2P + Q requires 1I, 2M and 1S. Therefore, the total cost to compute 2P + Q is 2I, 3M and 2S.
Assuming that Q = kP, where both Q and P are disclosed, k is the attackers' target. This problem is known as the Elliptic Curve Discrete Logarithm Problem (ECDLP). Many solutions to this problem have been proposed, including the brute force attack [16], Baby-Step-Giant-Step [17] and the Pohlig-Hellman attack [18]. In addition, an improved method to solve ECDLP [19] was proposed in 2018. This method is based on the brute force attack. To reduce the number of modular inverses, every two adjacent points are computed together. Furthermore, the y-coordinate is removed to decrease the number of modular multiplications.
Assuming that P = (x1, y1) and 2P = (x2, y2) are disclosed, there are two parts to find the new points.

Overviews of Integer Factorization Algorithms
For the RSA algorithm, d is easily recovered when both p and q are found by using some integer factorization algorithm. Since at least 1024 bits of n are assigned and its prime factors are strong in practice, there is currently no efficient algorithm that can break RSA in polynomial time on a digital computer. Several algorithms, however, are constantly being developed to solve this problem. Generally, factorization algorithms are classified into two types.

Special-Purpose Factoring
Assuming that some weak points of n or its prime factors are discovered, some algorithms that respond well to the weak point can factor n quickly, even if the length of n is large. These algorithms are organized into a category known as Special-purpose Factoring. Examples of algorithms in this group are shown below.
The simplest algorithm in this group is the trial division algorithm (TDA) [20,21]. For the division process, an initial integer is chosen as the divisor of n. If no remainder exists, this divisor is one of the two prime factors of n. Otherwise, the divisor is changed until the target is found. There are two types of TDA. In the first type, the initial divisor is 3 and it is increased while the division leaves a remainder. The other type chooses ⌊√n⌋ as the initial divisor [22] and decreases it while the result is still not the target.
In 1600, Pierre de Fermat proposed the factorization algorithm which is called Fermat's Factorization Algorithm (FFA) [23]. At that time, he found that n = p*q can also be rewritten as the following equation: FFA's goal is to find two integers whose squares differ by exactly n. Even though both p and q are large, this method is very efficient when p is very close to q. Furthermore, many FFA-modified algorithms, such as [24][25][26][27][28], were proposed to reduce the computation time.
Pollard's p − 1 algorithm [29] is another factorization algorithm in the Special-purpose Factoring group. It was proposed by John Pollard in 1974. When all prime factors of p − 1 or all prime factors of q − 1 are small, this algorithm can recover p and q very quickly.
Assuming that k! = (p − 1)*q and, according to Fermat's little theorem, a^(p−1) mod p = 1 when gcd(a, p) = 1, therefore:
a^(k!) ≡ 1 mod p (22)
Furthermore, p | a^(k!) − 1 and p | n, so gcd(a^(k!) − 1, n) = p.
In 2011, Murat Sahin presented the factorization algorithm which is called Generalized Trial Division [30]. Assuming that a ∈ ℤ, this method is very efficient when a*p is very close to n. In this method, x = ⌊√n⌋ is the initial value used to compute gcd(x, n). If the result is not equal to 1, then it is one of the two prime factors of n. Otherwise, a = x + 1 and b = x − 1 are chosen to compute gcd(a, n) and gcd(b, n), and this continues until one of the results is not equal to 1.
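The p − 1 step just described, as an added example (not code from the paper): a^(k!) mod n is built incrementally, since a^(k!) = (a^((k−1)!))^k, and gcd(a^(k!) − 1, n) is checked after every k. The modulus n = 211*1019 is constructed so that 211 − 1 = 210 = 2·3·5·7 is smooth while 1019 − 1 = 2·509 is not, which is exactly the condition the text gives for the method to succeed.

```python
from math import gcd


def pollard_p_minus_1(n, a=2, max_k=100):
    """Pollard's p-1 as described in the text: x = a^{k!} mod n is updated as
    x = x^k mod n for k = 2, 3, ..., and gcd(x - 1, n) is tested after each step.
    The first k with (p - 1) | k! for exactly one prime factor p reveals that p.
    Returns None when no factor appears by max_k or when both p-1 and q-1 divide
    the same k! (gcd == n), in which case a different base a should be tried."""
    x = a % n
    for k in range(2, max_k + 1):
        x = pow(x, k, n)            # x = a^{k!} mod n after this line
        g = gcd(x - 1, n)
        if 1 < g < n:
            return g                # p | a^{k!} - 1 and p | n  =>  gcd = p
        if g == n:
            return None             # both prime factors hit at once: no information
    return None


if __name__ == "__main__":
    # constructed modulus: 211 - 1 = 210 is 7-smooth, 1019 - 1 = 2 * 509 is not
    print(pollard_p_minus_1(211 * 1019))
```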

General-Purpose Factoring
General-purpose Factoring is a class of factorization algorithms whose performance is determined solely by the size of n. That is, the size of n is the only parameter that affects the time to finish the task. As a result, when the length of n is small, all algorithms in this group can factor n quickly. Examples of algorithms in this group are shown below.
The first algorithm is Lenstra elliptic-curve factorization or the Elliptic-curve Factorization Method (ECM) [31]. This algorithm is adapted from ECC over the finite field (ℤ_p). However, for ECM, the finite field is changed from ℤ_p to ℤ_n, where n = p*q. Therefore, the ECM equation is y² = x³ + ax + b mod n. The idea behind ECM is to keep finding new points until one cannot be calculated because no modular inverse exists. The prime factor can then be recovered from gcd(s, n), where s is the value that has no inverse mod n. Algorithm 3.1 shows the steps to recover p and q by using ECM. ECM is suitable for medium lengths of n, between 40 and 50 digits.
The next algorithm in this group is the Quadratic Sieve (QS) [32]. This algorithm is modified from FFA. QS is an efficient algorithm when the size of n is less than 100 digits. Assume that m = ⌊√n⌋ and f(a) = (a + m)² − n, where a ∈ ℤ. Then f(a) ≡ (a + m)² mod n. The main algorithm is to find a set of values whose product of prime factors can be rewritten in the following form: Y² = (p1*p2*p3*⋯*pl)², where l ∈ ℤ. Therefore, the prime factor can be calculated from p = gcd(X − Y, n).
Number Field Sieve (NFS) [33] is known as the best integer factorization algorithm at present. This method is suitable for large sizes of n. Even though the length of n is greater than 10^100, it is still efficient. NFS is also categorized into two types, the General Number Field Sieve (GNFS) and the Special Number Field Sieve (SNFS).

Overviews of Quantum Computer and Shor's Factoring
All of the algorithms mentioned in Sections 2 and 3 are designed for a digital computer. At present, there is no method or procedure that can break 2048-bit RSA in polynomial time. However, RSA, along with every other present cryptosystem, is no longer secure once a fully working quantum computer is developed.
The quantum computer is a new computer technology that processes data using quantum phenomena. The advantage of a quantum computer is that it can process data much faster. In general, the bit is the smallest unit of data in a digital computer. Assuming that a computer must evaluate 2-bit data consisting of 00, 01, 10 and 11, the digital computer can only evaluate one of the four conditions at any given time. The quantum computer's processing unit, on the other hand, is known as a Quantum Bit or Qubit. The strength of this theory is that a register of qubits holds all possible conditions at once, as many as its number of qubits allows. For instance, a quantum computer with 2 qubits can represent all 4 conditions at the same time. Consequently, the quantum computer can process data much faster than the digital computer.
In 1994, Peter Shor presented an integer factorization algorithm [11] that could be run on a quantum computer. Assuming that a quantum computer with enough qubits is developed, Shor's factorization algorithm can retrieve the prime factors of n within polynomial time. Shor's Factoring algorithm is divided into 2 parts as follows.
Part 1 (A reduction): This part is performed on the digital computer. Assuming that the order-finding problem is solved, the two prime factors of n are found. The process is as follows. First, choose a ∈ ℤ randomly and consider the sequence 1, a mod n, a² mod n, a³ mod n, ⋯. Assuming that a^r ≡ 1 mod n is found, the sequence repeats every r terms. The reason is as follows: a^(x+r) mod n = a^x * a^r mod n. Since a^r mod n = 1, then a^(x+r) mod n = a^x mod n. Assuming that r is an even number, r can be rewritten as r = 2^i * j, where j is an odd number; the next step is to compute b0 = a^j mod n. Then b0 is squared repeatedly to acquire b1, b2, b3, ⋯ until bk, the first value with bk mod n = 1. As a result, one of the two prime factors is computed from p = gcd(b(k−1) − 1, n).
Part 2 (A Quantum algorithm): The quantum computer's task in Part 1 is to find r, which is known as the period. The quantum Fourier transform is required in this part. The algorithm for this part is extensively discussed in [11].
However, to solve the factorization problem in RSA by using Shor's factoring algorithm, a huge number of quantum gates is required. Assuming that 4096-bit RSA, the largest size that current software supports, is selected to secure the information, 72 * 4096^3 or 4,947,802,324,992 quantum gates are required to recover the two prime factors in polynomial time. Therefore, RSA is still secure at present. This is also the reason that many factorization algorithms and the quantum computer are still being continuously developed.
The aim of this paper is to reduce the expensive costs in ECM. Assuming that the quantum computer is perfectly developed, the time required to finish the procedure is certainly decreased if the proposed method is applied on that quantum computer.

The Proposed Method
In this paper, a new method based on ECM is proposed to speed up the task on a digital computer. The proposed method is known as the Fast Elliptic Curve Factorization Method (F-ECM). The main idea behind F-ECM derives from integrating the method in [19] with ECC. As a result, three major costs are reduced in order to shorten the computation time: the modular inverse, the greatest common divisor and the determination of the y-coordinate on the curve.
where i ∈ ℤ and i > 4, and P, 2P, 3P and 4P are disclosed, then p and q can be found when gcd(a, n) > 1. If this condition is found, both p and q can be calculated by using the following equations: p = gcd(a, n) and q = n/p. Before using F-ECM, one of several equations for ECC over the Finite Field (ℤ_n) must be chosen first. Therefore, two algorithms are presented in this section. The first algorithm is assigned for generating ECC over the Finite Field (ℤ_n). For this algorithm, a and P = (x1, y1) are selected to find b, which saves the cost of finding a new equation. Following that, this algorithm computes 2P = (x2, y2), 3P = (x3, y3) and 4P = (x4, y4). Point doubling is selected to find 2P, whereas the method in [19] is chosen to find 3P and 4P in order to reduce the cost of computing the modular inverse without computing the y-coordinate. F-ECM is the other algorithm, used to recover p and q.

Algorithm 5.1 Generating the ECC over Finite Field
Input: n
Output: P = (x1, y1), 2P = (x2, y2), a, b, x3 (3P = (x3, y3)), x4 (4P = (x4, y4))
Before using F-ECM to recover p and q, Algorithm 5.1 is chosen to generate the new ECC over the Finite Field (ℤ_n). In this algorithm, two points on the curve must also be constructed, P and 2P. Furthermore, the x-coordinates of 3P and 4P are computed. However, F-ECM cannot proceed whenever gcd(g, n) ≠ 1 or gcd(h, n) ≠ 1.
The time required to find p and q is also determined by the chosen ECC equation. That is, when the same value of n is used with different equations, the times may be very different. However, the purpose of this paper is not to select the best equation; it compares the time required to finish between ECM and F-ECM when both use the same ECC equation.
[F-ECM algorithm listing; only these fragments are recoverable: step 12 "IF t equals 1 then", step 24 "x(i−1) ← x(i+1)", "End While", step 25 "p ← t", step 26 "q ← n/p".]
The key feature of F-ECM is that every two adjacent points are computed using the same modular inverse in each iteration. Furthermore, F-ECM does not use the y-coordinate of the points on the curve. As a result, many computation costs are reduced.

Loop Analysis
Assuming that y² = x³ + ax + b mod n is the proposed equation for recovering the two prime factors of n, P is the revealed point on the curve and a prime factor is discovered at iP, where i ∈ ℤ, the costs of both ECM and F-ECM can be calculated as follows. For ECM, computing point addition or point doubling up to iP requires i − 1 iterations. However, assuming that 2P, 3P and 4P have already been disclosed prior to using ECM, the total number of loops of ECM is i − 4. Therefore,
T_ECM_i = i − 4
T_ECM_gcd = i − 4
where T_ECM_i is the number of modular inverses when ECM is performed and T_ECM_gcd is the number of greatest common divisor computations when ECM is performed. For F-ECM, assuming that 2P, 3P and 4P have already been disclosed prior to using F-ECM, the total number of loops of F-ECM is (i − 4)/2. Therefore,
T_F-ECM_i = (i − 4)/2
T_F-ECM_gcd = (i − 4)/2 (28)
where T_F-ECM_i is the number of modular inverses when F-ECM is performed and T_F-ECM_gcd is the number of greatest common divisor computations when F-ECM is performed. Therefore, the numbers of modular inverse and gcd computations are always halved when F-ECM is used in place of ECM.
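To make the proposed method and the loop analysis above concrete, the following Python is an added example and not the paper's implementation: it runs the ECM walk P, 2P, 3P, ... over ℤ_n, where a denominator with no inverse exposes a factor through gcd, beside a walk that computes two adjacent points per iteration from one batch-inverted denominator and no y-coordinate, counting I and G for each. Assumptions: the paper's own formulas from [19] are not reproduced on this page, so the x-only step uses the standard identity x(P+Q) + x(P−Q) = (2(xP + xQ)(xP·xQ + a) + 4b)/(xP − xQ)² together with Montgomery's batch-inversion trick; the base point P = (1, 2) and the toy moduli 101·103 and 1009·1013 are constructed.

```python
from math import gcd

class FactorFound(Exception):          # a denominator was not invertible mod n
    def __init__(self, g):
        self.g = g                     # gcd(denominator, n): a factor, or n for a dead curve

def modinv(v, n, cost):
    """The ECM event: gcd first; any gcd other than 1 ends the walk. cost counts I and G."""
    cost["G"] += 1
    g = gcd(v % n, n)
    if g != 1:
        raise FactorFound(g)
    cost["I"] += 1
    return pow(v, -1, n)

def ec_add(P, Q, a, n, cost):
    """Affine P + Q on y^2 = x^3 + a*x + b over Z_n (doubling when P == Q): 1I and 1G."""
    (x1, y1), (x2, y2) = P, Q
    if P == Q:
        num, den = 3 * x1 * x1 + a, 2 * y1       # tangent slope (point doubling)
    else:
        num, den = y2 - y1, x2 - x1              # chord slope; den = 0 mod n is a dead curve
    lam = num * modinv(den, n, cost) % n
    x3 = (lam * lam - x1 - x2) % n
    return x3, (lam * (x1 - x3) - y1) % n

def ecm_walk(a, P, n, bound):
    """ECM as on this page: iP = (i-1)P + P for i = 2, 3, ..., one inverse and one gcd each."""
    cost, R = {"I": 0, "G": 0}, P
    try:
        for _ in range(2, bound + 1):
            R = ec_add(R, P, a, n, cost)
    except FactorFound as e:
        return (e.g if 1 < e.g < n else None), cost
    return None, cost

def fecm_walk(a, b, xs, n, bound):
    """x-only walk: each iteration yields x((i+1)P) = x(iP + P) and x((i+2)P) = x(iP + 2P)
    via x(P+Q) + x(P-Q) = (2(xP+xQ)(xP*xQ+a) + 4b)/(xP-xQ)^2. Both denominators are known
    before inverting, so one batch inverse serves both: 1I and 1G per TWO points."""
    x, cost, i = list(xs), {"I": 0, "G": 0}, 4   # x[k-1] is the x-coordinate of kP; xs = P..4P
    try:
        while i + 2 <= bound:
            xi, x1, x2 = x[i - 1], x[0], x[1]
            d1, d2 = (xi - x1) % n, (xi - x2) % n
            inv_both = modinv(d1 * d1 * d2 * d2, n, cost)
            inv_d1sq, inv_d2sq = inv_both * d2 * d2 % n, inv_both * d1 * d1 % n
            n1 = 2 * (xi + x1) * (xi * x1 + a) + 4 * b
            n2 = 2 * (xi + x2) * (xi * x2 + a) + 4 * b
            x.append((n1 * inv_d1sq - x[i - 2]) % n)   # x(iP + P):  P - Q here is (i-1)P
            x.append((n2 * inv_d2sq - x[i - 3]) % n)   # x(iP + 2P): P - Q here is (i-2)P
            i += 2
    except FactorFound as e:
        return (e.g if 1 < e.g < n else None), cost
    return None, cost

def factor_demo(n, bound=400, max_a=20):
    """Setup as in Algorithm 5.1: choose a and P, derive b, build 2P..4P; then run both walks.
    Returns the first a for which both walks expose a non-trivial factor, with I/G counts."""
    P = (1, 2)                                   # constructed base point; b is derived from it
    for a in range(1, max_a + 1):
        b = (P[1] ** 2 - P[0] ** 3 - a * P[0]) % n
        pts, setup = [P], {"I": 0, "G": 0}
        try:
            for _ in range(3):                   # 2P, 3P, 4P with full coordinates
                pts.append(ec_add(pts[-1], P, a, n, setup))
        except FactorFound:                      # the setup itself hit a dead curve: next a
            continue
        ecm_p, ecm_c = ecm_walk(a, P, n, bound)
        fecm_p, fecm_c = fecm_walk(a, b, [q[0] for q in pts], n, bound)
        if ecm_p and fecm_p:
            return {"a": a, "ecm_p": ecm_p, "ecm_cost": ecm_c, "fecm_p": fecm_p, "fecm_cost": fecm_c}
    return None
```

For each walk the returned dictionary reports I and G; the two-points-per-inverse walk needs at most half of ECM's counts on the same curve, which is the halving the loop analysis predicts.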

Experimental Results
The average computation time for each length of n is shown in this section. The length of n is assigned from 30 to 65 bits. All experiments were performed on a 2.53 GHz Intel® Core i5 with 8 GB of memory so that every run had the same resources. The BigInteger class in Java is chosen for the implementation because it can handle arbitrarily large integers constructed from String values. For each length, 20 values of n are generated randomly. Moreover, 10 ECC equations are generated to factor the same value of n in order to calculate the average computation time. Figure 1 depicts a time comparison between ECM and F-ECM for completing the process. For all cases of n, the experimental results show that F-ECM completes the task faster than ECM. When compared to ECM, the average computation time for each length using F-ECM is reduced by 30 to 38 percent. The largest time reduction occurs at the 65-bit length: when F-ECM is used, the task is completed in 3351 s, whereas ECM takes approximately 5420 s. However, the information in Figure 1 is hard to read because both ECM and F-ECM take only a short time when the length of n is between 30 and 55 bits. Assuming that t is the time (in seconds) required to complete the task, Figure 2 shows log(t) for each bit-length to confirm that F-ECM is faster than ECM in all cases of n.
Figure 1. For all cases of n, the results show that F-ECM is clearly faster than ECM. Based on the information in this figure, it can be confirmed that F-ECM is faster than ECM when the length of n is greater than 65 bits.

Conclusions
In this study, an improved method to find the two large prime factors of RSA is proposed. The Fast Elliptic Curve Factorization Method (F-ECM) is a variant of the Elliptic-curve Factorization Method (ECM). The idea behind F-ECM is that every two adjacent points are computed together in order to share one modular inverse computation and one greatest common divisor computation, which reduces the computation costs. In general, the algorithm requires one modular inverse to find each new point, so this cost is cut in half. Even though the number of modular multiplications is increased, their cost is very low when compared with the cost of the modular inverse. Furthermore, the y-coordinate is removed from the process in order to reduce the cost of modular multiplication. In the experiments, the length of the modulus spans from 30 to 65 bits. The experimental results show that F-ECM finishes the task faster than ECM for all cases of the modulus, and the computation time is reduced by 30 to 38 percent.