Oregon State University
Masters Paper
Improving Lenstra’s Elliptic Curve Method
Author:
Lukas Zeller
Advisor:
Holly Swisher
August 2015
Abstract
In this paper we study an important algorithm for integer factorization: Lenstra’s Elliptic
Curve Method. We first discuss how and why this method works and then draw from
various research papers to demonstrate how it can be improved. In order to achieve this,
we take a look at the torsion subgroup of elliptic curves and review methods for how to
generate elliptic curves with prescribed torsion.
Contents
Abstract i
Contents ii
1 Preface 1
1.1 Introduction 1
1.2 Acknowledgements 3
2 Elliptic Curves 4
2.1 Historical Background 4
2.2 Basic Vocabulary 5
2.3 The Group Law 9
3 Lenstra’s Elliptic Curve Method 14
3.1 Preliminaries 14
3.1.1 Euclidean Algorithm 15
3.1.2 Fermat’s Little Theorem 18
3.1.3 Fast Powering Algorithm 18
3.2 Pollard’s p − 1 Algorithm 20
3.2.1 Why Pollard’s p − 1 Algorithm works 21
3.3 Lenstra’s Elliptic Curve Method (ECM) 21
3.3.1 Why Lenstra’s ECM works 25
3.4 Comparing Trial Division, Pollard’s p − 1, and Lenstra’s ECM 26
4 The Torsion Subgroup 27
4.1 Nagell-Lutz Theorem 28
4.2 Mordell’s Theorem 28
4.3 Mazur’s Theorem 29
4.4 Generalizing Mordell’s and Mazur’s Theorem 29
4.5 Hasse’s Theorem 32
ii
Contents iii
4.5.1 Why Lenstra’s ECM works (continued) 32
4.6 Example 34
5 Constructing Elliptic Curves with prescribed Torsion or larger Rank 38
5.1 Methods for finding curves with prescribed torsion 38
5.1.1 The method of Dujella and Najman 39
5.2 Ranks of Elliptic Curves 40
6 Summary and Conclusion 42
Chapter 1
Preface
“Strong cryptography can resist an unlimited application of violence. No amount of coercive
force will ever solve a math problem.”
Julian Assange, A Call to Cryptographic Arms
1.1 Introduction
Elliptic curves have wide applications in many areas, most notably cryptography and number theory. In number theory, for instance, they were used in Andrew Wiles’ proof of Fermat’s Last Theorem. On the other hand, elliptic curves are used for a variant of public-key cryptography, fittingly named Elliptic Curve Cryptography. Then again, an application to both number theory and cryptography is Lenstra’s Elliptic Curve Method, one of the fastest algorithms used to find prime factors of large integers.
Cryptography is the study of encrypting information. The goal is to transform the information in such a way that it becomes unrecognizable, infeasible to decrypt by an adversary, and easy to decrypt by the intended recipient. The significance of integer factorization in the area of cryptography is that it is considered a “difficult” problem. To be more precise, it is a prime example – pun intended – of a so-called one-way function. One-way functions are easy to compute in one direction, in our case this would mean multiplying two integers, and nearly impossible to reverse in reasonable time, in our case this would mean finding the prime divisors of a random integer. This type of function is useful in cryptography, and in fact the entirety of online security is based on the difficulty of reversing one-way functions. The most prominent algorithm in public-key cryptography is the RSA method, which can be broken if the prime factors of the public key are known. The public key is a large semi-prime, an integer with exactly two prime factors and of size 100 digits. If we tried for all prime numbers up to 50 digits whether they divide the public key in order to find a prime factor, this would take us several billions of years – even using the fastest computers available today. So next to a certain fascination with prime numbers there is a strong incentive to study integer factorization in the modern day world: efficient factorizing algorithms can compromise one’s online privacy, so it is important to know which algorithms exist, how they work, and how well they perform.
One short example: given n = 8051, we could find prime factors of n by trying 2, 3, 5, etc. In doing so, we would reach p = 83 after 23 steps and find that 8051 = 83 · 97. Notice that $83 \cdot 97 = (90 - 7)(90 + 7) = 90^2 - 7^2 = 8051$. We can generalize this insight by realizing that in fact any odd integer can be written as the difference of squares¹, that is for any odd integer n we have that $n = a^2 - b^2$ for some integers a and b. Equivalently, $n + b^2 = a^2$. This form suggests that if we can find an integer b such that $n + b^2$ is square, then we can deduce two factors of n. With n = 8051, we try b = 1, 2, 3, ... until we reach b = 7 and find $8051 + 7^2 = 8100 = 90^2$. This yields the factors 90 − 7 = 83 and 90 + 7 = 97 in only 7 steps.
The above method is called Fermat Factorization and works particularly well if n is semi-prime with two factors near $\sqrt{n}$. Over the years, further algorithms and more general-purpose methods have been developed, but they are too plentiful to mention, let alone discuss. In this discussion, we focus on Lenstra’s Elliptic Curve Method (ECM). For this, we first demonstrate how elliptic curves form additive groups, and later dive deeper into the theory behind elliptic curves. We will see how the torsion subgroup of an elliptic curve affects its usefulness for ECM, and how we can create elliptic curves with prescribed torsion.
¹ In the case of odd primes, $p = p \cdot 1 = \left(\frac{p+1}{2} + \frac{p-1}{2}\right)\left(\frac{p+1}{2} - \frac{p-1}{2}\right) = \left(\frac{p+1}{2}\right)^2 - \left(\frac{p-1}{2}\right)^2$.
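The two procedures just described, Trial Division and Fermat Factorization, carried out in Python. This is an added example and not part of the thesis; the function names trial_division and fermat_factor are our own. Both return the number of steps taken, so the counts of 23 and 7 quoted above for n = 8051 can be checked, and fermat_factor also covers the two boundary cases the text touches on: a perfect square (b = 0) and an odd prime, where the search ends at b = (p − 1)/2 with the trivial factorization 1 · p of footnote 1.

```python
from math import isqrt


def _is_prime(m):
    """Small helper used only to enumerate the primes that Trial Division tries."""
    if m < 2:
        return False
    for d in range(2, isqrt(m) + 1):
        if m % d == 0:
            return False
    return True


def trial_division(n):
    """Trial Division: test the primes 2, 3, 5, ... up to sqrt(n) in turn and
    stop at the first one dividing n. Returns (p, steps), where steps is the
    number of primes tried. If no prime up to sqrt(n) divides n, n is prime."""
    steps = 0
    p = 2
    while p * p <= n:
        if _is_prime(p):
            steps += 1
            if n % p == 0:
                return p, steps
        p += 1
    return n, steps


def fermat_factor(n):
    """Fermat Factorization for an odd integer n >= 3: try b = 1, 2, 3, ...
    until n + b^2 is a perfect square a^2, so that n = (a - b)(a + b).
    Returns (a - b, a + b, steps); steps equals the final b.
    A perfect square is caught first (b = 0). For an odd prime p the loop
    ends at b = (p - 1)/2 with the trivial factorization 1 * p."""
    if n % 2 == 0 or n < 3:
        raise ValueError("Fermat factorization needs an odd integer >= 3")
    a = isqrt(n)
    if a * a == n:
        return a, a, 0
    b = 0
    while True:
        b += 1
        s = n + b * b
        a = isqrt(s)
        if a * a == s:
            return a - b, a + b, b


if __name__ == "__main__":
    print(trial_division(8051))   # 83 found after 23 primes
    print(fermat_factor(8051))    # 83 * 97 found after 7 steps
```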
This paper is largely self-contained. Some basic understanding in ring theory as well as
some enthusiasm for the wonderful world of prime numbers, however, is required.
1.2 Acknowledgements
My greatest thanks go to my advisor Holly Swisher for her ongoing support and invaluable
feedback. She helped me stay focused and showed me numerous ways to improve the paper
beyond the scope of the initial draft. There is so much more to be said about this topic,
there are so many more research papers to be read and written, but with her help I feel like
I’ve created a nice window into the world of elliptic curves.
Special thanks go to my mother for the repeated spell checking and introducing me to
elliptic curves – I couldn’t and almost certainly wouldn’t have done it without you.
Not least, I want to thank my girlfriend for all her patience and love. As fascinating as the
abstract world of elliptic curves is, I wouldn’t have been able to see this through without
her keeping me connected to “the real world”.
Chapter 2
Elliptic Curves
This chapter gives a brief introduction to elliptic curves and illustrates how they form additive groups. An illustrative way of doing this is by plotting the real points on an elliptic curve and geometrically motivating the group law.
2.1 Historical Background
Even though their name might suggest otherwise, elliptic curves actually look nothing like ellipses. They are, however, closely related to ellipses in that elliptic curves arose from studying the arc length of ellipses. The arc length of an ellipse is computed by integrating the square root of a cubic or quartic polynomial, f(x), so the integrand can be written as $y = \sqrt{f(x)}$. This yields our object of interest, a curve of the form $y^2 = f(x)$ where f(x) is a cubic polynomial. We give a formal definition in Section 2.2.
To illustrate what these curves look like, the real values for four different curves of the form $y^2 = x^3 + ax + b$ are plotted in Figure 2.1. Note that the first curve has a cusp and the third curve has a self-intersection. These curves are called singular and will be excluded from our formal definition later. Further, the non-singular curves have either one or two components.
Chapter 2. Elliptic Curves 5
Figure 2.1: Elliptic curves with cusp, two components, a self intersection, one component.
2.2 Basic Vocabulary
Definition 2.1. Let R be a ring. The characteristic of R, denoted char(R), is the smallest positive integer n such that $\sum_{i=1}^{n} 1_R = 0_R$. If there exists no such integer n, then char(R) = 0.
Example 2.1.
• Any field K containing Q has char(K) = 0.
• For a finite field $\mathbb{F}_p$ with p prime, char($\mathbb{F}_p$) = p.
• The ring Z/nZ has characteristic n.
Remark 2.2. In fact, for any field K we have that char(K) = 0 or char(K) = p for some
prime p.
Definition 2.3. Let K be a field. We say that K is a perfect field if either K has characteristic 0, or, when K has characteristic p > 0, then $K^p := \{x^p \mid x \in K\} = K$.
Example 2.2. Any finite field or any infinite field K with char(K) = 0, such as Q,R,C,
is perfect. An imperfect field can be neither, so it must be an infinite field with positive
characteristic. For example, the field k(X) of all rational functions in X with char(k) > 0
is imperfect.
Definition 2.4. Let K be a perfect field. The projective n-space over K, denoted $\mathbb{P}^n(K)$, is the set of all (n+1)-tuples $(x_0, \dots, x_n) \in K^{n+1}$ such that at least one $x_i$ is non-zero, modulo the equivalence relation given by
$$(x_0, \dots, x_n) \sim (y_0, \dots, y_n) \iff \text{there exists a non-zero constant } c \in K \text{ such that } x_i = c\,y_i \text{ for all indices } i.$$
In other words, x ∼ y when x and y are scalar multiples of one another.
In the following, we let n = 2, and call $\mathbb{P}^2(K)$ the projective plane. Further, we write (x : y : z) for the equivalence class of $(x, y, z) \in \mathbb{P}^2(K)$. The colon suggests that only the ratios between x, y, and z matter. To illustrate this, consider K = R. Any two points $P_1 = (x_1, y_1, z_1)$, $P_2 = (x_2, y_2, z_2)$ on a line through the origin are scalar multiples of one another, so $P_1 \sim P_2$. That is, $(x_1, y_1, z_1) = c\,(x_2, y_2, z_2)$ for some c ≠ 0, so the ratio $(x_1 : y_1 : z_1)$ is the same as $(x_2 : y_2 : z_2)$. Therefore, each equivalence class in $\mathbb{P}^2(\mathbb{R})$ defines a line through the origin, and conversely, for every line through the origin, any non-zero point is in the same equivalence class. Note that there is no corresponding line for (0 : 0 : 0), since $(0 : 0 : 0) \notin \mathbb{P}^2(\mathbb{R})$ by our definition.
Definition 2.5. A projective plane curve $C_F$ over a field K is the set of solutions to the polynomial equation $C_F : F(X, Y, Z) = 0$, where $F \in K[X, Y, Z]$ is a non-constant polynomial with all terms having the same degree.
Example 2.3.
• The curve $C_F : X + Y + Z = 0$ describes a plane in $\mathbb{R}^3$.
• The curve $C_G : XY + Y^2 - YZ = 0$ describes two intersecting planes, namely Y = 0 and X + Y − Z = 0, in $\mathbb{R}^3$.
• The curve $C_H : X^3 + X^2Z - XYZ + XZ^2 - Y^2Z - YZ^2 + Z^3 = 0$ describes an elliptic curve (see below).
Definition 2.6. A point P = (a, b, c) on a projective plane curve $C_F$ is a singular point if all partial derivatives of F vanish at P, i.e.
$$\frac{dF}{dX}(P) = \frac{dF}{dY}(P) = \frac{dF}{dZ}(P) = 0.$$
A curve containing a singular point is called a singular curve, a curve containing no singular points is called a non-singular curve.
Definition 2.7. An elliptic curve E is a nonsingular projective plane curve of degree 3 over a field K, denoted E/K. The curve is given by a Weierstrass equation of the form
$$E : Y^2Z + a_1XYZ + a_3YZ^2 = X^3 + a_2X^2Z + a_4XZ^2 + a_6Z^3. \qquad (2.1)$$
The set of all points on E/K is denoted
$$E(K) = \{(X : Y : Z) \in \mathbb{P}^2(K) \mid X, Y, Z \text{ satisfy } (2.1)\}.$$
Note that O = (0 : 1 : 0) is the only point on E/K with Z = 0, so it is customary to set Z = 1 for all other points. The point O is called the point at infinity.
In the context of this paper, we will focus on the fields R and Q, as well as finite fields and rings with large characteristic. In particular, the fields we consider don’t have characteristic 2 or 3. This allows us to rewrite (2.1) as follows:
Lemma 2.8. Let E be an elliptic curve over a field K with char(K) ≠ 2, 3. Then E can be written in the form
$$E : y^2 = x^3 + Ax + B, \qquad (2.2)$$
with A, B ∈ K.
Proof. From (2.1), we get
$$Y^2/Z^2 + a_1XY/Z^2 + a_3Y/Z = X^3/Z^3 + a_2X^2/Z^2 + a_4X/Z + a_6$$
by dividing through by $Z^3$. Since O is the only point on E for which Z = 0, we ignore this point at the moment and include it again later. Let x = X/Z, y = Y/Z, then
$$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6. \qquad (2.3)$$
Now, if char(K) ≠ 2, then we may replace y in (2.3) by $y = (y - a_1x - a_3)/2$ (division by 2 isn’t possible when char(K) = 2) to complete the square. Then
$$y^2 = 4x^3 + b_2x^2 + 2b_4x + b_6, \qquad (2.4)$$
where $b_2 = a_1^2 + 4a_2$, $b_4 = 2a_4 + a_1a_3$, and $b_6 = a_3^2 + 4a_6$.
Finally, if char(K) ≠ 3, then we can replace x by $(x - 3b_2)/36$ and y by $y/108$ (division by $36 = 2^2 \cdot 3^2$ or $108 = 2^2 \cdot 3^3$ isn’t possible if char(K) ∈ {2, 3}) to eliminate the $x^2$ term and obtain
$$y^2 = x^3 - 27c_4x - 54c_6, \qquad (2.5)$$
where $c_4 = b_2^2 - 24b_4$ and $c_6 = -b_2^3 + 36b_2b_4 - 216b_6$. Setting $A = -27c_4$ and $B = -54c_6$ then yields (2.2).
For non-singularity of E, we need only check that the discriminant $\Delta = -16(4A^3 + 27B^2)$ is nonzero. In this case, $x^3 + Ax + B$ has three distinct roots. This ensures that the curve is non-singular and thus has no cusps, self-intersections, or isolated points.
Since for all K we consider char(K) ≠ 2, 3, we may use the representations (2.1) and (2.2) interchangeably – though it does involve quite a bit of algebra to transform the coefficients from one representation to the other. For simplicity, most of our curves will be represented in the form (2.2), for which E(K) now denotes the set
$$E(K) = \{(x, y) \in K^2 \mid x, y \text{ satisfy } (2.2)\} \cup \{O\}.$$
Note that we needed to explicitly include O. This is because an elliptic curve E/K lies in the projective plane $\mathbb{P}^2(K)$; without O, however, E(K) contains only points in the affine plane $K^2$. The point O lies on the line at infinity (in projective coordinates the line Z = 0), which can be thought of as a circle surrounding $K^2$. Augmenting $K^2$ with this line yields the projective plane and, in a sense, completes the affine plane, as now parallel lines intersect at a single point on the line at infinity. In this sense, diametrically opposite points on the circle are equivalent, since parallel lines stretch in two directions. In particular, O = −O. We will elaborate on the properties of O in the next section.
Remark 2.9. It also makes sense to define an elliptic curve over a ring R and then consider
E(R). However, the group law we are about to describe for elliptic curves over fields will
fail to work for those points or elements of rings that have no multiplicative inverses. We
will make use of this in Lenstra’s Elliptic Curve Algorithm (see Chapter 3.3).
2.3 The Group Law
Recall that a group is a set G, together with an operation ∗, which satisfies these properties:
• Associativity of ∗: For any a, b, c in G we have that a ∗ (b ∗ c) = (a ∗ b) ∗ c.
• Identity element of G: In G there is an element e such that for any a ∈ G we have that a ∗ e = e ∗ a = a. The element e is called the identity element of G.
• Inverse elements in G: For each element a ∈ G there is an element $a^{-1} \in G$ such that $a * a^{-1} = a^{-1} * a = e$. The element $a^{-1}$ is called the inverse element of a.
Further, an abelian group is a group that satisfies the following property.
• Commutativity of ∗: For any a, b ∈ G we have that a ∗ b = b ∗ a.
Let $E : y^2 = x^3 + ax + b$ be an elliptic curve. We show that the set of all real points on E, that is $E(\mathbb{R}) = \{(x, y) \in \mathbb{R}^2 \mid y^2 = x^3 + ax + b\} \cup \{O\}$, forms an abelian group together with an addition operation that we will define next. From this, inverse elements follow in a natural way. Furthermore, the point at infinity, O, will be the identity element.
Let P, Q be points on E. The idea behind addition performed on points of elliptic curves is a geometric one: in order to add P and Q, first draw a line through them. The line intersects the curve in a third point, P ∗ Q. The sum of P and Q is now defined to be P + Q := −(P ∗ Q) (see Figure 2.2). This already gives us that P + Q = Q + P, since the line through P and Q is the same as the line through Q and P.
Figure 2.2: Visualization of point addition on an elliptic curve.
Here, if P = (x, y) is a point on E, then −P = (x,−y) results from reflecting P across the
x-axis. Since E is symmetric across the x-axis, −P is also on E. This allows us to define
point subtraction in a very simple way: P −Q = P + (−Q).
We claim that any line in the plane intersects E at three (not necessarily distinct) points.
Figure 2.3: Possible line intersections.
Perhaps the most obvious scenario is when the line intersects the curve in three distinct
points, as in the first image in Figure 2.3. In this case, P +Q = −R.
Similarly, we can draw a line tangent to a point on the curve that intersects the curve at
another point, as in the second image in Figure 2.3. Here, the line intersects the curve twice
at Q, so P +Q = −Q and Q+Q = −P .
We can also draw a vertical line that intersects the curve at seemingly only two points, as
in the third image in Figure 2.3. However, there is another intersection at O, so P + Q =
−O = O. Note that Q = −P , so P + Q = P + (−P ) = P − P = O works out nicely.
Similarly, P + O = −Q = −(−P ) = P , so we can use point addition, subtraction, and
O on elliptic curves just as we would use addition, subtraction, and 0 with integers. This
simultaneously covers the second and third property of the Group Law: there is an identity
element, O, and any point P ∈ E(K) has the inverse element −P ∈ E(K).
Remark 2.10. We won’t cover associativity, as it is much more elaborate to illustrate. A
proof can be found in [20], p. 18-21.
Finally, we can draw a vertical line that is tangent to a point on the curve, like in the
last image in Figure 2.3. This line intersects the curve twice at P and once at O, so
P + P = P − P = O.
We’ve illustrated point addition, the role of O as the identity element, inverse elements in
E(K), and our claim that any line intersects an elliptic curve at three points geometrically –
but in order to use this for Lenstra’s Elliptic Curve Method and our later discussion, we need
to develop formulas to compute the described addition both algebraically and efficiently.
We use the formulas given in [20], Chapter I Section 4. These formulas can be used for any
two points on an elliptic curve other than O or additive inverses. In this case, we just use
that P +O = P and P − P = O for any point P ∈ E(K).
Let $E : y^2 = x^3 + ax + b$ be an elliptic curve. Given two distinct points $P_1, P_2 \in E(K)$, we wish to find $P_1 + P_2$. We assume that $P_1 \neq -P_2$ and that neither point is O. Let
$$P_1 = (x_1, y_1), \quad P_2 = (x_2, y_2), \quad P_1 * P_2 = (x_3, y_3), \quad P_1 + P_2 = (x_3, -y_3).$$
The line through $P_1$ and $P_2$ has the equation $y = \lambda x + \nu$, where
$$\lambda = \frac{y_2 - y_1}{x_2 - x_1} \quad \text{and} \quad \nu = y_1 - \lambda x_1 = y_2 - \lambda x_2. \qquad (2.6)$$
In order to find the third point of intersection, $-P_3 = (x_3, y_3)$, we note that
$$y_3 = \lambda x_3 + \nu \quad \text{and} \quad y_3^2 = x_3^3 + ax_3 + b$$
must both hold. Thus, we consider the equation
$$y^2 = (\lambda x + \nu)^2 \overset{!}{=} x^3 + ax + b.$$
Then
$$0 = x^3 - \lambda^2x^2 + (a - 2\lambda\nu)x + (b - \nu^2).$$
This is a cubic equation in x, and we know that its three roots $x_1, x_2, x_3$ are precisely the x-coordinates where the line through $P_1$ and $P_2$ intersects E. Thus,
$$(x - x_1)(x - x_2)(x - x_3) = x^3 - \lambda^2x^2 + (a - 2\lambda\nu)x + (b - \nu^2).$$
We now solve for $x_3$ in terms of $x_1$ and $x_2$ by equating coefficients to obtain
$$x_3 = \lambda^2 - x_1 - x_2 \quad \text{and} \quad y_3 = \lambda x_3 + \nu.$$
We summarize our results:
Lemma 2.11. (Point Addition Formulas) Let $E : y^2 = x^3 + ax + b$ be an elliptic curve over a field K, char(K) ≠ 2, 3. Further, let $P_1 = (x_1, y_1), P_2 = (x_2, y_2) \in E(K)$. Let λ and ν be as in (2.6). Then
1. $P_i = O \Rightarrow P_1 + P_2 = P_{3-i}$ for i = 1, 2
2. $P_1 = -P_2 \Rightarrow P_1 + P_2 = O$
3. $P_1, P_2 \neq O,\ P_1 \neq \pm P_2 \Rightarrow P_1 + P_2 = (x_3, y_3) = (\lambda^2 - x_1 - x_2,\ \lambda x_3 + \nu)$
Now, if $P_1 = P_2$, we compute the tangent line at $P_1$ by observing that $y^2 = f(x)$ gives
$$2y\,\frac{dy}{dx} = f'(x),$$
so then
$$\lambda = \frac{dy}{dx} = \frac{f'(x)}{2y} = \frac{3x^2 + a}{2y}.$$
From this, we find
Lemma 2.12. (Duplication Formula) Let E/K be an elliptic curve like before with a point P = (x, y). We denote the x and y coordinate of 2P as x(2P) and y(2P), respectively. Then
$$x(2P) = \frac{x^4 - 2ax^2 - 8bx + a^2}{4x^3 + 4ax + 4b} \quad \text{and} \quad y(2P) = \lambda\,(x - x(2P)) - y.$$
Corollary 2.13. Let E/Q be an elliptic curve, then E(Q) is an abelian group.
Proof. By our discussion in this section, E(R) is an abelian group. Note that O ∈ E(Q), so E(Q) ≠ ∅. Further, let $E : y^2 = x^3 + ax + b$ be the representation of E and P = (c, d), Q = (e, f) ∈ E(Q). Then −Q = (e, −f) ∈ E(Q), and in order to compute P − Q, let
$$\lambda = \frac{-f - d}{e - c} \quad \text{and} \quad \nu = d - \lambda c.$$
Note that λ, ν ∈ Q. If P = Q, then P − Q = O ∈ E(Q). If P = −Q, then P − Q = 2P and
$$x(2P) = \frac{c^4 - 2ac^2 - 8bc + a^2}{4c^3 + 4ac + 4b} \in \mathbb{Q} \quad \text{and} \quad y(2P) = \lambda\,(c - x(2P)) - d \in \mathbb{Q},$$
so again P − Q ∈ E(Q). Finally, if P ≠ ±Q, then
$$x(P + Q) = \lambda^2 - c - e \in \mathbb{Q} \quad \text{and} \quad y(P + Q) = \lambda \cdot x(P + Q) + \nu \in \mathbb{Q},$$
so P − Q ∈ E(Q) in either case. By the Subgroup Criterion, E(Q) is a subgroup of E(R) and as such an abelian group.
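The point addition and duplication formulas of this section, implemented with exact rational arithmetic (Python’s fractions.Fraction) so that the computations behind Corollary 2.13 can be carried out literally in E(Q). This is an added example, not code from the thesis. The class name EllipticCurveQ, the curve $y^2 = x^3 + 17$ and its rational points (−2, 3), (−1, 4), (2, 5) are our own constructed test data. Following the definition P + Q := −(P ∗ Q) at the start of the section, the code computes the third intersection point (x₃, λx₃ + ν) and then reflects it across the x-axis; the tangent slope (3x² + a)/(2y) is used when the two points coincide, and the x-coordinate of 2P is cross-checked against the Duplication Formula of Lemma 2.12.

```python
from fractions import Fraction

O = None  # the point at infinity, used as the identity element


class EllipticCurveQ:
    """E : y^2 = x^3 + a x + b over Q; points are (Fraction, Fraction) or O."""

    def __init__(self, a, b):
        self.a, self.b = Fraction(a), Fraction(b)
        # Non-singularity check from Lemma 2.8: the discriminant must be nonzero.
        if -16 * (4 * self.a**3 + 27 * self.b**2) == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 = 0")

    def contains(self, P):
        if P is O:
            return True
        x, y = P
        return y * y == x**3 + self.a * x + self.b

    def neg(self, P):
        """-P is the reflection of P across the x-axis; -O = O."""
        if P is O:
            return O
        x, y = P
        return (x, -y)

    def add(self, P, Q):
        """Point addition P + Q as described in Section 2.3."""
        if P is O:
            return Q
        if Q is O:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and y1 == -y2:
            return O                        # P = -Q, vertical line through O
        if x1 == x2:                        # P = Q: tangent slope (3x^2 + a)/(2y)
            lam = (3 * x1 * x1 + self.a) / (2 * y1)
        else:                               # chord slope from (2.6)
            lam = (y2 - y1) / (x2 - x1)
        nu = y1 - lam * x1
        x3 = lam * lam - x1 - x2            # x-coordinate of the third intersection
        y_star = lam * x3 + nu              # its y-coordinate on the line: P * Q
        return (x3, -y_star)                # P + Q := -(P * Q)

    def mul(self, k, P):
        """Scalar multiple kP (k >= 0) by repeated doubling and adding."""
        R, Q = O, P
        while k > 0:
            if k & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            k >>= 1
        return R

    def x_double_formula(self, x):
        """x(2P) from the Duplication Formula (Lemma 2.12), for cross-checking."""
        a, b = self.a, self.b
        return (x**4 - 2 * a * x * x - 8 * b * x + a * a) / (4 * x**3 + 4 * a * x + 4 * b)


def demo():
    # Constructed example: E : y^2 = x^3 + 17 with three of its rational points.
    E = EllipticCurveQ(0, 17)
    P = (Fraction(-2), Fraction(3))
    Q = (Fraction(-1), Fraction(4))
    R = (Fraction(2), Fraction(5))
    assert all(E.contains(T) for T in (P, Q, R))
    P3 = E.mul(3, P)
    return {
        "P+Q": E.add(P, Q),                                    # (4, -9)
        "2P": E.add(P, P),                                     # (8, -23)
        "3P": (str(P3[0]), str(P3[1])),                        # ('19/25', '522/125')
        "3P on curve": E.contains(P3),
        "duplication formula agrees": E.x_double_formula(P[0]) == E.add(P, P)[0],
        "associative": E.add(E.add(P, Q), R) == E.add(P, E.add(Q, R)),
        "P + (-P) = O": E.add(P, E.neg(P)) is O,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because every coordinate stays a Fraction, the closure of E(Q) under addition that Corollary 2.13 asserts is visible directly: 3P = (19/25, 522/125) has rational coordinates and still satisfies the curve equation exactly.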
Chapter 3
Lenstra’s Elliptic Curve Method
This chapter motivates the usage of elliptic curves for integer factorization. We first review
some preliminaries that we will use in the two factoring algorithms.
3.1 Preliminaries
The simplest method of finding the prime factors of a given integer n is the well known Trial Division. We check for every prime p between 2 and $\sqrt{n}$ whether p divides n. This is fairly efficient if $n < 10^{20}$ – but for larger n we need a more sophisticated approach. There are numerous factorization methods with differing suitability for factoring certain integers. For instance, Trial Division is efficient for integers with many small factors, the previously mentioned Fermat Factorization is particularly efficient if an integer n has two factors near $\sqrt{n}$, and the so-called General Number Field Sieve is the currently best known method to find factors of integers with more than 100 digits. Many of these methods make use of the greatest common divisor, the largest integer that divides two given integers, in various ways.
We discuss Pollard’s p − 1 Algorithm as a warm-up before taking a look at Lenstra’s Elliptic Curve Method. The algorithms are relatively similar, albeit the latter being much more involved. Given an integer n, Pollard’s p − 1 creates various integers m and finds gcd(n, m).
Chapter 3. Lenstra’s Elliptic Curve Method 15
The goal is to find one m so that gcd(n,m) yields a non-trivial factor (i.e. not 1 or n) of n.
Lenstra’s Algorithm uses the greatest common divisor of n and different integers d to find
the multiplicative inverse of d modulo n. Both algorithms rely on the efficiency of finding
the greatest common divisor of n and other integers.
So before we discuss either of the two algorithms, we first show how to find the greatest
common divisor of any two integers and how many steps it takes to do this.
3.1.1 Euclidean Algorithm
For positive integers a and b, our goal is to efficiently find gcd(a, b). By the Division Algorithm, we can write $a = b \cdot q + r$ for some integers q, r where 0 ≤ r < b. We claim that gcd(a, b) = gcd(b, r).
Proof. Let c = gcd(a, b), then a = ck and b = cl for some integers k, l. Note that then r = a − bq = ck − clq = c(k − lq), and since k − lq is an integer, gcd(a, b) divides r. Therefore, gcd(a, b) ≤ gcd(b, r). Now, let c = gcd(b, r). Similar to before, b = ck and r = cl for some integers k, l, so a = bq + r = ckq + cl = c(kq + l) gives us that gcd(b, r) divides a and therefore gcd(b, r) ≤ gcd(a, b). In conclusion, gcd(a, b) = gcd(b, r).
Now, in order to find gcd(b, r), we write $b = r \cdot q_1 + r_2$, where $0 \le r_2 < r$. This leads to the following sequence of equations:
$$\begin{aligned}
a &= bq + r & \gcd(a, b) &= \gcd(b, r) \\
b &= rq_1 + r_2 & \gcd(a, b) &= \gcd(r, r_2) \\
r &= r_2q_2 + r_3 & \gcd(a, b) &= \gcd(r_2, r_3) \\
&\ \vdots & &\ \vdots \\
r_{n-2} &= r_{n-1}q_{n-1} + r_n & \gcd(a, b) &= \gcd(r_{n-1}, r_n) \\
r_{n-1} &= r_nq_n + 0 & \gcd(a, b) &= r_n
\end{aligned}$$
The sequence of remainders decreases until it reaches 0. When this happens, we terminate
and find that the greatest common divisor of a and b is the previous remainder, denoted rn.
This method is called the Euclidean Algorithm and was first described by Euclid around
300 BC. The following Lemma demonstrates how efficient it is.
Lemma 3.1. For any integers a, b, computing gcd(a, b) takes at most $2\log_2(\min\{a, b\})$ steps.
Proof. We first claim that $r_{i+1} < \frac{1}{2} r_{i-1}$ for all i = 2, ..., n − 1, that is, with every two steps of the Euclidean Algorithm the remainder is more than halved. Recall that the sequence of remainders decreases, so $r_{i+1} < r_i$ for all i.
Case 1: If $r_i \le \frac{1}{2} r_{i-1}$, then $r_{i+1} < r_i \le \frac{1}{2} r_{i-1}$ and we are done.
Case 2: If $r_i > \frac{1}{2} r_{i-1}$, then
$$\begin{aligned}
r_{i+1} &= r_{i-1} - r_i q_i && \text{by definition} \\
&< r_{i-1} - \tfrac{1}{2} r_{i-1} q_i && \text{by assumption } r_i > \tfrac{1}{2} r_{i-1} \iff -r_i < -\tfrac{1}{2} r_{i-1} \\
&= r_{i-1}\left(1 - \tfrac{1}{2} q_i\right) \\
&= \tfrac{1}{2} r_{i-1} && q_i \ge 1 \text{ by the Euclidean Algorithm, } q_i \le 1 \text{ since } r_{i+1} > 0, \text{ so } q_i = 1
\end{aligned}$$
Without loss of generality a ≥ b, and after the first step r < b. Thus,
$$r_2 < \frac{1}{2} b, \quad r_4 < \frac{1}{2} r_2 < \frac{1}{4} b, \quad \dots, \quad r_{2i} < \frac{1}{2^i} b.$$
As soon as $2^i \ge b$, we get $r_{2i} < 1$, which means that $r_{2i} = 0$. By taking logarithms with base 2 on both sides, this becomes
$$i \ge \log_2 b \Rightarrow r_{2i} = 0.$$
We terminate the gcd-process once $r_{2i} = 0$, which happens after at most $2\log_2(b)$ steps.
The Euclidean Algorithm can be extended to express the greatest common divisor of any
two integers as a linear combination of those two integers. This expression is called Bezout’s
identity.
Proposition 3.2. (Bezout’s identity) For any integers a, b with gcd(a, b) = d, there exist integers x, y such that d = ax + by.
Proof. The idea is to run through the Euclidean Algorithm and then “reverse” it by iteratively expressing $r_n$ as linear combinations of the previous remainders. In order to do this, we express the new remainder in each line as a linear combination of the previous two remainders:
$$\begin{aligned}
a &= bq + r & r &= a - bq \\
b &= rq_1 + r_2 & r_2 &= b - rq_1 \\
&\ \vdots & &\ \vdots \\
r_{n-3} &= r_{n-2}q_{n-2} + r_{n-1} & r_{n-1} &= r_{n-3} - r_{n-2}q_{n-2} \\
r_{n-2} &= r_{n-1}q_{n-1} + r_n & r_n &= r_{n-2} - r_{n-1}q_{n-1} \\
r_{n-1} &= r_nq_n & &
\end{aligned}$$
We start with the final equation on the right side and use the equation above it to replace $r_{n-1}$ with its linear combination in terms of $r_{n-3}$ and $r_{n-2}$:
$$r_n = r_{n-2} - r_{n-1}q_{n-1} = r_{n-2} - (r_{n-3} - r_{n-2}q_{n-2})\,q_{n-1} = r_{n-2}(1 + q_{n-2}q_{n-1}) - r_{n-3}q_{n-1}.$$
We’ve expressed $r_n$ as a linear combination of $r_{n-2}$ and $r_{n-3}$! In the next step, we replace $r_{n-2}$ with its linear combination in terms of $r_{n-4}$ and $r_{n-3}$ and collect terms. This lets us express $r_n$ as a linear combination of $r_{n-3}$ and $r_{n-4}$. We continue doing this procedure until we’ve expressed $r_n$ as a linear combination of a and b.
This algorithm is called the Extended Euclidean Algorithm and takes about twice as long as the Euclidean Algorithm itself. As it turns out, we can use this to find modular multiplicative inverses:
Proposition 3.3. If gcd(a, b) = 1 for integers a and b, then Bezout’s identity 1 = ax + by yields the multiplicative inverse of a modulo b, namely x.
Proof. This can be easily seen from the definition of multiplicative inverses:
ax ≡ 1 (mod b) if and only if there exists an integer y such that ax = 1 + yb.
Rewriting the last equation gives exactly Bezout’s identity, 1 = ax − yb.
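The Euclidean Algorithm, its extended form from the proof of Proposition 3.2, and the modular inverse of Proposition 3.3 in Python. This is an added example and not part of the thesis; the function names are ours. Rather than running the algorithm and then “reversing” it, extended_gcd carries each remainder along as a linear combination of a and b, which yields the same Bezout coefficients in a single pass. euclid_gcd also counts the divisions it performs so that the bound of Lemma 3.1 can be checked on concrete inputs, and mod_inverse refuses to return anything when gcd(a, n) ≠ 1, the case in which no inverse exists (and, as Section 3.3 will use, the case in which the gcd itself is the interesting output).

```python
from math import log2


def euclid_gcd(a, b):
    """Euclidean Algorithm for positive a, b. Returns (gcd, steps), where one
    step is one application of the Division Algorithm a = b*q + r."""
    a, b = abs(a), abs(b)
    steps = 0
    while b != 0:
        a, b = b, a % b          # gcd(a, b) = gcd(b, r)
        steps += 1
    return a, steps


def extended_gcd(a, b):
    """Extended Euclidean Algorithm: returns (d, x, y) with d = gcd(a, b) = a*x + b*y
    (Bezout's identity). Each remainder r_i is tracked as s_i*a + t_i*b, so the
    coefficients of the last nonzero remainder are the Bezout coefficients."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(a, n):
    """Multiplicative inverse of a modulo n via Proposition 3.3. Raises ValueError
    when gcd(a, n) != 1, since then no inverse exists."""
    d, x, _ = extended_gcd(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {d}")
    return x % n


def within_lemma_bound(a, b):
    """True if euclid_gcd(a, b) used at most 2*log2(min{a, b}) steps (Lemma 3.1)."""
    _, steps = euclid_gcd(a, b)
    return steps <= 2 * log2(min(a, b))


if __name__ == "__main__":
    print(euclid_gcd(1071, 462))        # (21, 3)
    print(extended_gcd(1071, 462))      # (21, -3, 7): 21 = 1071*(-3) + 462*7
    print(mod_inverse(83, 97))          # 90, since 83*90 = 7470 = 77*97 + 1
    print(within_lemma_bound(89, 55))   # consecutive Fibonacci numbers, the slow case
```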
3.1.2 Fermat’s Little Theorem
Theorem 3.4. (Fermat) Let p be prime, then for any integer a, $a^{p-1} \equiv 1 \pmod p$.
Remark 3.5. This is a very handy theorem. For one, it can be proved that an integer n is composite by finding an integer a such that $a^{n-1} \not\equiv 1 \pmod n$. Next, if p is a prime factor of n and a is coprime to n, then we have that $a^{K(p-1)} \equiv 1 \pmod p$ for any positive integer K. If we now let k = K(p − 1), we get that $a^k - 1 \equiv 0 \pmod p$, so $p \mid a^k - 1$ for any exponent k where k is a multiple of p − 1.
Proof. We prove the equivalent statement that for any prime p and integer a, we have that $a^p \equiv a \pmod p$. We do this by induction on a. Fix any prime p. For the base case a = 1, we have $1^p \equiv 1 \pmod p$. Now suppose $a^p \equiv a \pmod p$ is true for some integer a. By the Binomial Theorem,
$$(a + 1)^p = a^p + \binom{p}{1}a^{p-1} + \dots + \binom{p}{p-1}a + 1 \equiv a^p + 1 \pmod p.$$
The last congruence holds, since $p \mid \binom{p}{k}$ for any 0 < k < p. Now, since $a^p \equiv a \pmod p$, we get $(a + 1)^p \equiv a + 1 \pmod p$.
3.1.3 Fast Powering Algorithm
Pollard’s p − 1 algorithm, discussed in the next section, involves computing the greatest common divisor of n, the integer we want to factorize, and $a^k - 1$, where a is any integer and k is a fairly large exponent (up to $10^{10}$). While computing $a^k$ may seem computationally expensive, we can use properties of the greatest common divisor to save a lot of work. For example, applying the Division Algorithm gives $a^k - 1 = nq + r$ for some integers q and r. Note that $r \equiv a^k - 1 \pmod n$, so $\gcd(n, a^k - 1) = \gcd(n, r) = \gcd(n, a^k - 1 \bmod n)$. Instead of finding $a^k - 1$, we now need to find $a^k - 1 \pmod n$. This may look like only a minor improvement, however, modular exponentiation can be done very efficiently with a method called the Fast Powering Algorithm. For instance, computing $3^{218} \pmod{1000}$ in a naive way would involve first computing $3^{218}$ and then looking at the last three digits. This can be done much more quickly by first writing the exponent as the sum of powers of 2 and then using repeated modular squaring:
We have that $218 = 2 + 2^3 + 2^4 + 2^6 + 2^7$, so then $3^{218} = 3^{2 + 2^3 + 2^4 + 2^6 + 2^7} = 3^2 \cdot 3^{2^3} \cdot 3^{2^4} \cdot 3^{2^6} \cdot 3^{2^7}$. Below, we compute $3^{2^i} \pmod{1000}$ for i = 1, ..., 7.
$$\begin{array}{c|ccccccc}
i & 1 & 2 & 3 & 4 & 5 & 6 & 7 \\ \hline
3^{2^i} \pmod{1000} & 9 & 81 & 561 & 721 & 841 & 281 & 961
\end{array}$$
Once we compute $3^{2^i} \pmod{1000}$, we can easily compute $3^{2^{i+1}} \pmod{1000} = (3^{2^i})^2 \pmod{1000}$ by a single modular squaring operation. We square 7 times in total and then perform another 4 multiplications:
$$\begin{aligned}
3^{218} \pmod{1000} &= 3^2 \cdot 3^{2^3} \cdot 3^{2^4} \cdot 3^{2^6} \cdot 3^{2^7} \pmod{1000} \\
&= 9 \cdot 561 \cdot 721 \cdot 281 \cdot 961 \pmod{1000} \\
&= 489 \pmod{1000}.
\end{aligned}$$
So we reduced our work to 11 modular multiplications, a significant improvement!
For computing $a^b \pmod n$ in general, these are the steps involved in the Fast Powering Algorithm:
1. Express b as the sum of powers of 2, i.e. $b = \sum_{i=0}^{k} \alpha_i 2^i$ with $\alpha_i \in \{0, 1\}$ and $2^k$ being the highest power of 2 smaller than b.
2. Compute $c_i = a^{2^i} \pmod n$ for i = 0, ..., k iteratively by repeated modular squaring operations, i.e. $a^{2^{i+1}} \pmod n = (a^{2^i})^2 \pmod n$.
3. Now, $a^b \equiv \prod_{i=0}^{k} c_i^{\alpha_i} \pmod n$.
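The three steps of the Fast Powering Algorithm in Python, instrumented to report the number of squarings and multiplications so the count of 7 + 4 = 11 operations for $3^{218} \pmod{1000}$ can be reproduced. This is an added example, not code from the thesis; the names square_table and fast_power are ours. The table of $c_i = a^{2^i} \pmod n$ is built explicitly (Step 2), the binary digits $\alpha_i$ of b select the entries to multiply (Steps 1 and 3), and, in the spirit of Remark 3.5, the usage line checks that $2^{840} \equiv 1 \pmod{421}$ because 420 divides 840.

```python
def square_table(a, k, n):
    """c_i = a^(2^i) mod n for i = 0..k, obtained by k repeated modular squarings (Step 2)."""
    c = [a % n]
    for _ in range(k):
        c.append(c[-1] * c[-1] % n)
    return c


def fast_power(a, b, n):
    """a^b mod n by the Fast Powering Algorithm.
    Returns (result, squarings, multiplications) so the amount of work is visible;
    the first selected factor needs no multiplication, matching the count in the text."""
    if b == 0:
        return 1 % n, 0, 0
    k = b.bit_length() - 1                 # 2^k is the highest power of 2 that is <= b
    c = square_table(a, k, n)              # Step 2: k squarings
    factors = [c[i] for i in range(k + 1) if (b >> i) & 1]   # Step 1: the i with alpha_i = 1
    result = factors[0]                    # Step 3: multiply the selected c_i together
    for f in factors[1:]:
        result = result * f % n
    return result, k, len(factors) - 1


if __name__ == "__main__":
    print(square_table(3, 7, 1000)[1:])    # [9, 81, 561, 721, 841, 281, 961]
    print(fast_power(3, 218, 1000))        # (489, 7, 4): 7 squarings, 4 multiplications
    print(fast_power(2, 840, 421))         # result 1: Fermat, since 420 | 840
```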
3.2 Pollard’s p− 1 Algorithm
Given a composite (i.e. positive and non-prime) integer n, we want to find one of its factors.
Pollard’s p− 1 Algorithm is as follows.
Pollard’s p − 1 Algorithm
1. Choose any integer B.
2. Choose an integer k which is a product of small primes raised to small powers relative to B. For example, a good choice is k = lcm(2, 3, ..., B).
3. Choose any integer a between 1 and n.
4. If gcd(a, n) > 1, we are done. Otherwise, proceed to Step 5.
5. Let $x = a^k$ and calculate D = gcd(x − 1, n).
• If 1 < D < n, we are done.
• If D = 1, go back to Step 1 and choose a larger B.
• If D = n, go back to Step 1 and choose a smaller B.
Note that the majority of computations are done in Step 5, where we compute $\gcd(x - 1, n)$.
This can be done efficiently using the previously discussed Euclidean Algorithm and Fast
Powering methods. However, it isn't entirely obvious what a good choice for B in Step
1 is. With lower values for B it becomes easier to compute the gcd in Step 5, but if B
is too small the gcd will be 1. Higher values for B are more likely to yield a non-trivial
gcd, but computing the gcd in Step 5 takes much longer. In practice, one chooses B ≈ 100
and increases the value until a non-trivial factor is found. For values higher than $B = 10^6$,
this process becomes infeasible with current day technology and more powerful factorizing
algorithms need to be used.
Example 3.2.1 Consider n = 540143¹. Let B = 8, k = lcm(2, ..., 8) = 840, a = 2. Then
$\gcd(2^{840} - 1, n) = 421$ immediately yields a non-trivial factor of n, so then n = 421 · 1283.
¹ We could find either factor very quickly using Trial Division, so these examples only serve to demonstrate how the algorithm works and not how efficient it is. In order to illustrate its efficiency, we would need to choose much higher numbers, which in turn would make it difficult to understand how the algorithm works.
Example 3.2.2 Consider n = 491389. Let B = 8, k = lcm(2, ..., 8) = 840, a = 2. Then
$\gcd(2^{840} - 1, n) = 1$, so we need to increase B. After increasing B to 191 we find the non-trivial
factor $p = \gcd(2^{\mathrm{lcm}(2, \ldots, B)} - 1, n) = 383$. This gives us n = 383 · 1283.
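Pollard's p − 1 Algorithm with the driver the text describes (raise B until D > 1, back B off if D = n), as an added Python example rather than the paper's own code. `smooth_exponent`, `pollard_p_minus_1` and `pollard_search` are names chosen here, and `math.lcm` needs Python 3.9 or later. On the two examples above it reproduces 421 at B = 8 and 383 once B reaches 191.

```python
from math import gcd, lcm  # math.lcm: Python 3.9+


def smooth_exponent(B):
    """Step 2: k = lcm(2, 3, ..., B), the B-smooth exponent suggested in the text."""
    k = 1
    for m in range(2, B + 1):
        k = lcm(k, m)
    return k


def pollard_p_minus_1(n, B, a=2):
    """One pass of Steps 1-5 for a fixed B. Returns D = gcd(a^k - 1, n):
    1 < D < n is a factor, D == 1 means B was too small, D == n too large."""
    g = gcd(a, n)
    if g > 1:
        return g                         # Step 4: a itself shares a factor with n
    k = smooth_exponent(B)
    x = pow(a, k, n)                     # Step 5 via fast powering
    return gcd(x - 1, n)


def pollard_search(n, B=8, B_max=10**6, a=2):
    """Drive the algorithm as described: raise B until D > 1, and if D == n back
    B off gradually. Returns (factor, B) or None if B_max is exceeded."""
    while B <= B_max:
        D = pollard_p_minus_1(n, B, a)
        if 1 < D < n:
            return D, B
        if D == n:                       # every prime factor p had p - 1 | k
            while B > 2:
                B -= 1
                D = pollard_p_minus_1(n, B, a)
                if 1 < D < n:
                    return D, B
            return None
        B += 1                           # D == 1: B too small, grow it
    return None


if __name__ == "__main__":
    print(smooth_exponent(8))            # 840
    print(pollard_search(540143))        # (421, 8): 420 = 2^2 * 3 * 5 * 7 divides 840
    print(pollard_search(491389))        # (383, 191): 382 = 2 * 191 needs B >= 191
```

The search raises B by one per round, which keeps the trace readable; a real implementation grows B geometrically, and stops at $10^6$ for the reason the text gives in Section 3.4.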
3.2.1 Why Pollard's p − 1 Algorithm works
Definition 3.6. Let B be a positive integer. An integer n is called B-smooth if all prime
factors of n are at most B.
This definition allows us to quantify more precisely for which integers n Pollard's p − 1
Algorithm yields prime factors, namely exactly when n has prime factors p for which p − 1
is B-smooth for $B < 10^6$. In Example 3.2.1, p = 421 was a factor of n and we found it so
easily as $p - 1 = 420 = 2^2 \cdot 3 \cdot 5 \cdot 7$ is 8-smooth. In Example 3.2.2, for the factor p = 383 we
have that $p - 1 = 382 = 2 \cdot 191$ is 191-smooth, so we had to increase B accordingly high.
More specifically, let n have a prime factor p such that p − 1 is B-smooth for some integer
B. In the final step of the algorithm, we compute $\gcd(a^k - 1, n)$, where a is coprime to n
(i.e. gcd(a, n) = 1) and k is B-smooth. Recall that Fermat's Little Theorem tells us that
$p \mid a^k - 1$ if k is a multiple of p − 1. We don't know p or p − 1 to begin with, but if we've
chosen a large enough B so that p − 1 and k are B-smooth, then k is likely a multiple of
p − 1. If not, then $\gcd(a^k - 1, n) = 1$ and we need to increase B further. Increasing B should
be done liberally until either $B > 10^6$, in which case we abandon the process altogether,
or until $\gcd(a^k - 1, n) > 1$. In this case k is a multiple of p − 1, so $\gcd(a^k - 1, n)$ is a
multiple of p. Of course, $\gcd(a^k - 1, n) \le n$, and if equality holds we need to decrease B.
Decreasing B should be done more gradually until $\gcd(a^k - 1, n) < n$, in which case we've
found a non-trivial factor of n.
3.3 Lenstra's Elliptic Curve Method (ECM)
Again, let n be an integer for which we wish to find one of its factors. In order to use ECM
efficiently, we require that n isn't divisible by 2 or 3 and that n isn't a perfect power. If n is
divisible by 2 or 3 (which is easily checked by looking at the last digit and the digit sum of
n), then we have already found a factor, and in order to proceed with ECM we repeatedly
divide n by 2 and 3 until we can't do this anymore. If on the other hand n is a perfect
power, that is $n = m^k$ where m > 1 and k ≥ 2, then the only factor of n is m. One way
to check this is to approximate $\sqrt[k]{n}$ for $k = 2, \ldots, \log_{10} n$ (e.g. with Newton's Method) and
test whether the closest integers raised to the power of k equal n. If this procedure yields
that factor m, there is no need to use ECM.
Lenstra's Elliptic Curve Method Given an integer n, we use the following steps to find
factors of n.
1. Check that n isn't divisible by 2 or 3, and that n isn't a perfect power.
2. Choose random integers a, x, y between 1 and n.
3. Let $b = y^2 - x^3 - ax \pmod n$.
4. Calculate $D = \gcd(4a^3 + 27b^2, n)$.
• If 1 < D < n, we are done.
• If D = 1, proceed to Step 5.
• If D = n, go back to Step 2 and choose a different a.
5. Let E be the elliptic curve $E : y^2 = x^3 + ax + b$, and let P = (x, y) ∈ E.
6. Choose a number k which is a product of small primes raised to small powers.
For example, a good choice is k = lcm(2, 3, ..., B) for some integer B ≈ 100.
7. Compute kP (mod n).
8. If the computation of kP (mod n) succeeds, i.e. every denominator was invertible modulo n and kP lies on E, go back to Step 2 and choose different values for a, x, and y.
Otherwise, Step 7 yields a factor of n (see Section 3.3.1).
Note that Steps 2 and 3 produce coefficients for an elliptic curve E for which we know
that P lies on E. In this description of the algorithm, there isn’t a systematic way of
choosing “good” values for a, x, and y – but heuristically speaking, choosing random values
is sufficient to eventually find a non-trivial factor. Improvements on this aspect of the
algorithm will be discussed in more depth in Chapter 5.
When computing kP in Step 7, we can use a variant of the Fast Powering Algorithm. For
instance, $6P = P + \cdots + P = 2P + 4P = 2P + 2 \cdot (2P)$, so we can use the Duplication Formula
from Lemma 2.10 to save expensive computation time. Recall that, given P = (x, y), we
have that
$$x(2P) = \frac{x^4 - 2ax^2 - 8bx + a^2}{4x^3 + 4ax + 4b}.$$
To compute 2P (mod n), we need to find the multiplicative inverse of the denominator
modulo n:
$$x(2P) \pmod n = (x^4 - 2ax^2 - 8bx + a^2) \cdot (4x^3 + 4ax + 4b)^{-1} \pmod n.$$
If we denote the denominator as $d = 4x^3 + 4ax + 4b$ and gcd(d, n) = 1, then we can find
Bézout's identity $1 = \alpha d + \beta n$ for some integers α, β. Recall that α is the multiplicative
inverse of d modulo n. We then obtain
$$x(2P) \pmod n = \frac{x^4 - 2ax^2 - 8bx + a^2}{4x^3 + 4ax + 4b} \pmod n = (x^4 - 2ax^2 - 8bx + a^2) \cdot \alpha \pmod n.$$
In a similar fashion, we find y(2P):
$$y(2P) \pmod n = \frac{3x^2 + a}{2y} \cdot (x(2P) - x) + y \pmod n.$$
If gcd(2y, n) = 1, we can find integers γ, δ such that $1 = \gamma(2y) + \delta n$. Then
$$y(2P) \pmod n = (3x^2 + a) \cdot \gamma \cdot (x(2P) - x) + y \pmod n.$$
From this, we find 4P = 2(2P) (mod n) using the Duplication Formula on 2P (mod n).
Finally, 6P (mod n) = 2P + 4P (mod n) using the Point Addition Formulas provided in
Lemma 2.9.
In general, the following steps allow us to efficiently compute kP (mod n):
1. Express k as the sum of powers of 2, i.e. $k = \sum_{i=0}^{m} \alpha_i 2^i$ with $\alpha_i \in \{0, 1\}$ and $2^m$ being
the highest power of 2 not exceeding k.
2. Compute $2^i P \pmod n$ for $i = 0, \ldots, m$ iteratively by repeatedly using the Duplication
Formula, i.e. $2^{i+1} P \pmod n \equiv 2(2^i P) \pmod n$.
3. Now, $kP \pmod n = \sum_{i=0}^{m} \alpha_i 2^i P \pmod n$.
Example 3.3.1 Consider n = 455839. Let $E : y^2 = x^3 + 5x - 5$, P = (1, 1), k = 10!.
We begin by finding 2!P = 2P (mod n) by using the Duplication Formula.
$$\begin{aligned}
x(2P) &= 56/4 = 14 \\
y(2P) &= \frac{3 + 5}{2} \cdot (1 - 14) - 1 = -53 \\
\Rightarrow 2P &= (14, -53)
\end{aligned}$$
The x- and y-coordinates of 2P are integers, so we didn't need to find any multiplicative
inverses. Next, we find 3!P = 2P + 4P modulo n by using the Duplication Formula on 2P.
$$\begin{aligned}
x(4P) &\equiv 37041/11236 \pmod n \\
&\equiv 37041 \cdot 271694 \pmod n \\
&\equiv 259851 \pmod n \\
y(4P) &\equiv 593/(-106) \cdot (-259837) + 53 \pmod n \\
&\equiv 593 \cdot 81707 \cdot 259837 + 53 \pmod n \\
&\equiv 116255 \pmod n \\
\Rightarrow 4P &= (259851, 116255) \pmod n
\end{aligned}$$
Now, $x(6P) \equiv \lambda^2 - 14 - 259851 \pmod n$ and $y(6P) \equiv \lambda x(6P) + y(2P) - \lambda x(2P)$, where
$$\begin{aligned}
\lambda &\equiv \frac{116255 + 53}{259851 - 14} \pmod n \\
&\equiv 116308/259837 \pmod n \\
&\equiv 116308 \cdot 215705 \pmod n \\
&\equiv 206097 \pmod n
\end{aligned}$$
So then
$$\begin{aligned}
x(6P) &\equiv 206097^2 - 14 - 259851 \pmod n \equiv 179685 \pmod n \\
y(6P) &\equiv 206097 \cdot 179685 - 53 - 206097 \cdot 14 \pmod n \equiv 28708 \pmod n \\
\Rightarrow 6P &= (179685, 28708)
\end{aligned}$$
Similarly, we find that 4!P, 5!P, ..., 7!P all lie on E, but computing 8!P requires inverting
599 modulo n, which isn't possible. This is because 599 is a factor of n, and we conclude
that n = 599 · 761.
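Steps 4 to 8 together with Example 3.3.1, as an added Python example (not the paper's code): point addition modulo n that reports a non-invertible denominator instead of dividing by it, double-and-add for kP, and the factorial build-up 2!P, 3!P, ..., K!P used in the example. The names `ec_add`, `ec_mul`, `ecm_stage1`, `ecm` and `FactorFound` are chosen here; the point at infinity is represented by `None`, the y-coordinate uses the sign convention y(P + Q) = λ(x(P) − x(P + Q)) − y(P) (the x-coordinates, and hence the denominators that expose a factor, do not depend on that choice), and `pow(d, -1, n)` (Python 3.8+) stands in for the extended Euclidean algorithm that produces α in Bézout's identity.

```python
from math import gcd
import random

O = None  # the point at infinity


class FactorFound(Exception):
    """Raised when a denominator d has no inverse modulo n, i.e. gcd(d, n) > 1."""
    def __init__(self, d):
        super().__init__(f"gcd with n is {d}")
        self.d = d


def inverse_mod(d, n):
    """The alpha of Bezout's identity 1 = alpha d + beta n, i.e. d^-1 (mod n);
    raises FactorFound when gcd(d, n) > 1 instead of failing silently."""
    g = gcd(d, n)
    if g != 1:
        raise FactorFound(g)
    return pow(d, -1, n)  # extended Euclidean algorithm (Python 3.8+)


def ec_add(P, Q, a, n):
    """P + Q on y^2 = x^3 + a x + b modulo n (b does not enter the formulas).
    Uses the Duplication Formula when P = Q and the addition formula otherwise."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % n == 0:
        if (y1 + y2) % n == 0:
            return O                                  # Q = -P modulo n
        if (y1 - y2) % n != 0:
            # same x but different y modulo n: y1^2 = y2^2 forces a zero divisor
            raise FactorFound(gcd(y1 - y2, n))
        lam = (3 * x1 * x1 + a) * inverse_mod(2 * y1, n) % n
    else:
        lam = (y2 - y1) * inverse_mod(x2 - x1, n) % n
    x3 = (lam * lam - x1 - x2) % n
    y3 = (lam * (x1 - x3) - y1) % n
    return (x3, y3)


def ec_mul(k, P, a, n):
    """kP by double-and-add, the analogue of the Fast Powering Algorithm:
    scan the bits of k from the top, doubling at every bit and adding P at set bits."""
    R = O
    for bit in bin(k)[2:]:
        R = ec_add(R, R, a, n)
        if bit == "1":
            R = ec_add(R, P, a, n)
    return R


def ecm_stage1(n, a, b, P, K):
    """Steps 4-8 for one curve E: y^2 = x^3 + a x + b and point P modulo n, with
    the scalar built up as 2!, 3!, ..., K! as in Example 3.3.1. Returns a
    non-trivial factor of n, or None if another curve has to be tried."""
    D = gcd(4 * a ** 3 + 27 * b ** 2, n)
    if 1 < D < n:
        return D              # Step 4: the discriminant already shares a factor with n
    if D == n:
        return None           # Step 4: E is singular modulo n, choose a different a
    x, y = P
    assert (y * y - x ** 3 - a * x - b) % n == 0, "P must lie on E modulo n"
    Q = P
    try:
        for j in range(2, K + 1):
            Q = ec_mul(j, Q, a, n)      # now Q = j! P (mod n)
            if Q is O:
                return None             # j!P vanished modulo every prime factor at once
    except FactorFound as e:
        return e.d if 1 < e.d < n else None
    return None


def ecm(n, K=10, trials=2000, seed=1):
    """Steps 2-3 and 8: draw random a, x, y, set b so that P = (x, y) lies on E,
    and retry with a fresh curve until a factor appears (None after `trials`)."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    for _ in range(trials):
        a, x, y = (rng.randrange(1, n) for _ in range(3))
        b = (y * y - x ** 3 - a * x) % n
        f = ecm_stage1(n, a, b, (x, y), K)
        if f:
            return f
    return None


if __name__ == "__main__":
    n = 455839
    print(ec_add((1, 1), (1, 1), 5, n))            # 2P = (14, n - 53)
    print(inverse_mod(11236, n))                   # 271694, the inverse used for x(4P)
    print(ecm_stage1(n, 5, -5, (1, 1), 8))         # a factor of n from the example curve
    print(ecm(n))                                  # a factor of n from random curves
```

Because the factorial scalars are built up one multiplier at a time, the first denominator that is divisible by a prime factor of n stops the computation, exactly as computing 8!P did in the example; the same `FactorFound` mechanism is what Section 3.3.1 calls "anticipating that eventually one point addition will fail".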
3.3.1 Why Lenstra’s ECM works
As we’ve mentioned before, elliptic curves are defined over fields. Yet in Lenstra’s ECM we
consider a curve defined over the ring Z/nZ, where n is the integer we wish to factorize. For
almost all elements x ∈ Z/nZ, x has a multiplicative inverse, so Z/nZ is “almost” a field.
The only elements y ∈ Z/nZ that don’t have a multiplicative inverse are those for which
gcd(y, n) > 1. We call these elements zero divisors of Z/nZ. Lenstra’s ECM attempts to
find these zero divisors by systematically adding rational points on the curve, anticipating
that eventually one point addition will fail.
When performing ECM, all denominators D involved in the process of computing kP
(mod n) must have a multiplicative inverse modulo n. This is the case if and only if
gcd(D,n) = 1, since otherwise D · n/ gcd(n,D) ≡ 0 (mod n). Therefore, as long as
gcd(D,n) = 1 holds we can continue finding kP (mod n). However, once gcd(D,n) > 1,
we’ve found a divisor of n – exactly what we were after!
This explanation still doesn’t cover why Example 3.3.1 worked out nicely, that is why the
curve we chose yielded a factor of n. The following two chapters explain in depth which
kind of curves are most useful for integer factorization and how to find them.
3.4 Comparing Trial Division, Pollard's p − 1, and Lenstra's ECM
With Trial Division we can easily find factors with up to 10 digits with modern computing
power. For this we keep a list of all prime numbers with up to 10 digits and check the
integer we wish to factorize for divisibility by each prime in our list. We could extend this
list to find even larger factors, but it is preferable to have a more efficient algorithm that
requires no such list (or perhaps a very small list). Trial Division requires
$$\pi(2^{n/2}) \approx \frac{2^{1 + n/2}}{n \ln 2}$$
steps to determine whether or not n has a prime factor, where π(x) counts the number of
primes that are at most x.
Pollard's p − 1 algorithm only finds certain prime factors efficiently, namely those p for which p − 1 is B-smooth
for $B \le 10^6$. The range of this algorithm extends to prime factors with up to 18 digits, which is well
beyond Trial Division; however, Pollard's p − 1 algorithm doesn't find many prime factors
larger than 10 digits. Only about 1/4 of all 12-digit primes and about 1/27 of all 18-digit
primes p are such that p − 1 is $10^6$-smooth [18]. Increasing B increases the number of prime
factors this algorithm can find, but as the time complexity of $O(B \cdot \log B \cdot \log^2 n)$ depends
heavily on the size of B, Lenstra's ECM performs much better in practice.
Lenstra's ECM is known to reliably find factors with up to 25 digits, and a prime factor with
83 digits has even been found using ECM [6]. The algorithm is, however, much
more difficult to implement, as the point addition is a more complicated procedure and it
isn't quite clear which elliptic curve should be chosen. It is also not clear when we should stop
using Lenstra's ECM to find factors. In fact, the success of Lenstra's ECM is somewhat
random (if we choose random curves), but even so its average success rate is so high that
in practice one typically uses Lenstra's ECM after Trial Division to "filter out" more
small factors before moving on to more general purpose factoring algorithms.
Chapter 4
The Torsion Subgroup
Recall that the points of an elliptic curve form an additive group. As with any group, we
can define the order of an element:
Definition 4.1. Let E be an elliptic curve over a field K with char(K) ≠ 2, 3. A point
P ∈ E(K) has finite order if there exists a positive integer k such that kP = O. We call
the least such k the order of P. The set of all points of finite order is called the torsion
subgroup of E(K), denoted E(K)tors. Points of finite order are also called torsion points.
Remark 4.2. For any field K, O ∈ E(K)tors since 1 · O = O.
The significance of the torsion subgroup is that Lenstra’s ECM is particularly likely to find
a prime factor when the torsion subgroup of the chosen elliptic curve is large.
Before we talk about how to find elliptic curves with large torsion subgroup, we first discuss
the properties of torsion points, which torsion subgroups we can expect and why a large
torsion subgroup increases our chances of success. We will see that an elliptic curve can
have different torsion subgroups over different fields and illustrate this with an example.
4.1 Nagell-Lutz Theorem
If an elliptic curve is defined over Z (which it always is with ECM), then we can characterize
all torsion points with the following theorem.
Theorem 4.3. (Nagell-Lutz) Let $y^2 = x^3 + ax + b$ be an elliptic curve with integer coefficients
a and b. Let $D = -4a^3 - 27b^2$. If P = (x, y) is a rational torsion point, then
1. x and y are integers
2. either y = 0, in which case P has order 2, or $y \mid D$
The first result tells us that all torsion points are in fact integer points. The converse
is not true, as there may be integer points of infinite order. The second result helps us
find all torsion points by finding all divisors d of D and then checking whether solving
$d^2 = x^3 + ax + b$ for x yields an integer point.
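The search procedure the last paragraph describes, as an added Python example (not code from the paper): enumerate the divisors d of D, solve $d^2 = x^3 + ax + b$ for integer x, and collect the points that pass both Nagell-Lutz conditions. `nagell_lutz_candidates`, `integer_roots` and `divisors` are names chosen here. The two sample curves $y^2 = x^3 + 1$ and $y^2 = x^3 - 2$ are constructed for illustration; the second carries the integer point (3, 5), which fails the divisibility test and so cannot be a torsion point, illustrating that the converse of the theorem does not hold.

```python
from math import isqrt


def divisors(m):
    """All positive divisors of the non-zero integer m."""
    m = abs(m)
    small = [d for d in range(1, isqrt(m) + 1) if m % d == 0]
    return sorted(set(small) | {m // d for d in small})


def integer_roots(a, c):
    """All integers x with x^3 + a x + c = 0. By the rational root theorem an
    integer root of a monic integer polynomial divides the constant term."""
    if c == 0:
        roots = {0}                              # x (x^2 + a) = 0
        if a <= 0 and isqrt(-a) ** 2 == -a:
            roots |= {isqrt(-a), -isqrt(-a)}
        return roots
    return {x for d in divisors(c) for x in (d, -d) if x ** 3 + a * x + c == 0}


def nagell_lutz_candidates(a, b):
    """Integer points (x, y) on y^2 = x^3 + a x + b satisfying the necessary
    conditions of Theorem 4.3: y = 0, or y divides D = -4a^3 - 27b^2.
    Every rational torsion point is among them; the converse need not hold."""
    D = -4 * a ** 3 - 27 * b ** 2
    if D == 0:
        raise ValueError("singular curve")
    points = {(x, 0) for x in integer_roots(a, b)}   # the points of order 2
    for d in divisors(D):
        for y in (d, -d):                            # solve y^2 = x^3 + a x + b
            points |= {(x, y) for x in integer_roots(a, b - y * y)}
    return points


def is_integer_point(a, b, x, y):
    """True when (x, y) lies on y^2 = x^3 + a x + b."""
    return y * y == x ** 3 + a * x + b


if __name__ == "__main__":
    print(sorted(nagell_lutz_candidates(0, 1)))     # y^2 = x^3 + 1: five affine candidates
    print(nagell_lutz_candidates(0, -2))            # y^2 = x^3 - 2: no candidates at all
    print(is_integer_point(0, -2, 3, 5))            # (3, 5) is on the curve, yet not torsion
```

For $y^2 = x^3 + 1$ the candidates (−1, 0), (0, ±1), (2, ±3) together with O are the six rational points of finite order; for $y^2 = x^3 - 2$ the candidate set is empty although (3, 5) is an integer point, because 5 does not divide D = −108.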
4.2 Mordell’s Theorem
Recall that the set of rational points on E, E(Q), forms an abelian group by Corollary 2.13.
The following theorem gives us an even better understanding of this set.
Theorem 4.4. (Mordell’s Theorem)[15] Let E/Q be an elliptic curve. Then E(Q) is finitely
generated.
A proof of Mordell’s Theorem can be found in [20], Chapter III.
Corollary 4.5. Let E/Q be an elliptic curve. Then $E(\mathbb{Q}) \cong \mathbb{Z}^r \times E(\mathbb{Q})_{\mathrm{tors}}$ with r ≥ 0.
Proof. Since E(Q) is an abelian group, we can apply the Fundamental Theorem for Finitely
Generated Abelian Groups:
$$E(\mathbb{Q}) \cong \mathbb{Z}^r \times \mathbb{Z}/n_1\mathbb{Z} \times \mathbb{Z}/n_2\mathbb{Z} \times \cdots \times \mathbb{Z}/n_s\mathbb{Z},$$
where $n_{i+1} \mid n_i$ for 1 ≤ i < s. Now, $\mathbb{Z}^r$ makes up the points of infinite order, whereas the tail
$\mathbb{Z}/n_1\mathbb{Z} \times \cdots \times \mathbb{Z}/n_s\mathbb{Z}$ is exactly the set of points of finite order, $E(\mathbb{Q})_{\mathrm{tors}}$.
Remark 4.6. The quantity r in Corollary 4.5 is called the rank of the curve. One important
property of the rank is that it needs to be strictly positive in order for ECM to work. We
will discuss the rank more thoroughly in Section 5.2.
4.3 Mazur’s Theorem
Due to the following theorem we know that only a few torsion subgroups are possible for
elliptic curves defined over Q:
Theorem 4.7. (Mazur's Theorem)[13] E(Q)tors is isomorphic to one of the following 15
groups:
• Z/mZ for 1 ≤ m ≤ 10, m = 12
• Z/2Z × Z/2mZ for 1 ≤ m ≤ 4
Note that Mazur’s and Mordell’s Theorem characterize only E(Q) and its torsion subgroup.
It is possible and reasonable to look for similar results with other number fields.
4.4 Generalizing Mordell’s and Mazur’s Theorem
Definition 4.8. A field K containing Q may be considered a vector space over Q, with
dimension d = dimQ(K). We call d the degree of K over Q, denoted [K : Q]. If
[K : Q] < ∞, then we call K a number field.
As it turns out, Mordell’s Theorem and Mazur’s Theorem can be generalized for general
number fields.
Theorem 4.9. (Mordell-Weil Theorem)[22] Let E be an elliptic curve defined over a number
field K. Then E(K) is a finitely generated abelian group.
Theorem 4.10. (Kamienny-Kenku-Momose, 1992)[9, 11] Let E be an elliptic curve over
a number field K, [K : Q] = 2. Then the torsion subgroup E(K)tors is isomorphic to one
of the following 26 groups:
• Z/mZ for 1 ≤ m ≤ 16, m = 18
• Z/2Z × Z/2mZ for 1 ≤ m ≤ 6
• Z/3Z × Z/3mZ for 1 ≤ m ≤ 2
• Z/4Z × Z/4Z
As with Mazur’s Theorem, this is a complete list of all possible torsion subgroups over
quadratic fields. There are similar results for higher degree number fields, but they have
not been completed yet.
Theorem 4.11. (Jeon-Kim-Schweizer, 2006) [8] Let E be an elliptic curve over a number
field K, [K : Q] = 3. For an infinite number of non-isomorphic elliptic curves, the following
torsion subgroups arise:
• Z/mZ for 1 ≤ m ≤ 16, m = 18, 20
• Z/2Z × Z/2mZ for 1 ≤ m ≤ 7
Now, let E be an elliptic curve over a number field K, [K : Q] = 4. For an infinite number
of non-isomorphic elliptic curves, the following torsion subgroups arise:
• Z/mZ for 1 ≤ m ≤ 18, m = 20, 21, 22, 24
• Z/2Z × Z/2mZ for 1 ≤ m ≤ 9
• Z/3Z × Z/3mZ for 1 ≤ m ≤ 3
• Z/4Z × Z/4mZ for 1 ≤ m ≤ 2
• Z/5Z × Z/5Z
• Z/6Z × Z/6Z
This list isn't exhaustive, since the elliptic curve
$$E : y^2 + xy + y = x^3 - x^2 + 5x + 5$$
has torsion subgroup Z/21Z over the cubic subfield of Q(η_9), as shown by Najman in [17].
Najman continues to prove that there are no other elliptic curves defined over Q that don’t
fit on the list, but there still may be similar elliptic curves defined over cubic or quartic
fields – whether they exist is still an open question [21].
The list of torsion subgroups that can arise infinitely often over quintic or higher degree
number fields has yet to be determined. However, it is known that there is an upper bound
on the size of the torsion subgroup of elliptic curves:
Theorem 4.12. (Merel, 1994)[14] For every positive integer d there is a constant B(d)
such that for every elliptic curve E/K with [K : Q] = d we have
$$|E(K)_{\mathrm{tors}}| \le B(d).$$
The currently best known bound $B(d) = (1 + 3^{d/2})^2$ (for d > 2) was found by Oesterlé in
1994, but not published [21].
Once we have developed methods for creating specific elliptic curves, we can use these lists
of possible torsion subgroups to specify which torsion subgroup our elliptic curve in the
ECM should have. Heuristically speaking, a large torsion subgroup increases the success
chances for ECM, which we will illustrate in Section 5. Recall that in the version of ECM
presented in Section 3.3 we first selected a random integer point and constructed an elliptic curve
around that point, so we didn't have any control over the torsion subgroup (over any
number field). A few recently developed methods for creating elliptic curves with prescribed
torsion subgroup are covered in Chapter 5.
Before moving on to these methods, we first explain why a large torsion subgroup of E(Q)
over different number fields helps us factor an integer and show an example of how this plays
out in practice.
4.5 Hasse's Theorem
Recall that in Pollard's p − 1 algorithm, we found a factor p of n if p − 1 was smooth, i.e.
the product of small primes. This algorithm becomes infeasible when n has no factor p such
that p − 1 is B-smooth for $B \le 10^6$. With Lenstra's algorithm, however, we instead need
$|E(\mathbb{F}_p)|$ to be smooth, where p is the smallest factor of n. By the following theorem the
size of this group is flexible: choosing different curves $E_1$ and $E_2$ gives different results for
$|E_i(\mathbb{F}_p)|$, but they are within a certain range, depending on the value of p.
Theorem 4.13. (Hasse)[5] Let E be an elliptic curve over the finite field $\mathbb{F}_p$, where p is
prime. Then
$$p + 1 - 2\sqrt{p} < |E(\mathbb{F}_p)| < p + 1 + 2\sqrt{p}.$$
A proof of Hasse's Theorem can be found in [19], p. 131.
Hasse's Theorem now allows us to explain exactly why we were able to use ECM in Example
3.3.1, and why we seek elliptic curves with large torsion subgroups.
4.5.1 Why Lenstra's ECM works (continued)
In Example 3.3.1, we found that n = 455839 = 599 · 761 by choosing the elliptic curve
$E : y^2 = x^3 + 5x - 5$ and computing 8!P, where P = (1, 1). This is because $|E(\mathbb{F}_{599})| = 640 = 2^7 \cdot 5$ is 5-smooth, whereas $|E(\mathbb{F}_{761})| = 777 = 3 \cdot 7 \cdot 37$ isn't. On a side note, the size
of the torsion group is rather large: $|E(\mathbb{Q})_{\mathrm{tors}}| = 9$.
Generally speaking, if p and q are prime factors of n, then a point P = (x, y) on $E : y^2 = x^3 + ax + b \pmod n$ lies on both E (mod p) and E (mod q). Since p and q are prime, the
“smaller” sets of points E(Z/pZ) and E(Z/qZ) form genuine additive groups (because Z/pZ and Z/qZ are fields). Since Z/pZ and Z/qZ are isomorphic to $\mathbb{F}_p$ and $\mathbb{F}_q$, respectively, we
instead consider $E(\mathbb{F}_p)$ and $E(\mathbb{F}_q)$. By Hasse's Theorem, $|E(\mathbb{F}_p)|$ and $|E(\mathbb{F}_q)|$ are “flexible”,
so for different curves these sizes vary.
Now, the algorithm only yields a factor p of n if we choose a curve E with the property that
$|E(\mathbb{F}_p)|$ is smooth and $|E(\mathbb{F}_q)|$ isn't for all other factors q, and that only $|E(\mathbb{F}_p)|$ divides the
integer k chosen in Step 6 of the algorithm. The process of finding the right curve is similar
to breaking a safe lock – we carefully turn the lock until it clicks, at which point everything
unravels nicely and we're rewarded with a prime factor. Once we find this curve, then
$kP \equiv O \pmod p$, because P is an integer point and as such a torsion point (by Mordell's
Theorem), and because the order of P modulo p divides $|E(\mathbb{F}_p)|$, so $kP = l \cdot |E(\mathbb{F}_p)| \, P \equiv O \pmod p$ for some integer l. However, $kP \not\equiv O \pmod q$ for other factors q of n, since $|E(\mathbb{F}_q)|$ doesn't divide k. We don't see any of this happening, since we compute kP (mod n), but
in the process of doing so the algorithm yields the factor p.
In Example 3.3.1, our curve E and value k = 8! were chosen so that $|E_{599}(\mathbb{Z}/599\mathbb{Z})| = 640$
divided k, but $|E_{761}(\mathbb{Z}/761\mathbb{Z})| = 777$ didn't. So then $8!P = O \pmod{599}$, but $8!P \neq O \pmod{761}$. When we tried computing 8!P (mod n), we failed to find the multiplicative
inverse of p = 599 modulo n and had found a factor.
Remark 4.14. Note that this argument still works when n has more than two factors. The
important factor is usually the smallest, since $|E(\mathbb{F}_p)|$ is more likely to be smooth for smaller
p. However, it suffices to find a curve with coefficients so that $|E(\mathbb{F}_p)|$ is smooth for any of
the prime factors p of n – as long as $|E(\mathbb{F}_q)|$ isn't smooth for all other factors q of n.
Ideally, as in Example 3.3.1, we've already chosen E so that only the order of $E_p(\mathbb{Z}/p\mathbb{Z})$
is smooth. But even if we just pick a curve E at random, then the order of the groups
$E_p(\mathbb{Z}/p\mathbb{Z})$ is within a certain interval determined by Hasse's Theorem. In Example 3.3.1,
$|E(\mathbb{F}_{599})| \in [551, 649]$ and $|E(\mathbb{F}_{761})| \in [707, 817]$.
Of course we don't know this in the beginning, but since $|E(\mathbb{F}_p)|$ is so flexible, Lenstra's
ECM is much more powerful than Pollard's p − 1 Algorithm. To reiterate: Lenstra's ECM
finds a factor p of n if for the chosen curve E we have that $|E(\mathbb{F}_p)|$ is smooth for only p,
whereas Pollard's p − 1 Algorithm finds this factor only if p − 1 is smooth.
One final remark: while we had to abandon Pollard's p − 1 Algorithm once $B > 10^6$, the
smoothness bound is of little to no concern for Lenstra's ECM. In fact, state-of-the-art
implementations (see [1]) fix a moderately large B (say B = 100) and frequently switch
curves rather than choosing a curve and increasing B up to $10^6$ before switching curves. If
ECM yields no factors for a fixed B after trying numerous (ca. 50) different curves, B is
increased by several orders of magnitude before trying further curves.
4.6 Example
Let's take a look at the smoothness of $|E(\mathbb{F}_p)|$ for different elliptic curves and different sets
of primes. The reason why we consider different sets of primes is to show that a large torsion
subgroup over Q doesn't always help us find prime factors.
The entire following example is taken from [4]. We use the following elliptic curves.
$$\begin{aligned}
E_1 &: y^2 = x^3 + 3 \\
E_7 &: y^2 - 55xy - 448y = x^3 - 448x^2 \\
E_9 &: y^2 - 47xy - 624y = x^3 - 624x^2 \\
E_{12} &: y^2 + \tfrac{19}{40}xy - \tfrac{273}{400}y = x^3 - \tfrac{273}{400}x^2 \\
E_{2 \times 8} &: y^2 = x^3 + \tfrac{54271}{225}x^2 + 4096x \\
E_{4 \times 8} &: y^2 + xy + y = x^3 + x^2 - 52431x - 2731947 \\
E_{5 \times 5} &: y^2 + y = x^3 + x^2 - 5092900x + 709824595630 \\
E_{6 \times 6} &: y^2 + xy + y = x^3 - 371066x - 47384980
\end{aligned}$$
Some curves aren't in our standard form $y^2 = x^3 + ax + b$, but since char(K) ≠ 2, 3 for
all number fields K, we can transform each of these representations into standard form by
variable substitution (as seen in Chapter 2). These curves have the following properties.
• Ek(Q)tors = Z/kZ for k ∈ {1, 7, 9, 12}¹
• E2×8(Q)tors = Z/2Z × Z/8Z
• E4×8(Q)tors = Z/2Z × Z/2Z
• E5×5(Q)tors = Z/5Z
• E6×6(Q)tors = Z/6Z
• E12(K)tors = Z/2Z × Z/12Z for K = Q(√−143)
• E4×8(K)tors = Z/4Z × Z/8Z for K = Q(√−1, √−7)
• E5×5(K)tors = Z/5Z × Z/5Z for K = Q(ζ5)
• E6×6(K)tors = Z/6Z × Z/6Z for K = Q(√−3, √217)
¹ Here, E1(Q)tors = Z/Z means E1(Q)tors = {O}.
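The variable substitution that brings a general Weierstrass equation into standard form, as an added Python example (not the paper's or [4]'s code): complete the square in y, then shift x to remove the $x^2$ term, in exact `Fraction` arithmetic so that the rational coefficients of $E_{12}$ and $E_{2 \times 8}$ survive intact. `short_weierstrass` and `on_short_curve` are names chosen here; the sample model $y^2 + y = x^3 - x^2$ and its three points are constructed for the check that points of the original model land on the transformed curve.

```python
from fractions import Fraction as Fr


def short_weierstrass(a1, a2, a3, a4, a6):
    """Transform y^2 + a1 x y + a3 y = x^3 + a2 x^2 + a4 x + a6 into
    Y^2 = X^3 + a X + b. Both substitutions divide by 2 and 3, so they are valid
    exactly when char(K) != 2, 3. Returns (a, b, to_short), where to_short maps a
    point (x, y) of the original model to (X, Y) on the short model."""
    a1, a2, a3, a4, a6 = map(Fr, (a1, a2, a3, a4, a6))
    # 1. Complete the square in y with Y = y + (a1 x + a3)/2, which gives
    #    Y^2 = x^3 + A x^2 + B x + C.
    A = a2 + a1 ** 2 / 4
    B = a4 + a1 * a3 / 2
    C = a6 + a3 ** 2 / 4
    # 2. Remove the x^2 term with x = X - A/3:
    #    X^3 + (B - A^2/3) X + (C - A B/3 + 2 A^3/27).
    a = B - A ** 2 / 3
    b = C - A * B / 3 + 2 * A ** 3 / 27

    def to_short(x, y):
        x, y = Fr(x), Fr(y)
        return x + A / 3, y + (a1 * x + a3) / 2

    return a, b, to_short


def on_short_curve(a, b, X, Y):
    """True when (X, Y) satisfies Y^2 = X^3 + a X + b (exact arithmetic)."""
    return Fr(Y) ** 2 == Fr(X) ** 3 + a * Fr(X) + b


# Constructed sample model y^2 + y = x^3 - x^2 with three of its rational points
SAMPLE_MODEL = (0, -1, 1, 0, 0)           # (a1, a2, a3, a4, a6)
SAMPLE_POINTS = [(0, 0), (1, 0), (1, -1)]

# Two curves from the list above in the same (a1, a2, a3, a4, a6) form
E_2x8 = (0, Fr(54271, 225), 0, 4096, 0)
E_4x8 = (1, 1, 1, -52431, -2731947)

if __name__ == "__main__":
    a, b, to_short = short_weierstrass(*SAMPLE_MODEL)
    print(a, b)                                               # -1/3 19/108
    print([on_short_curve(a, b, *to_short(x, y)) for x, y in SAMPLE_POINTS])
    for model in (E_2x8, E_4x8):
        print(short_weierstrass(*model)[:2])
```

Only the coefficients change; the group structure, and in particular the torsion subgroups listed above, is unaffected because the substitution is invertible over any field of characteristic other than 2 and 3.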
The different sets of primes we consider are as follows.
$$\begin{aligned}
A &= \{p_n \mid 50 \le n \le 10050\} \\
B &= \{p \in A \mid p - 143 \equiv a^2 \pmod p \text{ for some } a \in \mathbb{Z}\} \\
C &= A \setminus B \\
D &= \{p \in A \mid p \equiv 1 \pmod 5\} \\
E &= \{p \in A \mid p - 3 \equiv a^2 \pmod p \text{ and } 217 \equiv b^2 \pmod p \text{ for some integers } a, b\} \\
F &= \{p \in A \mid p - 1 \equiv a^2 \pmod p \text{ and } p - 7 \equiv b^2 \pmod p \text{ for some integers } a, b\}
\end{aligned}$$
These sets may seem cryptic and arbitrarily chosen, but they have been constructed very
carefully. The simplest set is A, containing the 50th to 10,050th primes. Each following set
is some subset, chosen to fit a certain curve.
For instance, Dujella and Najman expect $|E_{12}(\mathbb{F}_p)|$ to be more likely smooth where p
splits in Q(√−143) [4]. This occurs exactly when p ∈ B, and it doesn't occur exactly when
p ∈ C. Similarly, they expect $|E_{4 \times 8}(\mathbb{F}_p)|$ to be more likely smooth for p ∈ E, and $|E_{6 \times 6}(\mathbb{F}_p)|$ to be more likely smooth for p ∈ F. Finally, p splits completely in Q(ζ5) if and only if p ≡ 1
(mod 5), so $|E_{5 \times 5}(\mathbb{F}_p)|$ is expected to be more likely smooth for p ∈ D. The results fit these
expectations:
  el. curve      A       B       C       D       E       F
  E0          2822    1453    1369     643     522     633
  E7          4275    2155    2160    1020    1014    1066
  E9          4635    2306    2329    1110    1226    1125
  E12         5133    2852    2281    1290    1302    1288
  E2×8        5110    2587    2523    1245    1206    1295
  E4×8        4317    2141    2176    1059    1098    1440
  E5×5        4376    2137    2239    1448    1047    1074
  E6×6        4817    2396    2421    1201    1505    1138
In each column we check how many primes p in the respective set give that $|E(\mathbb{F}_p)|$ is
100-smooth for the curves in each row.
It is immediately apparent that the curves E0 and E7 consistently have the lowest entries,
and E9 is only slightly ahead of them. This supports the claim that elliptic curves with
large torsion are more likely to produce smooth values of |E(Fp)|.
If we consider the set of all primes, A, then the curves with largest torsion over Q, namely
E12 and E2×8, have the highest number of primes that result in |E(Fp)| being 100-smooth.
However, once we look at only a specific portion of primes, then the elliptic curves with
corresponding torsion subgroups give better results.
We see that for primes p ∈ B the curve E12 has the most entries, and that for p ∈ C
the curve E12 has almost the lowest entries. This is precisely what Dujella and Najman
expected.
Once we move to the sets D, E, and F, however, neither E12 nor E2×8 have above-average
entries. Instead, we see the curves with the most entries are E5×5, E6×6, and E4×8, respectively – again, as expected.
We conclude that elliptic curves with large torsion over a number field other than Q can
yield better results, if we know a priori which primes we would expect to find. In practice,
this is difficult to determine – for a given integer n, we rarely know more about its prime
factors other than in which range they might lie. Nevertheless, we’ve seen that these new
types of elliptic curves can be very useful, and ideally we would like to have an elliptic curve
with large torsion over as many number fields as possible.
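Two computations of this chapter, as an added Python example that is not from the paper or from [4]: counting $|E(\mathbb{F}_p)|$ by brute force for the curve of Example 3.3.1 (Section 4.5.1), checking the count against Hasse's interval and the smoothness bound, and tallying, as the table in this section does, how many primes in a set make $|E(\mathbb{F}_p)|$ 100-smooth. The names `count_points`, `hasse_interval`, `is_smooth`, `smooth_tally` and `primes_up_to` are chosen here; the prime range `SAMPLE_PRIMES` (the 50th to 168th primes) is a constructed, much smaller stand-in for the set A, so its tallies are only indicative, and curves not in short Weierstrass form ($E_7$, $E_9$, ...) would first need the substitution of this section before `count_points` applies.

```python
from math import isqrt


def primes_up_to(N):
    """Sieve of Eratosthenes: all primes p <= N in increasing order."""
    flags = bytearray([1]) * (N + 1)
    flags[0:2] = b"\x00\x00"
    for q in range(2, isqrt(N) + 1):
        if flags[q]:
            flags[q * q::q] = bytearray(len(flags[q * q::q]))
    return [i for i, f in enumerate(flags) if f]


def count_points(a, b, p):
    """|E(F_p)| for E: y^2 = x^3 + a x + b and an odd prime p not dividing
    4a^3 + 27b^2: O plus, for every x, the number of y with y^2 = x^3 + a x + b."""
    roots = [0] * p                  # roots[r] = number of y in F_p with y^2 = r
    for y in range(p):
        roots[y * y % p] += 1
    return 1 + sum(roots[(x * x * x + a * x + b) % p] for x in range(p))


def hasse_interval(p):
    """The integers m with p + 1 - 2 sqrt(p) <= m <= p + 1 + 2 sqrt(p);
    isqrt(4p) is floor(2 sqrt(p)), so the bounds are the tight integer ones."""
    w = isqrt(4 * p)
    return p + 1 - w, p + 1 + w


def is_smooth(m, B):
    """True when every prime factor of m is at most B (Definition 3.6)."""
    q = 2
    while q * q <= m:
        while m % q == 0:
            m //= q
        q += 1
    return m <= B


def smooth_tally(curves, primes, B=100):
    """For each named curve (a, b), count the primes p in `primes` (skipping those
    where E is singular) for which |E(F_p)| is B-smooth: one cell of the table."""
    tally = {}
    for name, (a, b) in curves.items():
        tally[name] = sum(
            1 for p in primes
            if (4 * a ** 3 + 27 * b ** 2) % p != 0 and is_smooth(count_points(a, b, p), B)
        )
    return tally


# Constructed sample: the 50th to 168th primes (229 up to 997), a far smaller
# range than the set A of the text, so the tallies are only indicative.
SAMPLE_PRIMES = primes_up_to(1000)[49:]
SAMPLE_CURVES = {
    "E_1: y^2 = x^3 + 3": (0, 3),                  # the trivial-torsion curve of the list
    "Example 3.3.1: y^2 = x^3 + 5x - 5": (5, -5),
}

if __name__ == "__main__":
    for p in (599, 761):
        m = count_points(5, -5, p)
        print(p, m, hasse_interval(p), "5-smooth:", is_smooth(m, 5),
              "100-smooth:", is_smooth(m, 100))
    print(smooth_tally(SAMPLE_CURVES, SAMPLE_PRIMES))
```

For p = 599 and p = 761 the counts are the 640 and 777 quoted in Section 4.5.1, both inside their Hasse intervals; 640 is 5-smooth and 777 is not, which is why 8! worked in Example 3.3.1, while with the 100-smooth criterion of the table both orders count as smooth.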
Chapter 5
Constructing Elliptic Curves with prescribed Torsion or larger Rank
In the first part of this chapter, we give an overview of various methods and approaches for
creating elliptic curves with prescribed torsion over particular number fields. This is not an
extensive list, but it covers most types of number fields for which there currently are known
methods to create the desired elliptic curves. We close with a short discussion about the
ranks of elliptic curves.
5.1 Methods for finding curves with prescribed torsion
In [12], Kubert discusses the bound for the size of the torsion subgroup of elliptic curves
over general number fields. The most significant part of Kubert’s discussion for us is a
complete list of parameterizations for elliptic curves with desired torsion over the rationals.
This means we can create an elliptic curve with any of the torsion subgroups described in
Mazur’s Theorem!
In [21], Sutherland summarizes work on generalizing Mazur’s theorem, in particular dis-
cussing the possible torsion subgroups over quadratic, cubic, quartic, and quintic fields
(number fields of degree 2, 3, 4, and 5). For higher degrees only the existence of a bound
on the size of the torsion subgroup is known (Theorem 4.12), but not its exact value. In
addition to listing the results of these works, Sutherland also gives proof sketches and an
example of how to construct certain curves with a desired torsion over quadratic fields.
However, these methods involve modular curves whose discussion is not within the scope of
this paper.
Najman and Kamienny take a different approach [10] – instead of finding elliptic curves with
prescribed torsion, they fix one of the possible torsion subgroups listed in Theorem 4.10 and
find quadratic number fields over which elliptic curves can have this particular torsion. In
an earlier paper, Najman proves that, other than the ones listed in Mazur's Theorem,
the only possible torsion subgroup over Q(i) is Z/4Z × Z/4Z, and over Q(√−3) they are
Z/3Z × Z/6Z and Z/3Z × Z/3Z [16].
In [8] and [7], Jeon, Kim, Park, and Lee discuss which torsion subgroups arise infinitely
often over quartic number fields (Theorem 4.11), and describe methods for finding elliptic
curves with prescribed torsion over quadratic and quartic number fields.
The result of Dujella and Najman in regards to finding elliptic curves with prescribed torsion
is twofold [4]:
1. There exists a method to find elliptic curves with torsions Z/4Z × Z/8Z, Z/5Z × Z/5Z,
and Z/6Z × Z/6Z over biquadratic fields¹ (without the use of modular curves).
2. If we already have a family of curves, we can find a subfamily with larger rank.
We present the first method of Dujella and Najman in section 5.1.1 and come back to their
second method in section 5.2.1.
5.1.1 The method of Dujella and Najman
To construct individual elliptic curves with torsion subgroup Z/6Z×Z/6Z, we can take an
elliptic curve E from the following family of elliptic curves.
$$Y^2 = X^3 + (108 + T^6)X^2 + (144T^6 + 3888)X + 64T^{12} + 3456T^6 + 46656 \qquad (5.1)$$
¹ A biquadratic field is the smallest number field containing two square roots, √a and √b for a, b ∈ Q.
This family has Etors = Z/3Z × Z/3Z over Q(√−3, T), where T ∈ C can be freely chosen.
Then E has torsion Z/3Z × Z/3Z over Q(√−3) and the desired torsion Z/6Z × Z/6Z over
Q(√−3, √∆), where ∆ is the discriminant of E. Each curve constructed this way will have
rank at least 2.
For elliptic curves with torsion subgroup Z/4Z×Z/8Z or Z/5Z×Z/5Z, Dujella and Najman
build on the results of Jeon, Kim, and Park [8]. Discussing this method is outside the scope
of this paper, but the basic strategy is to first use the methods presented in [8] to find
elliptic curves with desired torsion subgroup and then “filter” out the curves with rank 0.
5.2 Ranks of Elliptic Curves
There are several aspects to the rank of an elliptic curve. Most notably, for any given elliptic
curve there is next to nothing we can say about the rank – it could be 0, or it could be
anything higher. There is an ongoing discussion about an upper bound of the rank of an
elliptic curve, the currently highest known overall rank is 28 for a curve with trivial torsion
subgroup [3].
Interestingly, the size of the rank seems to depend on the size of the torsion subgroup – the
highest ranks are found for elliptic curves with small torsion subgroup, and as the size of the
torsion subgroup grows the highest known rank drops. The following table is taken from
[3]. B denotes the best known lower bound for $B(T) = \sup\{\mathrm{rank}(E(\mathbb{Q})) : E(\mathbb{Q})_{\mathrm{tors}} = T\}$.
  E(Q)tors    0     Z/2Z   Z/3Z   Z/4Z   Z/5Z   Z/6Z   Z/7Z   Z/8Z   Z/9Z   Z/10Z
  B           28    19     13     12     8      8      5      6      4      4
  E(Q)tors    Z/12Z   Z/2Z×Z/2Z   Z/2Z×Z/4Z   Z/2Z×Z/6Z   Z/2Z×Z/8Z
  B           4       15          9           6           3
As mentioned before, for ECM we need the rank to be strictly positive. Otherwise $E(\mathbb{Q}) \cong E(\mathbb{Q})_{\mathrm{tors}}$, so every rational point on E has finite order. Then, by the Nagell-Lutz Theorem, the
only rational points on E are integer points. Adding integer points now gives other integer
points or O, so point addition does not require finding gcd's anymore. Therefore, ECM
won't yield any prime factors.
It is unclear whether curves with higher ranks are more useful. In [4], Dujella and Najman
present a method that translates a family of elliptic curves into a subfamily with larger
rank. Dujella and Najman also co-authored another paper on elliptic curves with prescribed
torsion with more focus on the possible ranks and their importance [2]. The fact that the
rank of the subfamily we find through this process is larger than before does not necessarily
increase our chances of success with ECM. However, it allows us to find more curves
with the same torsion, which is helpful if we want to keep using different but similar
curves over whose torsion we now have some control.
Chapter 6
Summary and Conclusion
The way in which we introduced elliptic curves in Chapter 2 was fairly abstract, and the way
we motivated point addition may have seemed somewhat arbitrary. However, this allows
us to see all forms of elliptic curves as essentially the same, since we can transform any
elliptic curve into the form E : y² = ax³ + bx + c, as long as the curve E is defined over
a perfect field K with char(K) ≠ 2, 3. Further, seeing how elliptic curves form additive
groups explains why ECM yields factors of a composite integer n when we perform the
point addition modulo n, as seen in Chapter 3. The point addition in ECM fails exactly
when the point addition formulas involve a denominator m that happens to be a zero divisor
of Z/nZ. This means m has no multiplicative inverse modulo n, so gcd(n, m) gives us the
sought-after factor of n, provided that 1 < gcd(n, m) < n. If gcd(n, m) = n, the multiple of
our point has become O modulo every prime factor of n at once, and we have to start over
with a different curve or point.
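The two claims above, the rank-0 argument of Section 5.2 and the gcd description in this summary, can be checked on small numbers. The following Python script is an added example written for this edition; it is not code from the paper and not the implementation in [1]. It runs stage 1 of ECM in affine coordinates, multiplying the starting point successively by 2, 3, ..., B (so by B! overall, as in Pollard's p − 1), and reports the gcd as soon as a denominator is not invertible modulo n. It also handles the case a practitioner must not forget: two points with equal x but y-coordinates that are neither equal nor opposite modulo n, which cannot happen modulo a prime and therefore exposes a factor through gcd(y1 + y2, n). The inputs are constructed: y² = x³ + x + 1 with P = (0, 1) and n = 35 = 5 · 7, where #E(F_5) = 9 and #E(F_7) = 5, and the rank-0 curve y² = x³ + 1 with its torsion point P = (2, 3) of order 6 and n = 143 = 11 · 13. All function names are our own.

```python
from math import gcd


class FactorFound(Exception):
    """Raised when a denominator has no inverse modulo n; d = gcd(denominator, n)."""

    def __init__(self, d):
        super().__init__(d)
        self.d = d


def inverse_or_factor(m, n):
    """Return m^-1 mod n, or raise FactorFound(gcd(m, n)) if there is none.
    gcd(0, n) = n, so a denominator that is 0 modulo n reports n (a failed run)."""
    d = gcd(m % n, n)
    if d != 1:
        raise FactorFound(d)
    return pow(m, -1, n)


def ec_add(P, Q, a, n):
    """Add affine points on y^2 = x^3 + a*x + b modulo n (b is implicit in the points).
    A sum equal to O is reported as FactorFound(n): its denominator is 0 modulo n."""
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % n != 0:
        lam = (y2 - y1) * inverse_or_factor(x2 - x1, n) % n
    elif (y1 - y2) % n == 0:
        # same point: tangent slope with denominator 2y
        lam = (3 * x1 * x1 + a) * inverse_or_factor(2 * y1, n) % n
    elif (y1 + y2) % n == 0:
        # P = -Q modulo n: x2 - x1 vanishes modulo every prime factor of n
        raise FactorFound(n)
    else:
        # x1 = x2 but y1 != +-y2 modulo n: impossible modulo a prime, so n is
        # composite and y1 + y2 vanishes modulo some but not all of its factors.
        raise FactorFound(gcd((y1 + y2) % n, n))
    x3 = (lam * lam - x1 - x2) % n
    y3 = (lam * (x1 - x3) - y1) % n
    return (x3, y3)


def ec_mul(k, P, a, n):
    """Left-to-right double-and-add computation of k*P modulo n (k >= 1)."""
    R = P
    for bit in bin(k)[3:]:
        R = ec_add(R, R, a, n)
        if bit == "1":
            R = ec_add(R, P, a, n)
    return R


def ecm_stage1(n, a, P, B):
    """Multiply P by 2, 3, ..., B in turn.  Returns a proper factor d (1 < d < n)
    on success, n if the point became O modulo every prime factor at once, or
    None if no denominator failed (B too small for this curve)."""
    Q = P
    try:
        for j in range(2, B + 1):
            Q = ec_mul(j, Q, a, n)
    except FactorFound as e:
        return e.d
    return None


if __name__ == "__main__":
    # Constructed input: 120*P = O modulo 7 (order 5) but not modulo 5 (order 9).
    print("y^2 = x^3 + x + 1, P = (0, 1), n = 35:", ecm_stage1(35, 1, (0, 1), 5))
    # Constructed input: P = (2, 3) has order 6 in E(Q), so 6*P = O modulo 11
    # and modulo 13 simultaneously and the gcd is n itself.
    print("y^2 = x^3 + 1, P = (2, 3), n = 143:", ecm_stage1(143, 0, (2, 3), 5))
```

In the first run the factor 7 appears while computing 5 · (24P): the two summands 96P and 24P share an x-coordinate modulo 35 because they are equal modulo 5 but opposite modulo 7, which is exactly the mixed case handled by the last branch of ec_add. In the second run the torsion point collapses to O modulo both primes at once and the routine returns 143, which is the failure described above.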
To understand why we sometimes encounter such denominators we considered the torsion
subgroup in Chapter 4. As it turned out, elliptic curves have only a few possible torsion
subgroups over Q and over small degree field extensions, and using elliptic curves with a
large torsion subgroup we are more likely to encounter denominators with no multiplicative
inverse modulo n: for every odd prime p of good reduction the torsion subgroup injects into
E(F_p), so its order divides #E(F_p), which makes #E(F_p) more likely to be smooth. Hence,
in order to improve ECM we need a way to construct curves with a large torsion subgroup.
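The divisibility just mentioned can be observed directly. The following Python script is an added example for this edition, not code from the paper: it counts the points of y² = x³ + ax + b over F_p by brute force, restricts to the odd primes of good reduction (those not dividing the discriminant −16(4a³ + 27b²)), and takes the gcd of the point counts, which by the injectivity of reduction is a multiple of |E(Q)tors|. The three curves are our own choices: y² = x³ + 1 with torsion Z/6Z, y² = x³ − 43x + 166 with torsion Z/7Z generated by (3, 8), and y² = x³ + x + 1, whose torsion is trivial so that (0, 1) has infinite order.

```python
from math import gcd


def primes_below(bound):
    """Sieve of Eratosthenes: all primes p < bound."""
    sieve = bytearray([1]) * bound
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [p for p in range(bound) if sieve[p]]


def count_points(a, b, p):
    """#E(F_p) for E: y^2 = x^3 + a*x + b, including the point at infinity:
    for each x, add the number of y in F_p with y^2 = x^3 + a*x + b."""
    squares = {}
    for y in range(p):
        squares[y * y % p] = squares.get(y * y % p, 0) + 1
    return 1 + sum(squares.get((x ** 3 + a * x + b) % p, 0) for x in range(p))


def odd_good_primes(a, b, bound):
    """Odd primes p < bound not dividing the discriminant -16(4a^3 + 27b^2);
    for these the reduction map E(Q)tors -> E(F_p) is injective."""
    disc = -16 * (4 * a ** 3 + 27 * b ** 2)
    return [p for p in primes_below(bound) if p > 2 and disc % p != 0]


def torsion_bound(a, b, bound):
    """gcd of #E(F_p) over the odd good primes below bound: a multiple of
    |E(Q)tors|, and usually equal to it once a few primes are included."""
    g = 0
    for p in odd_good_primes(a, b, bound):
        g = gcd(g, count_points(a, b, p))
    return g


def torsion_divides_all_counts(a, b, m, bound):
    """True iff m divides #E(F_p) for every odd good prime p < bound."""
    return all(count_points(a, b, p) % m == 0 for p in odd_good_primes(a, b, bound))


if __name__ == "__main__":
    curves = [(0, 1, "y^2 = x^3 + 1 (torsion Z/6Z)"),
              (-43, 166, "y^2 = x^3 - 43x + 166 (torsion Z/7Z)"),
              (1, 1, "y^2 = x^3 + x + 1 (trivial torsion)")]
    for a, b, name in curves:
        counts = [count_points(a, b, p) for p in odd_good_primes(a, b, 30)]
        print(name, "| gcd of counts below 200:", torsion_bound(a, b, 200),
              "| counts for p < 30:", counts)
```

For y² = x³ + x + 1 the counts 4, 9 and 5 for p = 3, 5, 7 already force the gcd to 1, which is why the example in the summary uses its point (0, 1) to find a factor, whereas every count for y² = x³ + 1 is a multiple of 6 and every count for y² = x³ − 43x + 166 is a multiple of 7.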
In Chapter 5, we saw various results from different research papers on this topic, first and
foremost a complete list of parameterizations for elliptic curves with prescribed torsion over
Q by Kubert. More recent results showed that elliptic curves with large torsion subgroup
over other number fields are useful for ECM as well, in particular when we have specific
information about the prime factors we expect to find. Since we may not always have enough
information about the prime factors we seek, this approach will not always be practicable.
However, there are methods to construct elliptic curves with prescribed torsion over small
degree field extensions of Q, and combining these with Kubert's list of parameterizations
should allow for the construction of elliptic curves with large torsion subgroup over Q as
well as over some small degree field extensions.
The development of such a curve was outside the scope of this paper and unfortunately
cannot yet be found in the relevant literature. In fact, it seems that the main motivation
behind the research being done is a certain fascination with elliptic curves and the curiosity
about what can be said about them in general. The actual implications for ECM or other
applications are rather convenient side effects.
Nevertheless, the discussion of elliptic curves showed us a new and rather unconventional
kind of group structure. Moreover, it is interesting to see how much of the theory behind
elliptic curves was developed close to 100 years ago, only to be picked up again some 60 years
later by cryptographers once computers had made practical use of elliptic curves possible. During
the past 40 years of research, beginning with Mazur in 1972, much more light has been shed
on the properties of elliptic curves, but it is still unclear which torsion subgroups we can
expect over number fields of degree higher than 5 over Q, and which ranks are possible.
For improving ECM, however, this research has already provided insights and methods that
significantly improve the algorithm, many of which were presented in our discussion. For the
interested reader, a highly optimized implementation can be found online at [1].
Bibliography
[1] D. Alpern, Factorization using the elliptic curve method.
[2] J. Bosman, P. Bruin, A. Dujella, and F. Najman, Ranks of elliptic curves with prescribed
torsion over number fields, (2011).
[3] A. Dujella, High rank elliptic curves with prescribed torsion.
[4] A. Dujella and F. Najman, Elliptic curves with large torsion and positive rank over
number fields of small degree and ECM factorization, (2011).
[5] H. Hasse, Zur Theorie der abstrakten elliptischen Funktionenkörper, Crelle's Journal,
175 (1936).
[6] http://www.loria.fr/~zimmerma/records/top50.html.
[7] D. Jeon, C. H. Kim, and Y. Lee, Families of elliptic curves over quartic number fields
with prescribed torsion subgroups, Mathematics of Computation, 80 (2011), pp. 2395–2410.
[8] D. Jeon, C. H. Kim, and E. Park, On the torsion of elliptic curves over quartic number
fields, J. London Math. Soc., 74 (2006), pp. 1–12.
[9] S. Kamienny, Torsion points on elliptic curves and q-coefficients of modular forms,
Invent. Math., 109 (1992), pp. 221–229.
[10] S. Kamienny and F. Najman, Torsion groups of elliptic curves over quadratic fields,
Acta Arith., 152 (2012), pp. 291–305.
[11] M. A. Kenku and F. Momose, Torsion points on elliptic curves defined over
quadratic fields, Nagoya Math. J., 109 (1988), pp. 125–149.
[12] D. S. Kubert, Universal bounds on the torsion of elliptic curves, Proc. London Math.
Soc. (3), 33 (1976), pp. 193–237.
[13] B. Mazur, Rational points of abelian varieties with values in towers of number fields,
Invent. Math., 18 (1972), pp. 183–266.
[14] L. Merel, Bornes pour la torsion des courbes elliptiques sur les corps de nombres,
Invent. Math., 124 (1996), pp. 437–449.
[15] L. J. Mordell, On the rational solutions of the indeterminate equations of the third and
fourth degrees, Proc. Cambridge Philos. Soc., 21 (1922–23), pp. 179–192.
[16] F. Najman, Complete classification of torsion of elliptic curves over quadratic cyclotomic
fields, Math. J. Okayama Univ., 53 (2011), pp. 75–82.
[17] F. Najman, Torsion of rational elliptic curves over cubic fields and sporadic points on X1(N),
(2012).
[18] J. M. Pollard, Theorems on factorization and primality testing, Proc. Cambridge
Philos. Soc., 76 (1974), pp. 521–528.
[19] J. H. Silverman, The Arithmetic of Elliptic Curves, Springer (1986).
[20] J. H. Silverman and J. Tate, Rational Points on Elliptic Curves, Springer (1992).
[21] A. Sutherland, Torsion subgroups of elliptic curves over number fields, (2012).
[22] A. Weil, L'arithmétique sur les courbes algébriques, Acta Math., 52 (1928), pp. 281–315.