The Mathematics of Public-Key Cryptography, Lecture 22
November 30, 2000
Summary of material covered in lecture 22
- Pollard's p-1 factoring algorithm
  - assumptions: for specified bounds B and C,
    n has a prime divisor p such that p-1 <= C; and
    for all prime divisors q of p-1, q <= B
  - definition of an integer K, that depends on
    B and C, such that a^K = 1 mod p for all a with gcd(a,n) = 1
  - gcd(a^K - 1 mod n, n) yields a nontrivial
    factor unless a^K = 1 mod n
- Lenstra's elliptic curve factoring algorithm
  - elliptic curves defined over Z_n for n composite
  - discussion of when the addition law breaks down
  - modification of the p-1 algorithm to the setting of elliptic
    curves
  - conditions on B, C, and K
    where the group Z_p* is replaced by an elliptic curve E
    defined over Z_p
  - computation of KP, where P is a point on the curve E defined
    over Z_n
  - the addition law breaks down iff a factor of n is found
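
The p-1 items above, worked through in Python as an added example (not part of the lecture notes). It assumes the usual choice of K, the product over primes q <= B of the largest power of q not exceeding C, which the summary does not spell out; the function names and the two sample moduli are constructed for illustration.

```python
from math import gcd

def primes_up_to(B):
    """Sieve of Eratosthenes: all primes q <= B."""
    sieve = bytearray([1]) * (B + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(B ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i in range(2, B + 1) if sieve[i]]

def exponent_K(B, C):
    """Assumed definition of K: product over primes q <= B of the
    largest power q^e with q^e <= C.  If p-1 <= C and every prime
    divisor of p-1 is <= B, each prime power dividing p-1 divides K,
    so (p-1) | K and a^K = 1 mod p by Fermat's little theorem."""
    K = 1
    for q in primes_up_to(B):
        qe = q
        while qe * q <= C:
            qe *= q
        K *= qe
    return K

def pollard_p_minus_1(n, B, C, a=2):
    """Return a nontrivial factor of n, or None when the method fails
    for these bounds (in particular when a^K = 1 mod n)."""
    g = gcd(a, n)
    if g > 1:                       # base already shares a factor with n
        return g if g < n else None
    d = gcd(pow(a, exponent_K(B, C), n) - 1, n)
    return d if 1 < d < n else None

if __name__ == "__main__":
    # Constructed sample: 2521 - 1 = 2^3 * 3^2 * 5 * 7 satisfies the
    # assumptions for B = 7, C = 2520; 2039 - 1 = 2 * 1019 does not.
    print(pollard_p_minus_1(2521 * 2039, B=7, C=2520))   # 2521
    # Constructed failure case: 127 - 1 = 2 * 3^2 * 7 also divides K,
    # so a^K = 1 mod n and the gcd is n itself.
    print(pollard_p_minus_1(2521 * 127, B=7, C=2520))    # None
```

The second call shows why a modulus is only exposed when exactly one of its prime factors has a smooth p-1; choosing smaller bounds or a different base a is the usual response to that failure.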