The aim of this paper is to describe the theory and implementation of the Elliptic Curve Primality Proving algorithm.

We show how to compute x k using multiplications and divisions. We use this method in the context of elliptic curves for which a law exists with the property that division has the same cost as multiplication. Our best algorithm is 11.11% faster than the ordinary binary algorithm and speeds up accordingly the factorization and primality testing algorithms using elliptic curves. 1. Introduction. Recent algorithms used in primality testing and integer factorization make use of elliptic curves defined over finite fields or Artinian rings (cf. Section 2). One can define over these sets an abelian law. As a consequence, one can transpose over the corresponding groups all the classical algorithms that were designed over Z/NZ. In particular, one has the analogue of the p \Gamma 1 factorization algorithm of Pollard [29, 5, 20, 22], the Fermat-like primality testing algorithms [1, 14, 21, 26] and the public key cryptosystems based on RSA [30, 17, 19]. The basic operation performed on an elli...

The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the Rivest-Shamir-Adelman (RSA) system, depends on the difficulty of factoring the public keys. In recent years the best known integer factorisation algorithms have improved greatly, to the point where it is now easy to factor a 60-decimal digit number, and possible to factor numbers larger than 120 decimal digits, given the availability of enough computing power. We describe several algorithms, including the elliptic curve method (ECM), and the multiple-polynomial quadratic sieve (MPQS) algorithm, and discuss their parallel implementation. It turns out that some of the algorithms are very well suited to parallel implementation. Doubling the degree of parallelism (i.e. the amount of hardware devoted to the problem) roughly increases the size of a number which can be factored in a fixed time by 3 decimal digits. Some recent computational results are mentioned – for example, the complete factorisation of the 617-decimal digit Fermat number F11 = 2211 + 1 which was accomplished using ECM.

We describe the complete factorization of the tenth Fermat number F 10 by the elliptic curve method (ECM). F 10 is a product of four prime factors with 8, 10, 40 and 252 decimal digits. The 40-digit factor was found after about 140 Mflop-years of computation. We also discuss the complete factorization of other Fermat numbers by ECM, and summarize the factorizations of F 5 ; : : : ; F 11 .

. We describe the complete factorization of the tenth and eleventh Fermat numbers. The tenth Fermat number is a product of four prime factors with 8, 10, 40 and 252 decimal digits. The eleventh Fermat number is a product of five prime factors with 6, 6, 21, 22 and 564 decimal digits. We also note a new 27-decimal digit factor of the thirteenth Fermat number. This number has four known prime factors and a 2391-decimal digit composite factor. All the new factors reported here were found by the elliptic curve method (ECM). The 40-digit factor of the tenth Fermat number was found after about 140 Mflop-years of computation. We discuss aspects of the practical implementation of ECM, including the use of special-purpose hardware, and note several other large factors found recently by ECM. 1. Introduction For a nonnegative integer n, the n-th Fermat number is F n = 2 2 n + 1. It is known that F n is prime for 0 n 4, and composite for 5 n 23. Also, for n 2, the factors of F n are of th...

Finitely generated Z-modules have canonical decompositions. When such modules are given in a finitely presented form there is a classical algorithm for computing a canonical decomposition. This is the algorithm for computing the Smith normal form of an integer matrix. We discuss algorithms for Smith normal form computation, and present practical algorithms which give excellent performance for modules arising from badly presented abelian groups. We investigate such issues as congruential techniques, sparsity considerations, pivoting strategies for Gauss-Jordan elimination, lattice basis reduction and computational complexity. Our results, which are primarily empirical, show dramatically improved performance on previous methods. 1

. We describe a primality testing algorithm, due essentially to Atkin, that uses elliptic curves over finite fields and the theory of complex multiplication. In particular, we explain how the use of class fields and genus fields can speed up certain phases of the algorithm. We sketch the actual implementation of this test and its use on testing large primes, the records being two numbers of more than 550 decimal digits. Finally, we give a precise answer to the question of the reliability of our computations, providing a certificate of primality for a prime number. IMPLEMENTATION DU TEST DE PRIMALITE D' ATKIN, GOLDWASSER, ET KILIAN R'esum'e. Nous d'ecrivons un algorithme de primalit'e, principalement du `a Atkin, qui utilise les propri'et'es des courbes elliptiques sur les corps finis et la th'eorie de la multiplication complexe. En particulier, nous expliquons comment l'utilisation du corps de classe et du corps de genre permet d'acc'el'erer les calculs. Nous esquissons l'impl'ementati...

Cohen, Lewin and Zagier found four ladders that entail the polylogarithms

The security of the most popular asymmetric cryptographic scheme RSA depends on the hardness of factoring large numbers. The best known method for this integer factorization is the General Number Field Sieve (GNFS). One important step within the GNFS is the factorization of mid-size numbers without small prime divisors. This can be done efficiently by the Elliptic Curve Method (ECM), e.g. in special hardware. In this work, we present an efficient hardware implementation of ECM to factor numbers up to 200 bit, which is also scalable to other bit lengths. For proof-of-concept purposes, ECM is realized as a software-hardware co-design on an FPGA and an embedded microcontroller. This appears to be the first publication of a realized hardware implementation of ECM. We adapted ECM for the requirements of efficient special hardware and provide estimates for a state-of-the-art CMOS implementation of the design and for the application of massive parallel ECM engines to the GNFS. The factorization of large integers such as RSA moduli can be improved considerably by using the ECM hardware presented.

A novel portable hardware architecture of the Elliptic Curve Method of factoring, designed and optimized for application in the relation collection step of the Number Field Sieve, is described and analyzed. A comparison with an earlier proof-of-concept design by Pelzl, Simka, et al. has been performed, and a substantial improvement has been demonstrated in terms of both the execution time and the area-time product. The ECM architecture has been ported across five different families of FPGA devices in order to select the family with the best performance to cost ratio. A timing comparison with the highly optimized software implementation, GMP-ECM, has been performed. Our results indicate that low-cost families of FPGAs, such as Spartan-3 and Spartan-3E, offer at least an order of magnitude improvement over the same generation of microprocessors in terms of the performance to cost ratio. 1.