The security of the most popular asymmetric cryptographic scheme RSA depends on the hardness of factoring large numbers. The best known method for factorization large integers is the General Number Field Sieve (GNFS). Recently, architectures for special purpose hardware for the GNFS have been proposed [5, 12]. One important step within the GNFS is the factorization of mid-size numbers for smoothness testing, an efficient algorithm for which is the Elliptic Curve Method (ECM). Since the smoothness testing is also suitable for parallelization, it is promising to improve ECM via special-purpose hardware. We show that massive parallel and cost efficient ECM hardware engines can improve the cost-time product of the RSA moduli factorization via the GNFS considerably. The computation of ECM is a classical example for an algorithm that can be significantly accelerated through special-purpose hardware. In this work, we present an efficient hardware implementation of ECM to factor numbers up to 200 bits, which is also scalable to other bit lengths. For proof-ofconcept purposes, ECM is realized as a softwarehardware co-design on an FPGA and an embedded microcontroller. This appears to be the first pub-

Abstract. We report the discovery of new 27-decimal digit factors of the thirteenth and sixteenth Fermat numbers. Each of the new factors was found by the elliptic curve method. After division by the new factors and other known factors, the quotients are seen to be composite numbers with 2391 and 19694 decimal digits respectively. 1.

Abstract. The Elliptic Curve Method for integer factorization (ECM) was invented by H. W. Lenstra, Jr., in 1985 [14]. In the past 20 years, many improvements of ECM were proposed on the mathematical, algorithmic, and implementation sides. This paper summarizes the current state-of-the-art, as implemented in the GMP-ECM software.

We propose an elliptic curve scheme over the ring Z n 2, which is efficient and semantically secure in the standard model. There appears to be no previous elliptic curve cryptosystem based on factoring that enjoys both of these properties. KMOV scheme has been used as an underlying primitive to obtain efficiency and probabilistic encryption. Semantic security of the scheme is based on a new decisional assumption, namely, the Decisional Small-x e-Multiples Assumption. Confidence on this assumption is also discussed.

We report the discovery of a new factor for each of the Fermat numbers F 13 ,F 15 ,F 16 . These new factors have 27, 33 and 27 decimal digits respectively. Each factor was found by the elliptic curve method. After division by the new factors and previously known factors, the remaining cofactors are seen to be composite numbers with 2391, 9808 and 19694 decimal digits respectively. 1.

Factor is a program which accesses a large database of factors of integers of the form a n ±1. As of March 1994 the database contains more than 175,000 factors of size at least 10 4. The program factor implements a simple version of the Elliptic Curve algorithm if it is unable to complete a factorization using trial division and the factor database. Factor is written in Turbo Pascal and runs on IBM PC or compatible computers. This report describes factor and various related programs. The programs and the factor database are available from the author. 1.

. Let N = P R where P is a prime not dividing R. We show how a special class of functions f : ZN ! Z can be used to help obtain P given N . The requirements of f are that it be non-trivial and that f(x) = f(x mod P ). Such a function does not \see" R. Hence the name partially oblivious. 1. Introduction It is not known how to eciently factor a large integer N . Currently, the algorithm with best asymptotic complexity is the Number Field Sieve (see [6] ). For numbers below a certain size (currently believed to be about 100 decimal digits), either the Quadratic Sieve [12] or Lenstra's Elliptic Curve Method (ECM) [7] are faster. Which of these algorithms to use depends on the size of N and of the smallest prime factor of N . When the size of the smallest factor is suciently smaller than p N , ECM is the fastest of the three. This note describes a speedup of ECM under special conditions. Suppose N = P R, where P is a prime not dividing R. We assume the size, in bits, of P is know...

In [1], Vanstone and Zuccherato proposed a public-key elliptic curve cryptosystem in which the public key consists of an integer N and an elliptic curve E defined over the ring Z=NZ. Here N is a product of two secret primes p and q, each of special form, and the order of E modulo N is smooth. We present three attacks, each of which factors the modulus N and hence breaks the cryptosystem. The first attack exploits the special form of p and q; the second exploits the smoothness of the elliptic curve; and the third attack breaks a proposed application of the system to user authentication. For parameters as in [1], the modulus can be factored within a fraction of a second. Keywords Cryptography, public key, authentication, discrete logarithm, elliptic curves, factoring. I. The proposed cryptosystem In a recent cryptosystem proposed by Vanstone and Zuccherato [1], part of the public key is an integer N which is a product of two secret primes p and q. An elliptic curve E over Z=NZ is ch...

Abstract. This paper introduces GMP-EECM, a fast implementation of the elliptic-curve method of factoring integers. GMP-EECM is based on, but faster than, the well-known GMP-ECM software. The main changes are as follows: (1) use Edwards curves instead of Montgomery curves; (2) use twisted inverted Edwards coordinates; (3) use signedsliding-window addition chains; (4) batch primes to increase the window size; (5) choose curves with small parameters a, d, X1, Y1, Z1; (6) choose curves with larger torsion.

We compare implementations of two integer factorisation algorithms, the elliptic curve method (ECM) and a variant of the Pollard "rho " method, on three machines (the Fujitsu AP1000, VP2200 and VPP500) with parallel and/or vector architectures. ECM is scalable and well suited for both vector and parallel architectures.