Decomposition of RSA modulus applying even order elliptic curves

Jacek Pomykała, Mariusz Jurkiewicz

TL;DR

This work proposes a novel factoring approach for RSA moduli based on even-order elliptic curves over $\mathbb{Z}_N$, leveraging separating and non-separating decompositions via pairs $(E,Q)$. It introduces decomposition multipliers $M_t$, defines $l_{\min}$ and $t_{\min}$, and develops an elliptic-curve framework that includes 2-adic separation within the ${\mathcal{E}}_2$ family, aided by twists $E^{\tau}$ to adjust Frobenius traces. The main results establish deterministic runtimes for separating decompositions with $t_{\min}$ or $l_{\min}\le t$, and show that non-separating (but $B$-consistent) cases can also be solved in polynomial time under GRH with a suitable conjecture on order distributions. An explicit algorithm $\mathcal{A}$ combines random triple generation, $t_{\min}$ evaluation, base-$d$ reconstruction, and occasional Coppersmith refinements to factor $N=pq$; the approach highlights the potential subexponential or polylogarithmic behaviors under standing conjectures and provides concrete numerical examples. The work thus contributes a theoretically rich pathway toward RSA-modulus decomposition through elliptic-curve witnesses with both separating and non-separating scenarios, potentially impacting factoring hardness assumptions under specific hypotheses.

Abstract

An efficient integer factorization algorithm would reduce the security of all variants of the RSA cryptographic scheme to zero. Despite the passage of years, no method for efficiently factoring large semiprime numbers in a classical computational model has been discovered. In this paper, we demonstrate how a natural extension of the generalized approach to smoothness, combined with the separation of $2$-adic point orders, leads us to propose a factoring algorithm that finds (conjecturally) the prime decomposition $N = pq$ in subexponential time $L(\sqrt 2+o(1), \min(p,q))$. This approach, motivated by the papers \cite{Len}, \cite{MMV} and \cite{PoZo}, is based on a more careful investigation of pairs $(E,Q)$, where $Q$ is a point on an elliptic curve $E$ over $\mathbb{Z}_N$. Specifically, in contrast to the familiar condition that the largest prime divisor $P^+(\operatorname{ord} Q_p)$ of the reduced order $\operatorname{ord} Q_p$ does not divide $\#E(\mathbb{F}_q)$, we focus on the relation between $P^+(\operatorname{ord} Q_r)$ and the smallest prime number $l_{\min}(E,Q)$ separating the orders $\operatorname{ord} Q_p$ and $\operatorname{ord} Q_q$. We focus on the ${\mathcal{E}}_2$ family of even order elliptic curves over $\mathbb{Z}_N$, since then the condition $l_{\min}(E,Q)\le 2$ holds true for a large fraction of points $(x,y)\in E(\mathbb{Z}_N)$. Moreover, if we know a pair $(E,Q)$ such that $P^+(\operatorname{ord} Q_r)\le t<l_{\min}(E,Q)$ and $d=\max_{r\in \{p,q\}}(\operatorname{ord} Q_r)$ is large in comparison to $\min_{r\in \{p,q\}}|a_r(E)|\neq 0$, then we can decompose $N$ in deterministic time $t^{1+o(1)}$ by representing $N$ in base $d$.

Paper Structure

This paper contains 10 sections, 9 theorems, 30 equations.

Key Result

Lemma

Assume that we are given a $t$-multiplier $M_t$ for the pair $(E,Q)$ for some $t\le B$. Then, in deterministic time $B$, one can compute the decomposition $N=pq$ or find both reduced orders $\operatorname{ord} Q_p$ and $\operatorname{ord} Q_q$, which must be equal.
