Re: Mersenne: ECM Question...

2001-05-22 Thread Alexander Kruppa 

Alexander Kruppa wrote:
 

 gp_p(x) | go_p, and p+1-sqrt(p) = go_p = p+1+sqrt(p) . Since go_p(x)

Correction: I have taken the limits above from my memory which has once
again proved itself untrustworthy. The correct limits are
p+1-2*sqrt(p)  go_p = p+1+2*sqrt(p) , a theorem by Haase, which I
found in O. Forster, Algorithmische Zahlentheorie.

Ciao,
  Alex.
_
Unsubscribe  list info -- http://www.scruz.net/~luke/signup.htm
Mersenne Prime FAQ  -- http://www.tasam.com/~lrwiman/FAQ-mers

Re: Mersenne: ECM Question...

2001-05-21 Thread Alexander Kruppa 

Steve Phipps wrote:
 
 While we're on the subject, can someone explain how to derive the group
 order for factors found using ECM? I've been carrying out ECM on an old PC
 for almost a year now, and I'd like to be able to derive, and factorise,
 the group orders for the factors that I've found.
 
 I've been making an effort to understand the maths, and I'm getting there
 slowly, but I've found nothing yet that explains how to derive the group
 orders. If my understanding is correct, you would need to know the
 equations used by mprime to derive the co-ordinates of the starting point
 for each curve.
 
 Anyway, if someone could explain how to derive the group order, or point
 me in the right direction, I'd be very grateful.
 
 Regards,
 Steve

I'm by no means an expert on ECM, but let me try..

There seems to be a formula to compute the order of an elliptic curve
over Z/p*Z, p prime, but that formula is afaik rather complicated to
compute.
What you can do when you want the order of a successful ECM curve is
this:
p is the factor of N that was found by the curve, go_p is the order of
the curve and go_p(x) is the order of x in that curve.
If a!=0 but a*q=0, q prime, then q is the group order of a and a factor
of the order of the group. (0 is the neutral element here).
You can run the sucessful ECM curve normally, but test for a factor
after every multiplication with a prime q and see if the factor p is now
found - if so, then q is a factor of the group order. Remember the q's
and restart the curve, but multipliying the initial point x with all the
q's to find smaller factors of the group order.
A very informal algorithm might look like this:

known_go = 1
restart:
set x to the initial point
x = x*known_go
if gcd(x_z, N)  1 print known_go, exit
for all primes and prime powers q below bound B
  x = x * q
  if gcd(x_z, N)  1 then known_go *= q, goto restart

This will reveal the order of the initial point x. But we want the order
of the group (go_p), not that of x (go_p(x)). However we know that that
gp_p(x) | go_p, and p+1-sqrt(p) = go_p = p+1+sqrt(p) . Since go_p(x)
is usually much larger than 2*sqrt(p), the second equation has only one
solution in integer k if you replace go_p by k*go_p(x). Find the correct
k, i.e. by trunc((p+1+sqrt(p)) / go_p(x)), and k*go_p(x) is the group
order you wanted.

I once tried this with the mprime ecm code and actually were able to
verify the known group orders of some factors, but I never really
cleaned up and debugged the code - for example, you cant stop and
restart the go run, and after the run all the internal variables are
probably not restored cleanly enough to continue with regular curves,
etc. If there is interest in this code, I'll try to clean it up enough
to make it more or less suitable for public display - provided George
has no objection to spreading a modified version of his code.

Ciao,
  Alex.
_
Unsubscribe  list info -- http://www.scruz.net/~luke/signup.htm
Mersenne Prime FAQ  -- http://www.tasam.com/~lrwiman/FAQ-mers

Re: Mersenne: ECM Question...

2001-05-17 Thread Steve Phipps 

While we're on the subject, can someone explain how to derive the group
order for factors found using ECM? I've been carrying out ECM on an old PC
for almost a year now, and I'd like to be able to derive, and factorise,
the group orders for the factors that I've found.

I've been making an effort to understand the maths, and I'm getting there
slowly, but I've found nothing yet that explains how to derive the group
orders. If my understanding is correct, you would need to know the
equations used by mprime to derive the co-ordinates of the starting point
for each curve.

Anyway, if someone could explain how to derive the group order, or point
me in the right direction, I'd be very grateful.

Regards,
Steve 

 If the sigma is the same, then a curve with B1=25 will find any
 factor that a curve with B1=5 finds.
 When you run 700 random curves at B1=25, you might theoretically
 miss a factor that someone else finds with B1=5, if he gets a lucky
 sigma so that the group order is very smooth. But in general, using the
 same number of curves, the higher bound should find all the factors that
 the lower bound can find.
 But dont be tempted into running only a few curves at very high bounds.
 The strength of ECM is that you can try curves with different group
 orders until a sufficiently smooth one comes along. So skipping bound
 levels is usually not a good idea unless you have reason to believe the
 the number unter attack has only large factors which call for a higher
 bound.

_
Unsubscribe  list info -- http://www.scruz.net/~luke/signup.htm
Mersenne Prime FAQ  -- http://www.tasam.com/~lrwiman/FAQ-mers

Re: Mersenne: ECM Question...

2001-05-16 Thread Alexander Kruppa 

Eric Hahn wrote:
 
   If a person runs an ECM test using a B1 of 250,000 with 700
 curves (for up to 30 digits), will they also find any factors
 that they would have found if they had used a B1 of 50,000 with
 300 curves (for up to 25 digits) ?!?
 
 Eric

If the sigma is the same, then a curve with B1=25 will find any
factor that a curve with B1=5 finds.
When you run 700 random curves at B1=25, you might theoretically
miss a factor that someone else finds with B1=5, if he gets a lucky
sigma so that the group order is very smooth. But in general, using the
same number of curves, the higher bound should find all the factors that
the lower bound can find.
But dont be tempted into running only a few curves at very high bounds.
The strength of ECM is that you can try curves with different group
orders until a sufficiently smooth one comes along. So skipping bound
levels is usually not a good idea unless you have reason to believe the
the number unter attack has only large factors which call for a higher
bound.

Ciao,
  Alex.
_
Unsubscribe  list info -- http://www.scruz.net/~luke/signup.htm
Mersenne Prime FAQ  -- http://www.tasam.com/~lrwiman/FAQ-mers

Re: Mersenne: ECM question

1999-05-12 Thread Alex Kruppa 

Hi all,

I have a different question concerning P-1 and ECM.
Some time ago I asked which power to put small primes
into when multiplying them into E ( factor = gcd(a^E-1,N) ).

Paul Leyland, I believe, replied that the power for prime p should
be trunc( ln(B1) / ln(p) ) ( log(B1) with base p ),
where B1 is the bound up to which we put primes into E.

But what if there is a stage 2 with a higher bound B2?
Should it be trunc( ln(B2) / ln(p) ) then? Or still the stage 1 bound?
In his Diplomarbeit about ECM
( see ftp://ftp.informatik.tu-darmstadt.de/pub/TI/reports/berger.diplom.ps.gz ),
Franz-Dieter Berger mentiones on page 40f that his experience
shows that it is better to use the stage 2 bound.

Any opinion from the factoring gurus here on the list?

Ciao,
  Alex.


Unsubscribe  list info -- http://www.scruz.net/~luke/signup.htm

RE: Mersenne: ECM question

1999-05-07 Thread Paul Leyland 

 The function being minimized, namely
 
 probability of finding a 50-digit factor on one curve
 -
time per curve
 
 is flat near its minimum.  Implementation and platform differences 
 can obviously affect the denominator (time per curve).
 The stage-2 strategy affects the numerator.  The two optimal B1's
 are close enough to be considered the same.


Umm.   I think you want to maximize the probability.

Minimizing it is easy.


Paul

Unsubscribe  list info -- http://www.scruz.net/~luke/signup.htm

RE: Mersenne: ECM question

1999-05-06 Thread Paul Leyland 

 At Paul Zimmerman's ECM page,
http://www.loria.fr/~zimmerma/records/ecmnet.html
 the optimal B1 value listed for finding 50-digit factors is 
 4300, but 
 George's ECM factoring page uses 4400 for the same 
 purpose. Is one of 
 them wrong, or is there a reason for the difference?

No, neither is "wrong", for at least two reasons.

First, ECM is a probabalistic algorithm.  Each run chooses a random elliptic
curve and has a certain chance to find a factor of a particular size.   When
enough curves have been run, there is particular probability of finding a
factor of that size, assuming that one exists.  If one choose 50% as the
desired probability, the number of curves required will obviously be fewer
than if one chooses 60%, say.  A similar choice can be made for trading off
B1 value against probability, as long as the trade isn't pushed too far.

Another reason is that the B1 value is only one quantity of importance.
Even if the probability mentioned above is fixed, the optimal number of
curves depends on the value of B2.  Different implementations of ECM (or
even different runs of the same implementation) are free to choose different
values of B2 for a given B1.


A non-reason, but still of interest, is that the maximum in the probability
agains B1 curve is really rather flat, and it doesn't matter too much if
parameters are chosen which are not strictly optimum.


Paul

Unsubscribe  list info -- http://www.scruz.net/~luke/signup.htm

Mersenne: ECM question

1999-05-05 Thread Foghorn Leghorn 

At Paul Zimmerman's ECM page,
   http://www.loria.fr/~zimmerma/records/ecmnet.html
the optimal B1 value listed for finding 50-digit factors is 4300, but 
George's ECM factoring page uses 4400 for the same purpose. Is one of 
them wrong, or is there a reason for the difference?


___
Get Free Email and Do More On The Web. Visit http://www.msn.com

Unsubscribe  list info -- http://www.scruz.net/~luke/signup.htm