|
The following example is from {{harvtxt|Trappe|Washington|2006}}, with some details added.
We want to factor {{math|1=''n'' = 455839.}} Let's choose the elliptic curve {{math|1=''y''<sup>2</sup> = ''x''<sup>3</sup> + 5''x'' – 5,}} with the point {{math|1=''P'' = (1, 1)}} on it, and let's try to compute {{math|1=(10!)''P''.}}
The slope of the tangent line at some point ''A''=(''x'', ''y'') is {{math|1=''s'' = (3''x''<sup>2</sup> + 5)/(2''y'') (mod n)}}. Using ''s'' we can compute 2''A''. If the value of ''s'' is of the form ''a/b'' where ''b'' > 1 and gcd(''a'',''b'') = 1, we have to find the [[modular inverse]] of ''b''. If it does not exist, gcd(''n'',''b'') is a non-trivial factor of ''n''.
First we compute 2''P''. We have {{math|1=''s''(''P'') = ''s''(1,1) = 4,}} so the coordinates of {{math|1=2''P'' = (''x′'', ''y′'')}} are {{nowrapmath|1=''x′'' = ''s''<sup>2</sup> – 2''x'' = 14}} and {{nowrapmath|1=''y′'' = ''s''(''x'' – ''x′'') – ''y''}} {{math|1== 4(1 – 14) – 1 = –53,}} all numbers {{math|1=understood (mod ''n'').}} Just to check that this 2''P'' is indeed on the curve: {{mathnowrap|1=(–53)<sup>2</sup> = 2809 = 14<sup>3</sup> + 5·14 – 5.}}
Then we compute 3(2''P''). We have {{math|1=''s''(2''P'') = ''s''(14,-53) = –593/106 (mod ''n'').}} Using the [[Euclidean algorithm]]: {{mathnowrap|1=455839 = 4300·106 + 39,}} then {{mathnowrap |1=106 = 2·39 + 28,}} then {{mathnowrap|1=39 = 28 + 11,}} then {{mathnowrap |1=28 = 2·11 + 6,}} then {{mathnowrap|1=11 = 6 + 5,}} then {{mathnowrap |1=6 = 5 + 1.}} Hence {{mathnowrap|1=gcd(455839, 106) = 1,}} and working backwards (a version of the [[extended Euclidean algorithm]]): {{mathnowrap |1=1 = 6 – 5 = 2·6 – 11 = 2·28 – 5·11}} {{mathnowrap |1== 7·28 – 5·39 = 7·106 – 19·39 = 81707·106 – 19·455839.}} Hence {{mathnowrap |1=106<sup>−1</sup> = 81707 (mod 455839),}} and {{mathnowrap |1=–593/106 = –133317 (mod 455839).}} Given this ''s'', we can compute the coordinates of 2(2''P''), just as we did above: {{math|1=4''P'' = (259851, 116255).}} Just to check that this is indeed a point on the curve: {{math|1=''y''<sup>2</sup> = 54514 = ''x''<sup>3</sup> + 5''x'' – 5 (mod 455839).}} After this, we can compute <math>3(2P) = 4P \boxplus 2P</math>.
We can similarly compute 4!''P'', and so on, but 8!''P'' requires inverting {{mathnowrap|1=599 (mod 455839).}} The Euclidean algorithm gives that 455839 is divisible by 599, and we have found a {{mathnowrap|1=factorization 455839 = 599·761.}}
The reason that this worked is that the curve {{mathnowrap|1=(mod 599)}} has {{mathnowrap|1=640 = 2<sup>7</sup>·5}} points, while {{mathnowrap|1=(mod 761)}} it has {{mathnowrap|1=777 = 3·7·37}} points. Moreover, 640 and 777 are the smallest positive integers ''k'' such that {{math|1=''kP'' = ∞}} on the curve {{mathnowrap|1=(mod 599)}} and {{math|1=(mod 761),}} respectively. Since {{mathnowrap|8!}} is a multiple of 640 but not a multiple of 777, we have {{math|1=8!''P'' = ∞}} on the curve {{mathnowrap|1=(mod 599),}} but not on the curve {{mathnowrap|1=(mod 761),}} hence the repeated addition broke down here, yielding the factorization.
==The algorithm with projective coordinates==
|
