Lenstra elliptic curve factorization[6]

Lenstra elliptic curve factorization or the elliptic curve factorization method (ECM) is a fast, sub-exponential running time algorithm for integer factorization which employs elliptic curves. Technically, the ECM is classified as a deterministic algorithm as all "random" steps (such as the choice of curves) used can be de-randomized and done in a deterministic way. (This is not to say that the algorithm can't be implemented in a probabilistic way, if one so chooses, provided one has a true source of randomness.)

For factoring ECM is the third-fastest known factoring method. The second fastest is the multiple polynomial quadratic sieve and the fastest is the general number field sieve; both are probabilistic algorithms.

Practically speaking, ECM is considered a special purpose factoring algorithm as it is most suitable for finding small factors. Currently, it is still the best algorithm for divisors not greatly exceeding 20 to 25 digits (64 to 83 bits or so), as its running time is
dominated by the size of the smallest factor p rather than by the size of the number n to be factored. The largest factor found using ECM so far was discovered on August 24, 2006 by B. Dodson and has 67 digits[7]. Increasing the number of curves tested improves the chances of finding a factor, but they are not linear with the increase in the number of digits.

Derivation

ECM is at its core an improvement of the older p-1 algorithm. The p-1 algorithm finds prime factors p such that p-1 is B-powersmooth for small values of b. For any e, a multiple of p-1, and any a relatively prime to p, by Fermat's little theorem we have a ^e ≡ 1
(mod p). Then gcd(a ^e-1, n) is likely to produce a factor of n. However, the algorithm fails when p-1 has large prime factors, as is the case for numbers containing strong primes, for
example.

ECM gets around this obstacle by considering the group of a random elliptic curve over the finite field Z_p, rather than considering the multiplicative group of Z_p  which always has order p-1.

The order of the group of an elliptic curve over Z_p  varies (randomly) between p + 1 - 2√p and p + 1 + 2√p by Hasse's theorem, and is likely to be smooth for some elliptic curves. Although there is no proof that a smooth group order will be found in the Hasse-interval, by using heuristic probabilistic methods, the Canfield-Erdös-Pomerance theorem with suitably optimized parameter choices, and the L-notation, we can expect to try L[√2 / 2, √2] curves before getting a smooth group order. This heuristic estimate is very reliable in practice.