Documentation

We use the Montgomery form of elliptic curve: b Y² = X³ + a X² + X (mod n). See Eq. (10.3.1.1) at p. 260 of Speeding the Pollard and Elliptic Curve Methods of Factorization by P. L. Montgomery.

Switching to projective space by substitutions Y = y / z, X = x / z, we get b y² z = x³ + a x² z + x z² (mod n). The point on projective elliptic curve is characterized by three coordinates, but it appears that only x- and z-components matter for computations. By the same reason there is no need to store coefficient b.

That said, the chosen curve is represented by a24 = (a + 2) / 4 and modulo n at type level, making points on different curves incompatible.

Extract x-coordinate.

Extract z-coordinate.

Extract modulo of the curve.

Extract (a + 2) / 4, where a is a coefficient in curve's equation.

Point on unknown curve.

newPoint s n creates a point on an elliptic curve modulo n, uniquely determined by seed s. Some choices of s and n produce ill-parametrized curves, which is reflected by return value Nothing.

We choose a curve by Suyama's parametrization. See Eq. (3)-(4) at p. 4 of Implementing the Elliptic Curve Method of Factoring in Reconfigurable Hardware by K. Gaj, S. Kwon et al.

If p0 + p1 = p2, then add p0 p1 p2 equals to p1 + p2. It is also required that z-coordinates of p0, p1 and p2 are coprime with modulo of elliptic curve; and x-coordinate of p0 is non-zero. If preconditions do not hold, return value is undefined.

Remarkably such addition does not require KnownNat a24 constraint.

Computations follow Algorithm 3 at p. 4 of Implementing the Elliptic Curve Method of Factoring in Reconfigurable Hardware by K. Gaj, S. Kwon et al.

Multiply by 2.

Computations follow Algorithm 3 at p. 4 of Implementing the Elliptic Curve Method of Factoring in Reconfigurable Hardware by K. Gaj, S. Kwon et al.

Multiply by given number, using binary algorithm.