FACTORING INTEGERS USING ELLIPTIC CURVES OVER Q XIUMEILI,JINXIANGZENG Abstract. FortheintegerD=pqoftheproductoftwodistinctoddprimes,weconstructanellipticcurve E2rD :y2 =x3−2rDxoverQ,wherer isaparameter dependent ontheclasses ofpandq modulo8,and show, under the parity conjecture, that the elliptic curve has rank one and vp(x([k]Q)) 6= vq(x([k]Q)) for 2 odd k and a generator Q of the free part of E2rD(Q). Thus we can recover p and q from the data D and 1 x([k]Q)). Furthermore,undertheGeneralizedRiemannhypothesis,weprovethatonecantaker<clog4D 0 suchthattheellipticcurveE2rD hastheseproperties,wherecisanabsoluteconstant. 2 l u J 7 1 1. Introduction and Main Results ] It is a basic problem in coding theory to search for methods to factor the integers of the form T D = pq, where p = q are odd primes, as fast as possible. Recently Burhanuddin and Huang [5] N 6 introduce a new method to factor the integer D = pq with p q 3 mod 16, by computing a h. rationalpointoftheellipticcurveED : y2 = x3 Dx. Theyprov≡etha≡t,undertheparityconjecture, − t the elliptic curve has rank one and the x-coordinate x(Q) of a generator Q of the free part of the a m rational points E (Q) has unequal valuations at p and q, and thus one can recover p and q from D the data D and x(Q). Furthermore, they conjecture that factoring D is polynomial time equivalent [ to calculating the generator Q. 2 Following the idea, in this paper, we factor the general D of the form D = pq with odd primes v 4 p = q, by computing a rational point of some elliptic curve attached to D and some parameters, 6 7 for which we need to construct an elliptic curve over Q which has rank one and the valuations at 2 p and q of the x-coordinate of the generator of the free part of the rational points of the elliptic 0 . curve are not equal. For the symmetry of p and q, we always assume the least residue of p modulo 7 8 is less than or equal to that of q modulo 8. If D 1 and p 1 mod 8, the construction of the 0 6≡ 6≡ 2 elliptic curve is easily. If D 1 but p 1 mod 8 (resp. D 1 but p 1 mod 8) , we need ≡ 6≡ 6≡ ≡ 1 to introduce a parameter of prime l in some class of integers modulo 8 which satisfies (D) = 1 : l − v (resp. (D) = (p)= 1) to construct the elliptic curve. If D p 1 mod 8, the most complicated i l l − ≡ ≡ X case, we need to introduce two parameters of primes l1 and l2 in some different classes of integers r modulo 8 which satisfy (D) = (D) = 1 and (l1)(l2) = 1 to construct the elliptic curve. So in a l1 l2 − p p − the case p 1 mod 8, we could factor D probably with probability of success at least 1. The ≡ 2 detailed construction of the elliptic curves and the main results of the paper are as follows. For simplicity, we always denote E the elliptic curve y2 = x3 mx for the integer m, and m¯ m the class of m in (Z/8Z)∗ for odd m. We define a = a =¯5 and a−= ¯3. ¯3 ¯7 ¯5 Theorem 1.1. Let D = pq, where p and q are distinct odd primes and p 1 mod 8. We consider 6≡ the elliptic curve E if D 1 mod 8 and the elliptic curve E if D 1 mod 8, where l is a 2D 2lD 6≡ ≡ prime in the class a satisfying (D) = 1. Then, under the parity conjecture, these elliptic curves q¯ l − have rank one and the valuations at p and q of x-coordinate x([k]Q) are not equal for any odd k, where Q is a generator of the free part of the rational points E (Q) or E (Q). Thus we can 2D 2lD recover primes p and q from the data D and x([k]Q). 2010 Mathematics Subject Classification. Primary11Y05, 11Y11,11Y40: Secondary11G05, 14G50. Keywords and phrases. integerfactoring,ellipticcurve,Selmergroup. 1 2 XIUMEILI,JINXIANGZENG Notice that in the case D 1 but p 1 mod 8, we must have p q mod 8. For even k we may ≡ 6≡ ≡ not get v (x([k]Q)) = v (x([k]Q)). The construction of the elliptic curve in the case p 1 mod 8 p q 6 ≡ is more complicated. Theorem 1.2. Let D = pq, where p and q are distinct odd primes and p 1 mod 8. If D 1 mod 8, we consider the elliptic curve E , where l is a prime in a and sat≡isfies (D) = (p) =6≡1. 2lD q¯ l l − If D 1 mod 8, we consider the elliptic curve E , where l and l are primes in ¯3 and ¯7 ≡ 2l1l2D 1 2 respectively, and satisfy (D)= (D) = 1 and (l1)(l2) = 1. Then, under the parity conjecture, we l1 l2 − p p − have the same result for these elliptic curves as that in Theorem 1.1 above. It is well known that the least quadratic non-residue of a prime p is O(log2p), under the Gener- alized Riemann Hypothesis (GRH). Using the result in [11], we further show that the parameters l and l l in the theorems above can be taken small, relative to D. Namely we have 1 2 Corollary 1.3. Given D, a product of two distinct odd primes. Assume the parity conjecture and GRH. There exists an odd integer r such that (1) r clog4D, where c is an absolute constant; ≤ (2) the elliptic curve E has rank one; 2rD (3) Let Q be a generator of E (Q)/E (Q) , then ord (x([k]Q)) = ord (x([k]Q)) for any 2rD 2rD tors p q 6 odd integer k. To show the elliptic curves in theorems 1.1 and 1.2 have rank one under the parity conjecture and to calculate the valuations of x(Q) at p and q, we need first compute the Selmer groups of these elliptic curves, for which we use the homogeneous spaces of the corresponding elliptic curves. The paper is organized as follows. In section two we compute the Selmer groups of these elliptic curves, which is a little bit tedious due to the extra parameter r. In section three we calculate the ranks of these elliptic curves under the parity conjecture. In the last section we compute the valuations of thex-coordinate of thegenerator of thefreepartof therational points of theseelliptic curves, and prove the three results above. 2. Computation of the Selmer groups In this section we determine the Selmer groups of the elliptic curves appeared in our theorems in the introduction, for which we first show two lemmas that give a sufficient and necessary condition when an element is in the Selmer group for a family of elliptic curves which are more general than those appeared in our theorems. 2.1. Two lemmas. As in the introduction, D = pq is a product of two distinct odd primes. Let r be a positive integer such that 2rD is squarefree. Then the elliptic curve E over Q has 2rD an isogenous curve E′ : y2 = x3 + 8rDx, and the two isogenies are φ : E E′ and 2rD 2Dr −→ 2Dr φ: E′ E defined by 2Dr −→ 2Dr b y2 y(2rD+x2) y2 y(8rD x2) φ((x,y)) = ,− and φ((x,y)) = , − (cid:18)x2 x2 (cid:19) (cid:18)4x2 8x2 (cid:19) b respectively, see the example 4.5 in [7] Chap. III. Let S = 2 S with S = primes dividing Dr , and Q(S,2) the subgroup of Q∗/Q∗2 0 0 {∞} { } { } generated by thSe elemSents in 1 2 S0. For d Q(S,2), the corresponding homogeneous {− } { } ∈ spaces are defined to be the curves S S C : dw2 = d2+8Drz4 and C′ : dw2 = d2 2Drz4. d d − By [7] Chap. X, Prop. 4.9, the Selmer groups have the following identifications: S(φ)(E /Q)= d Q(S,2) : C (Q ) = for all v S , 2Dr ∼ d v { ∈ 6 ∅ ∈ } FACTORING INTEGERS USING ELLIPTIC CURVES OVER Q 3 S(φb)(E′ /Q)= d Q(S,2) : C′(Q ) = for all v S , 2Dr ∼ { ∈ d v 6 ∅ ∈ } b and forthermore 2Dr S(φ)(E /Q) and 2Dr S(φ)(E′ /Q). ∈ 2Dr − ∈ 2Dr Lemma 2.1. About the elements of the φ-Selmer group S(φ)(E /Q) Q(S,2), we have 2Dr ⊆ (1) Let d Q(S,2). If d< 0, then d / S(φ)(E /Q). 2Dr ∈ ∈ Dr 1 mod 8 (2) 2∈ S(φ)(E2Dr/Q) ⇐⇒ (cid:26) (2t)≡= 1,t ∈ S0 (3) For 2k Q(S,2) with k S , 0 ∈ ∈ (k)= 1,t S k t ∈ 0\{ } k S(φ)(E2Dr/Q)  (2Dr/k) = 1 ∈ ⇐⇒  k k 1 mod 8 ≡  (2k) = 1,t S k t ∈ 0\{ } 2k S(φ)(E2Dr/Q)  (Dr/k)= 1 ∈ ⇐⇒  k Dr/k 1 mod 8 ≡ (4) For distinct k ,k S ,  1 2 0 ∈ 2Dr (k1k2) = 1,t = k ,k k1k2 S(φ)(E2Dr/Q)  (k1tk2)= 1,t S1 2k ,k ∈ ⇐⇒ t ∈ 0\{ 1 2} k k 1 mod 8 1 2 ≡   Proof. (1) It is clearly C (R) = if d < 0 and C (R)= if d > 0. d d ∅ 6 ∅ (2) For d = 2, the curve C is W2 = 2+4DrZ4. Write f (Z,W) = W2 4DrZ4 2. 2 2 − − = As 2 S(φ)(E /Q), we see C (Q ) = (t 2 S ). For t = 2, take (z,w) C (Q ). 2Dr 2 t 0 2 2 ⇒ ∈ 6 ∅ ∈ { } ∈ Then v2(z) < 0 and v2(w) = 1+2v2(z). Put z = 2−iz0,w =S21−2iw0, where i > 0, and z0,w0 ∈ Z∗2 satisfy w2 = 24i−1+Drz4, and thus Dr 1 mod 8. 0 0 ≡ For t S , take (z,w) C (Q ). Then v (z) 0,v (w) = 0 and w2 = 2+4Drz4, so we have 0 2 t t t ∈ ∈ ≥ (2)= 1. t = Obviously C (R) = . For t = 2, put f (Z,W;i) = W2 DrZ4 24i−1, where i 1, then 2 2 ⇐ 6 ′ ∅ − − ≥ v (f (1,1;i)) 3 > 2v (f (1,1;i)) = 2, by Hensel Lemma [7] Exercise 10.12, f (Z,W;i) = 0 has 2 2 ≥ 2 2,w 2 a solution, say (z ,w ), in Z2. Note that (2−iz ,21−2iw ) C (Q ). 0 0 2 0 0 ∈ 2 2 For t S , as (2) = 1, there exists a Z such that a2 2 mod t, and so v (f (0,a)) 1 > ′ ∈ 0 t ∈ ≡ t 2 ≥ 2v (f (0,a)) = 0. By Hensel Lemma, we have C (Q )= . t 2,w 2 t 6 ∅ (3) For k S , we have 2k Q(S,2). We only show the second. The proof of the first is similar. 0 ∈ ∈ Let d= 2k. Write f (Z,W) = W2 4DrZ4/k 2k. 2k − − = Since 2k S(φ)(E /Q), we see C (Q ) = (t 2 S ). For t = 2, take (z,w) 2Dr 2k t 0 ⇒ ∈ 6 ∅ ∈ { } ∈ C2k(Q2). Then v2(z) < 0,v2(w) < 0, and v2(w) = 1+2v2(z). PuSt z = 2−iz0,w = 21−2iw0, where i > 0, and z ,w Z∗ satisfy w2 = 24i−1k+Drz4/k, so we get Dr/k 1 mod 8. 0 0 ∈ 2 0 0 ≡ For t = k, take (z,w) C (Q ). Then v (z) 0,v (w) 0 and v (w) = 2v (z). Put z = 2k k k k k k ∈ ≤ ≤ k−iz ,w = k−2iw , where i > 0, and z ,w Z∗ satisfy w2 = 2k4i+1 + 4Dr/kz4. So we have 0 0 0 0 ∈ k 0 0 Dr/k ( )= 1. k For t S k , take (z,w) C (Q ). Then v (z) 0,v (w) = 0 and w2 = 2k+4Drz4/k, we 0 2k t t t ∈ \{ } ∈ ≥ see (2k) = 1. t = Obviously C (R) = . For t = 2, put f (Z,W;i) = W2 4DrZ4/k 24i−1k, where 2k 2k,2 ⇐ 6 ∅ ′ − − i Z , then v (f (1,1;i)) 3 > 2v (f (1,1;i)) = 2, by Hensel Lemma, f (Z,W;i) = 0 ∈ ≥1 2 2k,2 ≥ 2 2k,2,w 2k,2 has a solution (z ,w ) in Z2. Note that (2−iz ,21−2iw ) is a solution of f (Z,W) = 0, and so 0 0 2 0 0 2k C (Q ) = . 2k 2 6 ∅ 4 XIUMEILI,JINXIANGZENG For t = k, put f (Z,W;i) = W2 4DrZ4/k 2k4i+1, where i 0, since (Dr/k) = 1, there exists a Z such th2ka,tka2 4Dr/k mo−d k, and so−v (f (1,a;i)) ≥1 > 2v (f′ k (1,a;i)) = 0. ∈ ≡ k 2k,k ≥ k 2k,k,w By Hensel Lemma, f (Z,W;i) = 0 has a solution (z ,w ) Q2. Note that (k−iz ,k−2iw ) is a 2k,k 0 0 ∈ k 0 0 solution of f (Z,W) = 0, and thus C (Q )= . 2k 2k k 6 ∅ For t S k , there exists b Z such that b2 2k mod t, and thus v (f (0,b)) 1 > 0 t 2k ′ ∈ \ { } ∈ ≡ ≥ 2v (f (0,b)) = 0. By Hensel Lemma, we have C (Q )= . t 2k,w 2k t 6 ∅ (4) Consider d= k k with k ,k S . Write f (Z,W) = W2 8DrZ4 k k . 1 2 1 2 ∈ 0 k1k2 − k1k2 − 1 2 = Since k k S(φ)(E /Q), we have C (Q ) = (t 2 S ). For t = 2, we take ⇒ 1 2 ∈ 2Dr k1k2 t 6 ∅ ∈ { } 0 (z,w) ∈ Ck1k2(Q2). Then v2(z) ≥ 0,v2(w) = 0 satisfy w2 = k1k2 +Sk81Dkr2z4, and thus k1k2 ≡ 1 mod 8. For t = k , take (z,w) C (Q ). Then v (z) 0,v (w) 0 and v (w) = 2v (z). Put z = 1 ∈ k1k2 k1 k1 ≤ k1 ≤ k1 k1 k−iz ,w = k−2iw , where i = v (z) > 0,v (z ) = v (w ) = 0, we have w2 = k4i+1k + 8Drz4, 1 0 1 0 − k1 k1 0 k1 0 0 1 2 k1k2 0 2Dr and thus (k1k2) = 1. The case t = k is similar. k1 2 For t S k ,k , take (z,w) C (Q ). Then v (z) 0,v (w) = 0 and satisfy w2 = ∈ 0 \ { 1 2} ∈ k1k2 t t ≥ t k k + 8Drz4, which implies (k1k2) = 1. 1 2 k1k2 t = Obviously C (R) = . For t = 2, since k k 1 mod 8, we see v (f (0,1)) 3 > ⇐ ′ k1k2 6 ∅ 1 2 ≡ 2 k1k2 ≥ 2v (f (0,1)) = 0, and by Hensel Lemma, C (Q ) = . 2 k1k2,w k1k2 2 6 ∅ 2Dr Fort = k (i = 1,2),setf (Z,W;i) = W2 8DrZ4 k4i+1k withi 0.As(k1k2)= 1,there 1 k1k2,k1 −k1k2 − 1 2 ≥ k1 existsa Zsuchthata2 8Dr mod k ,andsov (f (1,a;i)) 1 > 2v (f′ (1,a;i)) = ∈ ≡ k1k2 1 k1 k1k2,k1 ≥ k1 k1k2,k1,w 0. By Hensel Lemma, f (Z,W;i) = 0 has a solution (z ,w ) Q2 . Note that (k−iz ,k−2iw ) k1k2,k1 0 0 ∈ k1 1 0 1 0 is a solution of f (Z,W) = 0, that is C (Q ) = . The case t = k is similar. k1k2 k1k2 k1 6 ∅ 2 For t S k ,k , as (k1k2) = 1, there exists b Z such that b2 k k mod t, and thus v (f (0∈,b))0 \ {11> 22v}(f′ t(0,b)) = 0. By Hensel L∈emma, we see C ≡(Q1)2= . (cid:3) t k1k2 ≥ t k1k2,w k1k2 t 6 ∅ Lemma 2.2. About the elements of the φ-Selmer group S(φb)(E′ /Q) Q(S,2), we have 2Dr ⊆ (1) 1 S(φb)(E′ /Q) Dr ≡ 1b mod 4 − ∈ 2Dr ⇐⇒(cid:26) t 1 mod 4,t S0 ≡ ∈ (2) For 2 Q(S,2) ∈ 2 S(φb)(E′ /Q) Dr ≡ ±1 mod 8 ∈ 2Dr ⇐⇒ (cid:26) (2t) = 1,t ∈ S0 2 S(φb)(E′ /Q) Dr ≡ 1,3 mod 8 − ∈ 2Dr ⇐⇒ (cid:26) (−t2) =1,t ∈ S0 (3) For 2ǫk Q(S,2) with k S and ǫ = 1, 0 ∈ ∈ ± (ǫk)= 1,t S k εk S(φb)(E′ /Q)  (−t2ǫDr/k) =∈10\{ } ∈ 2Dr ⇐⇒  k k 2Dr/k ǫ mod 8 or k ǫ mod 8 − ≡ ≡  (2ǫk) = 1,t S k 2ǫk S(φb)(E′ /Q)  (−tǫDr/k)=∈1 0\{ } ∈ 2Dr ⇐⇒  k 2k Dr/k ǫ mod 8 or Dr/k ǫ mod 8 − ≡ − ≡ (4) For ǫk k Q(S,2) with k =k S and ǫ = 1, 1 2 1 2 0 ∈ 6 ∈ ± −2ǫDr ( k1k2 ) = 1,t = k ,k ǫk1k2 ∈S(φb)(E2′Dr/Q) ⇐⇒  (ǫk1ttk2) = 1,t ∈ S01\{k21,k2} k k 2Dr ǫ mod 8 or k k ǫ mod 8 1 2− k1k2 ≡ 1 2 ≡   FACTORING INTEGERS USING ELLIPTIC CURVES OVER Q 5 Proof. (1) For d = 1, write f (Z,W) = W2+2DrZ4 1. −1 = Since 1 −S(φb)(E′ /Q), we have−C′ (Q ) = (−t 2 S ). For t = 2, take (z,w) ′ ⇒ − ∈ 2Dr −1 t 6 ∅ ∈ { } 0 ∈ C (Q ). Then v (z) = 0,v (w) = 0, and 1 1 2Dr mod 8, thSat is Dr 1 mod 4. −F1or t2 S , take2 (z,w) C2 ′ (Q ). Then−v (≡z) −0,v (w) = 0, and thus (−1≡) = 1. ∈ 0 ′ ∈ −1 t t ≥ t t = Obviously C (R) = . For t = 2, since Dr 1 mod 4, we have v (f (1,1)) ⇐3 > 2v (f′ (1,−1)1) = 62.∅By Hensel Lemma, we≡see C′ (Q ) = . Fo2r t−1S , since (−1) = 1, ≥ 2 −1,w −1 2 6 ∅ ∈ 0 t there exists a Z such that a2 1 mod t, and so v (f (0,a)) 1 > 2v (f′ (0,a)) = 0. By ∈ ≡ − t −1 ≥ t −1,w ′ Hensel Lemma, we get C (Q ) = . −1 p 6 ∅ (2) We only show the case d =2. The case d= 2 is similar. Write f (Z,W) = W2+DrZ4 2. 2 = Since 2 S(φb)(E′ /Q), we see C′(Q )= −(t 2 S ). For t = 2, take (z,w) C′(Q−). ⇒ ∈ 2Dr 2 t 6 ∅ ∈ { } 0 ∈ 2 2 Then v2(z) 0,v2(w) 0 and w2 = 2 Drz4. If v2(z) = 0,Sthen Dr 1 mod 8; if v2(z) <0, then ≤ ≤ − ≡ v (w) = 2v (z). Put z = 2−iz ,w = 2−2iw , where i > 0,z ,w Z∗ and w2 = 24i+1 Drz4, and 2 2 0 0 0 0 ∈ 2 0 − 0 so Dr 1 mod 8. For ≡t −S , take (z,w) C′(Q ). Then v (z) 0,v (w) = 0 and satisfy w2 = 2 Dz4. Thus ∈ 0 ∈ 2 t t ≥ t − (2)= 1. t ′ ′ = Obviously C (R) = . For t = 2, if Dr 1 mod 8, then v (f (1,1)) 3> 2v (f (1,1)) = ⇐ 2 6 ∅ ≡ 2 2 ≥ 2 2,w 2. ByHenselLemma,weseeC′(Q )= ;ifDr 1 mod 8,putf (Z,W;i) = W2+DrZ4 24i+1, 2 2 6 ∅ ′ ≡ − 2 ′ − where i 1, then v (f (1,1;i)) 3 > 2v (f (1,1;i)) = 2. By Hensel Lemma, C (Q ) = . For ≥ 2 2 ≥ 2 2,w 2 2 6 ∅ t S , since (2) = 1, there exists a Z such that a2 2 mod t, and so v (f (0,a)) 1 > ∈ ′0 t ∈ ′ ≡ t 2 ≥ 2v (f (0,a)) = 0. By Hensel Lemma, we have C (Q )= . t 2,w 2 t 6 ∅ (3) We only consider d = 2ǫk. Write f (Z,W) = ǫW2+Dr/kZ4 2k. 2ǫk = Since 2ǫk S(φb)(E′ /Q), we have C′ (Q ) = (t 2 S−). For t = 2, take (z,w) C′ ⇒(Q ). Then v∈(z) 02,Dvr(w) 0 and ǫw22ǫk= t2k6 ∅Drz4∈. {If}vS(z)0= 0, then 2k Dr/k ∈ǫ 2ǫk 2 2 ≤ 2 ≤ − k 2 − ≡ mod 8, and if v (z) < 0, then Dr/k ǫ mod 8. 2 −′ ≡ For t = k, take (z,w) C (Q ). Then v (z) 0,v (w) 0 and v (w) = 2v (z). Put ∈ 2ǫk k k ≤ k ≤ k k z = k−iz ,w = k−2iw , where i > 0, and z ,w Z∗ satisfy ǫw2 = 2k4i+1 Drz4/k. Thus 0 0 0 0 ∈ k 0 − 0 −ǫDr/k ( ) = 1. k For t S k , take (z,w) C′ (Q ). Then v (z) 0,v (w) = 0 and ǫw2 = 2k Dr/kz4. So ∈ 0\{ } ∈ 2ǫk t t ≥ t − (2ǫk)= 1. t ′ = Obviously C (R) = . For t = 2, if 2k Dr/k ǫ mod 8, then v (f (1,1)) 3 > 2v⇐(f′ (1,1)) = 22;ǫkif D6r/∅k ǫ mod 8, put f− (Z,W≡;i) = ǫW2 +Dr/k2Z42ǫk24i+1k,≥where 2 2ǫk,w − ≡ 2ǫk,2 − ′ i 1, then v (f (1,1;i)) 3 > 2v (f (1,1;i)) = 2. In any case, by Hensel Lemma, ≥ 2 2ǫk,2 ≥ 2 2ǫk,2,w ′ C (Q ) = . 2ǫk 2 6 ∅ For t = k, put f (Z,W;i) = ǫW2+Dr/kZ4 2k4i+1, where i 0, since (−ǫDr/k) = 1, there exists a Z such t2hǫak,tka2 ǫDr/k mod k, and s−o v (f (1,a;i))≥ 1 > 2v (f′k (1,a;i)) = ∈ ≡ − k 2ǫk,k ≥ k 2ǫk,k,w 0, by Hensel Lemma, f (Z,W;i) = 0 has a solution (z ,w ) Q2. Note that (k−iz ,k−2iw ) ′ 2ǫk,k 0 0 ∈ k 0 0 ∈ C (Q ). 2ǫk k For t S k , since (2ǫk) = 1, there exists b Z such that b2 2ǫk mod t, and so ∈ 0 \ { } ′ t ∈ ′ ≡ v (f (0,b)) 1 > 2v (f (0,b)) = 0. By Hensel Lemma, we have C (Q )= . t 2ǫk ≥ t 2ǫk,w 2ǫk t 6 ∅ (4) For ǫk k Q(S,2) with k ,k S distinct and ǫ = 1. Write f (Z,W) = ǫW2 + 1 2 ∈ 1 2 ∈ 0 ± ǫk1k2 2DrZ4 k k . k1k2 − 1 2 = Since ǫk k S(φb)(E′ /Q), then C′ (Q ) = (t 2 S ). For t = 2, take (z,w) ⇒ 1 2 ∈ 2Dr ǫk1k2 t 6 ∅ ∈ { } 0 ∈ C′ (Q ). Then v (z) 0,v (w) = 0 and ǫw2 = k k 2Drz4, ifSv (z) = 0, then k k 2Dr ǫ ǫk1k2 2 2 ≥ 2 1 2− k1k2 2 1 2− k1k2 ≡ mod 8; if v (z) > 0, then k k ǫ mod 8. 2 1 2 ≡ 6 XIUMEILI,JINXIANGZENG ′ Fort = k ,take(z,w) C (Q ). Thenv (z) 0,v (w) 0andv (w) = 2v (z).Putz = 1 ∈ ǫk1k2 k1 k1 ≤ k1 ≤ k1 k1 k−iz ,w = k−2iw , where i = v (z) 0,v (z ) = v (w ) = 0, we have ǫw2 = k4i+1k + 8Drz4, 1 0 1 0 − k1 ≥ k1 0 k1 0 0 1 2 k1k2 0 2ǫDr and so (k1k2 ) =1. The case t = k is similar. k1 2 Fort S k ,k ,take(z,w) C′ (Q ). Thenv (z) 0,v (w) = 0andǫw2 = k k +8Drz4, ∈ 0\{ 1 2} ∈ ǫk1k2 t t ≥ t 1 2 k1k2 which implies (ǫk1k2) = 1. t ′ = Obviously C (R) = . For t = 2, if k k ǫ mod 8, we have v (f (0,1)) 3 > ⇐ ǫk1k2 6 ∅ 1 2 ≡ 2 ǫk1k2 ≥ 2v (f′ (0,1)) = 0; if k k 2Dr ǫ mod 8, then v (f (1,1)) 3 > 2v (f′ (1,1)) = 0. 2 ǫk1k2,w 1 2−k1k2 ≡ 2 ǫk1k2 ≥ 2 ǫk1k2,w By Hensel Lemma, C (Q ) = in any case. ǫk1k2 2 6 ∅ 2ǫDr For t = k , put f (Z,W;i) = ǫW2 8DrZ4 k4i+1k , where i 0. Since (k1k2 ) = 1, there 1 ǫk1k2 − k1k2 − 1 2 ≥ k1 existsa Zsuchthata2 8ǫDr mod k ,andsov (f (1,a;i)) 1 > 2v (f′ (1,a;i)) = 0. ∈ ≡ k1k2 1 k1 ǫk1k2 ≥ k1 ǫk1k2,w By Hensel Lemma, f (Z,W;i) = 0 has a solution (z ,w ) Z2 . Note that (k−iz ,k−2iw ) ǫk1k2 0 0 ∈ k1 1 0 1 0 ∈ ′ C (Q ). The case t = k is similar. ǫk1k2 k1 2 For t S k ,k , Since (ǫk1k2) = 1, there exists b Z such that b2 ǫk k mod t, and thus v (f ∈(0,b0)\) { 11 >2}2v (f′ (t0,b)) = 0. By Hensel L∈emma, we see C≡′ (1Q2)= . (cid:3) t ǫk1k2 ≥ t ǫk1k2,w ǫk1k2 t 6 ∅ 2.2. The Selmer groups. We now determine the Selmer groups of the elliptic curves appeared in our theorems in the introduction, by the lemmas above. We first recall the notations. For odd integer m we always write m¯ for the class of m in Z/8Z, and define a = a = ¯5 and a = ¯3. When ¯3 ¯7 ¯5 p 1 and D 1 mod 8, we consider theelliptic curve E . When p 1 butD 1 mod 8 taking 2D 6≡ 6≡ 6≡ ≡ a prime l in a satisfying (D) = 1, or when p 1 but D 1 mod 8, taking a prime l in a q¯ l − ≡ 6≡ q¯ satisfying (D) = (p) = 1, we consider the elliptic curve E . When p D 1 mod 8, taking l l − 2lD ≡ ≡ a prime l in ¯3 and a prime l in ¯7 satisfying (D) = (D) = 1 and (l1)(l2) = 1, we consider the 1 2 l1 l2 − p p − elliptic curve E . We can state our result now. 2l1l2D Proposition 2.3. Let D = pq be the product of two distinct odd primes p,q. Then for r = 1,l, and l l , where l,l ,l are defined as above, we always have 1 2 1 2 S(φ)(E /Q) = Z/2Z and S(φb)(E′ /Q) = (Z/2Z)2. 2rD ∼ 2rD ∼ Proof. By the two lemmas above, we can determine the elements in Selmer groups of E easily, 2rD where r = 1,l,l l . We only consider r = l l as an example. 1 2 1 2 Inthiscase,S = 2 p,q,l ,l andQ(S,2) =< 1,2,p,q,l ,l >,wherep q 1,l 1 2 1 2 1 {∞}∪{ }∪{ } − ≡ ≡ ≡ 3,l 7 mod 8 and they satisfy (D) = (D) = 1 and (l1)(l2) = 1. Without loss of generality, 2 ≡ l1 l2 − p p − we can assume (l1) = 1,(l2) = 1 and (l1) = 1. By Lemma 2.1, one can check all the elements in p p − l2 Q(S,2), exceptfor1and2pql l ,arenotinS(φ)(E /Q). SoS(φ)(E /Q) = 1,2pql l = Z/2Z. For S(φb)(E′ /Q), by Lem1m2a 2.2, one can chec2krD 2rD { 1 2} ∼ 2rD S(φb)(E′ /Q)= {1,−pl2,2ql1,−2Dr}, if (pq)= 1 2rD (cid:26) {1,−2pl1,ql2,−2Dr}, if (pq)= −1. Thus we have S(φb)(E′ /Q) = (Z/2Z)2. (cid:3) 2rD ∼ 3. Computation of the conjectural rank Let E be an elliptic curve over Q with conductor N . By the Modularity Theorem [1], the L- E function attached to E is theMellin transform of a normalized Hecke eigenform for Γ (N) and thus 0 admits an analytic continuation to entire function satisfying the functional equation Λ (2 s)= W(E)Λ (s), where Λ (s)= fs/2(2π)−sΓ(s)L (s), E − E E E E FACTORING INTEGERS USING ELLIPTIC CURVES OVER Q 7 and W(E) = 1 is called the global root number. ± Letran andr betheanalytic rank andarithmetic rankof E, whereran is theorderof vanishing E E E of L (s) at s = 1 and r is the abelian group rank of E(Q). Up to r , there is a famous conjecture: E E E Conjecture 3.1. ( Parity Conjecture ) ( 1)rE = W(E). − ByConjecture3.1,togettheparityoftherankofellipticcurveE,weneedtocalculatetheglobal root number W(E). In fact, W(E) = W (E), where W (E) is the local root number. For − v|fE v v the local root number W (E), there areQrichly good conclusions such as [6]. However, due to the v special choice of our elliptic curve, the global root number equals to 1 by the following lemma, − Lemma 3.2. Let E : y2 = x3 2Nx be an elliptic curve over Q with 2N square-free, then 2N − W(E ) = 1. 2N − Proof. By [10], for any integer d such that d 0 mod 4, the global root number of the elliptic 6≡ curve E : y2 =x3 dx, has the following formula, d − 1 W(E ) = sgn( d) ǫ(d) − d − · · (cid:18) p (cid:19) p2|Y|d,p≥3 where 1 if d 1, 3, 11, 13(mod 16) ǫ(d) = − ≡ (cid:26) 1 if d 2, 5, 6, 7, 9, 10, 14, 15( mod 16), ≡ which tell us W(E )= 1. (cid:3) 2N − In the following, we denote dim the Z/2Z-dimension of a Z/2Z-vector space. 2 Corollary 3.3. Let E be the elliptic curve in Prop. 2.3. Assume that Parity conjecture holds, 2Dr we have ′ r = 1 and TS((E /Q)[φ]) = 0. E2Dr 2Dr Proof. Since E (Q)[2] = O,(0,0) = Z/2Z, and φ(E (Q)b[2]) = O , by the exact sequences 2Dr { } ∼ 2Dr { } [7] P.298, 314, 301 ′ 0 E2Dr(Q) S(φ)(E /Q) TS(E /Q)[φ] 0 −→ φ(E2Dr(Q)) −→ 2Dr −→ 2Dr −→ 0 E2Dr(Q) S(φb)(E′ /Q) TS(E′ /Q)[φ] 0 −→ φb(E′ (Q)) −→ 2Dr −→ 2Dr −→ ′2Dr b ′ 0 E2Dr(Q)[φ] E2Dr(Q) E2Dr(Q) E2bDr(Q) 0 −→ φ(E2Dr(Q)[2]) −→ φ(E2Dr(Q) −→ 2E2Dr(Q) −→ φb(E2′Dr(Q)) −→ we get the following equality ′ r +dim (TS(E /Q)[φ])+dim (TS(E /Q)[φ]) E2Dr 2 2Dr 2 2Dr = dim (S(φ)(E /Q))+dim (S(φb)(E′ /Q)) 2b. (3.1) 2 2Dr 2 2Dr − Since dim (S(φ)(E /Q)) = 1 and dim (S(φb)(E′ /Q)) = 2 by Prop. 2.3, we have 2 2Dr 2 2Dr ′ r +dim (TS(E /Q)[φ])+dim (TS(E /Q)[φ]) = 1. E2Dr 2 2Dr 2 2Dr Lemma 3.2 gives us the result. b (cid:3) Remark 3.4. In fact, we only need the weak form of the parity conjecture: W(E) = 1= r 1. E − ⇒ ≥ About the parity conjecture, one can refer to [4], which is the recent work by Tim Dokchiter. 8 XIUMEILI,JINXIANGZENG 4. Proof of the main results Inthissection weshowthetheoremsandthecorollary intheintroduction. Wehave provedthese elliptic curves in our theorems have rank one under the parity conjecture. It is easy to show that the torsion part of E (Q) is generated by T := (0,0), see [7] Chap. X, Prop. 6.1. Let r = 1,l or 2rD l l as in Prop. 2.3, and let Q E (Q) satisfy E (Q) =< T > +ZQ. To complete the proofs 1 2 2Dr 2Dr ∈ of Theorem 1.1 and Theorem 1.2, we need yet to show v (x([k]Q)) = v (x([k]Q)) for odd k. p q 6 We recall some standard notations. For an elliptic curve E over a local field K with residue field k, we denote E˜ the reduction of E over k, E˜ (k) the set of non-singular points of E˜(k), E (K) the ns 0 set of points with non-singular reduction, E (K) the set of kernel of reduction, Eˆ the formal group 1 associated to E. We first give the upper and lower bounds and parity of the valuations at p and q of the x-coordinate of any rational points of E . Fix t = p or q once for all. We consider the 2Dr question in the following four cases according to the value of v (x(Q)). The following discussion t holds for any E which has rank one and has only two torsion points. 2rD Case I. v (x(Q)) = a 3 (note that a is odd) : Using Tate’s algorithm [8] Chap.IV, 9,, we t ≥ § know that the Tamagawa number c equal to 2, that means E (Q )/E (Q ) = Z/2Z. Since t 2Dr t 2Dr,0 t ∼ Q / E (Q ), we see 2Dr,0 t ∈ [2k]Q E (Q ),[2k+1]Q E (Q ) E (Q ). 2Dr,0 t 2Dr t 2Dr,0 t ∈ ∈ \ By the duplication formula, x(Q)4+4Dx(Q)2+4D2 x([2]Q) = 4x(Q)3 8Dx(Q) − we get v (x([2]Q)) = 2 (1 + a) = (a 1) < 0, then [2]Q E (Q ). By E (Q ) = t − − − ∈ 2Dr,1 t 2Dr,1 t ∼ E[(tZ ) = tZ ,(x,y) (z(x) = x,w(z)) z(x) = x, where v (x) = 2v (z(x)) and [7] 2Dr t ∼ t 7→ −y 7→ −y t − t Chap.IV, Prop.2.3, we have the equality a 1 v (z([2k]Q)) = v ([k]z([2]Q)) = v (2k)+ − . t t t 2 Now we get the result v (x([2k]Q)) = 2v (2k) (a 1), t t − − − which implies v (x([2(2k+1)]Q)) = 2v (2(2k+1)) (a 1) = 2v (2k+1) (a 1), t t t − − − − − − again by the duplication formula, we have the relationship v (x([2(2k +1)]Q)) = 2 (1+v (x([2k+1]Q))) = 1 v (x([2k+1]Q)), t t t − − and so we get v (x([2k+1]Q)) = 2v (2k+1)+a. t t On the other hand, by the chord and tangent principal, we have the relationship x(R) x(R+T)= 2Dr,R E (Q) O,T 2Dr · − ∈ \{ } so v (x([2k]Q+T)) = 2v (2k)+a, t t v (x([2k+1]Q+T)) = 2v (2k+1) (a 1). t t − − − By the above analysis, we have 2 v (x([2k]Q)) 0 mod 2 t − ≥ ≡  3 v (x([2k+1]Q)) 1 mod 2 t  3 ≤ v (x([2k]Q+T))≡ 1 mod 2  t ≤ ≡ 2 v (x([2k+1]Q+T)) 0 mod 2. t − ≥ ≡    FACTORING INTEGERS USING ELLIPTIC CURVES OVER Q 9 Case II. v (x(Q)) = 1 : by the duplication formula, v (x([2]Q)) = 0, then E (F ) =< [2]Q >, t t ns t ] where[2]Qisthereductionof[2]Qattheplacet. But E (F ) = t,so[2t]Q = [t]([2]Q)= O. Write ns t e g | | b := v (x([2t]Q), then b 2 and even. By the duplication formula again, we have v (x([t]Q) = −gt ≥ e g t 1+b. As E (F )=< [2]Q >, we see ns t e g vt(x([k]([2]Q)) = 0, for t k. † If t k, similarly to the Case I, we have | v (x([2k]Q) = 2v (2k) (b 2). t t − − − Thus for any non-zero integer k, we have 0 if t k vt(x([2k]Q) = (cid:26) 2vt(2k) (b 2) if t†k, − − − | 1 if t 2k+1 vt(x([2k+1]Q) = (cid:26) 2vt(2k+1)+(b 1) if t†2k+1, − | 1 if t k vt(x([2k]Q+T)= (cid:26) 2vt(2k)+(b 1) if t†k, − | and 0 if t 2k+1 vt(x([2k+1]Q+T) = (cid:26) 2vt(2k+1) (b 2) if t†2k+1. − − − | By the analysis of parity and symbol further, we get ± 0 v (x([2k]Q)) 0 mod 2 t ≥ ≡  1 v (x([2k+1]Q)) 1 mod 2 t  1 ≤ v (x([2k]Q+T))≡ 1 mod 2  t ≤ ≡ 2 v (x([2k+1]Q+T)) 0 mod 2. t − ≥ ≡   From Case I and Case II, we know that if v (x(Q)) 1, then t ≥ 0 v (x([2k]Q)) 0 mod 2 t ≥ ≡  1 v (x([2k+1]Q)) 1 mod 2  1≤ vtt(x([2k]Q+T))≡ 1 mod 2 (4.1) ≤ ≡ 2 v (x([2k+1]Q+T)) 0 mod 2. t − ≥ ≡   Case III. v (x(Q)) = 0 :we have E (F ) =< Q >, where Q is the reduction of Q at the place t ns t t. Similarly to the discussion in the Case II, we have for any non-zero integer k, e e e 0 if t k vt(x([2k]Q) = (cid:26) 2vt(2k) (c 2) if t†k, − − − | 0 if t 2k+1 vt(x([2k+1]Q) = (cid:26) 2vt(2k+1) (c 2) if t†2k+1, − − − | 1 if t k vt(x([2k]Q+T)= (cid:26) 2vt(2k)+(c 1) if t†k, − | and 1 if t 2k+1 vt(x([2k+1]Q+T)= (cid:26) 2vt(2k+1)+(c 1) if t†2k+1, − | here c:= v (x([t]Q), by the group law, we know that c 2 and is even. By the analysis of parity t − ≥ and symbol further, we have ± 0 v (x([2k]Q)) 0 mod 2 t ≥ ≡  0 v (x([2k+1]Q)) 0 mod 2 t  1 ≥ v (x([2k]Q+T))≡ 1 mod 2  t ≤ ≡ 1 v (x([2k+1]Q+T)) 1 mod 2. t ≤ ≡    10 XIUMEILI,JINXIANGZENG Case IV. v (x(Q)) 2 : Write n := v (x(Q)). Then n is even. By the formal group, we have t t ≤ − − for any non-zero integer k v (x([k]Q)) = 2v (k) n. t t − − Furthermore by the relationship x(R) x(R+T) = 2Dr, R E (Q) O,T 2Dr · − ∈ \{ } we have v (x([k]Q+T)) = 2v (k)+(n+1). t t Finally we get the following result: 2 v (x([2k]Q)) 0 mod 2 t − ≥ ≡  2 v (x([2k+1]Q)) 0 mod 2 t  −3 ≥v (x([2k]Q+T)) ≡1 mod 2  t ≤ ≡ 3 v (x([2k+1]Q+T)) 1 mod 2. t ≤ ≡   From Case III and Case IV,we know that if v (x(Q)) 0, then t ≤ 0 v (x([2k]Q)) 0 mod 2 t ≥ ≡  0 v (x([2k+1]Q)) 0 mod 2  1 ≥ vt(x([2k]Q+T))≡ 1 mod 2 (4.2)  t ≤ ≡ 1 v (x([2k+1]Q+T)) 1 mod 2. t ≤ ≡   Now we can show theorem1.1 and theorem 1.2. Proof of theorem 1.1 and theorem 1.2. Let r = 1,l and l l be the same as theorem 1.1 and 1 2 theorem 1.2. We only need to show the part about the valuations. First we claim that there exist R ,R E (Q) such that for i= 1,2 1 2 2rD ∈ v (x(R ))+1 v (x(R )) mod 2 and v (x(R )) v (x(R )) 0. (4.3) p i q i p i q i ≡ · ≤ We only show the claim in the case (p,q) (5,5) mod 8 and (q) = 1. The proofs in other cases ≡ p are similar. In this case, the prime l is in the class a = ¯3 and satisfies (D)= 1. For the elliptic curve E , q¯ l − 2lD we have TS(E′ /Q)[φ]) = 0 and S(φb)(E′ /Q)= 1, q,2pl, 2Dl . ThusC′ (Q) = ,C′ (Q)= 2lD 2lD { − − } −q 6 ∅ 2pl 6 ′ ′ . Take (z ,w ) C (Q) and (z ,w ) C (Q). One can see v (z ) 0,v (z ) 0 and ∅ 1 1 ∈ b2pl 2 2 ∈ −q p 1 ≤ q 1 ≥ v (z ) 0,v (z ) 0. Denote the images of (z ,w ) and (z ,w ) under the following isomorphism p 2 q 2 1 1 2 2 ≥ ≤ ′ d dw C E , (z,w) ( , ), d −→ 2Dr 7−→ z2 z3 by R and R respectively. Namely R := (2pl,2plw1) and R := (−q,−qw2). Then R ,R satisfy 1 2 1 z12 z13 2 z22 z23 1 2 the relations (4.3). By (4.1), (4.2) and the claim, we see v (x(Q)) and v (x(Q)) are impossible to satisfy simultane- p q ously 1 or 0. Thus we have v (x(Q)) 1,v (x(Q)) 0 or v (x(Q)) 0,v (x(Q)) 1. By the p q p q ≥ ≤ ≥ ≤ ≤ ≥ parity in (4.1) and (4.2), we have for k Z ∈ v (x([2k+1]Q)) = v (x([2k+1]Q)) p q 6 and v (x([2k+1]Q+T)) = v (x([2k+1]Q+T)). p q 6 (cid:3) Remark 4.1. By analyzing the elliptic curve y2 = x3 rDx for some proper parameter r, one can − also get thesame results as those in our theorem 1.1 and theorem 1.2. But now one shouldconsider all possibilities of (p,q) as elements of (Z/16Z)∗2.