ECM 1 April 22, 2003 ecm integer factorization using ECM, P-1 or P+1 ecm options B1 B2min-B2maxB2 ecm is an integer factoring program using the Elliptic Curve Method (ECM), the P-1 method, or the P+1 method. The following sections describe parameters relevant to these algorithms. B1 B1 is the step 1 bound. It is a mandatory parameter. It can be given either in integer format (for example 3000000) or in floating-point format (3000000.0 or 3e6). The largest possible B1 value is 9007199254740996 for P-1, ULONG_MAX for ECM and P+1. All primes 2 <= p <= B1 are processed in step 1. B2 B2 is the step 2 bound. It is optional: if omitted, a default value is computed from B1, which should be close to optimal. Like B1, it can be given either in integer or in floating-point format. The largest possible value of B2 is approximately 9e23, but depends on the number of blocks k if you specify the -k option. All primes B1 <= p <= B2 are processed in step 2. If B2 < B1, no step 2 is performed. B2min-B2max alternatively one may use the B2min-B2max form, which means that all primes B2min <= p <= B2max should be processed. Thus specifying B2 only corresponds to B1-B2. The values of B2min and B2max may be arbitrarily large, but their difference must not exceed approximately 9e23, subject to the number of blocks k. -pm1 Perform P-1 instead of the default method (ECM). -pp1 Perform P+1 instead of the default method (ECM). -t n Perform trial division up to n, before P-1, P+1 or ECM. In loop mode (see option -c), trial division is only performed in the first run. -x0 x [ECM, P-1, P+1] Use x (arbitrary-precision integer or rational) as initial point. For example, -x0 1/3 is valid. If not given, x is generated from the sigma value for ECM, or at random for P-1 and P+1. -sigma s [ECM] Use s (arbitrary-precision integer) as curve generator. If omitted, s is generated at random. -A a [ECM] Use a (arbitrary-precision integer) as curve parameter. If omitted, is it generated from the sigma value. -go val [ECM, P-1, P+1] Multiply the initial point by val, which can any valid expression, possibly containing the special character N as place holder for the current input number. Example: ecm -pp1 -go "N^2-1" 1e6 < composite2000 -k k [ECM, P-1, P+1] Perform k blocks in step 2. For a given B2 value, increasing k decreases the memory usage of step 2, at the expense of more cpu time. -treefile file Stores some tables of data in disk files to reduce the amount of memory occupied in step 2, at the expense of disk I/O. Data will be written to files file.1, file.2 etc. -power n [ECM, P-1] Use x^n for Brent-Suyama's extension (-power 1 disables Brent-Suyama's extension). The default polynomial is chosen depending on the method and B2. For P-1, n must be even. -dickson n [ECM, P-1] Use degree-n Dickson's polynomial for Brent-Suyama's extension. Like for -power, n must be even for P-1. -q Quiet mode. Found factorizations are printed on standard output, with factors separated by white spaces, one line per input number (if no factor was found, the input number is simply copied). -v Verbose mode. More information is printed, more -v options increase verbosity. With one -v, the kind of modular multiplication used, initial x0 value, step 2 parameters and progress, and expected curves and time to find factors of different sizes for ECM are printed. With -v -v, the A value for ECM and residues at the end of step 1 and step 2 are printed. More -v print internal data for debugging. -timestamp Print a time stamp whenever a new input number is processed. Several algorithms are available for modular multiplication. The program tries to find the best one for each input; one can force a given method with the following options. -mpzmod Use GMP's mpz_mod function (sub-quadratic for large inputs, but induces some overhead for small ones). -modmuln Use Montgomery's multiplication (quadratic version). Usually best method for small input. -redc Use Montgomery's multiplication (sub-quadratic version). Theoretically optimal for large input. -nobase2 Disable special base-2 code (which is used when the input number is a large factor of 2^n+1 or 2^n-1, see -v). -base2 n Force use of special base-2 code, input number must divide 2^n+1 if n > 0, or 2^|n|-1 if n < 0. The following options enable one to perform step 1 and step 2 separately, either on different machines, at different times, or using different software (in particular, George Woltman's Prime95/mprime program can produce step 1 output suitable for resuming with GMP-ECM). It can also be useful to split step 2 into several runs, using the B2min-B2max option. -inp file Take input from file file instead of from standard input. -save file Save result of step 1 in file. If file exists, an error is raised. Example: to perform only step 1 with B1=1000000 on the composite number in the file "c155" and save its result in file "foo", use ecm -save foo 1e6 1 < c155 -savea file Like -save, but appends to existing files. -resume file Resume residues from file, reads from standard input if file is "-". Example: to perform step 2 following the above step 1 computation, use ecm -resume foo 1e6 The loop mode (option -c n) enables one to run several curves on each input number. The following options control its behavior. -c n Perform n runs on each input number (default is one). This option is mainly useful for P+1 (for example with n=3) or for ECM, where n could be set to the expected number of curves to find a d-digit factor with a given step 1 bound. This option is incompatible with -resume, -sigma, -x0. Giving -c 0 produces an infinite loop until a factor is found. -one In loop mode, stop when a factor is found; the default is to continue until the cofactor is prime or the specified number of runs are done. -b Breadth-first processing: in loop mode, run one curve for each input number, then a second curve for each one, and so on. This is the default mode with -inp. -d Depth-first processing: in loop mode, run n curves for the first number, then n curves for the second one and so on. This is the default mode with standard input. -ve n In loop mode, in the second and following runs, output only expressions that have at most n characters. Default is -ve 0. -i n In loop mode, increment B1 by n after each curve. -I n In loop mode, multiply B1 by a factor depending on n after each curve. Default is one which should be optimal on one machine, while -I 10 could be used when trying to factor the same number simultaneously on 10 identical machines. The following options are useful for primality testing using external programs (e.g. OpenPFGW). -primetest Perform a primality test on the input number. If the input number is probable prime, no further computation is done, and the program skips to the next number, or exits if this was the last one. The primality test is not done by default since it may be expensive, especially for large input. -prp cmd Use the shell command cmd for primality tests. Within cmd, %n will be replaced by the decimal number to be checked, %l will be replaced by the file name corresponding to -prplog, and %t will be replaced by the file name corresponding to -prplog. Also any possible character can be output using the escape command %x[0-9a-f][0-9a-f], thus special characters that some broken shells do not allow can be used. All other characters within cmd will be replaced verbatim, and a system call will be made to execute the command. Example: -prp "pfgw -q%n > /dev/null 2> /dev/null -b139" -prplen n The external primality-test will be called only when candidate numbers are longer than this number of digits. The default is 800 digits. -prpval n Return code which indicates the primality-test command found the number to be pseudo-prime. If this option is not used, the prplog and prpyes/prpno values will be used instead. -prplog file If not using prpval, get primality results from file, which is deleted after the test. -prptmp file Write the number to be tested to file before running the primality test (useful for numbers larger than what the command line can support). -prpyes str Indicate the string to be found in prplog file when the number is probably prime. Default is "-PRP!". -prpno str Indicate the string to be found in prplog file when the number is composite. Default is "is composite". -n Run the program in nice mode (below normal priority). -nn Run the program in very nice mode (idle priority). -B2scale f Multiply the default step 2 bound B2 by the floating-point value f. Example: -B2scale 0.5 divides the default B2 by 2. -cofdec Force cofactor output in decimal (even if expressions are used). -h, --help Display a short description of ecm usage, parameters and command line options. The input numbers can have several forms: Raw decimal numbers like 123456789. Comments can be placed in the file: everything after // is ignored, up to the end of line. Line continuation. If a line ends with a backslash character \, it is considered to continue on the next line. Common arithmetic expressions can be used. Example: 3*5+2^10. Factorial: example 53!. Multi-factorial: example 15!3 means 15*12*9*6*3. Primorial: example 11# means 2*3*5*7*11. Reduced primorial: example 17#5 means 5*7*11*13*17. Functions: currently, the only available function is Phi(x,n). Report bugs to <ecm-dev@lists.fousse.info>, after checking <http://www.loria.fr/~zimmerma/records/ecmnet.html> for bug fixes or new versions. Jim Fougeron <jfoug at cox dot net> contributed the expression parser and several command-line options; Laurent Fousse <laurent at komite dot net> contributed the middle product code, the autoconf/automake tools, and is the maintainer of the Debian package; Alexander Kruppa <firstname.lastname@mytum.de> contributed the Toom-Cook multiplication code, the special code for Fermat numbers, and many other nice things; Dave Newman <david.lastname@jesus.ox.ac.uk> contributed the Kronecker-Schoenhage multiplication code; Paul Zimmermann <zimmerma at loria dot fr> is the author of the first version of the program. Note: email addresses have been obscured, the required substitutions should be obvious.