The significance of the field of the factor in Lenstra’s ECM

The quote invites computing $5\,P$ on the Elliptic Curve of equation $E:\ Y^2\equiv X^3+3X+7\pmod{11}$ in order to experimentally come to the realization this is the point at infinity $\mathcal O$ (the neutral of point addition), and get the intuition that's why the computation of $5\,P$ on the Elliptic Curve of equation $E:\ Y^2\equiv X^3+3X+7\pmod{187}$ (as performed by the algorithm) yields a value that can't be inverted modulo $187$.

This all comes from the Chinese Remainder Theorem. Possible statements and consequences of that are: for $n=p\,q$ with $\gcd(p,q)=1$ (including $n=187$ , $p=11$ , $q=17$ as in the example)

• Any quantity modulo $n$ can be equivalently computed modulo $p$ and modulo $q$.
• The ring of integers modulo $n$, noted $\mathbb Z_n$, has a canonical isomorphism with $\mathbb Z_p\times\mathbb Z_q$.
• For any integer $z$ in $[0,n)$ we can uniquely define $z_p=z\bmod p$ and $z_q=z\bmod q$, and then it holds $z=\left((q^{-1}\bmod p)\,(z_p-z_q)\bmod p\right)\,q+z_q$.
• For a given Elliptic Curve of equation taken modulo $n$, and points $U$ and $V$ on that curve, if we can compute $U+V$ per the equations of point addition of an Elliptic Curve in a field, yielding $(X,Y)$ ; then we can equivalently do the same for the curves with the same equation taken modulo $p$ and modulo $q$ yielding coordinates $(X_p,Y_p)$ and $(X_q,Y_q)$ , then obtain $(X,Y)$ by twice applying the method in the above bullet point.
• The above for point addition extends to point multiplication by an integer.

What insight does this give us?

We get the insight that by computing on an Elliptic Curve in the ring $\mathbb Z_n$ for $n$ of (initially) unknown factorization as if it was a field (it's not), we also managed to compute on an Elliptic Curve in the ring $\mathbb Z_p$ where $p$ is an (initially) unknown factor of $n$. And (still without a formal proof, but with an enlightening example) the reason the computation on a curve in $\mathbb Z_n$ hit a non-computable inverse is that the point at infinity $\mathcal O$ was reached on the curve in one of $\mathbb Z_p$ or $\mathbb Z_q$ (assuming $p$ and $q$ are prime, making $\mathbb Z_p$ and $\mathbb Z_p$ fields, and $\mathcal O$ on the corresponding curve well-defined).

This let us understand why the algorithm works, which in turn allows to reason about it and evaluate it's probability of success (that is of uncovering a non-trivial factor of $n$). When $n$ is the product of distinct primes $p_i$, that probability is the sum of the probabilities that the point at infinity is reached for one the curves for each of the $p_j$, minus the (very low) probability that it's hit simultaneously on all curves.