Combining these solutions yields
(
x
2
, x
3
, x
5
)
≡
(5733
,
15750
,
6277)
(mod 18442)
.
We check the solutions by computing
37
5733
≡
2 (mod 18443)
,
37
15750
≡
3 (mod 18443)
,
37
6277
≡
5 (mod 18443)
.
Recall that our ultimate goal is to solve the discrete logarithm problem
37
x
≡
211
(mod 18443)
.
We compute the value of 211
·
37
−
k
(mod 18443) for random values of
k
until
we find a value that is
B
-smooth. After a few attempts we find that
211
·
37
−
9549
≡
2
5
·
3
2
·
5
2
(mod 18443)
.
Using the values of the discrete logs of 2, 3, and 5 from above, this yields
log
g
(211) = 9549 + 5 log
g
(2) + 2 log
g
(3) + 2 log
g
(5)
= 9549 + 5
·
5733 + 2
·
15750 + 2
·
6277
≡
8500
(mod 18442)
.
Finally, we check our answer log
g
(211) = 8500 by computing
37
8500
≡
211
(mod 18443)
.

3.9. Quadratic Residues and Quadratic Reciprocity
169
Remark
3.59
.
We can roughly estimate the running time of the index calculus
as follows. Using a factor base consisting of primes less than
B
, we need to
find approximately
π
(
B
) numbers of the form
g
i
(mod
p
) that are
B
-smooth.
Proposition
3.48
suggests that we should take
B
=
L
(
p
)
1
/
√
2
, and then we
will have to check approximately
L
(
p
)
√
2
values of
i
. There is also the issue
of checking each value to see whether it is
B
-smooth, but sieve-type methods
can be used to speed the process. Further, using ideas based on the number
field sieve, the running time can be further reduced to a small power
L
1
/
3
(
p
).
In any case, the index calculus is a subexponential algorithm for solving the
discrete logarithm problem in
F
∗
p
. This stands in marked contrast to the dis-
crete logarithm problem in elliptic curve groups, which we study in Chap.
6
.
Currently, the best known algorithms to solve the general discrete logarithm
problem in elliptic curve groups are fully exponential.
3.9
Quadratic Residues and Quadratic
Reciprocity
Let
p
be a prime number. Here is a simple mathematical question:
How can Bob tell whether a given number
a
is
equal to a square modulo
p
?
For example, suppose that Alice asks Bob whether 181 is a square mod-
ulo 1223. One way for Bob to answer Alice’s question is by constructing a table
of squares modulo 1223 as illustrated in Table
3.8
, but this is a lot of work,
so he gave up after computing 96
2
mod 1223. Alice picked up the computa-
tion where Bob stopped and eventually found that 437
2
≡
181 (mod 1223).
Thus the answer to her question is that 181 is indeed a square modulo 1223.
Similarly, if Alice is su
ﬃ
ciently motivated to continue the table all the way
up to 1222
2
mod 1223, she can verify that the number 385 is not a square
modulo 1223, because it does not appear in her table. (In fact, Alice can save
half her time by computing only up to 611
2
mod 1223, since
a
2
and (
p
−
a
)
2
have the same values modulo
p
.)
Our goal in this section is to describe a more much e
ﬃ
cient way to check
if a number is a square modulo a prime. We begin with a definition.
Definition.
Let
p
be an odd prime number and let
a
be a number with
p
a
.