
Combining these solutions yields

$$(x_2, x_3, x_5) \equiv (5733, 15750, 6277) \pmod{18442}.$$

We check the solutions by computing

$$37^{5733} \equiv 2 \pmod{18443}, \qquad 37^{15750} \equiv 3 \pmod{18443}, \qquad 37^{6277} \equiv 5 \pmod{18443}.$$

Recall that our ultimate goal is to solve the discrete logarithm problem

$$37^x \equiv 211 \pmod{18443}.$$

We compute the value of $211 \cdot 37^{-k} \pmod{18443}$ for random values of $k$ until we find a value that is $B$-smooth. After a few attempts we find that

$$211 \cdot 37^{-9549} \equiv 2^5 \cdot 3^2 \cdot 5^2 \pmod{18443}.$$

Using the values of the discrete logs of 2, 3, and 5 from above, this yields

$$\log_g(211) = 9549 + 5\log_g(2) + 2\log_g(3) + 2\log_g(5) = 9549 + 5 \cdot 5733 + 2 \cdot 15750 + 2 \cdot 6277 \equiv 8500 \pmod{18442}.$$

Finally, we check our answer $\log_g(211) = 8500$ by computing

$$37^{8500} \equiv 211 \pmod{18443}.$$
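The final step of the computation above can be reproduced in a few lines of Python. This is an added example, not code from the text: the function names are hypothetical, the factor-base logarithms are the values quoted above, and the search takes any sequence of candidate $k$ values rather than drawing them at random, so that the run is repeatable.

```python
# Added example: the last phase of index calculus with the numbers from the text.
P = 18443                  # prime modulus
G = 37                     # primitive root modulo P
H = 211                    # target: solve G^x = H (mod P)
FACTOR_BASE_LOGS = {2: 5733, 3: 15750, 5: 6277}   # log_G of 2, 3, 5 modulo P - 1


def check_factor_base():
    """Confirm G^(x_q) = q (mod P) for every prime q in the factor base."""
    return all(pow(G, x, P) == q for q, x in FACTOR_BASE_LOGS.items())


def smooth_exponents(n, primes):
    """Return {prime: exponent} if n factors completely over primes, else None."""
    exps = {}
    for q in primes:
        while n % q == 0:
            n //= q
            exps[q] = exps.get(q, 0) + 1
    return exps if n == 1 else None


def individual_log(h, k_values):
    """Try each k; on the first smooth h * G^(-k) return (k, exponents, log_G(h))."""
    g_inv = pow(G, -1, P)                      # modular inverse, Python 3.8+
    for k in k_values:
        candidate = h * pow(g_inv, k, P) % P
        exps = smooth_exponents(candidate, FACTOR_BASE_LOGS)
        if exps is not None:
            # h = G^k * prod(q^e)  =>  log h = k + sum(e * log q)  (mod P - 1)
            x = (k + sum(e * FACTOR_BASE_LOGS[q] for q, e in exps.items())) % (P - 1)
            return k, exps, x
    return None


if __name__ == "__main__":
    print("factor base consistent:", check_factor_base())
    print("using k = 9549 from the text:", individual_log(H, [9549]))
    k, exps, x = individual_log(H, range(1, P))   # deterministic scan instead of random k
    print("first smooth k:", k, "exponents:", exps, "log:", x)
    print("check 37^x mod 18443:", pow(G, x, P))
```

Because 37 is a primitive root, every smooth relation the scan finds must give the same logarithm modulo 18442, whichever $k$ it comes from.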
Remark 3.59. We can roughly estimate the running time of the index calculus as follows. Using a factor base consisting of primes less than $B$, we need to find approximately $\pi(B)$ numbers of the form $g^i \pmod{p}$ that are $B$-smooth. Proposition 3.48 suggests that we should take $B = L(p)^{1/\sqrt{2}}$, and then we will have to check approximately $L(p)^{\sqrt{2}}$ values of $i$. There is also the issue of checking each value to see whether it is $B$-smooth, but sieve-type methods can be used to speed the process. Further, using ideas based on the number field sieve, the running time can be further reduced to a small power $L^{1/3}(p)$.

In any case, the index calculus is a subexponential algorithm for solving the discrete logarithm problem in $\mathbb{F}_p$. This stands in marked contrast to the discrete logarithm problem in elliptic curve groups, which we study in Chap. 6. Currently, the best known algorithms to solve the general discrete logarithm problem in elliptic curve groups are fully exponential.

## 3.9 Quadratic Residues and Quadratic Reciprocity

Let $p$ be a prime number. Here is a simple mathematical question:

How can Bob tell whether a given number $a$ is equal to a square modulo $p$?

For example, suppose that Alice asks Bob whether 181 is a square modulo 1223. One way for Bob to answer Alice's question is by constructing a table of squares modulo 1223 as illustrated in Table 3.8, but this is a lot of work, so he gave up after computing $96^2 \bmod 1223$. Alice picked up the computation where Bob stopped and eventually found that $437^2 \equiv 181 \pmod{1223}$. Thus the answer to her question is that 181 is indeed a square modulo 1223. Similarly, if Alice is sufficiently motivated to continue the table all the way up to $1222^2 \bmod 1223$, she can verify that the number 385 is not a square modulo 1223, because it does not appear in her table. (In fact, Alice can save half her time by computing only up to $611^2 \bmod 1223$, since $a^2$ and $(p - a)^2$ have the same values modulo $p$.)

Our goal in this section is to describe a much more efficient way to check if a number is a square modulo a prime. We begin with a definition.

Definition. Let $p$ be an odd prime number and let $a$ be a number with $p \nmid a$.