Prime Numbers

6.4 Index-calculus method for discrete logarithms 305
algebra, which is the primary goal, or one gets a factorization of the modulus,
and so can restart the matrix algebra with the finer factors one has found.
Regarding question (3), it is likely that with somewhat more than π(B)
relations of the form g r ≡ p r1
1 ···prk
k (mod p), where p1,...,pk are all of the
primes in [1,B], that the various exponent vectors (r1,...,rk) found span the
module Z k p−1. So obtaining B of these vectors is a bit of overkill. In addition,
it is not even necessary that the vectors span the complete module, but only
that the vector corresponding to the relation found in step [Search for a special
relation] be in the submodule generated by them. This idea, then, would make
the separate solutions for log g pi in Step [Linear algebra] unnecessary; namely,
one would do the linear algebra only after the special relation is found.
The final two questions above can be answered together. Just as with the
analysis of some of the factorization methods, we find that an asymptotically
optimal choice for B is of the shape L(p) c ,whereL(p) is defined in (6.1). If
a fast smoothness test is used, such as the elliptic curve method, we would
choose c =1/ √ 2, and end up with a total complexity of L(p) √ 2+o(1) .Ifa
slow smoothness test is used, such as trial division, a smaller value of c should
be chosen, namely c =1/2, leading to a total complexity of L(p) 2+o(1) .Ifa
smoothness test is used that is of intermediate complexity, one is led to an
intermediate value of c and an intermediate total complexity.
At finite levels, the asymptotic analysis is only a rough guide, and good
choices should be chosen by the implementer following some trial runs. For
details on the index-calculus method for prime finite fields, see [Pomerance
1987b].
6.4.2 Discrete logarithms via smooth polynomials and
smooth algebraic integers
What makes the index-calculus method successful, or even possible, for Fp
is that we may think of Fp as Zp, and thus represent group elements with
integers. It is not true that F p d is isomorphic to Z p d when d>1, and so
there is no convenient way to represent elements of nonprime finite fields with
integers. As we saw in Section 2.2.2, we may view F p d as the quotient ring
Zp[x]/(f(x)), where f(x) is an irreducible polynomial in Zp[x] ofdegreed.
Thus, we may identify to each member of F ∗
p d a nonzero polynomial in Zp[x]
of degree less than d.
The polynomial ring Zp[x] is like the ring of integers Z in many ways.
Both are unique factorization domains, where the “primes” of Zp[x] are the
monic irreducible polynomials of positive degree. Both have only finitely many
invertible elements (the residues 1, 2,...,p− 1 modulo p in the former case,
and the integers ±1 in the latter case), and both rings have a concept of
size. Indeed, though Zp[x] is not an ordered ring, we nevertheless have a
rudimentary concept of size via the degree of a polynomial. And so, we have
a concept of “smoothness” for a polynomial: We say that a polynomial is bsmooth
if each of its irreducible factors has degree at most b. Weevenhave
a theorem analogous to (1.44): The fraction of b-smooth polynomials in Zp[x]