Prime Numbers

306 Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS
of degree less than d is about u−u ,whereu = d/b, for a wide range of the
variables p, d, b.
Now obviously, this does not make too much sense when d is small.
For example, when d = 2, everything is 1-smooth, and about 1/p of the
polynomials are 0-smooth. However, when d is large the index-calculus
method does work for discrete logarithms in Z∗ pd, giving a method that is
subexponential; see [Lovorn Bender and Pomerance 1998].
What, then, of the cases when d>1, but d is not large. There is an
alternative representation of Fpd that is useful in these cases. Suppose K is
an algebraic number field of degree d over the field of rational numbers. Let
OK denote the ring of algebraic integers in K. Ifpis a prime number that
is inert in K, that is, the ideal (p) inOk is a prime ideal, then the quotient
structure OK/(p) isisomorphictoFpd.Thuswemaythinkofmembersof the finite field as algebraic integers. And as we saw with the NFS factoring
algorithm, it makes sense to talk of when an algebraic integer is smooth:
Namely, it is y-smooth if all of the prime factors of its norm to the rationals
are at most y.
Let us illustrate in the case d =2wherepis a prime that is 3 (mod 4).
We take K = Q[i], the field of Gaussian rationals, namely {a + bi : a, b ∈ Q}.
Then OK is Z[i] ={a + bi : a, b ∈ Z}, the ring of Gaussian integers. We
have that Z[i]/(p) is isomorphic to the finite field Fp2. So, the index-calculus
method will still work, but now we are dealing with Gaussian integers a + bi
instead of ordinary integers.
In the case d = 2, the index-calculus method via a quadratic imaginary
field can be made completely rigorous; see [Lovorn 1992]. The use of other
fields are conjecturally acceptable, but the analysis of the index calculus
method in these cases remains heuristic.
There are heuristic methods analogous to the NFS factoring algorithm to
do discrete logs in any finite field Fpd, including the case d = 1. For a wide
range of cases, the
complexity is heuristically brought down to functions of
the shape exp c log pd1/3
d log log p 2/3
; see [Gordon 1993], [Schirokauer
et al. 1996], and [Adleman 1994]. These methods may be thought of as grand
generalizations of the index-calculus method, and what makes them work is a
representation of group elements that allows the notion of smoothness. It is for
this reason that cryptographers tend to eschew the full multiplicative group
of a finite field in favor of elliptic-curve groups. With elliptic-curve groups
we have no convenient notion of smoothness, and the index-calculus method
appears to be useless. For these groups, the best DL methods that universally
work all take exponential time.
6.5 Exercises
6.1. You are given a composite number n that is not a power, and a
nontrivial factorization n = ab. Describe an efficient algorithm for finding