Index calculus algorithm

In computational number theory, the index calculus algorithm is a probabilistic algorithm for computing discrete logarithms.Dedicated to the discrete logarithm in ( Z / q Z ) ∗ {displaystyle (mathbb {Z} /qmathbb {Z} )^{*}} where q {displaystyle q} is a prime, index calculus leads to a family of algorithms adapted to finite fields and to some families of elliptic curves. The algorithm collects relations among the discrete logarithms of small primes, computes them by a linear algebra procedure and finally expresses the desired discrete logarithm with respect to the discrete logarithms of small primes. In computational number theory, the index calculus algorithm is a probabilistic algorithm for computing discrete logarithms.Dedicated to the discrete logarithm in ( Z / q Z ) ∗ {displaystyle (mathbb {Z} /qmathbb {Z} )^{*}} where q {displaystyle q} is a prime, index calculus leads to a family of algorithms adapted to finite fields and to some families of elliptic curves. The algorithm collects relations among the discrete logarithms of small primes, computes them by a linear algebra procedure and finally expresses the desired discrete logarithm with respect to the discrete logarithms of small primes. Roughly speaking, the discrete log problem asks us to find an x such that g x ≡ h ( mod n ) {displaystyle g^{x}equiv h{pmod {n}}} , where g, h, and the modulus n are given. The algorithm (described in detail below) applies to the group ( Z / q Z ) ∗ {displaystyle (mathbb {Z} /qmathbb {Z} )^{*}} where q is prime. It requires a factor base as input. This factor base is usually chosen to be the number −1 and the first r primes starting with 2. From the point of view of efficiency, we want this factor base to be small, but in order to solve the discrete log for a large group we require the factor base to be (relatively) large. In practical implementations of the algorithm, those conflicting objectives are compromised one way or another. The algorithm is performed in three stages. The first two stages depend only on the generator g and prime modulus q, and find the discrete logarithms of a factor base of r small primes. The third stage finds the discrete log of the desired number h in terms of the discrete logs of the factor base. The first stage consists of searching for a set of r linearly independent relations between the factor base and power of the generator g. Each relation contributes one equation to a system of linear equations in r unknowns, namely the discrete logarithms of the r primes in the factor base. This stage is embarrassingly parallel and easy to divide among many computers. The second stage solves the system of linear equations to compute the discrete logs of the factor base. Although a minor computation compared to the other stages, a system of hundreds of thousands or millions of equations is a significant computation requiring large amounts of memory, and it is not embarrassingly parallel, so a supercomputer is typically used. The third stage searches for a power s of the generator g which, when multiplied by the argument h, may be factored in terms of the factor base gsh = (−1)f0 2f1 3f2···prfr. Finally, in an operation too simple to really be called a fourth stage, the results of the second and third stages can be rearranged by simple algebraic manipulation to work out the desired discrete logarithm x = f0logg(−1) + f1logg2 + f2logg3 + ··· + frloggpr − s.