Pohlig-Hellman algorithm

From Wikipedia, the free encyclopedia

In mathematics, the Pohlig-Hellman algorithm is an algorithm for the computation of discrete logarithms in a multiplicative group whose order is a smooth integer. The algorithm is based on the Chinese remainder theorem and runs in polynomial time.

We will explain the algorithm in terms of the group formed by taking all the elements of Zp which are coprime to p, and leave it to the advanced reader to extend the algorithm to other groups.

Input Integers p, g, e.
Output Integer x, such that e ≡ gx (mod p).
  1. Use Euler's totient function to determine the prime factorization of the order of the group :
    \varphi(p)= p_0\cdot p_1 \cdot \ldots \cdot p_n
  2. From the remainder theorem we know that x = a1 p1 + b1. We now find the value of b1 for which the following equation holds using a fast algorithm such as Baby-step giant-step :
    \begin{matrix}e^{\varphi(p)/p_1} & \equiv & (g^x)^{\varphi(p)/p_1} \pmod{p} \\                               & \equiv & (g^{\varphi(p)})^{a_1}g^{b_1\varphi(p)/p_1} \pmod{p} \\                               & \equiv & (g^{\varphi(p)/p_1})^{b_1} \pmod{p} \end{matrix} (using Euler's theorem)

    Note that if g^{\varphi(p)/p_1} \equiv 1 \pmod{p} then the order of g is less than φ(p) and e^{\varphi(p)/p_1} \mod p must be 1 for a solution to exist. In this case there will be more than one solution for x less than φ(p), but since we are not looking for the whole set, we can require that b1=0.

    The same operation is now performed for p2 up to pn.

    A minor modification is needed where a prime number is repeated. Suppose we are seeing pi for the k+1-th time. Then we already know ci in the equation x = ai pik+1 + bi pik+ci, and we find bi the same way as before.
  3. We end up with enough simultaneous congruences so that x can be solved using the Chinese remainder theorem.
 This number theory-related article is a stub. You can help Wikipedia by expanding it.
In other languages