
We see that and One can easily check that and that We use the MultiEntropy function defined in Section 5.1 and further the

8.2 Other Discrete Logarithm Based Systems

8.3.1 The Pohlig-Hellman Algorithm

In [PohH78], Pohlig and Hellman demonstrate that discrete logarithms can be taken much faster than in operations, if has only small prime divisors. We shall first demonstrate this method for two special cases.

Special Case:

Examples of prime numbers that are a power of 2 plus one are given by and

So, let be a primitive element in a finite field GF(q). The problem is to find satisfying (8.1) for a given value of c.

Let be the binary representation of the unknown m, i.e.

Of course, it suffices to compute the unknown Since is a primitive element of GF(q) we know (see also Theorem B.21) that and

It also follows that because the square of while (We also use here that by Theorem B.15 the quadratic equation has as only roots.) Hence

Therefore, the evaluation of in GF(q), which takes at most 2. multiplications, as we have seen in Subsection 8.1.1), yields

Compute Now can be determined in the same way as above from

Compute and determine from Repeat this process until also (and thus m) has been determined.

The above algorithm finds m from c in at most

operations, where the term +2 comes from the evaluation of the (in the i-th step has to be squared and the outcome may or may not have to be multiplied to ).

Comparing with Table 8.1, we observe that in the current case (i.e. the discrepancy between the computational complexity of using the Diffie-Hellman scheme (one exponentiation involving 2n multiplications) and breaking it ( multiplications) is quadratic, which is not significant enough to make the system secure.

Remark:

Note that when odd, the t least significant bits of m can be found in exactly the same way.

Example 8.6

Consider the equation So, and Note that Writing we find mo by evaluating

Since this is –1 we know that Compute Then can be found from

Since the outcome is 1, we have So, and can be found from

We now also have and thus We can check this with:

General Case: has only small prime factors

Let where the are different primes and the exponents are strictly positive (see the Fundamental Theorem in Number Theory, Thm. A.6). We assume that all are small. Later we shall say precisely what we mean by that.

Instead of solving m from (8.1) directly, we shall determine

With the Chinese Remainder Theorem (Thm. A.19) one can compute m efficiently from these

To determine (the others can be found in the same way) we write it in its -ary representation. For the sake of convenience we drop all the sub- and superscripts referring to the case.

Similarly to the Special Case we will find the coefficients by single exponentiations.

Coefficient can be found by evaluating From Theorem B.21 it follows that which implies that is a p-th root of unity.

Define the primitive p-th root of unity by and make a table of Then, because mod and we have

So, a simple table lookup of will yield

To determine we first compute and then evaluate etc., until has been determined. Similar calculations have to be made to determine the other

For this algorithm, we have to make tables of the powers of the primitive p-th roots of unity for all the prime factors of

The values of these factors have to be small enough to be able to store them.

Each time that we want to take a logarithm the algorithm will have to take exponentiations, therefore, the algorithm involves

operations, if we forget about the lower order terms. Again we have a quadratic relation between using the Diffie-Hellman key-exchange system and breaking it.

An Example of the Pohlig-Hellman Algorithm

Example 8.7

Consider Equation (8.1) with primitive element Note that q is a prime number, so

Preliminary Calculations.

First of all we factor and compute the multiplicative inverse of 6 modulo 8101 with the Mathematica functions FactorInteger and PowerMod.

So, and

Next we use the PowerMod function again to calculate the primitive 2nd, 3rd and 5th roots of unity: and

So, and With the Table function we make the following three tables:

The preliminary work for the Chinese Remainder Theorem consists of solving the following three systems of linear congruence relations:

These three systems can be solved with the Mathematica function ChineseRemainderTheorem, for which we first have to load the package

NumberTheory`NumberTheoryFunctions`

So,

This concludes the preliminary work.

Solving Equation (8.1) for:

We first determine as defined in (8.2), with the method explained above. Of course, the tables that we just made have to be consulted at each step.

First prime factor:

Hence

Second prime factor:

Hence

Third prime factor:

Hence

The final solution m is given by:

This can easily be checked.

In Mathematica, the precalculation of a, b, and c is not really necessary, because m can be computed directly from and with the ChineseRemainderTheorem function:
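The General Case procedure above (tables of the powers of a primitive p-th root of unity, one exponentiation per p-ary digit, then the Chinese Remainder Theorem) and Example 8.7 are carried out here in Python as an added example; it is not the book's Mathematica code. It uses q = 8101 and the primitive element 6 from Example 8.7, but the exponent m and hence the value c are constructed here, not taken from the text. The Special Case (q - 1 a power of 2) is simply the run with the single prime factor p = 2.

```python
# Pohlig-Hellman for q = 8101, g = 6 (as in Example 8.7); c and m below are constructed.
from math import prod

def factor(n):
    """Trial division: returns [(p, e), ...] with n = prod(p**e); fine for small n."""
    f, p = [], 2
    while p * p <= n:
        if n % p == 0:
            e = 0
            while n % p == 0:
                n //= p
                e += 1
            f.append((p, e))
        p += 1
    if n > 1:
        f.append((n, 1))
    return f

def crt(residues, moduli):
    """Chinese Remainder Theorem: x with x = r_i (mod n_i) for pairwise coprime n_i."""
    N = prod(moduli)
    return sum(r * (N // n) * pow(N // n, -1, n) for r, n in zip(residues, moduli)) % N

def pohlig_hellman(g, c, q):
    """Solve g**m = c (mod q), q prime and g a primitive element, i.e. Equation (8.1)."""
    n = q - 1
    residues, moduli = [], []
    g_inv = pow(g, -1, q)
    for p, e in factor(n):
        # Table of the powers of the primitive p-th root of unity zeta = g**(n/p).
        zeta = pow(g, n // p, q)
        table = {pow(zeta, k, q): k for k in range(p)}
        # Peel off the p-ary digits of m mod p**e, one exponentiation and one lookup each.
        x, y = 0, c                     # invariant: y = c * g**(-x) (mod q)
        for i in range(e):
            digit = table[pow(y, n // p ** (i + 1), q)]   # equals zeta**(digit)
            x += digit * p ** i
            y = y * pow(g_inv, digit * p ** i, q) % q
        residues.append(x)
        moduli.append(p ** e)
    return crt(residues, moduli)       # recombine m mod 4, mod 81 and mod 25

if __name__ == "__main__":
    q, g, m_true = 8101, 6, 1234       # m_true is a constructed check value
    c = pow(g, m_true, q)
    print(pohlig_hellman(g, c, q))     # recovers 1234
```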

If has large prime factors, the dominant term in the workload of the Pohlig-Hellman algorithm will be the exponentiations necessary for the generation of the tables and the number of exponentiations necessary to determine the

In the next subsection, we shall explain a method to take logarithms if one (or more) of the prime power factors of is too large to store the tables in the Pohlig-Hellman method.