Pohlig-Hellman Algorithm

The Pohlig-Hellman algorithm is useful in finding the discrete logarithm ${\displaystyle L_{\alpha }}$ of a number and modulus. In other words, we wish to solve the following expression for ${\displaystyle x}$.

${\displaystyle \beta \equiv \alpha ^{x}\quad \iff \quad x\equiv L_{\alpha }\left(\beta \right){\pmod {p}}\,\!}$

We'll use the ${\displaystyle L_{\alpha }(\beta )}$ notation to represent this solution. Given the prime factorization of ${\displaystyle p-1}$,

${\displaystyle p-1=\prod _{i}{q_{i}}^{r_{i}}}$

We can solve ${\displaystyle L_{\alpha }(\beta ){\pmod {q^{r}}}}$ for each ${\displaystyle {q_{i}}^{r_{i}}}$ (in other words, calculate ${\displaystyle x{\pmod {q^{r}}}}$ for each factor) and then recombine them using the Chinese remainder theorem to find ${\displaystyle x}$. Let's start by finding the base-${\displaystyle q}$ expansion of ${\displaystyle x}$:

${\displaystyle x=d_{0}+d_{1}\,q+d_{2}\,q^{2}+\dots \,\!}$

where each ${\displaystyle d_{i}}$ is an integer digit between 0 and ${\displaystyle q-1}$. We can find the digits ${\displaystyle d_{0}}$ through ${\displaystyle d_{r-1}}$ successively to find ${\displaystyle x{\pmod {q^{r}}}}$. Let's multiply both sides of the equation above by ${\displaystyle {\tfrac {p-1}{q}}}$:

${\displaystyle {\begin{aligned}x\,\left({\frac {p-1}{q}}\right)&=d_{0}\,\left({\frac {p-1}{q}}\right)+\left(p-1\right)\,\left(d_{1}+d_{2}\,q+d_{3}q^{2}+\dots \right)\\&=d_{0}\left({\frac {p-1}{q}}\right)+(p-1)\,N\end{aligned}}}$

Where ${\displaystyle N}$ is some integer. Let's raise each side of our original problem statement ${\displaystyle \beta \equiv \alpha ^{x}{\pmod {p}}}$ to the same ${\displaystyle {\tfrac {p-1}{q}}}$ power:

${\displaystyle {\begin{aligned}\beta ^{\frac {p-1}{q}}&\equiv \left(\alpha ^{x}\right)^{\frac {p-1}{q}}{\pmod {p}}\\&\equiv \alpha ^{x\left({\frac {p-1}{q}}\right)}{\pmod {p}}\\&\equiv \alpha ^{d_{0}\,\left({\frac {p-1}{q}}\right)+\left(p-1\right)\,N}{\pmod {p}}\\&\equiv \alpha ^{d_{0}\,\left({\frac {p-1}{q}}\right)}\,{\cancel {\alpha ^{(p-1)N}}}{\pmod {p}}\\&\equiv \alpha ^{d_{0}\,\left({\frac {p-1}{q}}\right)}{\pmod {p}}\\\end{aligned}}}$

Now we just have to try possible values for ${\displaystyle d_{0}}$ until the following congruence works out:

${\displaystyle \beta ^{\frac {p-1}{q}}\equiv \left(\alpha ^{\frac {p-1}{q}}\right)^{d_{0}}{\pmod {p}}\quad \quad d_{0}\in \{0,1,2,\dots ,q-1\}}$

Now that we know ${\displaystyle d_{0}}$, we can find remaining digits (up to ${\displaystyle d_{r-1}}$) in succession. Notice by our original problem and our base expansion for ${\displaystyle x}$ that we have

${\displaystyle {\begin{aligned}\beta &\equiv \alpha ^{x}{\pmod {p}}\\&\equiv \alpha ^{d_{0}+d_{1}\,q+d_{2}\,q^{2}+\dots }{\pmod {p}}\\&\equiv \alpha ^{d_{0}}\,\alpha ^{q\,(d_{1}+d_{2}\,q+d_{3}\,q^{2}+\dots )}{\pmod {p}}\\\beta \,\alpha ^{-d_{0}}&\equiv \alpha ^{q\,(d_{1}+d_{2}\,q+d_{3}\,q^{2}+\dots )}{\pmod {p}}\end{aligned}}}$

Now similar to what we did above, we can raise both sides to the ${\displaystyle {\tfrac {p-1}{q^{k}}}}$ power (notice ${\displaystyle k=1}$ in the first step) for ${\displaystyle k}$ up to ${\displaystyle r}$ (as ${\displaystyle q^{r}}$ is the highest prime power that divides ${\displaystyle p-1}$). In this case, we'll take ${\displaystyle k=2}$:

${\displaystyle {\begin{aligned}\left(\beta \,\alpha ^{-d_{0}}\right)^{\frac {p-1}{q^{2}}}&\equiv \left(\alpha ^{q\,(d_{1}+d_{2}\,q+d_{3}\,q^{2}+\dots )}\right)^{\frac {p-1}{q^{2}}}\\&\equiv \alpha ^{{\frac {p-1}{q}}\,(d_{1}+d_{2}\,q+d_{3}\,q^{2}+\dots )}{\pmod {p}}\\&\equiv \alpha ^{d_{1}\,\left({\frac {p-1}{q}}\right)+(p-1)\,(d_{2}+d_{3}\,q+d_{4}\,q^{2}+\dots )}{\pmod {p}}\\&\equiv \alpha ^{d_{1}\,\left({\frac {p-1}{q}}\right)+(p-1)\,N}{\pmod {p}}\\&\equiv \alpha ^{d_{1}\,\left({\frac {p-1}{q}}\right)}\,{\cancel {\alpha ^{(p-1)\,N}}}{\pmod {p}}\end{aligned}}}$

Once again, we reduced by Fermat's little theorem, and now we can try values for ${\displaystyle d_{1}}$ until we find the one that makes the equivalence work.

${\displaystyle \left(\beta \,\alpha ^{-d_{0}}\right)^{\frac {p-1}{q^{2}}}\equiv \left(\alpha ^{\frac {p-1}{q}}\right)^{d_{1}}{\pmod {p}}\quad \quad d_{1}\in \{0,1,2,\dots ,q-1\}}$

Continue this process until we have all base ${\displaystyle q_{r}}$ digits ${\displaystyle d_{i}}$ for ${\displaystyle x}$.

${\displaystyle \left(\beta \,\prod _{i=0}^{\text{known}}\alpha ^{-d_{i}\,q^{i}}\right)^{\frac {p-1}{q^{k}}}\equiv \left(\alpha ^{\frac {p-1}{q}}\right)^{d_{k-1}}{\pmod {p}}\quad \quad d_{k-1}\in \{1,2,\ldots ,q-1\}}$

Now we know ${\displaystyle x}$ mod ${\displaystyle q^{r}}$.

Repeat this process for all prime factors ${\displaystyle {q_{i}}^{r_{i}}}$ dividing ${\displaystyle p-1}$, and then combine them with the Chinese remainder theorem.