Wikipedia

Pohlig–Hellman algorithm: Difference between revisions

Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
J.Dong820 (talk | contribs)
266 edits
No edit summary
Exponents are reduced mod p_1, elements of the ring are reduced mod p
Line 11:
:#Determine the prime factorization of the order of the group : <br><center><math>\varphi(p)= p_1\cdot p_2 \cdots p_n</math></center> (All the ''p''<sub>''i''</sub> are considered small since the group order is smooth.)
:#From the [[Chinese remainder theorem]] it will be sufficient to determine the values of ''x'' modulo each prime power dividing the group order. Suppose for illustration that ''p''<sub>1</sub> divides this order but ''p''<sub>1</sub><sup>2</sup> does not. Then we need to determine ''x'' mod ''p''<sub>1</sub>, that is, we need to know the ending coefficient ''b''<sub>1</sub> in the base-''p<sub>1</sub>'' expansion of ''x'', i.e. in the expansion ''x'' = ''a''<sub>1</sub> ''p''<sub>1</sub> + ''b''<sub>1</sub>. We can find the value of ''b<sub>1</sub>'' by examining all the possible values between 0 and ''p''<sub>1</sub>-1. (We may also use a faster algorithm such as [[baby-step giant-step]] when the order of the group is prime.<ref name="Menezes97p109">[[#Menezes97|Menezes, et. al 1997]], pg. 109</ref>) The key behind the examination is that:<br> <center><math>
\begin{align}e^{\varphi(p)/p_1} & \equiv (g^x)^{\varphi(p)/p_1} \pmod{p_1p} \\
& \equiv (g^{\varphi(p)})^{a_1}g^{b_1\varphi(p)/p_1} \pmod{p_1p} \\
& \equiv (g^{\varphi(p)/p_1})^{b_1} \pmod{p_1p}
\end{align}
</math></center><br> (using [[Euler's theorem]]). With everything else now known, we may try each value of ''b''<sub>1</sub> to see which makes the equation be true. If <math>g^{\varphi(p)/p_1} \not\equiv 1 \pmod{p_1p}</math>, then there is exactly one ''b''<sub>1</sub>, and that ''b''<sub>1</sub> is the value of ''x'' modulo ''p''<sub>1</sub>. (An exception arises if <math>g^{\varphi(p)/p_1} \equiv 1 \pmod{p_1p}</math> since then the order of ''g'' is less than φ(''p''). The conclusion in this case depends on the value of <math>e^{\varphi(p)/p_1} \mod p_1p</math> on the left: if this quantity is not 1, then no solution ''x'' exists; if instead this quantity is also equal to 1, there will be more than one solution for ''x'' less than φ(''p''), but since we are attempting to return only one solution ''x'', we may use ''b''<sub>1</sub>=0.)
:#The same operation is now performed for ''p''<sub>2</sub> through ''p<sub>n</sub>''.<br>A minor modification is needed where a prime number is repeated. Suppose we are seeing ''p<sub>i</sub>'' for the (''k''&nbsp;+&nbsp;1)st time. Then we already know ''c<sub>i</sub>'' in the equation ''x'' = ''a''<sub>''i''</sub> ''p''<sub>''i''</sub><sup>''k''+1</sup> + ''b''<sub>''i''</sub> ''p''<sub>''i''</sub><sup>''k''</sup> + ''c''<sub>''i''</sub>, and we find either ''b''<sub>''i''</sub> or ''c''<sub>''i''</sub> the same way as before, depending on whether <math>g^{\varphi(p)/p_i} \equiv 1 \pmod{p_ip}</math>.
:# With all the ''b''<sub>''i''</sub> known, we have enough simultaneous [[congruence relation|congruence]]s to determine ''x'' using the [[Chinese remainder theorem]].
 
Retrieved from "https://en.wikipedia.org/wiki/Pohlig–Hellman_algorithm"