# >Basic Fact

If $p$ is a prime number, and if $\alpha$ a primitive root $(\!\!\!\mod p)$, then

$\alpha^n \equiv \alpha^m (\!\!\!\mod p) \iff n \equiv m (\!\!\!\mod p-1)$

This will assure that there is a unique solution $(\!\!\!\mod p-1)$ to the equation

$\alpha^x \equiv \beta (\!\!\!\mod p)$

We call that unique soluiton, $L_\alpha(\beta)$, the discrete log base $\alpha$ of $\beta$ $\!\!\!\mod p$.

NOTE: That $\alpha$ is a primitive root assures there is a solution.  It is essential Fermat's theorem that assures the soluiton is unique.

###### Pohlig-Hellman, 7.2.1 page 203 ff

Pohlig-Hellman is an algorithm that works to find discrete logarithms when $p-1$ is a product of small primes.

('Small' is defined by the power of your computional machinery to compute discrete logs.

>>Set up

We are solving for $\alpha^x \equiv \beta (\!\!\!\mod p)$.
where $p-1={q_0}^{r_0} \cdot {q_1}^{r_1} \cdot {q_2}^{r_2} \cdot {q_3}^{r_3} \cdots$

There are three loops:

Outside loop: we find $L_{\alpha}(\beta) (\!\!\!\mod q^r)$.  Once done the Chinese remainder thoerem gives  $L_{\alpha}(\beta) (\!\!\!\mod p-1)$ 

For each $q$, we represent $x = x_0 + x_1 \cdot q + x_2 \cdot q^2 + \cdots $, where $0 \le x_i < q$ 

The innermost loop finds $x_0, x_1, x_2, \cdots x_{r-1}$  This is gives $L_{\alpha}(\beta) (\!\!\!\mod q^r)$


In [2]:
from matmod import *
from cypari.gen import pari as pari


In [3]:
p =pari(601)
phi = p-1
phi.factor()

[2, 3; 3, 1; 5, 2]

For a given $q^r$:  First find $x_0$

We know $x \equiv x_0(\!\!\!\mod q) \implies x\cdot{\frac{p-1}{q}} \equiv {x_0}\cdot{\frac{p-1}{q}} (\!\!\!\mod p-1)$

and, so by the BASIC FACT, $\alpha^{x\cdot{\frac{p-1}{q}}} \equiv \alpha^{{x_0}\cdot{\frac{p-1}{q}}} (\!\!\!\mod p)$

of course, $\alpha^x$ is $\beta$, so we solve (the shorter log problem) for $x_0$: $\beta^{\frac{p-1}{q}} \equiv \alpha^{{x_0}\cdot{\frac{p-1}{q}}} (\!\!\!\mod p)$  NOTE: just check $x_0 = 0, 1, \cdots q-1$

In [48]:
q = 3

In [47]:
beta = 412 |mod| p
lhs = beta**(200)
lhs

(576 mod 601)

In [49]:
alpha = 7 |mod| 601
rhs = [ alpha**(x0*200) for x0 in range(3) ]
rhs

[(1 mod 601), (576 mod 601), (24 mod 601)]

In [41]:
x0 = 1

For the next and subsequent steps, find $x_1$

We know $\frac{x - x_0}{q} \equiv x_1(\!\!\!\mod q) \implies \frac{x - x_0}{q} \cdot{\frac{p-1}{q}} \equiv {x_1}\cdot{\frac{p-1}{q}} (\!\!\!\mod p-1)$

and, so by the BASIC FACT, $\alpha^{(x - x_0) \cdot{\frac{p-1}{q^2}}} \equiv \alpha^{{x_1}\cdot{\frac{p-1}{q}}} (\!\!\!\mod p)$

of course, $\alpha^{(x - x_0)} $ is $\beta_1 = \beta \cdot \alpha^{-x_0}$, so we solve (the shorter log problem) for $x_1$: $\beta_1^{\frac{p-1}{q^2}} \equiv \alpha^{{x_1}\cdot{\frac{p-1}{q}}} (\!\!\!\mod p)$  NOTE: just check $x_1 = 0, 1, \cdots q-1$

NOTE: similarity to previous step.

In [42]:
beta1 = beta*alpha**(-x0)
lhs = beta1**(24)
lhs

(432 mod 601)

In [43]:
rhs = [ alpha**(x1*120) for x1 in range(5)]
rhs

[(1 mod 601), (423 mod 601), (432 mod 601), (32 mod 601), (314 mod 601)]

In [45]:
x1 = 2
x = x0+x1*5 |mod| 25

In [46]:
x

(13 mod 25)

Next step: $\beta_2 = \beta_1 \cdot \alpha^{-x_1\cdot  q}$

In [25]:
beta2 = beta1*alpha**(-x1*q)
lhs = beta2**(75)
lhs

(600 mod 601)

In [26]:
rhs = [ alpha**(x2*300) for x2 in range(2)]
rhs

[(1 mod 601), (600 mod 601)]

In [27]:
x2 = 1
x = x0 + x1*q + x2*q**2 |mod| 2**3

In [28]:
x

(5 mod 8)

In [82]:
A = 5 |mod| 8

In [84]:
B = 3 |mod| 5

In [None]:
z2 = 

In [None]:
x, z2

In [85]:
chinese(A,B)

(13 mod 40)

In [86]:
a**13

(12 mod 41)