# Discret Logarithm Problem
Given $p$ a large prime, and $\langle g\rangle=(\mathbb{Z}/p\mathbb{Z})^*$ un générateur, for any $y\in\mathbb{Z}/p\mathbb{Z}$, find $x$ such that $y=g^x\pmod{p}$. We call $x$ the logarithm of $y$ in base $g$, written $x=\log_g(y)$.

## Polhig-Hellman
We suppose that we already know the decomposition of $p$, with a website such as dCode.

In [1]:
import gmpy2
from gmpy2 import mpz, powmod, gcd, invert

#The inputs of the challenge
p = 7863166752583943287208453249445887802885958578827520225154826621191353388988908983484279021978114049838254701703424499688950361788140197906625796305008451719
y = 6289736695712027841545587266292164172813699099085672937550442102159309081155467550411414088175729823598108452032137447608687929628597035278365152781494883808
g = 2862392356922936880157505726961027620297475166595443090826668842052108260396755078180089295033677131286733784955854335672518017968622162153227778875458650593

#The factorisation of (p-1)
factors = [(2,1), (131, 5), (173, 1), (181, 5), (347, 5), (353, 5), (379, 5), (461, 2), (487, 2), (491, 2), (547, 5), (727, 2), (751, 3), (769, 3), (887, 5), (907, 5), (911, 4)]

In [2]:
def discrete_logarithm(base, result, mod):
    # Baby-step Giant-step algorithm
    m = int(gmpy2.sqrt(mod) + 1)
    base = mpz(base)
    result = mpz(result)
    mod = mpz(mod)

    # Precomputation: base^j mod p for j in [0, m)
    value = {}
    current = mpz(1)
    print(f"Précalcul: base^j mod {mod} pour j dans [0, {m})")
    for j in range(m):
        value[current] = j
        current = (current * base) % mod

    # Compute base^(-m) mod p
    try:
        base_m = invert(pow(base, m, mod), mod)  # Inverse de base^m mod p
    except ZeroDivisionError:
        print(f"L'inverse de base^m mod {mod} n'existe pas.")
        return None

    current = result
    for i in range(m):
        if current in value:
            return i * m + value[current]
        current = (current * base_m) % mod

    return None


def pohlig_hellman_prime_power(y,g,p,e):
    print(f"y: {y}, g: {g}, p: {p}, e: {e}")
    #try to solve DLP y=g^x mod p^e
    order = p**e
    print(order)
    xk = 0
    pe_k = order//p #p^{e-1}, and p^{e-1-k} after
    gamma = powmod(g,pe_k,order) #element of order p, thanks to Lagrange
    for k in range(e):
        g_xk = powmod(g, -xk, order)
        yk = powmod(g_xk*y,pe_k, order) #this element divide p
        print(f"Compute x such as {yk}={gamma}^x mod {order}")
        dk = discrete_logarithm(yk, gamma, order)
        if dk == None:
            print(f"{yk}={gamma}^x mod {order} doesn't exist")
        xk += dk*p**k
    return xk

def pohlig_hellman_general(y, g, p, factors):
    moduli = []
    remainders = []

    for q, e in factors:
        if q==2:
            x_qe = ph_q_2(y, g, p, e)
            q_e = q**e
        else:
            q_e = q**e
            subgroup_order = (p-1) // q_e
            g_qe = powmod(g, subgroup_order, p)
            y_qe = powmod(y, subgroup_order, p)

            #Solve DLP modulo q^e
            x_qe = pohlig_hellman_prime_power(y_qe,g_qe,q,e)
        if x_qe is not None:
            moduli.append(q_e)
            remainders.append(x_qe)
        else:
            print(f"Error.")
    
    #CRT final computation
    if moduli and remainders:
        x = crt(remainders, moduli)
        return x
    else:
        print("No solutions founded.")
        return None

def ph_q_2(y, g, p, e):
    x = 0
    g_inv = invert(g, p)

    for i in range(e):
        y_i = (y * powmod(g_inv, x, p)) % p
        y_i = powmod(y_i, (p - 1) // (2 ** (i + 1)), p)
        g_i = powmod(g, (p - 1) // (2 ** (i + 1)), p)
        if y_i == 1:
            x_i = 0
        else:
            x_i = 1
        x += x_i * (2 ** i)
    return x


def crt(a, n):
    total = 0
    prod = 1
    for ni in n:
        prod *= ni
    for ai, ni in zip(a, n):
        p = prod // ni
        try:
            total += ai * invmod(p, ni) * p
        except ZeroDivisionError:
            print(f"Inversion error for p = {p} et ni = {ni}.")
            continue
    return total % prod

def invmod(a, b):
    #Extended euclidian
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b != 0:
        q = a // b
        a, b = b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return x0
    

In [3]:
x = pohlig_hellman_general(y,g,p,factors)
x

NameError: name 'pohlig_hellman_general' is not defined

In [None]:
##Verification##
powmod(g,x,p)==y