In [1]:
from math116 import factor, crt
from random import randint

<br>
<br>
<br>
<br>
<br>

<br>
<br>
<br>
<br>
<br>


# A first example

Here we're working modulo $p = 3001$. So we can say that we're working in the field $\mathbb{F}_p$. Therefore in everything below, I'll just write $? = {}?$ instead of $? \equiv {}? \pmod{p}$. 

Our generator $g$ is a primitive root modulo $p = 3001$, so its order is exactly $p - 1 = 3000$. We'll call this order $n$ throughout this whole example. 

(The reason for writing $n$ here instead of $p-1$ is because the whole algorithm works for discrete logarithms with any base $g$, not just a primitive root. In other words, the order of $g$ in $F$ can be any number $n$, not just $1$ less than the size of the field $F$.) 

In [2]:
p = 3001
n = p - 1
factor(n)

Counter({2: 3, 5: 3, 3: 1})

In [3]:
# If you've written a function to find a primitive root, you can use the line below. 
# But for now, I'll just tell you that 14 is a primitive root modulo 3001. 
#g = find_primitive_root(p) 
g = 14
g

14

In [4]:
x = randint(1, n)
y = pow(g, x, p)
del x
y

2264

We know that $g^{\frac{n}{2}} = -1$ in $F$. So 
$$ y^{\frac{n}{2}} = (g^x)^{\frac{n}{2}} = (g^{\frac{n}{2}})^x = (-1)^x = \pm 1 $$

So the following computation will come out to $1$ or $3000$ (which is equal to $-1$ in $F$). If it's $1$, then we know $x$ is even, and if it's $3000$, we know $x$ is odd. In other words, if we write $x$ in base $2$, like 
$$ x = a_0 + a_1 \cdot 2 + a_2 \cdot 2^2 + a_3 \cdot 2^3 + a_4 \cdot 2^4 + \dots $$
then this tells us $a_0$. 

In [5]:
pow(y, n // 2, p) # Remember to use the integer division operator // !!!

3000

So far, from the previous step, we know $a_0$. That is, we know $x \equiv a_0 \pmod{2}$. 

In the first line below, replace the $-1$ with $-a_0$. 

In [6]:
y1 = (y * pow(g, -1, p)) % p # You may need to change the -1 here

# Again, the next line will give us 1 or 3000 ( == -1 mod p)
# If it's 1, a1 = 0, if it's 3000, a1 = 1
pow(y1, n // 4, p)

1

So far, from the previous *two* steps, we know $a_0$ and $a_1$. That is, we know $x \equiv a_0 + a_1 \cdot 2 \pmod{4}$. 

In the first line below, replace the $-3$ with $-(a_0 + a_1 \cdot 2)$. 

In [7]:
y2 = (y * pow(g, -3, p)) % p # You may need to change the -3 here

# Again, the next line will give us 1 or 3000 ( == -1 mod p)
# If it's 1, a2 = 0, if it's 3000, a2 = 1
pow(y2, n // 8, p)

1648

You should now know $a_0$, $a_1$, and $a_2$, so you know $x \equiv a_0 + a_1 \cdot 2 + a_2 \cdot 4 \pmod{8}$. 

Since $2^3 \mid n$, and that's the largest power of $2$ that divides $n$, this is as far as we can hope to go with powers of $2$. (Note that we just did $y_2^{\frac{n}{8}}$. We couldn't do something like $y_3^{\frac{n}{16}}$, because $\frac{n}{16}$ isn't an integer!) 

So let's move on to the prime $3$, which also divides $n$. 

To start, we calculate $h = g^{\frac{n}{3}}$, and then compute all $3$ powers of $h$: 
$$ \{ h^0, h^1, h^2 \} $$
(We don't need to do any more than this, because we know $h^3 = g^n = 1 = h^0$, so after this the values will just wrap around and repeat.) 

In [8]:
h = pow(g, n // 3, p)
h

934

In [9]:
[pow(h, i, p) for i in range(3)]

[1, 934, 2066]

In [10]:
pow(y, n // 3, p)

934

The above two lines will tell you whether $x \equiv 0, 1, \text{ or } 2 \pmod{3}$. 

Since $3^2$ does not divide $n$, this is as far as we can go with the prime $3$. So we move on to the next prime in the factorization of $n$, which is $5$. 

Here, we have $5^3 \mid n$, so we can do three steps of this, just like we did with $2$ earlier. 

To start, we calculate $h = g^{\frac{n}{5}}$, and then compute all $5$ powers of $h$: 
$$ \{ h^0, h^1, h^2, h^3, h^4 \} $$
(As before, we don't need to do more, because after this the values will just wrap around and repeat.) 

In [11]:
h = pow(g, n // 5, p)
h

1998

In [12]:
[pow(h, i, p) for i in range(5)]

[1, 1998, 674, 2204, 1125]

In [13]:
pow(y, n // 5, p)

1

The above two lines will tell you whether $x \equiv 0, 1, 2, 3 \text{ or } 4 \pmod{5}$. 

In other words, if we write $x$ in base $5$, like 
$$ x = a_0 + a_1 \cdot 5 + a_2 \cdot 5^2 + a_3 \cdot 5^3 + a_4 \cdot 5^4 + \dots $$
then this tells us $a_0$. 

In the first line below, replace the $-1$ with $-a_0$. 

In [14]:
y1 = (y * pow(g, -1, p)) % p
pow(y1, n // 25, p)

1637

So far, from the previous *two* steps, we know $a_0$ and $a_1$. That is, we know $x \equiv a_0 + a_1 \cdot 5 \pmod{25}$. 

In the first line below, replace the $-21$ with $-(a_0 + a_1 \cdot 5)$. 

In [15]:
y2 = (y * pow(g, -21, p)) % p
pow(y2, n // 125, p)

320

Now, from the previous *three* steps, we know $a_0$, $a_1$, and $a_2$. That is, we know $x \equiv a_0 + a_1 \cdot 5 + a_2 \cdot 25 \pmod{125}$. 

Now, combining our final results from all three primes, we have some congruences of the form 
$$ \begin{cases} x \equiv ? \pmod{8} \\ x \equiv ? \pmod{3} \\ x \equiv ? \pmod{125} \end{cases} $$
Use the Chinese Remainder Theorem to solve this, and find $x$!!! 

In [16]:
crt([3, 2, 46], [8, 3, 125])

(2171, 3000)

In [17]:
pow(g, 2171, p) == y

False

<br>
<br>
<br>
<br>
<br>

<br>
<br>
<br>
<br>
<br>

# A much bigger example

If you want a programming challenge, see if you can code up the whole Pohlig–Hellman algorithm into a Python function. You can use the `factor` function in the `math116.py` module for the factorization, and of course the `crt` function for the Chinese Remainder Theorem. Or write your own versions of those, if you want! Overall, it's a somewhat complicated algorithm, but it's possible to code it up into only about 12-15 lines, excluding the code for those two functions (`factor` and `crt`). 

In [18]:
p = 9619207468653175616759436902665163751180382507782917509520588830058222330474585636366562773782928141958216061564951460490000000000001
p

9619207468653175616759436902665163751180382507782917509520588830058222330474585636366562773782928141958216061564951460490000000000001

In [19]:
factor(p - 1)

Counter({3: 17,
         2: 13,
         5: 13,
         7: 13,
         11: 9,
         13: 8,
         19: 3,
         23: 2,
         3541: 2,
         17: 1,
         383: 1,
         877: 1,
         1013: 1,
         2347: 1,
         3079: 1,
         3163: 1,
         3631: 1,
         3797: 1,
         3877: 1,
         4507: 1,
         5689: 1,
         6073: 1,
         6133: 1,
         6163: 1,
         6199: 1,
         6379: 1,
         6733: 1,
         8053: 1,
         9851: 1})

In [20]:
# g = find_primitive_root(p)
g = 41 # This is a primitive root modulo p
g

41

In [21]:
y = pow(g, randint(p // 10, p - 1), p)
y

6308014813266195218738389462809295677566031527021904881328710254007888226772719990687055547481896175554374271917342091978164710744915

In [22]:
# This will probably take millions of years to produce a result, if not longer. 
m = 1
for i in range(p - 1):
    if m == y:
        break
    m = (m * g) % p


KeyboardInterrupt: 

In [23]:
i

96685724

In [None]:
# You'll have to code this yourself! 
x = pohlig_hellman(g, y, p)
x

In [None]:
# If you did it right, this should return True! 
pow(g, x, p) == y