The Pohlig-Hellman Algorithm

D. R. Stinson

We provide here a bit of further explanation concerning the workings of

the Pohlig-Hellman algorithm. We use the same notation as in the text: p is
prime,  is a primitive element in Zp , and  2 Zp  . Our goal is to determine
a = log  , where, without loss of generality, 0  a  p 2.
The prime power factorization of p 1 is
p 1 = p1 c p2 c : : : pk ck ;
where the pi 's are distinct primes. The main step is to compute a mod pi ci ,
1  i  k. So suppose that q = pi and c = ci for some i, 1  i  k. We will
show how to compute x = a mod qc.
First, x is expressed as
cX1
x = ai q i ;
1

i=0

where 0  ai  q 1 (0  i  c 1). From this it follows that

a = a0 + a1 q + : : : + ac 1 qc 1 + sqc;
for some integer s.
The computation of a0 follows from the fact that
p

a0 (p
q

1)

mod p:
(1)
Here is a proof of Equation (1) that is simpler than the one given in the
text:
p
p
 q  (a ) q mod p


 a


a q :::+ac 1 qc

0+ 1 +

p

sqc

1+

pq 1

mod p

 a Kq q mod p (where K is an integer)

a p
  q K p mod p
a p
  q mod p:
0+

0(

1)

0(

1)

1)

From this, it is a simple matter to determine a0 .

The next step would be to compute a1 ; : : : ; ac 1 (if c > 1). These computations can be done from a suitable generalization of Equation (1).
First, dene 0 =  , and
j = 

a q :::+aj 1 qj

( 0+ 1 +

1)

mod p;

for 0  j  c 1. We make use of the following generalization of Equation

(1):
aj p
p
(2)
(j ) qj   q mod p:
(Observe that when j = 0, Equation (2) reduces to Equation (1).)
The proof of Equation (2) is much the same as that of Equation (1):
(

1
+1

(j )

p 1
qj +1




(a +a q+:::+aj
0

 aj qj

 aj qj

aj (p

1)

:::+ac 1 qc

Kj qj +1

sqc

 pj +11
q

qj

1)

)  qj mod p
p

 pj +11
q

mod p

1
+1

mod p
(where Kj is an integer)

  q Kj p mod p
aj p
  q mod p:
(

1)

1)

Hence, given j , it is straightforward to compute aj from Equation (2).

To complete the description of the algorithm, it suces to observe that
j +1 can be computed from j by means of a simple recurence relation, once
aj is known. This follows from the following relation, which is proved easily:
j +1 = j 

aj qj

mod p:

Now, we can compute a0 , 1 , a1 , 2 , : : : , c 1 , ac

applying Equations (2) and (3).

(3)
1

by alternately