Been reading about Pohlig Hellman algo to solve DLP. But can't seem to get an example based on the following:
So if modulus, n is composite (i.e. non-prime) and the base is NOT a generator of Zn. Will PH algo still work and if so, why?
Asked
Active
Viewed 59 times
1 Answers
1
So if modulus, n is composite (i.e. non-prime) and the base is NOT a generator of Zn.
Actually, if $n$ is has two distinct odd primes as factors, there will never be a generator; that is, there will never be a value $g$ where $g^x \bmod n$ takes on all values in $\mathbb{Z}_n^*$
Will PH algo still work and if so, why?
If you know the factorization of $n$, well, you can solve the DLP with respect to all the prime-power factors of $n$, and then use CRT to combine them. Of course, you might be able to use PH to solve the DLP with respect to the prime-power factors.
Now, you could attempt to use PH to attack the problem modulo $n$ directly; however, that would be strictly harder, and so there appears to be little reason to use that strategy.
On the other hand, if you don't know the factorization of $n$, well, you're out of luck. PH needs to know the order of the group, and if you don't know the factorization of $n$, you don't know that.
In addition, an oracle that solves the DLP modulo a composite allows you to factor the modulus. Hence, in this case, the most direct way to solve the DLP would be to factor $n$ first (and then use the above method).
poncho
- 147,019
- 11
- 229
- 360
-
Thanks poncho! I had the impression that g needed to cover all values in Zn for the algo to work. So suppose n=9821 (composite) And we can factor n as pxqxr=72361 And the "generator", g chosen is 20. So if we need to solve for x such that g^x mod (n) = 3303, would PH be useful and work in this case? – clueless Feb 28 '18 at 04:01