
I have done some research about how the DH key exchange is unsafe if an unsafe prime $p$ is used (that is, $p-1$ has a lot of small factors). Many answers here on StackExchange claim that for any factor $r$ where $g^{\frac{p-1}{r}}\neq1$, if given $g$ and $g^x \bmod p$, one can determine the value of $x \bmod r$ in $O(\sqrt{r})$ time (see this and this answer).

The latter of the two answers even includes an outline of a way to do this. However, this requires $A^{\frac{p-1}{r}}$, with $A$ being the public key, to be calculated. For a large $A$ and $p$ (say 4096 bits for both) and a small $r$ (8 bits or less), this does not seem computationally possible to me. Therefore, I was wondering how one would write a solution to this problem which is possible to execute with finite time and memory.

fgrieu
Lukor

1 Answer

For a large $A$ and $p$ (say 4096 bits for both) and a small $r$ (8 bits or less), for me this does not seem to be computationally possible.

Actually, it's straightforward to compute $A^{\frac{p-1}{r}} \bmod p$; one straightforward way is to use the binary exponentiation algorithm.

If $\frac{p-1}{r} < 2^n$, then this will take no more than $2n$ modular multiplications (and so, in your example, fewer than 8184 modular multiplications); one could do somewhat better, but this is good enough to show that it is practical.

Note: you use those same algorithms to make the computations within DH (computing $g^x \bmod p$ for large $x$) feasible.


Note on the notation (which might be what is confusing you): sometimes, we leave off the $\bmod p$; at those times, we assume that the reader will understand that we are not working in $\mathbb{Z}$, but instead in the field $\mathbb{Z}/p$, and hence the $\bmod p$ operations are implicit. This is similar to how, in other branches of math, you are assumed to know whether we're working in $\mathbb{Z}$ or $\mathbb{R}$ or $\mathbb{C}$...

Geoffroy Couteau
poncho
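The computation the answer describes, as an added worked example (this is not code from the question or the answer, and the group it uses is constructed): a square-and-multiply `modpow` that counts its modular multiplications, a cost check for a 4096-bit modulus and an 8-bit $r$, and then the full attack from the question, where $A^{\frac{p-1}{r}}$ and $g^{\frac{p-1}{r}}$ are dropped into the subgroup of order $r$ and $x \bmod r$ is read off with baby-step giant-step in $O(\sqrt{r})$. It goes one step beyond the single $r$ of the question by combining the residues for several small primes with the CRT (the usual Pohlig-Hellman step). The "unsafe" prime is deliberately tiny so that the whole run finishes instantly; the 4096-bit modulus in `mult_count_4096` is a made-up odd number, since only the cost of the exponentiation is being measured there, not primality.

```python
# Added example, not code from the question or the answer above.
# The prime p and the secret x are constructed for illustration only.
from math import isqrt


def modpow(base, exp, mod):
    """Left-to-right binary exponentiation (square-and-multiply).

    Returns (base**exp % mod, number_of_modular_multiplications).
    The count never exceeds 2 * exp.bit_length(), the bound quoted in the answer.
    """
    result, count = 1, 0
    base %= mod
    for bit in bin(exp)[2:]:
        result = result * result % mod      # square for every bit
        count += 1
        if bit == "1":
            result = result * base % mod    # multiply only for 1 bits
            count += 1
    return result, count


def mult_count_4096(r_bits=8):
    """Multiplications needed for A^((n-1)/r) mod n, 4096-bit n, 8-bit r.

    n is a constructed odd 4096-bit number (assumption: primality does not
    affect the cost, so no real safe/unsafe prime is needed here).
    """
    n = (1 << 4095) | 0xC0FFEE | 1
    r = (1 << r_bits) - 1
    e = (n - 1) // r
    _, count = modpow(n // 3, e, n)
    return count


def is_prime(n):
    """Trial division; adequate for the small numbers used in this example."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def make_unsafe_prime(small_primes):
    """Smallest prime p such that p - 1 is divisible by every given small prime."""
    m = 1
    for q in small_primes:
        m *= q
    k = 1
    while not is_prime(k * m + 1):
        k += 1
    return k * m + 1


def find_base(p, small_primes):
    """Smallest g > 1 with g^((p-1)/r) != 1 for every r: the condition from the question."""
    for g in range(2, p):
        if all(modpow(g, (p - 1) // r, p)[0] != 1 for r in small_primes):
            return g
    raise ValueError("no suitable base")


def bsgs(h, g, r, p):
    """Baby-step giant-step: x in [0, r) with g^x = h (mod p), g of prime order r.

    O(sqrt(r)) multiplications and O(sqrt(r)) table entries.
    """
    m = isqrt(r) + 1
    baby, cur = {}, 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(cur, -1, p)      # cur == g^m here, so giant == g^(-m)
    cur = h
    for i in range(m):
        if cur in baby:
            return (i * m + baby[cur]) % r
        cur = cur * giant % p
    raise ValueError("h is not in the subgroup generated by g")


def leak_x_mod_r(g, A, p, r):
    """Given A = g^x mod p and a prime r | p-1 with g^((p-1)/r) != 1, return x mod r.

    Raising g and A to (p-1)/r moves both into the subgroup of order r, where
    the discrete log is cheap; the exponentiation itself is just modpow.
    """
    e = (p - 1) // r
    g_r, _ = modpow(g, e, p)
    if g_r == 1:
        raise ValueError("g^((p-1)/r) == 1: this r leaks nothing")
    A_r, _ = modpow(A, e, p)
    return bsgs(A_r, g_r, r, p)


def crt(residues, moduli):
    """Combine x = a_i (mod m_i), pairwise coprime m_i, into x mod prod(m_i)."""
    x, M = 0, 1
    for a, m in zip(residues, moduli):
        x += M * (((a - x) * pow(M, -1, m)) % m)
        M *= m
    return x % M, M


def recover_secret(x, small_primes=(2, 3, 5, 7, 11, 13)):
    """End to end: build the weak group, publish A = g^x, recover x mod prod(r).

    Returns (recovered, M, p); the caller can check recovered == x % M.
    """
    p = make_unsafe_prime(small_primes)
    g = find_base(p, small_primes)
    A, _ = modpow(g, x, p)
    residues = [leak_x_mod_r(g, A, p, r) for r in small_primes]
    recovered, M = crt(residues, list(small_primes))
    return recovered, M, p
```

`mult_count_4096()` is the answer's bound made concrete: with a 4096-bit modulus and an 8-bit $r$ the exponent has about 4089 bits, so the loop performs at most twice that many modular multiplications, each on 4096-bit operands, which is routine work. `bsgs` assumes $r$ is prime so that $g^{\frac{p-1}{r}} \neq 1$ implies the reduced base has order exactly $r$; for a composite $r$ the reduced base may have a smaller order and the residue it returns is only correct modulo that order.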