
Proceedings of the 3rd International Conference on Computing Innovation and Applied Physics

DOI: 10.54254/2753-8818/13/20240801

Discrete logarithms and primitive roots: Algorithms,


properties, and typical solution methods

Junchi Yang
University of Waterloo, Ontario, Waterloo, Canada

j647yang@uwaterloo.ca

Abstract. In mathematics, the logarithm $\log_a b$, where $a \in (0,1) \cup (1,\infty)$ and $b > 0$, is defined as the real number $x$ such that $a^x = b$. In number theory, a similar concept called the discrete logarithm can be defined as follows: for a given positive integer $m$ ($m \ge 2$), let $a \in N^+$ with $(a, m) = 1$ and let $r$ be a primitive root of $m$; then $x = \mathrm{ind}_r a$ if $r^x \equiv a \pmod m$. Here $x$ is the discrete logarithm. The Discrete Logarithm Problem, a famous problem in number theory, is formulated as follows: for a positive integer $b$, a prime number $p$ and a primitive root $a$ of $p$, find the exact value of $i$ such that $a^i \equiv b \pmod p$; in other words, find the exact value of $\mathrm{ind}_a b$. The goal of this research is to give several solutions to the Discrete Logarithm Problem. Firstly, the background concepts of order and primitive root are introduced together with proofs of some foundational results about them; then this essay gives two methods that solve the Discrete Logarithm Problem, Shanks' Babystep-Giantstep Algorithm and the Pohlig-Hellman Discrete Logarithm Algorithm.

Keywords: Discrete Logarithm, The Discrete Logarithm Problem, Order, Primitive Root.

1. Introduction
In cryptographic circles, the discrete logarithm remains a topic of intrigue. Although the discrete logarithm can be computed in specific scenarios, finding efficient solutions for the general case remains a formidable challenge. Notably, some algorithms tackle this problem and hold paramount significance in public-key cryptography, exemplified by systems like ElGamal [1]. This research endeavors to illuminate the intricacies of Shanks' Babystep-Giantstep Algorithm and the Pohlig-Hellman Discrete Logarithm Algorithm. Both stand as robust solutions to the Discrete Logarithm Problem. To lay a foundation, it is imperative first to delve into fundamental concepts such as order and primitive root. By understanding these, one can better appreciate their applications to the focal problem. The crux of this study revolves around the operational mechanics of these two algorithms, exploring their methodologies for solving the Discrete Logarithm Problem and discerning their connections to foundational tenets of elementary number theory.

© 2023 The Authors. This is an open access article distributed under the terms of the Creative Commons Attribution License 4.0
(https://creativecommons.org/licenses/by/4.0/).


2. Foundational Theories of Orders and Primitive Roots

2.1. Order
Definition 1: Let $m \in N^+$ and $a \in N^+$ with $(a, m) = 1$. The order (or multiplicative order) of $a$ modulo $m$ is the smallest positive integer $r$ satisfying $a^r \equiv 1 \pmod m$ [2].
The order of $a$ modulo $m$ is usually written as $\delta_m(a)$ or $\mathrm{ord}_m(a)$ [3]. The order always exists because of Euler's Theorem: let $m \in N^+$ and $a \in N^+$ with $(a, m) = 1$; then $a^{\varphi(m)} \equiv 1 \pmod m$ [4].
Euler's Theorem is basic, so its proof is skipped here. Euler's Theorem says that for $m \in N^+$ and $a \in N^+$ with $(a, m) = 1$, the set $\{r \in N^+ \mid a^r \equiv 1 \pmod m\}$ is not empty, so by the Well-Ordering Principle this set has a smallest element, which is the (multiplicative) order.
Proposition 1: Let $m \in N^+$, $a \in N^+$ with $(a, m) = 1$, and $k \in N^+$. Then $a^k \equiv 1 \pmod m$ if and only if $\delta_m(a) \mid k$ [5].
Proof: Suppose $a^k \equiv 1 \pmod m$ and let $r = \delta_m(a)$, so that $a^r \equiv 1 \pmod m$.
By the Division Algorithm, there exist integers $q \ge 0$ and $t$ with $0 \le t \le r - 1$ such that $k = qr + t$.
This means $t = k - qr$.
Also, notice that $a^{qr} = (a^r)^q \equiv 1 \pmod m$.
Thus, $a^t = a^{k-qr} \equiv a^{k-qr} a^{qr} = a^k \equiv 1 \pmod m$.
But $r$ is the smallest positive integer satisfying $a^r \equiv 1 \pmod m$ and $t < r$, so $t = 0$.
So $k = qr$, which means $r \mid k$.
Therefore, $\delta_m(a) \mid k$.
On the other hand, if $\delta_m(a) \mid k$, that is $r \mid k$, then there exists $l \in N^+$ such that $k = lr$.
Since $a^r \equiv 1 \pmod m$, $a^k = a^{lr} = (a^r)^l \equiv 1 \pmod m$.
Hence, $a^k \equiv 1 \pmod m$ if and only if $\delta_m(a) \mid k$.
By Proposition 1 and Euler's Theorem, the following result is obtained easily:
Corollary 1: Let $m \in N^+$ and $a \in N^+$ with $(a, m) = 1$. Then $\delta_m(a) \mid \varphi(m)$.
Proof: By Euler's Theorem, $a^{\varphi(m)} \equiv 1 \pmod m$.
Applying Proposition 1 with $k = \varphi(m)$ gives $\delta_m(a) \mid \varphi(m)$.
So Corollary 1 holds.
Next, another important result about (multiplicative) order will be introduced.
Proposition 2: Let $m \in N^+$ and $a \in N^+$ with $(a, m) = 1$. Then $a, a^2, \ldots, a^r$ are distinct modulo $m$, where $r = \delta_m(a)$ [6].
Proof: Suppose there exist $1 \le i < j \le r$ such that $a^i \equiv a^j \pmod m$. Then $a^i (a^{j-i} - 1) \equiv 0 \pmod m$.
This means $m \mid a^i (a^{j-i} - 1)$.
Since $(a, m) = 1$, $(a^i, m) = 1$.
Thus, $m \mid a^{j-i} - 1$, which means $a^{j-i} \equiv 1 \pmod m$.
Hence, $r \mid j - i$, so $j - i \ge r$.
But $1 \le i < j \le r$ says $j - i < r$, which is a contradiction.
Hence, $a, a^2, \ldots, a^r$ are distinct modulo $m$.
Proposition 2: Let $m \in N^+$ and $a \in N^+$ with $(a, m) = 1$, and let $\delta_m(a) = r$. Then $\delta_m(a^n) = \dfrac{r}{(r, n)}$ for $n \in N^+$ [7].
Proof: Let $\delta_m(a^n) = l$. Then $a^{nl} \equiv 1 \pmod m$.
By Proposition 1, $r \mid ln$, so there exists $q \in N^+$ such that $nl = rq$.
Thus, $\dfrac{ln}{(r, n)} = \dfrac{r}{(r, n)}\, q$.
So $\dfrac{r}{(r, n)} \;\Big|\; \dfrac{ln}{(r, n)}$.
Notice that $\left(\dfrac{r}{(r, n)}, \dfrac{n}{(r, n)}\right) = 1$.
Hence, $\dfrac{r}{(r, n)} \;\Big|\; l \cdot \dfrac{n}{(r, n)}$ implies $\dfrac{r}{(r, n)} \;\Big|\; l$.
On the other hand, notice that $(a^n)^{\frac{r}{(r, n)}} = (a^r)^{\frac{n}{(r, n)}} \equiv 1 \pmod m$.
By Proposition 1, $l \;\Big|\; \dfrac{r}{(r, n)}$.
Therefore, $l = \dfrac{r}{(r, n)}$.
Hence, $\delta_m(a^n) = \dfrac{r}{(r, n)}$.

2.2. Primitive root


Definition 2: Let $m \in N^+$ ($m \ge 2$). A primitive root mod $m$ is an integer $g$ such that $(g, m) = 1$ and $\delta_m(g) = \varphi(m)$ [8].
By Definition 2 and Proposition 2, the following corollary is immediate.
Corollary 2: Let $m \in N^+$ ($m \ge 2$) and let $a$ be a primitive root of $m$. Then the list $a, a^2, \ldots, a^{\varphi(m)}$ picks up every element of $Z_m^*$.
It is worth noting that Corollary 2 is also another version of the definition of a primitive root [7].
The most important result about primitive root is the Primitive Root Theorem.
Theorem 1 (Primitive Root Theorem): Let $p$ be a prime number. Then $Z_p^*$ has a primitive root.
Proof: [Lemma]: Let $p$ be a prime number and $a, b \in Z_p^*$; denote $\delta_p(a) = k$ and $\delta_p(b) = l$. If $(k, l) = 1$, then $\delta_p(ab) = kl$.
[Proof of Lemma]: Let $\delta_p(ab) = r$.
Since $(ab)^{kl} = a^{kl} b^{kl} = (a^k)^l (b^l)^k \equiv 1 \pmod p$, by Proposition 1, $r \mid kl$.
The following is to prove $k \mid r$ and $l \mid r$.
Note that $(a^r)^k = a^{rk} = (a^k)^r \equiv 1 \pmod p$ and $(b^r)^l = b^{rl} = (b^l)^r \equiv 1 \pmod p$.
Also, notice that $(a^r)^l \equiv (a^r)^l (b^r)^l = ((ab)^r)^l \equiv 1 \pmod p$.
Thus, $k \mid rl$; combined with $(k, l) = 1$, this gives $k \mid r$.
Similarly, $l \mid r$.
Since $(k, l) = 1$, this leads to $kl \mid r$.
Hence, $kl = r$.
Therefore, $\delta_p(ab) = kl$.
[Back to the Primitive Root Theorem]: For any $a$ in $Z_p^*$, $(a, p) = 1$.
By Fermat's Little Theorem, $a^{p-1} \equiv 1 \pmod p$.
By Proposition 1, $\delta_p(a) \mid p - 1$.
If $\delta_p(a) = p - 1 = \varphi(p)$, then $a$ is a primitive root of $p$ and the Primitive Root Theorem holds.
If $\delta_p(a) < p - 1$, let $\delta_p(a) = k$; the main idea of the following part is to find some $b$ in $Z_p^*$ such that the order of $b$ modulo $p$ is greater than the order of $a$.
By Proposition 2 (or Corollary 2), the list $a, a^2, \ldots, a^k$ picks up all the roots of the polynomial $f(x) = x^k - 1$ in $Z_p^*$. Since $k < p - 1$, there exists $c$ in $Z_p^*$ that is not in the list above.
Let $\delta_p(c) = l$. If $l \mid k$, then $c^k \equiv 1 \pmod p$ and $c$ would be a root of $f$; thus $l$ does not divide $k$, since $c$ is not a root of $f$.
Consider the prime factorizations of $k$ and $l$. There must be a prime number $q$ that appears more often in $l$ than in $k$, in other words $v_q(l) > v_q(k)$, where $v_q(x)$ denotes the power of $q$ in the prime factorization of the positive integer $x$.
Let $k = q^d k_1$ and $l = q^e l_1$, where $0 \le d < e$ and neither $k_1$ nor $l_1$ contains the prime factor $q$.
Pick $b = a^{q^d} c^{l_1}$. By Proposition 2, $\delta_p(a^{q^d}) = \dfrac{k}{(k, q^d)} = \dfrac{k}{q^d} = k_1$ and $\delta_p(c^{l_1}) = \dfrac{l}{(l, l_1)} = \dfrac{l}{l_1} = q^e$.
Now, notice that $(k_1, q^e) = 1$.
By the Lemma, $\delta_p(b) = \delta_p(a^{q^d} c^{l_1}) = \delta_p(a^{q^d})\, \delta_p(c^{l_1}) = k_1 q^e > q^d k_1 = k = \delta_p(a)$.
Thus, an element $b$ in $Z_p^*$ with greater order than $a$ is found.
Following this way, new elements of $Z_p^*$ with strictly increasing order can be found until an element with order $p - 1$ is reached, and that element is a primitive root.
In general, $Z_p^*$ has a primitive root.
The Primitive Root Theorem tells that every prime number has its own primitive root, but many problems about primitive roots still cannot be solved by this theorem, although it is already an amazing result. Also, the Primitive Root Theorem explains why the assumption of the Discrete Logarithm Problem always holds, and this point will be discussed in a later section of this essay.
The following are several results about primitive roots, stated without proof since they do not have a close relation to the main topic of this research.
Theorem 2: Let $m \in N^+$ ($m \ge 2$). If $Z_m^*$ has primitive roots, then the number of primitive roots in $Z_m^*$ is $\varphi(\varphi(m))$ [8].
In particular, if $m = p$ is a prime number, then $\varphi(\varphi(m)) = \varphi(p - 1)$, so for any prime number $p$ the total number of primitive roots of $p$ is $\varphi(p - 1)$.
Theorem 3: Let $m \in N^+$ ($m \ge 2$). Then $Z_m^*$ has primitive roots if and only if $m \in \{2, 4, p^k, 2p^k \mid p \text{ is an odd prime and } k \in N^+\}$ [9].
This result describes the structure of the moduli $m$ that have primitive roots.
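As an added illustration (my own Python code, not part of the paper), the following computes orders and primitive roots directly from Definitions 1 and 2 and lets one check Proposition 2, Theorem 2 and Theorem 3 numerically for small moduli; the function names are my own.

```python
from math import gcd

def phi(m):
    """Euler's totient function, by trial-division factorization of m."""
    result, n, d = m, m, 2
    while d * d <= n:
        if n % d == 0:
            while n % d == 0:
                n //= d
            result -= result // d
        d += 1
    if n > 1:
        result -= result // n
    return result

def order(a, m):
    """Multiplicative order delta_m(a) (Definition 1); needs gcd(a, m) == 1.
    By Corollary 1 the order divides phi(m), so only divisors of phi(m) are tried."""
    if gcd(a, m) != 1:
        raise ValueError("a must be coprime to m")
    ph = phi(m)
    for r in range(1, ph + 1):
        if ph % r == 0 and pow(a, r, m) == 1:
            return r
    raise AssertionError("unreachable: Euler's theorem gives a^phi(m) = 1")

def primitive_roots(m):
    """All primitive roots modulo m (Definition 2): units with order phi(m)."""
    return [g for g in range(1, m) if gcd(g, m) == 1 and order(g, m) == phi(m)]

def theorem3_criterion(m):
    """Theorem 3 as a structural test: m is 2, 4, p^k or 2p^k, p an odd prime."""
    if m in (2, 4):
        return True
    if m % 2 == 0:
        m //= 2
    if m % 2 == 0 or m == 1:     # 4 | m (and m != 4), or m had no odd part
        return False
    p = 3                        # smallest odd prime factor of the odd part
    while m % p != 0:
        p += 2
    while m % p == 0:
        m //= p
    return m == 1                # the odd part was a single prime power
```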

3. Definition and Properties of Discrete Logarithms

3.1. Discrete Logarithms and its properties


Definition 3: For a given positive integer $m$ ($m \ge 2$), let $a \in N^+$ with $(a, m) = 1$ and let $r$ be a primitive root of $m$. Then $x = \mathrm{ind}_r a$ if $r^x \equiv a \pmod m$.
The discrete logarithm has the following five properties:
Proposition 3: Let $p$ be a prime number and $a$ a primitive root of $p$. Then:
i) $x \equiv y \pmod p$ if and only if $\mathrm{ind}_a x \equiv \mathrm{ind}_a y \pmod{p-1}$;
ii) $\mathrm{ind}_a a^k \equiv k \pmod{p-1}$;
iii) $\mathrm{ind}_a a = 1$;
iv) $\mathrm{ind}_a xy \equiv \mathrm{ind}_a x + \mathrm{ind}_a y \pmod{p-1}$;
v) $\mathrm{ind}_a x^k \equiv k\, \mathrm{ind}_a x \pmod{p-1}$.
To prove these properties, an easy lemma is used:
[Lemma]: Let $p$ be a prime number and $a$ a primitive root of $p$. Let $b, c$ be positive integers. Then $b \equiv c \pmod{p-1}$ if and only if $a^b \equiv a^c \pmod p$.
[Proof of Lemma]: Since $p$ is a prime number and $a$ is a primitive root of $p$, $\delta_p(a) = p - 1$.
Also, by Fermat's Little Theorem, $a^{p-1} \equiv 1 \pmod p$ (this also holds because the order of $a$ is $p - 1$).
If $b \equiv c \pmod{p-1}$, then there exists an integer $k$ such that $b - c = k(p - 1)$.
Thus, $a^{b-c} \equiv a^{k(p-1)} \equiv 1 \pmod p$, so $a^b \equiv a^c \pmod p$.
On the other hand, if $a^b \equiv a^c \pmod p$, then since $(a, p) = 1$, $(p, a^c) = 1$.
Therefore, $a^{b-c} \equiv 1 \pmod p$.
Since $\delta_p(a) = p - 1$, by Proposition 1, $p - 1 \mid b - c$.
Hence, $b \equiv c \pmod{p-1}$.
In general, $b \equiv c \pmod{p-1}$ if and only if $a^b \equiv a^c \pmod p$.
This proves the Lemma.
Using this lemma, it is not difficult to prove the above five properties, and here only property iv) will be proved. The rest can be shown in the same way, using the lemma and the definition of the discrete logarithm directly.
Proof of iv): Let $l = \mathrm{ind}_a xy$, $l_1 = \mathrm{ind}_a x$, $l_2 = \mathrm{ind}_a y$.
By definition, $a^l \equiv xy \pmod p$, $a^{l_1} \equiv x \pmod p$, $a^{l_2} \equiv y \pmod p$.
Thus, $a^l \equiv xy \equiv a^{l_1} a^{l_2} = a^{l_1 + l_2} \pmod p$.
By the Lemma above, $l_1 + l_2 \equiv l \pmod{p-1}$.
Hence, $\mathrm{ind}_a xy \equiv \mathrm{ind}_a x + \mathrm{ind}_a y \pmod{p-1}$.

4. Solution Methods for the Discrete Logarithm Problem

4.1. The Discrete Logarithm Problem


The main idea of this section is to introduce the Discrete Logarithm Problem and its solutions, including the two main algorithms mentioned before. Firstly, the target is to see what the Discrete Logarithm Problem is.
Definition 4: The Discrete Logarithm Problem can be formulated as follows:
Given a positive integer $b$ and a large prime number $p$, let $a$ be a primitive root of $p$. There exists a unique index $i$ ($0 \le i \le p - 1$) such that $b \equiv a^i \pmod p$. The problem is to find the exact value of this $i$.
The assumption of this problem holds because such an $a$ must exist by Theorem 1 (Primitive Root Theorem). Also, the index $i$ with this property must be unique: by the congruence $b \equiv a^i \pmod p$ it is clear that $(b, p) = (a, p) = 1$, so the remainder of $b$ divided by $p$ is not $0$, and that remainder, called $r$, lies in $Z_p^*$.
By Corollary 2, the list $a, a^2, \ldots, a^{p-1}$ picks up every element of $Z_p^* = \{1, 2, \ldots, p - 1\}$. This means that there must exist a unique $i$ such that $r \equiv b \equiv a^i \pmod p$. Also, from the argument above, it is clear that there is a bijection between the two sets $Z_p^*$ and $\{a, a^2, \ldots, a^{p-1}\}$ taken modulo $p$.
Moreover, it is necessary that $a$ be a primitive root of $p$; otherwise the set $\{a, a^2, \ldots, a^{p-1}\}$ taken modulo $p$ contains repeated elements, so the index $i$ cannot be assigned uniquely.
Another question is why this problem needs a large prime number. If only a small prime is taken, the problem is very easy to solve by computing every power, so the large prime ensures the difficulty of the problem. Then this essay discusses two algorithms to solve this problem: Shanks' Babystep-Giantstep Algorithm and the Pohlig-Hellman Discrete Logarithm Algorithm.

4.2. Shanks' Babystep-Giantstep Algorithm


Algorithm 1 (Shanks' Babystep-Giantstep Algorithm): Consider the given congruence $b \equiv a^x \pmod p$, where $p$ is a large prime number. Let $N = p - 1$. The process of the algorithm is as follows:
i) Calculate $n = [\sqrt{N}] + 1$;
ii) Construct the two sets $A = \{1, a, a^2, \ldots, a^n\}$ and $B = \{b, ba^{-n}, ba^{-2n}, \ldots, ba^{-n^2}\}$;
iii) $A$ and $B$ have a common element, so there exist $i, j \in \{0, 1, 2, \ldots, n\}$ such that $a^i \equiv ba^{-jn} \pmod p$;
iv) Let $x = i + jn$; then $x$ is a solution to the congruence $b \equiv a^x \pmod p$.
v) It is clear that this algorithm works, and its run time is $O(\sqrt{N})$, which greatly decreases the run time compared with calculating each value [10].
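An added Python implementation of Algorithm 1 (my own code, not from the paper) that follows steps i) to iv) literally, keeping the set A in a hash table keyed by value so that step iii) is a lookup; the function name bsgs and the None return for an unsolvable instance are my own conventions.

```python
from math import isqrt

def bsgs(a, b, p):
    """Shanks' baby-step giant-step for a^x = b (mod p), p prime.

    Uses N = p - 1 and n = [sqrt(N)] + 1 as in step i).
    Returns some x with 0 <= x < N, or None when b is not a power of a.
    """
    N = p - 1
    n = isqrt(N) + 1
    # Step ii), set A: baby steps a^0, a^1, ..., a^n stored in a hash table
    # keyed by value, so that step iii) costs one lookup per giant step.
    baby = {}
    cur = 1
    for i in range(n + 1):
        baby.setdefault(cur, i)  # keep the first exponent producing this value
        cur = cur * a % p
    # Giant-step multiplier a^{-n}: the inverse comes from Fermat, a^{-1} = a^{p-2}
    a_inv_n = pow(pow(a, p - 2, p), n, p)
    # Step ii), set B: b, b a^{-n}, b a^{-2n}, ... generated one element at a time
    gamma = b % p
    for j in range(n + 1):
        i = baby.get(gamma)
        if i is not None:
            return (i + j * n) % N   # step iv): x = i + jn (reduced modulo N)
        gamma = gamma * a_inv_n % p
    return None
```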

4.3. Pohlig-Hellman Discrete Logarithm Algorithm


To introduce the Pohlig-Hellman Discrete Logarithm Algorithm, the Chinese Remainder Theorem should first be reviewed.
Theorem 4 (Chinese Remainder Theorem): Let $m_1, m_2, \ldots, m_k \in N^+$ ($k \ge 2$) be pairwise coprime, that is, $(m_i, m_j) = 1$ for all $1 \le i < j \le k$. Let $a_1, a_2, \ldots, a_k \in Z$ and consider the system of congruences:
$x \equiv a_1 \pmod{m_1}$
$x \equiv a_2 \pmod{m_2}$ (1)
$\vdots$
$x \equiv a_k \pmod{m_k}$
This system of congruences has a unique solution modulo $m_1 m_2 \cdots m_k$. In other words, if $x = x_0$ is a particular solution of this system, then all the solutions are given by the integers $x$ satisfying $x \equiv x_0 \pmod{m_1 m_2 \cdots m_k}$ [7].
This theorem is a very basic result in number theory, so its proof is not presented in this essay, but the proof yields the algorithm for solving the system of congruences by the Chinese Remainder Theorem.
The solutions are given by the formula:
$x \equiv a_1 M_1 y_1 + a_2 M_2 y_2 + \cdots + a_k M_k y_k \pmod{m_1 m_2 \cdots m_k}$ (2)
where $M = m_1 m_2 \cdots m_k$, $M_i = \dfrac{M}{m_i}$ and $y_i = (M_i)^{-1} \pmod{m_i}$, $i = 1, 2, \ldots, k$.
Now it is time to present the Pohlig-Hellman Discrete Logarithm Algorithm [11]:
Algorithm 2 (Pohlig-Hellman Discrete Logarithm Algorithm):
Consider the prime factorization $p - 1 = p_1^{k_1} p_2^{k_2} \cdots p_m^{k_m}$;
For each prime factor $p_i$ ($1 \le i \le m$), write $x \equiv a_0 + a_1 p_i + \cdots + a_{k_i - 1} p_i^{k_i - 1} \pmod{p_i^{k_i}}$;
Let $r = 1$ and compute $(a^x)^{\frac{p-1}{p_i^r}} \equiv b^{\frac{p-1}{p_i^r}} \pmod p$. Substitute $x$ and expand; notice that from the second term on, all the factors are $1$ by Fermat's Little Theorem, so this leads to $a^{a_0 \frac{p-1}{p_i}} \equiv b^{\frac{p-1}{p_i}} \pmod p$. By the former steps, $a_0$ can be computed in run time $O(p_i)$; then let $r_1 = r + 1$ and go back to the third step. Continue the operation above until all the coefficients $a_0, a_1, \ldots, a_{k_i - 1}$ are computed;
For each $i$, a congruence of the form in the second step is obtained; then use the Chinese Remainder Theorem to solve for $x$. The above two algorithms are the two main effective algorithms for solving the Discrete Logarithm Problem.
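An added Python implementation of Algorithm 2 together with formula (2) (my own code, not from the paper): each prime-power part of x is recovered digit by digit with the O(p_i) exhaustive search described above, and the parts are combined by the Chinese Remainder Theorem. The function names are my own, and a is assumed to be a primitive root of the prime p.

```python
def factorize(n):
    """Trial-division factorization: n -> [(prime, exponent), ...]."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            e = 0
            while n % d == 0:
                n //= d
                e += 1
            factors.append((d, e))
        d += 1
    if n > 1:
        factors.append((n, 1))
    return factors

def crt(residues, moduli):
    """Formula (2): x = sum a_i M_i y_i (mod M), M_i = M/m_i, y_i = M_i^{-1} mod m_i."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        y_i = pow(M_i, -1, m_i)           # modular inverse of M_i modulo m_i
        x += a_i * M_i * y_i
    return x % M

def dlog_prime_power(a, b, p, q, k):
    """Digits a_0..a_{k-1} of x mod q^k with a^x = b (mod p), a of order p-1.

    Each digit is found by exhaustive search in the subgroup of order q,
    generated by g = a^{(p-1)/q}, i.e. O(q) work per digit as in Algorithm 2.
    """
    N = p - 1
    g = pow(a, N // q, p)
    x = 0                                  # a_0 + a_1 q + ... found so far
    for j in range(k):
        # Divide out the known digits, then raise to (p-1)/q^{j+1}: by Fermat's
        # Little Theorem every term beyond digit j vanishes, leaving h = g^{a_j}.
        h = pow(b * pow(a, -x, p) % p, N // q ** (j + 1), p)
        for d in range(q):
            if pow(g, d, p) == h:
                x += d * q ** j
                break
        else:
            raise ValueError("b is not in the subgroup generated by a")
    return x

def pohlig_hellman(a, b, p):
    """Solve a^x = b (mod p) for prime p and primitive root a of p."""
    residues, moduli = [], []
    for q, k in factorize(p - 1):
        residues.append(dlog_prime_power(a, b, p, q, k))
        moduli.append(q ** k)
    return crt(residues, moduli)
```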

5. Conclusion
This research targeted the Discrete Logarithm Problem. To introduce the algorithms that solve this famous problem, several important concepts of elementary number theory were first introduced, including the multiplicative order and the primitive root. In addition, several important theorems, such as the Primitive Root Theorem, were given rigorous proofs. The essay then turned to the discrete logarithm, which is the basis of the Discrete Logarithm Problem, and introduced its most important properties. Finally, before giving solutions to the Discrete Logarithm Problem, this research discussed why the problem is designed in this way and how the earlier concepts and theorems of number theory play an important role in it. Then the two main algorithms were demonstrated, Shanks' Babystep-Giantstep Algorithm and the Pohlig-Hellman Discrete Logarithm Algorithm. These give effective solutions to the Discrete Logarithm Problem and work much more efficiently than computing each power in turn, which greatly reduces the run time of solving this problem.

References
[1] Menezes, A.J., van Oorschot, P.C., Vanstone, S.A. Handbook of Applied Cryptography. CRC Press.
[2] Burton, D.M. (1989). The Order of an Integer Modulo n. Elementary Number Theory, 4th ed.
[3] Von zur Gathen, J., Gerhard, J. (2013). Modern Computer Algebra. Cambridge University Press.
[4] Gauss, C.F., Clarke, A.A. (transl.) (1986). Disquisitiones Arithmeticae (second, corrected edition). New York: Springer.
[5] Davidson, K.R. (2012). Integers, Polynomials and Finite Fields. University of Waterloo.
[6] Davidson, K.R. (1994). Integer and Polynomial Algebra. University of Waterloo.
[7] Zorzitto, F. (2016). A Taste of Number Theory.
[8] Stromquist, W. (2017). What are Primitive Roots? Mathematics, Bryn Mawr College.
[9] Gauss & Clarke (1986). Art. 92.
[10] Shanks, D. (1971). Class number, a theory of factorization and genera. In Proc. Symp. Pure Math., vol. 20, pp. 415–440. Providence, R.I.: American Mathematical Society.
[11] Mollin, R. (2006). An Introduction to Cryptography. Chapman and Hall/CRC, p. 344.
