To the authors' knowledge, there are not many cryptosystems proven to be as difficult as or more difficult than the discrete logarithm problem. Concerning problems related to the discrete logarithm problem, there are problems called the double discrete logarithm problem and the e-th root of the discrete logarithm problem. These two problems are likely to be difficult and they have been utilized in cryptographic protocols such as verifiable secret sharing scheme and group signature scheme. However, their exact complexity has not been clarified, yet. Related to the e-th root of the discrete logarithm problem, we can consider a square root of the discrete logarithm problem. Again, the exact complexity of this problem has not been clarified, yet. The security of cryptosystems using these underlying problems deeply depends on the difficulty of these underlying problems. Hence it is important to clarify their difficulty. In this paper we prove reductions among these fundamental problems and show that under certain conditions, these problems are as difficult as or more difficult than the discrete logarithm problem modulo a prime.

To examine the computational complexity of cryptographic primitives such as the discrete logarithm problem, the factoring problem and the Diffie-Hellman problem, we define a new problem called square-root exponent, which is a problem to compute a value whose discrete logarithm is a square root of the discrete logarithm of a given value. We analyze reduction between the discrete logarithm problem modulo a prime and the factoring problem through the square-root exponent. We also examine reductions among the computational version and the decisional version of the square-root exponent and the Diffie-Hellman problem and show that the gap between the computational square-root exponent and the decisional square-root exponent partially overlaps with the gap between the computational Diffie-Hellman and the decisional Diffie-Hellman under some condition.