Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.


Introduction
One-way function
–Easy to compute, hard to invert
Trapdoor function
–One-way function
–Hard to invert; but with trapdoor, easy to invert.
–Injective (one-to-one) trapdoor function suffices for a public key cryptosystem. (Proved by Yao)
Injectivity can guarantee unique decryption.

Several questions arise
What’s the relationship between one-way functions and trapdoor functions?
–Does a one-way function imply a trapdoor function?
Does a public key cryptosystem require an injective trapdoor function?
–Can a non-injective trapdoor function be used to construct a public key cryptosystem?
–If yes, what is the domain size of such a non-injective trapdoor function?

Definitions:
PPT:
–Probabilistic, polynomial time
x||y:
–Concatenation of two strings x and y
x  S:
–Select an element from the set S.
Pre-images of y under a function f:
–f^{-1}(y) = { x  Dom(f): f(x) = y}.
Injective:
–A function is said to be injective if Dom(f) = Range(f).
One-wayness:
–A function is said to be one-way if InvProb_f(I,k) is negligible for any PPT algorithm I.

Trapdoorness:
–A function f is said to be trapdoor if, knowing the “trapdoor information” tp, one can invert f.
–Formally, there exists a PPT algorithm F-Inv(f, tp, y) for all y  Range(f), which outputs an element of f^{-1}(y) with probability 1.
Predicate:
–A probabilistic function p with domain {0,1}, which takes a bit b and flips coins r to generate some output y = p(b:r).
Decryption error  (k) of a predicate:
–If there exists a PPT algorithm P-Inv, which, knowing the trapdoor, fails to decrypt only with probability:
– is at most  (k)

From one-way functions to trapdoor functions
Theorem: Suppose there exists a family of one-way functions. Then there exists a family of trapdoor, one-way functions.
–Proof: Given a family of one-way functions, construct a family of trapdoor one-way functions.
–Given f, we construct a g which “mimics” f but embeds a trapdoor.  = f(  ), where  is trapdoor of g, and  is the image of the trapdoor  under f.
–Is g a one-way trapdoor function?
If knowing , a pre-image of z under g is (z, ,  ). So knowing the trapdoor, one can invert g. g is a trapdoor function.
Without knowing , can we invert g?
–If g(y,x, v) = z then either f(v) = z or f(x) = . To calculate g^{-1}(z) requires inverting f at either z or , both of which are hard by one-wayness of f.
–g is a one-way function.
g is a one-way trapdoor function.
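The construction above, as an added Python example that is not from the slides. The transcript lost the slide's formula for g, so the piecewise rule used here (output y when x opens the public value, otherwise f(v)) is an assumption chosen to match the inversion argument; SHA-256 stands in for f, and the names alpha, beta, keygen and g_inv are illustrative.

```python
import hashlib
import secrets

N_BYTES = 32  # length of every input block and of f's output


def f(x: bytes) -> bytes:
    """Stand-in one-way function (assumption: SHA-256 is hard to invert)."""
    return hashlib.sha256(x).digest()


def keygen():
    """Pick the trapdoor alpha and publish beta = f(alpha)."""
    alpha = secrets.token_bytes(N_BYTES)
    return f(alpha), alpha


def g(beta: bytes, y: bytes, x: bytes, v: bytes) -> bytes:
    """Assumed rule: return y if x is a pre-image of beta, else mimic f on v."""
    return y if f(x) == beta else f(v)


def g_inv(alpha: bytes, z: bytes):
    """With the trapdoor, (z, alpha, v) maps to z for ANY v, so pick v = 0."""
    return (z, alpha, bytes(N_BYTES))


if __name__ == "__main__":
    beta, alpha = keygen()
    z = f(b"constructed sample target")          # any 32-byte string works
    y, x, v = g_inv(alpha, z)
    print("trapdoor inversion ok:", g(beta, y, x, v) == z)
    # Many-to-one: a different v gives a second pre-image of the same z.
    print("second pre-image ok:  ", g(beta, z, alpha, b"other v") == z)
    # Without alpha the first branch is unreachable and g is just f(v).
    print("no trapdoor -> f(v):  ", g(beta, z, b"guess", b"v") == f(b"v"))
```

Every choice of v yields a valid pre-image under the trapdoor branch, so each point has a very large pre-image set, which is the many-to-one property the title refers to.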

Does a public key cryptosystem require an injective trapdoor function?
Unapproximable trapdoor predicates and semantically secure public key cryptosystems are equivalent.
So the question becomes whether unapproximable trapdoor predicates imply injective trapdoor functions.

From trapdoor functions to cryptosystem
Theorem: If there exist trapdoor one-way function families with polynomially bounded pre-image size, then there exists a family of unapproximable trapdoor predicates with exponentially small decryption error.
Proof: Given a trapdoor one-way function F, construct an unapproximable family of trapdoor predicates P with decryption error ½ - 1/poly(k), and reduce the decryption error by repetition to get the family claimed in the theorem.

Claim: p is an unapproximable trapdoor predicate family, with decryption error at most ½ - 1/[2Q(k)]
–The output of p is (f(x),r,  )
–b =   (x r)
–x’ = F-Inv(f,tp,y) and b’ =   (x’ r)
–Since f is not an injective function, even with tp, x’ may not be equal to x.
–If x’ = x, then b’=b.
–If x’  x then b’=b with probability at most ½ since r is randomly chosen. The chance that x = x’ is at least 1/Q(k) (the size of the pre-image of f is Q(k)).
–So

To prove the theorem, we need a predicate with exponentially small decryption error.
–The predicate is constructed as follows: a polynomial number of p(b) are concatenated to form a final predicate.
–To decrypt b with tp, let b_i’ = P-Inv(p, tp, (y_i, r_i,  _i)). It outputs b’ which is 1 if the majority of the b_i’ are 1 and 0 otherwise.
–b_i’ has decryption error ½ - 1/[2Q(k)], b has exponentially small decryption error.
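The claim and the repetition step above, worked exactly on a toy instance (an added Python example, not from the slides). Assumptions: f is Rabin squaring modulo a constructed toy modulus N = 19·23, which is 4-to-1 on the units so Q(k) = 4; the operator between x and r that the transcript lost is taken to be the inner product mod 2; the third output component is called s.

```python
from fractions import Fraction
from functools import lru_cache
from math import comb, gcd

P, Q = 19, 23                 # constructed toy trapdoor tp: primes = 3 (mod 4)
N = P * Q                     # public key; squaring mod N is 4-to-1 on units
NBITS = N.bit_length()
PREIMAGE_SIZE = 4             # plays the role of Q(k) on the slide

def f(x):
    return x * x % N

@lru_cache(maxsize=None)
def f_inv(y):
    """F-Inv(f, tp, y): one fixed square root of y, found with the trapdoor."""
    rp = pow(y, (P + 1) // 4, P)
    rq = pow(y, (Q + 1) // 4, Q)
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N

def dot(x, r):
    """Inner product mod 2 of the bit strings x and r."""
    return bin(x & r).count("1") & 1

def p(b, x, r):
    """Predicate output (f(x), r, s) with s = b XOR <x, r>."""
    return f(x), r, b ^ dot(x, r)

def p_inv(y, r, s):
    """P-Inv: recompute the mask from x' = F-Inv(y); x' may differ from x."""
    return s ^ dot(f_inv(y), r)

def exact_error(b=1):
    """Decryption error of p over every unit x and every r, as a fraction."""
    units = [x for x in range(1, N) if gcd(x, N) == 1]
    wrong = sum(p_inv(*p(b, x, r)) != b
                for x in units for r in range(1 << NBITS))
    return Fraction(wrong, len(units) << NBITS)

def majority_error(e, m):
    """Error of majority vote over m (odd) independent copies with error e."""
    return sum(comb(m, j) * e**j * (1 - e)**(m - j)
               for j in range((m + 1) // 2, m + 1))

if __name__ == "__main__":
    e = exact_error()
    print("single copy:", e, "bound:", Fraction(1, 2) - Fraction(1, 2 * PREIMAGE_SIZE))
    for m in (1, 11, 101):
        print(m, float(majority_error(e, m)))
```

On this instance the single-copy error meets the bound ½ - 1/[2Q(k)] with equality, and the majority vote drives it down as the number of copies grows.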

Several known results so far.
1. Existence of unapproximable trapdoor predicates is equivalent to the existence of semantically secure public-key encryption.
2. Injective trapdoor one-way functions can be used to construct unapproximable trapdoor predicates.
Question
Can unapproximable trapdoor predicates be used to construct injective trapdoor one-way functions?
If it is possible to implement, using one-way functions, a function G with “sufficiently” strong randomness properties to maintain the security of this scheme, then the question would have a positive answer.

To go from a predicate to a function, we need de-randomization, while maintaining the one-wayness of the function.
–Method 1: It is one-way [Yao]. However, it is not a trapdoor function, because even with the trapdoor information, we cannot recover r_1, r_2, …, r_k.
–Method 2: Where G is a pseudo-random generator. It is proved that f is not one-way either.

Method 3: Use a truly random function G, i.e., a random oracle.
To invert f, we need to invert p(b_1; r_1), p(b_2; r_2), …, p(b_k; r_k). Even knowing r_1, r_2, r_3, …, r_k, since G is a truly random generator, b_1, b_2, …, b_k are independent of r_1, r_2, r_3, …, r_k. And each p is unapproximable, so f is a one-way function.
Theorem: If there exists a family of unapproximable trapdoor predicates, then there exists a family of injective trapdoor one-way functions in the random oracle model.

Conclusion