Advances in Cryptology — CRYPTO '98

Volume 1462 of the series Lecture Notes in Computer Science pp 283-298


Many-to-one trapdoor functions and their relation to public-key cryptosystems

  • Mihir BellareAffiliated withDept. of Computer Science & Engineering, University of California at San Diego
  • , Shai HaleviAffiliated withT. J. Watson Research Center, IBM
  • , Amit SahaiAffiliated withMIT Laboratory for Computer Science
  • , Salil VadhanAffiliated withMIT Laboratory for Computer Science


The heart of the task of building public key cryptosystems is viewed as that of“making trapdoors;” in fact, public key cryptosystems and trapdoor functions are often discussed as synonymous. How accurate is this view? In this paper we endeavor to get a better understanding of the nature of“trapdoorness” and its relation to public key cryptosystems, by broadening the scope of the investigation: we look at general trapdoor functions; that is, functions that are not necessarily injective (ie., one-to-one). Our first result is somewhat surprising: we show that non-injective trapdoor functions (with super-polynomial pre-image size) can be constructed from any one-way function (and hence it is unlikely that they suffice for public key encryption). On the other hand, we show that trapdoor functions with polynomial pre-image size are sufficient for public key encryption. Together, these two results indicate that the pre-image size is a fundamental parameter of trapdoor functions. We then turn our attention to the converse, asking what kinds of trapdoor functions can be constructed from public key cryptosystems. We take a first step by showing that in the random-oracle model one can construct injective trapdoor functions from any public key cryptosystem.