# Many-to-one trapdoor functions and their relation to public-key cryptosystems

## Abstract

The heart of the task of building public key cryptosystems is viewed as that of “making trapdoors;” in fact, public key cryptosystems and trapdoor functions are often discussed as synonymous. How accurate is this view? In this paper we endeavor to get a better understanding of the nature of “trapdoorness” and its relation to public key cryptosystems, by broadening the scope of the investigation: we look at general trapdoor functions; that is, functions that are not necessarily injective (i.e., one-to-one). Our first result is somewhat surprising: we show that non-injective trapdoor functions (with super-polynomial pre-image size) can be constructed from any one-way function (and hence it is unlikely that they suffice for public key encryption). On the other hand, we show that trapdoor functions with polynomial pre-image size are sufficient for public key encryption. Together, these two results indicate that the pre-image size is a fundamental parameter of trapdoor functions. We then turn our attention to the converse, asking what kinds of trapdoor functions can be constructed from public key cryptosystems. We take a first step by showing that in the random-oracle model one can construct injective trapdoor functions from any public key cryptosystem.
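To make "pre-image size" concrete, the following added example (not code from the paper) uses Rabin's squaring function modulo N = PQ, a standard non-injective trapdoor function in which each output coprime to N has exactly four pre-images. The primes, function names and sample input are assumptions chosen for illustration.

```python
# Toy parameters, constructed for illustration; far too small to be secure.
P, Q = 499, 547          # trapdoor: two primes, both congruent to 3 mod 4
N = P * Q                # public description of the function


def f(x):
    """Public direction: anyone who knows N can square modulo N."""
    return (x * x) % N


def sqrt_mod_prime(y, p):
    """Square root of a quadratic residue y modulo a prime p with p % 4 == 3."""
    r = pow(y, (p + 1) // 4, p)
    if (r * r - y) % p != 0:
        raise ValueError("y is not a quadratic residue modulo p")
    return r


def crt(rp, rq):
    """Combine a residue mod P and a residue mod Q into the residue mod N."""
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N


def invert(y):
    """Trapdoor direction: with P and Q, list every pre-image of y under f.

    Each choice of sign modulo P and modulo Q gives a distinct root, so an
    output coprime to N has four pre-images (two if y shares a factor with N).
    """
    rp = sqrt_mod_prime(y % P, P)
    rq = sqrt_mod_prime(y % Q, Q)
    return sorted({crt(sp, sq) for sp in (rp, P - rp) for sq in (rq, Q - rq)})


if __name__ == "__main__":
    x = 123456                      # constructed sample input, coprime to N
    y = f(x)
    roots = invert(y)
    print("N =", N, "f(x) =", y)
    print("pre-images:", roots)     # x and N - x are among them
```

The trapdoor recovers the whole pre-image set but cannot say which of the four inputs was used; that ambiguity is what the pre-image size parameter measures.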
