Many-to-one trapdoor functions and their relation to public-key cryptosystems

  • Mihir Bellare
  • Shai Halevi
  • Amit Sahai
  • Salil Vadhan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1462)


The heart of the task of building public key cryptosystems is viewed as that of “making trapdoors;” in fact, public key cryptosystems and trapdoor functions are often discussed as synonymous. How accurate is this view? In this paper we endeavor to get a better understanding of the nature of “trapdoorness” and its relation to public key cryptosystems, by broadening the scope of the investigation: we look at general trapdoor functions, that is, functions that are not necessarily injective (i.e., one-to-one). Our first result is somewhat surprising: we show that non-injective trapdoor functions (with super-polynomial pre-image size) can be constructed from any one-way function (and hence it is unlikely that they suffice for public key encryption). On the other hand, we show that trapdoor functions with polynomial pre-image size are sufficient for public key encryption. Together, these two results indicate that the pre-image size is a fundamental parameter of trapdoor functions. We then turn our attention to the converse, asking what kinds of trapdoor functions can be constructed from public key cryptosystems. We take a first step by showing that in the random-oracle model one can construct injective trapdoor functions from any public key cryptosystem.
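The abstract's central parameter is the pre-image size of a trapdoor function. The following is an added illustration by the editor, not code or a construction from the paper: it uses the textbook Rabin function x ↦ x² mod N, which is 4-to-1 on the units of Z_N and whose trapdoor (the factors p, q) returns the whole pre-image set. The primes P and Q are constructed toy values chosen with P ≡ Q ≡ 3 (mod 4) so square roots have a closed form; they are far too small for any real use, and the function and variable names are the editor's own.

```python
"""Rabin squaring mod N as a many-to-one trapdoor function (added illustration).

Not from the paper. Shows what "pre-image size" means concretely:
x -> x^2 mod N is 4-to-1 on the units of Z_N, and whoever holds the
trapdoor (p, q) can list all four pre-images of a given image.
"""
from math import gcd

# Constructed toy primes with P, Q = 3 (mod 4); far too small for real use.
P, Q = 1019, 1031
N = P * Q


def rabin_eval(x):
    """Forward direction: anyone holding the public modulus N can compute it."""
    return pow(x, 2, N)


def _crt(a_p, a_q):
    """Combine a residue mod P and a residue mod Q into a residue mod N."""
    q_inv = pow(Q, -1, P)  # Q^{-1} mod P
    p_inv = pow(P, -1, Q)  # P^{-1} mod Q
    return (a_p * Q * q_inv + a_q * P * p_inv) % N


def rabin_invert(y):
    """Trapdoor inversion using the factors P and Q.

    For a prime p = 3 (mod 4) and a quadratic residue y, y^((p+1)/4) mod p is a
    square root of y mod p.  Taking the +/- root mod P and mod Q and combining
    each pair with the CRT yields the full pre-image set, of size 4 whenever
    gcd(y, N) == 1.
    """
    if gcd(y, N) != 1:
        raise ValueError("y must be a unit mod N for this toy inverter")
    r_p = pow(y, (P + 1) // 4, P)
    r_q = pow(y, (Q + 1) // 4, Q)
    return {_crt(sp, sq) for sp in (r_p, P - r_p) for sq in (r_q, Q - r_q)}


def preimage_size(x):
    """Number of pre-images of f(x); constant (4) here, hence polynomial."""
    return len(rabin_invert(rabin_eval(x)))


def inversion_recovers(x):
    """The trapdoor does not single out x, but x is in the returned set."""
    return x in rabin_invert(rabin_eval(x))


def brute_force_preimages(y):
    """Without the trapdoor: exhaustive search, exponential in log N."""
    return {x for x in range(1, N) if gcd(x, N) == 1 and pow(x, 2, N) == y}


if __name__ == "__main__":
    x = 123456
    y = rabin_eval(x)
    roots = rabin_invert(y)
    print("image:", y)
    print("pre-images via trapdoor:", sorted(roots))
    print("all pre-images square back to y:", all(rabin_eval(r) == y for r in roots))
    print("trapdoor set matches brute force:", roots == brute_force_preimages(y))
```

The point of the exercise is the size of the set `rabin_invert` returns. A decryptor that gets back four candidates can afford to test each one (for instance against redundancy embedded in the plaintext), which is the kind of work the abstract's polynomial-pre-image case permits; once the pre-image set is super-polynomial, that search is no longer available, which is why the one-way-function-based construction in the abstract does not give public key encryption.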


Copyright information

© Springer-Verlag 1998

Authors and Affiliations

  • Mihir Bellare, Dept. of Computer Science & Engineering, University of California at San Diego, La Jolla, USA
  • Shai Halevi, T. J. Watson Research Center, IBM, Yorktown Heights, USA
  • Amit Sahai, MIT Laboratory for Computer Science, Cambridge, USA
  • Salil Vadhan, MIT Laboratory for Computer Science, Cambridge, USA