
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems

M. Bellare, A. Sahai, S. Halevi, S. Vadhan

Introduction

• One-way function
– Easy to compute, hard to invert
• Trapdoor function
– One-way function
– Hard to invert; but with the trapdoor, easy to invert.
• An injective (one-to-one) trapdoor function suffices for a public key cryptosystem. (Proved by Yao)
• Injectivity can guarantee unique decryption

Several questions arise

• What's the relationship between one-way functions and trapdoor functions?
– Does a one-way function imply a trapdoor function?
• Does a public key cryptosystem require an injective trapdoor function?
– Can a non-injective trapdoor function be used to construct a public key cryptosystem?
– If yes, what is the domain size of such a non-injective trapdoor function?

Definitions:

• PPT:
– Probabilistic, polynomial time
• x||y:
– Concatenation of two strings x and y
• x S:
– Select an element from the set S.
• Pre-images of y under a function f:
– f^{-1}(y) = { x ∈ Dom(f) : f(x) = y }.
• Injective:
– A function is said to be injective if Dom(f) = Range(f).
• One-wayness:
– A function is said to be one-way if InvProb_f(I, k) is negligible for any PPT algorithm I.
• Trapdoorness:
– A function f is said to be trapdoor if, knowing the "trapdoor information" tp, one can invert f.
– Formally, there exists a PPT algorithm F-Inv(f, tp, y) which, for all y ∈ Range(f), outputs an element of f^{-1}(y) with probability 1.
• Predicate:
– A probabilistic function p with domain {0,1}: it takes a bit b and flips coins r to generate some output y = p(b; r).
• Decryption error δ(k) of a predicate:
– The predicate has decryption error δ(k) if there exists a PPT algorithm P-Inv which, knowing the trapdoor, fails to decrypt with probability at most δ(k).

From one-way functions to trapdoor functions

Theorem: Suppose there exists a family of one-way functions. Then there exists a family of trapdoor, one-way functions.

– Proof: Given a family of one-way functions, construct a family of trapdoor one-way functions.
– Given f, we construct a g which "mimics" f but embeds a trapdoor α.
• β = f(α), where α is the trapdoor of g, and β is the image of the trapdoor under f.
– Is g a one-way trapdoor function?
• Knowing α, a pre-image of z under g is (z, α, v). So knowing the trapdoor, one can invert g. g is a trapdoor function.
• Without knowing α, can we invert g?
– If g(y, x, v) = z then either f(v) = z or f(x) = β. To calculate g^{-1}(z) therefore requires inverting f at either z or β, both of which are hard by the one-wayness of f. g is a one-way function.

g is a one-way trapdoor function.
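The construction in this proof, as an added sketch that is not code from the slides or the paper. It calls the trapdoor alpha and its image beta = f(alpha), uses SHA-256 as a stand-in for the one-way function f, and assumes the definition of g that matches the case analysis above (g returns y when f(x) = beta and f(v) otherwise); all function names are hypothetical.

```python
import hashlib
import os

def f(x: bytes) -> bytes:
    # Stand-in for the one-way function f (assumption: SHA-256).
    return hashlib.sha256(x).digest()

def gen():
    # Key generation: alpha is the trapdoor, beta = f(alpha) is public.
    alpha = os.urandom(32)
    return f(alpha), alpha

def g(beta: bytes, y: bytes, x: bytes, v: bytes) -> bytes:
    # Assumed definition, consistent with the slide's case analysis:
    # g(y, x, v) = z implies f(x) = beta (then z = y) or f(v) = z.
    return y if f(x) == beta else f(v)

def g_inv(alpha: bytes, z: bytes):
    # With the trapdoor, (z, alpha, v) is a pre-image of z for any v.
    return z, alpha, b""

def classify_preimage(beta: bytes, z: bytes, pre) -> str:
    # The reduction in the proof: any valid pre-image of z under g
    # contains a pre-image of beta or of z under f.
    y, x, v = pre
    if g(beta, y, x, v) != z:
        raise ValueError("not a pre-image of z under g")
    if f(x) == beta:
        return "inverts f at beta"
    return "inverts f at z"  # here f(v) == z must hold

if __name__ == "__main__":
    beta, alpha = gen()
    z = f(b"constructed target")
    print(classify_preimage(beta, z, g_inv(alpha, z)))
```

The trapdoor inverts g without ever inverting f at z, which is why g is many-to-one and why the trapdoor on its own does not give unique decryption.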

Does a public key cryptosystem require an injective trapdoor function?

• Unapproximable trapdoor predicates and semantically secure public key cryptosystems are equivalent.
• So the question becomes whether unapproximable trapdoor predicates imply injective trapdoor functions.

From trapdoor functions to cryptosystem

Theorem: If there exist trapdoor one-way function families with polynomially bounded pre-image size, then there exists a family of unapproximable trapdoor predicates with exponentially small decryption error.

• Proof: Given a trapdoor one-way function F, construct an unapproximable family of trapdoor predicates P with decryption error ½ - 1/poly(k), and reduce the decryption error by repetition to get the family claimed in the theorem.

• Claim: p is an unapproximable trapdoor predicate family, with decryption error at most ½ - 1/[2Q(k)]
– The output of p is (f(x), r, σ), where b = σ ⊕ (x ⊙ r)
– To decrypt: x' = F-Inv(f, tp, y) and b' = σ ⊕ (x' ⊙ r)
– Since f is not an injective function, even with tp, x' may not be equal to x.
– If x' = x, then b' = b.
– If x' ≠ x then b' = b with probability at most ½ since r is randomly chosen.
– The chance that x = x' is at least 1/Q(k). (The size of the pre-image of f is Q(k).)

So

• To prove the theorem, we need a predicate with exponentially small decryption error.
– The predicate is constructed as:
• A polynomial number of p(b) are concatenated to form the final predicate.
– To decrypt b with tp, let b_i' = P-Inv(p, tp, (y_i, r_i, σ_i)). It outputs b', which is 1 if the majority of the b_i' are 1 and 0 otherwise.
– b_i' has decryption error ½ - 1/[2Q(k)]; b has exponentially small decryption error.
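The claim and the repetition step above, run as an added simulation (not code from the slides or the paper). The toy f drops two low bits so that Q = 4; it is not one-way and only models non-injectivity. The masking bit is taken to be the inner product of x and r mod 2, and N_BITS, the seed and all function names are assumptions.

```python
import random

N_BITS = 16   # toy input length (assumption)
Q = 4         # pre-image size of the toy f below

def f(x):
    # Toy many-to-one function: drops the two low bits, so |f^-1(y)| = Q.
    return x >> 2

def f_inv(y):
    # Stand-in for F-Inv(f, tp, y): returns one fixed element of f^-1(y).
    return y << 2

def inner(x, r):
    # Inner product mod 2 of the bit strings x and r.
    return bin(x & r).count("1") & 1

def p(b, rng):
    # Predicate p(b; x, r): output (f(x), r, sigma), sigma = b XOR <x, r>.
    x = rng.getrandbits(N_BITS)
    r = rng.getrandbits(N_BITS)
    return f(x), r, b ^ inner(x, r)

def p_inv(c):
    # P-Inv: x' = F-Inv(y), b' = sigma XOR <x', r>.
    y, r, sigma = c
    return sigma ^ inner(f_inv(y), r)

def encrypt(b, n, rng):
    # Final predicate: n independent copies of p(b), n odd.
    return [p(b, rng) for _ in range(n)]

def decrypt(cs):
    # Majority vote over the individual decryptions b_i'.
    ones = sum(p_inv(c) for c in cs)
    return 1 if 2 * ones > len(cs) else 0

def error_rate(n, trials, seed=1):
    # Empirical decryption error of the n-fold predicate.
    rng = random.Random(seed)
    wrong = 0
    for _ in range(trials):
        b = rng.getrandbits(1)
        wrong += decrypt(encrypt(b, n, rng)) != b
    return wrong / trials

if __name__ == "__main__":
    print("bound 1/2 - 1/(2Q):", 0.5 - 1 / (2 * Q))
    for n in (1, 21, 201):
        print(n, error_rate(n, 2000))
```

With one copy the measured error sits at the bound ½ - 1/(2Q) = 0.375, and it falls off quickly as the number of copies grows.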

Several known results so far.

1. Existence of unapproximable trapdoor predicates is equivalent to the existence of semantically secure public-key encryption.
2. Injective trapdoor one-way functions can be used to construct unapproximable trapdoor predicates.

Question

• Can unapproximable trapdoor predicates be used to construct injective trapdoor one-way functions?
• If it is possible to implement, using one-way functions, a function G with "sufficiently strong randomness properties" to maintain the security of this scheme, then the question would have a positive answer.

• To go from a predicate to a function, we need de-randomization, while maintaining the one-wayness of the function.
– Method 1:
• It is one-way [Yao]. However, it is not a trapdoor function, because even with the trapdoor information, we cannot recover r_1, r_2, …, r_k.
– Method 2:
• Where G is a pseudo-random generator.
• It is proved that f is not one-way either.

• Method 3: Use a truly random function G, i.e., a random oracle.
• To invert f, we need to invert p(b_1; r_1), p(b_2; r_2), …, p(b_k; r_k).
• Even knowing r_1, r_2, r_3, …, r_k, since G is a truly random generator, b_1, b_2, …, b_k are totally independent of r_1, r_2, r_3, …, r_k. And each p is unapproximable, so f is a one-way function.

Theorem: If there exists a family of unapproximable trapdoor predicates, then there exists a family of injective trapdoor one-way functions in the random oracle model.

Conclusion