Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems

1
Many-to-one Trapdoor Functions and their
Relations to Public-key Cryptosystems

• M. Bellare S. Halevi
• A. Saha S. Vadhan

2
Introduction

• One-way function
• Easy to compute, hard to invert
• Trapdoor function
• One-way function
• Hard to invert but with trapdoor, easy to
  invert.
• Injective (one-to-one) trapdoor function suffices
  for a public key cryptosystem. (Proved by Yao)
• Injectivity can guarantee the unique decryption

3
Several questions arise

• Whats the relationship between one-way function
  and trapdoor function?
• Does one-way function imply trapdoor function?
• Does a public key cryptosystem requires an
  injective trapdoor function?
• Is a non-injective trapdoor function able to
  construct a public key cryptosystem?
• If yes, what is the domain size of such a
  non-injective trapdoor function?

4
Definitions

• PPT
• Probabilistic, polynomial time
• xy
• Concatenation of two strings x and y
• x ? S
• Select an element from the set S.
• Pre-images of y under a function f
• f -1(y) x? Dom(f) f(x) y.
• Injective
• A function is said to be injective if Dom(f)
  Range(f).
• One-wayness
• An function is said to be on-way if InvProbf(I,k)
  is negligible for any PPT algorithm I.

5

• Trapdoorness
• A function f is said to be trapdoor if with
  knowing trapdoor information tp, one can invert
  f.
• Formally, there exists a PPT algorithm F Inv (f,
  tp, y) for all y? Range(f), which outputs an
  element of f -1(y) with probability 1.
• Predicate
• A probabilistic function with domain 0,1, p,
  takes a bit b and flips coins r to generate some
  output y p(br).
• Decryption error ?(k) of a predicate
• If there exists a PPT algorithm P-Inv, which with
  knowing trapdoor fails to decrypt only with
  probability
• is at most ?(k)

6
From on-way function to trapdoor functions

• Theorem Suppose there exists a family of one-way
  functions. Then there exists a family of
  trapdoor, one-way functions.
• Proof Given a family of one-way functions,
  construct a family of trapdoor one-way functions.
• Given f, we construct a g which mimics f but
  embeds a trapdoor.
• ? f(?), where ? is trapdoor of g, and ? is the
  image of the trapdoor ? under f.
• Is g a one-way trapdoor function?
• If knowing ?, a pre-image of z under g is (z, ?,
  ?). So knowing trapdoor, one can invert g. g is a
  trapdoor function.
• Without knowing ?, can we invert g?
• If g(y,x, v) z then either f(v) z or f(x) ?
  . To calculate g-1(z) requires inverting f at
  either z or ? , both of which are hard by
  one-wayness of f.
• g is one-way function.
• g is one-way trapdoor function.

7
Does a public key cryptosystem requires an
injective trapdoor function?

• Unapproximable trapdoor predicates and
  semantically secure public key cryptosystems are
  equivalent.
• So the question becomes whether unapproximable
  trapdoor predicates imply injective trapdoor
  functions.

8
From trapdoor functions to cryptosystem

• Theorem If there exist trapdoor one-way function
  families with polynomially bounded pre-image
  size, then there exists a family of
  unapproximable trapdoor predicates with
  exponentially small decryption error.
• Proof Given a trapdoor one-way function F,
  construct an unapproximable family of trapdoor
  predicates P with decryption error ½ - 1/poly(k),
  and reduce the decryption error by repetition to
  get the the family claimed in the theorem.

9

• Claim p is an unapproximable trapdoor predicate
  family, with decryption error at most ½ -
  1/2Q(k)
• The output of p is (f(x),r, ?)
• b ? ? (x r)
• x F-Inv(f,tp,y) and b ? ? (x r)
• Since f is not injective function, even with tp,
  x may not be equal to x.
• If x x, then bb.
• If x?x then bb with probability at most ½
  since r is random chosen. The chance that x x
  is at least 1/Q(k) ( The size of pre-image of f
  is Q(k)).
• So

10

• To prove the theorem, we need a predicate with
  exponentially small decryption error.
• The predicate is constructed as
• Polynomial number of p(b) are concatenated to
  form a final predicate.
• To decrypt b with tp, let bi P-Inv (p, tp,
  (yi, ri, ?i)). It outputs b which is 1 if the
  majority of the bi are 1 and 0 otherwise.
• bi has decryption error ½ - 1/2Q(k), b has
  exponentially decryption error.

11
Several known results so far.

1. Existence of unapproximable trapdoor predicates
   is equivalent to the existence of semantically
   secure public-key encryption.
2. Injective trapdoor one-way function can be used
   to construct unapproximable trapdoor predicates.

Question

• Can unapproximable trapdoor predicates be used to
  construct injective trapdoor one-way functions?
• If it is possible to implement using one-way
  functions a function G with sufficiently strong
  randomness properties to maintain the security
  of this scheme, then the question would have a
  positive answer.

12

• From a predicate to a function, we need to
  de-randomization, meanwhile maintaining the
  one-wayness of the function.
• Method 1
• It is one-way Yao. However, it is not a
  trapdoor function, because even with the trapdoor
  information, we cannot recover r1,r2,rk.
• Method 2
• Where G is a pseudo-random generator.
• It is proved that f is not one-way either.

13

• Method 3 Use a truly random function G, ie., a
  random oracle.
• To invert f, we need to invert p(b1r1), p(b2
  r2), p(bk rk).
• Even knowing r1, r2, r3,rk, since G is truly
  random generator, b1, b2, bk are totally
  independent with r1, r2, r3,rk. And each p is
  unapproximable,so f is one-way function.
• Theorem If there exists a family of
  unapproximable trapdoor predicates, then there
  exists a family of injective trapdoor one-way
  functions in the random oracle model.

14
Conclusion