Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Trapdoor function
open-in-new
<h2 id="definition">Definition</h2> <p>A trapdoor function is a collection of <a href="/facts/One-way_function/rGtcumDW">one-way functions</a> { <i>f</i><i>k</i> : <i>D</i><i>k</i> → <i>R</i><i>k</i> } (<i>k</i> ∈ <i>K</i>), in which all of <i>K</i>, <i>D</i><i>k</i>, <i>R</i><i>k</i> are subsets of binary strings {0, 1}*, satisfying the following conditions: </p> <ul><li>There exists a probabilistic polynomial time (PPT) <i>sampling</i> algorithm Gen s.t. Gen(1<i>n</i>) = (<i>k</i>, <i>t</i><i>k</i>) with <i>k</i> ∈ <i>K</i> ∩ {0, 1}<i>n</i> and <i>t</i><i>k</i> ∈ {0, 1}* satisfies | <i>t</i><i>k</i> | < <i>p</i> (<i>n</i>), in which <i>p</i> is some polynomial. Each <i>t</i><i>k</i> is called the <i>trapdoor</i> corresponding to <i>k</i>. Each trapdoor can be efficiently sampled.</li> <li>Given input <i>k</i>, there also exists a PPT algorithm that outputs <i>x</i> ∈ <i>D</i><i>k</i>. That is, each <i>D</i><i>k</i> can be efficiently sampled.</li> <li>For any <i>k</i> ∈ <i>K</i>, there exists a PPT algorithm that correctly computes <i>f</i><i>k</i>.</li> <li>For any <i>k</i> ∈ <i>K</i>, there exists a PPT algorithm <i>A</i> s.t. for any <i>x</i> ∈ <i>D</i><i>k</i>, let <i>y</i> = <i>A</i> ( <i>k</i>, <i>f</i><i>k</i>(<i>x</i>), <i>t</i><i>k</i> ), and then we have <i>f</i><i>k</i>(<i>y</i>) = <i>f</i><i>k</i>(<i>x</i>). That is, given trapdoor, it is easy to invert.</li> <li>For any <i>k</i> ∈ <i>K</i>, without trapdoor <i>t</i><i>k</i>, for any PPT algorithm, the probability to correctly invert <i>f</i><i>k</i> (i.e., given <i>f</i><i>k</i>(<i>x</i>), find a pre-image <i>x' </i> such that <i>f</i><i>k</i>(<i>x' </i>) = <i>f</i><i>k</i>(<i>x</i>)) is negligible.<a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a><a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a><a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a></li></ul> <p>If each function in the collection above is a one-way permutation, then the collection is also called a trapdoor permutation.<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a> </p> <h2 id="examples">Examples</h2> <p>In the following two examples, we always assume that it is difficult to factorize a large composite number (see <a href="/facts/Integer_factorization/EjMCTz2t">Integer factorization</a>). </p> <h3>RSA assumption</h3> <p>In this example, the inverse d {\displaystyle d} of e {\displaystyle e} modulo ϕ ( n ) {\displaystyle \phi (n)} (<a href="/facts/Euler%2527s_totient_function/mIQwXYzj">Euler's totient function</a> of n {\displaystyle n} ) is the trapdoor: </p> f ( x ) = x e mod n . {\displaystyle f(x)=x^{e}\mod n.} <p>If the factorization of n = p q {\displaystyle n=pq} is known, then ϕ ( n ) = ( p − 1 ) ( q − 1 ) {\displaystyle \phi (n)=(p-1)(q-1)} can be computed. With this the inverse d {\displaystyle d} of e {\displaystyle e} can be computed d = e − 1 mod ϕ ( n ) {\displaystyle d=e^{-1}\mod {\phi (n)}} , and then given y = f ( x ) {\displaystyle y=f(x)} , we can find x = y d mod n = x e d mod n = x mod n {\displaystyle x=y^{d}\mod n=x^{ed}\mod n=x\mod n} . Its hardness follows from the RSA assumption.<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> </p> <h3>Rabin's quadratic residue assumption</h3> <p>Let n {\displaystyle n} be a large composite number such that n = p q {\displaystyle n=pq} , where p {\displaystyle p} and q {\displaystyle q} are large primes such that p ≡ 3 ( mod 4 ) , q ≡ 3 ( mod 4 ) {\displaystyle p\equiv 3{\pmod {4}},q\equiv 3{\pmod {4}}} , and kept confidential to the adversary. The problem is to compute z {\displaystyle z} given a {\displaystyle a} such that a ≡ z 2 ( mod n ) {\displaystyle a\equiv z^{2}{\pmod {n}}} . The trapdoor is the factorization of n {\displaystyle n} . With the trapdoor, the solutions of <i>z</i> can be given as c x + d y , c x − d y , − c x + d y , − c x − d y {\displaystyle cx+dy,cx-dy,-cx+dy,-cx-dy} , where a ≡ x 2 ( mod p ) , a ≡ y 2 ( mod q ) , c ≡ 1 ( mod p ) , c ≡ 0 ( mod q ) , d ≡ 0 ( mod p ) , d ≡ 1 ( mod q ) {\displaystyle a\equiv x^{2}{\pmod {p}},a\equiv y^{2}{\pmod {q}},c\equiv 1{\pmod {p}},c\equiv 0{\pmod {q}},d\equiv 0{\pmod {p}},d\equiv 1{\pmod {q}}} . See <a href="/facts/Chinese_remainder_theorem/7wwFIkuV">Chinese remainder theorem</a> for more details. Note that given primes p {\displaystyle p} and q {\displaystyle q} , we can find x ≡ a p + 1 4 ( mod p ) {\displaystyle x\equiv a^{\frac {p+1}{4}}{\pmod {p}}} and y ≡ a q + 1 4 ( mod q ) {\displaystyle y\equiv a^{\frac {q+1}{4}}{\pmod {q}}} . Here the conditions p ≡ 3 ( mod 4 ) {\displaystyle p\equiv 3{\pmod {4}}} and q ≡ 3 ( mod 4 ) {\displaystyle q\equiv 3{\pmod {4}}} guarantee that the solutions x {\displaystyle x} and y {\displaystyle y} can be well defined.<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a> </p> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/One-way_function/rGtcumDW">One-way function</a></li></ul> <h2 id="notes">Notes</h2> <ul><li><a href="/facts/Whitfield_Diffie/oDKz7ChA">Diffie, W.</a>; <a href="/facts/Martin_Hellman/QCxKCFgn">Hellman, M.</a> (1976), <a href="http://www-ee.stanford.edu/~hellman/publications/24.pdf">"New directions in cryptography"</a> (PDF), <i><a href="/facts/IEEE_Transactions_on_Information_Theory/NbsWT0E4">IEEE Transactions on Information Theory</a></i>, 22 (6): 644–654, <a href="/facts/CiteSeerX_(identifier)/SceDmd3c">CiteSeerX</a> <a href="https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.37.9720">10.1.1.37.9720</a>, <a href="/facts/Doi_(identifier)/muM9Etpq">doi</a>:<a href="https://doi.org/10.1109%2FTIT.1976.1055638">10.1109/TIT.1976.1055638</a></li> <li>Pass, Rafael, <a href="https://www.cs.cornell.edu/courses/cs4830/2010fa/lecnotes.pdf"><i>A Course in Cryptography</i></a> (PDF), retrieved 27 November 2015</li> <li>Goldwasser, Shafi, <a href="https://cseweb.ucsd.edu/~mihir/papers/gb.pdf"><i>Lecture Notes on Cryptography</i></a> (PDF), retrieved 25 November 2015</li> <li>Ostrovsky, Rafail, <a href="http://web.cs.ucla.edu/~rafail/PUBLIC/OstrovskyDraftLecNotes2010.pdf"><i>Foundations of Cryptography</i></a> (PDF), retrieved 27 November 2015</li> <li>Dodis, Yevgeniy, <a href="http://www.cs.nyu.edu/courses/fall08/G22.3210-001/index.html"><i>Introduction to Cryptography Lecture Notes (Fall 2008)</i></a>, retrieved 17 December 2015</li> <li>Lindell, Yehuda, <a href="http://u.cs.biu.ac.il/~lindell/89-856/complete-89-856.pdf"><i>Foundations of Cryptography</i></a> (PDF), retrieved 17 December 2015</li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Bellare, M (June 1998). "Many-to-one trapdoor functions and their relation to public-key cryptosystems". Advances in Cryptology — CRYPTO '98. Lecture Notes in Computer Science. Vol. 1462. pp. 283–298. doi:10.1007/bfb0055735. ISBN 978-3-540-64892-5. S2CID 215825522. <a href="978-3-540-64892-5" target="_blank">978-3-540-64892-5</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Pass's Notes, def. 56.1 <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>Goldwasser's lecture notes, def. 2.16 <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Ostrovsky, pp. 6–10, def. 11 <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>Pass's notes, def 56.1; Dodis's def 7, lecture 1. <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>Goldwasser's lecture notes, 2.3.2; Lindell's notes, p. 17, Ex. 1. <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>Goldwasser's lecture notes, 2.3.4. <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> </ol>