Certifying Trapdoor Permutations, Revisited

  • Ran CanettiEmail author
  • Amit LichtenbergEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11239)


The modeling of trapdoor permutations has evolved over the years. Indeed, finding an appropriate abstraction that bridges between the existing candidate constructions and the needs of applications has proved to be challenging. In particular, the notions of certifying permutations (Bellare and Yung, 96), enhanced and doubly enhanced trapdoor permutations (Goldreich, 04, 08, 11, Goldreich and Rothblum, 13) were added to bridge the gap between the modeling of trapdoor permutations and needs of applications. We identify an additional gap in the current abstraction of trapdoor permutations: Previous works implicitly assumed that it is easy to recognize elements in the domain, as well as uniformly sample from it, even for illegitimate function indices. We demonstrate this gap by using the (Bitansky-Paneth-Wichs, 16) doubly-enhanced trapdoor permutation family to instantiate the Feige-Lapidot-Shamir (FLS) paradigm for constructing non-interactive zero-knowledge (NIZK) protocols, and show that the resulting proof system is unsound. To close the gap, we propose a general notion of certifiably injective doubly enhanced trapdoor functions (DECITDFs), which provides a way of certifying that a given key defines an injective function over the domain defined by it, even when that domain is not efficiently recognizable and sampleable. We show that DECITDFs suffice for instantiating the FLS paradigm; more generally, we argue that certifiable injectivity is needed whenever the generation process of the function is not trusted. We then show two very different ways to construct DECITDFs: One is via the traditional method of RSA/Rabin with the Bellare-Yung certification mechanism, and the other using indistinguishability obfuscation and injective pseudorandom generators. In particular the latter is the first candidate injective trapdoor function, from assumptions other than factoring, that suffices for the FLS paradigm. Finally we observe that a similar gap appears also in other paths proposed in the literature for instantiating the FLS paradigm, specifically via verifiable pseudorandom generators and verifiable pseudorandom functions. Closing the gap there can be done in similar ways to the ones proposed here.


Non-interactive zero-knowledge Trapdoor permutations Indistinguishability obfuscation 



We thank Oded Goldreich and Ron Rothblum for their very useful comments.


  1. [Abu13]
    Abusalah, H.: Generic instantiations of the hidden bits model for non-interactive zero-knowledge proofs for np. Master’s thesis, RWTH-Aachen (2013)Google Scholar
  2. [BFM88]
    Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, pp. 103–112. ACM (1988)Google Scholar
  3. [BG84]
    Blum, M., Goldwasser, S.: An Efficient probabilistic public-key encryption scheme which hides all partial information. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 289–299. Springer, Heidelberg (1985). Scholar
  4. [BG90]
    Bellare, M., Goldwasser, S.: New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 194–211. Springer, New York (1990). Scholar
  5. [BGI+01]
    Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). Scholar
  6. [BGI14]
    Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014). Scholar
  7. [BGRV09]
    Brakerski, Z., Goldwasser, S., Rothblum, G.N., Vaikuntanathan, V.: Weak verifiable random functions. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 558–576. Springer, Heidelberg (2009). Scholar
  8. [Bon98]
    Boneh, D.: The decision Diffie-Hellman problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998). Scholar
  9. [BP15]
    Bitansky, N., Paneth, O.: ZAPs and non-interactive witness indistinguishability from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 401–427. Springer, Heidelberg (2015). Scholar
  10. [BPW16]
    Bitansky, N., Paneth, O., Wichs, D.: Perfect structure on the edge of chaos. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 474–502. Springer, Heidelberg (2016). Scholar
  11. [BSMP91]
    Blum, M., De Santis, A., Micali, S., Persiano, G.: Noninteractive zero-knowledge. SIAM J. Comput. 20(6), 1084–1118 (1991)MathSciNetCrossRefGoogle Scholar
  12. [BW13]
    Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013). Scholar
  13. [BY96]
    Bellare, M., Yung, M.: Certifying permutations: noninteractive zero-knowledge based on any trapdoor permutation. J. Cryptol. 9(3), 149–166 (1996)MathSciNetCrossRefGoogle Scholar
  14. [CFGP05]
    Chevassut, O., Fouque, P.-A., Gaudry, P., Pointcheval, D.: Key derivation and randomness extraction. IACR Cryptology ePrint Archive 2005:61 (2005)Google Scholar
  15. [CHK03]
    Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003). Scholar
  16. [CL17]
    Canetti, R., Lichtenberg, A.: Certifying trapdoor permutations, revisited. Cryptology ePrint Archive, Report 2017/631 (2017).
  17. [CS03]
    Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)MathSciNetCrossRefGoogle Scholar
  18. [DH76]
    Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)MathSciNetCrossRefGoogle Scholar
  19. [DN00]
    Dwork, C., Naor, M.: Zaps and their applications. In: Proceedings of 41st Annual Symposium on Foundations of Computer Science, pp. 283–293. IEEE (2000)Google Scholar
  20. [EGL85]
    Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985)MathSciNetCrossRefGoogle Scholar
  21. [FLS90]
    Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs based on a single random string. In: Proceedings of 31st Annual Symposium on Foundations of Computer Science, pp. 308–317. IEEE (1990)Google Scholar
  22. [GGM86]
    Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM (JACM) 33(4), 792–807 (1986)MathSciNetCrossRefGoogle Scholar
  23. [GL89]
    Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, pp. 25–32. ACM (1989)Google Scholar
  24. [GM84]
    Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)MathSciNetCrossRefGoogle Scholar
  25. [GO92]
    Goldwasser, S., Ostrovsky, R.: Invariant signatures and non-interactive zero-knowledge proofs are equivalent. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 228–245. Springer, Heidelberg (1993). Scholar
  26. [Gol98]
    Goldreich, O.: Foundation of cryptography, February 1995Google Scholar
  27. [Gol04]
    Goldreich, O.: Foundations of Cryptography. Basic Applications, vol. 2 (2004)Google Scholar
  28. [Gol08]
    Goldreich, O.: Computational complexity: a conceptual perspective. ACM SIGACT News 39(3), 35–39 (2008)CrossRefGoogle Scholar
  29. [Gol11]
    Goldreich, O.: Basing non-interactive zero-knowledge on (enhanced) trapdoor permutations: the state of the art. In: Goldreich, O. (ed.) Studies in Complexity and Cryptography. Miscellanea on the Interplay between Randomness and Computation. LNCS, vol. 6650, pp. 406–421. Springer, Heidelberg (2011). Scholar
  30. [GOS06]
    Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006). Scholar
  31. [GOS12]
    Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zero-knowledge. J. ACM (JACM) 59(3), 11 (2012)MathSciNetCrossRefGoogle Scholar
  32. [GR13]
    Goldreich, O., Rothblum, R.D.: Enhancements of trapdoor permutations. J. Cryptol. 26(3), 484–512 (2013)MathSciNetCrossRefGoogle Scholar
  33. [GS08]
    Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). Scholar
  34. [KPTZ13]
    Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 669–684. ACM (2013)Google Scholar
  35. [KSS00]
    Kahn, J., Saks, M., Smyth, C.: A dual version of Reimer’s inequality and a proof of Rudich’s conjecture. In: Proceedings of 15th Annual IEEE Conference on Computational Complexity, pp. 98–103. IEEE (2000)Google Scholar
  36. [MM11]
    Matsuda, T., Matsuura, K.: On black-box separations among injective one-way functions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 597–614. Springer, Heidelberg (2011). Scholar
  37. [Rab79]
    Rabin, M.O.: Digitalized signatures and public-key functions as intractable as factorization. Technical report, DTIC Document (1979)Google Scholar
  38. [Rot10]
    Rothblum, R.: A taxonomy of enhanced trapdoor permutations. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 17, p. 145 (2010)Google Scholar
  39. [RSA78]
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)MathSciNetCrossRefGoogle Scholar
  40. [Rud84]
    Rudich, S.: Limits on the provable consequences of one-way functions. Ph.D. thesis, Wesleyan University (1984)Google Scholar
  41. [SW14]
    Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Proceedings of the Forty-Sixth Annual ACM Symposium on Theory of Computing, pp. 475–484. ACM (2014)Google Scholar
  42. [Yao82]
    Yao, A.C.: Theory and application of trapdoor functions. In: 23rd Annual Symposium on Foundations of Computer Science, SFCS 2008, pp. 80–91. IEEE (1982)Google Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. 1.Boston UniversityBostonUSA
  2. 2.Tel Aviv UniversityTel AvivIsrael

Personalised recommendations