Editing Trapdoor function

{{Short description|One-way cryptographic tool}}
{{about|the mathematical cryptography function|the method of bypassing security|Backdoor (computing)}}
{{refimprove|date=July 2013}}
[[File:Trapdoor permutation.svg|300px|thumb|The idea of trapdoor function. A trapdoor function ''f'' with its trapdoor ''t'' can be generated by an algorithm '''Gen'''. ''f'' can be efficiently computed, i.e., in probabilistic [[polynomial time]]. However, the computation of the inverse of ''f'' is generally hard, unless the trapdoor ''t'' is given.<ref>Ostrovsky, pp. 6–9</ref>]]

In [[theoretical computer science]] and [[cryptography]], a '''trapdoor function''' is a [[function (mathematics)|function]] that is easy to compute in one direction, yet difficult to compute in the opposite direction (finding its [[Inverse function|inverse]]) without special information, called the "trapdoor". Trapdoor functions are a special case of [[one-way function]]s and are widely used in [[public-key cryptography]].<ref>{{Cite book|last=Bellare|first=M|title=Advances in Cryptology — CRYPTO '98|chapter=Many-to-one trapdoor functions and their relation to public-key cryptosystems|series=Lecture Notes in Computer Science|date=June 1998|volume=1462|pages=283–298|doi=10.1007/bfb0055735 |isbn=978-3-540-64892-5|s2cid=215825522}}</ref>

In mathematical terms, if ''f'' is a trapdoor function, then there exists some secret information ''t'', such that given ''f''(''x'') and ''t'', it is easy to compute ''x''. Consider a [[padlock]] and its key. It is trivial to change the padlock from open to closed without using the key, by pushing the shackle into the lock mechanism. Opening the padlock easily, however, requires the key to be used. Here the key ''t'' is the trapdoor and the padlock is the trapdoor function.

An example of a simple mathematical trapdoor is "6895601 is the product of two prime numbers.  What are those numbers?" A typical "[[Brute-force attack|brute-force]]" solution would be to try dividing 6895601 by many prime numbers until finding the answer. However, if one is told that 1931 is one of the numbers, one can find the answer by entering "6895601 ÷ 1931" into any calculator. This example is not a sturdy trapdoor function – modern computers can guess all of the possible answers within a second – but this sample problem could be improved by [[Integer factorization|using the product of two much larger primes]].

Trapdoor functions came to prominence in [[cryptography]] in the mid-1970s with the publication of [[Asymmetric key algorithm|asymmetric (or public-key) encryption]] techniques by [[Whitfield Diffie|Diffie]], [[Martin Hellman|Hellman]], and [[Ralph Merkle|Merkle]]. Indeed, {{harvtxt|Diffie|Hellman|1976}} coined the term. Several function classes had been proposed, and it soon became obvious that trapdoor functions are harder to find than was initially thought. For example, an early suggestion was to use schemes based on the [[subset sum problem]]. This turned out rather quickly to be unsuitable.

{{As of|2004}}, the best known trapdoor function (family) candidates are the [[RSA (algorithm)|RSA]] and [[Rabin cryptosystem|Rabin]] families of functions.  Both are written as exponentiation modulo a composite number, and both are related to the problem of [[prime factorization]].

Functions related to the hardness of the [[discrete logarithm problem]] (either modulo a prime or in a group defined over an [[Elliptic curve cryptography|elliptic curve]]) are ''not'' known to be trapdoor functions, because there is no known "trapdoor" information about the group that enables the efficient computation of discrete logarithms.

A trapdoor in cryptography has the very specific aforementioned meaning and is not to be confused with a [[Backdoor (computing)|backdoor]] (these are frequently used interchangeably, which is incorrect). A backdoor is a deliberate mechanism that is added to a cryptographic algorithm (e.g., a key pair generation algorithm, digital signing algorithm, etc.) or operating system, for example, that permits one or more unauthorized parties to bypass or subvert the security of the system in some fashion.

==Definition==

A '''trapdoor function''' is a collection of [[one-way function]]s { ''f''<sub>''k''</sub> : ''D''<sub>''k''</sub> → ''R''<sub>''k''</sub> } (''k'' ∈ ''K''), in which all of ''K'', ''D''<sub>''k''</sub>, ''R''<sub>''k''</sub> are subsets of binary strings {0, 1}<sup>*</sup>, satisfying the following conditions:
* There exists a probabilistic polynomial time (PPT) ''sampling'' algorithm Gen s.t. Gen(1<sup>''n''</sup>) = (''k'', ''t''<sub>''k''</sub>) with ''k'' ∈ ''K'' ∩ {0, 1}<sup>''n''</sup> and ''t''<sub>''k''</sub> ∈ {0, 1}<sup>*</sup> satisfies | ''t''<sub>''k''</sub> | < ''p'' (''n''), in which ''p'' is some polynomial. Each ''t''<sub>''k''</sub> is called the ''trapdoor'' corresponding to ''k''. Each trapdoor can be efficiently sampled.
* Given input ''k'', there also exists a PPT algorithm that outputs ''x'' ∈ ''D''<sub>''k''</sub>. That is, each ''D''<sub>''k''</sub> can be efficiently sampled.
* For any ''k'' ∈ ''K'', there exists a PPT algorithm that correctly computes ''f''<sub>''k''</sub>.
* For any ''k'' ∈ ''K'', there exists a PPT algorithm ''A'' s.t. for any ''x'' ∈ ''D''<sub>''k''</sub>, let ''y'' = ''A'' ( ''k'', ''f''<sub>''k''</sub>(''x''), ''t''<sub>''k''</sub> ), and then we have ''f''<sub>''k''</sub>(''y'') = ''f''<sub>''k''</sub>(''x''). That is, given trapdoor, it is easy to invert.
* For any ''k'' ∈ ''K'', without trapdoor ''t''<sub>''k''</sub>, for any PPT algorithm, the probability to correctly invert ''f''<sub>''k''</sub> (i.e., given ''f''<sub>''k''</sub>(''x''), find a pre-image ''x' '' such that ''f''<sub>''k''</sub>(''x' '') = ''f''<sub>''k''</sub>(''x'')) is negligible.<ref>Pass's Notes, def. 56.1</ref><ref>Goldwasser's lecture notes, def. 2.16</ref><ref>Ostrovsky, pp. 6–10, def. 11</ref>

If each function in the collection above is a one-way permutation, then the collection is also called a '''trapdoor permutation'''.<ref>Pass's notes, def 56.1; Dodis's def 7, lecture 1.</ref>

==Examples==
In the following two examples, we always assume that it is difficult to factorize a large composite number (see [[Integer factorization]]).

===RSA assumption===

In this example, the inverse <math>d</math> of <math>e</math> modulo <math>\phi(n)</math> ([[Euler's totient function]] of <math>n</math>) is the trapdoor:

: <math>f(x) = x^e \mod n.</math>

If the factorization of <math>n=pq</math> is known, then <math>\phi(n)=(p-1)(q-1)</math> can be computed. With this the inverse <math>d</math> of <math>e</math> can be computed <math>d = e^{-1} \mod{\phi(n)}</math>, and then given <math>y = f(x)</math>, we can find <math>x = y^d \mod n = x^{ed} \mod n = x \mod n</math>.
Its hardness follows from the RSA assumption.<ref>Goldwasser's lecture notes, 2.3.2; Lindell's notes, p. 17, Ex. 1.</ref>

===Rabin's quadratic residue assumption===

Let <math>n</math> be a large composite number such that <math>n = pq</math>, where <math>p</math> and <math>q</math> are large primes such that <math>p \equiv 3 \pmod{4}, q \equiv 3 \pmod{4}</math>, and kept confidential to the adversary. The problem is to compute <math>z</math> given <math>a</math> such that <math>a \equiv z^2 \pmod{n}</math>. The trapdoor is the factorization of <math>n</math>. With the trapdoor, the solutions of ''z'' can be given as <math>cx + dy, cx - dy, -cx + dy, -cx - dy</math>, where <math>a \equiv x^2 \pmod{p}, a \equiv y^2 \pmod{q}, c \equiv 1 \pmod{p}, c \equiv 0 \pmod{q}, d \equiv 0 \pmod{p}, d \equiv 1 \pmod{q}</math>. See [[Chinese remainder theorem]] for more details. Note that given primes <math>p</math> and <math>q</math>, we can find <math>x \equiv a^{\frac{p+1}{4}} \pmod{p}</math> and <math>y \equiv a^{\frac{q+1}{4}} \pmod{q}</math>. Here the conditions <math>p \equiv 3 \pmod{4}</math> and <math>q \equiv 3 \pmod{4}</math> guarantee that the solutions <math>x</math> and <math>y</math> can be well defined.<ref>Goldwasser's lecture notes, 2.3.4.</ref>

==See also==
* [[One-way function]]

==Notes==
{{reflist|2}}

==References==
*{{citation|first1=W.|last1=Diffie|author1-link=Whitfield Diffie|first2=M.|last2=Hellman|author2-link=Martin Hellman|title=New directions in cryptography|journal=[[IEEE Transactions on Information Theory]]|volume=22|issue=6|pages=644–654|year=1976|doi=10.1109/TIT.1976.1055638|url=http://www-ee.stanford.edu/~hellman/publications/24.pdf|citeseerx=10.1.1.37.9720}}
*{{citation|last1=Pass|first1=Rafael|title=A Course in Cryptography|url=https://www.cs.cornell.edu/courses/cs4830/2010fa/lecnotes.pdf|access-date=27 November 2015}}
*{{citation|last1=Goldwasser|first1=Shafi|title=Lecture Notes on Cryptography|url=https://cseweb.ucsd.edu/~mihir/papers/gb.pdf|access-date=25 November 2015}}
*{{citation|last1=Ostrovsky|first1=Rafail|title=Foundations of Cryptography|url=http://web.cs.ucla.edu/~rafail/PUBLIC/OstrovskyDraftLecNotes2010.pdf|access-date=27 November 2015}}
*{{citation|last1=Dodis|first1=Yevgeniy|title=Introduction to Cryptography Lecture Notes (Fall 2008)|url=http://www.cs.nyu.edu/courses/fall08/G22.3210-001/index.html|access-date=17 December 2015}}
*{{citation|last1=Lindell|first1=Yehuda|title=Foundations of Cryptography|url=http://u.cs.biu.ac.il/~lindell/89-856/complete-89-856.pdf|access-date=17 December 2015}}

{{Cryptography public-key}}

[[Category:Theory of cryptography]]
[[Category:Cryptographic primitives]]