Certifying Trapdoor Permutations, Revisited

The modeling of trapdoor permutations has evolved over the years. Indeed, finding an appropriate abstraction that bridges between the existing candidate constructions and the needs of applications has proved to be challenging. In particular, the notions of certifying permutations (Bellare and Yung, 96), enhanced and doubly enhanced trapdoor permutations (Goldreich, 04, 08, 11, Goldreich and Rothblum, 13) were added to bridge the gap between the modeling of trapdoor permutations and needs of applications. We identify an additional gap between the current modeling of trapdoor permutations and their classic use in non-interactive zero-knowledge (NIZK) proof systems: Previous works implicitly assumed that it is easy to recognize elements in the domain, as well as uniformly sample from it, even for illegitimate function indices. To demonstrate this gap, we instantiate the Feige-Lapidot-Shamir NIZK protocol together with Bellare-Yung certification using the (Bitansky-Paneth-Wichs, 15) doubly-enhanced trapdoor permutation family, and show that this results in an unsound proof system. We propose a general notion of certifiably injective doubly enhanced trapdoor functions, and show that it suffices for implementing the FLS paradigm. We then show two very different ways to realize this notion: One is via the traditional method of RSA/Rabin with the Bellare-Yung certification mechanism, and the other using indistinguishability obfuscation and injective pseudorandom generators. In particular the latter is the first candidate trapdoor permutation from assumptions other than factoring, that suffices for the FLS paradigm.