Efficient Lossy Trapdoor Functions based on the Composite Residuosity Assumption

Lossy trapdoor functions (Peikert and Waters, STOC ’08) are an intriguing and powerful cryptographic primitive. Their main applications are simple and black-box constructions of chosen-ciphertext secure encryption, as well as collision-resistant hash functions and oblivious transfer. An appealing property of lossy trapdoor functions is the ability to realize them from a variety of number-theoretic assumptions, such as the hardness of the decisional Diffie-Hellman problem, and the worst-case hardness of lattice problems. In this short note we propose a new construction of lossy trapdoor functions based on the Damg̊ard-Jurik encryption scheme (whose security relies on Paillier’s decisional composite residuosity assumption). Our approach also yields a direct construction of all-but-one trapdoor functions, an important ingredient of the Peikert-Waters encryption scheme. The functions we propose enjoy short public descriptions, which in turn yield more efficient encryption schemes. ∗Efi Arazi School of Computer Science, Herzliya Interdisciplinary Center (IDC), Herzliya 46150, Israel. Email: [email protected]. †Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100, Israel. Email: [email protected]. 1 Lossy Trapdoor Functions A collection of lossy trapdoor functions consists of two families of functions. Functions in the first family are injective (and can be inverted using a trapdoor), whereas functions in the second family are lossy, namely the size of their image is significantly smaller than the size of their domain. The only computational requirement is that a description of a randomly chosen function from the first family is computationally indistinguishable from a description of a randomly chosen function from the second family. Definition 1.1 (Lossy trapdoor functions). A collection of (n, `)-lossy trapdoor functions is a triplet of probabilistic polynomial-time algorithms (G,F, F−1) such that: 1. G(1n, injective) outputs a pair (s, td) ∈ {0, 1}n × {0, 1}n. The algorithm F (s, ·) computes an injective function fs(·) over {0, 1}n, and F−1(td, ·) computes f−1 s (·). 2. G(1n, lossy) outputs s ∈ {0, 1}n. The algorithm F (s, ·) computes a function fs(·) over {0, 1}n whose image has size at most 2n−`. 3. The description of functions sampled using G(1n, injective) and G(1n, lossy) are computationally indistinguishable. The encryption scheme of Peikert Waters makes use of an intermediate primitive, called all-butone trapdoor functions. A collection of all-but-one trapdoor functions is associated with a set B, whose members are referred to as branches. The sampling algorithm of the collection receives an additional parameter b∗ ∈ B, called the lossy branch, and outputs a function f(·, ·) and a trapdoor td. The function f has the property that for any branch b 6= b∗ the function f(b, ·) is injective (and can be inverted using td), but the function f(b∗, ·) is lossy. Moreover, the lossy branch b∗ is computationally hidden. We refer the reader to [3] for a discussion on the relationship between lossy trapdoor functions and all-but-one trapdoor functions. Definition 1.2 (All-but-one trapdoor functions). A collection of (n, `)-all-but-one trapdoor functions is a triplet of probabilistic polynomial-time algorithms (G,F, F−1) and a sequence of branch sets B = {Bn} such that: 1. Given b∗ ∈ Bn the algorithm G(1n, b∗) outputs a pair (s, td) ∈ {0, 1}n × {0, 1}n. For every b ∈ Bn \ {b∗} the algorithm F (s, b, ·) computes an injective function fs,b(·) over {0, 1}n, and F−1(td, b, ·) computes f−1 s,b (·). The algorithm F (s, b∗, ·) computes a function fs,b∗(·) over {0, 1}n whose image has size at most 2n−`. 2. For any b1, b ∗ 2 ∈ Bn the description of functions sampled using G(1n, b1) and G(1n, b2) are computationally indistinguishable.