Advanced Topics in Cryptography January 27 , 2004 Lecture 1 Lecturer : Jonathan Katz Scribe ( s ) : Jonathan Katz 1 Introduction to These Notes

We give two definitions of trapdoor permutations. The first is completely formal, and maps well onto the (conjectured) trapdoor permutations that are used in practice. The second is slightly less formal, but is simpler to use and somewhat easier to understand. Generally speaking, however, proofs of security using the second of the two definitions can be easily modified to work for the first definition as well. (Stronger definitions of trapdoor permutations are sometimes also considered; see [1, 2] for some examples.) We begin with a syntactic definition, and then give a concrete example. Before giving the definition we introduce two pieces of notation. First is the abbreviation ppt which stands for “probabilistic, polynomial-time”. This, of course, refers to algorithms which may make random choices during their execution but which always terminate in a polynomial number of steps. This begs the following question: polynomial in what? To deal with this, we introduce the notion of a security parameter k which will be provided as input to all algorithms. For technical reasons, the security parameter is given in unary and is thus represented as 1. In some sense, as we will see, a larger value of the security parameter results in a “more secure” scheme. (Hopefully, the concrete example that follows will give some more motivation for the purpose of the security parameters.)