The classical One-Way Trapdoor Permutation is RSA. The permutation that it implements on a set of $n$ elements¹ is invertible by an adversary knowing only the public key with work $w$ conjecturally² such that $$\log w=\Theta\left(\left(\log n\right)^{1/3}\left(\log\log n\right)^{2/3}\right)$$

Is any other One-Way Trapdoor Permutation known with faster asymptotic growth of $\log w$ w.r.t. $\log n$, and still efficiently computable in both directions in time polynomial w.r.t. $\log n$?

I'd be surprised if the answer was yes with modular arithmetic or plain Elliptic Curve over a finite field; but I can't tell for pairings or other constructs.


¹ and a particularly nice one: $[0,n)$; but don't make that an absolute requirement.

² assuming in particular that GNFS remains the best attack, and that the first coefficient of its currently conjectured cost $L_n\left[1/3,\sqrt[3]{64/9}\,\right]$ is not improved.

fgrieu
  • I think the only known trapdoor one-way permutations are based on either hardness of factoring (RSA, Paillier), or indistinguishability obfuscation (iO). So the answer to your question would be “no,” with the proviso that it could become “yes” if iO ever becomes efficient enough relative to its security. – Chris Peikert May 28 '20 at 01:59
  • @Chris Peikert: that would make a nice answer, perhaps explaining in what sense iO implements OWTP. – fgrieu May 28 '20 at 05:37
  • I believe he is referring to this paper which constructs OWTP from iO and one-way functions. – ckamath May 28 '20 at 12:24
