## CryptoDB

### Paper: How to Build a Trapdoor Function from an Encryption Scheme

Authors: Sanjam Garg , UC Berkeley and NTT Research Mohammad Hajiabadi , University of Waterloo Giulio Malavolta , Max Planck Institute for Security and Privacy Rafail Ostrovsky , UCLA DOI: 10.1007/978-3-030-92078-4_8 Search ePrint Search Google ASIACRYPT 2021 In this work we ask the following question: Can we transform any encryption scheme into a trapdoor function (TDF)? Alternatively stated, can we make any encryption scheme randomness recoverable? We propose a generic compiler that takes as input any encryption scheme with pseudorandom ciphertexts and adds a trapdoor to invert the encryption, recovering also the random coins. This universal TDFier only assumes in addition the existence of a hinting pseudorandom generator (PRG). Despite the simplicity, our transformation is quite general and we establish a series of new feasibility results: - The first identity-based TDF [Bellare et al. EUROCRYPT 2012] from the CDH assumption in pairing-free groups (or from factoring), thus matching the state of the art for identity-based encryption schemes. Prior works required pairings or LWE. - The first collusion-resistant attribute-based TDF (AB-TDF) for all ($NC^1$, resp.) circuits from LWE (bilinear maps, resp.). Moreover, the first single-key AB-TDF from CDH. To the best of our knowledge, no AB-TDF was known in the literature (not even for a single key) from any assumption. We obtain the same results for predicate encryption. As an additional contribution, we define and construct a trapdoor garbling scheme: A simulation secure garbling scheme with a hidden trigger'' that allows the evaluator to fully recover the randomness used by the garbling algorithm. We show how to construct trapdoor garbling from the DDH or LWE assumption with an interplay of key-dependent message (KDM) and randomness-dependent message (RDM) techniques. Trapdoor garbling allows us to obtain alternative constructions of (single-key) AB-TDFs with additional desirable properties, such as adaptive security (in the choice of the attribute) and projective keys. We expect trapdoor garbling to be useful in other contexts, e.g. in case where, upon successful execution, the evaluator needs to immediately verify that the garbled circuit was well-formed.
##### BibTeX
@inproceedings{asiacrypt-2021-31455,
title={How to Build a Trapdoor Function from an Encryption Scheme},
publisher={Springer-Verlag},
doi={10.1007/978-3-030-92078-4_8},
author={Sanjam Garg and Mohammad Hajiabadi and Giulio Malavolta and Rafail Ostrovsky},
year=2021
}