In the following two examples, we always assume that it is difficult to factorize a large composite number (see
Integer factorization).
RSA assumption In this example, the inverse d of e modulo \phi(n) (
Euler's totient function of n) is the trapdoor: : f(x) = x^e \mod n. If the factorization of n=pq is known, then \phi(n)=(p-1)(q-1) can be computed. With this the inverse d of e can be computed d = e^{-1} \mod{\phi(n)}, and then given y = f(x), we can find x = y^d \mod n = x^{ed} \mod n = x \mod n. Its hardness follows from the RSA assumption.
Rabin's quadratic residue assumption Let n be a large composite number such that n = pq, where p and q are large primes such that p \equiv 3 \pmod{4}, q \equiv 3 \pmod{4}, and kept confidential to the adversary. The problem is to compute z given a such that a \equiv z^2 \pmod{n}. The trapdoor is the factorization of n. With the trapdoor, the solutions of
z can be given as cx + dy, cx - dy, -cx + dy, -cx - dy, where a \equiv x^2 \pmod{p}, a \equiv y^2 \pmod{q}, c \equiv 1 \pmod{p}, c \equiv 0 \pmod{q}, d \equiv 0 \pmod{p}, d \equiv 1 \pmod{q}. See
Chinese remainder theorem for more details. Note that given primes p and q, we can find x \equiv a^{\frac{p+1}{4}} \pmod{p} and y \equiv a^{\frac{q+1}{4}} \pmod{q}. Here the conditions p \equiv 3 \pmod{4} and q \equiv 3 \pmod{4} guarantee that the solutions x and y can be well defined. ==See also==