A trapdoor one-way function is an extended version of a zero-way permutation. A zero-way permutation was first introduced by Niemi-Renvall in Asiacrypt'94. In this paper we define the class of functions called no-way functions. This is an extended version of a zero-way permutation. Intuitively, a function f is no-way if, without trapdoor, both computing f and computing f-1 are hard. Li-Chida-Shizuya defined the notion of a no-way function, which is a provable-security version of a zero-way permutation. They also gave an example of a no-way function such that computing f and f-1 is proven to be as hard as breaking the Diffie-Hellman key exchange scheme. We redefine the notion of a trapdoor no-way function more preciously, classify no-way functions by the property of the trapdoor: common, separated and semi-separated trapdoor no-way, give a method for constructing trapdoor no-way functions from trapdoor one-way functions, and also give an example of trapdoor no-way functions.

In this paper we discuss the relation between a one-way group homomorphism and a one-way ring homomorphism. Let U,V be finite abelian groups with #U=n. We show that if there exists a one-way group homomorphism f:UV, then there exists a one-way ring homomorphism F:ZnUZnImf. We also give examples of such ring homomorphisms which are one-way under a standard cryptographic assumption. This implies that there is an affirmative solution to an extended version of the open question raised by Feigenbaum and Merrit: Is there an encryption function f such that both f(x+y) and f(xy) can be efficiently computed from f(x) and f(y)? A multiple signature scheme is also given as an application of one-way ring homomorphisms.

A near-ring is an extended notion of a usual ring. Therefore a ring is a near-ring, but the converse does not necessarily hold. We investigate in this paper one-way functions associated with finite near-rings, and show that if there exists a one-way group homomorphism, there exists a one-way non-ring near-ring homomorphism (Theorem 1); if there exists a one-way ring homomorphism (Theorem 2). Further, we introduce a discrete logarithm problem over a finite near-ring, and show that the integer factoring is probabilistic polynomial-time Turing equivalent to a modified version of this problem (Theorem 3). Theorem 1 implies that under some standard cryptographic assumption, there is an affirmative but trivial solution to the extended version of the open question: Is there an encryption function f such that both f(x+y) and f(xy) are efficiently computed from given f(x) and f(y) ?

Verifying the signing order is sometimes very important in multisignature schemes. A multisignature scheme in which the signing order can be verified is called structured multisignature scheme and many such schemes have been proposed so far. However, there are not many structured multisignature schemes utilizing an algebraic structure of underlying algebraic operation. Ohmori, Chida, Shizuya and Nishizeki have proposed a structured multisignature scheme by utilizing a non-commutative ring homomorphism. Since their scheme does not fully reflect the structure of signers and its rigorous security analysis is not provided, we construct an improved structured multisignature scheme overcoming these problems by utilizing the non-commutative ring homomorphism in a different way and discuss its rigorous security against various attacks, including signer structure forgery, rogue key attack and attack-0 under the discrete logarithm assumption. As far as we know, the scheme in [30], which does not use non-commutative ring homomorphism, guarantees the most rigorous security but the number of signers is restricted in order to prevent attack-0. In contrast, our scheme overcomes attack-0 by virtue of a ring homomorphism and no restriction is imposed on the number of signers.

The certified discrete logarithm problem modulo p prime is a discrete logarithm problem under the conditions that the complete factorization of p-1 is given and by which the base g is certified to be a primitive root mod p. For the cryptosystems based on the intractability of certified discrete logarithm problem, Sakurai-Shizuya showed that breaking the Diffie-Hellman key exchange scheme reduces to breaking the Shamir 3-pass key transmission scheme with respect to the expected polynomial-time Turing reducibility. In this paper, we show that we can remove randomness from the reduction above, and replace the reducibility with the polynomial-time many-one. Since the converse reduction is known to hold with respect to the polynomial-time many-one reducibility, our result gives a stronger evidence for that the two schemes are completely equivalent as certified discrete log cryptosystems.