“…Lossy trapdoor functions have been built from a variety of standard cryptographic assumptions, such as the Decisional Diffie-Hellman (DDH) [49,26,30] and Learning with Errors (LWE) assumptions [49,8,2], the Quadratic Residuosity (QR) [38,26,25] and Composite Residuosity (DCR) assumptions [26], the Phi-hiding assumption [42,3] and more [47,54]. They have found numerous applications in cryptography, including chosen-ciphertext security, trapdoor functions with many hard-core bits, collision-resistant hash functions, oblivious transfer [49], deterministic [9,51] and hedged public-key encryption [6,53] in the standard model, instantiability of RSA-OAEP [42], computational extractors [24,28], pseudo-entropy functions [18], selective-opening security [7], and more.…”