Abstract. Bellare, Boldyreva, Desai, and Pointcheval [1] recently proposed a new security requirement for encryption schemes called “key-privacy.” It asks that the encryption provide (in addition to privacy of the data being encrypted) privacy of the key under which the encryption was performed. Incidentally, Rivest, Shamir, and Tauman [2] recently proposed the notion of a ring signature, which allows a member of an ad hoc collection of users S to prove that a message is authenticated by a member of S without revealing which member actually produced the signature. We are concerned with an underlying primitive element common to the key-privacy encryption and the ring signature schemes, that is, families of trap-door permutations with a common domain. For a standard RSA family of trap-door permutations, even if all of the functions in the family use RSA moduli of the same size (the same number of bits), the functions will have domains of different sizes. In this paper, we construct an RSA fami...
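The domain mismatch described above, as an added example that is not code from the paper: two constructed toy moduli of equal bit length, where the shared exponent `E = 3`, the moduli and all function names are assumptions of this illustration. It counts how many outputs of the larger-modulus permutation fall outside the smaller domain and therefore identify which key was used.

```python
from fractions import Fraction
from math import gcd

# Constructed toy parameters (far too small for real use).
P0, Q0 = 131, 137          # N0 = 17947, 15 bits
P1, Q1 = 173, 179          # N1 = 30967, 15 bits
N0, N1 = P0 * Q0, P1 * Q1
E = 3                      # assumed public exponent, valid for both keys

def valid_exponent(p, q, e=E):
    """e must be coprime to (p-1)(q-1) for x -> x^e mod pq to be a permutation."""
    return gcd(e, (p - 1) * (q - 1)) == 1

def rsa_perm(x, n, e=E):
    """The plain RSA trap-door permutation on Z_n = {0, ..., n-1}."""
    return pow(x, e, n)

def is_permutation(n, e=E):
    """Exhaustively confirm that rsa_perm is a bijection on Z_n."""
    return len({rsa_perm(x, n, e) for x in range(n)}) == n

def identifies_larger_key(y, n_small=N0):
    """An output >= the smaller modulus cannot lie in Z_{n_small},
    so it can only have been produced under the larger modulus."""
    return y >= n_small

def count_identifying_outputs(n_small=N0, n_large=N1, e=E):
    """Number of inputs to the larger permutation whose output reveals the key."""
    return sum(
        1 for x in range(n_large)
        if identifies_larger_key(rsa_perm(x, n_large, e), n_small)
    )

def leak_fraction(n_small=N0, n_large=N1):
    """Because rsa_perm is a bijection on Z_{n_large}, exactly
    n_large - n_small outputs land outside Z_{n_small}."""
    return Fraction(n_large - n_small, n_large)

if __name__ == "__main__":
    print("bit lengths:", N0.bit_length(), N1.bit_length())
    print("identifying outputs:", count_identifying_outputs())
    print("fraction of N1 outputs that reveal the key:", float(leak_fraction()))
```

With these toy moduli roughly 42% of the outputs under `N1` reveal the key, which is the gap a common-domain family is meant to close.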