Authentication is crucial for network system security, relying on methods such as passwords, ID cards, biometrics, and behavioral characteristics. Conventional centralized authentication may lead to performance bottlenecks and privacy risks such as key exposure and a single point of failure. Decentralized authentication systems using cryptographic techniques aim to address these issues but often trade off flexibility against communication efficiency. In this paper, we propose a new cryptographic concept called designated private set-based trapdoor authentication (DPSBTA) for flexible and efficient trust management in decentralized systems. DPSBTA eliminates the need for a trusted authority, with users' access privileges defined by their private sets. During the authentication process, each server can designate an element set, and a user can obtain a credential from the server only if the user holds adequate elements that are contained in the designated set. The key features of DPSBTA include: decentralized trapdoor authentication management, without a trusted authority, conducted in a double threshold manner; privacy preservation, as servers do not know users' element holdings or credential generation; and round-optimal communication, with only two rounds of interaction between users and servers. We present the generic construction, security models, and concrete algorithms with a correctness proof. The theoretical proof and the performance evaluations demonstrate the tangible security and high efficacy of the proposed DPSBTA.