Information Processing Letters 26 (1987/88) 81-88 North-Holland
PARTITIONED ENCRYPTION AND ACHIEVING SIMULTANEITY BY PARTITIONING
19 October 1987
Zvi GALIL * Department of Computer Science, Columbia University in the City of New York, NY 10027, U.S.A., and Department of Computer Science, Tel Aviv University, Tel Aviv, Israel
Moti YUNG *,† Department of Computer Science, 450 Computer Science Building, Columbia University in the City of New York, NY 10027, U.S.A.
Communicated by W.L. Van der Poel
Received 18 February 1987

We present a method called Partitioned Encryption whose main property is its simplicity. It is an extension of Probabilistic Public-Key Encryption, which can be used in designing cryptographic protocols and can be applied to distributed problem solving. We also give a modification of Secret Sharing called Partitioned Secret Sharing. We demonstrate the power of Partitioned Encryption: combining it with a partitioning of the user set gives a solution scheme for 'Verifiable Secret Sharing' and 'Simultaneous Broadcast in the Presence of Faults', which are important primitives of fault-tolerant distributed computing introduced by Chor, Goldwasser, Micali and Awerbuch (1985). The scheme is fully polynomial, simple, and efficient in terms of communication rounds. The basic partitioning methods are suggested as general tools for distributed computing, which are easy to implement and analyze.

Keywords: Cryptography, fault-tolerant distributed computing, probabilistic encryption, partitioned encryption, cryptographic protocol, zero-knowledge interactive proof-system, verifiable secret-sharing, simultaneous broadcast
1. Introduction
Here we present a cryptographic tool which can be useful in solving distributed problems: partitioned encryption. It can be combined with methods of network partitioning to solve fault-tolerant distributed computing problems. We demonstrate its applicability to a central problem in distributed computing: achieving broadcast simultaneity in the presence of faulty processors. Chor, Goldwasser, Micali and Awerbuch [9] introduced a primitive of distributed computing called 'Simultaneous Broadcast', in which all messages transmitted in a communication round are independent of each other. Using cryptographic tools, they designed an implementation on realistic broadcast networks. The computation complexity of their solution is O(2^t), where t is the number of faulty processors. Therefore, since we restrict our attention to computation which is polynomial in n, the size of the network, their solution is limited to t = O(log n) faults. In this paper we suggest partitioned encryption, which can be constructed from any probabilistic encryption scheme based on the intractability of factoring (all concrete schemes have this property). This yields a protocol for Verifiable Secret Sharing which is used to solve the Simultaneous Broadcast problem in the presence of up to √n faulty processors in polynomial time using any probabilistic encryption. So, our solution, which is partly based on the work in [9], improves it in two ways: it is fully polynomial and it is simpler (since it can be based on any probabilistic encryption). Using the multi-prime RSA (of [9]) as the underlying encryption, we can tolerate up to O(√(n log n)) faults. Our protocol makes use of a modification of Shamir's Secret Sharing scheme [20] which we call Partitioned Secret Sharing.

* Supported in part by the National Science Foundation under Grants Nos. MCS-8303139 and DCR-8511713.
† Supported in part by an IBM graduate fellowship.

© 1987, Elsevier Science Publishers B.V. (North-Holland)
Recently, new and more robust protocols for simultaneous broadcast have been developed. The protocols of [14,2,12] are robust (they tolerate a number of faults that is a constant fraction of n). These protocols are much more involved than the simple scheme presented here.
2. Background

2.1. Intractable problems and probabilistic encryption schemes
Probabilistic encryption was first suggested in [15]. It is an encryption method in which extracting any partial information about the cleartext from the ciphertext is intractable, assuming that an underlying number-theoretic problem is intractable (not in polynomial time). Other probabilistic encryption schemes were found and analyzed in [1,3,21,5,22]. The underlying intractable problems (such as factorization of a composite number or extracting roots modulo a composite number) have a security parameter (k), which is the length of the prime numbers used. A key in the system (which is denoted by N_i) is the product of two prime numbers of this length, whose factors are kept secret by the key owner. The security of the schemes can be expressed as follows: Assume that the a priori probability of a given property of the cleartext message is p (w.l.o.g. p = 1/2). When the encrypted message is given, guessing the property in polynomial time with probability greater than p + 1/R(k) for any polynomial R implies a random polynomial-time algorithm for the intractable problem.
2.2. Zero-knowledge interactive proofs

In [16], Goldwasser, Micali and Rackoff developed a computational complexity approach to the theory of knowledge. This theory is a basic tool in proving correctness of protocols. A message is said to convey knowledge if it contains a result of a computation that is intractable for the receiver (i.e., not in random polynomial time). We use the concept of zero-knowledge to show exactly what information is transferred in various steps of the protocols we describe. Informally, an interactive protocol is said to be zero-knowledge if the probability distribution of the possible communications that may be exchanged during an actual execution of the protocol (which depends on the parties' private coin-flips) is indistinguishable from the probability distribution of simulations of the communication that can be run by a polynomial-time machine. (Two probability distributions are indistinguishable if no random polynomial-time computation can tell them apart [22,15,16].) The zero-knowledge property enables us to conclude that no computational advantage is given by an execution of the protocol. It enables modular design of protocols, since we can concatenate two zero-knowledge sub-protocols and get a zero-knowledge protocol. Interactive proof systems are protocols for one processor (the prover) to communicate a proof to a second processor (the verifier) who has limited computing power. We use zero-knowledge interactive proof systems to ensure that only the fact proven is transmitted and nothing more. Formal definitions are described in [16]. A very important recent result of Goldreich, Micali and Wigderson [14] is that, assuming one-way functions exist, all languages in NP have a zero-knowledge proof. The Oblivious Transfer (O.T.) Protocol, introduced by Rabin (see [17]), has been found to be a useful component in developing protocols [4,11]. The O.T. protocol enables A, who knows the factorization of N (a composite which is a product of two large primes), to transmit the factorization to user B with probability 1/2.
The transfer is realized in such a way that A does not know whether or not B received the factorization, and a third party does not get any knowledge by overhearing the communication. Fischer, Micali and Rackoff [18] found a refinement of the original protocol which uses a zero-knowledge proof by which B convinces A that he is following the protocol. The fact that the refined protocol has the properties specified above is equivalent to the intractability of factoring. A generalization of the O.T. to a number N with u prime factors yields the following results: B gets exactly one random split of N into S_1 and S_2 (not necessarily prime) such that N = S_1 · S_2, while A cannot guess which split B received with probability greater than (1/2)^u. Blum designed a Mental-Poker protocol [8] by applying the O.T. with several prime factors. In [9] it was used in Verifiable Secret Sharing, which we shall explain and extend in the next section. Another zero-knowledge interactive proof that we employ is presented in [9]. It is an interactive proof by which the owner of a key proves to the verifier that he knows how to decrypt using his key.

2.3. Simultaneous broadcast

Our distributed computation model is a network of n processors which communicate by exchanging messages over communication channels. We assume that the processors are random polynomial-time machines. An adversary is allowed to choose up to t faulty processors. These processors do not behave according to the protocol; instead, they follow the adversary's protocol. The adversary is a random polynomial-time machine with access to the communication history. His choices are made in a dynamic fashion. (We can also assume that the adversary has private negotiation channels by which he tries to corrupt processors, asking for specific information: a processor becomes faulty by reacting to the adversary's query.) This adaptive behaviour is similar to the adversary of [12]; the behaviour of the adversary is a function of the current information available to him. (More about adversary models in fault-tolerant distributed computing can be found in [7].) A broadcast network is one in which communication is performed in rounds. In round i, the message m_{i,j} of a nonfaulty processor j is independent of other messages in the round (it can be dependent upon past rounds). An ideal network in which all processors broadcast their messages of round i simultaneously is called a simultaneous-broadcast network.
The model which assumes simultaneity is very powerful in the sense that designing protocols for this model is comparatively easy. In this model, implementing coin flipping requires a single round in which each processor broadcasts a bit, and then the individual bits are added modulo 2. The result is a random bit iff at least one processor chooses its bit at random. Similarly, uninfluenced voting can be implemented as follows: first, each processor broadcasts its vote and then the votes are tallied. Simultaneity ensures that no vote is influenced by the knowledge of the likely winner. A similar protocol is possible for sealed bidding, in which contractors offer their bids and the lowest offer is then selected. These examples show the simplicity with which many protocols can be designed using the ideal model. However, the existence of even one faulty processor, who can delay his broadcast until he has seen the others, can cause any of these protocols to lose the desired properties, and the faulty processor(s) can gain control over the outcome. Both the paper by Chor et al. [9] and this paper use cryptographic tools to simulate the ideal situation in the realistic broadcast network. Furthermore, a broadcast network model can be simulated by the more general point-to-point network (such as ARPANET) using the Byzantine Agreement protocol to achieve reliable broadcast in this network (in particular, recent efficient protocols [6,12,10]). Thus, we can achieve Simultaneous Broadcast on these networks as well.
3. Partitioned encryption and partitioned verifiable secret sharing

3.1. Partitioned encryption
Partitioned Encryption (PE) is a method for encrypting a secret message in a distributed manner, that is, breaking the secret into pieces and using many keys, one for each piece of the encryption. It can be useful when a user wants to force the cryptanalyst to break several keys in order to get the secret. A more important application is in a distributed system when a secret is distributed and its pieces are encrypted using different users' keys. This distributed encryption forces the receivers of the pieces to cooperate in order to recover the secret. The PE scheme presented can be based on any probabilistic encryption scheme (see Section 2.1). It has the property that, given any partial decryption, the remaining problem of completing the decryption is still as secure as the encryption function (that is, breaking the encryption can be reduced to the intractable problem on which the probabilistic encryption scheme is based). Let a sequence of encryption keys be (E_{N_1}, E_{N_2}, ..., E_{N_j}), where j is polynomial in the problem's parameters and each key E_{N_i} is drawn from the same family of keys and has security parameter k. Suppose the message is a single bit b. The user encrypts b by choosing j − 1 random bits b_i (i = 1, 2, ..., j − 1) and b_j such that ⊕_{i=1}^{j} b_i = b (where ⊕ is addition modulo 2). He then probabilistically encrypts these bits: he chooses a string x_i such that E_{N_i}(x_i) encrypts b_i. For example, in the scheme of [15], where the keys are a product of two primes which are congruent to 3 (mod 4), a random x_i ∈ Z_{N_i}^* is chosen. A zero is encrypted as a quadratic residue x_i^2 (mod N_i) and a one is encrypted as a quadratic nonresidue (−1)x_i^2 (mod N_i). The PE is the sequence (E_{N_1}(x_1), ..., E_{N_j}(x_j)). We say that a PE is partially deciphered if a proper subset of the encryptions is deciphered.

3.1. Theorem. Breaking PE based on the probabilistic encryption keys (even when PE is partially deciphered) is computationally at least as hard as the underlying probabilistic encryption.

The proof of the theorem is by an easy polynomial-time reduction (of the underlying encryption scheme to PE), since the generation of encryption keys is in probabilistic polynomial time. Notice that decrypting any proper subset of the b_i's does not help in decrypting b, since any such subset of the b_i's is random. This partial decryption of PE does not reduce the computation needed to find the encrypted bit (by more than a polynomial factor), since we have at least one more key to break, while the partial information we know is just a random bit. Next we describe the Verifiable Secret Sharing protocol which uses PE.
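As an added illustration of the PE construction above (example code written for this page, not code from the paper), the following Python implements PE over the Goldwasser-Micali scheme of [15] exactly as described: the bit is XOR-split into one share per key, share i is encrypted under N_i as a residue or non-residue, and a party holding some but not all factorizations recovers only random share bits. The key size (two ~20-bit primes per modulus, far too small for real use), the seeded random source and the function names (gm_keygen, pe_encrypt, pe_decrypt_partial, demo) are choices made here for the illustration.

```python
"""Partitioned Encryption (PE) of one bit over the Goldwasser-Micali (GM)
probabilistic scheme: an added example, not code from the paper.

Toy parameters: each modulus is a product of two ~20-bit primes congruent
to 3 (mod 4). Real keys need large primes; only the structure matters here.
"""
import random
from math import gcd


def _is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy key sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def gen_prime_3mod4(bits: int, rng: random.Random) -> int:
    """Random prime with the top bit set and p ≡ 3 (mod 4) (low two bits 11)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 3
        if _is_prime(p):
            return p


def gm_keygen(bits: int, rng: random.Random):
    """Public modulus N = p*q; the factors (p, q) are the owner's secret."""
    p = gen_prime_3mod4(bits, rng)
    q = gen_prime_3mod4(bits, rng)
    while q == p:
        q = gen_prime_3mod4(bits, rng)
    return p * q, (p, q)


def gm_encrypt(N: int, bit: int, rng: random.Random) -> int:
    """0 -> residue x^2 mod N; 1 -> non-residue (-1)*x^2 mod N.
    With p, q ≡ 3 (mod 4), -1 is a non-residue modulo both primes, so the
    ciphertext for 1 has Jacobi symbol +1 yet is not a square mod N."""
    while True:
        x = rng.randrange(2, N)
        if gcd(x, N) == 1:          # x must lie in Z_N^*
            break
    y = pow(x, 2, N)
    return (-y) % N if bit else y


def gm_decrypt(factors, y: int) -> int:
    """Euler's criterion modulo p: y^((p-1)/2) == 1 iff y is a residue (bit 0)."""
    p, _ = factors
    return 0 if pow(y % p, (p - 1) // 2, p) == 1 else 1


def pe_encrypt(pub_keys, b: int, rng: random.Random):
    """Split b into len(pub_keys) shares with XOR b; encrypt share i under key i."""
    shares = [rng.randrange(2) for _ in range(len(pub_keys) - 1)]
    last = b
    for s in shares:
        last ^= s
    shares.append(last)                 # XOR of all shares equals b
    return [gm_encrypt(N, s, rng) for N, s in zip(pub_keys, shares)]


def pe_decrypt_partial(all_factors, ciphertexts, opened):
    """A party holding only the factorizations in 'opened' learns only those
    share bits, which are uniformly random and independent of b."""
    return {i: gm_decrypt(all_factors[i], ciphertexts[i]) for i in opened}


def pe_decrypt(all_factors, ciphertexts) -> int:
    """Full decryption: every key must be broken (or opened) to get b."""
    b = 0
    for i, y in enumerate(ciphertexts):
        b ^= gm_decrypt(all_factors[i], y)
    return b


def demo(seed: int = 7, groups: int = 3, bit: int = 1):
    """Returns (recovered bit, share bits visible with all but one key opened)."""
    rng = random.Random(seed)
    keys = [gm_keygen(20, rng) for _ in range(groups)]
    pubs = [N for N, _ in keys]
    secrets = [f for _, f in keys]
    ct = pe_encrypt(pubs, bit, rng)
    partial = pe_decrypt_partial(secrets, ct, range(groups - 1))
    return pe_decrypt(secrets, ct), partial


if __name__ == "__main__":
    print(demo())
```

The partial dictionary returned by demo is what a coalition that has opened g − 1 of the g keys sees: share bits that are individually uniform, so the missing share, and with it b, remains exactly as hard to obtain as one GM decryption.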
3.2. Partitioned verifiable secret sharing

In [20], Shamir proposed a method for sharing a secret in which a dealer distributes his secret h into n pieces h_1, h_2, ..., h_n. The scheme is such that any subset of the set of pieces of size < t (for a given t < n) cannot be combined to reconstruct h, while with any t or more pieces it can easily be done. Such a scheme is called an (n, t) threshold scheme. The idea is to generate a (t − 1)-degree polynomial P over the field Z_p, where p is a large prime, such that P(0) = h, P(i) = h_i, i = 1, 2, ..., n, and to use polynomial interpolation for reconstruction. As noted in [9], Shamir's scheme is based on a nonfaulty dealer who distributes the pieces privately. Thus, the scheme is not directly useful in a fault-tolerant environment, since there is no way for a user to verify that the piece he received is indeed a valid share of the secret (i.e., h_i such that the polynomial passes through the point (i, h_i)). This difficulty led in [9] to the design of a new method which is suitable for fault-tolerant networks: Verifiable Secret Sharing. Before presenting our scheme, we explain what we mean by partitioned secret sharing. Assume that there are two populations of sizes n_1 and n_2, and the dealer wants the distribution of the secret to be reconstructable iff t_1 members of the first population and t_2 members of the second cooperate. This is useful when a quorum is required in which there are enough representatives of each population. It is easily implementable by taking a random number c_1, computing c_2 = h ⊕ c_1, and then using different polynomials to hide each chunk c_i and distribute it to the respective population. Our scheme, Partitioned Verifiable Secret Sharing, is a similar extension of the Verifiable Secret Sharing protocol of [9]. The idea is to partition the users into g disjoint groups and to distribute the secret into g chunks.
Each chunk is given to a group and is shared among its members, who are given pieces of the chunk, one to each member. A user will be able to verify that each piece of a chunk given to any user is a valid one. The number of faulty processors in the network is not large enough to allow them to reconstruct the entire secret by colluding among themselves ahead of time. At the same time, there are enough nonfaulty processors in each group to reconstruct the chunk belonging to the group. There is a crucial turning point in the protocol. Before it, any deviation of the dealer from the protocol is detected with very high probability and the users decide that the dealer's message is the empty one. After the turning point, the secret is determined and reconstructable. The Protocol below describes the process for dealer A.

Protocol. Dealer A distributes a secret bit b to n receivers, partitioned into g groups of size s (gs = n). We assume the keys used are each the product of two primes of length k.

Part 1: Preparations
1. A picks g keys N_i, i = 1, 2, ..., g (these keys are used in a probabilistic encryption scheme; see Section 2.1).
2. A picks g − 1 random bits b_i, i = 1, 2, ..., g − 1, and picks b_g such that ⊕_{i=1}^{g} b_i = b.
3. For each b_i, A picks x_i ∈ Z_{N_i}^* at random such that the encryption y_i = E_{N_i}(x_i) hides the value b_i.
4. A broadcasts the values (N_i, y_i), i = 1, 2, ..., g.

Part 2: Distribution of pieces
5. In this stage, knowledge about N_i is given to all participants from group i (i = 1, 2, ..., g): each receiver in group i gets the two factors of N_i with probability 1 − (1/2)^k; this is achieved by the O.T. protocol between the dealer and the user, repeated k times in parallel [23].

---------- (turning point) ----------

Part 3: Reconstruction of the secret
6. Each receiver C broadcasts his piece of knowledge (the factors of his group's key).
7. Decision making: If C detects that A deviated from the protocol before the turning point, C decides that b = 'empty message'. Otherwise, C, who obtained all the decryption keys (in step 6), can reconstruct the secret b by decoding y_i, i = 1, 2, ..., g.

Why does the Protocol work? We have to show that the faulty processors do not learn the secret ahead of time, that a faulty dealer gets caught before the turning point, and that after the turning point the secret is determined and reconstructable by the nonfaulty processors. In order to get b, one must get all the b_i's. If there is at least one nonfaulty user in each group and A deviates from the protocol before the turning point, then this event will be recognized with very high probability by all nonfaulty users, who decide that A's message is the empty one. As long as the number of faulty processors (t) is smaller than the number of groups (g), by the pigeonhole principle the faulty processors cannot get the secret before the turning point: some group contains no faulty processor, so the factors of that group's key, and hence one of the b_i's, are unknown to them. If the number of faults is less than the size of a group (s) as well, then after the turning point the faulty processors cannot prevent the secret from being opened, since there is a nonfaulty processor in each group who opens his group's piece of the secret. After the turning point, a faulty processor cannot present a piece of the secret which is not valid (since validity of pieces, namely the two prime factors, can be checked) and the worst he can do at this step is to halt. Since the O.T. takes a few rounds of communication, the whole Protocol uses a constant number of rounds.
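The partitioned secret sharing construction described at the start of this section (a random c_1, c_2 = h ⊕ c_1, and one Shamir polynomial per population), as an added Python example that is not the paper's code: reconstruction succeeds only with t_1 shares from the first population and t_2 from the second, and an under-quorum attempt from one population returns a value unrelated to h. The field prime, the population sizes (5 and 4), the thresholds (3 and 2) and the function names are assumptions made for the illustration; the verifiability layer of the Protocol (O.T. and PE) is deliberately not part of this block.

```python
"""Partitioned secret sharing over two populations: h = c1 XOR c2, with c1
Shamir-shared in population 1 (threshold t1) and c2 in population 2 (t2).
Added example, not the paper's code. Field, sizes and thresholds are toy choices."""
import random

P = (1 << 61) - 1   # prime field GF(P); secrets and chunks must be < P


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x^k) over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def shamir_share(secret, n, t, rng):
    """(n, t) threshold scheme [20]: P(0) = secret, share i is (i, P(i)).
    Non-constant coefficients are drawn from 1..P-1 so deg P is exactly t-1."""
    coeffs = [secret % P] + [rng.randrange(1, P) for _ in range(t - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def shamir_reconstruct(shares):
    """Lagrange interpolation at x = 0. With fewer than t shares this still
    returns a value, but it is the constant term of the wrong polynomial."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def partitioned_share(h, n1, t1, n2, t2, rng):
    """Chunk the secret: c1 random, c2 = h XOR c1; share each chunk in its population."""
    c1 = rng.randrange(1 << 60)
    c2 = h ^ c1
    return shamir_share(c1, n1, t1, rng), shamir_share(c2, n2, t2, rng)


def partitioned_reconstruct(pop1_shares, pop2_shares):
    """Needs t1 shares from population 1 AND t2 shares from population 2."""
    return shamir_reconstruct(pop1_shares) ^ shamir_reconstruct(pop2_shares)


def demo(h=0x5EC12E7, seed=1):
    """Returns (h recovered with a full quorum, value seen with only 2 < t1 shares)."""
    rng = random.Random(seed)
    pop1, pop2 = partitioned_share(h, n1=5, t1=3, n2=4, t2=2, rng=rng)
    with_quorum = partitioned_reconstruct(pop1[:3], pop2[2:])
    # Only two of population 1's shares (x = 1, 2): interpolation yields
    # c1 - 2*a2, which differs from c1 because a2 != 0, so the XOR is not h.
    short_quorum = partitioned_reconstruct(pop1[:2], pop2[2:])
    return with_quorum, short_quorum


if __name__ == "__main__":
    print(demo())
```

Because the chunks are combined by XOR, a population that reconstructs its own chunk learns nothing about h; that is the same role the XOR-split of b plays in PE.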
4. The network partitioning and the simultaneous broadcast
We show how the simultaneous broadcast is implemented in a broadcast network. In order to broadcast his bit, each processor runs the P-VSS with the following modifications: At the beginning, it partitions the network into g groups of size s (this partitioning can be fixed). Then, Part 1 of the Protocol is run. At the end of this part, the processor proves to all processors that it can decrypt using the keys which encrypt the chunks of the secret (following the zero-knowledge proof given in [9]). Thus, before the distribution of secrets, each processor is convinced that every other processor knows his own secret. After that, all secrets are distributed using Part 2 of the Protocol. Next, each processor opens his secret by himself; in case it fails to do so, its secret is reconstructed using Part 3 of the Protocol. Note that the cost of the computation is fully polynomial (i.e., polynomial in the size of the network (n), the security parameter (k), and the number of faults (t)). To make sure that this simulation works we should check how many faulty processors are allowed. We saw in the previous section that the following two constraints must hold: t < g and t < s. Thus, by choosing the partition parameters g = s = √n and using the PE keys based on one of the probabilistic encryption schemes mentioned in Section 2.1, the following holds.

4.1. Theorem. Assuming the probabilistic encryption scheme used is secure (i.e., its underlying number-theoretic problem is intractable), the Protocol presented is a fully polynomial scheme which achieves simultaneous broadcast on a broadcast network for up to t < √n faulty processors.
5. Combining partitioning with multi-prime RSA
In this section we combine the work presented in the last two sections with the one of [9] to increase the number of faults when partitioning methods are used. First, we review the RSA encryption method used in [9]. The RSA function [19] is defined by E_M(x) = x^e (mod M), where M is the product of two large primes and (e,
To encrypt a bit b, a user picks a random x ∈ Z_M^* such that b is the least-significant bit of x, lsb(x), and uses E_M(x) as the encryption of b. In the Protocol, an extension of the above RSA method is used as the underlying encryption function of the PE. The scheme is the multi-prime RSA encryption of [9], in which each key N_i is the product of u primes P_{i,j} of length k, N_i = P_{i,1} · P_{i,2} ··· P_{i,u}. We need the following results of [1,8].

5.1. Theorem. The following three problems are computationally equivalent:
(a) Given a message encrypted by an RSA key (x^e mod M), where M = P_1 · P_2, P_1 and P_2 are k-bit long primes and (e,
, 2” (all P_i, i = 1, 2, ..., u, are k-bit long primes), an encryption x^e (mod N), and N's partial factorization: M and the primes P_3, P_4, ..., P_u. Guess lsb(x) with probability greater than 1/2 + 1/R(k), for any polynomial
R. The following changes are needed in the Partitioned Verifiable Secret Sharing Protocol when multi-prime RSA is used: In Part 1, the secret bit is partitioned as before; each piece b_i is encrypted as y_i = x_i^e (mod N_i), where lsb(x_i) = b_i for all i = 1, 2, ..., g. When the secret is distributed in Part 2, each user runs the O.T. with the dealer only once. As a result, the knowledge each user gets is a random split of N_i (this is the secret sharing as in [9], within groups). In Part 3, each user reveals his random split of the number of his group. Then, every user collects all the random splits of all the N_i's and tries to factor these numbers. (For each N_i, there are at least s − t splits available.) Once all N_i's have been factored and found to have u prime factors, every user can take the e-th roots, find the b_i's and recover b. If one of the keys N_i is not fully factored or is not a product of u primes, then the users decide that b = 'empty message'. At least log u splits of N_i are needed to fully factor the number (since u is the number of primes). Otherwise, the problem of getting the secret is still as hard as decoding a message encrypted by a two-prime RSA (Theorem 5.1). If the number of faulty participants t is less than g log u, then by the pigeonhole principle there is one N_i for which the faulty processors hold fewer than log u splits, so it is not fully factored. By Theorems 3.1 and 5.1, it is still as hard to decrypt b as it is to invert the RSA function. Let p be the a priori probability that the faulty processors can get the secret bit b (w.l.o.g. p = 1/2); if we assume that t is smaller than g log u, then the faulty processors cannot collude and get the secret before the turning point with probability greater than p + 1/R(k) for any polynomial R and sufficiently large k; i.e., there will be a key which will not be fully factored by the faulty group of size t. This achieves the secret unpredictability property.

After the turning point, however, the faulty processors might not cooperate with the others. Thus, again, we have to make sure that there are enough nonfaulty processors in each group. Hence, we assume the worst case occurs in a group, that all the t faulty processors are in the same group, and only s − t nonfaulty processors can share their splits. Analyzing the probability of the event that a group is not able to factor its key, note that, for each pair of prime factors of N_i, the probability that a random split does not separate them is 1/2; so, for s − t random independent splits, the probability that two specific primes were not separated is $(1/2)^{s-t}$. Summing over the fewer than $u^2/2$ pairs of prime factors, the probability that some pair is not separated (so that N_i is not fully factored) is at most

$$\binom{u}{2}\left(\tfrac{1}{2}\right)^{s-t} < \frac{u^2}{2^{1+s-t}} < \frac{u^2}{2^{1+s-g\log u}} = \frac{u^2}{2^{1+s-(n/s)\log u}},$$

using t < g log u and g = n/s. We choose the partition parameters to be group size $s = c\sqrt{n\log n}$ and number of groups $g = \sqrt{n}/(c\sqrt{\log n})$, for a constant c with c − 1/c > 1 (this is what makes the exponent above exceed √(n log n) for large n).
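The split-collection step of Part 3 and the pair-separation argument above, as an added example in Python (written for this page, not the paper's code): a receiver refines the factorization of N_i by taking gcds with every published split, accepts N_i only when the pieces are u primes, and a Monte Carlo run over constructed toy primes reports the observed failure rate next to the $u^2/2^{1+m}$ bound for m = s − t splits. The tiny primes, the seeded random source, the gcd-refinement procedure (the paper states only that enough splits determine the factorization) and all function names are assumptions made here.

```python
"""Factoring a multi-prime N = P_1 ... P_u from random splits N = S1 * S2
(Part 3 of the multi-prime variant). Added example, not the paper's code.
Toy primes so that primality can be certified by trial division."""
import random
from math import gcd


def refine_with_split(factors, s1):
    """Cut every current factor f by gcd(f, s1); f is untouched if the split
    puts all of f's primes on the same side."""
    out = []
    for f in factors:
        g = gcd(f, s1)
        if 1 < g < f:
            out.extend([g, f // g])
        else:
            out.append(f)
    return out


def factor_from_splits(N, splits):
    """Combine all published splits. A split with S1*S2 != N is rejected:
    this is the publicly checkable validity test a receiver applies."""
    factors = [N]
    for s1, s2 in splits:
        if s1 * s2 != N:
            raise ValueError("invalid split")
        factors = refine_with_split(factors, s1)
    return sorted(factors)


def fully_factored(N, splits, u):
    """True iff the splits separate all u primes, i.e. N_i can be decrypted."""
    def is_prime(f):
        return f > 1 and all(f % d for d in range(2, int(f ** 0.5) + 1))
    factors = factor_from_splits(N, splits)
    return len(factors) == u and all(is_prime(f) for f in factors)


def random_split(primes, rng):
    """One O.T. run: each prime lands on the S1 or S2 side independently."""
    s1 = s2 = 1
    for p in primes:
        if rng.randrange(2):
            s1 *= p
        else:
            s2 *= p
    return s1, s2


def failure_rate(primes, m, trials, seed=0):
    """(observed fraction of trials in which m random splits leave N
    unfactored, union bound u^2 / 2^(1+m) from the text)."""
    rng = random.Random(seed)
    N = 1
    for p in primes:
        N *= p
    fails = 0
    for _ in range(trials):
        splits = [random_split(primes, rng) for _ in range(m)]
        if not fully_factored(N, splits, len(primes)):
            fails += 1
    return fails / trials, len(primes) ** 2 / 2 ** (1 + m)


def demo():
    """Constructed u = 4 instance: two splits that separate every pair versus
    two splits that never separate 101 from 103."""
    N = 101 * 103 * 107 * 109
    good = [(101 * 103, 107 * 109), (101 * 107, 103 * 109)]
    bad = [(101 * 103, 107 * 109), (101 * 103 * 107, 109)]
    return fully_factored(N, good, 4), fully_factored(N, bad, 4), factor_from_splits(N, bad)


if __name__ == "__main__":
    print(demo())
    print(failure_rate([101, 103, 107, 109], m=6, trials=2000))
```

In the failing case the receiver is left with the composite 101·103 among its pieces, which is exactly the "not fully factored" event that makes the users output the empty message; the Monte Carlo estimate stays below the union bound, which is loose because it counts every unseparated pair separately.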
Note that since the computation is polynomial in the size of the network, u must be polynomial in n (for simplicity, assume u = n). The probability that a full split of a key encrypting a chunk is not given to the nonfaulty processors is then

$$\frac{n^2}{2^{1+s-\lceil n/s\rceil\log n}} < \frac{n^2}{2^{(n\log n)^{1/2}}},$$

which is negligible for large enough n. Thus, the secret will be opened by the nonfaulty processors with very high probability. The choice of g and s constrains the number of faulty processors to be t = O(√(n log n)) (both bounds, t < s and t < g log n, are of this order). We conclude that the following holds.

5.2. Theorem. Assuming RSA is intractable, the simultaneous broadcast scheme presented is a fully polynomial scheme which achieves simultaneous broadcast on a broadcast network for up to t = O(√(n log n)) faulty processors.

6. Conclusion
We have presented the Partitioned Encryption (PE) technique and the idea of partitioned secret sharing. Combining them with network partitioning, we have presented a fully polynomial protocol for achieving simultaneity in distributed systems (with up to √n faulty processors based on any probabilistic encryption and up to O(√(n log n)) based on multi-prime RSA). This shows the applicability of PE in the case when information is shared among users in a fault-tolerant environment. PE seems to be a general and easily implemented tool for such distributed computing applications.

Acknowledgment
We would like to thank N. Alon, O. Goldreich, S. Haber and S. Micali for their comments and discussions.
References
[1] W. Alexi, B. Chor, O. Goldreich and C.P. Schnorr, RSA/Rabin bits are 1/2 + 1/poly(k) secure, Proc. 25th IEEE FOCS (1984) 449-457.
[2] N. Alon, Z. Galil and M. Yung, Majority assignment and fault tolerant cryptographic protocols, Unpublished manuscript, 1986.
[3] L. Blum, M. Blum and M. Shub, Comparisons of two pseudo-random number generators, Proc. Crypto 82 (1982) 61-78.
[4] M. Blum, Three Applications of the Oblivious Transfer, Rept., Univ. of California at Berkeley, September 1981.
[5] M. Blum and S. Goldwasser, An efficient probabilistic public-key scheme which hides all partial information, Proc. Crypto 84 (1985) 289-301.
[6] G. Bracha, An O(log n) expected rounds randomized Byzantine generals algorithm, Proc. 17th ACM-SIGACT STOC (1985) 316-326.
[7] B. Chor and C. Dwork, Randomized algorithms for distributed agreement, Unpublished manuscript, 1986.
[8] B. Chor, O. Goldreich and S. Goldwasser, The bit security of modular squaring given partial factorization of the modulus, Proc. Crypto 85 (1985) 448-457.
[9] B. Chor, S. Goldwasser, S. Micali and B. Awerbuch, Verifiable secret sharing and achieving simultaneity in the presence of faults, Proc. 26th IEEE FOCS (1985) 383-395.
[10] C. Dwork, D. Shmoys and L. Stockmeyer, Flipping persuasively in constant expected time, Proc. 27th IEEE FOCS (1986) 222-232.
[11] S. Even, O. Goldreich and A. Lempel, A randomized protocol for signing contracts, Comm. ACM 28 (6) (1985) 637-647.
[12] P. Feldman and S. Micali, Byzantine agreement in constant time (and trusting no one), Proc. 26th IEEE FOCS (1985) 267-276.
[13] P. Feldman and S. Micali, Efficient simultaneous broadcast, Unpublished manuscript, 1986.
[14] O. Goldreich, S. Micali and A. Wigderson, Proofs that yield nothing but their validity and a methodology of cryptographic protocol design, Proc. 27th IEEE FOCS (1986) 174-187.
[15] S. Goldwasser and S. Micali, Probabilistic encryption and how to play mental poker keeping secret all partial information, Proc. 14th Ann. ACM-SIGACT Symp. on Theory of Computing (1982) 363-377.
[16] S. Goldwasser, S. Micali and C. Rackoff, The knowledge complexity of interactive proof-systems, Proc. 17th ACM-SIGACT STOC (1985) 291-304.
[17] J. Halpern and M.O. Rabin, A logic to reason about likelihood, Proc. 15th ACM STOC (1983) 310-319.
[18] C. Rackoff, S. Micali and M. Fischer, A secure protocol for the oblivious transfer, Proc. Eurocrypt '84, La Sorbonne, Paris, April 1984.
[19] R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Comm. ACM 21 (2) (1978) 120-126.
[20] A. Shamir, How to share a secret, Comm. ACM 22 (11) (1979) 612-613.
[21] U. Vazirani and V. Vazirani, Efficient and secure pseudo-random number generation, Proc. 25th IEEE FOCS (1984) 458-463.
[22] A.C. Yao, Theory and applications of trapdoor functions, Proc. 23rd IEEE FOCS (1982) 80-91.
[23] M. Yung, Cryptoprotocols: Subscription to a public-key, the secret blocking and the multi-player mental poker game, Proc. Crypto 84 (1985) 439-453.