By Martin E. Hellman, Justin M. Reyneri (auth.), David Chaum, Ronald L. Rivest, Alan T. Sherman (eds.)

ISBN-10: 1475706022

ISBN-13: 9781475706024

ISBN-10: 1475706049

ISBN-13: 9781475706048

**Example text**

D - 2°- 2 C If (D ~C) E ,_ D then D ,_ D - C 54 Ernest F. Brickell There is, however, a method for combining the multiplication procedure with the division procedure. We can reverse the order of the additions in the multiplication procedure. o • B + a. 1 • 2B After a few steps, the top (high-order) bits of Dare not changing very often. It might be possible to determine if a given multiple of C, say 2 1c, should be subtracted from D before the multiplication procedure has finished many steps. In examining this idea closely, there are two problems that arise.

With P(k-1), which we have seen above admits of a uniform probability measure). The probability measure on the set S of substances can, of course, be arbitrary, though S must be of Lebesgue measure zero in ( 0, 1 ) • 4. DISCUSSION It would be interesting to have entire Bloom threshold schemes which have the one-time pads of this paper as special cases. It would, in fact, be nice to have any example of an infinite rigid threshold scheme, so that we could construct infinite pool/split/restitute processes.

ZN') = (! 3 ,5 ,9} . 1 . 6, 8} ) and ( Zp". ZN") = ( ! 3. 6. 8 l. I 1 . 5 . , it gives back the message M It is obvious that once the partition ( Bp , BN ) is found, the function f and the message M can be recovered unambiguously (assuming that the network convention holds) . , their subscripts . The basic idea is to convert the 'hard' problem of finding a partition ( Bp , BN ) to the 'easy' problem of finding a partition ( Ap , AN ) . In either case the message recovered will be the same if Ap = I ~i I bii ~ Bp l and AN = I aii I bii ~ BN l · The receiver R has at his disposal only the ciphertext C and the trapdoor parameters w- 1 and m to help him find ( Ap , AN ) .

