Verifiable and Private Oblivious Polynomial Evaluation

It is a challenging problem to delegate the computation of a polynomial on encrypted data to a server in an oblivious and verifiable way. In this paper, we formally define the Verifiable and Private Oblivious Polynomial Evaluation (VPOPE) scheme. We design a scheme called Verifiable IND-CFA Paillier based Private Oblivious Polynomial Evaluation (VIP-POPE). Using security properties of Private Polynomial Evaluation (PPE) schemes and Oblivious Polynomial Evaluation (OPE) schemes, we prove that our scheme is proof unforgeability, indistinguishability against chosen function attack, and client privacy-secure under the Decisional Composite Residuosity assumption in the random oracle model.


Introduction
From harmless smart gardening [19] to critical applications such as forest fire detection [17], data monitoring through sensors is becoming pervasive. In particular, sensors for monitoring health-related data are more and more widely adopted, be it through smartwatches that track the heart rate, or sensors implanted in the patient's body [2]. This medical data can sometimes be used to assess the health status of an individual, by applying a single variable polynomial prediction function on it [7]. However, when it comes to medical data, extreme care must be taken in order to avoid any leakage. Recently, the leak of medical data of 1.5 million SingHealth users in Singapore gave a strong incentive to improve the security and privacy surrounding medical data [1]. In this context, we consider the following problem: How can a company use medical data recorded by clients to give them predictions about their health status in a private way?
For instance, this company may collect Fitbit data from its customers, and use it to predict things such as a risk factor for certain diseases. For economic reasons, this company keeps the polynomial secret: it invested time to build it, and building it required collecting a lot of data. Its economic model is based on the secrecy of the polynomial: the clients pay the company to obtain the polynomial's output on their medical data. If the polynomial were public, then the clients would directly compute it, and the company would cease to exist. However, as the company grows, it becomes difficult to treat all the computation requests, so that the company needs to delegate this computation to a cloud service. The company trusts the cloud service provider and gives it the secret polynomial; however, the clients may not trust the server to produce correct results, so the company would like the server to be able to prove the correctness of each prediction to the client, i.e., prove that its output is correct with regard to the secret prediction function. In this scenario, the problem is how to delegate computations on a secret polynomial function to an external server in a verifiable way. This problem is solved by Private Polynomial Evaluation (PPE) schemes [14,12,4,25] illustrated in Fig. 1. In a PPE scheme, the company outsources the secret polynomial function $f(\cdot)$ to an external server. Moreover, the company provides some public information $vk$ called the verification key. This verification key is used with the proof $\pi$ generated by the server during the delegated computation of $f(x)$ to allow clients to verify the correctness of the result returned by the server.
However, PPE schemes do not protect the privacy of the clients: their data is handled in clear by the server. After the SingHealth hack, the company wants to be sure that even if an intruder hacks the server, he will not be able to steal the medical data of its clients. To solve this problem, we propose a new primitive called Verifiable and Private Oblivious Polynomial Evaluation (VPOPE). A VPOPE scheme is a private polynomial evaluation scheme in which the data of the client cannot be read by the cloud server. More precisely, the client sends his encrypted data to the server, and the server never learns anything about $x$. We illustrate this new primitive in Fig. 2.

Related Works
VPOPE schemes are related to several research domains. The first one is Verifiable Computation (VC), introduced by Gennaro et al. [13]. The aim of VC is to delegate a costly computation to an untrusted third party. This third party returns the result of the computation and a proof of correctness, which is easier to verify. Primitives where everyone can check the correctness of the computation are said to be publicly verifiable [23]. VC has given rise to a number of protocols [5,9,6,22,21]. Although VC is related to our paper, the difference is that in these works, the polynomial used by the server is not secret.
Another similar primitive is Oblivious Polynomial Evaluation (OPE), introduced by Naor and Pinkas [18]. OPE protocols involve two parties. The first party, A, knows a secret function $f(\cdot)$ and the other one, B, has a secret element $x$. The aim of OPE is that B receives $f(x)$ in such a way that A learns nothing about the value $x$ sent by B, and that B learns nothing about the function $f(\cdot)$. OPE protocols are used to solve different cryptographic problems such as set membership, oblivious keyword search, and set intersection [16,11,10]. Although OPE and VPOPE are very similar, their difference lies in the fact that OPE does not consider the verifiability of the computation of $f(x)$, whereas it is a crucial point in VPOPE since the client does not trust the server.
Finally, the nature of VPOPE is very close to that of Private Polynomial Evaluation (PPE). To the best of our knowledge, only five papers [15,14,12,4,25] propose to hide a polynomial used by the server and allow a client to verify the returned results. Kate et al. [15] formally define a primitive called commitments to polynomials that can be used as a PPE scheme and propose the $\text{PolyCommit}_{\text{Ped}}$ scheme. In this primitive, the committer publishes some points $(x, y)$ of the secret polynomial together with a proof that $y = f(x)$. Then, she can open the commitment a posteriori to reveal the secret polynomial. This primitive is close to PPE and VPOPE schemes since the verification key used in PPE and VPOPE can be viewed as a commitment. However, this verification key is computed by a trusted party (the company) and computations are performed by an untrusted party (the server). Although the verification cost is constant-time, it uses three pairing computations, and we show that, in practice, the verification of our VPOPE scheme is more efficient (see Section 5.2).
Independently of Kate et al. [15], Guo et al. [14] propose a scheme with similar security properties to delegate the computation of a secret health-related function on the users' health record. The polynomials are explicitly assumed to have low coefficients and degree, which significantly reduces their randomness. However, the authors give neither security models nor proofs. Later, Gajera et al. [12] show that any user can guess the polynomial using Lagrange interpolation on several points. They propose a scheme where the degree $k$ is hidden and claim that it does not suffer from this kind of attack.
Following this work, Bultel et al. [4] show that hiding the degree $k$ is useless and that no scheme can be secure when a user queries more than $k$ points to the server. Moreover, they give a cryptanalysis of the PPE scheme of Guo et al. [14] and of the PPE scheme of Gajera et al. [12] which requires only one query to the server, and present the first security model for PPE schemes. A PPE scheme must satisfy the following properties: (i) proof unforgeability (UNF) requires that the server cannot provide a valid proof to the client for a point that is not a point of the secret polynomial; (ii) indistinguishability against chosen function attack (IND-CFA) requires that the client cannot distinguish which of two polynomials of her choice has been evaluated by the server. Bultel et al. show that the $\text{PolyCommit}_{\text{Ped}}$ scheme from Kate et al. [15] satisfies these security properties. Moreover, Bultel et al. design a PPE scheme called PIPE that is IND-CFA secure and solves an open problem described by Kate et al. concerning the design of a scheme with a weaker assumption than t-SDH. Despite having the additional property that it protects the privacy of the client, we show that the verification of our VPOPE scheme is more efficient than for PIPE.
More recently, Xia et al. [25] proposed a new efficient PPE scheme. Like PIPE, their scheme satisfies the required security properties defined in [4]. Their scheme is based on Pedersen's Verifiable Secret Sharing [24] and, contrary to Bultel et al. [4], does not depend on a NIZKP to allow the client to verify the correctness of the result. In addition to having computational advantages over previous PPE schemes, Xia et al.'s scheme relies only on the Discrete Logarithm assumption. However, the verification in Xia et al.'s scheme also requires $k$ exponentiations, where $k$ is the degree of the secret polynomial, which makes it costlier than our scheme, which needs only three exponentiations, one Paillier decryption, and $k$ multiplications.

Contributions
The contributions of this paper are summarized as follows:
- We formally define VPOPE schemes and give a security framework based on those of PPE and Oblivious Polynomial Evaluation (OPE) schemes.
- We design VIP-POPE (for Verifiable IND-CFA Paillier based Private Oblivious Polynomial Evaluation), an efficient and secure VPOPE scheme. This scheme uses homomorphic properties of Paillier's encryption scheme [20] in order to achieve encrypted polynomial evaluation.
- We also formally prove its security in the random oracle model and compare its verification cost with the existing PPE schemes. We show that VIP-POPE is more efficient for the verification part than the PPE schemes presented in [15,4,25].

Outline
In the next section, we recall the cryptographic notions used in this paper. In Section 3, we give the PPE and OPE security model for VPOPE schemes. Then, we present in Section 4 our VPOPE scheme called VIP-POPE. Before concluding, we prove in Section 5 that VIP-POPE satisfies the security properties for VPOPE schemes and compare its verification cost with other PPE schemes of the literature.

Preliminaries
We start by recalling the definition of the cryptographic tools used in this paper.
In the rest of the paper, we denote by poly(η) the set of probabilistic polynomial time algorithms with respect to the security parameter η.

Paillier Cryptosystem
We now recall the key generation, encryption and decryption algorithms of Paillier's public key encryption scheme [20] used in our scheme.
Key Generation. We denote by $\mathbb{Z}_n$ the ring of integers modulo $n$ and by $\mathbb{Z}_n^*$ the set of invertible elements of $\mathbb{Z}_n$. The public key $pk$ of Paillier's encryption scheme is $(n, g)$, where $g \in \mathbb{Z}_{n^2}^*$ and $n = pq$ is the product of two prime numbers. The corresponding secret key $sk$ is $(\lambda, \mu)$, where $\lambda$ is the least common multiple of $p - 1$ and $q - 1$ and $\mu = (L(g^{\lambda} \bmod n^2))^{-1} \bmod n$, where $L(x) = \frac{x-1}{n}$.
Encryption Algorithm. Let $m$ be a message such that $m \in \mathbb{Z}_n$. Let $r$ be a random element of $\mathbb{Z}_n^*$. We denote by $E_{pk}$ the encryption algorithm that produces the ciphertext $c$ from a given plaintext $m$ with the public key $pk = (n, g)$ as follows: $c = E_{pk}(m) = g^m \cdot r^n \bmod n^2$.
Decryption Algorithm. Let $c$ be the ciphertext such that $c \in \mathbb{Z}_{n^2}^*$. We denote by $D_{sk}$ the decryption function applied to the ciphertext $c$ with the secret key $sk = (\lambda, \mu)$, defined as follows:
Paillier's cryptosystem is a partially homomorphic encryption scheme. Let $m_1$ and $m_2$ be two plaintexts in $\mathbb{Z}_n$. The product of the two associated ciphertexts with the public key $pk = (n, g)$ is the encryption of the sum of $m_1$ and $m_2$. We also remark that:
Theorem 1. Paillier's cryptosystem is IND-CPA-secure if and only if the Decisional Composite Residuosity Assumption holds [20].
To present our scheme, we first claim the following property on Paillier ciphertexts.
Property 1. Let $n$ be the product of two prime numbers, $x \in \mathbb{Z}_n$, and $g \in \mathbb{Z}_{n^2}^*$. We set $pk = (n, g)$ a Paillier public key. Let $\{t_i\}_{i=1}^{k}$ be such that for all $i \in \{1, \dots, k\}$, we have $t_i = t_{i-1}^{x} \cdot r_i^{n}$ with $t_0 = g$ and $r_i \in \mathbb{Z}_{n^2}^*$. Then for all $i \in \{1, \dots, k\}$, $t_i = E_{pk}(x^i)$.

Zero-Knowledge Proof
We use the ZKP given by Baudron et al. [3] to prove the plaintext equality of $k \in \mathbb{N}$ Paillier ciphertexts. Let $\mathbb{Z}_{n^2}^*$ be a multiplicative group where $n$ is the product of two prime numbers $p$ and $q$. The language is the set of all statements
Since the ZKP given by Baudron et al. [3] is a sigma protocol, we can use the Fiat-Shamir Transformation [8] to obtain a NIZKP. We formally define this NIZKP called DecPaillierEq.
Definition 1 (DecPaillierEq [3]). Let $n$ be the product of two prime numbers $p$ and $q$ and $H$ be a hash function, and let $L$ be the set of all $(t_1, \dots, t_k) \in (\mathbb{Z}_{n^2}^*)^k$ such that for all $i \in \{1, \dots, k\}$, $t_i = t_{i-1}^{x} \cdot r_i^{n} \bmod n^2$ where $t_0 \in \mathbb{Z}_{n^2}^*$ and $r_i \in \mathbb{Z}_{n^2}^*$. We define the NIZKP DecPaillierEq = (Prove, Verify) for $L$ as follows:
- Prove($(t_1, \dots, t_k)$, $\omega$): Using the witness $\omega = (x, t_0,$
Moreover, Baudron et al. [3] prove the following theorem.
Theorem 2. DecPaillierEq is unconditionally complete, sound and zero-knowledge in the random oracle model.

Definition and Security Model
Before we present our security model, we first formally define a Private Oblivious Polynomial Evaluation scheme.
Definition 2. A Verifiable and Private Oblivious Polynomial Evaluation (VPOPE) scheme is composed of eight algorithms (setup, init, keyGen, queryGen, queryDec, compute, decrypt, verif) defined as follows:
- setup($\eta$): Using the security parameter $\eta$, this algorithm generates a ring $F$, public parameters pub and secret parameters sec. It returns (pub, $F$, sec).
- init($F, f$, sec): Using $F$, the secret polynomial $f$, and parameters sec, this algorithm returns a verification key $vk$ and a server key $sk_f$ associated to the secret polynomial $f$.
- keyGen($\eta$, pub, $k$): Using the security parameter $\eta$ and public parameters pub, this algorithm generates and returns a client's key pair $(pk_c, sk_c)$.
- queryGen($pk_c, x$): Using a public key $pk_c$ and an input $x$, this algorithm generates an encrypted query $t$ associated to $x$, a proof $\pi_t$ proving that $t$ is a valid encrypted query, and returns $(t, \pi_t)$.
- queryDec($sk_c, t$): Using a secret key $sk_c$ and an encrypted request $t$, this algorithm outputs $x$ if $t$ is a valid request of $x$, $\bot$ otherwise.
- compute($t, \pi_t, f, sk_f, F$): Using $t$, $\pi_t$, $f$, $sk_f$, and $F$, this algorithm returns an encrypted value $d$ along with a proof $\pi_d$ proving that $d$ is an encryption of $f(x)$ if the proof $\pi_t$ is "accepted". Else it returns $\bot$.
- decrypt($sk_c, d$): Using a secret key $sk_c$ and the encrypted value $d$, this algorithm returns $y$, the decryption of $d$.
- verif($x, sk_c$, pub, $y, \pi_d, vk$): This algorithm returns 1 if the proof $\pi_d$ is "accepted", 0 otherwise.
We use security notions of PPE schemes formalized by Bultel et al. [4], namely Unforgeability (UNF) and Indistinguishability against Chosen Function Attack (IND-CFA), and adapt them to VPOPE schemes. The security model IND-CFA ensures secrecy of the polynomial, and the security model UNF ensures validity of the verification process. Since VPOPE schemes consider encrypted data on the client side, we recall the Client's Privacy - Indistinguishability (CPI) security property defined by Naor and Pinkas [18] to include the privacy of the client's data. Moreover, we define the Query Soundness (QS) notion in order to prove that a client cannot obtain information other than the points that she queried. In all the security models, we denote by $F[x]_k$ the set of all polynomials of degree $k$ over a finite field $F$.

Client's Privacy -Indistinguishability
We first recall the Client's Privacy - Indistinguishability (CPI) security for VPOPE schemes introduced by Naor and Pinkas [18]. In this model the adversary chooses two queries $(x_0, x_1)$ and tries to guess the evaluation $x_b$ asked by the client. The adversary has access to the ciphertext oracle $\mathsf{CO}_{\mathsf{CPI}}(\cdot)$, which takes $x$ as input and returns the encrypted query $t$. A VPOPE scheme is CPI-secure if no adversary can output the query chosen by the client with a better probability than by guessing.
Definition 3 (Client's privacy - indistinguishability). Let $\Pi$ be a VPOPE, $A = (A_1, A_2) \in \text{poly}(\eta)^2$ be a two-party adversary. The client's privacy - indistinguishability (CPI) experiment for $A$ against $\Pi$ is defined in Fig. 3, where $A$ has access to the oracle $\mathsf{CO}_{\mathsf{CPI}}(\cdot)$. The advantage of the adversary $A$ against the CPI experiment is given by:
A scheme $\Pi$ is CPI-secure if this advantage is negligible for any $A \in \text{poly}(\eta)^2$.

Chosen Function Attack
We recall the model for k-Indistinguishability against Chosen Function Attack (k-IND-CFA). In this model, the adversary chooses two polynomials $(f_0, f_1)$ and tries to guess the polynomial $f_b$ used by the server, where $b \in \{0, 1\}$. The adversary has access to a server oracle $\mathsf{CO}_{\mathsf{CFA}}(\cdot)$ and sends it an encrypted query $t$ associated to her data $x$ along with a proof $\pi_t$. The oracle decrypts the query $t$ and obtains $x$ if $t$ is valid. If $f_0(x) = f_1(x)$, the oracle returns $d$, i.e., the encrypted value of $f_b(x)$, along with a proof $\pi_d$. If $f_0(x) \neq f_1(x)$, then the server returns nothing. In practice, an adversary chooses $(f_0, f_1)$ such that $f_0 \neq f_1$, but with $k$ points $(x_i, y_i)$ such that $f_0(x_i) = f_1(x_i)$. This allows the adversary to maximize his oracle calls in order to increase his chances of success.

Definition 4 (k-IND-CFA). Let $\Pi$ be a VPOPE, $A = (A_1, A_2) \in \text{poly}(\eta)$ be a two-party adversary and $k$ be an integer. The k-IND-CFA experiment for $A$ against $\Pi$ is defined in Fig. 4, where $A$ has access to the server oracle $\mathsf{CO}_{\mathsf{CFA}}(\cdot)$. The advantage of the adversary $A$ against the k-IND-CFA experiment is given by:

Query Soundness
[Fig. 5: QS experiment. Surviving fragment: "and $f(\text{queryDec}(sk_c, t)) = \text{decrypt}(sk_c, d)$ such that $(d, \pi_d) \leftarrow \text{compute}(t, \pi_t, f, sk_f, F)$: then return 1; else return 0."]
We now define a model for Query Soundness (QS). In this model, the adversary tries to learn information other than the points of the secret polynomial that she queried by sending a particular query $t$ along with a proof $\pi_t$ to the server.
Definition 5 (Query Soundness). Let $\Pi$ be a VPOPE, and $A \in \text{poly}(\eta)$ be an adversary. The Query Soundness (QS) experiment for $A$ against $\Pi$ is defined in Fig. 5. The advantage of the adversary $A$ against the QS experiment is given by:
A scheme $\Pi$ is QS-secure if this advantage is negligible for any $A \in \text{poly}(\eta)$.

Unforgeability
Finally, we recall the unforgeability property. A VPOPE is unforgeable when a dishonest server cannot produce a valid proof for a point $(x, y)$ such that $y \neq f(x)$. In this model, the secret polynomial $f$ is chosen by the server.
Definition 6 (Unforgeability). Let $\Pi$ be a VPOPE, $A = (A_1, A_2) \in \text{poly}(\eta)$ be a two-party adversary. The unforgeability (UNF) experiment for $A$ against $\Pi$ is defined in Fig. 6. We define the advantage of the adversary $A$ against the UNF experiment by:
A scheme $\Pi$ is UNF-secure if this advantage is negligible for any $A \in \text{poly}(\eta)^2$.

Security Against Collusion Attacks
There are two possible collusion scenarios: collusion of a client and the server, and collusion of two or more clients.

Scenario 1: In a collusion of a client and the server, the server can provide the secret polynomial to the client. This is an inherent problem and cannot be prevented. The client can share public parameters and verification keys with the server, but these parameters are already public and known to the server. The collusion does not give the server any advantage in forging a fake proof of computation.
Scenario 2: In a collusion of two or more clients, sharing Paillier secret keys with each other does not provide any information about the secret polynomial. All the verification keys and public parameters are the same for each client. The inherent limitation is that colluding clients can share their evaluated points with each other, and if the total number of points is more than $k$, where $k$ is the degree of the secret polynomial, then the clients can derive the polynomial. This problem exists in any polynomial computation and cannot be prevented.
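The limit stated in Scenario 2 and in the k-IND-CFA discussion can be checked numerically. The following Python sketch is an added example, not code from the paper: it uses a constructed toy prime and a constructed degree-3 polynomial, and the function names are hypothetical. It shows that k pooled points still fit a second polynomial of the same degree, while k + 1 pooled points determine the polynomial uniquely.

```python
Q = 2**31 - 1              # constructed toy prime field Z_q
SECRET = [5, 17, 0, 42]    # constructed secret polynomial a_0..a_3, degree k = 3

def poly_eval(coeffs, x, q=Q):
    """Horner evaluation of sum a_i x^i over Z_q."""
    y = 0
    for a in reversed(coeffs):
        y = (y * x + a) % q
    return y

def mul_linear(p, root, q=Q):
    """Multiply the polynomial p(X) by (X - root) over Z_q."""
    out = [0] * (len(p) + 1)
    for i, c in enumerate(p):
        out[i] = (out[i] - root * c) % q
        out[i + 1] = (out[i + 1] + c) % q
    return out

def interpolate(points, q=Q):
    """Lagrange interpolation: the unique polynomial of degree < len(points)."""
    coeffs = [0] * len(points)
    for j, (xj, yj) in enumerate(points):
        basis, denom = [1], 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                basis = mul_linear(basis, xm, q)
                denom = denom * (xj - xm) % q
        scale = yj * pow(denom, -1, q) % q
        for i, c in enumerate(basis):
            coeffs[i] = (coeffs[i] + scale * c) % q
    return coeffs

def agreeing_alternative(coeffs, xs, q=Q):
    """A different polynomial of the same degree that matches coeffs on all xs
    (requires len(xs) == degree): coeffs + prod (X - x_i)."""
    vanishing = [1]
    for x in xs:
        vanishing = mul_linear(vanishing, x, q)
    return [(c + v) % q for c, v in zip(coeffs, vanishing)]

if __name__ == "__main__":
    # Two clients hold two evaluated points each: k + 1 = 4 points in total.
    pooled = [(x, poly_eval(SECRET, x)) for x in (1, 2, 3, 4)]
    print("recovered from k+1 points:", interpolate(pooled))
    alt = agreeing_alternative(SECRET, [1, 2, 3])
    print("also consistent with the first k points:", alt)
```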

VIP-POPE Description
In our scheme, we assume that the server is not trusted with the computation result and clients are curious to learn about the secret polynomial.A client may forge an encrypted query to gain more information about the secret polynomial.We first give the intuition of our scheme VIP-POPE and then give its formal definition.
We use homomorphic properties of Paillier's cryptosystem to design our scheme called VIP-POPE. The key idea is that a client can generate an encrypted query $t = \{t_i\}_{i=1}^{k}$, where $t_i = E_{pk}(x^i)$ and $k$ is the degree of the secret polynomial $f(\cdot)$, to allow the server to compute $E_{pk}(f(x))$. Since the server knows the coefficients $\{a_i\}_{i=0}^{k}$ of $f(\cdot)$, it computes $E_{pk}(f(x))$ as follows:
The client may forge an untrustworthy encrypted query to learn more than one point of the polynomial. To avoid this kind of attack, the client must provide a proof of validity $\pi_t$ for each query $t = \{t_i\}_{i=1}^{k}$ that she sends to the server, i.e., a proof that $t_i = E_{pk}(x^i)$ for all $i \in \{1, \dots, k\}$. Based on Property 1, such a proof can be built using the NIZKP DecPaillierEq presented in Definition 1.

Formal Definition of VIP-POPE
We now give the formal definition of our scheme VIP-POPE. The algorithms setup and init are run by the company, the algorithm compute is run by the server, and the algorithms keyGen, queryGen, decrypt and verif are run by a client.
Definition 7. Let VIP-POPE = (setup, init, keyGen, queryGen, queryDec, compute, decrypt, verif) be a scheme defined by:
- setup($\eta$): Using the security parameter $\eta$, this algorithm first generates a prime number $q$. It selects a multiplicative group $G$ of order $q$ generated by $h$. It picks $(s_1, s_2) \leftarrow (\mathbb{Z}_q)^2$ and sets pub $= (h^{s_1}, h^{s_2}, h, q)$, sec $= (s_1, s_2)$, and $F = \mathbb{Z}_q$. Finally, it outputs pub, $F$, and sec.
- init($F, f$, sec): We set $f(x) = \sum_{i=0}^{k} a_i \cdot x^i$ where $a_i \in \mathbb{Z}_q$. For all $i \in \{0, \dots, k\}$, it picks $r_i \in \mathbb{Z}_q$ and computes $\alpha_i = (a_i + r_i) \cdot s_1$ and , and returns $(vk, sk_f)$.
- keyGen($\eta$, pub, $k$): For a client $c$, it picks two primes $p_c$ and $q_c$ such that $(k + 1) q^2 < p_c q_c$ and $p_c \approx q_c$. It sets $n_c = p_c q_c$. According to $n_c$, it generates a Paillier key pair such that $pk_c = (n_c, g_c)$ and $sk_c = (\lambda_c, \mu_c)$ as described in Section 2. It outputs $(pk_c, sk_c)$.
- queryGen($pk_c, x$): Using $x$ and the Paillier public key $pk_c$, this algorithm computes, for all $i \in \{1, \dots, k\}$, $t_i = E_{pk}(x^i)$ and returns the encrypted query $t = (pk_c, \{t_i\}_{i=1}^{k})$ along with a proof $\pi_t$ of equality of plaintexts using $\text{proof}_{\text{PaillierEq}}$.
- queryDec($sk_c, t$): First this algorithm parses $t$ as $(pk_c, \{t_i\}_{i=1}^{k})$. Using the Paillier secret key $sk_c$, this algorithm sets $x = D_{sk_c}(t_1)$.
- compute($t, \pi_t, f, sk_f, F$): If $\pi_t$ is accepted by $\text{verify}_{\text{PaillierEq}}$, this algorithm uses $\{t_i\}_{i=1}^{k}$ from $t$, the coefficients $\{a_i\}_{i=0}^{k}$ of the polynomial function $f(\cdot)$, and $\{\alpha_i\}_{i=0}^{k}$ from the server secret key $sk_f$ to compute: and returns $(d, \pi_d)$, else it returns $\bot$.
- decrypt($sk_c, d$): Using the Paillier secret key $sk_c$, which is equal to $(\lambda_c, \mu_c)$, this algorithm returns $y = D_{sk_c}(d) \bmod q$.
- verif($x, sk_c$, pub, $y, \pi_d, vk$): Using $x$, $sk_c$, $vk$, and the proof $\pi_d$, this algorithm computes: If $(h^{s_1})^{y} \cdot (h^{s_2})^{z} = h^{y}$, then the algorithm returns 1, else it returns 0.
Parameter Selection. First, consider the additive group $F = \mathbb{Z}_q$ of order $q$. The size of the prime $q$ must be at least 1024 bits to make the discrete logarithm problem hard in the group $G$. We recall that the polynomial $f(\cdot)$ is equal to $\sum_{i=0}^{k} a_i \cdot x^i$ where $a_i \in \mathbb{Z}_q$ for all $i \in \{0, \dots, k\}$. Hence, all evaluations are in $\mathbb{Z}_q$; thus we assume that for all $i \in \{0, \dots, k\}$, we have $0 \le x^i < q$, and that $0 \le f(x) < q$. Moreover, the client encrypts for all $i \in \{1, \dots, k\}$ the value $x^i$. The evaluation performed by the server is done over encrypted values, i.e., successful decryption due to Paillier cryptosystem properties, where $\mathbb{Z}_{n_c}$ is the plaintext space of Paillier cryptosystem, $p_c$ and $q_c$ are two prime numbers. Since $0 \le a_i < q$ and $0 \le x^i < q$, we have $a_i \cdot x^i < q^2$ for each $i \in \{0, \dots, k\}$ that gives us $a_0 + a$ . Hence, we need to have $(k + 1) \cdot q^2 < n_c$ to always have successful decryption. Moreover, we recommend the size of each prime $p_c$ and $q_c$ to be at least 1024 bits to make the factorization of $n_c$ hard.
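The following Python sketch is an added example, not code from the paper: it runs the encrypted evaluation end to end with toy Mersenne primes, builds the query with the chain of Property 1, and checks the bound $(k + 1) \cdot q^2 < n_c$ in both the satisfied and the violated case. It assumes $g = n + 1$, the textbook Paillier decryption $L(c^{\lambda} \bmod n^2) \cdot \mu \bmod n$, and the usual homomorphic combination $E(a_0) \cdot \prod t_i^{a_i}$ on the server side; the NIZKP $\pi_t$, the $\alpha_i$ terms and the proof $\pi_d$ are left out, and all function names and sample values are hypothetical.

```python
import math
import secrets

Q = 2**31 - 1   # toy field prime q (constructed; the paper asks for >= 1024 bits)
COEFFS = [123456789, 2000000011, 77, 2147483000]  # constructed a_0..a_k, k = 3
X = 1000        # constructed client input, chosen so that x^k < q

def keygen(p, q):
    """Paillier key pair for n = p*q with the common choice g = n + 1 (assumption)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    g = n + 1
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)      # L(g^lam mod n^2)^-1 mod n
    return (n, g), (lam, mu)

def rand_unit(n):
    """Random invertible element of Z_n."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r

def enc(pk, m):
    n, g = pk
    return pow(g, m, n * n) * pow(rand_unit(n), n, n * n) % (n * n)

def dec(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def query_gen(pk, x, k):
    """Client: t_0 = g, t_i = t_{i-1}^x * r_i^n mod n^2, so t_i encrypts x^i."""
    n, g = pk
    t, prev = [], g
    for _ in range(k):
        prev = pow(prev, x, n * n) * pow(rand_unit(n), n, n * n) % (n * n)
        t.append(prev)
    return t

def compute(pk, t, coeffs):
    """Server: E(a_0) * prod t_i^{a_i} mod n^2, an encryption of sum a_i x^i mod n."""
    n, _ = pk
    d = enc(pk, coeffs[0])
    for a_i, t_i in zip(coeffs[1:], t):
        d = d * pow(t_i, a_i, n * n) % (n * n)
    return d

def reference(x, coeffs):
    """f(x) mod q computed in the clear, for comparison only."""
    return sum(a * x**i for i, a in enumerate(coeffs)) % Q

def evaluate(p, q, x, coeffs):
    """Full round trip; returns (Property 1 holds, bound holds, decrypted y mod q)."""
    pk, sk = keygen(p, q)
    k = len(coeffs) - 1
    t = query_gen(pk, x, k)
    powers_ok = all(dec(pk, sk, t_i) == pow(x, i, pk[0]) for i, t_i in enumerate(t, 1))
    bound_ok = (k + 1) * Q * Q < pk[0]
    y = dec(pk, sk, compute(pk, t, coeffs)) % Q
    return powers_ok, bound_ok, y

if __name__ == "__main__":
    print("expected f(x) mod q:", reference(X, COEFFS))
    print("n_c large enough   :", evaluate(2**61 - 1, 2**89 - 1, X, COEFFS))
    print("n_c too small      :", evaluate(2**17 - 1, 2**19 - 1, X, COEFFS))
```

With the small modulus the sum $\sum a_i x^i$ wraps modulo $n_c$ before the reduction modulo $q$, so the client decrypts a value that is not $f(x)$.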

Security and Performance Analysis
We first give a theorem on the security of VIP-POPE.Then we provide some comparisons with PPE schemes of the literature [15,4,25].

Security proofs
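We present the security proofs of VIP-POPE in our security model.
Theorem 3. VIP-POPE is a CPI-secure scheme under the DCR assumption.
Proof. We assume there exists $A \in \text{poly}(\eta)^2$ such that $\mathsf{Adv}^{\text{CPI}}_{\text{VIP-POPE},A}(\eta)$ is non-negligible and we show there exists an algorithm $B \in \text{poly}(\eta)$ such that $\mathsf{Adv}^{\text{IND-CPA}}_{\text{Paillier},B}(\eta)$ is non-negligible. We build $B$ as follows:
- $B$ receives $\mathbb{Z}_q$, sec from setup($\eta$) and $pk_c$ from keyGen($\eta$, pub, $k$).
We remark that:
1. The experiment CPI is perfectly simulated for $A$.
2. $B$ wins the IND-CPA experiment if and only if $A$ wins the CPI experiment.
Since $\mathsf{Adv}^{\text{CPI}}_{\text{VIP-POPE},A}(\eta)$ is non-negligible, then $\mathsf{Adv}^{\text{IND-CPA}}_{\text{Paillier},B}(\eta)$ is non-negligible. However, Paillier cryptosystem is IND-CPA under the DCR assumption, then $B$ can be used to break the DCR assumption, which contradicts our hypothesis and concludes the proof.
Theorem 4. For any $k \in \mathbb{N}$, VIP-POPE is a k-IND-CFA-secure scheme.
Proof. Let $A \in \text{poly}(\eta)$ be an algorithm. We show that there exists an algorithm $B \in \text{poly}(\eta)$ simulating the experiment $\mathsf{Exp}^{k\text{-IND-CFA}}_{\text{VIP-POPE},A}(\eta)$ to $A$. We build $B$ as follows:
- $B$ generates (pub, $\mathbb{Z}_q$, sec) $\leftarrow$ setup($\eta$), where pub $= (h^{s_1}, h^{s_2}, h)$, and sec =
- $B$ picks $r \xleftarrow{\$} \mathbb{Z}_q$. For all $i \in \{0, \dots, k\}$, it picks $r_i \xleftarrow{\$} \mathbb{Z}_q$, and sets $\alpha_i = (a_{b,i} + r_i) \cdot s_1$, and
We remark that $r$ and $r_i$ (for $0 \le i \le k$) are chosen in the uniform distribution of $\mathbb{Z}_q$, then each element of $vk$ comes from the uniform distribution on $\mathbb{Z}_q$. Finally, we have:
We deduce that the experiment k-IND-CFA is perfectly simulated for $A$. Then $A$ cannot do better than the random to guess the value of the chosen $b$. Hence, we have: Pr
in each scheme. In Fig. 7, we observe that VIP-POPE takes almost constant time while the cost of the verification equation in PIPE and Xia's scheme increases linearly with respect to the degree $k$. Moreover, our scheme takes only around 5-6 milliseconds for the verification equation even for $k = 100$, which makes it practically feasible for real applications.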

Conclusion
In this paper, we gave a formal definition of a new primitive called VPOPE (for Verifiable and Private Oblivious Polynomial Evaluation). This primitive allows a company to delegate the computation of a secret polynomial $f(\cdot)$ to an external server on a client's encrypted data in a verifiable way. In other terms, a client sends the server an encrypted query associated to her secret data $x$, using her own public key $pk$. Then, the client receives $d$ with a proof that $d = E_{pk}(f(x))$. We design the first VPOPE scheme, called VIP-POPE (for Verifiable IND-CFA Paillier based Private Oblivious Polynomial Evaluation), and prove that it satisfies the required security properties, i.e., VIP-POPE is CPI-, IND-CFA-, QS-, UNF-secure in the random oracle model. Moreover, we compare our scheme to other existing PPE schemes of the literature and show that its computational verification cost is lower than that of the others.
