@Article{BR99,
  author = 	 { Mihir Bellare and Ronald L. Rivest },
  title = 	 { Translucent Cryptography---An Alternative to Key Escrow, and 
                   Its Implementation via Fractional Oblivious Transfer },
  journal = 	 { Journal of Cryptology },
  publisher =    { Springer },                  
  issn =         { 0933-2790 },
  OPTyear = 	 { 1999 },
  OPTmonth = 	 { October },
  date =         { 1999-10 },                  
  volume = 	 { 12 },
  number = 	 { 2 },
  pages = 	 { 117--139 },
  url =          { http://dx.doi.org/10.1007/PL00003819 },
  doi =          { 10.1007/PL00003819 },
  keywords =     { key escrow, translucent, oblivious transfer, discrete
                   logarithms, communications policy },                  
  abstract =     {
                  We present an alternative to the controversial
                  ``key-escrow'' techniques for enabling law
                  enforcement and national security access to
                  encrypted communications. Our proposal allows such
                  access with probability $p$ for each message, for a
                  parameter $p$ between $0$ and $1$ to be chosen (say, by
                  Congress) to provide an appropriate balance between
                  concerns for individual privacy, on the one hand,
                  and the need for such access by law enforcement and
                  national security, on the other. (For example, with
                  $p=0.4$ , a law-enforcement agency conducting an
                  authorized wiretap which records 100 encrypted
                  conversations would expect to be able to decrypt
                  (approximately) 40 of these conversations; the
                  agency would not be able to decrypt the remaining 60
                  conversations at all.) Our scheme is remarkably
                  simple to implement, as it requires no prior
                  escrowing of keys. 
                  \par
                  We implement translucent
                  cryptography based on noninteractive oblivious
                  transfer. Extending the schemes of Bellare and
                  Micali [2], who showed how to transfer a message
                  with probability $\frac{1}{2}$, we provide schemes for
                  noninteractive fractional oblivious transfer, which
                  allow a message to be transmitted with any given
                  probability $p$ . Our protocol is based on the
                  Diffie-Hellman assumption and uses just one El Gamal
                  encryption (two exponentiations), regardless of the
                  value of the transfer probability $p$ . This makes the
                  implementation of translucent cryptography
                  competitive, in efficiency of encryption, with
                  current suggestions for software key escrow.  
                  },
}