-
基于容错学习(learning with error problem, LWE)的密码是一类备受关注的抗量子计算攻击的公钥密码体制[1]。BGN加密方案[2]描述了一种允许任意次加法和一次乘法的密文运算的加密系统,并且在密文的运算中,密文的规模没有增长。文献[3]基于LWE构造了一种简单的BGN加密方案GHV10,GHV10的解密算法需要用到陷门技术[4]。文献[5]构造了一种BGN加密方案,但是基于双线性配对和子集判定假设的。
加密方案BGV12[6]是一种全同态加密方案,加密的明文是比特,密文是向量。因为密文的乘法运算是向量的张量积,所以密文在运算后规模扩大。BGV12利用密钥交换、模转换等技术来控制噪音的增长和密文的规模,从而实现了全同态加密运算。如果为了实现密文的一次乘法运算仍然需要使用这些技术,那么BGV12就显得有些差强人意。本文利用BGV12的加密方案设计了一种变形的加密方案。加密的明文为矩阵(明文打包运算[7]),密文也为矩阵。因为密文的乘法运算是矩阵的乘法,而不是矩阵的张量积,所以密文的规模在运算后没有增大。
文献[8]基于RLWE构造了一种全同态加密算法ZXJXZ14,并扩展成一种门限加密方案。本文依据ZXJXZ14,也将设计BGN加密方案扩展成一种门限加密方案,并且同样能抵抗密钥泄露攻击。
-
本节利用BGV12的加密方案设计了一种变形的加密方案。加密的明文为矩阵,密文也为矩阵。因为密文的乘法运算是矩阵的乘法,所以密文的规模在运算后没有增大。又因为该加密方案也支持任意次密文加法运算,所以为BGN加密方案。
-
BGN加密方案由五元组(E.Setup, E.SecretKeygen, E.PublicKeygen, E.Enc, E.Enc, E.Dec)构成。
初始化阶段$ {\rm{E}}{\rm{.Setup(}}{{\rm{1}}^\lambda }{\rm{, }}{{\rm{1}}^\mu }{\rm{)}} $:适应性地选择μ比特的模q,及参数$ n = n(\lambda, \mu )$,$ m = \left\lceil {(2n + 1)\log q} \right\rceil $,$ \chi = \chi (\lambda, \mu ) $。
密钥生成算法E.SecretKeygen(1n):选取 $\mathit{\boldsymbol{S}}\leftarrow \mathbb{Z}_{q}^{n\times m} $,输出。
公钥生成算法E.PublicKeygen(S):选取$ \mathit{\boldsymbol{A}}\leftarrow \mathbb{Z}_{q}^{m\times n} $及$\mathit{\boldsymbol{X}}\leftarrow {{\chi }^{n\times n}}$,计算$\mathit{\boldsymbol{B}}={{[\mathit{\boldsymbol{SA}}+2\mathit{\boldsymbol{X}}]}_{q}}$。输出。
加密算法E.Enc(pk, M):对于明文$\mathit{\boldsymbol{M}}\in {{\{0, 1\}}^{n\times n}}$,,选取$\mathit{\boldsymbol{R}}\in {{\{0, 1\}}^{n\times n}}$,并输出密文。
解密算法E.Dec(sk, C):对于密文C,,令,然后输出${{m}_{(i, j)}}={{\left[{{\left[<{{\mathit{\boldsymbol{e}}}_{i}}, {{\mathit{\boldsymbol{s}}}_{j}}> \right]}_{q}} \right]}_{2}}$,这里ei是E是的第i行,sj是的第j列,$i, j\in [n]$。
注:解密算法中的右乘是多余的,仅在乘积密文的解密中会用到。
命题1 (正确性)设$q, n, m, |\chi |\le B$为上述加密方案E所需的参数,$\mathit{\boldsymbol{S}}\in \mathbb{Z}_{q}^{n\times m}$为任意矩阵,$\mathit{\boldsymbol{M}}\in {{\{0, 1\}}^{n\times n}}$。令,$\mathit{\boldsymbol{C}}\leftarrow \rm{E}\rm{.Enc}(\rm{pk}, \mathit{\boldsymbol{M}})$,如果${{[\mathit{\boldsymbol{M}}+2\mathit{\boldsymbol{XR}}]}_{q}}=\mathit{\boldsymbol{M}}+2\mathit{\boldsymbol{XR}}$,那么$\rm{E}\rm{.Decs}(\rm{sk}, \mathit{\boldsymbol{C}})=\mathit{\boldsymbol{M}}$。
证明:由定义可知,因而解密正确。
引理1 (安全性)[5]:设参数$m, n, q, \chi $,使得${\rm{LWE}}_{m, n, q, \chi }$成立,那么对任意的$\mathit{\boldsymbol{M}}\in \mathbb{Z}_{2}^{n\times n}$,如果,$\mathit{\boldsymbol{R}}\in {{\{0, 1\}}^{n\times n}}$,则$(\mathit{\boldsymbol{BR}}, \mathit{\boldsymbol{AR}})$与$\mathbb{Z}_{q}^{m\times n}\times \mathbb{Z}_{q}^{m\times n}$上的均匀分布计算不可区分。
-
设密文:
$$\begin{align} & {{\mathit{\boldsymbol{C}}}_{1}}={{\left[\left( \begin{matrix} \mathit{\boldsymbol{B}}{{\mathit{\boldsymbol{R}}}_{1}}+{{\mathit{\boldsymbol{M}}}_{1}} & \bf{0} \\ -\mathit{\boldsymbol{A}}{{\mathit{\boldsymbol{R}}}_{1}} & \bf{0} \\ \end{matrix} \right) \right]}_{q}} \\ & {{\mathit{\boldsymbol{C}}}_{2}}={{\left[\left( \begin{matrix} \mathit{\boldsymbol{B}}{{\mathit{\boldsymbol{R}}}_{2}}+{{\mathit{\boldsymbol{M}}}_{2}} & \bf{0} \\ -\mathit{\boldsymbol{AR}}{}_{2} & \bf{0} \\ \end{matrix} \right) \right]}_{q}} \\ \end{align}$$ 则:
1) 加法
对于适合的参数有:
$${{\mathit{\boldsymbol{C}}}^{+}}={{\mathit{\boldsymbol{C}}}_{1}}+{{\mathit{\boldsymbol{C}}}_{2}}={{\left[\left( \begin{matrix} \mathit{\boldsymbol{B}}({{\mathit{\boldsymbol{R}}}_{1}}+{{\mathit{\boldsymbol{R}}}_{2}})+({{\mathit{\boldsymbol{M}}}_{1}}+{{\mathit{\boldsymbol{M}}}_{2}}) & \bf{0} \\ -\mathit{\boldsymbol{A}}({{\mathit{\boldsymbol{R}}}_{1}}+{{\mathit{\boldsymbol{R}}}_{2}}) & \bf{0} \\ \end{matrix} \right) \right]}_{q}}$$ 是${{[{{\mathit{\boldsymbol{M}}}_{1}}+{{\mathit{\boldsymbol{M}}}_{2}}]}_{2}}$的密文。
2) 乘法
规定密文乘积为${{\mathit{\boldsymbol{C}}}^{*}}={{\mathit{\boldsymbol{C}}}_{1}}\mathit{\boldsymbol{C}}_{2}^{{\rm{T}}}\ {\rm{mod}}q$。因此
$$\begin{matrix} \left( \begin{matrix} {{\mathit{\boldsymbol{I}}}_{n}} & \mathit{\boldsymbol{S}} \\ \mathit{\boldsymbol{0}} & \mathit{\boldsymbol{0}} \\ \end{matrix} \right){{\mathit{\boldsymbol{C}}}^{*}}{{\left( \begin{matrix} {{\mathit{\boldsymbol{I}}}_{n}} & \mathit{\boldsymbol{S}} \\ \mathit{\boldsymbol{0}} & \mathit{\boldsymbol{0}} \\ \end{matrix} \right)}^{\rm{T}}}= \\ \left( \begin{matrix} {{\mathit{\boldsymbol{I}}}_{n}} & \mathit{\boldsymbol{S}} \\ \mathit{\boldsymbol{0}} & \mathit{\boldsymbol{0}} \\ \end{matrix} \right)\left( \begin{matrix} \mathit{\boldsymbol{B}}{{\mathit{\boldsymbol{R}}}_{1}}+{{\mathit{\boldsymbol{M}}}_{1}} & \bf{0} \\ -\mathit{\boldsymbol{A}}{{\mathit{\boldsymbol{R}}}_{1}} & \bf{0} \\ \end{matrix} \right)\times \\ \ {{\left( \left( \begin{matrix} {{\mathit{\boldsymbol{I}}}_{n}} & \mathit{\boldsymbol{S}} \\ \mathit{\boldsymbol{0}} & \mathit{\boldsymbol{0}} \\ \end{matrix} \right)\left( \begin{matrix} \mathit{\boldsymbol{B}}{{\mathit{\boldsymbol{R}}}_{2}}+{{\mathit{\boldsymbol{M}}}_{2}} & \bf{0} \\ -\mathit{\boldsymbol{A}}{{\mathit{\boldsymbol{R}}}_{2}} & \bf{0} \\ \end{matrix} \right) \right)}^{\rm{T}}}\bmod q= \\ \left( \begin{matrix} {{\mathit{\boldsymbol{M}}}_{1}}\mathit{\boldsymbol{M}}_{2}^{\rm{T}}+{{\mathit{\boldsymbol{X}}}^{*}} & \bf{0} \\ \bf{0} & \bf{0} \\ \end{matrix} \right)\bmod q \\ \end{matrix}$$ 式中,${{\mathit{\boldsymbol{X}}}^{*}}=2{{\mathit{\boldsymbol{M}}}_{1}}\mathit{\boldsymbol{R}}_{2}^{\rm{T}}\mathit{\boldsymbol{X}}_{2}^{\rm{T}}+2{{\mathit{\boldsymbol{X}}}_{1}}{{\mathit{\boldsymbol{R}}}_{1}}\mathit{\boldsymbol{M}}_{2}^{\rm{T}}+4{{\mathit{\boldsymbol{X}}}_{1}}{{\mathit{\boldsymbol{R}}}_{1}}\mathit{\boldsymbol{R}}_{2}^{\rm{T}}\mathit{\boldsymbol{X}}_{2}^{\rm{T}}$,那么对于适合的参数${{\mathit{\boldsymbol{C}}}^{*}}={{\mathit{\boldsymbol{C}}}_{1}}\mathit{\boldsymbol{C}}_{2}^{\rm{T}}\ \bmod q$为${{[{{\mathit{\boldsymbol{M}}}_{1}}\mathit{\boldsymbol{M}}_{2}^{\rm{T}}]}_{2}}$的密文。
-
定理2 令n为安全参数,任意的$c=c(n)>0$。设$q>6{{n}^{2c+6}}$为素数,$m=\left\lceil (2n+1)\log q \right\rceil $,$B={{n}^{\frac{3}{2}}}$。那么上述加密方案支持密文的${{n}^{c}}$次加法和一次乘法运算。
证明:先考虑密文C为$ l\le {{n}^{c}} $个密文的和,记。
因为
$$ \begin{matrix} {{\left\| \mathit{\boldsymbol{B}}\sum\limits_{i=1}^{l}{{{\mathit{\boldsymbol{R}}}_{i}}}+\sum\limits_{i=1}^{l}{{{\mathit{\boldsymbol{M}}}_{i}}} \right\|}_{\infty }}=l+2nBl< \\ {{n}^{c}}(1+2{{n}^{5/2}})<3{{n}^{c+\frac{5}{2}}}<\frac{q}{2} \\ \end{matrix} $$ 所以${{\left[\sum\limits_{i=1}^{l}{{{\mathit{\boldsymbol{M}}}_{i}}}+2\sum\limits_{i=1}^{l}{{{\mathit{\boldsymbol{X}}}_{i}}{{\mathit{\boldsymbol{R}}}_{i}}} \right]}_{q}}=\sum\limits_{i=1}^{l}{{{\mathit{\boldsymbol{M}}}_{i}}}+2\sum\limits_{i=1}^{l}{{{\mathit{\boldsymbol{X}}}_{i}}{{\mathit{\boldsymbol{R}}}_{i}}}$,故$ {\rm{E}}{\rm{.Dec}}({\rm{sk}}, \mathit{\boldsymbol{C}})={{\left[\sum\limits_{i=1}^{l}{{{\mathit{\boldsymbol{M}}}_{i}}} \right]}_{2}} $。
下面考虑密文C′为两个密文的乘积,这两个密文分别为$ {{l}_{1}}, {{l}_{2}} $个密文的和,其中$ {{l}_{1}}+{{l}_{2}}\le {{n}^{c}} $,记。
因为:
$$ \begin{matrix} {{\left\| \left( \sum\limits_{i=1}^{{{l}_{1}}}{{{\mathit{\boldsymbol{M}}}_{i}}}+2\sum\limits_{i=1}^{{{l}_{1}}}{{{\mathit{\boldsymbol{X}}}_{i}}{{\mathit{\boldsymbol{R}}}_{i}}} \right){{\left( \sum\limits_{i=1}^{{{l}_{2}}}{{{{\mathit{\boldsymbol{{M}'}}}}_{i}}}+2\sum\limits_{i=1}^{{{l}_{2}}}{{{\mathit{\boldsymbol{X}}}_{i}}{{\mathit{\boldsymbol{R}}}_{i}}} \right)}^{\rm{T}}} \right\|}_{\infty }}= \\ n({{l}_{1}}+2nB{{l}_{1}})({{l}_{2}}+2nB{{l}_{2}})\le \\ n{{(1+2nB)}^{2}}{{l}_{1}}({{n}^{c}}-{{l}_{1}})< \\ \frac{{{n}^{2c+1}}}{4}\left( 1+4{{n}^{\frac{5}{2}}}+4{{n}^{5}} \right)<\frac{5}{4}{{n}^{2c+6}}<\frac{q}{2} \\ \end{matrix} $$ 所以$ {\rm{E}}{\rm{.Dec}}({\rm{sk}}, C') = {\left[{\left( {\sum\limits_{i = 1}^{{l_1}} {{\mathit{\boldsymbol{M}}_i}} } \right){{\left( {\sum\limits_{i = 1}^{{l_2}} {{\mathit{\boldsymbol{M}}_i}} } \right)}^{\rm{T}}}} \right]_2} $。
注:本方案与GHV10[3]相比较,对于任意的$c = c(n) > 0$,仅要求$ q > 6{n^{2c + 6}} $为素数,而GHV10要求$q > {2^{20}}{(c + 4)^3}{n^{3c + 4}}{\rm{lo}}{{\rm{g}}^5}n$为素数。这意味着如果q的范围扩大,则能支持比$c = c(n) > 0$更大的运算。
-
本节首先介绍密钥同态,然后构造门限加密方案,最后证明该方案能抵抗密钥泄露攻击。
-
假设密钥, 选取$\mathit{\boldsymbol{A}}\leftarrow \mathbb{Z}_{q}^{m\times n}$, ${{\mathit{\boldsymbol{X}}}_{i}}\leftarrow {{\chi }^{n\times n}}$,令:
$${{\mathit{\boldsymbol{B}}}_{i}}={{[{{\mathit{\boldsymbol{S}}}_{i}}\mathit{\boldsymbol{A}}+2{{\mathit{\boldsymbol{X}}}_{i}}]}_{q}}\in \mathbb{Z}_{q}^{n\times n}$$ 那么,$i = 1, 2$。因为:
$$\begin{array}{c} \left( {\begin{array}{*{20}{c}} {{\mathit{\boldsymbol{B}}_1} + {\mathit{\boldsymbol{B}}_2}}\\ { - \mathit{\boldsymbol{A}}} \end{array}} \right) = \left( {\begin{array}{*{20}{c}} {({\mathit{\boldsymbol{S}}_1} + {\mathit{\boldsymbol{S}}_2})\mathit{\boldsymbol{A}} + 2({\mathit{\boldsymbol{X}}_1} + {\mathit{\boldsymbol{X}}_2})}\\ { - \mathit{\boldsymbol{A}}} \end{array}} \right) = \\ {\rm{E}}{\rm{.PublicKeygen}}({\mathit{\boldsymbol{S}}_1} + {\mathit{\boldsymbol{S}}_2}) \end{array}$$ 所以得到了对应于结合密钥的结合公钥,这就是密钥同态。
-
类似于文献[8],本文也假设存在一个可信第三方F,F计算结合公钥、密钥,然后把计算后的结果发送给各个参与者(假设共k个参与者),并同时保证密钥的安全性。为了保证语义安全,本文同样加入了干扰噪音。
密钥生成算法TE.SecretKeygen(1n):取${{\mathit{\boldsymbol{S}}}_{i}}\leftarrow \mathbb{Z}_{q}^{n\times m}$,输出, $ i\in [k] $。
公钥生成算法TE.PublicKeygen(S):取$\mathit{\boldsymbol{A}}\leftarrow \mathbb{Z}_{q}^{m\times n}$,${{\mathit{\boldsymbol{X}}}_{i}}\leftarrow {{\chi }^{n\times n}}$,计算${{\mathit{\boldsymbol{B}}}_{i}}={{[{{\mathit{\boldsymbol{S}}}_{i}}\mathit{\boldsymbol{A}}+2{{\mathit{\boldsymbol{X}}}_{i}}]}_{q}}$,输出,$ i\in [k] $。
当F从k个参与者中接收到$ {\rm{p}}{{\rm{k}}_i} $后诚实地计算$\mathit{\boldsymbol{B}} = \sum\limits_{i = 1}^k {{\mathit{\boldsymbol{B}}_i}} $。故结合公钥为:。
加密算法TE.Enc(pk,M):对于明文$\mathit{\boldsymbol{M}} \in {\{ 0, 1\} ^{n \times n}}$及公钥,均匀取$\mathit{\boldsymbol{R}} \in {\{ 0, 1\} ^{n \times n}}$及干扰噪音${\mathit{\boldsymbol{X}}^*}$,输出密文。
解密算法TE.Dec(sk, C):各参与者把解密共享发送给F,F诚实地计算。并输出明文M。
正确性可由以下运算得出。
$$\begin{array}{c} {\left[{\sum\limits_{i = 1}^k {\left( {\begin{array}{*{20}{c}} {{\mathit{\boldsymbol{I}}_n}}&{{\mathit{\boldsymbol{S}}_i}}\\ {\bf{0}}&{\bf{0}} \end{array}} \right)\mathit{\boldsymbol{C}}{{\left( {\begin{array}{*{20}{c}} {{\mathit{\boldsymbol{I}}_n}}&{{\mathit{\boldsymbol{S}}_i}}\\ {\bf{0}}&{\bf{0}} \end{array}} \right)}^{\rm{T}}}} } \right]_q}\bmod 2 = \\ {\left[{\left( {\begin{array}{*{20}{c}} {\mathit{\boldsymbol{BR}} + \mathit{\boldsymbol{M}} + 2{\mathit{\boldsymbol{X}}^*}-\sum\limits_{i = 1}^k {{\mathit{\boldsymbol{S}}_i}\mathit{\boldsymbol{AR}}} }&{\bf{0}}\\ {\bf{0}}&{\bf{0}} \end{array}} \right)} \right]_q}\bmod 2 = \\ {\left[{\left( {\begin{array}{*{20}{c}} {\mathit{\boldsymbol{M}} + 2\left( {{\mathit{\boldsymbol{X}}^*} + \sum\limits_{i = 1}^k {{\mathit{\boldsymbol{X}}_i}\mathit{\boldsymbol{R}}} } \right)}&{\bf{0}}\\ {\bf{0}}&{\bf{0}} \end{array}} \right)} \right]_q}\bmod 2 \end{array}$$ -
可以仿照文献[8]的游戏来证明结合密钥的安全性,即攻击者不能以显著优势区分在诚实公钥下的加密密文与均匀选取的假密文,证明省略。
A BGN-Type Encryption from LWE with a Threshold Encryption Scheme
-
摘要: BGN加密方案是指允许密文任意次加法和一次乘法运算的加密方案,并且在密文的运算中,密文的规模没有增长。BGV12加密方案是基于(G)LWE的全同态加密方案,为了实现乘法同态,需要用到密钥交换、模转换等技术。该文在BGV12基础上构造了一种BGN加密方案。虽然只能支持密文的一次乘法运算,但不需要其他技术的支持,因而更快捷。与GVH10加密方案相比,有更好的参数规模。此外,将BGN加密方案扩展成一种门限加密方案,该门限加密方案同样允许所有参与者共同解密一个密文而没有泄露明文的任何信息,并且能抵抗密钥泄露攻击。Abstract: The BGN (Boneh-Goh-Nissim) cryptosystem is a cryptosystem that permits arbitrary number of additions and one multiplication of ciphertext without growing the size of ciphertext. The scheme of BGV12 is a fully homomorphic encryption from (G)LWE which needs key switching, modulus switching and other technologies for the multiplicative homomorphism. This paper describes a BGN scheme based on BGV12. Although our constructed scheme only permits one multiplication, it does not need other technologies, so it is more efficient. Comparing with the scheme of GVH10, our scheme has better size of parameter. In addition, we extend our scheme to a threshold encryption scheme, which allows parties to cooperatively decrypt a ciphertext without learning anything but the plaintext, and can be protected from related-key attacks.
-
[1] 王小云, 刘明洁.格密码学研究[J].密码学报, 2014, 1(1):13-27. http://www.docin.com/p-797578273.html WANG Xiao-yun, LIU Ming-jie. Survey of lattice-based cryptography[J]. Journal of Cryptologic Research, 2014, 1(1):13-27. http://www.docin.com/p-797578273.html [2] BONEH D, GOHE J, NISSIM K. Evaluating 2-DNF formulas on ciphertexts[C]//Proceedings of Second Theory of Cryptography Conference, TCC 2005. Cambridge, MA, USA: Springer, 2005: 325-341. http://www.springerlink.com/content/wtt5caxkr94laxkg [3] GENTRY C, HALEVI S, VAIKUNTANATHAN V. A simple bgn-type cryptosystem from LWE[C]//Proceedings of Advances in Cryptology-EUROCRYPT 2010. Riviera, French: Springer, 2010: 506-522. [4] MICCIANCIO D, PEIKERT C. Trapdoors for lattices: Simpler, tighter, faster, smaller[C]//Proceedings of Advances in Cryptology-EUROCRYPT 2012. Cambridge, UK: Springer, 2012: 700-718. http://dx.doi.org/doi:10.1007/978-3-642-29011-4_41 [5] ZHANG Wei. A BGN-type multiuser homomorphic encryption scheme[C]//Proceedings of 2015 International Conference on Intelligent Networking and Collaborative Systems. Taipei, Taiwan, China: IEEE, 2005: 268-271. http://ieeexplore.ieee.org/document/7312083/ [6] BRAKERSHI Z, GENTRY C, VAIKUNTANATHAN V. (Leveled) fully homomorphic ncryption without bootstrapping[C]//Proceedings of the 3rd Innovations in Theoretical Computer Science Conference. Cambridge, Massachusetts: ACM. 2012: 309-325. [7] HIROMASA R, ABE M, OKAMATO T. Packing messages and optimizing bootstrapping in GSW-FHE[C]//Proceedings of Public-Key Cryptography-PKC 2015. Gaithersburg, MD, USA: Springer, 2015: 699-715. doi: 10.1007/978-3-662-46447-2_31 [8] ZHANG Xiao-jun, XU Chun-xiang, JIN Chun-hua, et al. Efficient fully homomorphic encryption from RLWE with an extension to a threshold encryption scheme[J]. Future Generation Computer Systems, 2014(36):180-186. https://www.sciencedirect.com/science/article/pii/S0167739X13002422 [9] REGEV O. On lattices, learning with errors, random linear codes, and cryptography[C]//Proceedings of the ThirtySeventh Annual ACM Symposium on Theory of Computing. Baltimore, MD, USA: ACM, 2005: 84-93. http://dl.acm.org/citation.cfm?id=1060603 [10] PEIKERT C. Public-key cryptosystems from the worst-case shortest vector problem[C]//Proceedings of the 41st Annual ACM Symposium on Theory of Computing. New York: ACM, 2009: 333-342. [11] BRAKERSKI Z, LANGLOIS A, PEIKERT C, et al. Classical hardness of learning with errors[C]//Proceedings of the 45th Annual ACM Symposium on Symposium on Theory of Computing. New York: ACM, 2013: 575-584. http://dl.acm.org/citation.cfm?id=2488680&CFID=686169129&CFTOKEN=32716639 [12] GENTRY C, SAHAIY A, WATERS B. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based[C]//Proceedings of Advances in Cryptology-CRYPTO 2013. Santa Barbara, CA, USA: Springer, 2013: 75-92. doi: 10.1007/978-3-642-40041-4_5
计量
- 文章访问数: 5800
- HTML全文浏览量: 1991
- PDF下载量: 147
- 被引次数: 0