Content uploaded by Khaled Elleithy

Author content

All content in this area was uploaded by Khaled Elleithy on Oct 05, 2017

Content may be subject to copyright.

Approaching Secure Protocol from Quantum

Perspective

,Abdalraouf Hassan, Wesam Batrafi, and Khaled Elleithy

Department of Computer Science Engineering

University of Bridgeport

Bridgeport, CT, 06604, USA

(abdalrah, wbatarfi)@my.bridgeport.edu, elleithy@bridgeport.edu

Abstract— The aim of quantum cryptography is to overcome

the everlasting problem of unrestricted security in private

communication. The usage of the quantum principles protects

the privacy of the user’s data during the time it is in the

transmission process through the telecommunication channels.

The sophisticated algorithm we have developed will make the

data meaningless to eavesdroppers. The security of modern

cryptographic systems has been accomplished by using a long

key that will require many years to launch a brute force attack.

Therefore, we designed an efficient algorithm that was developed

based on BB84 and B92 techniques. In this paper, we utilized the

classic features of quantum mechanism, such as superposition

and the uncertainty principle. We present the underlining

mechanisms of quantum cryptography that enhances the security

of data transmission in three stages with valid results that

promise a low error rate that leads to a strong consistent key by

raising the constraint of the security concept.

Keywords— Quantum, Cryptography, Security, BB84, B92.

I. I

NTRODUCTION

The revolution of Quantum mechanism occurred early in

the 20th century. Therefore, every time we use electronics

devices or transmit and receive information unconsciously, we

utilize our knowledge of the nature of quantum. Yet, in

information, technology there is still enough room for

developing quantum properties [1]. During the early 80,

scientists have acknowledged quantum aspects as a supply for

identifying with protocols banned by traditional laws of

physics. Furthermore, in modern computers, the increase in

performances goes hand in hand with decrease in size.

Consequently, more rapidly, a single transistor will be so

modest that it will be essential to account for quantum effects

to understand fully and to predict decisively its behavior [2].

The theory of quantum cryptography was developed in

1984 (BB84) by Charles H. Bennett and Gilles Brassard as part

of a research study between physics and information at IBM. It

was known at that time as quantum distribution scheme [1].

The fundamental concept of the quantum system relies on

the distribution of single particles or photons and the value of a

classical bit encodes by the polarization of a photon [2].

Actually, the quantum cryptography is based on two important

elements of quantum mechanics: The Heisenberg Uncertainty

principle and the principle of photon polarization. Based on

physical law, a photon is an elementary particle of light

carrying a fixed amount of energy, light may be polarized;

polarization is a physical property that comes forward when

light is observed as an electromagnetic wave [3]. The direction

of a photon’s polarization can be fixed to any desired angle

(using a polarizing filter) and can be measured using a calcite

crystal.

II. P

ROBLEM IDENTIFICATION

While genuine algorithms have fulfilled the markets for a

practical secure system, the search for a provable secure

algorithm is still searched by scientists. Furthermore, security

of RSA, the mainly used crypto protocol today, resides on the

not disproven fact that no efficient factorization algorithm that

is able to break it in logical times is known.

We now know that if quantum computers will be ever

available, RSA could be broken by Shor’s quantum Algorithm

[4] a quantum computer could factorize large numbers in a

very efficient manner exploiting entangled states. The open

traditional problem was essentially the key distribution

process. Identical shared keys will be given to Alice and Bob

by QC protocol. Then to categorize the approximate

communication error level, the two parties have to compare

their strings [5]. The third party Eve interceptions could be the

reasons for the error, channel flaws (as losses) and detectors’

inefficiencies and/or dark counts, to make it more difficult to

differentiate among these types of errors is physically

impossible. For that reason, we assume all the errors are due to

eavesdropping. QC tries to answer the following question: Is it

actually possible to produce and distribute a sequence of truly

strings random numbers of bits to form a shared trusted key in

a provably secure way?

III. RELATED

WORK

The Heisenberg Uncertainty principle states that, it is not

possible to measure the quantum state of any system without

disturbing that system. This means that polarization of a

photon or light particle can only be known at the point when it

is measured [9]. This principle plays an important role in

preventing the attempts of eavesdroppers in a cryptosystem

based on quantum cryptography [6].

Secondly, the photon polarization principle explains how

light photons can be polarized in a specific direction. In

addition, an eavesdropper cannot copy unknown qubits i.e.

unknown quantum states, due to the no-cloning theorem which

was first presented by [8] in 1982. The quantum cryptography

allows a bit string to be agreed between two communications

parties without having two parties to meet face to face, and yet

these two parties can be sure with a high confidence that the

agreed bit string is exclusively shared between them.

A. One Time Pad

In cryptography, a one-time pad (OTP) is an encryption

technique that cannot be broken if used correctly [10]. In this

technique, a plaintext is paired with a random, secret key (or

pad). Then, each bit or character of the plaintext is encrypted

by combining it with the corresponding bit or character from

the pad using modular addition [4]. If the key is truly random

and at least as long as the plaintext and never reused in whole

or in part and kept completely secret, the resulting cipher text

will be impossible to decrypt or break [7]. It has also been

proven that any cipher with the perfect secrecy property must

use keys with effectively the same requirements as OTP keys.

However, practical problems have prevented one-time pads

from being widely used.

Despite Shannon's proof of its security, the one-time pad

has serious weakness in practice; it requires perfectly

unpredictable random one-time pad numbers, which is a non-

trivial software requirement [5].

Secure generation and exchange of the one-time pad

material must be at least as long as the message [9]. The

security of the one-time pad is only as secure as the security of

the one-time pad key-exchange. Careful treatment must make

sure that it continues to remain secret from any adversary

Key distribution is needed bcause the pad, like all shared

secrets, must be passed and kept secure, and the pad has to be

at least as long as the message, once a very long pad has been

securely sent (e.g., a computer disk full of random data), it can

be used for numerous future messages until the sum of their

sizes equals the size of the pad [12]. Quantum key distribution

also proposes a solution to this problem.

Distributing very long one-time pad keys [11] is inconvenient

and usually poses a significant security risk. The pad is

essentially the encryption key but unlike keys for modern

ciphers, it must be extremely long and is much too difficult for

humans to remember [8]. Storage media such as thumb drives,

DVD-Rs, or personal digital audio players can be used to carry

a very large one-time-pad from place to place in a non-

suspicious way, but even so the need to transport the pad

physically is a burden compared to the key negotiation

protocols of a modern public-key cryptosystem. Finally, the

effort needed to manage one-time pad key material scales very

badly for large networks of communicants [7].

The number of pads required increase as the square of the

number of user’s increase freely exchanging messages. For

communication between only two persons or a star network

topology, this is less of a problem [14].

The key material must be securely disposed of after use to

ensure that key material is never reused and to protect the

messages sent. Because the key material must be transported

from one endpoint to another and persist until the message is

sent or received, it can be more vulnerable to forensic

recovery than the transient plaintext it protects [13].

IV. C

RYPTOGRAPHY

Cryptography came to use thousands of years ago, and

since then, it has been constantly developing along with

human civilization [11]. The significantly influenced

human society and some time even the course of history.

Today cryptography has become important technology in

the internet society that each individual relies on [9].

One typical example is the RSA [7] crypto scheme; it is

often used in online shopping: The net shop prepares a

public key containing the product (N) of p and q prime

numbers. A net shop published this product (N) for its

customers and keeps the values of p and q secret [8].

The costumers encrypted their credit card information

with the purchase information with public key and sent

the encrypted data to the net shop; the net shop derives

the private key from the two primes by simple calculation

to decrypt this data [10]. Let us assume the malicious

hacker knows the public key but has no idea of the private

key. For decryption, the hacker needs to factorize (n) to

find the prime p and q. The factorization of this prime

numbers is a time consuming task when (n) is large [8].

In the end of the last century, it was said even the most

powerful computer would take thousands of years to

factorize 200 digit numbers [12]. Since then rapid

progress has been made in both software and hardware.

In December 2009, an international team of researchers

succeeded in cracking 786-bit RSA key in only two years

using a novel encryption algorithm and cluster of personal

computers [15]. If military intelligence had a method of

breaking longer keys, it would never announce this fact.

For this reason, RSA scheme today employs a public key

with at least 1024-bit key.

In recent years, the fiber tapping device [13] became

available in the market, making it easy for hacker to tap

signal for a fiber. It has been actually reported that fiber

networks in some U.S. investment firms and Frankfort

airport were intercepted in the past. Therefore, encryption

is necessary to guarantee safe transmission to sensitive

data.

A. BB84

The first QKD protocol was introduced in 1984 [6], labeled

as BB84. It used two polarization bases, rectilinear (R) basis

and diagonal (D) basis, and the single photon that may be

polarized with four states: |h›, |v› |lcp›, and |rcp›. Polarization

state |h› (|v›) in R-basis reveals “0” (“1”) and polarization

state |lcp› (|rcp›) in D-basis reveals “0” (“1”). The italic letters

h mean horizontal, v vertical, lcp left circle polarized, and rcp

right circle polarizes [10].

Alice and Bob would like to send an encrypted message to

each other so their message securely can be made private [12].

To do this, they need a cryptographic key that is only known

to them that they will use to encrypt their message [15]. In

addition, there is Eve; she tries to intercept their message,

BB84 will allow them to come up with secret key both can use

and trust.

To follow the BB84 protocol, Alice and Bob need to use two

communication channels [11], classical channel and quantum

channel. The classical channel allows them to send individual

bits of information back and forth. As the bits travel among

the classical channel, it is possible for Eve to intercept them.

Eve can observe the bits and send a copy of them to their

regular destination. When communicating through a classical

channel, Alice and bob have no way to detect Eve.

The quantum channel [8] behaves differently. Instead of

transferring bit, it transfers qubits. The qubits represent bit,

and either of two processes can generate them. Let us call

them (A) and (B). The BB84 takes advantage of some

properties of qubits. Qubits cannot be copied and it is not

possible to determine whether if qubits were generated by

process (A) or (B). When qubits represent zero in machine

(A), it will produce a zero and when qubits represent one, the

machine will produce one [10]. In both cases the qubits will be

destroyed in the process, on the other hand, if machine (A) is

fed with qubits that were produced by machine (B), the output

will be randomly half the time is zero and half the time is one,

and the qubits is still be destroyed [9]. Likewise, a special

machine exists to observe qubits produced by process (B). Let

us call it machine (B). When it gives qubits produced by

process (B), a machine (B) will out put the correct bit, but

when is fed a qubits produced by process (A), machine (B)

output will be random and just as machine (A) qubits will be

destroyed. Therefore, when Bob receives a qubit over the

quantum channel, he will not know which machine to use to

observe it. He will decide by a coin toss [5]. Half the time he

will feed qubits to machine (A) and half the time, he will feed

it to machine (B) [9].

The protocol began [11] when Alice sent Bob a very large

number of qubits over the quantum channel. Bob recorded all

the output he received as he fed the qubits randomly to his

qubits measuring machine. He will pick the right machine half

the time; an average 50 percent of his measuring will be

correct for the remaining qubits. He will still end up half the

time just by chance. This means 75% of Bob measurement

will be correct [5].

However, if Eve intercepted [9] the qubits before they

reach Bob, she will also need to make random guesses as to

which machine to use. Thus because Eve intercepted half of

the qubits, therefore half of the qubits she will send to Bob.

Half has been generated correctly and half of them incorrectly

[5]. This means only 75% of the qubits that will reach Bob

will represent what Alice intended [9]. Now when Bob

receives the qubits, he will have to make random guesses. This

will give Bob a new accuracy of 62.5%. Bob however does

not know that yet, so he and Alice will have to communicate

some information to each other to work out what accuracy

Bob is getting. Once Bob finished measuring all the qubits he

received, he will open the classical channel and send Alice a

stream of bits that indicates to her which machines he used to

measure each of her qubits. Once she received that message

from Bob, she will review the personal record and send to Bob

telling him which of the qubits he ended up measuring

correctly [11]. Now Bob can throw away the wrong qubits and

Alice can do the same. Now they are in possession of a string

of bits that is only known to them and no one else.

If the observation accuracy [10] is below 100%, they will

know Eve intercepted some of their Qubits and the

communication is not secure. Proved that Eve was attempting

to confound their effort, they should now be in possession of

string of bits that is known only to them. They have very large

sequence of bits so they can afford to sacrifice a random

subset of them in order to determine whether Eve was

listening to them over the classical channel [7]. They need to

choose a subset of bits and compare them, and if they are

satisfied they are secure, then they can use the reaming bit to

form a secret cryptographic key. If they observe an accuracy

of 100 %, they can be reasonably confident that their share

key is secure. Now they can use them to encrypt further

communications, using this protocol allow Alice and Bob to

generate a cryptographic key and they can determine whether

secrecy has been compromised or not.

Table 1.A 8-bit sample of Alice (A) and Bob (B) for BB84

Sequence of

bits 1 2 3 4 5 6 7 8

A’s bit 1 0 1 0 0 1 0 0

A’s source

basis D R R D R D D D

A’s

polarization |rc

p›

|h› |v› |lcp› |h› |rcp› |lcp› |lcp›

B’s detector

basis D D D R R D R D

B’s

measuremen

t

|rc

p›

|rc

p›

|lcp› |v› |h› |rcp› |h› |lcp›

B’s bit 1 1 0 1 0 1 0 0

A’s response Y N N N Y Y N Y

Shared

secret key 1 _ _ _ 0 1 _ 0

B. Protocol B92

In the B92 protocol [4], two states can be regarded as

“half” of the BB84 protocol. Alice and Bob first have to agree

that Alice uses |h›-photon and |rcp›-photon to represent “0”

and “1”. Bob uses |lcp›-basis and |v›-basis as “0” and “1”.

Table 1 and Table 2 show BB84 and B92 in detail.

Based on B92 only two states are more important than the

possible four polarization states in BB84 protocol [16], and

this is the main difference in B92. “0” can be encoded as “0”

degree in the (R) rectilinear basis and “1” can be encoded by

“45” degrees in the diagonal basis (D). Just like the BB84,

Alice transmits to Bob a random string of photons encoded

with randomly chosen bits, however now, Alice dictates which

bases she must use [1]. Bob still randomly chooses a basis by

which to measure, but if he chooses the wrong basis, he will

not measure anything (a condition in quantum mechanics that

is known as an erasure). Bob can simply tell Alice after each

bit she sends whether or not he measured it correctly.

Table 2.A 8-bit sample of Alice (A) and Bob (B) for B92

Sequence of

bits

1 2 3 4 5 6 7 8

Alice’s bit 1 1 0 0 1 0 0 1

A’s

polarization

|rcp› |rcp› |h› |h› |rcp› |h› |h› |rcp›

B’s detector |lcp› |v› |v› |v› |lcp› |lcp› |v› |lcp›

Bob’s bit 0 1 1 1 0 0 1 0

Bob

measurement

N Y N N N Y N N

Shared secret

key

_ 1 _ _ _ 0 _ _

In Table 2, only two bits are shared by Alice and Bob (2, 6)

as the secret key, the efficiency is 2/8= 25%.

For protocol B92 [4, 17, 18], the ideal efficiency is 25%. To

analyze the +efficiency properly we tested the research and

compiled the data shown in Figure 2. Assume that Alice sent

|h›-photon, i.e., “0” (Figure 2(a)). Bob will choose randomly

|lcp› -basis or |v›-basis. If Bob selects the wrong basis, i.e., |v›-

basis, he cannot detect the photon. If Bob selects the correct

basis, i.e., |lcp›-basis, he has 50% probability to detect the

photon; however, even if he chooses the correct basis, he still

has the probability of 50%. Finally, Bob will have idealized

maximum efficiency of 25% to share the correct bits [16, 17,

18].

V. P

ROPOSAL

A

LGORITHM TO

I

MPROVE SECURITY

In this protocol, we introduced the three stages process. The

first stage convention is similar to the BB84 protocol. Alice

will choose random strings bits through the four bases

according to the BB84 protocol and send them to Bob through

Quantum channel. Bits “0” can be encoded as |v› state in (R)

basis and as |lcp› degrees in the (D) basis and bits “1” can be

encoded as |v› state in (R) and |rcp› (D) basis [11].

A. In the first stage Bob will make his guess and use random

basis to measure Alice’s Qubits; then Bob will open a

classical channel to communicate with Alice and announce

what basis he used to measure his bits. Alice will compare

their bases and find out which is the wrong measurement

and then discard the wrong basis from the strings that she

received from Bob, and she will save what resulted from

this process.

a) In the second stage Alice will repeat the first step

again and generate another random sequence of

photon using the same polarization basis from stage

one and send it to Bob through quantum channel.

b) Bob will detect each photon that is represented in the

binary sequence using random basis from |lcp›, |rcp›-

basis or |h›, |v›-basis to measure Alice string.

c) Alice and Bob will share the results of Bob’s

measurement through classical channel. Alice will

analyze Bob’s result and proceed to the final stage.

d) Alice compares both Bob’s result with her string, and

discards the correct matched Bob’s result from his

measurement.

e) Finally, Alice will combine the first stage result and

second stage result string together to generate the

final shared secret key. It will be a strong

sophisticated key that will provide more security and

reliability to their information transaction.

These key will be developed from the result of deriving the

two keys represented as one strong Encryption key, so both

user can use now to transmit their data safely.

First stage for producing the key works exactly according to

BB84 protocol

Table 3.A 8-bit sample of Alice (A) and Bob (b) 1st stage

Sequence of

bits

1 2 3 4 5 6 7 8

A’s bit 1 0 1 1 0 1 0 1

A’s basis D D R D R D R R

A’s

polarization

|rcp› |lcp› |v› |rcp› |h› |rcp› |h› |v›

B’s detector R D R R R D D D

B’s

measurement

|h› |lcp› |v› |h› |h› |rcp› |rcp› |lcp›

Bob’s bit 0 0 1 0 0 1 1 0

Bob reports

basis

R D R R R D D D

A’s response N Y Y N Y Y N N

1

st

shared

secret key

_ 0 1 _ 0 1 _ _

B. The Second stage for producing the secret key

Alice will generate another random string through the

quantum channel to Bob. Bob will measure the string

randomly and compare his measured bits through classic

channel with Alice. Alice here will discard the correct basis

that is matched Bob’s measurement from her string.

C. The Third stage Alice will compare both keys from first

and second stage together and combine them as one strong

secret key that will be used to transfer data between both

parties through the classic channel.

Table 3.B 8-bit sample of Alice (A) and Bob (b) 2

nd

stage

Sequence of

bits

1 2 3 4 5 6 7 8

A’s bit 0 0 1 0 1 1 1 0

A’s basis D R D R R R R D

A’s

polarization

|lcp› |h› |rcp› |h› |v› |v› |v› |lcp›

B’s detector D R D R R D R D

B’s

measurement

|lcp› |v› |lcp› |h› |v› |rcp› |h› |lcp›

Bob’s bit 0 1 0 0 1 1 0 0

Bob reports D R D R R D R D

A’s response N Y Y N N Y Y N

2

nd

Shared

secret key

_ 1 0 _ _ 1 1 _

Final stage to combine 1

st

and 2

nd

secret key to finalized the

shared secret key.

Table 3.C 8-bit sample of Alice (A) and Bob (b) final stage

1

st

key 0 _ 1 0 1 _ _ _ _

2

nd

key _ 1 0 _ _ 1 _ 1 _

Final

Shared

Secret

key

0

1

0

1

0

1

1

1

_

VI.

ANALYSIS

In figure 3.A, if Bob chooses the correct basis, he will detect

the correct polarized photon. However, if Bob chooses the

wrong basis, he knows that his result is inconclusive.

Therefore, the idealized maximum efficiency is 50% for

BB84. It also shows that Alice used R-basis sending |h›-

photon and |v›-photon. In B92, the efficiencies are 25% and

for BB84 its 50% and this is the price that two QKD protocol

must pay for secrecy. Here we proposed two-way transmission

over the quantum channel (Alice →Bob and Alice→ Bob)

instead of one-way transmission. Our enhanced QKD protocol

has three stages. In the first stage, Alice sends random

sequence of photon according to BB84; in the second stage

Alice will use a modified version of BB84 to send another

large sequence of photon, and in the final stage Alice will

generate a cryptography key that resulted from previous

stages.

Our enhanced protocol enhances the efficiency to 43.8%

with the average complexity order 2.76 when using BB84 in

the first stage. In addition, when using the modified version in

the second stage the idealized maximum efficiency can reach

28.9% with average complexity of 2.4.

VII. C

ONCLUSION

Quantum cryptography is a fascinating illustration because of

the uncertainty principle imposes restrictions on the capacity

of certain types of communication channels. It is not possible

for hackers to determine whether the qubits were generated by

R-basis or D-basis. Furthermore, transmitting the qubits

through the quantum channel, it leads to developing a strong

cryptographic key. However, in our proposed protocol, we

take advantage of the properties of quantum qubits twice to

generate a secret key that can be generated without any

interference from an eavesdropper. Therefore, we developed a

strong reliable key by adding more security demands without

worrying about any guesses from an intruder who might be

present. Even if the guess of the attacker in the first case was

25%, we have decreased the error rate to 15% to 18%. This is

because of` the principles of quantum mechanics that ensures

that no eavesdropper can successfully measure the quantum

state while it is being transmitted without disturbing the state

in some detectable way. Using this protocol allows Alice and

Bob to generate a secure cryptographic key, and then they can

determine whether their secrecy has been compromised.

R

EFERENCES

[1] Shor, Peter W. "Algorithms for quantum computation: discrete

logarithms and factoring." Foundations of Computer Science, 1994

Proceedings., 35th Annual Symposium on. IEEE, 1994.

[2] Porzio, Alberto. "Quantum cryptography: Approaching

communication security from a quantum perspective." Photonics

Technologies, 2014 Fotonica AEIT Italian Conference on. IEEE,

2014.

[3] Brief histories of crypto techniques and machinerie

http://en.wikipedia. org/wikilHistory _ oC cryptography ;

[4] P. W. Shor, "Algorithms for quantum computation: discrete

logarithms and factoring" in Proceedings of the 35th Annual

Symposium on Foundations of Computer Science (ed.

Goldwasser, S. ) pp. 124-134 (IEEE Computer Society Press,

1994), see also SIAM J. Com put. 26:1484 (1997);

[5] Carl W. Helstrom, "Quantum Detection and Estimation Theory",

(Academic Press Inc., New York, 1976, ISBN 0123400503); J.

A. Wheeler and W. H. Zurek, "Quantum Theory and

Measurement", (Princeton Univ. Press, Princeton,1984, ISBN

0691083169);

[6] W. K. Wootters, e W. H. Zurek, "A single quantum cannot be

cloned", Nature, vol. 299, pp. 802-803, Oct 1982;

[7] Kitaev, Alexei Yu, Alexander Shen, and Mikhail N. Vyalyi. Classical

and quantum computation. Vol. 47. Providence: American

Mathematical Society, 2002.

[8] Trojek, Pavel, et al. "Compact source of polarization-entangled

photon pairs." Optics express 12.2 (2004): 276-281.

[9] Li, Xiaoyu. "A quantum key distribution protocol without classical

communications." arXiv preprint quant-ph/0209050 (2002).

[10] Kuhn, D. Richard. "Vulnerabilities in Quantum Key Distribution

Protocols." arXiv preprint quant-ph/0305076 (2003).

[11] C.H. Bennett and G. Brassard, "Quantum Cryptography: Public

Key Distribution and Coin Tossing", Proceedings of IEEE

International Conference on Computers Systems and Signal

Processing, Bangalore India, December 1984, pp.175-179 (1984);

[12] F. Grosshans and P. Grangier, "Continuous Variable Quantum

Cryptography Using Coherent States", Phys. Rev. Lett., vol.

88,n. 5, pp. (057902) 1-4, Jan 2002;

[13] G Nocerino, D Buono, A Porzio and S Solimeno, "Survival of

continuous variable entanglement over long distances", Phys.

Scr., vol. TI53, pp. (014049)1-6, Mar. 2013;

[14] C. H. Bennett, D. P. DiVincenzo, J. A. SmolinandW. K.Wootters,

“Mixed state entanglement and quantum error correction,”Phys. Rev.

A54, 3824–3851(1996), arXive e-print quant-ph/9604024.

[15] N.J. Cerf, S. lblisdir, and G. Van Assche, "Cloning and

cryptography with quantum continuous variables", Eur. Phys. J. D,

vol. 18, n. 2, pp. 211-218, Feb. 2002;

[16] T. C. Ralph, "Continuous variable quantum cryptography", Phys.

Rev. A, vol. 61, n. I, pp. (010303)1-4, Jan 1999;

[17] Kartalopoulos, Stamatios V. "Identifying vulnerabilities of quantum

cryptography in secure optical data transport." Military

Communications Conference, 2005. MILCOM 2005. IEEE. IEEE,

2005.

[18] Gisin, Nicolas, et al. "Quantum cryptography." Reviews of modern

physics 74.1 (2002): 145.