En Zhang , Xintao Duan , Siuming Yiu, Junbin Fang, Zoe L. Jiang , Tsz HonYuen and Jie Peng

Abstract: In the setting of (t, n) threshold secret sharing, at least t parties can reconstruct the secret, and fewer than t parties learn nothing about the secret. However, to achieve fairness, the existing secret sharing schemes either assume a trusted party exists or require running multi-round, which is not practical in a real application. In addition, the cost of verification grows dramatically with the number of participants and the communication complexity is O(t), if there is not a trusted combiner in the reconstruction phase. In this work, we propose a fair server-aided multi-secret sharing scheme for weak computational devices. The malicious behavior of clients or server providers in the scheme can be verified, and the server provider learns nothing about the secret shadows and the secrets. Unlike other secret sharing schemes, our scheme does not require interaction among users and can work in asynchronous mode, which is suitable for mobile networks or cloud computing environments since weak computational mobile devices are not always online. Moreover, in the scheme, the secret shadow is reusable,and expensive computation such as reconstruction computation and homomorphic verification computation can be outsourced to the server provider, and the users only require a small amount of computation.

Keywords: Secret sharing, server-aided, non-interactive, fairness.

1 Introduction

Secret sharing schemes are important building blocks in modern cryptography and have wide applications in access control, electronic voting, attribute-based encryption, secure multiparty computation, etc. In 1979, Shamir [Shamir (1979)] and Blakely [Blakely(1979)] independently proposed the (t,n)threshold secret sharing scheme. A (t,n)secret sharing scheme involves a dealer and a set of participants. It allows the dealer to distribute shares of a secret among participants. Any group oftor more participants can recover the secret, however, any group of size less thantcannot obtain any information about the secret. Later, a series of secret sharing schemes were proposed.

The work of Chor et al. [Chor, Goldwasser, Micali et al. (1985)] first proposed the verifiable secret sharing (VSS) scheme to achieve security against cheaters. The works of[Feldman (1987); Pedersen (1991)] respectively proposed a VSS scheme based on homomorphic commitments. Recently, Cafaro et al. [Cafaro and Pelle (2015)] introduced a new computational problem (i.e. the Exponentiating Polynomial Root Problem) and proposed a space-efficient VSS scheme. Mohamed [Mohamed (2017)] proposed hierarchical threshold secret sharing scheme for color images. Mashhadi [Mashhadi (2017)] proposed a secure publicly verifiable and proactive secret sharing scheme with a general access structure. Miao et al. [Miao, Yan, Wang et al. (2015)] introduced the notion of randomized component (RC) and proposed a (t,m,n)-group oriented secret sharing. In their scheme,oncem(m≥t) players form a tightly coupled group by generating RCs, the secret can be constructed only if allmRCs are correct. Cramer et al. [Cramer, Damg?rd, D?ttling et al.(2015)] presented a novel method for constructing secret sharing schemes from linear error correcting codes and linear universal hash functions. The work of Komargodski et al.[Komargodski and Zhandry (2016)] constructed two very natural extensions of secret sharing. The first one is called distributed secret sharing, and the second one is called functional secret sharing. Liu et al. [Liu, Ma, Wei et al. (2016)] proposed a multi-group dynamic quantum secret sharing scheme.

To share multiple secrets, a series of works [Pang and Wang (2005); Zhang and Cai(2013); Mashhadi and Dehkordi (2015); Shivani (2017); Deng, Wen and Shi (2017); Liu,Zhang and Zhang (2016); Pilaram and Eghlidos (2017)] have explored protocols for a multi-secret sharing scheme. Pang et al. [Pang and Wang (2005)] proposed a new multisecret sharing scheme based on Shamir’s secret sharing. Zhang et al. [Zhang and Cai(2013)] proposed a rational multi-secret sharing scheme in standard point-to-point communication networks. Mashhadi et al. [Mashhadi and Dehkordi (2015)] proposed two verifiable multi-secret schemes based on a linear feedback shift register public key and new nonhomogeneous linear recursions. Recently, Shivani [Shivani (2017)] proposed a multi secret sharing scheme with unexpanded meaningful shares. Deng et al. [Deng, Wen and Shi (2017)] proposed a threshold multi-secret sharing scheme based on phaseshifting interferometry. Liu et al. [Liu, Zhang and Zhang (2016)] analyzed the security of several verifiable multi-secret sharing schemes and showed that these schemes are vulnerable to attack. Next, they presented two improved verifiable multi-secret sharing schemes. Pilaram et al. [Pilaram and Eghlidos (2017)] proposed an efficient lattice based multistage secret sharing scheme which can resist against quantum computers.

In the setting of secret sharing, one desirable property is fairness, which guarantees that if one party learns the secret, the other parties do too. To achieve fairness, Tompa et al.[Tompa and Woll (1989)] proposed a multi-round secret sharing scheme in which the real secretDis encoded as a sequence {D1,… ,Dk}whereDi=Dforichosen randomly andDj=dumfor allj≠i, where dum is a dummy legal value. In thejthround for 1≤j≤k,all active parties pool their shares and reconstructDjof the sequence until someDj≠dum. In their scheme, all the active parties require simultaneously pooling of their shares, and the cheater has a probability1/kof learning the secret while the others do not.In 2013, Tian et al. [Tian, Ma, Peng et al. (2013)] proposed a fair threshold secret sharing scheme following the approach of Gordon et al. [Gordon, Hazay, Katz et al. (2011)]. In their works, the dealer distributes a list of lengthv, and the true share is hidden in the list,and each party learns the true share with probability1/v.The reconstruction protocol requires at mostviterations. Recently, the work of Harn et al. [Harn, Lin and Li (2015)]proposed an asynchronous secret reconstruction scheme to protect the secret against both inside and outside adversaries. Another line of works [Halpern and Teague (2004); Liu,Li and Ma (2017); Zhang and Liu (2013); Tian, Peng, Lin et al. (2015); Zhang, Yuan and Du (2015); Jin, Zhou and Ma (2017)] focused on designing rational secret sharing schemes. In this setting, players are rational rather than corrupt or honest. Halpern et al.[Halpern and Teague (2004)] first introduced rational secret sharing and multiparty computation. They pointed out that any method for sharing secret reconstruction with a commonly known upper bound on the running time is unstable, and no parties will send a shadow in the last round since they have no incentive to do so. Following the seminal work of Halpern et al. [Halpern and Teague (2004)], all existing rational secret sharing schemes require running multi rounds.

Unfortunately, all the above schemes are not fully satisfied to guarantee fairness. It is not hard to see that no party has any incentive to broadcast his/her shadow in a traditional single round secret sharing scheme since not sending his/her shadow weakly dominates sending his/her shadow. For example, assume thattactive parties cooperate to reconstruct a secret that was shared using at-out-of-nsecret sharing scheme. If each party simultaneously broadcasts his/her share to all others, every party can learn the secret.However, if one party does not broadcast his/her share, it can still reconstruct the secret(because it received thet?1shares of all other parties), but the others cannot (because they only havet?1shares). In contrast, all existing fair secret sharing schemes and rational secret sharing schemes require running multi rounds, which are rather inefficient, in particular in the case of weak computational devices such as smart phones, PDAs or tablets.

1.1 Motivation

With the rapid development of information technologies and smart terminals, cloud computing has become a vital part of daily activity. Using smart phones, users can easily upload or share their personal data to others for diverse purposes or download kinds of applications from the Apple store or Google Play store, such as Google drive, Dropbox,Baidu cloud and Wechat. For instance, patients can upload their own e-health records to the cloud and users can download applications from the Apple store or Google Play store.A server-aided secret sharing model is described in Fig. 1. Although cloud outsourcing computation’s benefits are tremendous, security and privacy concerns are the primary obstacles to wide adoption.

Recently, several server-aided MPC protocols have been considered to trade off the parties’ work at the expense of the servers [Peter, Tews and Katzenbeisser (2013); López-Alt, Tromer and Vaikuntanathan (2012); Zhang, Li, Niu et al. (2017); Gordon, Katz and Liu (2015)]. Unfortunately, all existing server-aided MPC protocols are still far from practical for the secret sharing scheme. Moreover, to achieve fairness, the existing secret sharing schemes either assume a trusted party exists or require running multi-round. In addition, the cost of verification grows dramatically with the number of participants and the communication complexity isO(t), if there is not a trusted combiner in the reconstruction phase.

Figure 1: Outsourcing secret sharing system model

1.2 Contributions

In this work, we propose an outsourcing multi-secret sharing scheme, as shown in Fig. 1.Given the recent emergence of public clouds, such as Amazon EC2 and Microsoft Azure,clients are able to delegate expensive computation to a powerful cloud server, and in the scheme, it is fair for every client to obtain the multi secrets with limited computation cost.Our approach is particularly suited to applications where clients are very resourceconstrained and not always online. To the best of our knowledge, this is the first serveraided secret sharing scheme. Compared with previous secret sharing schemes, the proposed scheme has a number of advantages as follows.

(a) The scheme is suitable for reusable multi-stage multi-secret sharing and expensive computation can be outsourced to an untrusted cloud server.

With the amount of data generated, collected, and analyzed by computing systems growing at an amazing rate, reusable multi-stage multi-secret sharing schemes have attracted much attention from researchers. In our scheme, expensive computation such as secret reconstruction and homomorphic encryption can be performed by the cloud service provider. Themsecrets that have been reconstructed cannot reveal any information about the nextmsecrets that have not been reconstructed. Moreover, the cloud service provider (CSP) learns nothing about the secret shadow and the secret.

(b) It is fair for every active client to obtain the multi secrets.

To achieve fairness, all existing fair or rational cryptographic protocols require running many rounds, which is not efficient in a real application. In this work, we propose a server-aided secret sharing scheme. Following Gordon et al. [Gordon, Katz and Liu(2015)], we assume that the CSP cannot collude with the parties, this is due to a connection we establish between our scheme and virtual black-box (VBB) obfuscation,which is already known to be impossible [Barak, Goldreich, Impagliazzo et al. (2001)].In addition, there are many settings where collusion does not occur; for example, given the consequences of legal action and bad publicity, it is reasonable to assume that the large CSP (e.g. Google, Amazon or Microsoft) will not collude with the parties. Finally,it is fair for anytactive clients to obtain multiple secrets, which means if one client obtains the secrets, all the othert?1clients do too.

(c) The scheme does not require user interaction or always being online.

There are many settings in practice where users usually access their profiles via resource constrained mobile devices that are not always online, and a completely non-interactive solution is crucial for such systems to work in practice. Our scheme can reconstruct the secret without any interaction among the clients. Once online, clients can retrieve the secret, while the server learns nothing at all.

(d) The scheme is verifiable, and the verifiable stage can be done by the weak computational devices in the idle time.

Generally, the cloud service provider may have a strong financial incentive to try to cheat and return a wrong result to the client. General non-interactive verifiable computation can be used to address this problem. Unfortunately, existing solutions are either inefficient or rely heavily on user interaction. In this work, we use a one-way hash function to add verification capabilities. Given the secrets, the dealer computesk=h(s)and makes it public, and after reconstructing a secrets', the client verifies whetherh(s')=k. Ifh(s')≠k, the CSP is cheating. In addition, the verifiable stage can be performed by the weak computational devices during idle time.

1.3 Overview

The remainder of this paper is organized as follows. In Section 2, the preliminary of cryptography and secret sharing are introduced. Section 3 introduces the server-aided secret scheme. In Section 4, we analyze the new scheme, and we compare our solution with the existing secret sharing schemes in Section 5. Finally, we present our conclusions in Section 6.

2 Preliminaries

2.1 Two-variable one-way function

Definition 2.1Letkbe a security parameter, and letf[x]denote the set of valuesf(x,y)for all possibley. A functionf(x,y)is called a two-variable one-way function if it is easily computable, but for anyyi∈{0,1}kwhere1≤i≤l, for any polynomial time algorithmA, for all polynomialspand all sufficiently largek, the probability thatAon inputsf(x,yi)and outputs aysuch thaty≠yiis held that

Remark:The two-variable one-way function has several properties as follows.

(a) Givenxandy, it is easy to evaluatef(x,y); (b) Without the knowledgey, it is hard to calculatef(x,y)given anyx; (c) Givenxandf(x,y), it is hard to computey;

(d) Givenyandf(x,y), it is hard to evaluatex; (e) Giveny, it is hard to find different valuesxandx′such thatf(x,y) =f(x′,y); (f) When pairs ofxandf(x,y)are given,it is hard to computef(x′,y)wherex≠x′.

2.2 Secret sharing scheme

Definition 2.2LetFqbe a finite field. At-out-of-nsecret sharing scheme is a pair of algorithmsShare(·)andRec(·). For every secrets∈Fq,Share(·)outputs a vectorc1,… ,cn. For anyt-subset [i1,… ,it]? [n], it holds that

Definition 2.3LetP= {P,… ,P}be a set of participants. A collection A?2Pis monotone

1nifB∈AandB?B′?Pimply thatB′∈A . Sets inAare called qualified subsets, and sets in2PAare called unqualified subsets.

Definition 2.4LetP= {P1,… ,Pn}be a set of participants,Sibe the space from which theithsecretscan be selected,{S}be the family of A-secrets-sets, andH(X)be the

i

AA?Pentropy ofX. A multi-secret sharing scheme for {SA}A?Pis a sharing of the secrets inSamong participants inPthat satisfies the following requirements:

(a) For all subsetsA?P, it holdsH) =0.

(b) For all subsetsA?PandT?, it holdsH(T|A) =H(T).

Definition 2.5A verification secret sharing scheme satisfies the following requirements:

(a) If the dealer and participantPiboth follow the scheme, thenPiaccepts the share with probability 1.

(b) For all subsetsT1andT2of {1,…,n}of sizet, if all participants (Pi)i∈T1and (Pi)i∈T2have accepted their shares, then the following holds except with negligible probability: Ifsiis the secret constructed by the parties inTi(fori= 1,2), thens1=s2.

3 The server-aided multi-secret sharing scheme (SMSSS)

In this section, with some modifications, Pang’s MSS approach can be used in our serveraided multi-secret sharing scheme.

3.1 System parameters

LetP=P1,… ,Pnbenparticipants and letf(r,c)be a two-variable one-way function.Suppose thathis a collision resistant hash function and thatpis a safe prime, such asq|(p?1), whereqis a big prime. We useαto denote the generator of orderqoverand uses1,… ,smto denotemsecrets shared amongnparticipants. The dealer selects ρifrom [m,q?1]asPi’s public identity information for1≤i≤nand creates a public notice board that can be accessed by the participants and the cloud service provider. However,the public information on the board can only be updated by the dealer.

3.2 Protocol for sharing phase

The dealer executes the following steps:

Step 1:The dealer randomly choosesndistinct integersciand an integerξand then sends it toPiby a secret channel.

Step 2:Randomly choose an integerrand computef(r,ci)for1≤i≤n.

Step 3:With the knowledge of(n+m)pairs of (0,ξ⊕s1),(1,ξ ⊕s2),… ,(m?1,ξ ⊕sm)and (ρi,f(r,ci))for1≤i≤n, the dealer constructs a (n+m?1)th degree polynomial as follows.

Step 4:The dealer generates the public verification information:=αakmod pfor 0≤k≤n+m?1, chooses the (n+m?t)minimum integers σ1, σ2,… ,σn+m?tfrom the set{[m,q? 1]? ρj}for 1≤j≤n, and computesW(σi)for 1 ≤i≤n+m?t.

Step 5:The dealer publishes(r,W(σi) ,αk,h(sj))on the notice board, where 1 ≤i≤n+m?t,0≤k≤n+m?1and 1≤j≤m.

3.3 Protocol for outsourcing phase

LetPube the set of thetactive participants foru= 1′,2′, … ,t′.

Step 1:Puencrypts his/her pseudo shadowf(r,cu)using the cloud service provider(denoted by CSP)’s public keyPKand sends the ciphertextEPK(f(r,cu))to CSP.

Step 2:CSP decrypts the ciphertext and checks the following equation to verify whetherPu’s secret shadow is valid:

If the verification fails, CSP informs all thetactive participants and aborts the protocol,else the protocol continues.

Step 3:With the knowledge oftpairs of (ρu,f(r,cu)),u= 1′,2′, … ,t′andn+m?tpairs of (σv,W(σv)),1 ≤v≤n+m?t. The (n+m?1)thdegree polynomialW(x)can be uniquely determined as

3.4 Protocol for reconstruction phase

Step 1:CSP sendsW(χ)for 0 ≤χ≤m?1toPu.

Step 2:Paiverifies whetherh(W(i)⊕ ξ) =h(si+1), for (i= 0,… ,m?1). If the check succeeds, themsecrets can be obtained ass1=W(0)⊕ ξ,s2=W(1)⊕ ξ,… ,sm=W(m? 1)⊕ξ, else the CSP has deviated the protocol andPaiaborts the protocol.

4 Scheme analysis

In this section, we analyze the security and performance of the scheme.

Theorem 4.1The SMSSS is secure against malicious adversaries and anyt-1 or fewer clients’ collusion cannot reconstruct the secrets.

Proof. The security of our outsourcing secret sharing scheme can be analyzed as follows.(a) The malicious behaviors of clients can be verified by checking Eq. (4).

Due to the homomorphic property of exponentiation, a commitment of a sharef(r, cu)can be written as:

Therefore, the cheating behaviors of clients can be detected by the CSP.

(b) Anyt-1 or fewer clients’ collusion cannot learn the secrets.

In the scheme, anyt-1 or fewer clients’ cooperation cannot determine the polynomialW(x), so they cannot learn the secrets. However, anytor more clients’ cooperation can determine the polynomialW(x) and then learn the secrets by usingsi=W(i) ⊕ξ(i= 0,… ,m?1).

(c) The CSP learns nothing about the secrets.

The scheme provides input and output privacy for the client, and this is a critical feature for many real-life scenarios. Every active client only submits a pseudo shadowf(r,cu) in the secret reconstruction stage, and the real shadow is protected by the properties of the two-variable one-way function. Therefore, the CSP does not learn any information about the input and output of the client. In the scheme, following the seminal work of Gordon et al. [Gordon, Katz and Liu (2015)], we assume that the CSP does not collude with the clients, since Gordon et al. [Gordon, Katz and Liu (2015)] pointed out that simulationsecure multi-client verifiable computation is impossible to realize when the server colludes with clients. Actually, in real life, it is reasonable to assume that the large CSP(e.g. Google, Amazon or Microsoft) will not collude with the parties.

(d) The client can verify the output provided by the CSP.

Because clients lose control on their data and do not have access to the cloud’s internal operational details, the CSP may have a strong financial incentive to try to cheat and return a wrong result to the client without detection. Therefore, the client needs some guarantees that the answer returned from the server is correct. General non-interactive verifiable computation can be used to ensure that the CSP performs the computation correctly. Unfortunately, existing solutions are either inefficient or rely heavily on user interaction. In contrast, we use a one-way hash function to add verification capabilities.Given the secrets, the dealer computesk=h(s)and makes it public, and after reconstructing a secrets', the client verifies whetherh(s')=k. Ifh(s')≠k, the CSP is cheating. The proposed verifiable method is more efficient and practical than previous non-interactive verifiable computation.

Theorem 4.2The SMSSS is a multi-secret sharing scheme, and each client can use his/her secret shadow many times.

Proof. During the protocol for the sharing phase, the dealer uses the pseudo shadowf(r,ci)instead of the real shadowci, and themsecrets (s1,…,sm) are hidden by ξ⊕sjfor 1≤j≤m. With the knowledge of (n+m) pairs of (0,ξ ⊕s1),(1,ξ ⊕s2),…,(m? 1,ξ⊕sm)andfor1≤i≤n, the (n+m?1)thdegree polynomialW(x)can be uniquely determined. Each active client sends his/her pseudo shadow to the CSP in the reconstruction phase. Givenf(r,cu), it is hard to computecuforu= 1′,…,t′by the properties of the two-variable one-way function. With the knowledge oftpairs of(ρu,f(r,cu))andn+m-tpairs of (σv,W(σv)), the CSP can construct the (n+m?1)thdegree polynomialW(x) and learnW(χ)for 0 ≤χ≤m?1. However, the CSP learns nothing about themsecrets sincemsecret are hidden byξ⊕sjfor 1≤j≤m. In addition,each client can use his/her shadow many times. For example, to reconstruct the nextmsecrets, the dealer randomly chooses a newr, which is not equal to the last one and computesf(r,ci)for1≤i≤n. Then, the dealer runs Step 3-Step 5 of the sharing phase without redistributing the secret shadow. In contrast, each active clientPucalculates pseudo shadowf(r,cu)and sends it to the CSP, and finally, the othermsecrets can be constructed.

Theorem 4.3The SMSSS is complete fairness for every client and can work in an asynchronous network.

Proof. There are two major kinds of fair secret sharing: One is the protocols relying on a Trusted Third Party (TTP) to ensure the fairness of the protocol, and the other is the protocols without TTP. However, in real life, it is very hard to find a TTP in a distributed network. Therefore, we turn to consider the second case: Most previous protocols assumed that the parties had access to a simultaneous channel (meaning that all parties can simultaneously send messages and no party can see what the others broadcast before sending its own), which is problematic to implement in practice.

Throughout this paper, we assume that all information is communicated asynchronously.However, in an asynchronous secret reconstruction, when all other parties honestly release their shares, a dishonest party can always exclusively recover the secret by presenting a fake share last. Thus, the other honest parties get nothing but a fake secret. In our scheme, the above problem is addressed by using an untrusted service provider that cannot collude with participants. Given the consequences of legal action and bad publicity,it is reasonable to assume that the large CSP (e.g. Google, Amazon or Microsoft) will not collude with the parties. In our scheme, all the active t clients send pseudo shadowf(r,cu)asynchronously to the CSP, and no client can see what the others send before sending its own. Once one client sends a fake pseudo shadow, the cheating behavior will be detected by the CSP, and the cheating client learns nothing about the secret. Finally, in the reconstruction phase, every active client can obtain the m secrets.

5 Performance evaluation

We performed the test at Python 3.5.4rc1, and we ran all clients and the server on the same host, so that network latency was able to be ignored. A full overview of the computation time of each protocol step is given in Tab. 1. The data in Fig. 2(a) (marked by the blue line) shows the runtime of the secret reconstruction. In addition, we computed how much time it takes to encrypt the secret, and the data in Fig. 2(a) (marked by the red line) shows that the runtime of the secret encryption grows linearly with the number of clients. In contrast, it is clear that the veri fi cation algorithm takes more time than secret encryption and reconstruction in Fig. 2(b) and the runtime of secret veri fi cation is 0.14 seconds whent=6.In addition, we compare our solution with the existing secret sharing schemes. Tab. 2 shows the main comparative information of our scheme and fi ve schemes analyzed.Based on Shamir’s secret sharing, Pang et al. [Pang and Wang (2005)] proposed a new (t,n) multi-secret sharing scheme. In the scheme, multi-secret can be shared amongnparticipants, andtor more participants can reconstruct these secrets, butt-1 or fewer participants can derive nothing about these secrets. Liu et al. [Liu, Zhang and Zhang(2016)] analyzed the security of several proposed veri fi able multi-secret sharing and proposed two improved schemes. These schemes can not only resist cheating by the dealer or participants, but also remove the use of private channels. Unfortunately, the above schemes cannot ensure fairness and the communication complex isO(t). Pilaramet al. [Pilaram and Eghlidos (2017)] proposed an ef fi cient lattice based multistage secret sharing scheme which can resist against quantum computers. However, the scheme requires a trusted combiner to recover the secret. To achieve fairness, the protocols of Harn et al. [Harn, Lin and Li (2015); Liu, Li and Ma (2017)] require running multi-round,which are not suitable for weak computational devices.In contrast, our scheme only requires running single-round and the communication cost isO(1). In the scheme, expensive computation such as secret reconstruction and homomorphic veri fi cation can be performed by the cloud servers, users only require a small amount of computation. Moreover, our scheme does not require interaction among users. Noninteraction is very desirable in the setting of mobile networks or cloud computation since weak computational mobile devices are not always online. The secrets can be reconstructed by the CSP, and once clients are online, they can retrieve the secret by themselves.

Table 1: Computation time (in s) of each protocol step

Figure 2: The runtime of secret encryption, reconstruction and verification

Table 2: Comparison with the existing secret sharing schemes

6 Conclusion

In this paper, we propose the fi rst server-aided multi-secret sharing scheme. The protocol,which only requires running a single round, offers complete fairness for every active client. Expensive computation such as reconstruction computation and homomorphic veri fi cation computation can be outsourced to the server provider. In contrast, every client only requires a small amount of computation. Moreover, our scheme does not require interaction among users; any malicious behavior by clients and the CSP can be veri fi ed and can work in an asynchronous mode, which is very suitable for mobile networks or cloud computing environments.

Acknowledgments:This work was supported by the National Natural Science Foundation of China (U1604156, 61602158, 61772176) and Science and Technology Research Project of Henan Province (172102210045).