Authentication and key distribution protocol based on Diffie-Hellman algorithm and physically unclonable functions
Victor A. Yakovlev
TELKOMNIKA Telecommun Comput El Control

INTRODUCTION
The 6G mobile network will consist of heterogeneous nodes, from macro-level devices (satellites) to autonomous vehicles and intelligent infrastructure sensors [1]. This network heterogeneity and the significant increase in coverage can reduce the security and privacy of 6G users compared with previous generations of mobile communications. Potential losses from security incidents can be critical for the personal information, finances, health, and even the lives of network subscribers if, for example, attacks on unmanned transport systems are carried out, leading to mass traffic accidents, including fatal ones [2]. 6G security mechanisms will be based on symmetric and asymmetric cryptography in the context of the development of quantum computing [3]. Progress in quantum computing can reduce the effectiveness of these mechanisms.
One promising technology for increasing quantum resistance in the public-key cryptography model is quantum key distribution [4]. However, due to its high cost, deploying a quantum network around the world remains challenging. Another new method uses quantum-safe hybrid key exchange mechanisms, based on the principle that a cryptosystem remains secure as long as one of its key exchange methods remains secure [5]. As an example of such an approach, it is proposed to combine a classical key exchange method, such as the Diffie-Hellman (DH) scheme, with a quantum-safe key encapsulation mechanism [6].
The DH method allows a common encryption key (DH key) to be formed over an open, interceptable communication channel in order to establish a secure connection between two correspondents [7]. This method is commonly used in the network protocols secure sockets layer/transport layer security (SSL/TLS), IP security (IPSec), pretty good privacy (PGP), and other applications. The security of the DH algorithm must not be compromised, because many network protocols and services depend on DH key exchange for reliable communication. Therefore, many researchers propose various ways to modify the DH scheme to make the algorithm more resistant to attacks and more effective for new applications: the internet of things (IoT), cloud systems, and new-generation cellular communications. The user registration phase, integrated with DH key exchange and random key generation, is the core of the authenticated key management scheme (AKMS) proposed in [8]. The AKMS scheme guarantees confidentiality when transferring keys between users by using two keys and encryption. First, the server generates a random key to encrypt the file before transmission. The user then encrypts this random key using a key generated by the DH key exchange. The authors of [9] also apply integration with the classical protocol and propose a secure and efficient routing protocol (RPL) for IoT networks. To secure this new RPL protocol and guarantee authentication and data integrity, nodes must share a secret key calculated using the advanced DH algorithm. We considered various ways to store data in the cloud for a given time using several cryptographic solutions, including the DH key distribution protocol [10].
A digital signature on the DH key is one direction for solving the key authentication task [11]. The signature is verified using the public key distributed in the network by means of a certificate. This approach is used in the SIGMA protocol [12], the basis of the internet key exchange (IKE) protocol v.2, and requires a public key infrastructure (PKI). Another approach to authenticating a key distributed by the DH method is to use binary sequences previously distributed among the users. The users generate these sequences while pairing their mobile devices in a face-to-face meeting [13]. The eavesdropper is at a distance from the users and has no access to the sequences exchanged between them. The users cannot use the generated sequences directly as encryption keys because these sequences contain a certain percentage of errors (mismatches). This approach is studied in detail in [14]. Its peculiarity is that users need to bring their mobile devices together to obtain nearly identical sequences and then use them efficiently to establish a key by the DH method. This method is mainly oriented to mobile devices such as smartphones.
A physically unclonable function (PUF) is a property of a physical (digital) system that cannot be cloned (reproduced, copied) in other physical systems [15]. PUFs owe their unclonability to random variations in the production process that cannot be controlled. Owing to these random parameters, each digital system can be treated as unique and physically unrelated to the others. PUFs are based on extracting these unique parameters from digital systems. PUFs have gained great popularity in the last 10-15 years for solving various cybersecurity problems and, above all, authentication tasks [16].
In this paper, we consider a method for authenticating a key generated by the DH protocol with the participation of a trusted authority (TA, also called a trusted centre) and using PUFs. We propose two variants of the key distribution protocol among network users whose devices contain a hardware PUF. The TA has a database of challenge-response value pairs for each user's PUF. The main contributions of this work are:
a. We formulate requirements for PUFs suitable for authentication systems.
b. We develop two variants of DH key authentication protocols using arithmetic operations and PUFs.
c. We analyze and evaluate the security of the proposed protocols.
The rest of the paper is organized as follows. The next section briefly describes the standard DH scheme and analyses the PUF construction principles, their features, and the models used to formalize their parameters. The third section explains the approach to building DH key authentication systems based on a PUF and a TA and presents the developed authentication protocol variants using arithmetic operations and hash functions. The security analysis and evaluation of the proposed protocols are presented in the fourth section. The conclusion summarizes the work and points out promising directions for further research.

THE COMPREHENSIVE THEORETICAL BASIS
2.1. The existing scheme of DH algorithm and its vulnerabilities
Let us assume that Alice and Bob exchange information over a network using the standard DH key exchange process [7]. Network users Alice (A) and Bob (B) agree on the parameters p and g, where p is a prime number and g is an element of the finite field GF(p) that generates a group of high order, and the following protocol is executed. The keys computed by Alice and Bob are equal. Cryptographic protocols based on cryptographic algorithms can provide a high level of security. However, they can be compromised by vulnerabilities such as man-in-the-middle (MITM) attacks in remote user interaction [17]. An overview of MITM attacks targeting the DH protocol is given in [18]. The eavesdropper Eve can record the messages sent from Alice to Bob and later send a copy of these messages to Bob, who will assume that they come from Alice. Eve can then send her own messages to Alice, who will believe that they came from Bob. Many researchers have proposed defenses against this type of attack; the best-known approaches are digital signatures and message authentication codes [18]. Although they are convenient for many systems, they still have some weaknesses. This paper aims to distribute keys between Alice and Bob without their being compromised by Eve. Consider the MITM attack in more detail (see Figure 1). As a result of it, the eavesdropper E has formed one common key with user A and a different common key with user B. If user A sends a message encrypted on the key shared with E, the eavesdropper decrypts this message on that key and re-encrypts it on the key shared with B. She then sends the ciphertext to user B, who decrypts it on his key. At the same time, user A believes that he works directly with user B, and user B thinks that he works directly with user A. The actual exchange between users A and B is controlled by the eavesdropper E.
Note that even if the eavesdropper uses the same numbers e = e' when forming the keys with users A and B, the key formed with A and the key formed with B will still differ, since with high probability the users' secret exponents are different. This means that when a man-in-the-middle attack is carried out, the two keys formed by the eavesdropper differ, and so do the keys held by A and B. This fact is used when building the authentication protocols based on PUFs.

The principles of PUF building and features
A PUF can be described by pairs of input parameters (signals) and the corresponding output parameters: the input signals are called challenges and the output signals are called responses (answers) [19]. A pair consisting of an input physical parameter (challenge) and an output parameter (response) is called a challenge-response pair (CRP). A PUF must satisfy the following requirements [19]:
a. The response signal may be extracted repeatedly and reliably by measurement for a given challenge.
b. The number of possible challenges must be so large that all the responses corresponding to them cannot be obtained by exhaustive enumeration within the observable time.
c. Since the response to a challenge is determined by an extremely large amount of data in the physical system, it must be computationally impossible to calculate, simulate, or otherwise find a CRP when knowing another pair or some number of such pairs.
d. Cloning the given physical system by another physical system described by a similar set of CRPs, or its physical reproduction, must be extremely difficult.
At present, many PUF types have been suggested: optical PUFs, coating PUFs, arbiter PUFs, ring-oscillator PUFs, PUFs based on static random-access memory (SRAM), butterfly-type PUFs (latch, multivibrator oscillator), PUFs based on failures, and combined PUFs. The production of all PUFs is characterized by technological variations that affect the output parameters of the system. Because of this, these parameters vary from device to device while the functionality of the devices and their internal topology remain identical. The number of technological variations, such as p-n junctions or impurities in the substrate, determines the number of possible PUFs.
Our object of research is an authentication system. For such a system, properties such as robustness, unclonability, and unpredictability are important.
Let us introduce the following notation: the set of challenges at the PUF input; the set of responses at the PUF output; the set of CRPs of the s-th PUF; the set of PUFs for a selected production technology with specified challenge-to-response mappings; the subset of PUFs for a specified challenge-response pair; and |A|, the potency (cardinality) of an arbitrary set A.
Robustness can be defined as the PUF's ability to maintain its properties, in particular the uniqueness of the mapping from challenge to response, under changing operating conditions (temperature, humidity, supply voltage). Additional measures, for example error-correcting codes, are used to increase resistance to destabilizing factors; in this case one speaks of a PUF system [15].
Unclonability. The notion of unclonability is discussed in [20] in two forms:
− existential unclonability, understood as the impossibility for the eavesdropper to create two PUFs with the same properties;
− selective unclonability.
In the second case, creating a clone of the original PUF must be impossible even if the eavesdropper gains access to the original PUF. At the same time, some restrictions are assumed: for example, the time of access to the PUF is limited, and the eavesdropper cannot physically affect the PUF and remain undetected. The eavesdropper may use side channels. In our further study, we do not discuss robustness and unclonability, assuming that they hold.
The unpredictability of a PUF can be defined in a narrow and in a broad sense. Unpredictability in the narrow sense is defined for an individual PUF as follows: for any uniformly random choice of a challenge, the probability of occurrence of a given response R_i is close to that of any other response. In the broad sense, unpredictability is the impossibility of different PUFs producing the same responses. As is known, the number of possible challenge-to-response mappings is determined by the number of boolean functions of k variables with values in (0,1) and amounts to (2^(2^k))^k. It follows that even for moderate k, the probability of two identical mappings is negligible. However, such an idealization of the PUF is not confirmed by practice. Maiti et al. [21] note that for any physical system the number of its states depends polynomially on its linear dimensions. Therefore, such an estimate of the number of PUFs cannot be achieved in practice. Hence, it is necessary to assume that the number of PUFs depends polynomially on the potency of the set of responses. This implies the possible existence of subsets of PUFs that share some number of CRPs.
In this regard, it is necessary to estimate the potency of such subsets and the number of CRPs they have in common. To model the relationship between the CRPs of different PUFs, let us apply the class of strictly universal hash functions suggested by Carter and Wegman [22].
With respect to PUFs, let us introduce the notion of a PUF class, by which we understand a set of PUFs made according to the same technology and having fixed parameters of the challenge and response signals. Then, from condition 1), relation (2) follows for any CRP. In particular, when the PUF response is a binary sequence of length k symbols, the number of possible responses equals the number of all binary combinations of length k, i.e. 2^k, and the corresponding consequences of (1) and (2) follow. From (1) and (2), it is obvious that if the intersection subset contains exactly one PUF, the number of PUFs equals the square of the number of responses, which means that it depends polynomially (by a second-degree polynomial) on the number of responses. The polynomial dependence of the number of PUFs gives grounds to assume that, on the one hand, the proposed model does not contradict practice. On the other hand, as shown below, it is sufficient to ensure the security of an authentication system using PUFs. Thus, we assume that PUFs having the following characteristics are used to solve authentication tasks:

DH authentication protocol using a TA and PUFs
Let us consider the general scheme of authentication of a key generated by users A and B in the presence of a TA, under attacks by an active eavesdropper E (Figure 2). The users communicate with the TA, where they are preliminarily authenticated using protocols that apply certificates, for example SSL/TLS or IPSec [23]. The users have PUF blocks integrated into their devices. The users' task is to generate a common key according to the DH method; for this, they have a two-way communication channel between themselves. The key is authenticated via the TA based on the PUFs. The eavesdropper E is able to control both the communication channel between users A and B and the channels between the users and the TA, and to carry out active attacks there.
A database is created that records, for each PUF, a subset of randomly selected CRPs.
The number of such pairs for one device is much smaller than 2^k. The meaning of this restriction is that if the eavesdropper "probes" the device implementing the PUF by sending random challenges to it, the probability of hitting a challenge from the stored subset is negligible. The CRPs for each PUF are computed in some number at the factory during PUF production and recorded in the TA database, which is stored in encrypted form.

Figure 2. Keys authentication using TA and PUFs
The principle of DH key authentication for legal users is proof that the keys generated by the two users are the same. Recall that when the eavesdropper carries out a man-in-the-middle attack, he generates two keys, which differ with large probability. To confirm that the users generated the same keys, the TA sends challenges to the users, and they send the TA responses generated using their PUFs. If the information contained in the responses confirms that the keys are the same, the DH key is authenticated as genuine; if not, the key is not authenticated. Therefore, the eavesdropper's task is to generate and transfer false responses to the TA that persuade it that his two different keys coincide.

DH-keys authentication protocol using a TA and PUFs (option 1)
Let us consider the key authentication protocol based on this principle. After the users generate the DH key, one or both users send a request to the TA to execute the authentication protocol for the key they generated. The key authentication protocol includes the following steps (Figure 3):
a. The TA sends challenges C_A and C_B from its list of challenges to users A and B.
b. User A computes the value of his PUF for this challenge, R_A = PUF_A(C_A). User B computes the similar value of his PUF, R_B = PUF_B(C_B).
c. The response R_A is written as a concatenation of three parts, R_A = R_A1 ‖ R_A2 ‖ R_A3, where each part is a number, an element of the Galois field GF(N) (N is a prime number); similarly, R_B = R_B1 ‖ R_B2 ‖ R_B3 with R_Bi ∈ GF(N), i = 1, 2, 3. Each user masks the first part of his response by XORing it with the hash of his DH key, multiplies the result by the second part of his response, and sends the product to the TA; here "+" and "×" denote addition and multiplication in the field GF(N).
d. Having received the two values, the TA computes the inverse elements of the stored reference second parts R'_A2 and R'_B2 modulo N, multiplies each received value by the corresponding inverse, and XORs the two results. The obtained value is compared with R'_A1 ⊕ R'_B1, where R'_A1, R'_B1, R'_A2, R'_B2 are the reference PUF responses of devices A and B stored in the TA database. If the values are equal, the TA concludes that the keys of A and B coincide, which means there was no man-in-the-middle attack.
e. The TA notifies users A and B that the keys coincide and authentication is done by sending the messages R'_A3 and R'_B3 to users A and B, respectively.
f. User A, having received R'_A3, verifies the equality R'_A3 = R_A3; user B, having received R'_B3, verifies the equality R'_B3 = R_B3. If the equalities hold, the users are sure they have generated the same keys. If check (3) fails, the centre informs the users by sending the inverted values of R'_A3 and R'_B3. After the authentication procedure, the TA deletes the used pairs (C_A, R_A) and (C_B, R_B) from its database.
In this protocol, the most expensive operation for the users is multiplication in the finite field by the masking multipliers R_A2 and R_B2; for the TA, it is inversion of an element modulo N. We also assume that the hash function h used by users A and B satisfies the cryptographic requirements of collision resistance and one-wayness [24]. The PUF values PUF_A(C_A) and PUF_B(C_B) are computed automatically by the integrated devices. In this protocol, unlike the popular Needham-Schroeder authenticated key distribution protocol [25], the TA is used only for authenticating the keys generated by the users and does not participate in their generation; hence, it cannot access them.

RESULTS AND DISCUSSION
Let us analyze the second option of the DH key authentication protocol, which uses no arithmetic calculations. To do this, we present and prove several lemmas.
Lemma 1. Eavesdropping on the information exchange channels (IEC) between the users and on the IEC between the subscribers and the TA gives the eavesdropper little information.
Proof: The eavesdropper obtains no information by inspecting the communication channel between the users, since the users exchange no data other than the DH values. The eavesdropper monitors the exchange of messages in the channels between the users and the TA. It intercepts the challenges C_A, C_B from the TA, the users' responses to them, and the TA's answers, which send the users the second parts R_A2, R_B2 of the responses or their inversions.
The responses to the challenges, h(key of A) ‖ h(R_A1 ∥ h(key of A)) and h(key of B) ‖ h(R_B1 ∥ h(key of B)), contain a hash code of the key and a hash code of the first part of the PUF response. If the hash function is chosen correctly, for example according to SHA-3 [24], recovering the key from its hash code is computationally impossible. Based on monitoring the challenges and the information in the responses, the eavesdropper might set out to build a challenge-response table for a user's PUF in order to carry out an active attack later. However, the opportunities for such attacks are limited. In fact, the challenges transmitted are known to the eavesdropper but are random numbers. In response to a challenge, the eavesdropper obtains the first part of the PUF response only in the form of the hash code h(R_1), and if the hash function is built correctly, the pre-image cannot be recovered. The second part of the PUF response, R_2, becomes known to the eavesdropper only after the authentication procedure is completed. Since the challenge and response are one-time and are deleted from the TA database after use, this information is useless. This proves the lemma.
Lemma 2. The suggested protocol reliably detects the MITM attack.
Proof: Assume that during the protocol for distributing a common key between users A and B, the eavesdropper managed to carry out a MITM attack, as a result of which he generated one key with user A and another key with user B, and the two keys differ. The eavesdropper's further task is to convince the TA that the two keys coincide. Suppose also that the eavesdropper intercepted the responses that users A and B sent to the TA: the hash of A's key concatenated with h(R_A1 ∥ hash of A's key), and the corresponding value for B computed from B's key. To prove that the keys coincide, the eavesdropper may relay A's response unchanged to the TA, and instead of B's response he must generate a forged one in which the hash of A's key replaces the hash of B's key. The first parts of the two responses then coincide, so the first verification in the TA passes. For the second part to pass, the equality h(R'_B1 ∥ h(key)) = h(R_B1 ∥ h(key)) must hold, where R'_B1 is the value the eavesdropper substitutes. The sequence R_B1 is not known to the eavesdropper. Considering that R_B1 is a random sequence of length k/2, the eavesdropper's only option is to guess it. By choosing k large enough, the likelihood of such an attack is made negligible.
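To make the two TA verification rules and the Lemma 2 argument concrete, here is an added simulation of both protocol options (option 1 with the GF(N) masking of Section 3, option 2 with hashes only) under an honest exchange and under the Figure 1 man-in-the-middle attack; this is example code written for this page, not the paper's. Constructed assumptions: each device's PUF is stood in for by HMAC-SHA256 under a per-device secret, SHA-256 stands in for SHA-3, the DH group is the Mersenne prime 2^127 - 1 with generator 3 (toy size), the option-1 field is GF(N) with N = 2^61 - 1, and the names Device, TrustedAuthority, run_honest and run_mitm are mine.

```python
import hashlib
import hmac
import secrets

# Constructed parameters (toy sizes, not the paper's): DH modulus p and generator g,
# the prime N of the option-1 field GF(N), and the response length k = 128 bits.
P, G, N, K_BYTES = 2**127 - 1, 3, 2**61 - 1, 16


def h(*parts: bytes) -> bytes:
    """Hash function h() of the protocol; SHA-256 stands in for SHA-3 here."""
    return hashlib.sha256(b"".join(parts)).digest()


def split_gf(resp: bytes):
    """Write R as R1 || R2 || R3 with R_i in GF(N). R1 is kept below 2^60 so that
    XOR with the 60-bit key mask stays inside the field; R2 is made non-zero."""
    v = int.from_bytes(resp, "big")
    return v & (2**60 - 1), (v >> 60) % (N - 1) + 1, int.from_bytes(h(resp), "big") % N


class Device:
    """User device with a PUF block (simulated by HMAC under a per-device secret)."""

    def __init__(self, name: str):
        self.name, self._puf_secret, self.key = name, secrets.token_bytes(32), None

    def puf(self, c: bytes) -> bytes:
        return hmac.new(self._puf_secret, c, "sha256").digest()[:K_BYTES]

    def dh_public(self) -> int:
        self._x = secrets.randbelow(P - 2) + 1          # secret exponent
        return pow(G, self._x, P)

    def dh_finish(self, peer_public: int) -> None:
        self.key = pow(peer_public, self._x, P).to_bytes(16, "big")   # DH key

    def respond(self, c: bytes, option: int):
        r = self.puf(c)
        if option == 1:                                 # [R1 xor h(K)] x R2 in GF(N)
            r1, r2, _ = split_gf(r)
            mask = int.from_bytes(h(self.key), "big") & (2**60 - 1)
            return (r1 ^ mask) * r2 % N
        hk = h(self.key)                                # h(K) || h(R1 || h(K)), R1 = k/2 bits
        return hk + h(r[:K_BYTES // 2], hk)


class TrustedAuthority:
    """Holds a small one-time CRP subset per device, |{C,R}| << 2^k."""

    def __init__(self):
        self.db = {}

    def enrol(self, dev: Device, n_pairs: int = 4) -> None:
        cs = [secrets.token_bytes(16) for _ in range(n_pairs)]   # measured at production
        self.db[dev.name] = {c: dev.puf(c) for c in cs}

    def authenticate(self, a: Device, b: Device, option: int) -> bool:
        """Steps a-d: challenge both users, unmask or re-hash, delete the used pairs."""
        ca, cb = next(iter(self.db[a.name])), next(iter(self.db[b.name]))
        ma, mb = a.respond(ca, option), b.respond(cb, option)
        ra, rb = self.db[a.name].pop(ca), self.db[b.name].pop(cb)
        if option == 1:
            ra1, ra2, _ = split_gf(ra)
            rb1, rb2, _ = split_gf(rb)
            ta, tb = ma * pow(ra2, -1, N) % N, mb * pow(rb2, -1, N) % N
            return (ta ^ tb) == (ra1 ^ rb1)             # equal keys cancel the h(K) masks
        hka, hkb = ma[:32], mb[:32]
        return (hka == hkb and ma[32:] == h(ra[:K_BYTES // 2], hka)
                and mb[32:] == h(rb[:K_BYTES // 2], hkb))


def run_honest(option: int) -> bool:
    """Direct DH exchange: K_A = K_B, so the TA confirms the key."""
    a, b, ta = Device("A"), Device("B"), TrustedAuthority()
    ta.enrol(a); ta.enrol(b)
    ya, yb = a.dh_public(), b.dh_public()
    a.dh_finish(yb); b.dh_finish(ya)
    return ta.authenticate(a, b, option)


def run_mitm(option: int) -> bool:
    """Figure 1 attack: Eve answers A and B with her own g^e, g^e', so K_A != K_B.
    As in Lemma 2 she relays A's genuine response and forges B's with a guessed PUF."""
    a, b, ta = Device("A"), Device("B"), TrustedAuthority()
    ta.enrol(a); ta.enrol(b)
    a.dh_public(); b.dh_public()
    a.dh_finish(pow(G, secrets.randbelow(P - 2) + 1, P))   # Eve's g^e, posing as B
    b.dh_finish(pow(G, secrets.randbelow(P - 2) + 1, P))   # Eve's g^e', posing as A
    eve_as_b = Device("B")          # fresh random "PUF" = Eve's guess of PUF_B's response
    eve_as_b.key = a.key            # Eve knows K_E, which equals A's key
    return ta.authenticate(a, eve_as_b, option)
```

run_honest(1) and run_honest(2) return True, while run_mitm(1) and run_mitm(2) return False: the first check h(K) passes in the forgery, but the guessed PUF part fails the second one.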
Another possible attack is the transfer to both users of false messages about the completion of authentication (although authentication was not completed). These messages are binary random sequences, each of length k/2 bits, so the probability of guessing them is also negligible. The properties of the PUF can give rise to another vulnerability of the authentication protocol. An attack in which the eavesdropper creates a false response for B using the hash of A's key may succeed if it happens that the responses of PUF_A and PUF_B to the challenges C_A and C_B coincide, i.e. R_A = R_B.
Let us estimate the probability of this event. By feature 1 of universal hash functions, the number of PUFs for which C_A maps to R_A equals the number of PUFs divided by the number of responses. The eavesdropper's attack succeeds if PUF_B also maps C_B to R_A. According to feature 2) of universal hash functions, the number of hash functions for which both mappings hold equals the number of PUFs divided by the square of the number of responses. Then the probability that PUF_B generates the same response as PUF_A is the ratio of these two quantities, i.e. one over the number of responses. Considering that the PUF response is a binary sequence of length k, the number of responses is 2^k. By choosing k large enough, we obtain a negligible probability of a successful attack. The lemma is proved.
Lemma 3. By sending random challenges to the device and thus "probing" it, an active listener can find a challenge from the subset of CRPs stored in the TA database only with negligible probability.
Proof: Suppose the eavesdropper can "probe" a user's device by sending random challenges to it in order to find a CRP that belongs to the subset stored in the DB. Having found such a pair, the eavesdropper could act as the TA, send the challenge to the users, receive the correct response, and confirm authentication. If the potency of the subset of challenge-response pairs stored in the DB for one device is much smaller than 2^k, then the probability of hitting a stored challenge is negligible. In practice, the probability of successful probing can be reduced further by restricting the generation of responses by the user after a certain number of challenges has been received, as is done in password systems. The lemma is proved. Combining the proven lemmas, we formulate a theorem.
Theorem. The key authentication protocol using a TA and PUFs is secure.
Proof: By Lemma 1, communication between the protocol participants is secure and the eavesdropper receives no information on the key. Lemma 2 ensures that if the eavesdropper relays the intercepted response of user A and generates the response of user B himself by randomly choosing a PUF response, he cannot impersonate the legal user. By Lemma 3, the eavesdropper cannot find a challenge from the stored subset of CRPs by sending random challenges to the user. It follows that legal users can safely authenticate their keys using the proposed protocol.
Comment. The security theorem for the first option of the protocol may be proved similarly. Lemmas 1 and 3 apply without changes or additions. In Lemma 2, it is necessary to show that a key substitution attack does not succeed if the eavesdropper relays the response of user A, [R_A1 ⊕ h(key)] × R_A2, and generates the response of user B in the form [R_B1 ⊕ h(key)] × R_B2, where the parts of the response of PUF_B must be supplied by the eavesdropper himself. The eavesdropper might guess the second part, R_B2, of the response of PUF_B; considering that R_Bi ∈ GF(N), choosing N large enough makes the probability of such an attack negligible. On the other hand, the attack succeeds if the responses of PUF_A and PUF_B coincide; as shown in the proof of Lemma 2, the probability of this event equals 1/|R| = 1/2^k.
Let us consider an example of selecting PUF parameters. Suppose the TA's DB contains 100,000 CRPs for each user. Then, if the length k of the bit sequence in the challenge and response is 128 bits, the DB memory for one device is 128 ⋅ 2 ⋅ 100000 bit = 32 Mbit, and the capacity of a DB storing information about 1 thousand devices is 32 Gbyte. The probability of randomly selecting a pair stored in the DB during PUF probing is 10^5 / 2^128 ≈ 10^-33. With a polynomial (second-degree) dependence of the number of PUFs on the number of responses, it is possible to implement (2^128)^2 ≈ 10^77 PUFs. We see that the proportion of used CRPs in their total number is negligible. The share of used PUFs is also negligible compared with their total number, even when the number of PUFs is approximated by a polynomial. The proposed authentication protocol can therefore be implemented.

CONCLUSION
The paper solves the task of authenticating keys distributed by the DH method among network users, each of whom has a built-in PUF block in his device. The keys are authenticated by a TA with a database of challenge-response value pairs for each user's PUF. We briefly describe PUF features and emphasize the need to formalize them. It is proposed to use the class of strictly universal hash functions developed by Wegman and Carter. A polynomial dependence of the possible number of PUFs on the number of responses has been proven. Requirements for PUFs suitable for authentication systems are formulated.
We proposed two options for DH key authentication protocols based on the submission of challenges to the users by a trusted centre and the generation of responses to these challenges by the users using their PUFs. The trusted centre makes the authentication decision based on the criterion of coincidence (equality) of the keys received from a pair of users. The security of this protocol is proved here. The article also contains an example of evaluating the capacity of the TA database for storing the CRPs of users' PUFs, demonstrating the possibility of practical implementation of the method. We plan further research in the following directions: verification of the formal model of the PUF structure and its description in the framework of the extended class of -almost universal hash functions; optimization of the DH key authentication protocol parameters; and development of PUF-based authentication protocols without a challenge-response database for each PUF in the TA.

Figure 1. MITM attack for the DH algorithm

1) The number of PUFs in the class for which a given challenge maps to a given response equals the number of PUFs divided by the number of responses (the potency of the response set).
2) For two distinct challenge-response mappings, the number of PUFs realizing both, i.e. the potency of the intersection of the two corresponding subsets, equals the number of PUFs divided by the square of the potency of the response set.

Characteristics assumed for PUFs used in authentication (see the end of Section 2):
− the number of digits k in the binary representation of the response (the PUF dimension) depends linearly on its physical size;
− the number of pairs (CRPs) depends exponentially on the PUF dimension and equals 2^k;
− the number of PUFs depends polynomially on the potency of the response set and equals its square.

Figure 4. Chart of the authentication protocol with the TA based on PUF (option 2).
a. User A generates a random number in [1, p − 1], calculates his DH value and sends the obtained value to correspondent B.
b. User B generates a random number in [1, p − 1], calculates his DH value and sends the obtained value to correspondent A.
− Eavesdropper E intercepts A's value, saves it in memory, generates a random number e ∈ [1, p − 1], computes the corresponding DH value and sends it to user A under the guise of user B.
− Eavesdropper E intercepts B's value, saves it in memory, generates a random number e' ∈ [1, p − 1], computes the corresponding DH value and sends it to user B under the guise of user A.
a. User A calculates the session key value: