A Privacy-Preserving Logistics Information System with Traceability

09/11/2021
by   Quanru Chen, et al.
Tencent QQ
NetEase, Inc
0

Logistics Information System (LIS) is an interactive system that provides information for logistics managers to monitor and track logistics business. In recent years, with the rise of online shopping, LIS is becoming increasingly important. However, since the lack of effective protection of personal information, privacy protection issue has become the most problem concerned by users. Some data breach events in LIS released users' personal information, including address, phone number, transaction details, etc. In this paper, to protect users' privacy in LIS, a privacy-preserving LIS with traceability (PPLIST) is proposed by combining multi-signature with pseudonym. In our PPLIST scheme, to protect privacy, each user can generate and use different pseudonyms in different logistics services. The processing of one logistics is recorded and unforgeable. Additionally, if the logistics information is abnormal, a trace party can de-anonymize users, and find their real identities. Therefore, our PPLIST efficiently balances the relationship between privacy and traceability.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

08/07/2020

Why are Developers Struggling to Put GDPR into Practice when Developing Privacy-Preserving Software Systems?

The use of software applications is inevitable as they provide different...
11/23/2020

FakeSafe: Human Level Data Protection by Disinformation Mapping using Cycle-consistent Adversarial Network

The concept of disinformation is to use fake messages to confuse people ...
08/26/2019

No Peeking through My Windows: Conserving Privacy in Personal Drones

The drone technology has been increasingly used by many tech-savvy consu...
10/20/2021

UPPRESSO: Untraceable and Unlinkable Privacy-PREserving Single Sign-On Services

Single sign-on (SSO) allows a user to maintain only the credential at th...
11/19/2018

Anonymous Single Sign-on with Proxy Re-Verification

An anonymous Single Sign-On (ASSO) scheme allows users to access multipl...
09/18/2021

Anti-Neuron Watermarking: Protecting Personal Data Against Unauthorized Neural Model Training

In this paper, we raise up an emerging personal data protection problem ...
04/20/2022

The Danger of Small Anonymity Sets in Privacy-Preserving Payment Systems

Unlike suggested during their early years of existence, Bitcoin and simi...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

In recent years, with the rapid development of e-commerce, online shopping has become a popular trend. Online shopping is an interactive activity between a buyer and a seller, where after completing an order by a buyer, the product is delivered via a logistics system [23]. Logistics system helps to reduce product cost and save shopping time.

Unfortunately, the current LISs [40] cannot effectively protect users’ privacy information. Users’ personal information is clearly visible on the express bill and the LIS database [50]. Some data breaches in LISs released users’ personal information, including addresses, phone numbers, transaction details, etc. If a user’s personal information is leaked and maliciously collected, she may be at high risk of identity forgery and property fraud, in addition to the risk of being harassed by spam messages. Therefore, it is interesting and important to consider the privacy issues in LISs.

Furthermore, since a product is delivered by multiple logistics stations, it is important to record the whole logistics process and make the process unforgeable. Additionally, to prevent users from conducting illegal transactions, users can be de-anonymized [12, 21] and traced.

In this paper, we propose a privacy-preserving logistics information system with traceability (PPLIST). Compared with the existing LISs, our scheme has the following advantages:

  1. Users can anonymously use the logistics services in our PPLIST scheme. Users generate and use different pseudonyms in different logistics services. Even the internal staff of a logistics company can not directly obtain the information of users’ identities, our PPLIST effectively protects users’ personal information.

  2. In the case that the identity of a user needs to be released, a trace party can de-anonymize a user and find his identity. This properties prevent users from conducting illegal logistics via a logistics system.

  3. Our PPLIST scheme is efficient. Multi-signature is applied to record the delivery process and reduces the storage space.

Contributions:

Our main contributions in this paper are summarised as follows: 1) The definition and security model of our PPLIST scheme are formalised; 2) A PPLIST scheme is formally constructed; 3) The security of our PPLIST scheme is formally reduced to well-known complexity assumptions; 4) Our PPLIST scheme is implemented and evaluated.

1.1 Related Work

In this subsection, we introduce the work which is related to our PPLST scheme, including LIS, privacy protection in LIS, multi-signature and pseudonym.

1.1.1 Logistics Information System

LIS is a subsystem and the nerve center of logistics systems. As the control center of the whole logistics activities, LIS has many functions. The main functions of LIS are as follows: collect, store, transmit, process, maintain and output logistics information; provide strategic decision support for logistics managers; improve the efficiency of logistics operations [39].

Bardi et al. [26] pointed out that the choice of LIS directly affected the logistics cost and customer-service level. Lai et al. [38] showed that LISs is very important for a company to manage product inventory and predict the trend of customers’ online shopping. In addition, Ngai et al. [42] claimed that LIS is an information system that can promote a good communication between the companies and the customers. An LIS adoption model was proposed in [42] to examine the relationship among organizational environment, perceived benefits and perceived barriers of LIS adoption. In [29], Closs and Xu argued that the important source of enterprise competitive advantages was logistics information technology. Their research showed that companies with advanced logistics information technology and LIS performed better than other companies.

LISs have been proposed and applied into various application scenarios [24, 46]. Amazon [24] is one of the first companies to provide e-commerce services. Amazon has a logistics system, which realizes the organization and operation of the whole logistics activities. Amazon has also added special technology, One-Click [13], in their LIS, which can automatically store the information of customers. Therefore, customers do not input their person information in each shopping. In addition, Amazon’s LIS has the following functions [30]: order confirmation in time, smooth logistics process, accurate inventory information and optional logistics methods, etc. Amazon has become a business to consumer (B2C) e-commerce [37] company.

Taobao [46] is a consumer to consumer (C2C) e-commerce [15] platform. Taobao entrusts all logistics activities to a third party logistics company, but takes a series of measures to ensure the security of logistics activities. For instance, Taobao implements the network real-name system (NRS) [14] in their LIS, and has set up a special customer-service department to solve products logistics problems. Besides, Taobao has the functions of timely confirmation of orders and delivery within the specified time.

1.1.2 Privacy Protection in LIS

Although the LIS of e-commerce platform brings convenience to people’s life, it also brings great challenges to privacy protection. LIS stores a large number of users’ personal information. Once the information is leaked, it will result in serious threaten to the life and safety of users. Some privacy protection methods in LIS have been proposed, such as [31, 17, 19, 20, 47, 49, 16]. We compare our scheme with these systems in Table 1.

Léauté et al. [17] proposed a scheme to ensure the privacy of users while minimizing the cost of logistics operation. The scheme formalizes the problem as a Distributed Constraint Optimization Problem (DCOP) [33], and combines various techniques of cryptography. But the disadvantage of this scheme [17] is that the anonymization of users is not considered. In [16], Frank et al. proposed a set of protocols for tracking logistics information, which is a light-weight privacy protection mechanism.

To solve the problem of privacy leakage caused by stolen express order number, Wei et al. [49] proposed a k-anonymous model to protect logistics information. However, the method only protects a part of users’ personal information, because the names and telephone numbers of receivers are directly printed on the express bills for delivery.

To improve the security of [49], Qi et al. [19] proposed a new logistics management scheme based on encrypted QR code [47]. After a courier scans the encrypted QR code by using an APP, the logistics information of products in the database is automatically updated through GPRS or Wi-Fi. The APP provides an optimal delivery route for couriers. However, the problem of [19] is that users’ personal information is still visible to the internal staff of express companies. In addition, Laslo et al. [47] proposed a traceable LIS based on QR code. However, this scheme does not consider privacy protection.

Furthermore, Gao et al. [31] proposed a secure LIS, named LIP-PA, which can protect the logistics process information between different logistics stations, but the protection of users’ personal information is not considered well. Hence, the privacy of users in LISs [31, 19, 47] was not fully considered.

Liu et al. [20] designed an LIS based on the Near Field Communication (NFC) [51] technology. In [20], users’ personal information was hidden in tags, and only authorized people can access information. However, because of the limitation of computation power, the scheme cannot perform complex encryption and decryption processes.

In summary, above schemes addressed the privacy issues in LIS, but these schemes did not consider the track of delievery process and the trace of illegal users. However, these are important issues in LISs. Therefore, to solve these problems, we propose a new privacy-preserving LIS called PPLIST.

Systems Anonymity Traceability Security Proof
Gao et al.[31]
Léauté et al.[17]
Qi et al.[19]
Liu et al.[20]
Laslo et al.[47]
Wei et al.[49]
Frank et al.[16]
Our PPLIST
Table 1: The Comparison between Our Scheme and Related Schemes

1.1.3 Multi-Signature

Multi-signature, also called multi-digital signature, is an important branch of digital signature. Multi-signature is suitable to the case where multiple users sign on a message, and a verifier is convinced that each user participated in the signing [7].

Itakura [35] first proposed the concept of multi-signature, and proposed a multi-signature scheme with fixed number of signatures. Then, many multi-signature schemes were proposed [9, 4, 6, 43, 2, 44]. The multi-signature generation time of schemes [35, 44] is linear with the number of signers. Okamoto et al. [2] proposed a muti-signature scheme, but it, like scheme [43], only allows each signer in a group to sign the message. It’s inflexible. Furthermore, Ohta and Okamoto [43] formlized the security model of multi-signature. However, this scheme did not consider the security of the key generation process, so its security is not strong. Based on [43], Micali et al. [6] proposed a formal and strong security model for multi-signature. Bellare and Neven [9] proposed a new scheme and proved its secure in the plain public-key model. This scheme improved the efficiency of previous multi-signature schemes.

Since it enables multiple signers to collabratively sign on a message, multi-signature has been used into various application scenarios, such as [41, 48, 25, 22]. Shacham [8] proposed a sequential aggregate multi-signature scheme. The scheme computed the final multi-signature by sequentially aggregating the signatures from multiple signers. However, the data transmission of [8] is large. To solve this problem, Neven [41] presented a new sequential aggregate multi-signature scheme based on [8]. The scheme of [41] reduces signing and verification costs effectively.

Tiwari et al. [48] proposed a secure multi-proxy multi-signature scheme. It does not need paring operations, and reduces the running time. The scheme is aslo secure against the attack of selected messages. However, Asaar et al.[25] found the scheme in [48] is insecure, and proposed an identity-based multi-proxy and multi-signature scheme without pairing. The security of this scheme was reduced to the RSA assumption in the random oracle model by using the Forking Lemma technique [11].

Recently, Dan et al.[22] proposed a new multi-signature scheme. Signature compression and public-key aggregation were used in the scheme. Therefore, when a group of signers signed a message, the verifier only needs to verify the final aggregate signature. The advantage of this scheme is that the size of final aggregate signature is constant and independent of the number of signers. Furthermore, this scheme is secure against rogue-key attacks. When constructing our PPLIST, we apply the scheme [22] to record the whole logistics process and reduces the storage cost.

1.1.4 Pseudonym

Pseudonym is a method that allows users to interact anonymously with other organizations. Because pseudonym is unlinkable, it can effectively protect the information of a user’s identity [45] among multiple authentications. The common pseudonym generation techniques are as follows [28]: 1) Encryption with public key; 2) Hash function; 3) Keyed-hash function with stored key; 4) Tokenization.

Chaum [27] found that pseudonym enables users to work anonymously with multiple organizations, and users can use different pseudonyms in different organizations. Because of the unlinkability of pseudonym, no organization can link a user’s pseudonyms to her identities. Later, Chaum and Evertse [1] presented a pseudonym model scheme based on RSA. However, the scheme needs a trusted center to complete the sign and transfer of all users’ credentials.

To reduce the trust on the trusted center, Chen [3] proposed a scheme based on the discrete logarithm assumption. The scheme also needs a trusted center, but the trusted center is only required for pseudonym verification. Although Chen’s scheme is less dependent on the trusted center than the scheme [1], the trusted center was still required.

In order to enable users to have the initiative in the pseudonym system, Lysyanskaya et al. [5] proposed a new scheme. In this scheme, a user’s master secret key was introduced. If the master secret keys are different, the information of users’ identities must be different. In addition, the pseudonym certificate submitted by a user to an organization only corresponds to the user’s master public key and does not disclose the information of his master secret key.

Pseudonym has been applied in some schemes [34, 36] to protect users’ privacy. To reduce the communication cost of traditional pseudonym systems in Internet of Vehicles, Kang et al. [36] proposed a privacy-preserved pseudonym scheme. In this scheme, the network edge resources were used for effective management, and the communication cost was effectively reduced.

In [34], Han et al. proposed an anonymous single sign-on (ASSO) scheme. In this scheme, pseudonym was applied to protect users’ identities. A user uses his secret key to generate different pseudonyms, and obtains a ticket from a ticket issuer anonymously without releasing anything about his real identity. Furthermore, a user can use different pseudonyms to buy different tickets and the ticket issuer cannot know whether two tickets are for the same user or two different users. In our PPLIST scheme, to protect users’ privacy, we apply the pseudonym developed in [34] to enable users to use logistics services anonymously and unlinkably.

1.2 Paper Organisation

The remainder of this paper is organised as follows. Section 2 presents the preliminaries used in our scheme, and describes the formal definition and security model of our PPLIST scheme. Section 3 provides the construction of our scheme. The security proof and implementation of our scheme are presented in Section 4 and Section 5, respectively. Finally, Section 6 concludes this paper.

2 Preliminaries

In this section, the preliminaries used throughout this paper are introduced, including bilinear group, complexity assumptions, formal definition and security model. Table 2 summaries the notations used in this paper

Notation Explanation Notation Explanation
A security parameter Pseudonym The pseudonym of
The i-th logistics station Public parameters
User PPT Probable polynomial-time
The trace party A bilinear group generator
YA The aggregation of x is randomly selected from
AgY A set of selected public keys Cryptographic hash functions
The aggregation of signatures The i-th single signature
The proof of user’s ownership I A set consisting of the indexes
d The number of elements in of selected logistics stations
q A prime number
Table 2: Notation Summary

The framework of our PPLIST is presented in Fig. 1. The system first generates the public parameters . Then, each entity (e.g. logistics station, user and the trace party) generates its secret-public key pair. Prior to ordering a service, the user generates a pseudonym by using his secret key. The system determines the delivery path, and then generates the aggregated public key of the selected logistics stations. After that, each selected logistics station generates its single signature on the product information, pseudonym and aggregated public key, and then passes it to the next selected logistics station. Finally, the last selected logistic station generates its signature and the aggregate signature . To obtain a product, the user needs to prove that he is the owner by generating a proof of the knowledge included in the pseudonym. The user can verify whether the product is delivered correctly by checking the aggregate signature . In the case that the identity of a user needs to be traced, the trace party can use his secret key to de-anonymous the pseudonym, and find the user’s identity.

Figure 1: The Framework of Our PPLIST Scheme

2.1 Bilinear Group

Let be cyclic groups with prime order . A map is a bilinear map if it satisfies the following properties: (1) Bilinearity: For all , , , ; (2) Non-degeneration: For all , , , where is the identity element in ; (3) Computability: For all , , there exists an efficient algorithm to compute .

Let be a bilinear group generator which takes as input a security parameter and outputs a bilinear group .

A function is negligible if for any , there exist a such that when .

2.2 Complexity Assumptions

Definition 1 (Computational Diffie-Hellman (CDH) Assumption [10])

Let , and be generator of , respectively. Suppose that . Given a triple , we say that the assumption holds on if all adversaries can output with a negligible advantage, namely .

Definition 2 (Discrete Logarithm (DL) Assumption [32])

Let be a cyclic group with prime order , and be a generator of . Given , we say that the assumption holds on if all adversaries can output a number such that with a negligible advantage, namely .

2.3 Formal Definition

A PPLIST scheme is formalized by the following eight algorithms:

The algorithm takes the security parameters as input and outputs the public parameters .

This algorithm consists of the following sub-algorithms:

  • This algorithm is executed by each logistics station . takes the security parameters as input, and outputs his secret-public key pair , where .

  • This algorithm is executed by a user . takes the security parameters as input, and outputs his secret-public key pair .

  • This algorithm is executed by a trace party . takes the security parameters as input, and outputs his secret-public key pair .

This algorithm is executed by . takes as input his secret key , the public key of the trace party and the public parameters , and outputs a pseudoym .

Let be a set which consists of the indexes of some selected logistics stations. This algorithm takes as input the public parameters and the public keys of selected logistics stations, and outputs the aggregated public key .

This algorithm consists of the following sub-algorithms:

  • This algorithm is executed by each selected logistics station . takes as input its secret key , the aggregated public key , product information and the public parameters , and outputs a signature , where .

  • This algorithm takes as input the public parameters and signatures , and outputs a final signature .

This algorithm is executed between and .

  • takes as input his secret key , the public key , his pseudonym and the public parameters , and outputs a proof .

  • The verifier takes as input the public parameters , and outputs if the proof is valid; otherwise, it outputs to show the proof is invalid.

This algorithm takes as input the public parameters , the final signature , the pseudonym , the aggregated public key and product information , and outputs if signature is valid; otherwise, it outputs to show it is an invalid signature.

This algorithm is executed by . takes as input his secret key , the pseudonym , the aggregated public key , the final signature , product information and the public parameters , and outputs public key if the signature is valid; otherwise, it outputs to show failure.

2.4 Security Requirements

The security model of our scheme is defined by the following two games.

2.4.1 Unforgeability.

This is used to define the unforgeability of signature, namely even if users, the trace party and the other stations collude, they cannot forge a valid signature on behalf of the selected logistics stations. This game is executed between a challenger and a forger .

Setup.

runs and sends to .

Key-Generation Query.
  1. asks the public key of stations. runs and sends the station’s public key to .

  2. When asks a urse’s secret-public key pair, runs and sends to . Let be a set of users’ public key.

  3. When asks the secret-public key of the trace party, runs and sends to .

User-Pseudonym Query.

submits a and the public key of the trace party, runs and sends to . Let be a set of pseudonyms of users.

Public-Key-Aggregation Query.

Let be a set which consists of the indexes of some selected logistics stations and let be the number of elements in the set . submits a group of selected stations’ public keys. runs , where . returns to .

Sign Query.

adaptively submits selected station’s secret key , the aggregation of public key , and pseudonym and the product information to ask for a single signature up to times.

Output.

outputs a forged signature , a final signature , pseudonym and the product information , the public keys of selected logistics stations and the aggregated public keys . wins the game if , has not conducted signature query on the message , and .

Definition 3

A privacy-preserving logistics information system with traceability is unforgeable if all probabilistic polynomial-time (PPT) forger who makes signature queries can only win the above game with a negligible advantage, namely

(1)

2.4.2 Traceability.

This is used to formalise the traceability of our scheme, namely an attacker cannot frame a user who did not use the logistics services. We suppose that at least one station is honest. This game is executed between a challenger and an attacker .

Setup.

runs and sends to .

Key-Generation Query.
  1. can ask for the public key of each station. runs and sends the station’s public key to .

  2. When asks a urse’s secret-public key pair, runs . Let the secret-public key pair of be . sends other users’ secret-public key pair and to . Let be a set consisting of users’s public keys.

  3. When asks the secret-public key pair of the trace party, runs and sends to .

User-Pseudonym Query.

submits a user’s and the public key of the trace party, runs and sends to . Let be a set of pseudonyms of users.

Public-Key-Aggregation Query.

Let be a set which consists of the indexes of some selected logistics stations and let be the number of elements in the set . submits a group of selected stations’ public keys. runs , where . returns to .

Sign Query.

adaptively submits a selected station’s secret key , the aggregation of public key , and pseudonym and the product information to ask for a single signature up to times.

Output.

outputs a tuple . wins the game if with or .

Definition 4

A privacy-preserving logistics information system with traceability is traceable if all probabilistic polynomial-time (PPT) adversary who makes signature queries can only win the above game with a negligible advantage, namely

(2)

3 Construction of Our Scheme

In this section, we introduce the construction of our scheme. We firstly present a high-level overview, and then describe the formal construction of our scheme.

3.1 High-Level Overview

The high-level overview of our scheme is as follows.

Setup.

The system generates the corresponding public parameters .

Key-Generation.

Suppose that there are logistics stations. Each , and generate their secret-public key pairs , and , where .

User-Pseudonym.

In order to protect privacy in a delivery process, generates a pseudonym by using his secret key and public key .

Public-Key-Aggregation.

According to product information, the system determines the logistics process by selecting a set of logistics stations . Let be a set consisting of the public keys of the selected logistics stations. For each service, a table is built to record its delivery information. The system uses the public key of each and the set to generate to resist the rogue key attacks, where . Then, the system generates the aggregated public key .

Sign.

Each selected logistics station uses his secret key to generate a signature on pseudonym and the product information , and sends to the next logistics stations. Finally, the last logistic station use his secret key to generate a single signature on pseudonym and the producte information , and compute the aggregated signature . also adds to the table .

User-Ownership-Verify.

When proves to the last logistic station that he is the owner of the product, he proves that his secret key is included in the pseudonym by executing a zero-knowledge proof with . If the proof is correct, is the owner of the product; otherwise, he is not the owner of the product.

Verify.

When receives a product, he checks whether the product was delivered correctly by checking the validity of the aggregate signature . If it is, the product is delivered correctly; otherwise, there are some problems in the delivery process.

Trace.

Given , in the case that a user needs to be de-anonymized, the trace party first checks whether the signature is correct or not. If it is incorrect, aborts; otherwise, users his secret key to de-anonymize the Pseudonym and get ’s public key .

3.2 Formal Construction

The formal construction of our PPLIST scheme is formalised by the following eight algorithms:

Setup.

The system runs with . Let be a generator of and be a generator of . Suppose that and are cryptographic hash functions. The public parameters are .

Key-Generation.
  • Each logistics station selects and computes . The secret-public key pair of is , where .

  • Each selects and computes . The secret-public key pair of is .

  • selects and computes . The secret-public key pair of is .

User-Pseudonym.

To generate a pseudonym for a product information , firstly computes and then computes . The pseudonym is .

Public-Key-Aggregation.

Let be a set consisting of the public keys of the logistics stations which will deliver the product to the user. The system firstly computes , and then computes . Let be a record of the product information . The system adds it into the table .

Sign.

When receiving a product, each computes . sends to for . Finally, computes and . Subsequently, adds it into the record of in the table .

User-Ownership-Verify.

To prove the ownership of the product to the last logistics station . and work as follows.

  • selects and computes .

  • sends to . selects , and returns it to .

  • computes , and , and returns to .

  • verifies , and . If these equations hold, it outputs to show that is the owner of the product; otherwise, it outputs to show that is not the owner of the product.

Verify.

verifies . If the equation holds, it outputs to show that the delivery process is correct; otherwise, it outputs to show that there are some errors in the delivery.

Trace.

In the case that the identity of who selected the product needs to be revealed, searches in the table , and finds the record firstly. Then, verifies . If it is not, quits the system immediately; otherwise, computes , and confirms the identity of user.

4 Security Analysis

In this section, the security of our scheme is formally proven.

Theorem 4.1

Our privacy-preserving logistics information system with traceability (PPLIST) is unforgeable if and only if the computational Diffie-Hellman (CDH) assumption holds on the bilinear group and are two random oracles and is a cryptographic hash function, where is the number of signature queries made by the forger , and .

Proof

Suppose that there exists a forger that can break the unforgeability of our scheme, we can construct an algorithm which can use to break the CDH assumption. Given , the aim of is to output .

Setup.

selects . The public parameters are .

responds to the queries of about the random oracle .

  • queries the hash function of a pseudonym and a message . selects ,and sets ,where . sends to and adds into the table .

  • queries the hash function of a pseudonym and a message . sends to , and adds into the table .

responds to the queries of about the random oracle . Let is the index of .

  • when , selects and sets . returns to and adds into the table .

  • when , selects and sets . returns to , and adds into the table .

Key-Generation Query.
  • picks a station from . For the -th logistics station key generation query, selects , and computes where . returns to . For the -th logistics station key generation query, returns to .

  • selects , and compute . sends the secret-public key pair to .

  • selects , and compute . sends the secret-public key pair to .

User-Pseudonym Query.

submits a product information . computes firstly, then computes , . sends to .

Public-Key-Aggreation Query.

submits a group of logistics stations’ public-key and sets . searches in , and gets , where . computes , and sends to .

Sign Query.

responds to the queries of about the single signature :

  • Since , asks about the single signature of the logistics station on a pseudonym and the message . computes . sends to .

  • Since , asks about the single signature of station on a pseudonym and a message . computes . sends to . can ask for many times.

  • asks about the single signature of station on a pseudonym and the message . aborts.

Output.

outputs a forged final signature . According to the above situations, can make queries of random oracles and signature generations, respectively. By using Forking lemma technique, for two queries of the random oracle on the -th station, selects and with . For other selected stations, sets and with . Hence, . If can forge a valid signature, have and , respectively. Then, computes