Keywords

1 Introduction

The development of Internet technology promotes the development of various industries toward automation and intelligence. The intelligent development of the electric power industry gives birth to the smart grid. “Smart grid” is defined as the automatic transmission network that can supervise and control each node. It can ensure the two-way flow of information and power throughout the transmission and distribution process from the power plant to the end user. At this stage, the scale of the smart grid is constantly expanding, and a large amount of data is generated during the operation of the smart grid. Through the analysis of these massive user data, so as to provide users with more intelligent and rational power services is the key to distinguishing smart grids from traditional power grids. The goal of the smart grid is to provide residents and commercial users with more reliable, efficient and controllable power services. However, there are many security and privacy issues in the transmission of user data in the smart grid, such as malicious tampering of electricity consumption data, eavesdropping on user privacy data, and so on. These privacy leakage issues have affected people’s information on the smart grid and seriously hindered the development of the smart grid. Therefore, how to protect the privacy of user data in the smart grid has become a top priority.

It is necessary to propose a privacy protection scheme that guarantees the conditional anonymity of user identities in the smart grid, and the control center can obtain fine-grained data on the user’s electricity consumption, and at the same time verify the integrity of the data. The group-blind signature technology [1,2,3] provides a new idea for us to realize the conditional anonymity and privacy protection of users in the smart grid. It has the characteristics of group signature and blind signature at the same time. Due to the high anonymity of the group-blind signature scheme and the traceability that can guarantee conditional anonymity, more and more new practical schemes are proposed by domestic and foreign scholars [4, 5], and they are applied in various fields to ensure security [6,7,8,9].

In this paper, we apply the group-blind signature scheme to the smart grid, and propose a group-blind signature scheme that realizes privacy protection in the smart grid, ensuring the conditional anonymity of user identity information and the privacy protection of consumer data. At the same time, we use the homomorphic tag mechanism to verify the integrity of user data and achieve fine-grained data aggregation.

2 Preliminaries

2.1 Group Blind Signature

A. Lysyanskaya and Z. Ramzan combined group signature and blind signature for the first time in 1998 to design the first group-blind signature scheme-Lys98 scheme [10], and used this scheme to construct an online and anonymous electronic Cash system. The scheme usually contains three entities, including group manager, group members, and external users. A standard group-blind signature scheme consists of the following five algorithms.

  1. (1)

    Setup: A probabilistic polynomial algorithm is used to generate the group public key y and the group manager’s management private key SGM.

  2. (2)

    Join: The new member interacts with the group manager, and a probabilistic polynomial algorithm generates member keys and member certificates.

  3. (3)

    Sign: Group members interact with an external user, through the message m input by the external user and the signer’s private key, a probabilistic polynomial algorithm generates the signature σ.

  4. (4)

    Verify: Input (m, σ, y), a probabilistic polynomial algorithm to determine the correctness of the signature σ on the message m and the group public key y.

  5. (5)

    Open: A probabilistic polynomial algorithm that output identify of the signer by inputting the signature σ and group manger’s private key.

2.2 Schnorr Identification Protocol

Schnorr identification protocol was proposed by Claus Schnorr in [11] and its security is based on the discrete logarithm problem. We assume that Prover(P) interactive with Verifier(V) in three-rounds protocol to prove that he owns w such that \({\text{W}} = {\text{g}}^{{ - {\text{w}}}} \;{\text{mod}}\;{\text{q}}\). The flowchart of Schnorr identification is shown in Fig. 1.

Fig. 1.
figure 1

The flowchart of Schnorr identification

Full size image
  1. (1)

    P randomly chooses number \({\text{r}} \in Z_{q}^{*}\) and calculates \(R = g^{r} \;mod\;q\) then sends R to V.

  2. (2)

    V randomly picks \({\text{e}} \in \left[ {0,2^{t} - 1} \right]\), security of the protocol is based on the parameter t, which means the protocol will be safer with the increase of t, and send e to P.

  3. (3)

    P calculates S = (r + w · e) mod p and sends it to V.

V will verify whether the Eq. \({\text{R}} = {\text{g}}^{{\text{s}}} \cdot {\text{W}}^{{\text{e }}} \;{\text{mod}}\;{\text{q}}\) is set up and accept that P knows w only if the equation holds.

3 System Model and Adversary Model

3.1 System Model

The system model of the scheme in this paper involves the working relationship of the three entities. Control Center (CC), which can generate system parameters, entity registration, data validation, and conditional tracking of other entities. Smart Substation (SS), which can directly interact with the user, verify the user’s identity, and generate blind signatures. Smart meters (SM), which record data in real time, regularly send a whole period consumption data, so there is a threat of data tampering. The relationship between the three entities is shown in Fig. 2. In addition, the scheme in this paper has traceability, and CC can obtain the identity of the signer or revoke the anonymity of the user when signature verification or message validation fails.

3.2 Adversary Model

The adversary of the scheme in this paper can not only eavesdrop on the channel between the user and SS, but also attempt to tamper with the data and destroy the stability of the system. There are two main types of adversaries in the adversary model, one is an external adversary who is not in the data collection model, and the other is an internal adversary who has user’s identity:

  1. (1)

    External adversaries can obtain user consumption information by eavesdropping on the channel between SM and SS. The malicious forgery and replacement of consumer information by the adversary will threaten the integrity of the data.

  2. (2)

    There are two types of internal adversaries. One is honest but curious which they want to get the consumption information of other users, but they don’t want to change any data. The other is malicious users who try to tamper with their consumption data.

4 Our Scheme

The scheme proposed in this paper includes five stages: (1) system initialization, (2) user anonymous authentication and data reporting, (3) message signatures, (4) verifying correctness of signature and integrity of data, (5) trace the signer or users. We plan to use SMi/Ui to distinguish the different user and use the Si to indicate the number of SS. In the phase of data reporting, for simplicity, we simulate only one case where the user reports consumption data.

Fig. 2.
figure 2

Relationship between the three entities

Full size image

4.1 System Initialization

(1) System parameter generation and releasing:

  • Step 1: CC chooses two big distinct prime p and q which satisfying p|q − 1 and computes n = pq.

  • Step 2: CC calculates the RSA public key pair (e, d) which satisfies ed ≡ 1(mod φ(n)), where φ(n) is Euler function. The group public key and group private key are e and d respectively.

  • Step 3: CC chooses a cyclic group G < g > which is subgroup of \({\mathrm{Z}}_{\mathrm{q}}^{*}\). While, CC randomly chooses the element x and calculates \({\text{y}} = {\text{g}}^{{\text{x}}} \;{\text{mod}}\;{\text{n}}\). Hence, group manager’s public key and private key are y and x respectively.

  • Step 4: CC publicly chooses secure anti-collision hash function \(\mathrm{H}:{\{\mathrm{0,1}\}}^{*}\to {\{\mathrm{0,1}\}}^{\mathrm{k}}\),\( {\mathrm{H}}_{1}:{\{\mathrm{0,1}\}}^{*}\to {\mathrm{Z}}_{\mathrm{q}}^{*}\).

  • Step 5: CC releases the public parameter P = {n, e, G, g, y, H, H1}.

(2) The phase of registering:

  • Step 1: If new group member (SS) wants to join the group, SS randomly chooses the number \({\mathrm{x}}_{\mathrm{i}}\in {\mathrm{Z}}_{\mathrm{q}}^{*}\) and sends it to the group manager (CC). CC randomly chooses \({\mathrm{y}}_{\mathrm{i}}\in {\mathrm{Z}}_{\mathrm{q}}^{*}\) and calculates \({\text{C}} = {\text{y}}^{{{\text{y}}_{{\text{i}}} }} {\text{x}}_{{\text{i}}} \;{\text{mod}}\;{\text{n}}\), and \({\text{C}}_{1} = {\text{g}}^{{{\text{y}}_{{\text{i}}} }} \;{\text{mod}}\;{\text{n}}\). The group member signed private key is yi, the group member signed private key is C1, Group manager Storage Group Member Certificate xi, and returns PK = (C,C1) group member’s certificate xi and yi to SS.

  • Step 2: Useri opens an account in CC and gets infori = (IDi∣|address|∣timestack), CC encrypts the user information infori to (infori)e with the group public key e and stores it in its own database, Useri will hold the public value \({\text{gt}}_{{\text{i}}} = \left( {{\text{H}}\left( {{\text{infor}}_{{\text{i}}} } \right)^{{\text{x}}} } \right)\;{\text{mod}}\;{\text{n}}\). CC installs smart meter at user’s home. SMi randomly chooses zi to calculate \({\text{I}}_{{\text{i}}} = {\text{g}}^{{{\text{z}}_{{\text{i}}} { }}} \;{\text{mod}}\;{\text{n}}\) as his own id information and sends Ii to CC, and CC sends the value of Ii to SS.

4.2 User Anonymous Authentication and Data Reporting

(1) User anonymous authentication:

Each SM tries to convince SS that he is valid user by using Schnorr identification protocol and then send the encrypted message to SS. The detailed process is shown in the Fig. 3.

  • Step 1: SMi random chooses \({\mathrm{t}}_{\mathrm{i}}\in {\mathrm{Z}}_{\mathrm{q}}^{*}\) and calculates \({\text{T}} = {\text{g}}^{{{\text{t}}_{{\text{i}}} }} \;{\text{mod}}\;{\text{n}}\) and sends to SS.

  • Step 2: SS calculates cb = H(T‖timestack) and sends cb to user.

  • Step 3: User calculates si = ti–cbzi and sends Si to SS.

  • Step 4: SS verifies the \({\mathrm{c}}_{\mathrm{b}}=\mathrm{H}({\mathrm{g}}^{{\mathrm{S}}_{\mathrm{i}}}{\mathrm{I}}_{\mathrm{i}}^{{\mathrm{c}}_{\mathrm{b}}}||\mathrm{timestack})\).

Fig. 3.
figure 3

User anonymous authentication

Full size image

(2) Data reporting:

SS will receive the user’s encrypted data after verifying the meter. Take a user Userk as an example, the electricity bill data generated by one day is m.

  • Step 1: The number of blocks of consumption data reported per day is limited by the security parameter λ. Set the safety parameter λ to 24, SM should generate 24 data blocks a day. Structure of 24 blocks generated by SMk shows in Fig. 4. Each block represents an hour of electricity consumption data, containing attribute values for the l dimension.

  • Step 2: SM generates another random number \(\mathrm{stk}\in {\mathrm{Z}}_{\mathrm{q}}^{*}\) as the secret tag key. Then SM outputs the public tag key \(ptk = gt_{k}^{stk} \;mod\;n\).

  • Step 3: SMk will generate l random values {mx1, mx2, mx3, … …, mxl} and calculate \({\text{u}}_{{\text{j}}} = {\text{gt}}_{{\text{k}}}^{{{\text{mx}}_{{\text{j}}} }} \;{\text{mod}}\;{\text{n}}\) for \({\text{j}} \in [1,{\text{l]}}\). For each data block mi, it computes a data tagi. SMk will generate tag for every data block (24/λ/day) by calculating the \({\text{tag}}_{{\text{i}}} = ({\text{H}}({\text{MID}}\left\| {\text{i}} \right.) \cdot \prod\nolimits_{{{\text{j}} = 1}}^{{\text{l}}} {{\text{u}}_{{\text{j}}}^{{{\text{m}}_{{{\text{ij}}}} }} } )^{{{\text{stk}}}}\), in which MID is the abstract of data and i is the block number of mi, SMk outputs the set of data tags Tag = {tag1, tag2, tag3, … …, tagi}, \(\mathrm{i}\in [\mathrm{1,24}/\uplambda ]\).

  • Step 4: SM encrypts (m‖tag) by using public key e. By doing so, we ensure that no other entity can learn the consumption information, other than group private key owner CC. Then SMk calculates M = (m‖tag)e and H1(m).

Fig. 4.
figure 4

Structure of 24 blocks generated by SMk

Full size image

4.3 Blindly Signature on the Message

Generate the signature: The process is shown in the Fig. 5.

  • Step 1: Signer randomly chooses \(\mathrm{k}\in {\mathrm{Z}}_{\mathrm{p}}^{*}\), calculates r' = gk mod n, and sends the r' to SMk, SMk randomly chooses a, b and calculates the blind factor r = r'agb mod n = gak+b mod n. Then calculates \({\text{H}}_{1} \left( {\text{m}} \right)^{\prime } = {\text{a}}^{ - 1} {\text{rH}}_{1} \left( {\text{m}} \right)\;{\text{mod}}\;{\text{n}} - 1\), sending the H1(m) to SS.

  • Step 2: Signers SS to calculate the signature \({\upsigma }^{*}=(\mathrm{r},{\mathrm{s}}^{*},\mathrm{C},{\mathrm{C}}_{1})\) for blind messages, where \({\text{s}}^{*} = {\text{H}}_{1} ({\text{m}})^{\prime}{\text{y}}_{{\text{i}}} + {\text{k }}\;{\text{mod}}\;{\text{n}} - 1\), \({\text{r}} = {\text{r}^{\prime}}^{{\text{a}}} {\text{g}}^{{\text{b}}} \;{\text{mod}}\;{\text{n}} = {\text{g}}^{{{\text{ak}} + {\text{b}}}} \;{\text{mod}}\;{\text{n}}\)\(,\) \(\mathrm{C}={\mathrm{y}}^{{\mathrm{y}}_{\mathrm{i}}}{\mathrm{x}}_{\mathrm{i}},\) \({\mathrm{C}}_{1}={\mathrm{g}}^{{\mathrm{y}}_{\mathrm{i}}}\).

  • Step 3: The SMk extracts the H1(m)’s signature from the signature of the blinded message, then gets the signature σ = (r, s, C, C1), and sends the M and the σ together to the CC by calculating the \({\text{s}} = {\text{as}}^{*} + {\text{b }}\;{\text{mod}}\;{\text{n}} - 1\).

Fig. 5.
figure 5

Generate the signature

Full size image

4.4 Verification and Traceability

  1. (1)

    Verify the signature’s correctness and the data’s integrity:

Step 1: CC decrypts M by using group private key d and gets the consumption information (mǁTag) and computes H1(m).

Step 2: CC verifies the correctness of the signature by judging whether or not the Eq. (1) is established. If the signature is verified correctly, it is proved that m was not tampered with during the transmission after being signed by SS.

$$ g^{s} = rC_{1}^{{rH_{1} \left( m \right)}} $$
(1)

Step 3. If the signature is valid, verify M by using the Tag to test whether the data has been modified. CC decrypts M to get \(\mathrm{Tag},\mathrm{m},{\mathrm{u}}_{\mathrm{j}}\), so CC can calculate the following values:

$$ TG = \prod\nolimits_{i = 1}^{24/\lambda } {tag_{i} } $$
(2)
$$ MG_{j} = \prod\nolimits_{i = 1}^{24/\lambda } {m_{ij} } $$
(3)
$$ DG = \prod\nolimits_{j = 1}^{l} {e\left( {u_{j} ,ptk} \right)^{{MG_{j} }} } $$
(4)
$$ HS = \prod\nolimits_{i = 1}^{24/\lambda } {h(MID\parallel i)} $$
(5)

Step 4: The CC then verifies whether Eq. (6) is set up every 24 h:

$$ DG \cdot e\left( {HS,ptk} \right) = e\left( {TG,gt_{k} } \right) $$
(6)

Step 5: If Eq. (6) is setting up, we can sure that the consumer’s information has not been modified. If not, CC will revoke the anonymity of user to check whether user or external adversary have changed the consumer’s information.

  1. (2)

    Trace the identify of signer and revoke the anonymity of user:

Step 1: If we find that there is controversy when verifying the signature equation, CC can open the signature to verify signer’s identity xi and find the information of SS by using the CC’s private key.

$$ x_{i} = C/C_{1}^{x} = y^{{y_{i} }} x_{i} /g^{{y_{i} x}} $$
(7)

Step 2: If Eq. (6) isn’t established, we know that the integrity of m has been destroyed, the anonymity of user will be revoked by CC to check whether adversary or user have changed data. Due to different SM has different gt, when CC acquires mǁTag and corresponding gt. CC uses the group private key d to decrypt (infori)e in the database to obtain infori, and uses the decrypted information to calculate gti.

$$ gt_{i} = H\left( {infor_{i} } \right)^{x} \; mod\;n = H\left( {ID_{i} \left| {\left| {address} \right|} \right|timestack} \right)^{x} \;mod\;n $$

Then, compare gti with the original gt to ensure the identity of user.

5 Security Analysis

The security of the proposed scheme is based on the assumption of several difficult problems, including the discrete logarithm problem and the integer decomposition problem. In addition, this scheme is based on Schnorr’s identification protocol and the security of RSA encryption. The following is to prove that the proposed scheme has authentication, privacy-preserving, traceability, unforgeability and anonymity. The specific analysis is as follows:

5.1 Authenticatability

Authenticatability means that only legal users can upload their consumption information to SS. In our data reporting protocol, SS will verify the validity of consumers’ identity. Only verifying successfully, SS can give a blind signature to data and send encrypted data with signature to CC. In the authenticated process, we use Schnorr identification protocol to authenticate the user’s identity.

Theorem 1.

The Schnorr identity protocol is an interactive protocol with the participation of certifier A and honest verifier B. If A and B successfully run the protocol, B is always convinced of A’s identity.

Proof.

$$ c_{b} = H(T|{|}timestack{)} $$
$$ = H\left( {g^{{t_{i} }} |{|}timestack} \right) $$
$$ = H(g^{{S_{i} + c_{b} z_{i} }} ||timestack) $$
$$ = Hg^{{S_{i} }} I_{i}^{{c_{b} }} ||timestack) $$

SS can be calculated \({\mathrm{g}}^{{\mathrm{S}}_{\mathrm{i}}}{\mathrm{I}}_{\mathrm{i}}^{{\mathrm{c}}_{\mathrm{b}}}\) and compared with T. Therefore, SS will accept SM’s proof of identity as long as SS and SM can follow the protocol.

5.2 Privacy Protection

Theorem 2.

The adversary cannot obtain the consumption information of the user in the initial and intermediate stages.

Proof. In the two phrases of data reporting and blind signature, the adversary and SS have the ability to obtain the encrypted user’s consumption information M, but cannot directly obtain the private key of the CC. So the possible way is to divide the large prime number into p and q, assuming that factoring N into the correct p and q has a non-negligible possibility ϵ in the polynomial time algorithm. However, there is no effective algorithm to solve the problem of prime number factorization. Therefore, our scheme can effectively protect the privacy of user’s consumption information.

5.3 Anonymity

If M is compromised, the scheme is anonymous and the adversary cannot obtain the identity of the owner of the information.

Theorem 3.

Even if the adversary can crawl into the private database of CC and steal the decrypted information m and Tag, A can’t infer the identity of the user by analysing the consumption information m.

Proof. If Adversary tries to infer the identify of data owner, the only way is to get gtk from \({\mathrm{tag}}_{\mathrm{i}}={(\mathrm{H}(\mathrm{MID}||\mathrm{i})\cdot {\prod }_{\mathrm{j}=1}^{\mathrm{l}}{\mathrm{u}}_{\mathrm{j}}^{{\mathrm{m}}_{\mathrm{ij}}})}^{\mathrm{stk}}\) and compare to \({\text{H}}_{1} ({\text{infor}}_{{\text{i}}} )^{{\text{x}}} \;{\text{mod}}\;{\text{n}}\). However, Adversary has no capacity for getting gtk because of solving the discrete logarithm problem is hard. Adversary cannot link m to user identity information, so anonymity is guaranteed.

5.4 Unforgeability

Unforgeability refer to the fact that external adversary can’t forge or tamper with the file. In our scheme of data reporting, the meter will set security parameter λ in advance to control the times of reporting. If the security parameter is λ, the frequency of sending report is 24h/λ. At the same time, we introduce the homomorphic tag mechanism to verify whether the original data has been modified.

Theorem 4.

If our scheme has been correctly performed by all entities, the Eq. (6) will hold when the CC executes the verification.

Proof. The correctness of our verification Eq. (6) is elaborated as follows:

$$ Left = DG \cdot e\left( {HS,ptk} \right) = \prod\nolimits_{j = 1}^{l} {e\left( {u_{j} ,ptk} \right)^{{MG_{j} }} } \cdot e\left( {HS,ptk} \right) $$
$$ Right = e\left( {TG,gt_{k} } \right) = e\left( {\prod\nolimits_{i = 1}^{24/\lambda } {tag_{i} } ,gt_{k} } \right) = e\left( {\left( {\prod\nolimits_{i = 1}^{24/\lambda } {({\mathcal{H}}(MID||i)} \cdot \prod\nolimits_{j = 1}^{l} {u_{j}^{{m_{ij} }} } } \right) ^{stk} ,gt_{k} } \right) = e\left( {\left( {\prod\nolimits_{i = 1}^{24/\lambda } {({\mathcal{H}}(MID||i) } } \right) ^{stk} ,gt_{k} } \right) \cdot e\left( { \prod\nolimits_{j = 1}^{l} {\prod\nolimits_{i = 1}^{24/\lambda } {u_{j}^{{m_{ij} stk_{ } }} } } ,gt_{k} } \right) $$
$$ = e\left( {HS,gt_{k}^{stk} } \right) \cdot e(\mathop \prod \limits_{j = 1}^{l} u_{j}^{{\sum\nolimits_{i = 1}^{24/\lambda } {m_{ij} } }} ,gt_{k}^{stk} ) $$
$$ = e\left( {HS,gt_{k}^{stk} } \right) \cdot e(\mathop \prod \limits_{j = 1}^{l} u_{j}^{ } ,gt_{k}^{stk} ) ^{{\sum\nolimits_{i = 1}^{24/\lambda } {m_{ij} } }} $$
$$ \to \prod\nolimits_{j = 1}^{l} {e\left( {u_{j} ,ptk} \right)}^{{MG_{j} }} = e(\prod\nolimits_{j = 1}^{l} {u_{j}^{{\sum\nolimits_{i = 1}^{24/\lambda } {m_{ij} } }} } ,gt_{k}^{stk} ) $$
$$ = \mathop \prod \limits_{j = 1}^{l} e(u_{j}^{{\sum\nolimits_{i = 1}^{24/\lambda } {m_{ij} } }} ,gt_{k}^{stk} ) $$
$$ = \mathop \prod \limits_{j = 1}^{l} e(u_{j}^{ } ,gt_{k}^{stk} ) ^{{\sum\nolimits_{i = 1}^{24/\lambda } {m_{ij} } }} $$
$$ = e(\mathop \prod \limits_{j = 1}^{l} u_{j}^{ } ,gt_{k}^{stk} ) ^{{\sum\nolimits_{i = 1}^{24/\lambda } {m_{ij} } }} $$
$$ {\text{Left}} = {\text{Right}} $$

Hence, we ensure that the equation DG∙e(HS, ptk) = e(TG, gtk) will establish through the formula if all participants follow as our scheme.

5.5 Traceability

Theorem 5.

If the Eq. (1) is not established, the CC executes tracking operation to get the signer’s information by using \({\text{x}}_{{\text{i}}} {\text{ = C/C}}_{1}^{{\text{x}}}\). Next, CC will revoke the anonymity of user, if the Eq. (6) is not established.

Proof. Signature correctness:

$$ g^{s} = g^{{as^{*} + b}} $$
$$ = g^{{a\left( {y_{i} H_{1} \left( m \right)^{^{\prime}} + k} \right) + b}} $$
$$ = g^{{a\left( {y_{i} a^{ - 1} rH_{1} \left( m \right) + k} \right) + b}} $$
$$ = g^{{y_{i} rH_{1} \left( m \right)}} g^{ak} g^{b} $$
$$ = C_{1}^{{rH_{1} \left( m \right)}} r^{^{\prime}a} g^{b} $$
$$ = rC_{1}^{{rH_{1} \left( m \right)}} $$

By verifying the correctness of Eq. (1), CC can check the signature issuing from SS.

Tracking the Signer identity:

$$ x_{i} = C/C_{1}^{x} $$
$$ = y^{{y_{i} }} x_{i} /g^{{y_{i} x}} $$
$$ = x_{i} $$

CC can get identity of signer by using group private key x which only group manager owns.

$$ gt_{i} = H\left( {infor_{i} } \right)^{x} \;mod\; n = H\left( {ID_{i} \left| {\left| {address} \right|} \right|timestack} \right)^{x} \; mod\;n $$

Finally, using the registration information in the database, CC can decrypt the (infori)e post information stored in its own database with its own private key d to get the user information infori, and then calculate the H(infori)x one by one to match the results with the corresponding gtk.

6 Conclusion

This paper proposes a group-blind signature scheme for privacy protection in smart grids. The four stages of the scheme realize the conditional anonymity of user identity information and the privacy protection of consumption data in the process of collecting electricity data. In addition, the homomorphic verifiable tag mechanism is used to ensure the verifiability of the integrity of the consumption data. The subsequent security analysis partly proves that the scheme proposed in this paper has authenticatability, privacy protection, anonymity, unforgeability and traceability.