Abstract
The proxy signature schemes allow proxy signers to sign messages on behalf of an original signer, a company, or an organization. Such schemes have been suggested for use in a number of applications, particularly in distributed computing, where delegation of rights is quite common. Many identity-based proxy signature schemes using bilinear pairings have been proposed. But the relative computation cost of the pairing is approximately twenty times higher than that of the scalar multiplication over elliptic curve group. In order to save the running time and the size of the signature, in this letter, we propose an identity-based signature scheme without bilinear pairings. With the running time being saved greatly, our scheme is more practical than the previous related schemes for practical application.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
1 Introduction
In order to simplify the public-key authentication, Shamir [1] introduced the concept of identity-based (ID-based) cryptosystem problem. In this system, each user needs to register at a key generator center (KGC) with identity of himself before joining the network. Once a user is accepted, the KGC will generate a private key for the user and the user’s identity (e.g., user’s name or email address) becomes the corresponding public key. In this way, in order to verify a digital signature or send an encrypted message, a user only needs to know the “identity” of his communication partner and the public key of the KGC.
Mambo et al. [2] introduced the notion of proxy signature scheme. A proxy signature scheme allows an entity called original signer to delegate his signing capability to another entity, called proxy signer. Since it is proposed, the proxy signature schemes have been suggested for use in many applications, particularly in distributed computing where delegation of rights is quite common. In order to adapt different situations, many proxy signature variants are produced, such as one-time proxy signature, proxy blind signature, multi-proxy signature, and so on. Since the proxy signature appears, it attracts many researchers’ great attention. Using bilinear pairings, people proposed many new ID-based signature schemes [3–5] and ID-based proxy signature (IBPS) scheme [6–10]. All the above IBPS schemes are very practical, but they are based on bilinear pairings and the pairing is regarded as the most expensive cryptography primitive. The relative computation cost of a pairing is approximately twenty times higher than that of the scalar multiplication over elliptic curve group [11]. Therefore, IBPS schemes without bilinear pairings would be more appealing in terms of efficiency.
In this paper, we present an IBPS scheme without pairings. The scheme rests on the elliptic curve discrete logarithm problem (ECDLP).With the pairing-free realization, the scheme’s overhead is lower than that of previous schemes [6–10] in computation.
2 Preliminaries
2.1 Background of elliptic curve group
Let the symbol E/F p denote an elliptic curve E over a prime finite field F p , defined by an equation
and with the discriminant
The points on E/F p together with an extra point O called the point at infinity form a group
Let the order of \( \mathfrak{G} \) be n. \( \mathfrak{G} \) is a cyclic additive group under the point addition “+” defined as follows: Let P, Q ∊ G, l be the line containing P and Q (tangent line to E/F p if P = Q), and R, the third point of intersection of l with E/F p . Let l′ be the line connecting R and O. Then P “+” Q is the point such that l′ intersects E/F p at R and O and P “+” Q. Scalar multiplication over E/F p can be computed as follows:
The following problems defined over \( \mathfrak{G} \) are assumed to be intractable within polynomial time.
Eliptic curve discrete logarithm problem: For \( x{ \in_R}Z_n^{*} \) and G the generator of G, given P = x ⋅ \( \mathfrak{G} \) compute x.
2.2 ID-based proxy signatures
In this paper, unless stated otherwise, let O be the original signer with identity ID O and private key D O . He delegates his signing rights to a proxy signer A with identity ID A and private key D A . A warrant is used to delegate signing right. In [6], Gu and Zhu gave a formal security model for ID-based proxy signature schemes.
Definition 1
An ID-based proxy signature scheme is specified by the following polynomial-time algorithms with the following functionalities [6].
-
Setup: The parameters generation algorithm, takes as input a security parameter k, and returns a master secret key x and system parameters Ω. This algorithm is performed by KGC.
-
Extract: The private key generation algorithm, takes an identity ID U ∊ {0, 1}*as input, and outputs the secret key D U corresponding to ID U . KGC uses this algorithm to extract the users’ secret keys.
-
Delegate: The proxy-designation algorithm, takes O’s secret key D O and a warrant m ω as input, and outputs the delegation W O→A .
-
DVerify: The designation-verification algorithm, takes ID O , W O→A as input and verifies whether W O→A is a valid delegation come from O.
-
PKgen: The proxy key generation algorithm, takes W O→A and some other secret information z (for example, the secret key of the executor) as input, and outputs a signing key D p for proxy signature.
-
PSign: The proxy signing algorithm, takes a proxy signing key D p and a message m ∊ {0, 1}* as input, and outputs a proxy signature (m, δ).
-
PVerify: The proxy verification algorithm, takes ID O , ID A and a proxy signature (m, δ) as input, and outputs 0 or 1. In the later case, (m, δ) is a valid proxy signature of O.
We consider an adversary \( \mathfrak{A} \) which is assumed to be a probabilistic Turing machine which takes as input the global scheme parameters and a random tape.
Definition 2
For an ID-based proxy signature scheme IBPS, we define an experiment \( {\hbox{Exp}}_F^{\rm{IBPS}}(k) \) of adversary \( \mathfrak{A} \) and security parameter k as follows [6]:
-
1.
A challenger C runs Setup and gives the system parameters Ω to \( \mathfrak{A} \).
-
2.
C list ← ϕ, D list ← ϕ, G list ← ϕ, S list ← ϕ. (ϕ means null.)
-
3.
Adversary \( \mathfrak{A} \) can make the following requests or queries adaptively.
-
Extract(.): This oracle takes a user’s ID i as input, and returns the corresponding private key D i . If \( \mathfrak{A} \) gets D i ← Extract(ID i ), let C list ← C list ∪ {(ID i , D i )}.
-
Delegate(.): This oracle takes the designator’s identity ID and a warrant m w as input, and outputs a delegation W. If \( \mathfrak{A} \) gets W ← Delegate(ID, m w ), let D list ← D list ∪ {(ID, m w , W)}.
-
PKgen(.): This oracle takes the proxy signer’s ID and a delegation W as input, and outputs a proxy signing key D p . If \( \mathfrak{A} \) gets D p ← PKgen(ID, W), let G list ← G list ∪ {(ID, m w , W)}.
-
PSign(.): This oracle takes the delegation W and message m ∊ {0, 1}*as input, and outputs a proxy signature created by the proxy signer. If \( \mathfrak{A} \) gets (m, τ) ← PSign(W, m), let S list ← S list ∪ {(m, τ)}.
-
-
4.
\( \mathfrak{A} \) outputs (ID, m w , W) or (W, m, τ).
-
5.
If \( \mathfrak{A} \)’s output satisfies one of the following terms, \( \mathfrak{A} \)’s attack is successful.
-
The output is (ID, m w , W), and satisfies: DVerify(W, ID) = 1, (ID,⋅) ∉ C list, (ID,⋅) ∉ G list and (ID, m w ,⋅) ∉ D list. \( {\hbox{Exp}}_F^{\rm{IBPS}}(k) \) returns 1.
-
The output is (W, m, τ), and satisfies PVerify((m, τ), ID i , ID j ) = 1, (W, m,⋅) ∉ S list and (ID j ,⋅) ∉ C list (ID j , W,⋅) ∉ G list, where ID i and ID j are the identities of the designator and the proxy signer defined by W, respectively. ExpID \( {\hbox{Exp}}_F^{\rm{IBPS}}(k) \) returns 2.
-
Otherwise, \( {\hbox{Exp}}_F^{\rm{IBPS}}(k) \) returns 0.
Definition 3
[6]. An ID-based proxy digital signature scheme IBPS is said to be existential delegation and signature unforgeable under adaptive chosen message and ID attacks (DS-EUF-ACMIA), if for any polynomial-time adversary \( \mathfrak{A} \), \( { \Pr }\left[ {{\hbox{Exp}}_F^{\rm{IBPS}}(k) = {1}} \right] \) and \( { \Pr }\left[ {{\hbox{Exp}}_F^{\rm{IBPS}}(k) = {2}} \right] \) are negligible.
3 Our scheme
3.1 Scheme description
In this section, we present an ID-based proxy signature scheme without pairing. Our scheme rests on the ECDLP.
Setup
Takes a security parameter k, returns system parameters and a master key. Given k, KGC does as follows.
-
1)
Choose a k-bit prime p and determine the tuple {F p , E/F p , G, P} as defined in Section 2.
-
2)
Choose the master private key \( x \in Z_n^{*} \) and compute the master public key P pub = x⋅P.
-
3)
Choose two cryptographic secure hash functions \( {H_{{1}}}:{\left\{ {0,{ 1}} \right\}^{*}} \to {Z_n}^{*} \) and \( {H_{{2}}}:{\left\{ {0,{ 1}} \right\}^{*}} \times G \to {Z_p}^{*} \).
-
4)
Publish {F p , E/F p , G, P, P pub, H 1, H 2} as system parameters and keep the master key x secretly.
Extract
Takes system parameters, master key, and a user’s identifier as input, returns the user’s ID-based private key. With this algorithm, KGC works as follows for each user U with identifier ID U .
-
1)
Choose at random \( {r_U} \in Z_n^{*} \), compute R U = r U ⋅P and h U = H 1(ID U , R U ).
-
2)
Compute \( {D_U} = {r_U} + {h_U}x \).
U’s private key is the tuple (D U , R U ) and is transmitted to U via a secure out-of-band channel. U can validate her private key by checking whether the equation
holds. The private key is valid if the equation holds and vice versa.
Delegate
Takes O’s secret key D O and a warrant m ω as input, and outputs the delegation W O→A . As shown in Fig. 1, the user O does as the follows.
-
1)
Generate a random a and compute K = a⋅P.
-
2)
Compute e 1 = H 2(m w , K, ID A ) and \( \sigma = {e_1}{D_O} + a\bmod n \).
The delegation is W O→A =(ID O , R O , ID A , m w , K, σ).
DVerify
As shown in Fig. 1, to verify the delegation W O→A for message m w , the user A first computes e 1 = H 2(m w , K, ID A ), h O = H 1(ID O , R O ) and then checks whether
Accept if it is equal. Otherwise reject.
PKgen
If A accepts the delegation W O→A , as shown in Fig. 1, he computes the proxy signing key D p as \( {D_p} = \sigma + {D_A}{e_2}\bmod n \), where e 2 = H 2(m w , K, ID O ).
Sign
Takes system parameters, the proxy signing key D p and a message m as inputs, returns a signature of the message m. The user A does as follows.
-
1)
Choose at random b ∊ Z n * to compute R = b⋅P.
-
2)
Compute h = H 2(m, R).
-
3)
Verify whether the equation gcd (b + h, n) = 1 holds: Continue if it does and return to step 1 otherwise.
-
4)
Compute \( s = {\left( {l + h} \right)^{{ - 1}}}{D_p}\bmod n \).
-
5)
The resulting signature is (ID O , R O , ID A , R A , m w , K, σ, R, s).
Verify
To verify the signature (ID O , R O , ID A , R A , m w , K, σ, R, s) for message m, a verifier first checks if the proxy signer and the message conform to m w , then he computes, h O = H 1(ID O , R O ),h A = H 1(ID A , R A ), e 1 = H 2(m w , K, ID A ), e 2 = H 2(m w , K, ID O ), h = H 2(m, R), and then checks whether
Accept if it is equal. Otherwise reject.
Since R = b⋅P and \( s = {\left( {b + h} \right)^{{ - 1}}}{D_p}\bmod n \), we have
Then the correctness of our scheme is proved.
3.2 Security analysis
Assume there is an adversary \( \mathfrak{A} \) who can break our ID-based proxy signature scheme Σ. We will construct a polynomial-time algorithm \( \mathfrak{F} \) that, by simulating the challenger and interacting with \( \mathfrak{A} \), solves the ECDLP.
Theorem 1
Consider an adaptively chosen message attack in the random oracle model against Σ. If there is an attacker \( \mathfrak{A} \) that can break Σ with at most \( {q_{{{H_2}}}} \) H 2-queries and q S signature queries within time bound t and non- negligible probability ε. Then we can solve the ECDLP with non-negligible probability.
Proof Suppose that there is an attacker \( \mathfrak{A} \) for an adaptively chosen message attack against Σ. Then, \( { \Pr }\left[ {{\hbox{Exp}}_F^{\rm{IBPS}}(k) = {1}} \right] \) or \( { \Pr }\left[ {{\hbox{Exp}}_F^{\rm{IBPS}}(k) = {2}} \right] \) are non-negligible. We show how to use the ability of \( \mathfrak{A} \) to construct an algorithm \( \mathfrak{F} \) solving the ECDLP.
Suppose \( \mathfrak{F} \) is challenged with a ECDLP instance (P, Q) and is tasked to compute \( x \in Z_n^{*} \) satisfying Q = x P. To do so, \( \mathfrak{F} \) sets {F p , E/F p , G, P, P pub = Q, H 1, H 2} as the system parameter and answers \( \mathfrak{A} \)’s queries (described in definition 2) as follows.
Extract-query: \( \mathfrak{A} \) is allowed to query the extraction oracle for an identity ID U . S simulates the oracle as follows. It chooses \( {a_U},\,{b_U} \in Z_n^{*} \) at random and sets
Note that (D U , R U ) generated in this way satisfies the equation \( {D_U} \cdot P = {R_U} + {h_U} \cdot {P_{\rm{pub}}} \) in the extract algorithm. It is a valid secret key. F outputs (D U , R U , h U ) as the secret key of ID U and stores the value of (D U , R U , h U ) in the C list-table(we modify the content of C list-table).
Delegate-query: \( \mathfrak{A} \) queries the delegate oracle for a warrant m w , ID O and ID A , \( \mathfrak{F} \) first checks that whether ID O and ID A have been queried for the extraction oracle before. If yes, it just retrieves (D O , R O , h O ) from the table and uses these values to delegate a warrant m w , according to the delegate algorithm described in the scheme. It outputs the delegation W O→A = (ID O , R O , ID A , m w , K, σ) for m w , ID O and ID A and stores the value W O→A in the hash table Dlist for consistency. If ID O or ID A has not been queried to the extraction oracle, \( \mathfrak{F} \) executes the simulation of the extraction oracle and uses the corresponding secret key to sign the message.
Since \( \mathfrak{F} \) knows every user’s private key(described in Extract-query), he can simulate Delegate-query, DVerify-query, PKgen-query, PSign-query, and PVerify-query as he simulates Delegate-query.
1. If \( \mathfrak{A} \) can forge a valid delegation on warrant m w with the probability \( \varepsilon \geqslant 10\left( {{q_{{{H_2}}}} + 1} \right)\left( {{q_{{{H_2}}}} + {q_S}} \right)/{2^k} \), i.e. \( \Pr \left[ {{\hbox{Exp}}_F^{\rm{IBPS}}(k) = 1} \right] \geqslant 10\left( {{q_{{{H_2}}}} + 1} \right)\left( {{q_{{{H_2}}}} + {q_S}} \right)/{2^k} \), where m w has not been queried to the signature oracle, then a replay of \( \mathfrak{F} \) with the same random tape but different choice of H 2 will output two valid delegation (ID O , R O , ID A , m w , K, σ, e 1) and \( \left( {I{D_O},{R_O},I{D_A},{m_w},K,\sigma \prime,e_1^{\prime}} \right) \). Then we have
and
Let K = a P, \( {R_O} = {a_O} \cdot {P_{\rm{pub}}} + {b_O} \cdot P \), \( {P_{\rm{pub}}} = Q = x \cdot P \), then we have
and
then we have
and
Hence, we have
Let \( u = {\left( {{e_1} \cdot {a_O} + {e_1} \cdot {h_O} - {{e\prime}_1} \cdot {a_O} - {{e\prime}_1} \cdot {h_O}} \right)^{{ - 1}}}\bmod n \) and \( v = \left( {\sigma - \sigma \prime - {e_1} \cdot {b_O} + {{e\prime}_1} \cdot {b_O}} \right)\bmod n \), then, we get \( x = uv\bmod n \). According to [12, Lemma 4], the ECDLP can be solved with probability ε′ ≥ 1/9 and time \( t\prime \leqslant 23{q_{{{H_2}}}}t/\varepsilon \).
2. From case 1, we know the adversary \( \mathfrak{A} \) cannot generate a valid delegation. In this case we will prove, if \( \mathfrak{A} \) can forge a valid signature on message m under the delegation W O→A =(ID O , R O , ID A , m w , K, σ) with the probability \( \varepsilon \geqslant 10\left( {{q_{{{H_2}}}} + 1} \right)\left( {{q_{{{H_2}}}} + {q_S}} \right)/{2^k} \), i.e. \( \Pr \left[ {{\hbox{Exp}}_F^{\rm{IBPS}}(k) = 2} \right] \geqslant 10\left( {{q_{{{H_2}}}} + 1} \right)\left( {{q_{{{H_2}}}} + {q_S}} \right)/{2^k} \), where m has not been queried to the signature oracle, then a replay of \( \mathfrak{F} \) with the same random tape but different choice of H 2 will output two valid signatures (ID O , R O , ID A , R A , m w , K, σ, R, s, e 1, e 2, h), and (ID O , R O , ID A , R A , m w , K, σ′, R, s, e′1, e′2, h′). Then we have
and
Let K = a P, R = b P, \( {R_O} = {a_O} \cdot {P_{\rm{pub}}} + {b_O} \cdot P \), \( {P_{\rm{pub}}} = Q = x \cdot P \), then we have
and
In these equations, only b and x are unknown to \( \mathfrak{F} \). \( \mathfrak{F} \) solves for these values from the above like he does in case 1, and outputs x as the solution of the discrete logarithm problem.
According to [12, Lemma 4], the ECDLP can be solved with probability ε′ ≥ 1/9 and time \( t\prime \leqslant 23{q_{{{H_2}}}}t/\varepsilon \).
4 Comparison with previous scheme
In this section, we will compare the efficiency of our new scheme with Gu et al.’s scheme [6], Zhang’s scheme [7], Wu et al.’s scheme [8], Gu et al.’s [9], and Ji et al.’s scheme [10]. In the computation efficiency comparison, we obtain the running time for cryptographic operations using MIRACAL [13], a standard cryptographic library.
The hardware platform is a PIV 3-GHZ processor with 512-MB memory and a Windows XP operation system. For the pairing-based scheme, to achieve the 1,024-bit RSA level security, we use the Tate pairing defined over the supersingular elliptic curve \( E/{F_p}:{y^{{2}}} = {x^{{3}}} + x \) with embedding degree 2, where q is a 160-bit Solinas prime \( q = {{2}^{{{159}}}} + {{2}^{{{17}}}} + {1} \) and p a 512-bit prime satisfying \( p + {1} = {12}qr \). For the ECC-based schemes, to achieve the same security level, we employed the parameter secp160r1 [14], recommended by the Certicom Corporation, where \( p = {{2}^{{{16}0}}} - {{2}^{{{31}}}} - {1} \). The running times are listed in Table 1, where sca.mul. stands for scalar multiplication.
To evaluate the computation efficiency of different schemes, we use the simple method from [15, 16]. For example, the Extract algorithm of our scheme requires a KGC to carry out one ECC-based scale multiplication; thus, the computation time of the sign algorithm is 2.21 × 1 = 2.21 ms; the Delegate algorithm has to carry out one ECC-based scalar multiplications, and the resulting running time is 2.21 × 1 = 2.21 ms; the Dverify algorithm has to carry out two ECC-based scalar multiplications, and the resulting running time is 2.21 × 2 = 4.42 ms; the PKgen algorithm has to carry out one modular multiplications, we will ignore running time; the Psign algorithm has to carry out one ECC-based scalar multiplications, and the resulting running time is 2.21 × 1 = 2.21 ms; the PVerify algorithm has to carry out four ECC-based scalar multiplications, and the resulting running time is 2.21 × 4 = 8.84 ms. As another example, in Gu et al.’s scheme [6], the Extract algorithm of requires a KGC to carry out one pairing-based scale multiplication and a map-to-point hash function; thus, the computation time of the sign algorithm is 6.38 × 1 + 3.04 = 9.42 ms; the Delegate algorithm has to carry out one pairing -based scalar multiplications and a modular exponentiation, and the resulting running time is 6.38 × 1 + 5.31 = 11.69 ms; the Dverify algorithm has to carry out two pairing operations and a modular exponentiation, and the resulting running time is 20.04 × 2 + 5.31 = 45.39 ms; the PKgen algorithm has to carry out one pairing -based scalar multiplications, and the resulting running time is 6.38 × 1 = 6.38 ms; the Psign algorithm has to carry out one pairing -based scalar multiplications and a modular multiplication, then the resulting running time is 6.38 + 5.31 = 11.69 ms; the PVerify algorithm has to carry out two pairing, one pairing-based scalar multiplications and two modular exponentiations, then the resulting running time is 20.04 × 2 + 6.38 + 5.31 × 2 = 57.09 ms. Table 2 shows the results of the performance comparison.
According to Table 2, the running time of the Psign algorithm of our scheme is 18.9% of Gu et al.’s schemes [6], 2.61% of Zhang et al.’s scheme [7], 6.99%of Wu et al.’s scheme [8], 18.9% of Gu et al.’s scheme [9], and 11.55% of Ji et al.’s scheme [10], the running time of the Pverify algorithm of our scheme is 15.27% of Gu et al.’s schemes [6], 16.74% of Zhang et al.’s scheme [7], 7.87% of Wu et al.’s scheme [8], 20.37% of Gu et al.’s scheme [9], and 19.04% of Ji et al.’s scheme [10]. Thus our scheme is more efficient than the previous schemes [6–10].
5 Conclusion
In this paper, we have proposed an efficient identity-based proxy signature scheme. We also prove the security of the scheme under random oracle. Compared with previous scheme, the new scheme reduces the running time heavily. Therefore, our scheme is more practical than the previous related schemes for practical application.
References
Shamir A (1984) Identity-based cryptosystems and signature schemes. In: Proceedings of CRYPTO 1984. Lecture Notes in Computer Science. vol 196, pp. 47–53
Mambo M, Usuda K, Okamoto E (1996) Proxy signature: delegation of the power to sign messages. IEICE Trans Fundamentals E79-A(9):1338–1353
Cha JC, Cheon JH (2002) An identity-based signature from gap Diffie-Hellman groups. In: Desmedt YG (ed) PKC 2003. LNCS. vol 2567. Springer, Heidelberg, pp 18–30
Hess F (2003) Efficient identity based signature schemes based on pairings. In: Nyberg K, Heys HM (eds) SAC 2002. LNCS, vol 2595. Springer, Heidelberg, pp 310–324
Barreto PSLM, Libert B, McCullagh N, Quisquater J (2005) Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. In: Roy B (ed) ASIACRYPT 2005. LNCS, vol 3788. Springer, Heidelberg, pp 515–532
Gu C, Zhu Y (2005) Provable security of ID-based proxy signature schemes. In: Lu X, Zhao W (eds) ICCNMC 2005. LNCS, vol 3619. Springer, Heidelberg, pp 1277–1286
Zhang J, Zou W (2007) Another ID-based proxy signature scheme and its extension. Wuhan Univ J Nat Sci 12:133–136
Wu W, Mu Y, Susilo W et al. (2007) Identity-based proxy signature from pairings, ATC 2007, LNCS 4610, pp. 22–31.
Gu C, Zhu Y (2008) An efficient ID-based proxy signature scheme from pairings. Inscrypt 2007, LNCS 4990, pp. 40–50
Ji H, Han W, Zhao L et al (2009) An identity-based proxy signature from bilinear pairings, 2009 WASE International Conference on Information Engineering, pp 14–17
Chen L, Cheng Z, Smart NP (2007) Identity-based key agreement protocols from pairings. Int J Inf Secur (6):213–241.
David P, Jacque S (2000) Security arguments for digital signatures and blind signatures. J Cryptol 13(3):361–396
Shamus Software Ltd., Miracl library, http://www.shamus.ie/index.php?page=home
The Certicom Corporation, SEC 2: Recommended Elliptic Curve Domain Parameters, www.secg.org/collateral/sec2_final.pdf
Cao X, Kou W, Du X (2010) A pairing-free identity-based authenticated key agreement protocol with, minimal message exchanges. Inf Sci 180:2895–2903
He D, Chen J, Hu J. An ID-based client authentication with key agreement protocol for mobile client-server environment on ECC with provable security, Information Fussion, doi:10.1016/j.inffus.2011.01.001.
Acknowledgments
The authors thank the anonymous reviewers and Dr. Guy Pujolle for their valuable comments. This research was supported by the Fundamental Research Funds for the Central Universities under Grants 201275786.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Debiao, H., Jianhua, C. & Jin, H. An ID-based proxy signature schemes without bilinear pairings. Ann. Telecommun. 66, 657–662 (2011). https://doi.org/10.1007/s12243-011-0244-0
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12243-011-0244-0