國際清算銀行-Project Tourbillon：探索CBDC的隱私、安全性和可擴(kuò)展性（英）

Project

TourbillonExploring

privacy,

security

andscalability

for

CBDCsFinalReportNovember20231Publication

date:November2023?BankforInternational

Settlements

2023.Allrightsreserved.Briefexcerptsmaybe

reproducedortranslatedprovidedthe

sourceis

stated.ISBN978-92-9259-711-5(online)ProjectTourbillonExecutivesummary35Acronyms,abbreviationsanddefinitions12Introduction6Theprototypes1111131821222323242626272932343640412.1

Highlevelsolutionarchitecture2.2

eCash1.0(EC1)2.3

eCash2.0(EC2)2.4

ImplementationandtestingsetupResultsandconsiderations3.1

Payeranonymityandother

policy

objectives3.2

Quantum-safe

cryptography3.3

Scalability33.4

Privacyandsecuritytrade-offs3.5

ImplementationconsiderationsConclusionsandnextsteps4ReferencesAnnex

A:OptimaldenominationalgorithmAnnexB:

SequencediagramsforrebalancingAnnexC:Threatmodel

andtrustassumptionsAnnex

D:Quantum-safeblindsignatureschemeContributors2ProjectTourbillonExecutivesummaryThe

use

of

cash

is

in

decline

worldwide

as

digital

payments

continue

to

grow.

Overthe

past

decade,

the

number

of

cashless

payments

has

grown

at

an

annual

rate

of16%,

with

more

than

one

trillion

transactions

in

CPMI

countries

alone.1

In

this

context,concerns

about

the

potential

erosion

of

privacy

are

being

raised.2

Unsurprisingly,public

consultations

by

central

banks

on

retail

central

bank

digital

currencies

(CBDCs)showthatprivacyisafundamentaluserrequirement.3Privacy

is

the

right

to

keep

personal

information

secret

or

known

only

to

atrusted

group

of

people.

This

implies

that

there

are

different

levels

of

privacy.According

to

Bank

of

Canada

et

al

(2021),

payments

can

be

(i)

confidential,

where

onlytrusted

parties

see

personal

information

(such

as

credit

card

payments);

(ii)pseudonymous,

where

identifiers

or

public

addresses

can

be

used

to

identify

anindividual

(such

as

bitcoin

transactions);

or

(iii)

anonymous,

where

parties

to

atransaction

cannot

be

identified

(such

ascash

payments).

However,

privacy

and

dataprotectionneedtobebalancedwithotherpublicpolicy

objectives,inparticularanti-money

laundering

and

combating

the

financing

of

terrorism

(AML/CFT)

andcounteringtaxevasion.Project

Tourbillon

introduces

a

new

privacy

paradigm

that

balances

userneeds

and

public

policy

objectives:

payer

anonymity.

For

example,

a

consumer

whopays

a

merchant

using

CBDCs

does

not

disclose

personal

information

to

anyone,including

the

merchant,

banks

and

the

central

bank.

However,

the

identity

of

themerchant

is

disclosed

to

the

merchant’s

bank

(as

part

of

the

payment)

but

is

keptconfidentialthere.Thecentral

bankdoes

notseeanypersonal

paymentdata

butcanmonitorCBDCcirculationatan

aggregatelevel.In

addition

to

privacy,

CBDCs

must

meet

several

other

requirements

fromusers

and

other

stakeholders

(suchasbanksand

regulatory

authorities)

aswell

asitsown

public

policy

objectives.4

Project

Tourbillon

addresses

three

featuressimultaneously:?privacy–by

enablingpayeranonymity;1See

Bank

for

International

Settlements

(BIS)

Committee

on

Payments

and

Market

Infrastructures

(CPMI)Red

Book

statistics.

The

Red

Book

statistics

on

payments

and

financial

market

infrastructures

in

the

27CPMI

member

jurisdictions

are

collected

annually

by

BIS.

For

more

information

and

the

latest

2021

data,see/statistics/payment_stats.htm.23SeeCoy(2022).The

ECB(2021)notesthat

43%

ofrespondents

toapublic

consultation

on

thedigitaleuro

rankedprivacyasthemost

important

aspect

of

the

digitaleuro,wellaheadof

other

features,

such

as

security(18%).

TheBank

of

England

(2023b)

notes

that

the

majority

of

the

50,000

respondents

to

a

public

consultation

on

thedigitalpoundin2023expressedconcernsaboutprivacy,programmabilityandthedeclineofcash.4As

an

example,

the

Bank

of

England

(2023a)

has

highlighted

the

following

design

priorities

for

a

digitalversion

of

the

pound:

privacy,

security,

resilience,

performance,

extensibility

and

energy

usage.

Additionally,the

European

Central

Bank

(2023b),

in

their

third

report,

added

that

banks

must

provide

core

services

toendusersforofflinefunctionalityandshouldprovideconditionalpayments(notprogrammable

money).3ProjectTourbillon??security–by

implementingquantum-safecryptography;andscalability

–

by

testing

the

prototype’s

ability

to

handle

a

growing

numberof

transactionsusingpaymentdata.In

order

toevaluate

the

trade-offs

between

these

three

features,

two

distinctprototypesbasedon

theeCashdesigndescribedbyChaum(1982)werebuiltaspartof

project

Tourbillon:

eCash

1.0

(EC1)5

and

eCash

2.0

(EC2)6.

Achieving

this

requiredmeticulouscalibration

andprecision,

muchliketheinnerworkingsof

a

tourbillon–ahigh-precisionmechanicalpartinawatch.Project

Tourbillon

shows

that

it

is

feasible

to

implement

a

design

thatprovides

payer

anonymity.

The

project

demonstrated

that

both

prototypes

arescalable

andcanhandle

a

growingnumberoftransactions.

Italsodemonstratedthatquantum-safe

blind

signatures,

a

cryptographic

technique

used

toensure

anonymity,can

be

implemented.

However,

the

implementation

proved

challenging.

Quantum-safe

cryptography

exhibited

slow

performance

and

limited

functionality,

withthroughput

reduced

by

a

factor

of

200

compared

to

so-called

classic

cryptography,highlightingtheneedfor

furtherresearchanddevelopment.

Finally,acomparisonofthe

two

prototypes

illustrates

the

trade-offs

between

privacy

and

security:

EC1provides

unconditional

payer

anonymity

but

EC2

has

more

resilient

security

featuresallowingforbetter

protectionagainst

counterfeiting.The

Tourbillon

project

is

a

first

step

in

exploring

privacy,

security

andscalabilityinaneCash

CBDC

design.

Futureworkcanbecategorisedintothreeareas.First,

further

developing

quantum-safe

cryptography

to

make

it

easier

to

implementand

deploy.

Second,

enhancing

the

design

to

improve

speed

and

functionality,

as

wellas

cover

more

use

cases.

Third,

addressing

viability

issues

by

exploring

sustainablebusiness

models.56SeeChaumet

al(2021).SeeChaumandMoser(2022).4ProjectTourbillonAcronyms,abbreviations

anddefinitionsAMLBISBISIHAnti-moneylaundering.BankforInternational

Settlements.BIS

InnovationHub.BlindsignaturesCryptographictechniquein

whichthecontentof

amessageisobscured(blinded)beforeitissigned.Centralbankdigital

currency.CBDCCBDCcoinCoinAdigitalcoinsignedby

the

centralbank.Adigitalfilewithaserial

number,not(yet)signedbythecentralbank.CFTCombatingthefinancingof

terrorism.CNSACPMICPUCommercial

National

SecurityAlgorithm.Committee

onPaymentsand

MarketInfrastructures.Centralprocessingunit.Digitalsignatures

Theresultof

acryptographictransformationof

datathatprovides

amechanismforverifyingorigin

authentication,dataintegrity,and

signatorynon-repudiation.DLTE2EEEC1Distributedledgertechnology.End-to-endencryption.eCash1.0.EC2eCash2.0.GPUHashGraphics

processingunit.Aone-waymathematical

functionthatconvertsanydigitaldataintoafixednumberof

alphanumerical

charactersKnowyourcustomer.NationalInstituteof

StandardsandTechnology.Pointof

sale.KYCNISTPoSPublic-keycryptographyrCBDCEncryption

systemthatusesapublic-privatekeypairforencryptionand/ordigitalsignature.Aretail

CBDC

isabroadlyavailablegeneral

purpose

CBDCthatcanbeused

bythe

public,

forday-to-daypayments.Typeofpublic-keycryptographywidelyusedfordataencryptionoverthe

internet,namedforitsinventors:RonaldRivest,AdiShamirandLeonardAdleman.Real-timegrosssettlement.RSAencryptionRTGSSICSNBSwissInterbankClearing.SwissNationalBank.TPSTransactionsper

second.wCBDCAwholesale

CBDC

isavailabletocommercial

banks

andotherfinancialinstitutions.QRcodeQSCQuickresponse

code.Quantum-safe

cryptography.5ProjectTourbillon1

IntroductionA

central

bank

digitalcurrency

(CBDC)

is

a

digitalpayment

instrument,

denominatedin

the

national

unit

of

account,

that

is

a

direct

liability

of

the

central

bank

(Bank

ofCanada

et

al

(2020)).

In

addition

to

the

payment

instrument,

a

CBDC

system

(orarrangement)

includes

the

frontend,

backend

and

communication

infrastructureneededforapayertotransferanamount

ofCBDC

to

apayee.There

are

two

types

of

CBDCs:retail

and

wholesale.A

retailCBDC

(rCBDC)

isa

broadly

available

general

purpose

CBDC

that

can

be

used

by

the

public.

A

wholesaleCBDC

(wCBDC),

on

the

other

hand,

is

accessible

only

to

financial

institutions

ofsignificance

tomonetary

policyimplementation,

financial

stabilityand/or

thesmoothfunctioning

of

the

payments

and

settlement

infrastructure.7

Currently,

no

country

hasyet

fully

implemented

a

wCBDC

but

11

countries

(Anguilla,

Antigua

and

Barbuda,Bahamas,

Dominica,

Grenada,

Jamaica,

Montserrat,

Nigeria,

Saint

Kitts

and

Nevis,Saint

Lucia

and

Saint

Vincent

and

the

Grenadines)

have

implemented

a

rCBDC

andChina

is

testing

the

digital

renminbi

in

several

cities

larger

than

many

countries.8Additionally,

the

European

Central

Bank

(ECB)

and

Bank

of

England

(BoE)

are

exploringthe

digital

euroandthedigitalpound,respectively.Depending

on

the

jurisdiction,

introducing

a

CBDC

is

seen,

inter

alia,

as

a

wayto

upgrade

domestic

payments

rails

(eg

to

complement

cash

or

speed

up

governmenttransfers),

improve

financial

inclusion,

counter

currency

substitution

and/or

enhancecross-borderpayments.ButintroducingaCBDC

also

posesmany

challenges,

bothintermsofongoingoperationsandimplicationsfor

the

financialsystem.

ArCBDCmay,for

example,

lead

to

the

disintermediation

of

banks

if

the

populace

substitutescommercial

bank

money

for

central

bank

money

at

scale.

More

expensive

and

lessstable

fundingforbanks

couldpotentially

spurfinancialinstability.In

designing

a

rCBDC,

central

banks

need

to

consider

the

requirements

ofusers

and

other

stakeholders

(suchasbanksand

regulatory

authorities)

aswell

asitsown

public

policy

objectives.

The

prioritisation

of

these

requirements

and

objectiveswill

determine

the

ultimate

features

included

in

the

design

of

a

CBDC

and

the

widerCBDC

system.9

As

an

example,

BoE

(2023a)

has

highlighted

the

following

designprioritiesfor

adigital

versionofthepound:

privacy,security,

resilience,

performance,extensibility

and

energy

usage.

Additionally,

the

ECB

(2023b),

in

its

third

report,

added7TodistinguishwCBDCfromthesightdepositsorreservebalancesthatfinancialinstitutionscurrentlyholdwith

central

banks

in

book

entry

form,

it

is

often

assumed

that

wCBDC

are

tokenised,

ie,

based

ondistributedledgertechnology(DLT).89LaunchedretailCBDCscanbeexploredviatheAtlanticCouncil’sCBDC

tracker

andReutersreporting

onthedigitalrenminbi.Bank

of

Canada

et

al

(2020)

divides

the

features

of

a

CBDC

into

three

categories:

(i)

instrument

featuressuch

as

convertibility,

convenience

and

acceptance;

(ii)

system

features

such

as

cyber

security,

resilience,instantaneous

settlement,

availability,

scalability,

throughput,

privacy

and

interoperability;

and

(iii)institutionalfeaturessuchas

robustlegalframeworksandadherencetostandards.6ProjectTourbillonthat

banks

must

provide

core

services

to

end

users

for

offline

functionality

and

shouldprovideconditional

payments

(not

programmablemoney).Not

all

requirements

or

objectives

may

be

achievable

given

currenttechnology,

policy

objectives

or

law.

Moreover,

some

requirements

and

objectivesmay

conflict

with

others

and

hence

designing

a

CBDC

may

involve

trade-offs

betweenone

requirementor

policyobjectiveandanother.Achieving

privacy

while

combating

illicit

payments

is

one

such

challenge.Privacy

is

animportant

user

requirementfor

rCBDCs.

The

majority

of

respondentstorecent

public

consultations,

cited

in

ECB

(2021)

and

Cunliffe

(2023),

highlighted

theimportance

of

privacy

in

CBDCs.

However,

individual

privacy

protections

need

to

bebalanced

with

public

policy

objectives,

in

particular

anti-money

laundering

andcombating

the

financing

of

terrorism

(AML/CFT)

and

countering

tax

evasion.

ProjectTourbillon

explores

the

nexus

of

three

important

CBDC

system

requirements

thatcurrent

live

implementations,

pilots

and

studies

have

highlighted

as

particularlychallenging:

privacy,security

and

scalability.10PrivacyPrivacy

is

the

right

to

keep

personal

information

secret

or

known

only

to

a

trustedgroup

of

people.

Payment

systems

provide

different

levels

of

privacy.

Bank

of

Canadaetal

(2021a)positsthreelevels:confidential,

pseudonymous,andanonymous.???In

confidential

payments,

an

individual’s

identity

is

known

only

by

a

narrowset

of

trusted

parties

(eg

involved

banks

or

payment

system

providers

incardpayments).In

pseudonymous

payments,

an

individual's

identity

is

not

known,

but

theremay

be

identifiers

or

other

information

that

can

be

used

to

link

the

paymenttoanindividual(egasin

bitcoin).Anonymityis

the

abilityof

individualstoremainunidentifiableinapaymenttransaction(eg

asincash).11Project

Tourbillon

introduces

payer

anonymity

to

ensure

anonymity

forsenderswhilecombatingillicitpayments.1210For

example,

the

digital

euro

project

(ECB

2023a)

as

well

as

China’s

digital

renminbi

(PBOC

2021)

havementioned

privacy,

cyber

security

and

scalability

as

important

features

to

be

considered.

The

digitalcurrency

initiative

summarises

this

by

noting

that

it

is

part

of

a

“l(fā)arger

CBDC

initiative

which

combinestechnology

research

in

security,

privacy,

and

scalability

with

user

research

into

the

design

of

digital

currencysystems”(DCI).1112However,

de

Montjoye

et

al

(2015)

note,

that

even

some

anonymous

payment

data,

with

sufficientmetadata,canbeusedtore-identifyindividuals.The

Tourbillon

prototypes

cannot

protect

a

consumer’s

anonymity

against

user

behaviour

or

external

tools.In

particular,

a

consumer

can

always

choose

to

reveal

their

identity

tothe

merchant,

to

banks,

or

eventothird

parties.

External

tools

like

reward

cards

or

facial

recognition

software

in

stores

can

also

link

consumerstopayments.7ProjectTourbillonPayer

anonymityPayer

anonymity

provides

cash-like

anonymity

to

payers

in

a

payment,

but

not

topayees.

For

example,

a

consumer

who

pays

a

merchant

using

CBDCs

does

not

disclosepersonalinformationto

anyone,including

themerchant,banksandthe

centralbank.However,

the

identity

ofthe

merchant

is

knownto

the

payerand

is

onlydisclosedtothe

merchant’s

bank

(as

part

of

the

payment)

where

it

is

kept

confidential.

The

centralbank

does

not

see

any

personal

payment

data

but

can

monitor

CBDC

circulation

atanaggregatelevel.SecuritySecurity

in

digital

payment

systems

aims

to

maintain,

inter

alia,

the

confidentiality

andintegrity

of

payments

data

as

outlined

by

CPMI-IOSCO

(2012).

Cryptography

can

beused

to

uphold

the

confidentiality

of

the

payment

data

(providing

privacy)

and

theintegrity

of

the

payment

system

as

a

whole

(preventing

double

spending

orcounterfeiting).

Achieving

robust

security

relies

on

secure

cryptography

thatsafeguards

against

both

current

and

future

cyber

threats,

such

as

attacks

fromquantumcomputers(BoxA).ScalabilityScalability

is

the

ability

to

adjust

to

changing

demands

without

compromisingperformance,

quality

orcost.

In

the

context

of

a

payment

system,

scalability

is

aboutensuring

smooth

functioning

during

peak

surges

and

times

of

sustained

elevateddemand.

Typically,

payment

systems

operate

on

distinct

daily

and

weekly

cyclesrelative

to

the

weekly

average

(illustrated

in

Graph

1).

As

such,

it

is

important

for

apayment

system

to

notonly

settle

the

average

volume

of

paymentsquickly,but

alsoitsseasonal

peaksand

sustainedloads

too.PaymentseasonalityGraph1A.Intradayvolumeof

paymentsrelativetoweeklyaverageB.Dailyvolumeof

paymentsrelative

to

weeklyaverage%%Sources:SwissNationalBank;Worldline;PostFinance;MonitoringConsumptionSwitzerland.8ProjectTourbillonProject

objectivesThe

projectassessesthe

degreetowhichprivacy,securityandscalabilitycaneachbeachievedin

the

contextoftwo

CBDC

designsproposedby

ChaumandMoser(2022).Specifically,

theobjectives

were:??Privacy–enabling

payeranonymitywhilecounteringillicitpayments;Security

–

evaluating

the

implementation

of

quantum-safe

cryptography(QSC);and,?Scalability–testingtheprototype’sscalabilityusingpaymentdata.Both

designs

are

based

on

and

extend

the

eCash

design

proposed

by

Chaum(1982).13

The

assessment

was

done

by

building

a

prototype

for

each

design,

and

thenanalysingand

testinghowprivate,secureandscalableeachprototypeis.This

report

summarises

the

work

carried

out

in

project

Tourbillon.

Section

2describes

the

two

eCash

based

prototypes

and

how

they

were

tested.

Section

3presents

the

results

and

discusses

privacy,

security,

scalability,

trade-offs

andimplementation

considerations.

Section

4

concludes

with

an

outlook

on

possiblefuture

work.13ThehistoryofeCashcanbefoundonDavidChaum’swebsite(at/ecash/).9ProjectTourbillonBox

A:Threat

of

quantum

computers

to

cryptographyQuantum

computing

makes

useof

theprinciplesof

quantum

mechanics,

whichallow

fora

system

to

exist

not

only

in

a

zero

or

one

state,

but

rather

in

a

composition

of

the

two(Schumacher

1995).

This

property,

known

as

superposition,

enables

quantum

computerstosolve

certaincomputational

problems

faster

thanclassical

computers.

Such

computingmaybringmanybenefitsbut

italsoposesthreats.The

threat

of

quantum

computers

to

information

security

lies

in

their

potential

ability

tobreak

asymmetric

cryptography

(CNSS

2015),

such

as

RSA-based

encryption

(Rivest

et

al1978),

Diffie-Hellman

key

exchange

and

digital

signatures.

These

cryptographic

schemesprotect

muchof

today’sdigital

infrastructure

and

communications

systems(Graph

A.1).

Ifthis

threat

is

realised,

it

could

lead

to

data

breaches

and

a

profound

loss

of

trust

in

alldigital

systems,includingfinancialones.Quantumcomputers

arestill

in

the

research

and

development

phase,and

there

aremanytechnical

challenges

to

overcome

before

they

become

practical

for

widespread

use.However,

it

isimportant

that

quantum-resistant

algorithmsare

researched,

implementedanddeployedassoonaspossible.ProjectTourbillonusestwo

approachesto

achievequantum-resistance.First,ituseshashfunctions

that

quantum

computers

cannot

break.

A

hash

function

is

the

most

fundamentalprimitive

in

cryptography;

if

hash

functions

were

ever

broken,

it

would

dismantle

all

ofcryptography

because

of

hardness

assumptions.

Trying

to

reverse

a

hash

function

wouldbeliketryingtounscrambleanegg.Second,

Project

Tourbillon

implements

alattice-based

blind

signaturescheme,

describedin

Beullens

et

al

(2023).

Lattice-based

cryptography

is

a

potentially

quantum-resistantapproach,

used

in

NIST-standardised

quantum-safe

schemes,

namely

CRYSTALS-KyberandCRYSTALS-Dilithium,butcustomisedforblindsignatures.Itreliesonthehardnessofalatticeproblemforquantumcomputersandisoptimisedforuseindeviceswithlimitedresources

such

assmartphones.Cryptographyandquantum-resistanceGraphA.110ProjectTourbillon2

TheprototypesThis

section

describes

the

two

prototypes

built

as

part

of

Project

Tourbillon:

EC114and

EC2.15,16

It

begins

with

a

high-level

solution

architecture,

followed

by

in-depthtechnical

explanations

of

EC1

and

EC2,

including

workflows,

and

concludes

with

adiscussionoftheimplementationandtestingsetup.The

project

focuses

on

consumer-to-merchant

payments

via

mobileapplications.17

Extensions

to

other

use

cases,

such

as

peer-to-peer

payments,

are

inprinciple

straightforward.

However,

for

the

sake

of

simplicity

were

not

within

thescopeof

thisproject.2.1

High

level

solution

architectureBoth

prototypes

leverage

the

existing

two-tier

banking

system

and

involve

fourparties:

a

central

bank,

commercial

banks

(or

simply

banks),

consumers

and

merchants(Graph

2).

Consumers

and

merchants

have

deposit

accounts

with

banks

and

bankshave

reserve

accountswith

thecentral

bank.Consumers

and

merchants

must

be

initially

onboarded

by

a

bank,

ensuringthat

know-your-customer

(KYC)

procedures

are

met.

Once

onboarded,

consumersand

merchants

can

install

and

use

the

Tourbillon

app

(Graph

3)

on

their

mobiledevices.The

interfacesare

familiar

to

both

consumers

and

merchants:

the

consumerTourbillon

app

allows

consumers

to

withdraw,

hold

CBDCs

(via

self-custody)

andmake

payments.

The

merchant

Tourbillon

app

allows

merchants

to

request

payments,receivepayments

and

view

thestatus

of

payments.18The

eCash-based

design

relies

on

unsigned

digital

coins

and

digital

coinssignedbythecentral

bank

–

CBDC

coins.Anunsigned

coin

is

a

consumer

generateddigital

file

with

a

unique

serial

number

that

is

not

(yet)

signed

by

the

central

bank.Onceacoinissignedby

the

central

bank,

thatcoinbecomesaCBDCcoin.The

CBDC

coin

is

designed

as

a

single-use

CBDC.

Unlike

banknotes,

the

CBDCcannot

be

reused

by

the

recipient

(merchant)

for

further

payments.

Instead,

the

CBDCmust

be

redeemed

with

the

central

bank

(via

the

merchant’s

bank).

This

has

two14151617Chaumetal(2021).ChaumandMoser(2022).ThedevelopmentoftheprototypeswassupportedbyIBMandCurrencyNetwork.Two

apps

were

developed:

a

consumer

app

and

a

merchant

app.

It

is

possible

to

merge

both

apps

forconsumer-to-merchantpayments

as

wellaspeer-to-peerpayments.18The

Tourbillon

app

for

merchants

does

not

contain

a

wallet

because

we

focus

on

the

consumer-to-merchantpayment.11ProjectTourbilloneffects:

(i)

it

provides

protection

against

double-spending;

and

(ii)

it

ensures

that

amerchant’ssaleisrecordedattheirbank.Tourbillonhigh-levelarchitectureGraph2eCash-based

designs

usecoins

with

fixed

denominations.

Project

Tourbillonestablishedfourdistinct

denominationsthatfollow

thepoweroftwo,

meaningtherearecoins

with

a

value

of

1,

2,

4

and

8.19

For

each

withdrawal

request,

an

algorithm

isused

to

optimise

the

denomination

of

the

CBDC

coins

used,

minimising

their

quantitywhile

ensuring

that

the

consumer

always

has

the

correct

change

to

pay

any

amount(Annex

A).

Whenever

the

consumer

spends

CBDC

coins,

the

algorithm

assesses

theoptimal

denomination

of

the

remaining

coins.

If

this

is

not

the

case,

a

backgroundprocessisinitiatedtorebalancethedenominations(AnnexB).An

overview

of