WO2006069994A2 - Process and device for the authentication of communications - Google Patents

Process and device for the authentication of communications Download PDF

Info

Publication number
WO2006069994A2
WO2006069994A2 PCT/EP2005/057176 EP2005057176W WO2006069994A2 WO 2006069994 A2 WO2006069994 A2 WO 2006069994A2 EP 2005057176 W EP2005057176 W EP 2005057176W WO 2006069994 A2 WO2006069994 A2 WO 2006069994A2
Authority
WO
WIPO (PCT)
Prior art keywords
chr
authentication
values
chameleon
data
Prior art date
Application number
PCT/EP2005/057176
Other languages
French (fr)
Other versions
WO2006069994A3 (en
Inventor
Roberto Di Pietro
Antonio Durante
Luigi Mancini
Original Assignee
Universita' Degli Studi Di Roma 'la Sapienza'
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Universita' Degli Studi Di Roma 'la Sapienza' filed Critical Universita' Degli Studi Di Roma 'la Sapienza'
Publication of WO2006069994A2 publication Critical patent/WO2006069994A2/en
Publication of WO2006069994A3 publication Critical patent/WO2006069994A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Definitions

  • This invention refers to the field of communications safety and, more precisely, to a process and device for the authentication of communications.
  • the authentication of communications can be defined as a process able to certify the origin of the data.
  • An authenticator party A possesses IT tools and a secret item of information (typically a secret value, known as a key) that fulfil an authentication technique. A is therefore able to create a binding connection between its own identity and the data that it wishes to authenticate.
  • a secret item of information typically a secret value, known as a key
  • a hash function consists of a special mathematical transformation that, when applied to a document to be signed, maps a so-called “footprint” or “stamp”: this is a "summary” composed of a greatly reduced (and constant) number of bits, which unambiguously represents the original document. It is necessary that the hash function employed benefits from certain important properties. Briefly put, we can say that a good hash function must be "non-invertible” and "collision-free". The first property means that given a stamp (namely, the hash of a document), it must not be possible to extract the document from which it derives, while the second means that it must not be possible to find two different documents that produce the same stamp.
  • SHA-1 hash function
  • FIPS PUB 180-1 edited by the National Institute of Standard -NIST- USA
  • RSA functions are used in the known manner in combination with standard asymmetric cryptography techniques, such as the RSA functions for example, described in the article by R. Rivest, A. Shamir and L. Adleman, entitled “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, 21 (2), pp. 120-126, February 1978.
  • the RSA functions implement non-transferable electronic signatures, used precisely for authentication.
  • the object of this invention is that of indicating a process and device for the authentication of communications, based on the use of chameleon functions, able to overcome the aforesaid drawbacks.
  • a process and device for the authentication of communications is the object of this invention, as better described in the claims, which form an integral part of this description.
  • Figures 1 and 2 illustrate the steps of the process forming the subject of this invention.
  • the Authentication Technique forming the subject of the invention allows a chameleon hash function to be used without the aid of other authentication methods for electronically signing data.
  • a party that wishes to use the chameleon hash functions for authenticating data generates two values, CKR and HKR, in accordance with a given generation algorithm, in itself known.
  • the HKR value is known as the public key and anyone who knows it is able to efficiently calculate the chameleonic hash function, indicated as CHR(m, r).
  • the possessor of CKR (the secret key, known as the "trapdoor") can easily find collisions for a given output value of the chameleon function.
  • the CHR function Given a message mO and a pseudo-random value rO (otherwise known as a seed), the CHR function generates a hash value CHR(mO, rO) that satisfies the following properties:
  • the Authentication Technique forming the subject of the invention provides for the following steps.
  • Y), and considering the collision property of the secret key, the sender A is able to generate a pseudo-random value s1 such that CHR(H (d I Y), s1 ) ⁇ (phase M3, Fig. 1 ).
  • Sender A sends the three values to an addressee B: ⁇ ⁇ > d, s1 >, where Y is known as the "authentication token", d is the data to be authenticated and s1 is the pseudo-random value, (phase M4, Fig. 1 ).
  • Addressee B receives the three values ⁇ Y, d, s1 > (phase D1 , Fig. 2) and calculates:
  • An example of a device that embodies the authentication method forming the subject of the invention thus contemplates a part resident with the sender and a part with the addressee.
  • the part resident with the addressee receives the values ⁇ Y, d, s1 > and performs the calculations described in point 4 above, as in phases D1-D5 in Fig.
  • the device can be implemented via computers of known type resident with the sender and the addressee, opportunely programmed using known programming languages, such as C, C++ or C# for example.
  • the process can be implemented to advantage through programs resident in said computers that include means of coding for implementing one or more steps of the process, when these programs are run on said computers. It is therefore intended that the scope of protection extends to said programs for computers and also to the media that can be read by computer and contain a recorded message, said computer-readable media including program code for implementing one or more steps of the process when said program is run on a computer.
  • the length of the additional information to allow authentication consists in the values Y and s1 (the data d would in fact be sent in any case). These values are smaller with respect to the values required for RSA type authentication algorithms.
  • the authentication of data with RSA implies the generation of a packet with the length of the encoding key, which is typically 2048 bits.
  • s1 can be equal to 1024 bits and v is typically 128 bits long.
  • the security of the proposed scheme resides in the difficulty for an attacker to calculate a collision for a particular value generated via a chameleon function in the absence of the secret key CKR.
  • the chameleonic functions can base their difficulty in calculating a collision, in the absence of the private key, on factorization techniques, such as RSA mentioned above, for example, or on the problem of calculating the discrete logarithm, as reported in the article by T.
  • EIGamal "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms"; IEEE TRANSACTIONS ON INFORMATION THEORY, VOL.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Communication Control (AREA)
  • Storage Device Security (AREA)

Abstract

A process is described for the authentication of communications that allows chameleonic hash functions to be used without the aid of other authentication mechanisms for electronically signing data.

Description

Process and device for the authentication of communications Field of the invention
This invention refers to the field of communications safety and, more precisely, to a process and device for the authentication of communications. Prior art
The authentication of communications can be defined as a process able to certify the origin of the data. Various authentication techniques exist and they are currently used as basic elements for e-commerce applications, home-banking, pay-tv and other applications in which it is necessary to determine the authenticity of transmitted data with a high level of security.
The basic scheme of authentication methods can be summarized as follows. An authenticator party A possesses IT tools and a secret item of information (typically a secret value, known as a key) that fulfil an authentication technique. A is therefore able to create a binding connection between its own identity and the data that it wishes to authenticate.
The validity of the authentication process rests on the fact that third parties C are unable to authenticate the data instead of A, even if they possess the IT tools of which A disposes, because they do not possess the secret item of information. So-called chameleon hash functions are known, such as those defined and described in the article "Chameleon signatures", authors H. Krawczyk and T. Rabin, published in the Proceedings of the 7th Annual Symposium on Network and Distributed System Security, year 2000, pages 143-154, for example. A hash function consists of a special mathematical transformation that, when applied to a document to be signed, maps a so-called "footprint" or "stamp": this is a "summary" composed of a greatly reduced (and constant) number of bits, which unambiguously represents the original document. It is necessary that the hash function employed benefits from certain important properties. Briefly put, we can say that a good hash function must be "non-invertible" and "collision-free". The first property means that given a stamp (namely, the hash of a document), it must not be possible to extract the document from which it derives, while the second means that it must not be possible to find two different documents that produce the same stamp. For example, a standard public-domain hash function that enjoys these and other properties is the hash function known as SHA-1 , described in the publication "FIPS PUB 180-1" edited by the National Institute of Standard -NIST- USA, and available from the Internet site http://www.itl.nist.gov/fipspubs/fip180-1.htm. These functions are used in the known manner in combination with standard asymmetric cryptography techniques, such as the RSA functions for example, described in the article by R. Rivest, A. Shamir and L. Adleman, entitled "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, 21 (2), pp. 120-126, February 1978. The RSA functions implement non-transferable electronic signatures, used precisely for authentication.
These known communications authentication techniques are afflicted by the main drawback of computational complication, which limits their effective use, for example, in many practical situations where processing resources are limited. Summary of the invention
Thus, the object of this invention is that of indicating a process and device for the authentication of communications, based on the use of chameleon functions, able to overcome the aforesaid drawbacks. A process and device for the authentication of communications is the object of this invention, as better described in the claims, which form an integral part of this description.
Brief description of the figures
Objects and advantages of this invention shall become apparent from the detailed description that follows of an embodiment thereof (and of its variants) and the enclosed drawings, given by way of a non-limiting example, in which:
Figures 1 and 2 illustrate the steps of the process forming the subject of this invention.
Detailed description of the invention
The Authentication Technique forming the subject of the invention allows a chameleon hash function to be used without the aid of other authentication methods for electronically signing data. According to the general aspects of the method forming the subject of the invention, a party that wishes to use the chameleon hash functions for authenticating data generates two values, CKR and HKR, in accordance with a given generation algorithm, in itself known.
The HKR value is known as the public key and anyone who knows it is able to efficiently calculate the chameleonic hash function, indicated as CHR(m, r).
The possessor of CKR (the secret key, known as the "trapdoor") can easily find collisions for a given output value of the chameleon function. Given a message mO and a pseudo-random value rO (otherwise known as a seed), the CHR function generates a hash value CHR(mO, rO) that satisfies the following properties:
- collision resistance: an efficient algorithm that knowing only the public key HKR can find the two pairs (mO, rO) and (ml , M ), where mO <> ml and/or rO <> M , such that CHR(m0, rO) = CHR(m1 , M ), does not exist. This is due to the fact that all messages m induce the same distribution probability on CHR(m0, rO) for a value "r" chosen in a uniformly random manner.
- secret key collision: there is an efficient algorithm that taking the secret key CKR, any pair mO, rO and any ml as input, finds a value r1 such that CHR(m0, rO) = CHR(m1 , r1).
More in particular, the Authentication Technique forming the subject of the invention provides for the following steps.
1. Let d be the data to authenticate, HKR the public key and CKR the secret key of a chameleonic function, and CHR(m, r) an application of a chameleonic function, in itself known. Lastly, let H and H be two different standard hash functions, based on the above-mentioned SHA-1 standard for example. Note that CHR :< {0; 1}w , {0; 1}w > → {0; 1}2*, where typical values of w could be 1024, and vary in function of the chosen security level and the particular function chosen for implementation.
2. A sender A chooses two values mO and rO in a pseudo-random manner and calculates: β = CHR(m0, rO), (phase M1 , Fig. 1 ) Y = H(β), (phase M2, Fig. 1 ) Given mO, rO and the value H(d | Y), and considering the collision property of the secret key, the sender A is able to generate a pseudo-random value s1 such that CHR(H (d I Y), s1 ) = β (phase M3, Fig. 1 ).
3. Sender A sends the three values to an addressee B: < γ> d, s1 >, where Y is known as the "authentication token", d is the data to be authenticated and s1 is the pseudo-random value, (phase M4, Fig. 1 ).
4. Addressee B receives the three values < Y, d, s1 > (phase D1 , Fig. 2) and calculates:
• δ = CHR( H (d I Y), s1 ), (phase D2, Fig. 2).
• In phase D3 (Fig. 2), checks that the equivalence H(δ ) = Y is satisfied. If so, then the authentication of the data d is considered as having been successfully performed by addressee B (phase D4, Fig. 2), because only A who possesses the secret key CHR is able to generate s1 in a manner for which CHR( H (d | Y), s1 ) = H(δ) = \. Instead, if the equivalence H(δ ) = Y is not satisfied, authentication fails, phase D5, Fig. 2. Third parties cannot sign data d instead of A because an efficient algorithm does not exist that, knowing only As public key HKR, can find a pair mθ, rO and H(d |
Y), s1 such that CHR(m0, rO) = CHR( H (d | Y), S1 ).
An example of a device that embodies the authentication method forming the subject of the invention thus contemplates a part resident with the sender and a part with the addressee.
The part resident with the sender performs the calculations described in point 2 above, determines the values < Y, d, s1 > and transmits them to the addressee, as in phases M1-M4 in Fig. 1.
The part resident with the addressee receives the values < Y, d, s1 > and performs the calculations described in point 4 above, as in phases D1-D5 in Fig.
2.
The device can be implemented via computers of known type resident with the sender and the addressee, opportunely programmed using known programming languages, such as C, C++ or C# for example. The process can be implemented to advantage through programs resident in said computers that include means of coding for implementing one or more steps of the process, when these programs are run on said computers. It is therefore intended that the scope of protection extends to said programs for computers and also to the media that can be read by computer and contain a recorded message, said computer-readable media including program code for implementing one or more steps of the process when said program is run on a computer. The advantages deriving from the application of this invention are evident. The proposed authentication method allows:
- checking the authenticity of data, incurring a reduced computational cost with respect to other similar techniques (the above-mentioned RSA for example), thanks to the particular efficiency in implementing the chameleon hash functions, based in particular on the techniques described in the above-mentioned article "Chameleon signatures". In fact, while the RSA authentication algorithm requires a computational cost in checking the authenticity of a message equal to O(|z|2), where |z| is the length in bits of the message to authenticate, a "claw-free" implementation allows a cost of only O(|z|) to be incurred. The computational cost is found to be similarly advantageous also in the generation phase of authenticated data.
- reducing the size of the data sent to the addressee for allowing data authentication. In particular, it can be noted that the length of the additional information to allow authentication consists in the values Y and s1 (the data d would in fact be sent in any case). These values are smaller with respect to the values required for RSA type authentication algorithms. The authentication of data with RSA implies the generation of a packet with the length of the encoding key, which is typically 2048 bits. To have the same level of security using the proposed authentication method, s1 can be equal to 1024 bits and v is typically 128 bits long.
- guaranteeing the authenticity and non-repudiation properties of the data. In fact, only the possessor of the secret key can generate the pseudo-random value s1 such that:
CHR( H (d I Y), s1 ) = CHR(m0, rθ) = β. - resistance to attacks. The security of the proposed scheme resides in the difficulty for an attacker to calculate a collision for a particular value generated via a chameleon function in the absence of the secret key CKR. In particular, the chameleonic functions can base their difficulty in calculating a collision, in the absence of the private key, on factorization techniques, such as RSA mentioned above, for example, or on the problem of calculating the discrete logarithm, as reported in the article by T. EIGamal: "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms"; IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-31 , NO. 4, JULY 1985, pp. 469-472. These and other characteristics render the authentication method forming the subject of the invention advantageously applicable to the field of communications between devices of limited processing capacity, such as mobile phones or networks of sensors, for example. In point-to-point or point-to-multipoint communications.
Other embodiments for the described non-limitative example are possible, without however departing from the scope of protection of this invention, including all of the equivalent embodiments for a person skilled in the art. From the above-provided description, a person skilled in the art is able to realize the subject of the invention without introducing further constructional details.

Claims

1. A process for the authentication of communications based on the use of chameleon hash functions, characterized in that it includes the phases of: a)- providing data (d) to authenticate, a public key (HKR) and a secret key (CKR) of a chameleon function, an application of a chameleon function (CHR(m, r)), and two different standard hash functions (H and H). b)- in a generation phase:
- choosing two values (mθ, rO) in a pseudo-random manner;
- calculating the values: β = CHR(m0, rO) and Y = H(β)
- given mθ, rO, and a value H(d | Y), generating a pseudo-random value (s1 ) such that: CHR(H (d | Y), s1 ) = β (phase M3, Fig. 1 )
- generating three values: < Y, d, s1 >. c)- in an authentication phase, based on said three values < Y, d, s1 >: - calculating δ = CHR( H (d | Y), S1 )
- checking the equivalence: H(δ ) = Y
- if said equivalence is satisfied, then said data d is authenticated;
- if said equivalence is not satisfied, then said data d is not authenticated.
2. A process for the authentication of communications based on the use of chameleon hash functions, characterized in that it includes the phases of: a)- having data (d) to authenticate, a public key (HKR) and a secret key (CKR) of a chameleon function; an application of a chameleon function (CHR(m, r)), and two different standard hash functions (H and H). b)- in a generation phase: - choosing two values (mθ, rO) in a pseudo-random manner;
- calculating the values: β = CHR(m0, rO) and Y = H(β)
- given mθ, rO, and a value H(d | Y), generating a pseudo-random value (s1 ) such that: CHR(H (d | Y), s1 ) = β (phase M3, Fig. 1 ) - generating three values: < Y, d, s1 >.
3. A process for the authentication of communications based on the use of chameleon hash functions, characterized in that it includes the phases of: a)- having data (d) to authenticate, a public key (HKR) and a secret key (CKR) of a chameleon function; an application of a chameleon function (CHR(m, r)), and two different standard hash functions (H and H). b)- having three values < Y, d, s1 > generated in a generation phase including the phases of:
- choosing two values (mθ, rO) in a pseudo-random manner
- calculating the values: β = CHR(mO, rO) and Y = H(β)
- given mθ, rO, and a value H(d | Y), generating a pseudo-random value (s1 ) such that: CHR(H (d | Y), s1 ) = β (phase M3, Fig. 1 )
- generating three values: < Y, d, s1 >. c)- calculating δ = CHR( H (d | Y), S1 );
- checking the equivalence: H(δ ) = Y;
- if said equivalence is satisfied, then said data d is authenticated; - if said equivalence is not satisfied, then said data d is not authenticated.
4. A process for the authentication of communications according to claim 2 or 3, characterized in that said three values < Y, d, s1 > are transmitted and/or received.
5. A device for the authentication of communications based on the use of chameleon hash functions, characterized in that it includes means for the embodiment of the process in claim 1.
6. A device for the authentication of communications based on the use of chameleonic hash functions, characterized in that it includes means for the embodiment of the process in claim 2.
7. A device for the authentication of communications based on the use of chameleonic hash functions, characterized in that it includes means for the performing the process in claim 3.
8. A computer program that includes program code suitable for performing the steps of any of the claims 1 to 4, when said program is run on a computer.
9. Computer-readable media including a recorded program, said computer- readable media including program code suitable for carrying out the steps of any of the claims 1 to 4, when said program is run on a computer.
PCT/EP2005/057176 2004-12-27 2005-12-27 Process and device for the authentication of communications WO2006069994A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ITRM20040642 ITRM20040642A1 (en) 2004-12-27 2004-12-27 PROCEDURE AND DEVICE FOR COMMUNICATION AUTHENTICATION.
ITRM2004A000642 2004-12-27

Publications (2)

Publication Number Publication Date
WO2006069994A2 true WO2006069994A2 (en) 2006-07-06
WO2006069994A3 WO2006069994A3 (en) 2006-08-24

Family

ID=36481225

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2005/057176 WO2006069994A2 (en) 2004-12-27 2005-12-27 Process and device for the authentication of communications

Country Status (2)

Country Link
IT (1) ITRM20040642A1 (en)
WO (1) WO2006069994A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008149029A2 (en) * 2007-05-23 2008-12-11 France Telecom Digital signature delegation
CN114710298A (en) * 2022-06-02 2022-07-05 深圳天谷信息科技有限公司 Method, device, equipment and medium for batch signature of documents based on chameleon Hash

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6108783A (en) * 1998-02-11 2000-08-22 International Business Machines Corporation Chameleon hashing and signatures

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6108783A (en) * 1998-02-11 2000-08-22 International Business Machines Corporation Chameleon hashing and signatures

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ATENIESE G ET AL: "Identity-based chameleon hash and applications" FINANCIAL CRYPTOGRAPHY. 8TH INTERNATIONAL CONFERENCE, FC 2004. REVISED PAPERS. (LECTURE NOTES IN COMPUT. SCI. VOL.3110) SPRINGER-VERLAG BERLIN, GERMANY, 2004, pages 164-180, XP002383659 ISBN: 3-540-22420-3 *
KRAWCZYK,RABIN: "Chameleon Signatures" ANNUAL SYMPOSIUM ON NETWORK AND DISTRIBUTED SYSTEM SECURITY, [Online] 2000, pages 1-12, XP002383658 Retrieved from the Internet: URL:http://www.cs.ut.ee/~lipmaa/crypto/lin k/signature/trapdoor.php> [retrieved on 2006-06-02] *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008149029A2 (en) * 2007-05-23 2008-12-11 France Telecom Digital signature delegation
WO2008149029A3 (en) * 2007-05-23 2009-04-16 France Telecom Digital signature delegation
CN114710298A (en) * 2022-06-02 2022-07-05 深圳天谷信息科技有限公司 Method, device, equipment and medium for batch signature of documents based on chameleon Hash

Also Published As

Publication number Publication date
ITRM20040642A1 (en) 2005-03-27
WO2006069994A3 (en) 2006-08-24

Similar Documents

Publication Publication Date Title
Park et al. Constructing fair-exchange protocols for E-commerce via distributed computation of RSA signatures
EP2707990B1 (en) Procedure for a multiple digital signature
CA2228185C (en) Verification protocol
US9882890B2 (en) Reissue of cryptographic credentials
US20120096274A1 (en) Authenticated encryption for digital signatures with message recovery
WO2012049629A1 (en) Authenticated encryption for digital signatures with message recovery
KR0144086B1 (en) Electronic signature mathod
Hwang et al. An untraceable blind signature scheme
WO2012156254A1 (en) A method for performing a group digital signature
Mansour Analysis of RSA digital signature Key generation using strong prime
Kumar et al. An efficient implementation of digital signature algorithm with SRNN public key cryptography
Chande et al. An improvement of a elliptic curve digital signature algorithm
Stallings Digital signature algorithms
JP4307589B2 (en) Authentication protocol
Andreevich et al. On Using Mersenne Primes in Designing Cryptoschemes
WO2006069994A2 (en) Process and device for the authentication of communications
Wang et al. Signature schemes based on two hard problems simultaneously
Wu et al. Self-certified multi-proxy signature schemes with message recovery
Pathan et al. Bilinear-pairing-based remote user authentication schemes using smart cards
US20110113253A1 (en) Enhanced digital signatures algorithm method and system utilizing a secret generator
Jain Digital signature algorithm
Chande et al. An elliptic curve based multi-signature scheme for wireless network
JP2004222333A (en) Method for enabling user to check legality of electronic commerce/information service provider
Tripathi et al. An Extension to Modified Harn Digital Signature Scheme with the Feature of Message Recovery
Lee et al. The security of two ID-based multisignature protocols for sequential and broadcasting architectures

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 05850499

Country of ref document: EP

Kind code of ref document: A2