A signature scheme from the finite field isomorphism problem

Abstract In a recent paper the authors and their collaborators proposed a new hard problem, called the finite field isomorphism problem, and they used it to construct a fully homomorphic encryption scheme. In this paper, we investigate how one might build a digital signature scheme from this new problem. Intuitively, the hidden field isomorphism allows us to convert short vectors in the underlying lattice of one field into generic looking vectors in an isomorphic field.


Introduction
In [3], the authors and their collaborators presented a new hard problem, the Finite Field Isomorphism Problem. We briefly recall the problem here. Let q be a prime, let Fq be the finite field with q elements, and let f (x) ∈ Fq[x] and F(y) ∈ Fq[y] be irreducible monic polynomials of degree n. Then are isomorphic fields with q n elements. As usual, we identify elements of X and Y with vectors having integer coordinates between − 1 2 q and 1 2 q, and we use this identification measure the size of field elements. It is then an experimental observation that, except for trivial cases, the isomorphism X → Y does not respect the Archimedian property of size. Indeed, when f and F are distinct monic irreducible polynomials, it is observed that polynomials within a sphere of small radius in X appear to be essentially uniformly distributed in Y, with respect to both the L ∞ and the L 2 norms.

Definition 1. Finite Field Isomorphism Problems (FFI):
Let k ≥ 1 be an integer, let X and Y be as in (1), let ϕ be an isomorphism ϕ : X ∼ − → Y, let 1 ≤ β ≤ 1 2 q be a parameter, and let X[β] denote the set of a(x) ∈ X with L ∞ -norm bounded by ‖a‖ ≤ β. Choose a 1 (x), . . . , a k (x) uniformly and randomly from X[β], and let A i = ϕ(a i ) for 1 ≤ i ≤ k be the corresponding images in Y.
The Computational FFI problem (CFFI): Given Y and the list of polynomials A 1 (y), . . . , A k (y), recover f (x) and/or one or more of a 1 (x), . . . , a k (x).
The Decisional FFI problem (DFFI): Let ϵ > 0. Let b 1 (x) be randomly chosen in X[β], let B 1 (y) = ϕ(b 1 ), and let B 2 (y) be randomly chosen in Y. Given the data Y, A 1 (y), . . . , A k (y), and given the pair }︀ in a random order, identify, with probability greater than 1/2 + ϵ, which element of the pair was constructed using ϕ. Remark 1. Under reasonable independence assumptions and for reasonable parameters, the CFFI has a unique solution. Thus for randomly chosen F(y) and A 1 (y), . . . , A k (y), it is an exercise to estimate the probability that there exists an f (x) ∈ X[β] and a 1 (x), . . . , a k (x) ∈ X[β] and an isomorphism X → Y sending a i to A i for all 1 ≤ i ≤ k. This probability is roughly n −1 (︀ (2β + 1) k+1 /q k ) n .
In [3], the authors gave a detailed construction of how to build an isomorphism X → Y, described a preliminary analysis of the hardness of the FFI problems, and constructed a new fully homomorphic encryption scheme from the decisional version of the FFI problem. In this paper we explain how to build a signature scheme from the computational version of the FFI problem via the following framework, where we refer the reader to Section 3.3 for the definitions of the lattices L h and L H .
1. Generate a signature s, which is a a short vector within or close to a lattice L h related to the hidden field X.
2. Publish its image S ∈ Y, and demonstrate the validity of the signature by showing a relationship between S and a lattice L H related to the public field Y.
Since we have assumed that the map X → Y behaves like a random mapping, there is a negligible probability that the public lattice L H will have any exceptionally short vectors. Therefore, we can build trapdoors using short vectors in L h without the necessity of concealing the trapdoor from the attacker. This allows us to use very efficient methods to generate s. As an example, we will show how this can be done using NTRU lattices Verification is still possible due to the homomorphic property of the map X → Y, but various lattice attacks on the public key, e.g., searching for the trapdoor from the lattice, are blunted or eliminated due to the non-linear nature of the isomorphism X → Y.
In this paper, we instantiate the above idea using the pqNTRUSign signature scheme [8][9][10], a candidate in the NIST PQC competition [17]. We name this new scheme pqFFSign.
We briefly recall that an NTRU lattice L is a built using a ring of the form X : , where f (X) = X N ± 1 or some similar polynomial with small coefficients [9]. More precisely, one creates a sublattice of X × X by choosing small secret polynomials and taking solutions to a congruence modulo a public integer q. The private key is the short lattice vectors coming from the small polynomials, and the public key is a basis consisting of long vectors. The secret short vectors, as usual, can be used to solve approximate closest vector problems, and a signature in the pqNTRUSign scheme consists of a solution to an appr-CVP, where an additional congruence modulo a small prime p is used to tie the document to the signature. Details are given in the cited references, but the important point is that the NTRU ring and the NTRU lattice are public values, and the NTRU lattice contains one or more very short vectors, a property that could potentially be exploited by lattice reduction algorithms.
The key idea in the present paper is that we do not allow the attacker to see the lattice X, which contains one or more vectors that are considerably shorter than predicted by the Gaussian heuristic. Instead, we use the isomorphism X → Y to transfer the entire problem to a lattice that does not have any especially short vectors. In this way, some previously described attacks against the private key of NTRU lattices, such as the hybrid attack [11], become impossible, since the very short vectors that exist in an NTRU lattice are mapped to random-looking vectors in the image lattice. However, even for pqFFSign, forgery attack via transcript analysis is still possible, so we rely as usual on rejection sampling [4,13] to seal the information leakage in transcripts. Due to space constraints, we omit a full description and analysis of rejection sampling here, but it is easy to adapt the material already described in the original pqNTRUSign paper.

Lattice-based signatures and rejection sampling.
Signature schemes based on hard lattice problems have a history of almost 20 years. Early lattice-based signature schemes, such as GGHSign [6] and NTRUSign [7], leaked private key information via transcripts of message/signature pairs. An attacker could create a signing key from a long enough transcript using methods for "learning a parallelepiped" [5,16].
In [13], Lyubashevsky proposed a rejection sampling method to thwart transcript leakage attacks. Using his technique, signatures are produced according to a fixed public distribution, typically either a Gaussian or a uniform distribution. A transcript reveals only this public distribution, and contains no information about the particular signing key that is used to generate the signatures. This technique has become the de facto method for avoiding transcript leakage in lattice-based signature schemes; cf. as [4,8,10,14]. However, to ensure that the output signature follows a given distribution, a large number of randomly generated candidate signatures may need to be rejected before a suitable signature is accepted. This may significantly slow down the signing procedure.

Notation
and F(y) ∈ Fq[y] be monic irreducible polynomials of degree n. We use f and F to construct two copies of F q n , which we denote by X := Fq[x]/(f (x)) and Y := Fq[y]/(F(y)), and we let ϕ : X → Y be an isomorphism of fields. In general, polynomials denoted by lower case letters will be polynomials in X, and their isomorphic images in Y will be denoted with the corresponding capital letters. A vector form of a polynomial is the vector consisting of all coefficients of the given polynomial. We will often identify polynomials and vectors when there is no ambiguity.
Consider a polynomial a(x) = a 0 + a 1 x + · · · + a n−1 x n−1 ∈ X. We will informally say that a(x) is short if for all i, the congruence class a i mod q reduced into the interval (−q/2, q/2] is small relative to q. An important class of such polynomials are those satisfying a i ∈ {−1, 0, 1}; these are called trinary polynomials. We denote by ‖a‖ = max 0≤i≤n−1 |a i | and ‖a‖ 2 = (a 2 0 + · · · + a 2 n−1 ) 1/2 the L ∞ -norm and the L 2 -norm of a, respectively, where it is understood that the coefficients of a are normalized to lie in the interval (−q/2, q/2]. N.B. In our notation, the unsubscripted absolute value ‖ · ‖ is the L ∞ -norm, not the usual Euclidean L 2 -norm. We now list some additional notation that is used in the rest of this paper: U is an n-by-n invertible matrix with small entries, e.g., in {−1, 0, 1}.

Two Uniformity Heuristics
We start with a heuristic which says that polynomials in Fq[x] with small coefficients are as likely to be irreducible as random polynomials. Heuristic 1 is based on the very reasonable assumption that monic irreducible polynomials are uniformly distributed over Fq[x] with respect to the L ∞ -norm, together with the well known prime number theorem for function fields, which states that the number of distinct irreducible monic polynomials of degree n in Fq[x] is on the order of q n /n; see [12, Chapter 7, Section 2, Corollary 2]. Similarly, classical primality tests for integers such as Miller-Rabin [15,18] are easily adapted to the function field setting. It is thus easy to check, at least with very high probability, whether a given polynomial is irreducible, and the probability of success is roughly 1/n. We invoke Heuristic 1 primarily to ensure that the signer will be able to find a pqFFSign private key. It also could help with combinatorial security in the sense that it says that the space of pqFFSign private keys is too large to search. However, since there does not appear to be an algorithm that directly lists the irreducible polynomials in the set of bounded coefficient polynomials, the actual combinatorial security comes from the size of the full set of bounded coefficient polynomials.
We will also mention the following additional uniformity heuristic on inverses, which might help in future security analyses of pqFFSign. However, we note that this heuristic is not related to the hardness of the finite field isomorphism problem. This is similar to various well-established assumptions. Uniformity of products of the form and U 2 small-entry circulant matrices, was used in analyzing the security of NTRUEncrypt [9]. If we instead choose the coefficients of U 1 and U 2 from a discrete Gaussian distribution for certain parameters, then it is proven in [19] that U −1 1 U 2 is almost uniformly distributed in GLn(Fq). We note that Heuristic 2 says that when our secret basis c 1 (x), . . . , cn(x) for X is written as linear combinations of the (almost) standard basis x, x 2 , . . . , x n , the coefficients of those linear combinations look reasonably random in Fq.

The pqFF-Sign Signature Scheme
For this section, we fix the following parameters: • n, the degree of the polynomials f (x) and F(Y).
• β, a size parameter satisfying 1 ≤ β ≤ 1 2 q, used to specify the size of the coefficients of a "small" polynomial.
• p, a (very small) prime different from q. • B, a closeness parameter, used to determine if a claimed signature is a good enough solution to a CVP to be a valid signature.

An Algorithm to Find an Isomorphism
We recall how to find suitable polynomials f (x) and F(y) and an explicit isomorphism as described in more detail in [3]. Recall that we need to find four polynomials f , F, ϕ, ψ satisfying: is irreducible monic of degree n with random coefficients.
• F(y) The key idea here is that x will be identified with ϕ(y) and y will be identified with ψ(x), and the conditions on ϕ and ψ say that this identification gives an explicit isomorphisms. The algorithm for finding these quantities is sketched in Algorithm 1. )︀ ≡ y (mod F(y)).

The Detailed Scheme
The pqFFSign signature scheme uses three algorithms: K G , S and V . In addition it also requires a Hash function that maps a document and a public key into a 2n-dimensional vector with small coefficients. We assume as usual that Hash is a cryptographically secure hash function in which each bit of the given document and each bit of the given public key affects every bit of the output.

Key generation
The key generation algorithm K G (λ) → pk, sk takes as the input a bit-security parameter λ, i.e., the goal is a scheme whose running time is O(2 λ ). It outputs a public key pk and a secret key sk as follows: -Generate a parameter set Ξ = {n, p, q, β, B} as a function of λ, where in particular p is a small integer, co-prime to q, satisfying p n/2 ≥ 2 λ . (This ensures that a collision search on a set of size p n is infeasible for the desired bit-security.) -Generate a finite field isomorphism {f , F, ϕ, ψ} as described in Section 3.1.
-Generate polynomials a(x) and b(x) in Fq[x] with coefficients bounded by β.
-Generate (δ, ϵ) satisfying: and with the property that the polynomials satisfy the relation in the field X. An algorithm to compute a valid pair (δ, ϵ) is given in Section 3.3. -Output: The signature is the pair σ := (δ, ϵ).

Verification
The verification algorithm V (µ, σ, pk) → ACCEPT/REJECT takes a message µ, a signature σ, and a public key pk as the input. It first uses the message and the public key to compute (δ, ϵ) := Hash(µ, pk).
It then checks the validity of the following conditions: (See Remark 3 for the purpose of these conditions.) Output: ACCEPT if (4), (5), and 6 are true, REJECT otherwise.
Remark 3. The mod p conditions in (4) and (5) for δ and ϵ serve to link the signature to the document and to the public key. The equality (6) and the norm conditions in (4) and (5) give a relation in Y that reflects a relation among short vectors in X.
Remark 4. A comparison shows that the primary difference between pqNTRUSign and pqFFSign is that in the former, signatures are created by using polynomials in the ring )︀ whose coefficients are small relative to the standard basis 1, x, . . . , x n−1 , while in the latter we use polynomials with small coefficients relative to the basis c 1 (x), . . . , cn(x). The advantage of this approach is that the verifier only sees a relation involving C 1 (y), . . . , Cn(y) in Y.
Remark 5. The polynomials c 1 (x), c 2 (x), . . . , cn(x) form an Fq-basis for X, and C 1 (y), C 2 (y), . . . , Cn(y) form an Fq-basis for Y. Each C j (y) is the image of the corresponding c j (x) under the isomorphism that sends x ↦ → ϕ(y). This same isomorphism preserves the coefficients of linear combinations of the c j (x), that is, The key property on which pqFFSign is based is the relation (2) and the fact that the coefficients of U are small, from which it follows that each of the monomials x, x 2 , . . . , x n is a linear combination of the c j (x) with small coefficients. From this it follows that any polynomial in x with small coefficients can in turn be written as a polynomial in c j (x) with small coefficients. Note that Heuristic 2 says that the converse will not be true, i.e., it says that the coefficients of the c j (x) will be uniformly distributed mod q.

Algorithm To Find (δ, ϵ)
We note that the choice of the security parameter B provides a balance between combinatorial security (large B is good) and the difficulty of generating a valid signature using the private key (small B is good).

Definition 2. For any polynomial h(x)
)︀ , we define the associated NTRU lattice to be the 2n-dimensional lattice Similarly for L H . We note that )︀ is a short vector in L h , but its image in L H is unlikely to be short.
1. For j = 1, . . . , n, choose δ (0) j at random such that |δ (0) j | < 1 2 q − B and δ (0) j ≡ δ j (mod p) and set Note that by construction we have If all of the η j lie in the interval (− 1 2 q + B, 1 2 q − B], proceed to Step (iv); otherwise go back to Step (i) and choose new values for the δ (0) j . (For appropriate choices of parameters, the probability of success at this step is reasonably high; see [8] for details. As described in [8], this step may be used to implement rejection sampling, which provides security against transcript attacks.) 4. Construct The procedure for this step is sufficiently complicated that we give the details in Section 3.3.1.

Set s(x) = s 0 (x) + u(x) and t(x) = t 0 (x) + v(x). Write s(x) and t(x) as linear combination of the basis polynomials c
1 (x), . . . , cn(x) as in (3), and read off the coefficients of those linear combinations to create the vectors δ and ϵ that form the signature.

Details of Step 4
To construct the desired

(︀ u(x), v(x)
)︀ , we construct an appropriate r(x) which is short, and set

u(x) = pr(x)a(x) and v(x) = r(x)b(x).
We want to find an r(x) that satisfies and also satisfies Suppose first that we have any r(x) that is sufficiently short. Since a(x) is short, we see that r(x)a(x) is also short, and we may write Then the δ (u) j s in the formula As long as all of the d i and all of the entries of U are sufficiently small, we will have |δ (u) j | < B and δ (u) j ≡ 0 (mod p) for all j. Thus for whatever sufficiently short r(x) we choose, the δ (u) j ≡ 0 (mod p) condition will hold.
We turn now to finding a short r(x) that satisfies

To accomplish this, write b(x)
Let B denote the matrix whose i, j entry is b i,j and consider the product BU. The entries of BU are small because the b i,j and the entries of U are small. For any we have To solve for r(x), first define This accomplishes the goal

Security Considerations
We highlight some of best known attacks. Due to page limitations, we leave other (less effective) known attacks in the appendix.

The Size of B
The key point is to choose B in such a way that the final signature lies inside an appropriate subset of the (− 1 2 q, 1 2 The coefficients r ′ i lie in the interval (−p/2, p/2]. Let K be chosen to be the maximum of the absolute values of the entries of BU. Then each |δ (v) j | will be bounded above by a constant multiple of pK √ n. The same almost applies to |δ (u) j |, but because of the multiple of p it will be larger by a factor of p unless some scaling is done to compensate for this, for example, by choosing the original δ (0) j from an interval smaller than (−q/2, q/2]. So B must be on the order of pK √ n. The size of K will be optimal when U and B are as sparse as possible.

Recovering the Isomorphism/Solving CFFI Problem
The attacker is given polynomials C 1 (y), . . . , Cn(y) ∈ Y that are the images of unknown short polynomials c 1 (x), . . . , cn(x) ∈ X via an unknown isomorphism X → Y. For the general CFFI problem, if the attacker knows at least 2n elements of Y that are images of short elements of X, then she can set up a mixed lattice/combinatorial attack to recover the short elements of X and the isomorphism X → Y. See Section B in the appendix for details. This attack requires 2n elements, but the public key for pqFFSign provides the attacker with only n images of short elements of X, not 2n. So the attack would seem to fail at this point. However, the fact that f (x) is small means that products of small elements of X remain reasonably small. Indeed, that is a key fact being exploited by pqFFSign. So for 1 ≤ i ≤ n, the attacker can create additional elements by taking products such as C n+i (y) := C 1 (y)C i (y) mod F(y) in Y, and these new elements of Y will be images of somewhat small elements of X. This may allow the attack described in Section B to proceed, with the caveat that the target vectors will now be considerably larger than in the basic version of the CFFI problem. On the other hand, since the coordinates of the target vectors will now consist of n very small numbers and n moderately small numbers, the targets are unbalanced. So a full analysis of the underlying lattice problem requires balancing the lattice to account for this imbalance in the targets' coordinates.

Recovering the Unique Shortest Vector
There are two main security concerns that determine parameters in pqNTRUSign. One is the problem of recovering the private key from the public NTRU key, and the other is the problem of forgery. Of these, the one that has the biggest impact on parameter size is the public key to private key problem. This is because, to make rejection sampling efficient, the q needs to be chosen large compared to n. This makes the lattice problem somewhat easier and forces an increase in the size of n. The forgery problem requires smaller parameters to achieve the same security levels.
In this context there appear at first to be two NTRU-type problems : Recovering a(x), b(x) from h(x), and recovering the corresponding polynomials A(y), B(y) from H(y). However, the polynomial h(x) is private and is only revealed if the underlying isomorphism is discovered, in which case the scheme is considered broken. So this lattice problem does not apply to pqFFSign.
On the other hand, the polynomial H(y) is public, but the corresponding problem of recovering A(y), B(y) from H(y) is not a lattice problem because A(y) and B(y) are polynomials with coefficients that are essentially random mod q, so they are not short. This is a consequence of the fundamental observation that the isomorphism between the two copies of F q n does not respect the archimedian properties of the polynomials' coefficients. Further, since A(y) and B(y) are not short, recovery of them does not appear to be helpful to the attacker.
There is a lattice attack to recover the matrix U from the C j (y), and this would suffice to break the scheme, but the dimension of the lattice required to solve this problem is at least n 2 . We describe this attack in Section C. For all of these reasons, it thus appears that it suffices to set parameters to avoid forgery attacks, and this should allow for smaller signatures and better operating characteristics. In particular, by choosing the small prime p as close as possible to √ q, we can make the Gaussian defect of a solution very close to one, which thus makes lattice reduction attacks very difficult even in relatively small dimensions.

Conclusion and Future Work
In this work we present a signature scheme (partially) based on the Computational Finite Field Isomorphism Problem (CFFI). Future research directions include: The hardness of the finite field isomorphism problem: In this paper, we have indicated several ways in which one might try to solve the CFFI problem. However, the quantitative difficulty of the CFFI problem is presently unclear.

Average-case/worse-case hardness:
There exists an easy instance of the CFFI problem, namely when f (x) = F(y). It would be of interest to prove that random (or even, all) instances of the CFFI problem with f (x) ≠ F(y) are equally difficult.

Transcript security and rejection sampling:
A sufficiently long raw pqNTRUSign transcript allows an attacker to reconstruct a short lattice basis due to the way in which signatures are generated. The use of rejection sampling eliminates this attack by leading to transcripts that are independent of the underlying lattice. (See [8] for details.) Similarly, raw pqFFSign reveals a transcript of short vectors (δ, ϵ) that may contain information about f or (a, b) or U. We expect that rejection sampling can be used to produce key-independent transcripts. Formulating and proving such a result should not be hard, but remains to be done.

Security reduction between pqFFSign and CFFI:
It is clear that the security of pqFFSign, the signature scheme that we have proposed in this paper, relies on the difficulty of CFFI. The converse is not clear. It would be quite interesting to give a security reduction showing, say, that breaking pqFFSign plus an algorithm solving some sort of standard hard CVP lattice problem is equivalent to solving the CFFI problem.

Analyze the balanced lattice attack :
As discussed in Section 4.2, the lattice attack (Section B) on the pure CFFI problem needs to be balanced before being applied to pqFFSign. Doing this will yield constraints on the various parameters required to achieve a desired level of security. Further, even if the lattice attack succeeds completely, there is still what appears to be a difficult combinatorial problem to solve. This combinatorial problem deserves further study.
Next, using the formulas

we have δC(y)H(y) = ϵC(y).
That is, (δ, ϵ) is also in the lattice (δ, ϵ) ∈ L 2 := RowSpan We observe that any vector in the intersection L 1 ∩ L 2 is a potential signature. We have where the last equality uses the assumption that gcd(p, q) = 1. Hence the Gaussian heuristic for the shortest nonzero vector in L 1 ∩ L 2 is Further, we se that the L 2 norm of the target vector is bounded by ⃦ ⃦ (δ, ϵ) This yields the root Hermite factor . Hence a lattice attack will be infeasible if we choose parameters to ensure that where exp is chosen to be the experimental Hermite factor expected to be achievable via lattice reduction algorithms. For example, using the LLL-BKZ 2.0 algorithms, a Hermite factor = 1.005 seems to be secure; see [2].

B A Combined Lattice-Combinatorial Attack on the CFFI Problem
We consider the CFFI problem under the assumption that k ≥ 2n, so the attacker is given polynomials A 1 (y), . . . , A k (y) ∈ Y that are the images of polynomials a 1 (x), . . . , a k (x) ∈ X having small coefficients. We identify a polynomial C(y) = C 0 + · · · + C n−1 y n−1 ∈ Y with the row vector C := (C 0 , . . . , C n−1 ) ∈ F n q , and similarly for elements of X. Then the (unknown) isomorphism ψ : Y → X is given by an n × n matrix Ψ, i.e., Ψ is the matrix of ψ relative to the bases {1, . . . , y n−1 } of Y and {1, . . . , x n−1 } of X. Note that with this notation, we have ψ (︀ C(y) )︀ = CΨ. We form four n × n matrices In other words, the rows of M are the vectors A 1 , . . . , An, and similarly for the other matrices. Then by assumption we have the matrix formulas MΨ = m and NΨ = n, and thus NM −1 m = n, where all computations are done in Fq. Note that although the matrix Ψ has unknown random coefficients, the matrices m and n have unknown small coefficients, and the matrices M and N are known. So this last formula will allow us to describe a known lattice with unknown short target vectors.
For each 1 ≤ t ≤ n, let v t := (︂ column vector whose first n coordinates are the t th -column of m and whose second n coordinates are the t th -column of n. where we have, as usual, lifted numbers from Fq to an interval centered at 0. Then the relation NM −1 m = n tells us that v t ∈ L := ColumnSpan To ease notation, we write N = 1 2 n(n + 3) for the number of variables, we write t = (v i , w ij , u 3,k ) for the vector consisting of these variables, and we let M be the N × n matrix giving the system of linear equations over Fq.
Then we obtain a matrix formula (n 2 − n), so we expect ‖t‖ to be roughly n √ 14/9. On the other hand, the Gaussian expected length of the shortest non-zero vector in the lattice is roughly √︀ n 2 /πe · (q n ) 1/n 2 ≈ 0.1 · n · q 1/n .
Thus even for quite large values of q, the target vector is likely to be considerably larger than many other (useless) short vectors in the lattice. For example, if n = 100, then the target only becomes a likely shortest vector if q > 10 111 .

D A Non-Linear Attack
It is possible to use multiplication and reduction modulo F(y) in Y to set up an attack in which one has to find small solutions to certain non-linear equations. Such problems appear to be completely infeasible, which we illustrate with a toy example with n = 3. The attacker knows the polynomials c ′ (y) = c ′ 0 + c ′ 1 y + c ′ 2 y 2 , c ′′ (y) = c ′′ 0 + c ′′ 1 y + c ′′ 2 y 2 , h(y) = y 2 + h 0 y + h 1 .
Expanding and reducing modulo y 3 + y + 1, we find that