CN105187218B - A kind of digitized record signature, the verification method of multi-core infrastructure - Google Patents
A kind of digitized record signature, the verification method of multi-core infrastructure Download PDFInfo
- Publication number
- CN105187218B CN105187218B CN201510641207.1A CN201510641207A CN105187218B CN 105187218 B CN105187218 B CN 105187218B CN 201510641207 A CN201510641207 A CN 201510641207A CN 105187218 B CN105187218 B CN 105187218B
- Authority
- CN
- China
- Prior art keywords
- combined value
- server
- digital
- signature
- gateway
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a kind of digitized record of multi-core infrastructure signatures, verification method.This method is:1) signature request is sent to the kernel service of selection by client;2) gateway server is using the digital combined value in signature request as bottom layer node, and successively polymerization obtains gateway radical word combined value and is sent to aggregate server;3) aggregate server generates aggregate server radical word combined value and is sent to Core server connected to it;4) Core server generates radical word group merging and signs to it;5) Core server returns to client after signed data, digital combined value polymerization route and the aggregated server of service identifiers, gateway server are updated polymerization route;When verifying, client obtains the radical word combined value in corresponding signing certificate verifying signature;Then a radical word combined value is regenerated according to polymerization route, is verified compared with the radical word combined value in signature.The present invention can meet the different business requirement to kernel service.
Description
Technical field
The invention belongs to electronic security(ELSEC) technical fields, are related to a kind of digitized record signature of multi-core infrastructure, test
Card method, is able to verify that primitiveness, the authenticity of electronic document, while meeting multi-management area autonomous control in a manner of multi-core.
Background technique
Currently, digitized information has become a kind of important information with internet and the fast development of e-commerce
Source rapidly develops electron information service and proposes stern challenge, how to guarantee that the safety of digitized information also becomes
One important project.
U.S. Patent application United States Patent Application 20140282863 and in the past patent Shen
A kind of revolutionary innovative technology please be brought for electronic data signature.Without key signature technology with pure mathematics proof of algorithm and proof
Signature time, origin, data integrity and the non repudiation of electronic data.It only relies upon mathematics, thoroughly gets rid of pair
The dependence of trust, anyone can individual authentication data, and verifying is never failed, while cracking to quantum immune, is suitble to big
The real-time verification of data age mass object.No key signature verification service infrastructure provides the signature and verifying clothes to data
Business.
Although the above invention proposes a kind of method and system of verifying digitized record independent of trust, different
Management domain (country, judicial region, industry and enterprise etc.) has different supervisory systems to the service for providing digitized record verifying, number
Wordization records service for checking credentials person across the different approval and license for surely obtaining other management domains behind management domain boundary, and former patent does not have
It is provided with the different regulatory requirements for adapting to multiple management domains and processing method when depositing.
Summary of the invention
For the technical problems in the prior art, the purpose of the present invention is to provide a kind of multi-core infrastructure
Digital record signature, verification method.
The present invention devises the verifying base of multicore central server on the basis of existing no key signature infrastructure unitary core
Infrastructure, it can run multiple cores service in the same verifying infrastructure, each kernel service can be using not
Same root polymerization;Existing kernel service can only provide single mode root polymerization, i.e., each second to root into
Design multimode takes root in polymerization on the basis of row polymerization, as taken root in set and non-temporal requirement by different time requirement
Polymerization is taken root in such as to carry out taking root in polymerization by number.
The technical scheme is that:
A kind of digitized record endorsement method of multi-core infrastructure, step are:
1) signature request is sent to the kernel service of selection by client;Wherein, comprising to be signed in the signature request
The digital combined value of digital record;
2) bottom layer node that gateway server calculates the digital combined value in the signature request received as polymerization, to setting
Bottom layer node number combined value in fixed cycle polymerize two-by-two obtains the father node number combined value of bottom layer node;Again to father node
Digital combined value is successively polymerize two-by-two, is finally obtained the gateway radical word combined value of the gateway server and is sent it to
Aggregate server;
3) the gateway radical word combined value received successively polymerize by aggregate server two-by-two, finally obtains aggregate server root
Digital combined value simultaneously is sent to give the Core server of aggregate server connection;
4) Core server carries out data integrity validation to aggregate server radical word combined value, is verified rear core
Server according to polymerizer radical word combined value is periodically generated the radical word combined value of the Core server and to the radical word group
Conjunction value and its generation time sign;
5) Core server is by signed data, the digital combined value polymerization route and the service mark of oneself of Core server
Knowledge returns to aggregate server;
6) aggregate server number combined value polymerization road is added in aggregate server in the number combined value polymerization route
Then the signed data, updated digital combined value polymerization route and service identifiers are returned to gateway server by diameter;
7) the number combination of the gateway is added in gateway server in the updated digital combined value polymerization route of step 6)
It is worth polymerization route, the signed data, updated digital combined value polymerization route and service identifiers is then returned into the client
End;The client saves signature result corresponding with the service identifiers of kernel service selected when signature.
A kind of verification method of signature result, step are:
21) the kernel service mark of the kernel service of selection is sent to gateway server by client, is obtained and the core
The corresponding signing certificate of service identifiers;
22) client utilizes the Core server radical word combined value in signing certificate verifying signature result;Verifying
Pass through rear progress step 23);
23) client is counted according to digital combined value of the digital combined value polymerization route to the digital record of signature
It calculates, finally obtains a radical word combined value, then by the Core server radical word group in the radical word combined value and step 22)
Conjunction value is compared, and determines whether the digitized record has change according to comparison result.
Further, if client preserves the signed data of multiple cores service identifiers, repeatedly step 21~
23), each signed data is verified.
Further, the digital record is electronic document, picture, audio or video data.
Further, digital record is converted to by a digital combined value by hash function;Wherein, the number combination
Value is a cryptographic Hash.
Further, the aggregate server is connect with one or more Core servers.
Further, the Core server using PKI technology to the radical word combined value of generation and its generate the time into
Row signature.
Compared with prior art, the positive effect of the present invention is:
Be compared to monokaryon central server without key signature verification method, the present invention can run multiple cores service simultaneously,
Meet the different business requirement to kernel service, and kernel service is allowed to be managed independently and run by third party.In this way,
Using the verifying infrastructure of multi-core, it can not only meet simultaneously and the different of root polymerization are required, while can also reduce
The repeated construction of other low-level networks in infrastructure.
Detailed description of the invention
Fig. 1 is present system structure chart;
Fig. 2 is digital record signature flow chart of the invention;
Fig. 3 calculates generation root cryptographic Hash procedure chart for simplified infrastructure architecture to describe digital record by polymerization;
Fig. 4 is digital record verification processing flow chart of the invention.
Specific embodiment
Technical solution of the present invention is described in further detail with reference to the accompanying drawing.But it does not constitute to limit of the invention
System.
The present invention is to verify the completely new approach and system of digitized record, proposes that many-core systems verify digitized record,
It can be adapted to multiple the different of management domain supervision simultaneously using different publication channels and publication frequency and require.Meanwhile multi-core
System makes entire verifying system avoid the dependence to single service provider in system level.
This system structure chart is as shown in Figure 1.Systemic hierarchial is divided by function by the present invention from top to bottom:Gateway service
Device, aggregate server and Core server.
Gateway server
Gateway layer has following functions:
1. receiving the signature request that client is sent, aggregate server is submitted to after being polymerize by digitized record.
2. being recorded for each optional network specific digitization, by the polymerization route of aggregate server return, aggregation information and with number
The root combination gateway polymerization route itself and aggregation information of word signature return to client.
3. receiving the complete calendar Hash tree information of more families of aggregate server transmitting.
Aggregate server
Aggregate server has following functions:
1. the digitized record that lower layer's gateway is submitted is carried out geographical polymerization and generates root.
2. being signed using digital certificate to root, guarantee from the short-lived validity after root generation.
3. the root of generation is submitted to Core server.
4. being recorded for each optional network specific digitization, polymerization route, aggregation information and the root with digital signature are returned
Give lower layer's gateway.
5. the transmitting complete calendar Hash tree in the upper layer Duo Jia gives lower layer's gateway.
Core server
Core server has following functions:
1. the root that pair aggregate server generates carries out time dimension polymerization and generates calendar polymerizing value, calendar value is also.
2. a pair calendar polymerizing value is issued at set time intervals.
3. saving root to each with the calendar Hash tree relationship between time aggregation value (calendar value).
4. providing complete calendar Hash tree to aggregate server.
User can the Core server connected be wanted in selection when signature according to demand.
Signature process
Fig. 2 is digital record signature flow chart of the invention, essentially describes label of the data in multi-core infrastructure
Name treatment process.The method includes the steps of:
1. client sends signature request and selects kernel service
As shown in step 2000, client using after API (application programming interfaces) processing electronical record to gateway server
Issue signature request.Detailed process is:
Client selection or creation digital record 2012.Digital record 2012 can be ordinary electronic document, picture, sound
Frequently, the electronic data such as video.Client converts digital record by hash function 2016 using API application programming interfaces 2014
For a cryptographic Hash 2018.Hash function in many fields of computer science be all it is well known, I will not elaborate.Then soft
Signature request can be sent to gateway server by part module 2020.
Meanwhile client selects kernel service mark by API application programming interfaces 2014.Kernel service mark can save
In local, for specifying corresponding Core server, can be used during receiving signature result and verifying.
2. gateway server polymerization calculates.
As shown in step 3000, gateway server receives the signature request that client issues, and signature in the setting period is asked
The bottom layer node that cryptographic Hash in asking is calculated as polymerization.As shown in Fig. 2, the cryptographic Hash of every a pair of of bottom layer node is connected
As output valve, the cryptographic Hash of this output valve is then calculated, father node of the cryptographic Hash as described two bottom layer nodes.It presses
According to identical calculation, polymerization calculating is carried out again to newly-generated all father nodes, to the last, calculate one it is single
Highest node of the cryptographic Hash as gateway, the referred to as root cryptographic Hash of gateway.Whole bottom layer nodes are during polymerizeing calculating
Generate the data structure of a Merkle Hash tree.The root cryptographic Hash of gateway can be sent to aggregate server by gateway.
3. aggregate server polymerization calculates
Similar with gateway server as shown in step 4000, the cryptographic Hash that aggregate server submits gateway server is made
For the bottom layer node that polymerization calculates, it polymerize calculation using identical with gateway, finally, each aggregate server can also produce
The cryptographic Hash of a raw highest node, referred to as the root cryptographic Hash of aggregate server.This cryptographic Hash is by under the aggregate server
The gateway root cryptographic Hash that the whole gateways connected are submitted calculates generation by polymerization.Aggregate server is aggregate server
Root cryptographic Hash be sent to all Core servers being connected with him.
4. Core server polymerization calculates
As shown in step 5000, after each Core server (5010,5020) receives the root cryptographic Hash of aggregate server,
Data integrity validation is carried out to the root cryptographic Hash from aggregate server using certificate first.Pass through data integrity validation
Afterwards, kernel service is inputted using the root cryptographic Hash of polymerizer as the bottom of kernel service, uses the calculating similar with polymerizer
Mode ultimately generates the root cryptographic Hash an of Core server, also referred to as root cryptographic Hash.The root cryptographic Hash that Core server generates
It is to be generated according to fixed time interval, therefore, each root cryptographic Hash corresponds to a time point naturally.Then, core
Server signs to root cryptographic Hash and generation time using PKI technology.
5. returning to signature result
Core server is by the service of signed data, Core server cryptographic Hash polymerization route and Core server oneself
Mark returns to aggregate server, and aggregate server returns after aggregate server cryptographic Hash polymerization route is added in the information received
To gateway server, gateway server returns to client after gateway server cryptographic Hash polymerization route is added in the information received
End.Client selects the core selected in signature in return information and identifies the signature that corresponding Core server returns
As a result it saves.
We describe digital record with a kind of infrastructure architecture of simplification and calculate generation root Hash by polymerization below
The process of value.Fig. 3 is seen, in Fig. 3, for carrying out polymerization calculating again with digital record cryptographic Hash generated to be signed
Cryptographic Hash is numbered 0~9 respectively, i.e.,①,②,③,④,⑤,⑥,⑦,⑧,⑨.The sequence that two cryptographic Hash combine uses
0 or 1 indicates:0 indicates from left combination, and 1 indicates from right combination, that is, { 0,0,1,1,0,0,1,1,1,0 }.These cryptographic Hash, in conjunction with
Sequence and some other information constitute signed data 8000.This process is:
1. client calculates the cryptographic Hash of electronical record, it is sent to gateway.
2. other cryptographic Hash in gateway, in the cryptographic Hash and gateway of client1. 2. carrying out polymerization calculating, generate
The root cryptographic Hash of gateway, is sent to polymerizer.
3. in polymerizer 3. the root cryptographic Hash of gateway, 4., 5., 6. carries out polymerization meter with other cryptographic Hash in polymerizer
It calculates, generates the root cryptographic Hash of polymerizer, be then sent to kernel service.
4. in kernel service 7. the root cryptographic Hash of polymerizer, 8., is 9. gathered with other cryptographic Hash in Core server
It is total to calculate, generate the root of kernel service.
5. 7. cryptographic Hash, 8., is 9. returned to polymerizer with binding sequence by kernel service.
6. 3. 7. polymerizer, 4., 5., 6. and from Core server returns to cryptographic Hash, 8., 9. returns with binding sequence
Back to gateway.
7. gateway is cryptographic Hash1. 2. and from polymerizer returning 3., 4., 5., 6., 7., 8., 9. and combine suitable
Client is returned to, signed data 8000 is generated.
8. client is according to the signed data 8000 of return, and the kernel service mark selected when signature, selection correspond to
The signed data that returns of Core server and preservation, the signed data that other kernel services mark returns do not save.
Verify process
Fig. 4 is the verification process of digital record of the invention, essentially describes the verification processing process of data.The process packet
Containing following steps:
1. reading kernel service in signed data using API to identify.
2. an above-mentioned kernel service identifier is sent to gateway, to obtain signature card corresponding with kernel service mark
Then book is verified the PKI signature of the root cryptographic Hash in verifying signed data, to guarantee that root cryptographic Hash is true.
3. calculating the cryptographic Hash of digital record 2012.Identical as the endorsement method calculating method of cryptographic Hash, client uses
Digital record 2012 to be verified is converted to a cryptographic Hash using hash function 2016 by API application programming interfaces 2014
2018。
4. recalculating root cryptographic Hash.Included cryptographic Hash and combination are extracted from the corresponding signed data of digital record
Sequentially, it polymerize calculation method according to identical with signature process, recalculates to obtain root cryptographic Hash.
5. root cryptographic Hash obtained in step 5 is carried out with cryptographic Hash obtained in the signature process saved in signed data
Compare, judge whether it is identical, to judge whether digital record has change.
If 6. preserved in the signed data of multiple cores service identifiers, repeatedly step 1-6, to all signed datas
It is verified.
Have been described in detail above the working principle of the invention, but this is only to facilitate the example for understanding and lifting,
Purpose is to help to understand the contents of the present invention and implement accordingly, is not construed as limiting the scope of the present invention.This field
Technical staff be understood that:Without departing from the spirit and scope of the invention and the appended claims, various replacements, variation
It is all possible with modification.But all these replacements, change and modification all should belong to the model that claims of the present invention defines
It encloses.
Claims (7)
1. a kind of digitized record endorsement method of multi-core infrastructure, step are:
1) signature request is sent to the kernel service of selection by client;It wherein, include number to be signed in the signature request
The digital combined value of record;
2) bottom layer node that gateway server calculates the digital combined value in the signature request received as polymerization, to setting week
Bottom layer node number combined value in phase polymerize two-by-two obtains the father node number combined value of bottom layer node;Again to father node number
Combined value is successively polymerize two-by-two, is finally obtained the gateway radical word combined value of the gateway server and is sent it to polymerization
Server;
3) the gateway radical word combined value received successively polymerize by aggregate server two-by-two, finally obtains aggregate server radical word
Combined value simultaneously is sent to give the Core server of aggregate server connection;
4) Core server carries out data integrity validation to aggregate server radical word combined value, is verified rear kernel service
Device according to polymerizer radical word combined value is periodically generated the radical word combined value of the Core server and to the radical word combined value
And its generation time signs;
5) Core server returns signed data, the digital combined value polymerization route of Core server and the service identifiers of oneself
Back to aggregate server;
6) the aggregate server number combined value polymerization route is added in aggregate server in the number combined value polymerization route, so
The signed data, updated digital combined value polymerization route and service identifiers are returned into gateway server afterwards;
7) the digital combined value that the gateway is added in gateway server in the updated digital combined value polymerization route of step 6) gathers
It is combined diameter, the signed data, updated digital combined value polymerization route and service identifiers are then returned into the client;
The client saves signature result corresponding with the service identifiers of kernel service selected when signature.
2. the verification method of signature result described in a kind of pair of claim 1, step are:
21) the kernel service mark of the kernel service of selection is sent to gateway server by client, is obtained and the kernel service
Identify corresponding signing certificate;
22) client utilizes the Core server radical word combined value in signing certificate verifying signature result;It is verified
Step 23) is carried out afterwards;
23) client is calculated according to digital combined value of the digital combined value polymerization route to the digital record of signature, most
A radical word combined value is obtained eventually, then by the Core server radical word combined value in the radical word combined value and step 22)
It is compared, determines whether the digitized record has change according to comparison result.
3. method according to claim 2, which is characterized in that if client preserves the signature of multiple cores service identifiers
Data, then repeatedly step 21)~23), each signed data is verified.
4. the method as claimed in claim 1 or 2 or 3, which is characterized in that the digital record is electronic document, picture, audio
Or video data.
5. the method as claimed in claim 1 or 2 or 3, which is characterized in that digital record is converted to one by hash function
Digital combined value;Wherein, the digital combined value is a cryptographic Hash.
6. the method as claimed in claim 1 or 2 or 3, which is characterized in that the aggregate server and one or more cores take
Business device connection.
7. method according to claim 1 or 2, which is characterized in that the Core server is using PKI technology to the root of generation
Digital combined value and its generation time sign.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510641207.1A CN105187218B (en) | 2015-09-30 | 2015-09-30 | A kind of digitized record signature, the verification method of multi-core infrastructure |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510641207.1A CN105187218B (en) | 2015-09-30 | 2015-09-30 | A kind of digitized record signature, the verification method of multi-core infrastructure |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105187218A CN105187218A (en) | 2015-12-23 |
| CN105187218B true CN105187218B (en) | 2018-11-23 |
Family
ID=54909073
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510641207.1A Active CN105187218B (en) | 2015-09-30 | 2015-09-30 | A kind of digitized record signature, the verification method of multi-core infrastructure |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105187218B (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106130718B (en) * | 2016-06-29 | 2019-05-21 | 谈建 | A kind of the signed data generation method and verification method of digital record |
| CN110830259A (en) * | 2019-08-06 | 2020-02-21 | 贵州大学 | Method and system for providing originality and integrity certification for multimedia data |
| CN110689356A (en) * | 2019-09-09 | 2020-01-14 | 谈建 | Method for recording commodity circulation process by using nested digital twin |
| CN110730074A (en) * | 2019-09-09 | 2020-01-24 | 谈建 | Implementation method and data structure of nested traceable digital twin body |
| CN111046069B (en) * | 2019-11-11 | 2021-05-07 | 蚂蚁区块链科技(上海)有限公司 | Aggregation calculation method, device and equipment in block chain type account book |
| CN111506929A (en) * | 2020-04-21 | 2020-08-07 | 贵州大学 | Product circulation identification method combined with block chain technology |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102413313A (en) * | 2010-09-26 | 2012-04-11 | 索尼公司 | Data integrity authentication information generation method and device as well as data integrity authentication method and device |
| CN102419809A (en) * | 2011-10-29 | 2012-04-18 | 重庆君盾科技有限公司 | Safe, efficient and universal method for proving original value of electronic document |
| CN103227719A (en) * | 2011-06-20 | 2013-07-31 | 保护时知识产权控股有限公司 | System and method for generating keyless digital multi-signatures |
| CN104636672A (en) * | 2015-03-04 | 2015-05-20 | 浙江工商大学 | Security data reporting method and security data reporting system on basis of Hash trees and anonymity technologies |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140245020A1 (en) * | 2013-02-22 | 2014-08-28 | Guardtime Ip Holdings Limited | Verification System and Method with Extra Security for Lower-Entropy Input Records |
-
2015
- 2015-09-30 CN CN201510641207.1A patent/CN105187218B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102413313A (en) * | 2010-09-26 | 2012-04-11 | 索尼公司 | Data integrity authentication information generation method and device as well as data integrity authentication method and device |
| CN103227719A (en) * | 2011-06-20 | 2013-07-31 | 保护时知识产权控股有限公司 | System and method for generating keyless digital multi-signatures |
| CN102419809A (en) * | 2011-10-29 | 2012-04-18 | 重庆君盾科技有限公司 | Safe, efficient and universal method for proving original value of electronic document |
| CN104636672A (en) * | 2015-03-04 | 2015-05-20 | 浙江工商大学 | Security data reporting method and security data reporting system on basis of Hash trees and anonymity technologies |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105187218A (en) | 2015-12-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105187218B (en) | A kind of digitized record signature, the verification method of multi-core infrastructure | |
| TWI694350B (en) | Information supervision method and device based on blockchain | |
| CN110113388B (en) | Improved clustering algorithm-based block chain system consensus method and device | |
| US10742397B2 (en) | Method and system for managing decentralized data access permissions through a blockchain | |
| US10491396B2 (en) | Method and server for providing notary service for file and verifying file recorded by notary service | |
| US10235538B2 (en) | Method and server for providing notary service for file and verifying file recorded by notary service | |
| CN107196762B (en) | Big data oriented power determining method | |
| CN112187712B (en) | Anonymous authentication method and system for trust in de-center mobile crowdsourcing | |
| CN111753014B (en) | Identity authentication method and device based on block chain | |
| CN111694895B (en) | Block chain remote data auditing method and system | |
| WO2020233149A1 (en) | Method, apparatus and device for timing authentication in blockchain account book | |
| CN113779642B (en) | Data processing method, device and system thereof, and electronic equipment | |
| Xu et al. | Efficient and lightweight data streaming authentication in industrial control and automation systems | |
| CN110414983A (en) | Reference information processing method, device, equipment and storage medium based on block chain | |
| CN111640018A (en) | Block chain transaction existence verification method and device | |
| CN109660357A (en) | Digital asset register method, verification method, device, equipment and storage medium | |
| CN116506227B (en) | Data processing method, device, computer equipment and storage medium | |
| CN116132071B (en) | Identity authentication method and device for identification analysis node based on blockchain | |
| CN109981288B (en) | Fine-grained cloud server side rapid external certification method based on aggregated signature | |
| CN116684160A (en) | Public service litigation data security sharing and privacy protecting method and system | |
| CN113112269B (en) | Multiple signature method, computer device, and storage medium | |
| CN114722429A (en) | Identity sharing method and device, electronic equipment and readable storage medium | |
| CN102223382B (en) | Cloud safety method and system with data distribution characteristics as password | |
| JP2021096650A (en) | Trace recording system and data verification method | |
| Li et al. | Audit as You Go: A Smart Contract‐Based Outsourced Data Integrity Auditing Scheme for Multiauditor Scenarios with One Person, One Vote |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |