A Gapless Post-quantum Hash Proof System in the Hamming Metric

A hash proof system (HPS) is a form of implicit proof of membership to a language. Out of the very few existing post-quantum HPS, most are based on languages of ciphertexts of code-based or lattice-based cryptosystems and inherently suffer from a gap caused by the possibility for an ill-formed ciphertext to decrypt to a valid plaintext. Since this gap is inconvenient when proving the security in the universal composability framework by Canetti et al., Bettaieb et al. proposed the first gapless post-quantum HPS based on the Rank Quasi-Cyclic (RQC) cryptosystem in the rank metric while conjecturing the existence of a similar HPS in the usual Hamming metric. We solve this conjecture by designing a gapless post-quantum HPS based on the Hamming Quasi-Cyclic (HQC) cryptosystem which, in contrast to RQC, is a NIST post-quantum cryptography standardization alternate candidate. We describe a novel proof of validity for HQC ciphertexts, thereby closing the adversarial gap and present a witness encryption scheme secure in the standard model and a password-based authenticated key exchange protocol secure in the Bellare–Pointcheval–Rogaway (BPR) model.

1. 1.

   The codomain of \(e_X\) can be substituted for the Kleene star of any non-unary alphabet.

2. 2.

   We extend \(\mathcal {{R}}\) to \(\left\{ 0,1\right\} ^*\times \left\{ 0,1\right\} ^*\) by defining \(\mathcal {{R}}(x,\omega ) = 0\) for all and .

3. 3.

   The role of \(w_a\) is to parametrize the correctness of the hash proof system but is not intrinsically needed by the HQC cryptosystem.

4. 4.

   In [8], the authors incorrectly refer this transform as to the Naor–Yung transform [21], which only guarantees security against non-adaptive chosen ciphertext attacks (\(\text {IND-CCA1}\)).

Authors and Affiliations

1. LASEC, Ecole Polytechnique Fédérale de Lausanne, 1015, Lausanne, Switzerland

   Bénédikt Tran & Serge Vaudenay

Corresponding author

Correspondence to Bénédikt Tran .

Editors and Affiliations

1. NTT Social Informatics Laboratories, Tokyo, Japan

   Mehdi Tibouchi

2. Indiana University at Bloomington, Bloomington, IN, USA

   XiaoFeng Wang

A The \(\textsf{FQCDSD}\) Problem

Recall that \(\mathbb {F}^n_{2,\wp }\) denotes the set of vectors \(\boldsymbol{z}\in \mathbb {F}_2^n\) such that \({{\,\textrm{wt}\,}}(\boldsymbol{z})\equiv \wp \pmod {2}\) and that \(\mathbb {S}^n_w\subset \mathbb {F}_2^n\) denotes the Hamming sphere of radius w. In this section, we provide a formal description of the \(\textsf{FQCDSD}\) oracle and discuss the hardness of the \(\textsf{FQCDSD}\) problem (Definition 18). Throughout this section, \(\boldsymbol{m}\in \mathbb {F}_2^k,\,\textbf{G}\in \mathbb {F}_2^{k\times n}\) and \(\boldsymbol{h}_0\in \mathbb {F}_2^n\) are public values and \(\boldsymbol{a}_1,\boldsymbol{a}_2,\boldsymbol{a}_3\in \mathbb {S}^n_{w_a},\,\boldsymbol{r}\in \mathbb {S}^n_{w_r}\) and \(\boldsymbol{e}\in \mathbb {S}^n_{w_e}\) denote independent uniformly distributed variables.

1.1 A.1 Formal \(\textsf{FQCDSD}\) Oracle

We formally define the \(\textsf{FQCDSD}\) oracle \(\mathcal {{O}}_{\textbf{G},\boldsymbol{h}_0}(\boldsymbol{h}_1,\pi )\) as the interactive process depicted on Fig. 6 (page 23), where \(\pi \) is a proof of validity for \(\boldsymbol{h}_1\) to be of the form \(\boldsymbol{h}_1 = \textbf{G}^{\!\top }\boldsymbol{m}+ \boldsymbol{h}_0*\boldsymbol{r}+\boldsymbol{e}\) for some \(\boldsymbol{m}\in \mathbb {F}_2^n\) and \((\boldsymbol{r},\boldsymbol{e})\in \mathbb {S}^n_{w_r}\times \mathbb {S}^n_{w_e}\). The proof of validity can be constructed using the protocol described in Appendix B.1.

Interactive \(\textsf{FQCDSD}\) Oracle.

Full size image

1.2 A.2 Hardness of the \(\textsf{FQCDSD}\) Problem

The \(\textsf{FQCDSD}\) problem essentially asks to distinguish between \(\boldsymbol{y}_2 = \boldsymbol{a}_2 + \boldsymbol{h}_1*\boldsymbol{a}_3\) and uniform vectors of same parity given as sole information \(\boldsymbol{y}_1 = \boldsymbol{a}_1 + \boldsymbol{h}_0 * \boldsymbol{a}_3\) and the guarantee that \(\boldsymbol{h}_1=\textbf{G}^{\!\top }\boldsymbol{m}+ \boldsymbol{h}_0*\boldsymbol{r}+\boldsymbol{e}\). Recall that the \(3 \text {-}\textsf{QCDSD}\) with parity problem considers instances of the following form:

The question is now whether the problem remains hard when the adversary has limited control over \(\boldsymbol{h}_1\). We approach this question using similar techniques as in [8, §4.2], although the structural constraints are hard to determine.

Entropy Considerations. Since an adversary may choose \(\boldsymbol{m},\,\boldsymbol{r}\) and \(\boldsymbol{e}\), the number of bits in \(\boldsymbol{h}_1\) an adversary can manipulate is at most \(n' = k + \log \left( {\begin{array}{c}n\\ w_r\end{array}}\right) \left( {\begin{array}{c}n\\ w_e\end{array}}\right) \) out of n bits. Table 2 (page 22) recalls the suggested HQC parameters for the different security levels [2, Tab. 5] and the proportion of bits an adversary may temper. According to these numbers, an adversary should not be able to temper sufficiently many bits in order to solve the \(\textsf{FQCDSD}\) problem.

Structural Considerations. Although the \(\textsf{FQCDSD}\) oracle expects its input to be of a specific form, the adversary may still try to find “weak” inputs for which the oracle distribution would be distinguishable from the uniform distribution. More precisely, consider the equation \( \begin{bmatrix} \textbf{I}_n&\textbf{circ}(\boldsymbol{h}_1) \end{bmatrix}\begin{bmatrix} \boldsymbol{a}_2 \\ \boldsymbol{a}_3 \end{bmatrix} = \boldsymbol{y}_2 \). In the rank metric case, the circulant matrix associated to \(\boldsymbol{h}_1\) is generalized as an ideal matrix. Informally, ideal matrices are generalizations of circulant matrices. In particular, the same arguments as in [8, §4.2] concerning the strategy of setting as many zeros as possible on \(\boldsymbol{h}_1\) apply, hence the adversary should not manage to make \(\boldsymbol{h}_1\) sufficiently sparse in order to leak information about the syndrome and distinguish it from a random one.

B Stern-Like Protocols for HQC

Given a syndrome decoding instance \((\textbf{Q},\boldsymbol{\sigma })\in \mathbb {F}_2^{k\times n}\times \mathbb {F}_2^n\) for weight \(w\in \mathbb {N}\), the Stern protocol [23, 24] is a zero-knowledge protocol which convinces a verifier \(\mathcal {{V}}\) that a prover \(\mathcal {{P}}\) knows a secret vector \(\boldsymbol{z}\in \mathbb {S}_w^k\) such that \(\textbf{Q}^{\!\top }\boldsymbol{z} = \boldsymbol{\sigma }\). More generally, given \(\textbf{Q}_1,\textbf{Q}_2\in \mathbb {F}_2^{k\times n}\), a vector \(\boldsymbol{\sigma }\in \mathbb {F}_2^n\) and a weight \(w = w_1 + w_2\), Alamélou et al. [3] presented the Concatenated Stern protocol which convinces a verifier \(\mathcal {{V}}\) that a prover \(\mathcal {{P}}\) knows a secret vector \(\boldsymbol{z} = (\boldsymbol{z}_1\Vert \boldsymbol{z}_2)\in \mathbb {S}^{2k}_w\) such that \(\boldsymbol{z}_i\in \mathbb {S}^k_{w_i}\) and \(\textbf{Q}^{\!\top }\boldsymbol{z} = \boldsymbol{\sigma }\) where \(\textbf{Q}^{\!\top } = \begin{bmatrix}\textbf{Q}^{\!\top }_1&\textbf{Q}^{\!\top }_2\end{bmatrix}\). Stated otherwise, this is equivalent to show that \(\textbf{Q}^{\!\top }_1\boldsymbol{z}_1 + \textbf{Q}^{\!\top }_2\boldsymbol{z}_2 = \boldsymbol{\sigma }\). Their construction essentially evaluates Stern protocols for \(\boldsymbol{z}_1\) and \(\boldsymbol{z}_2\) simultaneously but requires some additional (omitted) assumptions in order to be used in the context of digital signatures. Instead, Blazy et al. [9] reformulated the Concatenated Stern protocol to make it a statistical zero-knowledge proof protocol with cheating probability 2/3 verifying properties of completeness and soundness zero-knowledge in the ROM under the syndrome decoding hardness assumption [9, Thm. 1].

Let \((n,\nu ,k,d,w,w_r,w_e,w_a)\) be public HQC parameters, \(\mathcal {{C}}\) be the underlying public \([n_1n_2,k,d]\)-code and let \(n = n_1n_2 + \nu \) be an Artin prime. Given a HQC secret key \(\textsf{sk}=(\boldsymbol{x},\boldsymbol{y})\in \mathbb {S}^n_w\times \mathbb {S}^n_w\) and a public key \(\textsf{pk}=(\textbf{G},\boldsymbol{h},\boldsymbol{s})\) such that \(\textbf{G}\in \mathbb {F}_2^{k\times n_1n_2}\) is a generator matrix for \(\mathcal {{C}}\) and \(\boldsymbol{h}\in \mathbb {F}_2^n\) and \(\boldsymbol{s} = \boldsymbol{x} + \boldsymbol{h} * \boldsymbol{y}\), a ciphertext \((\boldsymbol{u},\boldsymbol{v})\) for a plaintext \(\boldsymbol{m}\in \mathbb {F}_2^k\) is defined according to Fig. 2 by:

where \(\boldsymbol{r}_1,\boldsymbol{r}_2\in \mathbb {S}^n_{w_r}\) and \(\boldsymbol{e}\in \mathbb {S}^n_{w_e}\). The goal of this section is to describe two protocols similar to the Concatenated Stern protocol to convince a verifier \(\mathcal {{V}}\) that a prover \(\mathcal {{P}}\) knows the secret values \((\boldsymbol{r}_1,\boldsymbol{r}_2,\boldsymbol{e})\) for the plaintext \(\boldsymbol{m}\) and that two ciphertexts \(\textsf{ct}\) and \(\textsf{ct}'\) arise from the same plaintext under different public keys.

Remark 6

All zero-knowledge proof protocols described in this section can be turned into non-interactive zero-knowledge proof protocols in the random oracle model by applying the Fiat–Shamir transform [13, 22].

1.1 B.1 Proof of HQC Ciphertext Validity

As mentioned beforehand, the textbook HQC cryptosystem is not compatible with the HPS construction because of the truncation operation, so instead, we assume that \(\mathcal {{C}}\) is of length exactly n up to replacing \(\textbf{G}\) by \(\begin{bmatrix}\textbf{G}&\textbf{0}_\nu \end{bmatrix}\) (see Sect. 6 for details). That way, we ignore the truncation operation when constructing the ciphertext and simplify the description of the next protocols. In particular, (B.1) is equivalent to the following equation:

Let and . Let

and \({\textbf{Q}^{\!\top }=\begin{bmatrix}\textbf{Q}^{\!\top }_1&\textbf{Q}^{\!\top }_2&\textbf{Q}^{\!\top }_3&\textbf{Q}^{\!\top }_4\end{bmatrix}\in \mathbb {F}_2^{2n\times (3n+k)}}\). We need a protocol that convinces a verifier \(\mathcal {{V}}\) that a prover \(\mathcal {{P}}\) knows \(\boldsymbol{z}\) such that each secret block has the prescribed weight and \(\textbf{Q}^{\!\top }\boldsymbol{z} = \boldsymbol{\sigma }\). Figure 7 describes the protocol from a high-level point of view and we describe each protocol component on Fig. 8 (page 26) separately.

Single iteration of Proof of Validity for a single HQC ciphertext.

Full size image

Unless stated otherwise, is a hash function modelled as a random oracle. Denote by \(\mathfrak {S}_\ell \) the group of permutations over \(\ell \) elements. We denote by \(\tau (\boldsymbol{a})\) the action of \(\tau \in \mathfrak {S}_\ell \) on \(\boldsymbol{a}\in \mathbb {F}_2^\ell \) defined by \(\boldsymbol{a} = (a_1,\ldots ,a_\ell ) \mapsto \tau (\boldsymbol{a}) = (a_{\tau (1)},\ldots ,a_{\tau (\ell )})\). In addition, we use the following conventions in the protocol descriptions and subsequent proofs.

\(\diamond \):

We write \((c_1 = c_1')\) instead of \(\mathbbm {1}_{c_1 = c_1'}\) and use \(\wedge \) for the logical AND operator.

\(\diamond \):

Given \({m = \sum _{i=1}^sm_i\in \mathbb {N}}\) and \(\zeta _i\in \mathbb {F}_2^{m_i}\), we write . Reciprocally, we write \(\zeta \rightarrow \Vert _{i=1}^s\zeta _i\) to indicate that \(\zeta \in \mathbb {F}_2^m\) is parsed into chunks \(\zeta _1,\ldots ,\zeta _s\) of size \(m_1,\ldots ,m_s\) respectively.

\(\diamond \):

Whenever a prover challenge response \(\rho \) is parsed on the verifier side for a challenge value \(ch\in \left\{ 0,1,2\right\} \), the components of that response are marked with a superscript \({(\cdot )}^{ch}\). For instance, if the prover sends \(\rho = iv_1\Vert iv_2\), then the verifier parses \(\rho \) as \(iv_1^{ch}\Vert iv_2^{ch}\).

\(\diamond \):

If the prover sends a permutation of \(\boldsymbol{a}\in \mathbb {F}_2^\ell \) under \(\tau \in \mathfrak {S}_\ell \) as \(\tau (\boldsymbol{a})\) to the verifier, the verifier denotes this value as \(\boldsymbol{\bar{a}}\). In particular, we expect \(\tau (\boldsymbol{a}) = {\boldsymbol{\bar{a}}}\) to hold if and only if the participants execute the protocol honestly.

Proof of Validity for a single HQC ciphertext in the ROM.

Full size image

Proposition 3

The protocol depicted on Fig. 8 satisfies the completeness property, i.e., a honest prover always convinces a honest verifier.

Proof

Whenever the honest verifier issues a challenge \(ch = 0\) or \(ch = 2\), it is clear from the construction that a honest prover can convince the verifier. It remains to show that the same holds when \(ch = 1\). To ease notations, we drop the superscript \({(\cdot )}^1\). Since \(\boldsymbol{\mu } = \boldsymbol{z}\oplus \boldsymbol{\delta }\) and \(\boldsymbol{z}\) satisfies \(\textbf{Q}^{\!\top }\boldsymbol{z} = \boldsymbol{\sigma }\), it follows that

In particular, the computed commitments match those that were received.   \(\square \)

Theorem 3

The protocol depicted on Fig. 8 is a statistical zero-knowledge proof with cheating probability 2/3 in the random oracle model.

Proof

The proof follows the same idea as [8, App. 1] and as the original Concatenated Stern protocol by Blazy et al. [9]. The latter is formulated when \(\boldsymbol{z}\) has only two blocks instead of four as it is the case on Fig. 8 and where the last block has no weight condition. We now construct a simulator \(\mathcal {{S}}\) which, when interacting with a malicious verifier, outputs a simulated transcript with probability 2/3 that is statistically close to a real transcript. The simulator starts by choosing a prediction \(\tilde{ch}\in \left\{ 0,1,2\right\} \) and uniformly distributed salts \(iv_1,iv_2,iv_3\in \left\{ 0,1\right\} ^{\textsf{poly}{\left( {\lambda }\right) }}\). The simulator also samples uniformly distributed vectors \(\boldsymbol{\tilde{z}}_1,\boldsymbol{\tilde{z}}_2\in \mathbb {S}^n_{w_r},\,\boldsymbol{\tilde{z}}_3\in \mathbb {S}^n_{w_e}\) and \(\boldsymbol{\tilde{z}}_4\in \mathbb {F}_2^n\) together with permutations \(\tau _1,\tau _2,\tau _3\in \mathfrak {S}_n,\tau _4\in \mathfrak {S}_k\) and uniformly distributed masks \(\boldsymbol{\delta }_1,\boldsymbol{\delta }_2,\boldsymbol{\delta }_3\in \mathbb {F}_2^n,\,\boldsymbol{\delta }_4\in \mathbb {F}_2^k\).

Case \(\tilde{ch}=0\). The commitment is defined such that:

When receiving a challenge ch from the verifier, the simulator responds as follows:

\(\diamond \):

If \(ch=0\), then \(\rho = \bot \) and the simulator aborts.

\(\diamond \):

If \(ch=1\), then \(\rho = \Vert _{i=1}^4\tau _i\Vert _{i=1}^4(\boldsymbol{\tilde{z}}_i\oplus \boldsymbol{\delta }_i)\Vert iv_1\Vert iv_3\).

\(\diamond \):

If \(ch=2\), then \(\rho = \Vert _{i=1}^4\tau _i(\boldsymbol{\tilde{z}})\Vert _{i=1}^4\tau _i(\boldsymbol{\delta }_i)\Vert iv_2\Vert iv_3\).

Case \(\tilde{ch}=1\). The commitment is defined such that:

When receiving a challenge ch from the verifier, the simulator responds as follows:

\(\diamond \):

If \(ch=0\), then \(\rho = \Vert _{i=1}^4\tau _i\Vert \oplus _{i=1}^4\boldsymbol{\delta }_i\Vert iv_1\Vert iv_2\).

\(\diamond \):

If \(ch=1\), then \(\rho = \bot \) and the simulator aborts.

\(\diamond \):

If \(ch=2\), then \(\rho = \Vert _{i=1}^4\tau _i(\boldsymbol{\tilde{z}}_i)\Vert _{i=1}^4\tau _i(\boldsymbol{\delta }_i)\Vert iv_2\Vert iv_3\).

Case \(\tilde{ch}=2\). The commitment is defined such that:

where \(\boldsymbol{\tilde{z}}'\in \mathbb {F}_2^{3n+k}\) satisfies \(\textbf{Q}^{\!\top }\boldsymbol{\tilde{z}}' = \boldsymbol{\sigma }\). Since there is no weight constraint on \(\boldsymbol{\tilde{z}}'\), the latter can be easily found by the simulator. When receiving a challenge ch from the verifier, the simulator responds as follows:

\(\diamond \):

If \(ch=0\), then \(\rho = \Vert _{i=1}^4\tau _i\Vert _{i=1}^4\boldsymbol{\delta }_i\Vert iv_1\Vert iv_2\).

\(\diamond \):

If \(ch=1\), then \(\rho = \Vert _{i=1}^4\tau _i\Vert _{i=1}^4(\boldsymbol{\tilde{z}}'_i\oplus \boldsymbol{\delta }_i)\Vert iv_1\Vert iv_3\).

\(\diamond \):

If \(ch=2\), then \(\rho = \bot \) and the simulator aborts.

Clearly, the simulator outputs \(\bot \) with probability close to \(\frac{1}{3}\) and for a non-aborted simulator, the simulator transcripts are statistically close to the distribution of honest transcripts assuming that is modelled as a random oracle.

   \(\square \)

Theorem 4

If there exists a probabilistic polynomial-time cheating prover which convinces the verifier with probability \(\frac{2}{3}+\varepsilon \) for a non-negligible \(\varepsilon \), then there exists a probabilistic polynomial-time extractor which outputs \(\boldsymbol{z}_1,\boldsymbol{z}_2\in \mathbb {S}^n_{w_e},\,\boldsymbol{z}_3\in \mathbb {S}^n_{w_r}\) and \(\boldsymbol{z}_4\in \mathbb {F}_2^n\) such that \(\sum _{i=1}^4\textbf{Q}^{\!\top }_i\boldsymbol{z}_i=\boldsymbol{\sigma }\).

Proof

We construct a knowledge extractor from a cheating prover \(\mathcal {{P}}\) as follows. By applying Véron’s technique [25], a similar argument as in [8, App. 2] allows the extractor to rewind \(\mathcal {{P}}\) in time \(\textsf{poly}{\left( {\lambda }\right) }[1/\varepsilon ]=\textsf{poly}{\left( {\lambda }\right) }\) and obtain a commitment \(\gamma \) for which \(\mathcal {{P}}\) validates the (honest) verifier challenges. More precisely, the following equations are satisfied simultaneously:

Since is modelled as a random oracle, an adversary should not be able to find a collision on it and the above equations hold when removing . In particular, the random salts are consistent and the following equations hold for all \(i=1,\ldots ,4\):

(B.3)

Let . By (B.3), we have . Since \(\tau \) is invertible, the extractor can compute and since \(\tau \) is a permutation, \({{\,\textrm{wt}\,}}(\boldsymbol{z}_i) = {{\,\textrm{wt}\,}}(\boldsymbol{\bar{z}}_i^2)\). On the other hand, since \(\gamma _1^0=\gamma _1^1\) and is a random oracle, a similar argument establishes

In particular, satisfies \(\textbf{Q}^{\!\top }\boldsymbol{z} = \boldsymbol{\sigma }\).   \(\square \)

Remark 7

Note that the above protocols do not depend on the matrix \(\textbf{G}\in \mathbb {F}_2^{k\times n}\). In particular, replacing \(\textbf{G}\in \mathbb {F}_2^{k\times n_1n_2}\) for \(n = n_1n_2+\nu \) by \(\begin{bmatrix}\textbf{G}&\textbf{0}_{\nu }\end{bmatrix}\in \mathbb {F}_2^{k\times n}\) does not affect the overall description nor the security. That way, the witness encryption scheme and the PAKE protocols can be instantiated under the same considerations as in Sect. 6.

1.2 B.2 Proof of Related HQC Ciphertexts

In this section, we explain how to verify that two HQC ciphertexts arise from the same plaintext \(\boldsymbol{m}\) under different public keys. More precisely, let \(\textsf{pk}= (\textbf{G},\boldsymbol{h},\boldsymbol{s})\) and \(\textsf{pk}' = (\textbf{G}',\boldsymbol{h}',\boldsymbol{s}')\) be two distinct HQC public keys corresponding to the secret keys \(\textsf{sk}= (\boldsymbol{x},\boldsymbol{y})\) and \((\boldsymbol{x}',\boldsymbol{y}')\) respectively. Let \((\boldsymbol{u},\boldsymbol{v})\) and \((\boldsymbol{u}',\boldsymbol{v}')\) be the corresponding ciphertexts obtained using the random values \(\omega =(\boldsymbol{r}_1,\boldsymbol{r}_2,\boldsymbol{e})\) and \(\omega '=(\boldsymbol{r}'_1,\boldsymbol{r}'_2,\boldsymbol{e}')\) respectively. Observe that a proof of knowledge asserting that \((\boldsymbol{u},\boldsymbol{v})=\textsf{HQC}.\textsf{Enc}(\textsf{pp},\textsf{pk},\boldsymbol{m};\omega )\) and \((\boldsymbol{u}',\boldsymbol{v}')=\textsf{HQC}.\textsf{Enc}(\textsf{pp},\textsf{pk}',\boldsymbol{m};\omega ')\) is equivalent to the knowledge of \(\omega ,\omega '\in {\mathbb {S}^n_{w_r}}\times {\mathbb {S}^n_{w_r}}\times {\mathbb {S}^n_{w_e}}\) and \(\boldsymbol{m}\in \mathbb {F}_2^k\) such that

In particular, the zero-knowledge proof protocol asserting the validity of a HQC ciphertext can be adapted by considering \(\textbf{Q}^{\!\top }=\begin{bmatrix} \textbf{Q}^{\!\top }_1&\textbf{Q}^{\!\top }_2&\textbf{Q}^{\!\top }_3&\textbf{Q}^{\!\top }_4&\textbf{Q}^{\!\top }_5&\textbf{Q}^{\!\top }_6&\textbf{Q}^{\!\top }_7\end{bmatrix}\) instead. Therefore, Proposition 3 and Theorems 3 and 4 can be reformulated in this context with concatenations and summations going from 1 to 7 instead of 1 to 4. Since the same observation as in Remark 7 applies, it follows that the PAKE protocol is secure in the BPR model.

Reprints and permissions

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Policies and ethics